summaryrefslogtreecommitdiff
path: root/Cryptlib/OpenSSL/crypto/bn
diff options
context:
space:
mode:
authorGary Ching-Pang Lin <glin@suse.com>2015-07-28 11:46:38 -0400
committerPeter Jones <pjones@redhat.com>2015-07-28 11:46:38 -0400
commit5ce38c90cf43ee79cd999716ea83a5a44eeb819e (patch)
tree2fb3d9dd667c772fae5f87fa61e1501cf12da0ce /Cryptlib/OpenSSL/crypto/bn
parent69ba24ff72921ecabbb47178de40dc5a79350040 (diff)
downloadefi-boot-shim-5ce38c90cf43ee79cd999716ea83a5a44eeb819e.tar.gz
efi-boot-shim-5ce38c90cf43ee79cd999716ea83a5a44eeb819e.zip
Update openssl to 1.0.2d
Also update Cryptlib to edk2 r17731 Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/bn')
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn.h1266
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_asm.c607
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_blind.c13
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_ctx.c8
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_div.c322
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_err.c6
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_exp.c577
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_gcd.c5
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c420
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_lcl.h633
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_lib.c72
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_mont.c404
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_nist.c745
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_opt.c86
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_prime.h535
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_print.c43
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_rand.c10
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/bn_shift.c39
-rw-r--r--Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h56
19 files changed, 3251 insertions, 2596 deletions
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn.h b/Cryptlib/OpenSSL/crypto/bn/bn.h
index f1719a58..5696965e 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn.h
+++ b/Cryptlib/OpenSSL/crypto/bn/bn.h
@@ -5,21 +5,21 @@
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -34,10 +34,10 @@
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,223 +49,247 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
- * Portions of the attached software ("Contribution") are developed by
+ * Portions of the attached software ("Contribution") are developed by
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
*
* The Contribution is licensed pursuant to the Eric Young open source
* license provided above.
*
- * The binary polynomial arithmetic software is originally written by
+ * The binary polynomial arithmetic software is originally written by
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
*
*/
#ifndef HEADER_BN_H
-#define HEADER_BN_H
+# define HEADER_BN_H
-#include <openssl/e_os2.h>
-#ifndef OPENSSL_NO_FP_API
-#include <stdio.h> /* FILE */
-#endif
-#include <openssl/ossl_typ.h>
+# include <openssl/e_os2.h>
+# ifndef OPENSSL_NO_FP_API
+# include <stdio.h> /* FILE */
+# endif
+# include <openssl/ossl_typ.h>
+# include <openssl/crypto.h>
#ifdef __cplusplus
extern "C" {
#endif
-/* These preprocessor symbols control various aspects of the bignum headers and
- * library code. They're not defined by any "normal" configuration, as they are
- * intended for development and testing purposes. NB: defining all three can be
- * useful for debugging application code as well as openssl itself.
- *
- * BN_DEBUG - turn on various debugging alterations to the bignum code
- * BN_DEBUG_RAND - uses random poisoning of unused words to trip up
+/*
+ * These preprocessor symbols control various aspects of the bignum headers
+ * and library code. They're not defined by any "normal" configuration, as
+ * they are intended for development and testing purposes. NB: defining all
+ * three can be useful for debugging application code as well as openssl
+ * itself. BN_DEBUG - turn on various debugging alterations to the bignum
+ * code BN_DEBUG_RAND - uses random poisoning of unused words to trip up
* mismanagement of bignum internals. You must also define BN_DEBUG.
*/
/* #define BN_DEBUG */
/* #define BN_DEBUG_RAND */
-#define BN_MUL_COMBA
-#define BN_SQR_COMBA
-#define BN_RECURSION
-
-/* This next option uses the C libraries (2 word)/(1 word) function.
- * If it is not defined, I use my C version (which is slower).
- * The reason for this flag is that when the particular C compiler
- * library routine is used, and the library is linked with a different
- * compiler, the library is missing. This mostly happens when the
- * library is built with gcc and then linked using normal cc. This would
- * be a common occurrence because gcc normally produces code that is
- * 2 times faster than system compilers for the big number stuff.
- * For machines with only one compiler (or shared libraries), this should
- * be on. Again this in only really a problem on machines
- * using "long long's", are 32bit, and are not using my assembler code. */
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || \
- defined(OPENSSL_SYS_WIN32) || defined(linux)
-# ifndef BN_DIV2W
-# define BN_DIV2W
+# ifndef OPENSSL_SMALL_FOOTPRINT
+# define BN_MUL_COMBA
+# define BN_SQR_COMBA
+# define BN_RECURSION
# endif
-#endif
-/* assuming long is 64bit - this is the DEC Alpha
- * unsigned long long is only 64 bits :-(, don't define
- * BN_LLONG for the DEC Alpha */
-#ifdef SIXTY_FOUR_BIT_LONG
-#define BN_ULLONG unsigned long long
-#define BN_ULONG unsigned long
-#define BN_LONG long
-#define BN_BITS 128
-#define BN_BYTES 8
-#define BN_BITS2 64
-#define BN_BITS4 32
-#define BN_MASK (0xffffffffffffffffffffffffffffffffLL)
-#define BN_MASK2 (0xffffffffffffffffL)
-#define BN_MASK2l (0xffffffffL)
-#define BN_MASK2h (0xffffffff00000000L)
-#define BN_MASK2h1 (0xffffffff80000000L)
-#define BN_TBIT (0x8000000000000000L)
-#define BN_DEC_CONV (10000000000000000000UL)
-#define BN_DEC_FMT1 "%lu"
-#define BN_DEC_FMT2 "%019lu"
-#define BN_DEC_NUM 19
-#endif
-
-/* This is where the long long data type is 64 bits, but long is 32.
- * For machines where there are 64bit registers, this is the mode to use.
- * IRIX, on R4000 and above should use this mode, along with the relevant
- * assembler code :-). Do NOT define BN_LLONG.
+/*
+ * This next option uses the C libraries (2 word)/(1 word) function. If it is
+ * not defined, I use my C version (which is slower). The reason for this
+ * flag is that when the particular C compiler library routine is used, and
+ * the library is linked with a different compiler, the library is missing.
+ * This mostly happens when the library is built with gcc and then linked
+ * using normal cc. This would be a common occurrence because gcc normally
+ * produces code that is 2 times faster than system compilers for the big
+ * number stuff. For machines with only one compiler (or shared libraries),
+ * this should be on. Again this in only really a problem on machines using
+ * "long long's", are 32bit, and are not using my assembler code.
*/
-#ifdef SIXTY_FOUR_BIT
-#undef BN_LLONG
-#undef BN_ULLONG
-#define BN_ULONG unsigned long long
-#define BN_LONG long long
-#define BN_BITS 128
-#define BN_BYTES 8
-#define BN_BITS2 64
-#define BN_BITS4 32
-#define BN_MASK2 (0xffffffffffffffffLL)
-#define BN_MASK2l (0xffffffffL)
-#define BN_MASK2h (0xffffffff00000000LL)
-#define BN_MASK2h1 (0xffffffff80000000LL)
-#define BN_TBIT (0x8000000000000000LL)
-#define BN_DEC_CONV (10000000000000000000ULL)
-#define BN_DEC_FMT1 "%llu"
-#define BN_DEC_FMT2 "%019llu"
-#define BN_DEC_NUM 19
-#endif
+# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || \
+ defined(OPENSSL_SYS_WIN32) || defined(linux)
+# ifndef BN_DIV2W
+# define BN_DIV2W
+# endif
+# endif
-#ifdef THIRTY_TWO_BIT
-#ifdef BN_LLONG
-# if defined(OPENSSL_SYS_WIN32) && !defined(__GNUC__)
-# define BN_ULLONG unsigned __int64
-# else
-# define BN_ULLONG unsigned long long
+/*
+ * assuming long is 64bit - this is the DEC Alpha unsigned long long is only
+ * 64 bits :-(, don't define BN_LLONG for the DEC Alpha
+ */
+# ifdef SIXTY_FOUR_BIT_LONG
+# define BN_ULLONG unsigned long long
+# define BN_ULONG unsigned long
+# define BN_LONG long
+# define BN_BITS 128
+# define BN_BYTES 8
+# define BN_BITS2 64
+# define BN_BITS4 32
+# define BN_MASK (0xffffffffffffffffffffffffffffffffLL)
+# define BN_MASK2 (0xffffffffffffffffL)
+# define BN_MASK2l (0xffffffffL)
+# define BN_MASK2h (0xffffffff00000000L)
+# define BN_MASK2h1 (0xffffffff80000000L)
+# define BN_TBIT (0x8000000000000000L)
+# define BN_DEC_CONV (10000000000000000000UL)
+# define BN_DEC_FMT1 "%lu"
+# define BN_DEC_FMT2 "%019lu"
+# define BN_DEC_NUM 19
+# define BN_HEX_FMT1 "%lX"
+# define BN_HEX_FMT2 "%016lX"
# endif
-#endif
-#define BN_ULONG unsigned long
-#define BN_LONG long
-#define BN_BITS 64
-#define BN_BYTES 4
-#define BN_BITS2 32
-#define BN_BITS4 16
-#ifdef OPENSSL_SYS_WIN32
-/* VC++ doesn't like the LL suffix */
-#define BN_MASK (0xffffffffffffffffL)
-#else
-#define BN_MASK (0xffffffffffffffffLL)
-#endif
-#define BN_MASK2 (0xffffffffL)
-#define BN_MASK2l (0xffff)
-#define BN_MASK2h1 (0xffff8000L)
-#define BN_MASK2h (0xffff0000L)
-#define BN_TBIT (0x80000000L)
-#define BN_DEC_CONV (1000000000L)
-#define BN_DEC_FMT1 "%lu"
-#define BN_DEC_FMT2 "%09lu"
-#define BN_DEC_NUM 9
-#endif
-#ifdef SIXTEEN_BIT
-#ifndef BN_DIV2W
-#define BN_DIV2W
-#endif
-#define BN_ULLONG unsigned long
-#define BN_ULONG unsigned short
-#define BN_LONG short
-#define BN_BITS 32
-#define BN_BYTES 2
-#define BN_BITS2 16
-#define BN_BITS4 8
-#define BN_MASK (0xffffffff)
-#define BN_MASK2 (0xffff)
-#define BN_MASK2l (0xff)
-#define BN_MASK2h1 (0xff80)
-#define BN_MASK2h (0xff00)
-#define BN_TBIT (0x8000)
-#define BN_DEC_CONV (100000)
-#define BN_DEC_FMT1 "%u"
-#define BN_DEC_FMT2 "%05u"
-#define BN_DEC_NUM 5
-#endif
+/*
+ * This is where the long long data type is 64 bits, but long is 32. For
+ * machines where there are 64bit registers, this is the mode to use. IRIX,
+ * on R4000 and above should use this mode, along with the relevant assembler
+ * code :-). Do NOT define BN_LLONG.
+ */
+# ifdef SIXTY_FOUR_BIT
+# undef BN_LLONG
+# undef BN_ULLONG
+# define BN_ULONG unsigned long long
+# define BN_LONG long long
+# define BN_BITS 128
+# define BN_BYTES 8
+# define BN_BITS2 64
+# define BN_BITS4 32
+# define BN_MASK2 (0xffffffffffffffffLL)
+# define BN_MASK2l (0xffffffffL)
+# define BN_MASK2h (0xffffffff00000000LL)
+# define BN_MASK2h1 (0xffffffff80000000LL)
+# define BN_TBIT (0x8000000000000000LL)
+# define BN_DEC_CONV (10000000000000000000ULL)
+# define BN_DEC_FMT1 "%llu"
+# define BN_DEC_FMT2 "%019llu"
+# define BN_DEC_NUM 19
+# define BN_HEX_FMT1 "%llX"
+# define BN_HEX_FMT2 "%016llX"
+# endif
-#ifdef EIGHT_BIT
-#ifndef BN_DIV2W
-#define BN_DIV2W
-#endif
-#define BN_ULLONG unsigned short
-#define BN_ULONG unsigned char
-#define BN_LONG char
-#define BN_BITS 16
-#define BN_BYTES 1
-#define BN_BITS2 8
-#define BN_BITS4 4
-#define BN_MASK (0xffff)
-#define BN_MASK2 (0xff)
-#define BN_MASK2l (0xf)
-#define BN_MASK2h1 (0xf8)
-#define BN_MASK2h (0xf0)
-#define BN_TBIT (0x80)
-#define BN_DEC_CONV (100)
-#define BN_DEC_FMT1 "%u"
-#define BN_DEC_FMT2 "%02u"
-#define BN_DEC_NUM 2
-#endif
+# ifdef THIRTY_TWO_BIT
+# ifdef BN_LLONG
+# if defined(_WIN32) && !defined(__GNUC__)
+# define BN_ULLONG unsigned __int64
+# define BN_MASK (0xffffffffffffffffI64)
+# else
+# define BN_ULLONG unsigned long long
+# define BN_MASK (0xffffffffffffffffLL)
+# endif
+# endif
+# define BN_ULONG unsigned int
+# define BN_LONG int
+# define BN_BITS 64
+# define BN_BYTES 4
+# define BN_BITS2 32
+# define BN_BITS4 16
+# define BN_MASK2 (0xffffffffL)
+# define BN_MASK2l (0xffff)
+# define BN_MASK2h1 (0xffff8000L)
+# define BN_MASK2h (0xffff0000L)
+# define BN_TBIT (0x80000000L)
+# define BN_DEC_CONV (1000000000L)
+# define BN_DEC_FMT1 "%u"
+# define BN_DEC_FMT2 "%09u"
+# define BN_DEC_NUM 9
+# define BN_HEX_FMT1 "%X"
+# define BN_HEX_FMT2 "%08X"
+# endif
-#define BN_DEFAULT_BITS 1280
+# define BN_DEFAULT_BITS 1280
-#define BN_FLG_MALLOCED 0x01
-#define BN_FLG_STATIC_DATA 0x02
-#define BN_FLG_CONSTTIME 0x04 /* avoid leaking exponent information through timing,
- * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime,
- * BN_div() will call BN_div_no_branch,
- * BN_mod_inverse() will call BN_mod_inverse_no_branch.
- */
+# define BN_FLG_MALLOCED 0x01
+# define BN_FLG_STATIC_DATA 0x02
-#ifndef OPENSSL_NO_DEPRECATED
-#define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME /* deprecated name for the flag */
- /* avoid leaking exponent information through timings
- * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */
-#endif
+/*
+ * avoid leaking exponent information through timing,
+ * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime,
+ * BN_div() will call BN_div_no_branch,
+ * BN_mod_inverse() will call BN_mod_inverse_no_branch.
+ */
+# define BN_FLG_CONSTTIME 0x04
+
+# ifdef OPENSSL_NO_DEPRECATED
+/* deprecated name for the flag */
+# define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME
+/*
+ * avoid leaking exponent information through timings
+ * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime)
+ */
+# endif
-#ifndef OPENSSL_NO_DEPRECATED
-#define BN_FLG_FREE 0x8000 /* used for debuging */
-#endif
-#define BN_set_flags(b,n) ((b)->flags|=(n))
-#define BN_get_flags(b,n) ((b)->flags&(n))
+# ifndef OPENSSL_NO_DEPRECATED
+# define BN_FLG_FREE 0x8000
+ /* used for debuging */
+# endif
+# define BN_set_flags(b,n) ((b)->flags|=(n))
+# define BN_get_flags(b,n) ((b)->flags&(n))
-/* get a clone of a BIGNUM with changed flags, for *temporary* use only
- * (the two BIGNUMs cannot not be used in parallel!) */
-#define BN_with_flags(dest,b,n) ((dest)->d=(b)->d, \
+/*
+ * get a clone of a BIGNUM with changed flags, for *temporary* use only (the
+ * two BIGNUMs cannot not be used in parallel!)
+ */
+# define BN_with_flags(dest,b,n) ((dest)->d=(b)->d, \
(dest)->top=(b)->top, \
(dest)->dmax=(b)->dmax, \
(dest)->neg=(b)->neg, \
@@ -275,7 +299,7 @@ extern "C" {
| (n)))
/* Already declared in ossl_typ.h */
-#if 0
+# if 0
typedef struct bignum_st BIGNUM;
/* Used for temp variables (declaration hidden in bn_lcl.h) */
typedef struct bignum_ctx BN_CTX;
@@ -283,84 +307,81 @@ typedef struct bn_blinding_st BN_BLINDING;
typedef struct bn_mont_ctx_st BN_MONT_CTX;
typedef struct bn_recp_ctx_st BN_RECP_CTX;
typedef struct bn_gencb_st BN_GENCB;
-#endif
+# endif
-struct bignum_st
- {
- BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit chunks. */
- int top; /* Index of last used d +1. */
- /* The next are internal book keeping for bn_expand. */
- int dmax; /* Size of the d array. */
- int neg; /* one if the number is negative */
- int flags;
- };
+struct bignum_st {
+ BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit
+ * chunks. */
+ int top; /* Index of last used d +1. */
+ /* The next are internal book keeping for bn_expand. */
+ int dmax; /* Size of the d array. */
+ int neg; /* one if the number is negative */
+ int flags;
+};
/* Used for montgomery multiplication */
-struct bn_mont_ctx_st
- {
- int ri; /* number of bits in R */
- BIGNUM RR; /* used to convert to montgomery form */
- BIGNUM N; /* The modulus */
- BIGNUM Ni; /* R*(1/R mod N) - N*Ni = 1
- * (Ni is only stored for bignum algorithm) */
-#if 0
- /* OpenSSL 0.9.9 preview: */
- BN_ULONG n0[2];/* least significant word(s) of Ni */
-#else
- BN_ULONG n0; /* least significant word of Ni */
-#endif
- int flags;
- };
-
-/* Used for reciprocal division/mod functions
- * It cannot be shared between threads
+struct bn_mont_ctx_st {
+ int ri; /* number of bits in R */
+ BIGNUM RR; /* used to convert to montgomery form */
+ BIGNUM N; /* The modulus */
+ BIGNUM Ni; /* R*(1/R mod N) - N*Ni = 1 (Ni is only
+ * stored for bignum algorithm) */
+ BN_ULONG n0[2]; /* least significant word(s) of Ni; (type
+ * changed with 0.9.9, was "BN_ULONG n0;"
+ * before) */
+ int flags;
+};
+
+/*
+ * Used for reciprocal division/mod functions It cannot be shared between
+ * threads
*/
-struct bn_recp_ctx_st
- {
- BIGNUM N; /* the divisor */
- BIGNUM Nr; /* the reciprocal */
- int num_bits;
- int shift;
- int flags;
- };
+struct bn_recp_ctx_st {
+ BIGNUM N; /* the divisor */
+ BIGNUM Nr; /* the reciprocal */
+ int num_bits;
+ int shift;
+ int flags;
+};
/* Used for slow "generation" functions. */
-struct bn_gencb_st
- {
- unsigned int ver; /* To handle binary (in)compatibility */
- void *arg; /* callback-specific data */
- union
- {
- /* if(ver==1) - handles old style callbacks */
- void (*cb_1)(int, int, void *);
- /* if(ver==2) - new callback style */
- int (*cb_2)(int, int, BN_GENCB *);
- } cb;
- };
+struct bn_gencb_st {
+ unsigned int ver; /* To handle binary (in)compatibility */
+ void *arg; /* callback-specific data */
+ union {
+ /* if(ver==1) - handles old style callbacks */
+ void (*cb_1) (int, int, void *);
+ /* if(ver==2) - new callback style */
+ int (*cb_2) (int, int, BN_GENCB *);
+ } cb;
+};
/* Wrapper function to make using BN_GENCB easier, */
int BN_GENCB_call(BN_GENCB *cb, int a, int b);
/* Macro to populate a BN_GENCB structure with an "old"-style callback */
-#define BN_GENCB_set_old(gencb, callback, cb_arg) { \
- BN_GENCB *tmp_gencb = (gencb); \
- tmp_gencb->ver = 1; \
- tmp_gencb->arg = (cb_arg); \
- tmp_gencb->cb.cb_1 = (callback); }
+# define BN_GENCB_set_old(gencb, callback, cb_arg) { \
+ BN_GENCB *tmp_gencb = (gencb); \
+ tmp_gencb->ver = 1; \
+ tmp_gencb->arg = (cb_arg); \
+ tmp_gencb->cb.cb_1 = (callback); }
/* Macro to populate a BN_GENCB structure with a "new"-style callback */
-#define BN_GENCB_set(gencb, callback, cb_arg) { \
- BN_GENCB *tmp_gencb = (gencb); \
- tmp_gencb->ver = 2; \
- tmp_gencb->arg = (cb_arg); \
- tmp_gencb->cb.cb_2 = (callback); }
-
-#define BN_prime_checks 0 /* default: select number of iterations
- based on the size of the number */
-
-/* number of Miller-Rabin iterations for an error rate of less than 2^-80
- * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook
- * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
- * original paper: Damgaard, Landrock, Pomerance: Average case error estimates
- * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */
-#define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \
+# define BN_GENCB_set(gencb, callback, cb_arg) { \
+ BN_GENCB *tmp_gencb = (gencb); \
+ tmp_gencb->ver = 2; \
+ tmp_gencb->arg = (cb_arg); \
+ tmp_gencb->cb.cb_2 = (callback); }
+
+# define BN_prime_checks 0 /* default: select number of iterations based
+ * on the size of the number */
+
+/*
+ * number of Miller-Rabin iterations for an error rate of less than 2^-80 for
+ * random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook of
+ * Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
+ * original paper: Damgaard, Landrock, Pomerance: Average case error
+ * estimates for the strong probable prime test. -- Math. Comp. 61 (1993)
+ * 177-194)
+ */
+# define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \
(b) >= 850 ? 3 : \
(b) >= 650 ? 4 : \
(b) >= 550 ? 5 : \
@@ -373,279 +394,319 @@ int BN_GENCB_call(BN_GENCB *cb, int a, int b);
(b) >= 150 ? 18 : \
/* b >= 100 */ 27)
-#define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
+# define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
/* Note that BN_abs_is_word didn't work reliably for w == 0 until 0.9.8 */
-#define BN_abs_is_word(a,w) ((((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w))) || \
- (((w) == 0) && ((a)->top == 0)))
-#define BN_is_zero(a) ((a)->top == 0)
-#define BN_is_one(a) (BN_abs_is_word((a),1) && !(a)->neg)
-#define BN_is_word(a,w) (BN_abs_is_word((a),(w)) && (!(w) || !(a)->neg))
-#define BN_is_odd(a) (((a)->top > 0) && ((a)->d[0] & 1))
-
-#define BN_one(a) (BN_set_word((a),1))
-#define BN_zero_ex(a) \
- do { \
- BIGNUM *_tmp_bn = (a); \
- _tmp_bn->top = 0; \
- _tmp_bn->neg = 0; \
- } while(0)
-#ifdef OPENSSL_NO_DEPRECATED
-#define BN_zero(a) BN_zero_ex(a)
-#else
-#define BN_zero(a) (BN_set_word((a),0))
-#endif
+# define BN_abs_is_word(a,w) ((((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w))) || \
+ (((w) == 0) && ((a)->top == 0)))
+# define BN_is_zero(a) ((a)->top == 0)
+# define BN_is_one(a) (BN_abs_is_word((a),1) && !(a)->neg)
+# define BN_is_word(a,w) (BN_abs_is_word((a),(w)) && (!(w) || !(a)->neg))
+# define BN_is_odd(a) (((a)->top > 0) && ((a)->d[0] & 1))
+
+# define BN_one(a) (BN_set_word((a),1))
+# define BN_zero_ex(a) \
+ do { \
+ BIGNUM *_tmp_bn = (a); \
+ _tmp_bn->top = 0; \
+ _tmp_bn->neg = 0; \
+ } while(0)
+# ifdef OPENSSL_NO_DEPRECATED
+# define BN_zero(a) BN_zero_ex(a)
+# else
+# define BN_zero(a) (BN_set_word((a),0))
+# endif
const BIGNUM *BN_value_one(void);
-char * BN_options(void);
+char *BN_options(void);
BN_CTX *BN_CTX_new(void);
-#ifndef OPENSSL_NO_DEPRECATED
-void BN_CTX_init(BN_CTX *c);
-#endif
-void BN_CTX_free(BN_CTX *c);
-void BN_CTX_start(BN_CTX *ctx);
+# ifndef OPENSSL_NO_DEPRECATED
+void BN_CTX_init(BN_CTX *c);
+# endif
+void BN_CTX_free(BN_CTX *c);
+void BN_CTX_start(BN_CTX *ctx);
BIGNUM *BN_CTX_get(BN_CTX *ctx);
-void BN_CTX_end(BN_CTX *ctx);
-int BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
-int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom);
-int BN_rand_range(BIGNUM *rnd, const BIGNUM *range);
-int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
-int BN_num_bits(const BIGNUM *a);
-int BN_num_bits_word(BN_ULONG);
+void BN_CTX_end(BN_CTX *ctx);
+int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
+int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
+int BN_rand_range(BIGNUM *rnd, const BIGNUM *range);
+int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
+int BN_num_bits(const BIGNUM *a);
+int BN_num_bits_word(BN_ULONG);
BIGNUM *BN_new(void);
-void BN_init(BIGNUM *);
-void BN_clear_free(BIGNUM *a);
+void BN_init(BIGNUM *);
+void BN_clear_free(BIGNUM *a);
BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
-void BN_swap(BIGNUM *a, BIGNUM *b);
-BIGNUM *BN_bin2bn(const unsigned char *s,int len,BIGNUM *ret);
-int BN_bn2bin(const BIGNUM *a, unsigned char *to);
-BIGNUM *BN_mpi2bn(const unsigned char *s,int len,BIGNUM *ret);
-int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
-int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
-int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
-int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
-int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
-int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
-int BN_sqr(BIGNUM *r, const BIGNUM *a,BN_CTX *ctx);
+void BN_swap(BIGNUM *a, BIGNUM *b);
+BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
+int BN_bn2bin(const BIGNUM *a, unsigned char *to);
+BIGNUM *BN_mpi2bn(const unsigned char *s, int len, BIGNUM *ret);
+int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
+int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
/** BN_set_negative sets sign of a BIGNUM
* \param b pointer to the BIGNUM object
- * \param n 0 if the BIGNUM b should be positive and a value != 0 otherwise
+ * \param n 0 if the BIGNUM b should be positive and a value != 0 otherwise
*/
-void BN_set_negative(BIGNUM *b, int n);
+void BN_set_negative(BIGNUM *b, int n);
/** BN_is_negative returns 1 if the BIGNUM is negative
* \param a pointer to the BIGNUM object
* \return 1 if a < 0 and 0 otherwise
*/
-#define BN_is_negative(a) ((a)->neg != 0)
-
-int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
- BN_CTX *ctx);
-#define BN_mod(rem,m,d,ctx) BN_div(NULL,(rem),(m),(d),(ctx))
-int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx);
-int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
-int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m);
-int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
-int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m);
-int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- const BIGNUM *m, BN_CTX *ctx);
-int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
-int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
-int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m);
-int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx);
-int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m);
+# define BN_is_negative(a) ((a)->neg != 0)
+
+int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
+ BN_CTX *ctx);
+# define BN_mod(rem,m,d,ctx) BN_div(NULL,(rem),(m),(d),(ctx))
+int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx);
+int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
+ BN_CTX *ctx);
+int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ const BIGNUM *m);
+int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
+ BN_CTX *ctx);
+int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ const BIGNUM *m);
+int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
+ BN_CTX *ctx);
+int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m);
+int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m,
+ BN_CTX *ctx);
+int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m);
BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
-int BN_mul_word(BIGNUM *a, BN_ULONG w);
-int BN_add_word(BIGNUM *a, BN_ULONG w);
-int BN_sub_word(BIGNUM *a, BN_ULONG w);
-int BN_set_word(BIGNUM *a, BN_ULONG w);
+int BN_mul_word(BIGNUM *a, BN_ULONG w);
+int BN_add_word(BIGNUM *a, BN_ULONG w);
+int BN_sub_word(BIGNUM *a, BN_ULONG w);
+int BN_set_word(BIGNUM *a, BN_ULONG w);
BN_ULONG BN_get_word(const BIGNUM *a);
-int BN_cmp(const BIGNUM *a, const BIGNUM *b);
-void BN_free(BIGNUM *a);
-int BN_is_bit_set(const BIGNUM *a, int n);
-int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
-int BN_lshift1(BIGNUM *r, const BIGNUM *a);
-int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,BN_CTX *ctx);
-
-int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m,BN_CTX *ctx);
-int BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_cmp(const BIGNUM *a, const BIGNUM *b);
+void BN_free(BIGNUM *a);
+int BN_is_bit_set(const BIGNUM *a, int n);
+int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
+int BN_lshift1(BIGNUM *r, const BIGNUM *a);
+int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+
+int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont);
-int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-int BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1,
- const BIGNUM *a2, const BIGNUM *p2,const BIGNUM *m,
- BN_CTX *ctx,BN_MONT_CTX *m_ctx);
-int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m,BN_CTX *ctx);
-
-int BN_mask_bits(BIGNUM *a,int n);
-#ifndef OPENSSL_NO_FP_API
-int BN_print_fp(FILE *fp, const BIGNUM *a);
-#endif
-#ifdef HEADER_BIO_H
-int BN_print(BIO *fp, const BIGNUM *a);
-#else
-int BN_print(void *fp, const BIGNUM *a);
-#endif
-int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx);
-int BN_rshift(BIGNUM *r, const BIGNUM *a, int n);
-int BN_rshift1(BIGNUM *r, const BIGNUM *a);
-void BN_clear(BIGNUM *a);
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *in_mont);
+int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1,
+ const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m,
+ BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx);
+
+int BN_mask_bits(BIGNUM *a, int n);
+# ifndef OPENSSL_NO_FP_API
+int BN_print_fp(FILE *fp, const BIGNUM *a);
+# endif
+# ifdef HEADER_BIO_H
+int BN_print(BIO *fp, const BIGNUM *a);
+# else
+int BN_print(void *fp, const BIGNUM *a);
+# endif
+int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx);
+int BN_rshift(BIGNUM *r, const BIGNUM *a, int n);
+int BN_rshift1(BIGNUM *r, const BIGNUM *a);
+void BN_clear(BIGNUM *a);
BIGNUM *BN_dup(const BIGNUM *a);
-int BN_ucmp(const BIGNUM *a, const BIGNUM *b);
-int BN_set_bit(BIGNUM *a, int n);
-int BN_clear_bit(BIGNUM *a, int n);
-char * BN_bn2hex(const BIGNUM *a);
-char * BN_bn2dec(const BIGNUM *a);
-int BN_hex2bn(BIGNUM **a, const char *str);
-int BN_dec2bn(BIGNUM **a, const char *str);
-int BN_gcd(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,BN_CTX *ctx);
-int BN_kronecker(const BIGNUM *a,const BIGNUM *b,BN_CTX *ctx); /* returns -2 for error */
+int BN_ucmp(const BIGNUM *a, const BIGNUM *b);
+int BN_set_bit(BIGNUM *a, int n);
+int BN_clear_bit(BIGNUM *a, int n);
+char *BN_bn2hex(const BIGNUM *a);
+char *BN_bn2dec(const BIGNUM *a);
+int BN_hex2bn(BIGNUM **a, const char *str);
+int BN_dec2bn(BIGNUM **a, const char *str);
+int BN_asc2bn(BIGNUM **a, const char *str);
+int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); /* returns
+ * -2 for
+ * error */
BIGNUM *BN_mod_inverse(BIGNUM *ret,
- const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
+ const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
BIGNUM *BN_mod_sqrt(BIGNUM *ret,
- const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
+ const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
+
+void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
/* Deprecated versions */
-#ifndef OPENSSL_NO_DEPRECATED
-BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
- const BIGNUM *add, const BIGNUM *rem,
- void (*callback)(int,int,void *),void *cb_arg);
-int BN_is_prime(const BIGNUM *p,int nchecks,
- void (*callback)(int,int,void *),
- BN_CTX *ctx,void *cb_arg);
-int BN_is_prime_fasttest(const BIGNUM *p,int nchecks,
- void (*callback)(int,int,void *),BN_CTX *ctx,void *cb_arg,
- int do_trial_division);
-#endif /* !defined(OPENSSL_NO_DEPRECATED) */
+# ifndef OPENSSL_NO_DEPRECATED
+BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
+ const BIGNUM *add, const BIGNUM *rem,
+ void (*callback) (int, int, void *), void *cb_arg);
+int BN_is_prime(const BIGNUM *p, int nchecks,
+ void (*callback) (int, int, void *),
+ BN_CTX *ctx, void *cb_arg);
+int BN_is_prime_fasttest(const BIGNUM *p, int nchecks,
+ void (*callback) (int, int, void *), BN_CTX *ctx,
+ void *cb_arg, int do_trial_division);
+# endif /* !defined(OPENSSL_NO_DEPRECATED) */
/* Newer versions */
-int BN_generate_prime_ex(BIGNUM *ret,int bits,int safe, const BIGNUM *add,
- const BIGNUM *rem, BN_GENCB *cb);
-int BN_is_prime_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, BN_GENCB *cb);
-int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx,
- int do_trial_division, BN_GENCB *cb);
+int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
+ const BIGNUM *rem, BN_GENCB *cb);
+int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb);
+int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx,
+ int do_trial_division, BN_GENCB *cb);
int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);
int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
- const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
- const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);
-int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
- BIGNUM *Xp1, BIGNUM *Xp2,
- const BIGNUM *Xp,
- const BIGNUM *e, BN_CTX *ctx,
- BN_GENCB *cb);
-
-BN_MONT_CTX *BN_MONT_CTX_new(void );
+ const BIGNUM *Xp, const BIGNUM *Xp1,
+ const BIGNUM *Xp2, const BIGNUM *e, BN_CTX *ctx,
+ BN_GENCB *cb);
+int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, BIGNUM *Xp1,
+ BIGNUM *Xp2, const BIGNUM *Xp, const BIGNUM *e,
+ BN_CTX *ctx, BN_GENCB *cb);
+
+BN_MONT_CTX *BN_MONT_CTX_new(void);
void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
-int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
- BN_MONT_CTX *mont, BN_CTX *ctx);
-#define BN_to_montgomery(r,a,mont,ctx) BN_mod_mul_montgomery(\
- (r),(a),&((mont)->RR),(mont),(ctx))
-int BN_from_montgomery(BIGNUM *r,const BIGNUM *a,
- BN_MONT_CTX *mont, BN_CTX *ctx);
+int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ BN_MONT_CTX *mont, BN_CTX *ctx);
+# define BN_to_montgomery(r,a,mont,ctx) BN_mod_mul_montgomery(\
+ (r),(a),&((mont)->RR),(mont),(ctx))
+int BN_from_montgomery(BIGNUM *r, const BIGNUM *a,
+ BN_MONT_CTX *mont, BN_CTX *ctx);
void BN_MONT_CTX_free(BN_MONT_CTX *mont);
-int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *mod,BN_CTX *ctx);
-BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
+int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx);
+BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from);
BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
- const BIGNUM *mod, BN_CTX *ctx);
+ const BIGNUM *mod, BN_CTX *ctx);
/* BN_BLINDING flags */
-#define BN_BLINDING_NO_UPDATE 0x00000001
-#define BN_BLINDING_NO_RECREATE 0x00000002
+# define BN_BLINDING_NO_UPDATE 0x00000001
+# define BN_BLINDING_NO_RECREATE 0x00000002
-BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, /* const */ BIGNUM *mod);
+BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod);
void BN_BLINDING_free(BN_BLINDING *b);
-int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
+int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx);
int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
-int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *);
+int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
+ BN_CTX *);
+# ifndef OPENSSL_NO_DEPRECATED
unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
+# endif
+CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
- const BIGNUM *e, /* const */ BIGNUM *m, BN_CTX *ctx,
- int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
- BN_MONT_CTX *m_ctx);
-
-#ifndef OPENSSL_NO_DEPRECATED
-void BN_set_params(int mul,int high,int low,int mont);
-int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */
-#endif
+ const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
+ int (*bn_mod_exp) (BIGNUM *r,
+ const BIGNUM *a,
+ const BIGNUM *p,
+ const BIGNUM *m,
+ BN_CTX *ctx,
+ BN_MONT_CTX *m_ctx),
+ BN_MONT_CTX *m_ctx);
+
+# ifndef OPENSSL_NO_DEPRECATED
+void BN_set_params(int mul, int high, int low, int mont);
+int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */
+# endif
-void BN_RECP_CTX_init(BN_RECP_CTX *recp);
+void BN_RECP_CTX_init(BN_RECP_CTX *recp);
BN_RECP_CTX *BN_RECP_CTX_new(void);
-void BN_RECP_CTX_free(BN_RECP_CTX *recp);
-int BN_RECP_CTX_set(BN_RECP_CTX *recp,const BIGNUM *rdiv,BN_CTX *ctx);
-int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
- BN_RECP_CTX *recp,BN_CTX *ctx);
-int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx);
-int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
- BN_RECP_CTX *recp, BN_CTX *ctx);
-
-/* Functions for arithmetic over binary polynomials represented by BIGNUMs.
- *
+void BN_RECP_CTX_free(BN_RECP_CTX *recp);
+int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *rdiv, BN_CTX *ctx);
+int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
+ BN_RECP_CTX *recp, BN_CTX *ctx);
+int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx);
+int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
+ BN_RECP_CTX *recp, BN_CTX *ctx);
+
+# ifndef OPENSSL_NO_EC2M
+
+/*
+ * Functions for arithmetic over binary polynomials represented by BIGNUMs.
* The BIGNUM::neg property of BIGNUMs representing binary polynomials is
- * ignored.
- *
- * Note that input arguments are not const so that their bit arrays can
- * be expanded to the appropriate size if needed.
+ * ignored. Note that input arguments are not const so that their bit arrays
+ * can be expanded to the appropriate size if needed.
*/
-int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); /*r = a + b*/
-#define BN_GF2m_sub(r, a, b) BN_GF2m_add(r, a, b)
-int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p); /*r=a mod p*/
-int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- const BIGNUM *p, BN_CTX *ctx); /* r = (a * b) mod p */
-int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- BN_CTX *ctx); /* r = (a * a) mod p */
-int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *b, const BIGNUM *p,
- BN_CTX *ctx); /* r = (1 / b) mod p */
-int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- const BIGNUM *p, BN_CTX *ctx); /* r = (a / b) mod p */
-int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- const BIGNUM *p, BN_CTX *ctx); /* r = (a ^ b) mod p */
-int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- BN_CTX *ctx); /* r = sqrt(a) mod p */
-int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- BN_CTX *ctx); /* r^2 + r = a mod p */
-#define BN_GF2m_cmp(a, b) BN_ucmp((a), (b))
-/* Some functions allow for representation of the irreducible polynomials
+/*
+ * r = a + b
+ */
+int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+# define BN_GF2m_sub(r, a, b) BN_GF2m_add(r, a, b)
+/*
+ * r=a mod p
+ */
+int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p);
+/* r = (a * b) mod p */
+int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ const BIGNUM *p, BN_CTX *ctx);
+/* r = (a * a) mod p */
+int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+/* r = (1 / b) mod p */
+int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx);
+/* r = (a / b) mod p */
+int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ const BIGNUM *p, BN_CTX *ctx);
+/* r = (a ^ b) mod p */
+int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ const BIGNUM *p, BN_CTX *ctx);
+/* r = sqrt(a) mod p */
+int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ BN_CTX *ctx);
+/* r^2 + r = a mod p */
+int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ BN_CTX *ctx);
+# define BN_GF2m_cmp(a, b) BN_ucmp((a), (b))
+/*-
+ * Some functions allow for representation of the irreducible polynomials
* as an unsigned int[], say p. The irreducible f(t) is then of the form:
* t^p[0] + t^p[1] + ... + t^p[k]
* where m = p[0] > p[1] > ... > p[k] = 0.
*/
-int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[]);
- /* r = a mod p */
-int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- const unsigned int p[], BN_CTX *ctx); /* r = (a * b) mod p */
-int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[],
- BN_CTX *ctx); /* r = (a * a) mod p */
-int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *b, const unsigned int p[],
- BN_CTX *ctx); /* r = (1 / b) mod p */
-int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- const unsigned int p[], BN_CTX *ctx); /* r = (a / b) mod p */
-int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- const unsigned int p[], BN_CTX *ctx); /* r = (a ^ b) mod p */
-int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a,
- const unsigned int p[], BN_CTX *ctx); /* r = sqrt(a) mod p */
-int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a,
- const unsigned int p[], BN_CTX *ctx); /* r^2 + r = a mod p */
-int BN_GF2m_poly2arr(const BIGNUM *a, unsigned int p[], int max);
-int BN_GF2m_arr2poly(const unsigned int p[], BIGNUM *a);
-
-/* faster mod functions for the 'NIST primes'
- * 0 <= a < p^2 */
+/* r = a mod p */
+int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[]);
+/* r = (a * b) mod p */
+int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ const int p[], BN_CTX *ctx);
+/* r = (a * a) mod p */
+int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[],
+ BN_CTX *ctx);
+/* r = (1 / b) mod p */
+int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *b, const int p[],
+ BN_CTX *ctx);
+/* r = (a / b) mod p */
+int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ const int p[], BN_CTX *ctx);
+/* r = (a ^ b) mod p */
+int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ const int p[], BN_CTX *ctx);
+/* r = sqrt(a) mod p */
+int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a,
+ const int p[], BN_CTX *ctx);
+/* r^2 + r = a mod p */
+int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a,
+ const int p[], BN_CTX *ctx);
+int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max);
+int BN_GF2m_arr2poly(const int p[], BIGNUM *a);
+
+# endif
+
+/*
+ * faster mod functions for the 'NIST primes' 0 <= a < p^2
+ */
int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
@@ -660,15 +721,16 @@ const BIGNUM *BN_get0_nist_prime_521(void);
/* library internal functions */
-#define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
- (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
-#define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
+# define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
+ (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
+# define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
BIGNUM *bn_expand2(BIGNUM *a, int words);
-#ifndef OPENSSL_NO_DEPRECATED
+# ifndef OPENSSL_NO_DEPRECATED
BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */
-#endif
+# endif
-/* Bignum consistency macros
+/*-
+ * Bignum consistency macros
* There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
* bignum data after direct manipulations on the data. There is also an
* "internal" macro, bn_check_top(), for verifying that there are no leading
@@ -696,75 +758,92 @@ BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */
* coverage for openssl's own code.
*/
-#ifdef BN_DEBUG
+# ifdef BN_DEBUG
/* We only need assert() when debugging */
-#include <assert.h>
+# include <assert.h>
-#ifdef BN_DEBUG_RAND
+# ifdef BN_DEBUG_RAND
/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
-#ifndef RAND_pseudo_bytes
-int RAND_pseudo_bytes(unsigned char *buf,int num);
-#define BN_DEBUG_TRIX
-#endif
-#define bn_pollute(a) \
- do { \
- const BIGNUM *_bnum1 = (a); \
- if(_bnum1->top < _bnum1->dmax) { \
- unsigned char _tmp_char; \
- /* We cast away const without the compiler knowing, any \
- * *genuinely* constant variables that aren't mutable \
- * wouldn't be constructed with top!=dmax. */ \
- BN_ULONG *_not_const; \
- memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \
- RAND_pseudo_bytes(&_tmp_char, 1); \
- memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \
- (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \
- } \
- } while(0)
-#ifdef BN_DEBUG_TRIX
-#undef RAND_pseudo_bytes
-#endif
-#else
-#define bn_pollute(a)
-#endif
-#define bn_check_top(a) \
- do { \
- const BIGNUM *_bnum2 = (a); \
- if (_bnum2 != NULL) { \
- assert((_bnum2->top == 0) || \
- (_bnum2->d[_bnum2->top - 1] != 0)); \
- bn_pollute(_bnum2); \
- } \
- } while(0)
+# ifndef RAND_pseudo_bytes
+int RAND_pseudo_bytes(unsigned char *buf, int num);
+# define BN_DEBUG_TRIX
+# endif
+# define bn_pollute(a) \
+ do { \
+ const BIGNUM *_bnum1 = (a); \
+ if(_bnum1->top < _bnum1->dmax) { \
+ unsigned char _tmp_char; \
+ /* We cast away const without the compiler knowing, any \
+ * *genuinely* constant variables that aren't mutable \
+ * wouldn't be constructed with top!=dmax. */ \
+ BN_ULONG *_not_const; \
+ memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \
+ /* Debug only - safe to ignore error return */ \
+ RAND_pseudo_bytes(&_tmp_char, 1); \
+ memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \
+ (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \
+ } \
+ } while(0)
+# ifdef BN_DEBUG_TRIX
+# undef RAND_pseudo_bytes
+# endif
+# else
+# define bn_pollute(a)
+# endif
+# define bn_check_top(a) \
+ do { \
+ const BIGNUM *_bnum2 = (a); \
+ if (_bnum2 != NULL) { \
+ assert((_bnum2->top == 0) || \
+ (_bnum2->d[_bnum2->top - 1] != 0)); \
+ bn_pollute(_bnum2); \
+ } \
+ } while(0)
+
+# define bn_fix_top(a) bn_check_top(a)
+
+# define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
+# define bn_wcheck_size(bn, words) \
+ do { \
+ const BIGNUM *_bnum2 = (bn); \
+ assert((words) <= (_bnum2)->dmax && (words) >= (_bnum2)->top); \
+ /* avoid unused variable warning with NDEBUG */ \
+ (void)(_bnum2); \
+ } while(0)
+
+# else /* !BN_DEBUG */
+
+# define bn_pollute(a)
+# define bn_check_top(a)
+# define bn_fix_top(a) bn_correct_top(a)
+# define bn_check_size(bn, bits)
+# define bn_wcheck_size(bn, words)
-#define bn_fix_top(a) bn_check_top(a)
-
-#else /* !BN_DEBUG */
-
-#define bn_pollute(a)
-#define bn_check_top(a)
-#define bn_fix_top(a) bn_correct_top(a)
-
-#endif
+# endif
-#define bn_correct_top(a) \
+# define bn_correct_top(a) \
{ \
BN_ULONG *ftl; \
- if ((a)->top > 0) \
- { \
- for (ftl= &((a)->d[(a)->top-1]); (a)->top > 0; (a)->top--) \
- if (*(ftl--)) break; \
- } \
- bn_pollute(a); \
- }
-
-BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
+ int tmp_top = (a)->top; \
+ if (tmp_top > 0) \
+ { \
+ for (ftl= &((a)->d[tmp_top-1]); tmp_top > 0; tmp_top--) \
+ if (*(ftl--)) break; \
+ (a)->top = tmp_top; \
+ } \
+ bn_pollute(a); \
+ }
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
+ BN_ULONG w);
BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
-void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
+void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
-BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
-BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
+BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ int num);
+BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ int num);
/* Primes from RFC 2409 */
BIGNUM *get_rfc2409_prime_768(BIGNUM *bn);
@@ -778,10 +857,11 @@ BIGNUM *get_rfc3526_prime_4096(BIGNUM *bn);
BIGNUM *get_rfc3526_prime_6144(BIGNUM *bn);
BIGNUM *get_rfc3526_prime_8192(BIGNUM *bn);
-int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom);
+int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
+/*
+ * The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_BN_strings(void);
@@ -789,65 +869,69 @@ void ERR_load_BN_strings(void);
/* Error codes for the BN functions. */
/* Function codes. */
-#define BN_F_BNRAND 127
-#define BN_F_BN_BLINDING_CONVERT_EX 100
-#define BN_F_BN_BLINDING_CREATE_PARAM 128
-#define BN_F_BN_BLINDING_INVERT_EX 101
-#define BN_F_BN_BLINDING_NEW 102
-#define BN_F_BN_BLINDING_UPDATE 103
-#define BN_F_BN_BN2DEC 104
-#define BN_F_BN_BN2HEX 105
-#define BN_F_BN_CTX_GET 116
-#define BN_F_BN_CTX_NEW 106
-#define BN_F_BN_CTX_START 129
-#define BN_F_BN_DIV 107
-#define BN_F_BN_DIV_NO_BRANCH 138
-#define BN_F_BN_DIV_RECP 130
-#define BN_F_BN_EXP 123
-#define BN_F_BN_EXPAND2 108
-#define BN_F_BN_EXPAND_INTERNAL 120
-#define BN_F_BN_GF2M_MOD 131
-#define BN_F_BN_GF2M_MOD_EXP 132
-#define BN_F_BN_GF2M_MOD_MUL 133
-#define BN_F_BN_GF2M_MOD_SOLVE_QUAD 134
-#define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR 135
-#define BN_F_BN_GF2M_MOD_SQR 136
-#define BN_F_BN_GF2M_MOD_SQRT 137
-#define BN_F_BN_MOD_EXP2_MONT 118
-#define BN_F_BN_MOD_EXP_MONT 109
-#define BN_F_BN_MOD_EXP_MONT_CONSTTIME 124
-#define BN_F_BN_MOD_EXP_MONT_WORD 117
-#define BN_F_BN_MOD_EXP_RECP 125
-#define BN_F_BN_MOD_EXP_SIMPLE 126
-#define BN_F_BN_MOD_INVERSE 110
-#define BN_F_BN_MOD_INVERSE_NO_BRANCH 139
-#define BN_F_BN_MOD_LSHIFT_QUICK 119
-#define BN_F_BN_MOD_MUL_RECIPROCAL 111
-#define BN_F_BN_MOD_SQRT 121
-#define BN_F_BN_MPI2BN 112
-#define BN_F_BN_NEW 113
-#define BN_F_BN_RAND 114
-#define BN_F_BN_RAND_RANGE 122
-#define BN_F_BN_USUB 115
+# define BN_F_BNRAND 127
+# define BN_F_BN_BLINDING_CONVERT_EX 100
+# define BN_F_BN_BLINDING_CREATE_PARAM 128
+# define BN_F_BN_BLINDING_INVERT_EX 101
+# define BN_F_BN_BLINDING_NEW 102
+# define BN_F_BN_BLINDING_UPDATE 103
+# define BN_F_BN_BN2DEC 104
+# define BN_F_BN_BN2HEX 105
+# define BN_F_BN_CTX_GET 116
+# define BN_F_BN_CTX_NEW 106
+# define BN_F_BN_CTX_START 129
+# define BN_F_BN_DIV 107
+# define BN_F_BN_DIV_NO_BRANCH 138
+# define BN_F_BN_DIV_RECP 130
+# define BN_F_BN_EXP 123
+# define BN_F_BN_EXPAND2 108
+# define BN_F_BN_EXPAND_INTERNAL 120
+# define BN_F_BN_GF2M_MOD 131
+# define BN_F_BN_GF2M_MOD_EXP 132
+# define BN_F_BN_GF2M_MOD_MUL 133
+# define BN_F_BN_GF2M_MOD_SOLVE_QUAD 134
+# define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR 135
+# define BN_F_BN_GF2M_MOD_SQR 136
+# define BN_F_BN_GF2M_MOD_SQRT 137
+# define BN_F_BN_LSHIFT 145
+# define BN_F_BN_MOD_EXP2_MONT 118
+# define BN_F_BN_MOD_EXP_MONT 109
+# define BN_F_BN_MOD_EXP_MONT_CONSTTIME 124
+# define BN_F_BN_MOD_EXP_MONT_WORD 117
+# define BN_F_BN_MOD_EXP_RECP 125
+# define BN_F_BN_MOD_EXP_SIMPLE 126
+# define BN_F_BN_MOD_INVERSE 110
+# define BN_F_BN_MOD_INVERSE_NO_BRANCH 139
+# define BN_F_BN_MOD_LSHIFT_QUICK 119
+# define BN_F_BN_MOD_MUL_RECIPROCAL 111
+# define BN_F_BN_MOD_SQRT 121
+# define BN_F_BN_MPI2BN 112
+# define BN_F_BN_NEW 113
+# define BN_F_BN_RAND 114
+# define BN_F_BN_RAND_RANGE 122
+# define BN_F_BN_RSHIFT 146
+# define BN_F_BN_USUB 115
/* Reason codes. */
-#define BN_R_ARG2_LT_ARG3 100
-#define BN_R_BAD_RECIPROCAL 101
-#define BN_R_BIGNUM_TOO_LONG 114
-#define BN_R_CALLED_WITH_EVEN_MODULUS 102
-#define BN_R_DIV_BY_ZERO 103
-#define BN_R_ENCODING_ERROR 104
-#define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105
-#define BN_R_INPUT_NOT_REDUCED 110
-#define BN_R_INVALID_LENGTH 106
-#define BN_R_INVALID_RANGE 115
-#define BN_R_NOT_A_SQUARE 111
-#define BN_R_NOT_INITIALIZED 107
-#define BN_R_NO_INVERSE 108
-#define BN_R_NO_SOLUTION 116
-#define BN_R_P_IS_NOT_PRIME 112
-#define BN_R_TOO_MANY_ITERATIONS 113
-#define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109
+# define BN_R_ARG2_LT_ARG3 100
+# define BN_R_BAD_RECIPROCAL 101
+# define BN_R_BIGNUM_TOO_LONG 114
+# define BN_R_BITS_TOO_SMALL 118
+# define BN_R_CALLED_WITH_EVEN_MODULUS 102
+# define BN_R_DIV_BY_ZERO 103
+# define BN_R_ENCODING_ERROR 104
+# define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105
+# define BN_R_INPUT_NOT_REDUCED 110
+# define BN_R_INVALID_LENGTH 106
+# define BN_R_INVALID_RANGE 115
+# define BN_R_INVALID_SHIFT 119
+# define BN_R_NOT_A_SQUARE 111
+# define BN_R_NOT_INITIALIZED 107
+# define BN_R_NO_INVERSE 108
+# define BN_R_NO_SOLUTION 116
+# define BN_R_P_IS_NOT_PRIME 112
+# define BN_R_TOO_MANY_ITERATIONS 113
+# define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109
#ifdef __cplusplus
}
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_asm.c b/Cryptlib/OpenSSL/crypto/bn/bn_asm.c
index 92e9539c..03a33cff 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_asm.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_asm.c
@@ -77,6 +77,7 @@ BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
if (num <= 0)
return (c1);
+# ifndef OPENSSL_SMALL_FOOTPRINT
while (num & ~3) {
mul_add(rp[0], ap[0], w, c1);
mul_add(rp[1], ap[1], w, c1);
@@ -86,15 +87,12 @@ BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
rp += 4;
num -= 4;
}
- if (num) {
+# endif
+ while (num) {
mul_add(rp[0], ap[0], w, c1);
- if (--num == 0)
- return c1;
- mul_add(rp[1], ap[1], w, c1);
- if (--num == 0)
- return c1;
- mul_add(rp[2], ap[2], w, c1);
- return c1;
+ ap++;
+ rp++;
+ num--;
}
return (c1);
@@ -108,6 +106,7 @@ BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w)
if (num <= 0)
return (c1);
+# ifndef OPENSSL_SMALL_FOOTPRINT
while (num & ~3) {
mul(rp[0], ap[0], w, c1);
mul(rp[1], ap[1], w, c1);
@@ -117,14 +116,12 @@ BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w)
rp += 4;
num -= 4;
}
- if (num) {
+# endif
+ while (num) {
mul(rp[0], ap[0], w, c1);
- if (--num == 0)
- return c1;
- mul(rp[1], ap[1], w, c1);
- if (--num == 0)
- return c1;
- mul(rp[2], ap[2], w, c1);
+ ap++;
+ rp++;
+ num--;
}
return (c1);
}
@@ -134,6 +131,8 @@ void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n)
assert(n >= 0);
if (n <= 0)
return;
+
+# ifndef OPENSSL_SMALL_FOOTPRINT
while (n & ~3) {
sqr(r[0], r[1], a[0]);
sqr(r[2], r[3], a[1]);
@@ -143,14 +142,12 @@ void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n)
r += 8;
n -= 4;
}
- if (n) {
+# endif
+ while (n) {
sqr(r[0], r[1], a[0]);
- if (--n == 0)
- return;
- sqr(r[2], r[3], a[1]);
- if (--n == 0)
- return;
- sqr(r[4], r[5], a[2]);
+ a++;
+ r += 2;
+ n--;
}
}
@@ -170,21 +167,22 @@ BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
bl = LBITS(w);
bh = HBITS(w);
- for (;;) {
+# ifndef OPENSSL_SMALL_FOOTPRINT
+ while (num & ~3) {
mul_add(rp[0], ap[0], bl, bh, c);
- if (--num == 0)
- break;
mul_add(rp[1], ap[1], bl, bh, c);
- if (--num == 0)
- break;
mul_add(rp[2], ap[2], bl, bh, c);
- if (--num == 0)
- break;
mul_add(rp[3], ap[3], bl, bh, c);
- if (--num == 0)
- break;
ap += 4;
rp += 4;
+ num -= 4;
+ }
+# endif
+ while (num) {
+ mul_add(rp[0], ap[0], bl, bh, c);
+ ap++;
+ rp++;
+ num--;
}
return (c);
}
@@ -201,21 +199,22 @@ BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w)
bl = LBITS(w);
bh = HBITS(w);
- for (;;) {
+# ifndef OPENSSL_SMALL_FOOTPRINT
+ while (num & ~3) {
mul(rp[0], ap[0], bl, bh, carry);
- if (--num == 0)
- break;
mul(rp[1], ap[1], bl, bh, carry);
- if (--num == 0)
- break;
mul(rp[2], ap[2], bl, bh, carry);
- if (--num == 0)
- break;
mul(rp[3], ap[3], bl, bh, carry);
- if (--num == 0)
- break;
ap += 4;
rp += 4;
+ num -= 4;
+ }
+# endif
+ while (num) {
+ mul(rp[0], ap[0], bl, bh, carry);
+ ap++;
+ rp++;
+ num--;
}
return (carry);
}
@@ -225,25 +224,23 @@ void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n)
assert(n >= 0);
if (n <= 0)
return;
- for (;;) {
- sqr64(r[0], r[1], a[0]);
- if (--n == 0)
- break;
+# ifndef OPENSSL_SMALL_FOOTPRINT
+ while (n & ~3) {
+ sqr64(r[0], r[1], a[0]);
sqr64(r[2], r[3], a[1]);
- if (--n == 0)
- break;
-
sqr64(r[4], r[5], a[2]);
- if (--n == 0)
- break;
-
sqr64(r[6], r[7], a[3]);
- if (--n == 0)
- break;
-
a += 4;
r += 8;
+ n -= 4;
+ }
+# endif
+ while (n) {
+ sqr64(r[0], r[1], a[0]);
+ a++;
+ r += 2;
+ n--;
}
}
@@ -335,34 +332,34 @@ BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
if (n <= 0)
return ((BN_ULONG)0);
- for (;;) {
+# ifndef OPENSSL_SMALL_FOOTPRINT
+ while (n & ~3) {
ll += (BN_ULLONG) a[0] + b[0];
r[0] = (BN_ULONG)ll & BN_MASK2;
ll >>= BN_BITS2;
- if (--n <= 0)
- break;
-
ll += (BN_ULLONG) a[1] + b[1];
r[1] = (BN_ULONG)ll & BN_MASK2;
ll >>= BN_BITS2;
- if (--n <= 0)
- break;
-
ll += (BN_ULLONG) a[2] + b[2];
r[2] = (BN_ULONG)ll & BN_MASK2;
ll >>= BN_BITS2;
- if (--n <= 0)
- break;
-
ll += (BN_ULLONG) a[3] + b[3];
r[3] = (BN_ULONG)ll & BN_MASK2;
ll >>= BN_BITS2;
- if (--n <= 0)
- break;
-
a += 4;
b += 4;
r += 4;
+ n -= 4;
+ }
+# endif
+ while (n) {
+ ll += (BN_ULLONG) a[0] + b[0];
+ r[0] = (BN_ULONG)ll & BN_MASK2;
+ ll >>= BN_BITS2;
+ a++;
+ b++;
+ r++;
+ n--;
}
return ((BN_ULONG)ll);
}
@@ -377,46 +374,49 @@ BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
return ((BN_ULONG)0);
c = 0;
- for (;;) {
+# ifndef OPENSSL_SMALL_FOOTPRINT
+ while (n & ~3) {
t = a[0];
t = (t + c) & BN_MASK2;
c = (t < c);
l = (t + b[0]) & BN_MASK2;
c += (l < t);
r[0] = l;
- if (--n <= 0)
- break;
-
t = a[1];
t = (t + c) & BN_MASK2;
c = (t < c);
l = (t + b[1]) & BN_MASK2;
c += (l < t);
r[1] = l;
- if (--n <= 0)
- break;
-
t = a[2];
t = (t + c) & BN_MASK2;
c = (t < c);
l = (t + b[2]) & BN_MASK2;
c += (l < t);
r[2] = l;
- if (--n <= 0)
- break;
-
t = a[3];
t = (t + c) & BN_MASK2;
c = (t < c);
l = (t + b[3]) & BN_MASK2;
c += (l < t);
r[3] = l;
- if (--n <= 0)
- break;
-
a += 4;
b += 4;
r += 4;
+ n -= 4;
+ }
+# endif
+ while (n) {
+ t = a[0];
+ t = (t + c) & BN_MASK2;
+ c = (t < c);
+ l = (t + b[0]) & BN_MASK2;
+ c += (l < t);
+ r[0] = l;
+ a++;
+ b++;
+ r++;
+ n--;
}
return ((BN_ULONG)c);
}
@@ -432,47 +432,49 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
if (n <= 0)
return ((BN_ULONG)0);
- for (;;) {
+#ifndef OPENSSL_SMALL_FOOTPRINT
+ while (n & ~3) {
t1 = a[0];
t2 = b[0];
r[0] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
- if (--n <= 0)
- break;
-
t1 = a[1];
t2 = b[1];
r[1] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
- if (--n <= 0)
- break;
-
t1 = a[2];
t2 = b[2];
r[2] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
- if (--n <= 0)
- break;
-
t1 = a[3];
t2 = b[3];
r[3] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
- if (--n <= 0)
- break;
-
a += 4;
b += 4;
r += 4;
+ n -= 4;
+ }
+#endif
+ while (n) {
+ t1 = a[0];
+ t2 = b[0];
+ r[0] = (t1 - t2 - c) & BN_MASK2;
+ if (t1 != t2)
+ c = (t1 < t2);
+ a++;
+ b++;
+ r++;
+ n--;
}
return (c);
}
-#ifdef BN_MUL_COMBA
+#if defined(BN_MUL_COMBA) && !defined(OPENSSL_SMALL_FOOTPRINT)
# undef bn_mul_comba8
# undef bn_mul_comba4
@@ -487,121 +489,144 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
* c=(c2,c1,c0)
*/
+# ifdef BN_LLONG
/*
- * Keep in mind that carrying into high part of multiplication result
- * can not overflow, because it cannot be all-ones.
+ * Keep in mind that additions to multiplication result can not
+ * overflow, because its high half cannot be all-ones.
*/
-# ifdef BN_LLONG
-# define mul_add_c(a,b,c0,c1,c2) \
- t=(BN_ULLONG)a*b; \
- t1=(BN_ULONG)Lw(t); \
- t2=(BN_ULONG)Hw(t); \
- c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
- c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-# define mul_add_c2(a,b,c0,c1,c2) \
- t=(BN_ULLONG)a*b; \
- tt=(t+t)&BN_MASK; \
- if (tt < t) c2++; \
- t1=(BN_ULONG)Lw(tt); \
- t2=(BN_ULONG)Hw(tt); \
- c0=(c0+t1)&BN_MASK2; \
- if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \
- c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-# define sqr_add_c(a,i,c0,c1,c2) \
- t=(BN_ULLONG)a[i]*a[i]; \
- t1=(BN_ULONG)Lw(t); \
- t2=(BN_ULONG)Hw(t); \
- c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
- c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+# define mul_add_c(a,b,c0,c1,c2) do { \
+ BN_ULONG hi; \
+ BN_ULLONG t = (BN_ULLONG)(a)*(b); \
+ t += c0; /* no carry */ \
+ c0 = (BN_ULONG)Lw(t); \
+ hi = (BN_ULONG)Hw(t); \
+ c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
+ } while(0)
+
+# define mul_add_c2(a,b,c0,c1,c2) do { \
+ BN_ULONG hi; \
+ BN_ULLONG t = (BN_ULLONG)(a)*(b); \
+ BN_ULLONG tt = t+c0; /* no carry */ \
+ c0 = (BN_ULONG)Lw(tt); \
+ hi = (BN_ULONG)Hw(tt); \
+ c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
+ t += c0; /* no carry */ \
+ c0 = (BN_ULONG)Lw(t); \
+ hi = (BN_ULONG)Hw(t); \
+ c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
+ } while(0)
+
+# define sqr_add_c(a,i,c0,c1,c2) do { \
+ BN_ULONG hi; \
+ BN_ULLONG t = (BN_ULLONG)a[i]*a[i]; \
+ t += c0; /* no carry */ \
+ c0 = (BN_ULONG)Lw(t); \
+ hi = (BN_ULONG)Hw(t); \
+ c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
+ } while(0)
# define sqr_add_c2(a,i,j,c0,c1,c2) \
mul_add_c2((a)[i],(a)[j],c0,c1,c2)
# elif defined(BN_UMULT_LOHI)
-
-# define mul_add_c(a,b,c0,c1,c2) { \
- BN_ULONG ta=(a),tb=(b); \
- BN_UMULT_LOHI(t1,t2,ta,tb); \
- c0 += t1; t2 += (c0<t1)?1:0; \
- c1 += t2; c2 += (c1<t2)?1:0; \
- }
-
-# define mul_add_c2(a,b,c0,c1,c2) { \
- BN_ULONG ta=(a),tb=(b),t0; \
- BN_UMULT_LOHI(t0,t1,ta,tb); \
- c0 += t0; t2 = t1+((c0<t0)?1:0);\
- c1 += t2; c2 += (c1<t2)?1:0; \
- c0 += t0; t1 += (c0<t0)?1:0; \
- c1 += t1; c2 += (c1<t1)?1:0; \
- }
-
-# define sqr_add_c(a,i,c0,c1,c2) { \
- BN_ULONG ta=(a)[i]; \
- BN_UMULT_LOHI(t1,t2,ta,ta); \
- c0 += t1; t2 += (c0<t1)?1:0; \
- c1 += t2; c2 += (c1<t2)?1:0; \
- }
+/*
+ * Keep in mind that additions to hi can not overflow, because
+ * the high word of a multiplication result cannot be all-ones.
+ */
+# define mul_add_c(a,b,c0,c1,c2) do { \
+ BN_ULONG ta = (a), tb = (b); \
+ BN_ULONG lo, hi; \
+ BN_UMULT_LOHI(lo,hi,ta,tb); \
+ c0 += lo; hi += (c0<lo)?1:0; \
+ c1 += hi; c2 += (c1<hi)?1:0; \
+ } while(0)
+
+# define mul_add_c2(a,b,c0,c1,c2) do { \
+ BN_ULONG ta = (a), tb = (b); \
+ BN_ULONG lo, hi, tt; \
+ BN_UMULT_LOHI(lo,hi,ta,tb); \
+ c0 += lo; tt = hi+((c0<lo)?1:0); \
+ c1 += tt; c2 += (c1<tt)?1:0; \
+ c0 += lo; hi += (c0<lo)?1:0; \
+ c1 += hi; c2 += (c1<hi)?1:0; \
+ } while(0)
+
+# define sqr_add_c(a,i,c0,c1,c2) do { \
+ BN_ULONG ta = (a)[i]; \
+ BN_ULONG lo, hi; \
+ BN_UMULT_LOHI(lo,hi,ta,ta); \
+ c0 += lo; hi += (c0<lo)?1:0; \
+ c1 += hi; c2 += (c1<hi)?1:0; \
+ } while(0)
# define sqr_add_c2(a,i,j,c0,c1,c2) \
mul_add_c2((a)[i],(a)[j],c0,c1,c2)
# elif defined(BN_UMULT_HIGH)
-
-# define mul_add_c(a,b,c0,c1,c2) { \
- BN_ULONG ta=(a),tb=(b); \
- t1 = ta * tb; \
- t2 = BN_UMULT_HIGH(ta,tb); \
- c0 += t1; t2 += (c0<t1)?1:0; \
- c1 += t2; c2 += (c1<t2)?1:0; \
- }
-
-# define mul_add_c2(a,b,c0,c1,c2) { \
- BN_ULONG ta=(a),tb=(b),t0; \
- t1 = BN_UMULT_HIGH(ta,tb); \
- t0 = ta * tb; \
- c0 += t0; t2 = t1+((c0<t0)?1:0);\
- c1 += t2; c2 += (c1<t2)?1:0; \
- c0 += t0; t1 += (c0<t0)?1:0; \
- c1 += t1; c2 += (c1<t1)?1:0; \
- }
-
-# define sqr_add_c(a,i,c0,c1,c2) { \
- BN_ULONG ta=(a)[i]; \
- t1 = ta * ta; \
- t2 = BN_UMULT_HIGH(ta,ta); \
- c0 += t1; t2 += (c0<t1)?1:0; \
- c1 += t2; c2 += (c1<t2)?1:0; \
- }
+/*
+ * Keep in mind that additions to hi can not overflow, because
+ * the high word of a multiplication result cannot be all-ones.
+ */
+# define mul_add_c(a,b,c0,c1,c2) do { \
+ BN_ULONG ta = (a), tb = (b); \
+ BN_ULONG lo = ta * tb; \
+ BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \
+ c0 += lo; hi += (c0<lo)?1:0; \
+ c1 += hi; c2 += (c1<hi)?1:0; \
+ } while(0)
+
+# define mul_add_c2(a,b,c0,c1,c2) do { \
+ BN_ULONG ta = (a), tb = (b), tt; \
+ BN_ULONG lo = ta * tb; \
+ BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \
+ c0 += lo; tt = hi + ((c0<lo)?1:0); \
+ c1 += tt; c2 += (c1<tt)?1:0; \
+ c0 += lo; hi += (c0<lo)?1:0; \
+ c1 += hi; c2 += (c1<hi)?1:0; \
+ } while(0)
+
+# define sqr_add_c(a,i,c0,c1,c2) do { \
+ BN_ULONG ta = (a)[i]; \
+ BN_ULONG lo = ta * ta; \
+ BN_ULONG hi = BN_UMULT_HIGH(ta,ta); \
+ c0 += lo; hi += (c0<lo)?1:0; \
+ c1 += hi; c2 += (c1<hi)?1:0; \
+ } while(0)
# define sqr_add_c2(a,i,j,c0,c1,c2) \
mul_add_c2((a)[i],(a)[j],c0,c1,c2)
# else /* !BN_LLONG */
-# define mul_add_c(a,b,c0,c1,c2) \
- t1=LBITS(a); t2=HBITS(a); \
- bl=LBITS(b); bh=HBITS(b); \
- mul64(t1,t2,bl,bh); \
- c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
- c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-# define mul_add_c2(a,b,c0,c1,c2) \
- t1=LBITS(a); t2=HBITS(a); \
- bl=LBITS(b); bh=HBITS(b); \
- mul64(t1,t2,bl,bh); \
- if (t2 & BN_TBIT) c2++; \
- t2=(t2+t2)&BN_MASK2; \
- if (t1 & BN_TBIT) t2++; \
- t1=(t1+t1)&BN_MASK2; \
- c0=(c0+t1)&BN_MASK2; \
- if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \
- c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-# define sqr_add_c(a,i,c0,c1,c2) \
- sqr64(t1,t2,(a)[i]); \
- c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
- c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+/*
+ * Keep in mind that additions to hi can not overflow, because
+ * the high word of a multiplication result cannot be all-ones.
+ */
+# define mul_add_c(a,b,c0,c1,c2) do { \
+ BN_ULONG lo = LBITS(a), hi = HBITS(a); \
+ BN_ULONG bl = LBITS(b), bh = HBITS(b); \
+ mul64(lo,hi,bl,bh); \
+ c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
+ c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
+ } while(0)
+
+# define mul_add_c2(a,b,c0,c1,c2) do { \
+ BN_ULONG tt; \
+ BN_ULONG lo = LBITS(a), hi = HBITS(a); \
+ BN_ULONG bl = LBITS(b), bh = HBITS(b); \
+ mul64(lo,hi,bl,bh); \
+ tt = hi; \
+ c0 = (c0+lo)&BN_MASK2; if (c0<lo) tt++; \
+ c1 = (c1+tt)&BN_MASK2; if (c1<tt) c2++; \
+ c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
+ c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
+ } while(0)
+
+# define sqr_add_c(a,i,c0,c1,c2) do { \
+ BN_ULONG lo, hi; \
+ sqr64(lo,hi,(a)[i]); \
+ c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
+ c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
+ } while(0)
# define sqr_add_c2(a,i,j,c0,c1,c2) \
mul_add_c2((a)[i],(a)[j],c0,c1,c2)
@@ -609,12 +634,6 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
{
-# ifdef BN_LLONG
- BN_ULLONG t;
-# else
- BN_ULONG bl, bh;
-# endif
- BN_ULONG t1, t2;
BN_ULONG c1, c2, c3;
c1 = 0;
@@ -718,12 +737,6 @@ void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
{
-# ifdef BN_LLONG
- BN_ULLONG t;
-# else
- BN_ULONG bl, bh;
-# endif
- BN_ULONG t1, t2;
BN_ULONG c1, c2, c3;
c1 = 0;
@@ -763,12 +776,6 @@ void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a)
{
-# ifdef BN_LLONG
- BN_ULLONG t, tt;
-# else
- BN_ULONG bl, bh;
-# endif
- BN_ULONG t1, t2;
BN_ULONG c1, c2, c3;
c1 = 0;
@@ -844,12 +851,6 @@ void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a)
void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a)
{
-# ifdef BN_LLONG
- BN_ULLONG t, tt;
-# else
- BN_ULONG bl, bh;
-# endif
- BN_ULONG t1, t2;
BN_ULONG c1, c2, c3;
c1 = 0;
@@ -880,18 +881,138 @@ void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a)
r[6] = c1;
r[7] = c2;
}
+
+# ifdef OPENSSL_NO_ASM
+# ifdef OPENSSL_BN_ASM_MONT
+# include <alloca.h>
+/*
+ * This is essentially reference implementation, which may or may not
+ * result in performance improvement. E.g. on IA-32 this routine was
+ * observed to give 40% faster rsa1024 private key operations and 10%
+ * faster rsa4096 ones, while on AMD64 it improves rsa1024 sign only
+ * by 10% and *worsens* rsa4096 sign by 15%. Once again, it's a
+ * reference implementation, one to be used as starting point for
+ * platform-specific assembler. Mentioned numbers apply to compiler
+ * generated code compiled with and without -DOPENSSL_BN_ASM_MONT and
+ * can vary not only from platform to platform, but even for compiler
+ * versions. Assembler vs. assembler improvement coefficients can
+ * [and are known to] differ and are to be documented elsewhere.
+ */
+int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ const BN_ULONG *np, const BN_ULONG *n0p, int num)
+{
+ BN_ULONG c0, c1, ml, *tp, n0;
+# ifdef mul64
+ BN_ULONG mh;
+# endif
+ volatile BN_ULONG *vp;
+ int i = 0, j;
+
+# if 0 /* template for platform-specific
+ * implementation */
+ if (ap == bp)
+ return bn_sqr_mont(rp, ap, np, n0p, num);
+# endif
+ vp = tp = alloca((num + 2) * sizeof(BN_ULONG));
+
+ n0 = *n0p;
+
+ c0 = 0;
+ ml = bp[0];
+# ifdef mul64
+ mh = HBITS(ml);
+ ml = LBITS(ml);
+ for (j = 0; j < num; ++j)
+ mul(tp[j], ap[j], ml, mh, c0);
+# else
+ for (j = 0; j < num; ++j)
+ mul(tp[j], ap[j], ml, c0);
+# endif
+
+ tp[num] = c0;
+ tp[num + 1] = 0;
+ goto enter;
+
+ for (i = 0; i < num; i++) {
+ c0 = 0;
+ ml = bp[i];
+# ifdef mul64
+ mh = HBITS(ml);
+ ml = LBITS(ml);
+ for (j = 0; j < num; ++j)
+ mul_add(tp[j], ap[j], ml, mh, c0);
+# else
+ for (j = 0; j < num; ++j)
+ mul_add(tp[j], ap[j], ml, c0);
+# endif
+ c1 = (tp[num] + c0) & BN_MASK2;
+ tp[num] = c1;
+ tp[num + 1] = (c1 < c0 ? 1 : 0);
+ enter:
+ c1 = tp[0];
+ ml = (c1 * n0) & BN_MASK2;
+ c0 = 0;
+# ifdef mul64
+ mh = HBITS(ml);
+ ml = LBITS(ml);
+ mul_add(c1, np[0], ml, mh, c0);
+# else
+ mul_add(c1, ml, np[0], c0);
+# endif
+ for (j = 1; j < num; j++) {
+ c1 = tp[j];
+# ifdef mul64
+ mul_add(c1, np[j], ml, mh, c0);
+# else
+ mul_add(c1, ml, np[j], c0);
+# endif
+ tp[j - 1] = c1 & BN_MASK2;
+ }
+ c1 = (tp[num] + c0) & BN_MASK2;
+ tp[num - 1] = c1;
+ tp[num] = tp[num + 1] + (c1 < c0 ? 1 : 0);
+ }
+
+ if (tp[num] != 0 || tp[num - 1] >= np[num - 1]) {
+ c0 = bn_sub_words(rp, tp, np, num);
+ if (tp[num] != 0 || c0 == 0) {
+ for (i = 0; i < num + 2; i++)
+ vp[i] = 0;
+ return 1;
+ }
+ }
+ for (i = 0; i < num; i++)
+ rp[i] = tp[i], vp[i] = 0;
+ vp[num] = 0;
+ vp[num + 1] = 0;
+ return 1;
+}
+# else
+/*
+ * Return value of 0 indicates that multiplication/convolution was not
+ * performed to signal the caller to fall down to alternative/original
+ * code-path.
+ */
+int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ const BN_ULONG *np, const BN_ULONG *n0, int num)
+{
+ return 0;
+}
+# endif /* OPENSSL_BN_ASM_MONT */
+# endif
+
#else /* !BN_MUL_COMBA */
/* hmm... is it faster just to do a multiply? */
# undef bn_sqr_comba4
-void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a)
{
BN_ULONG t[8];
bn_sqr_normal(r, a, 4, t);
}
# undef bn_sqr_comba8
-void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a)
{
BN_ULONG t[16];
bn_sqr_normal(r, a, 8, t);
@@ -917,4 +1038,56 @@ void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
r[15] = bn_mul_add_words(&(r[7]), a, 8, b[7]);
}
+# ifdef OPENSSL_NO_ASM
+# ifdef OPENSSL_BN_ASM_MONT
+# include <alloca.h>
+int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ const BN_ULONG *np, const BN_ULONG *n0p, int num)
+{
+ BN_ULONG c0, c1, *tp, n0 = *n0p;
+ volatile BN_ULONG *vp;
+ int i = 0, j;
+
+ vp = tp = alloca((num + 2) * sizeof(BN_ULONG));
+
+ for (i = 0; i <= num; i++)
+ tp[i] = 0;
+
+ for (i = 0; i < num; i++) {
+ c0 = bn_mul_add_words(tp, ap, num, bp[i]);
+ c1 = (tp[num] + c0) & BN_MASK2;
+ tp[num] = c1;
+ tp[num + 1] = (c1 < c0 ? 1 : 0);
+
+ c0 = bn_mul_add_words(tp, np, num, tp[0] * n0);
+ c1 = (tp[num] + c0) & BN_MASK2;
+ tp[num] = c1;
+ tp[num + 1] += (c1 < c0 ? 1 : 0);
+ for (j = 0; j <= num; j++)
+ tp[j] = tp[j + 1];
+ }
+
+ if (tp[num] != 0 || tp[num - 1] >= np[num - 1]) {
+ c0 = bn_sub_words(rp, tp, np, num);
+ if (tp[num] != 0 || c0 == 0) {
+ for (i = 0; i < num + 2; i++)
+ vp[i] = 0;
+ return 1;
+ }
+ }
+ for (i = 0; i < num; i++)
+ rp[i] = tp[i], vp[i] = 0;
+ vp[num] = 0;
+ vp[num + 1] = 0;
+ return 1;
+}
+# else
+int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ const BN_ULONG *np, const BN_ULONG *n0, int num)
+{
+ return 0;
+}
+# endif /* OPENSSL_BN_ASM_MONT */
+# endif
+
#endif /* !BN_MUL_COMBA */
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_blind.c b/Cryptlib/OpenSSL/crypto/bn/bn_blind.c
index d74ad2ce..d448daa3 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_blind.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_blind.c
@@ -1,6 +1,6 @@
/* crypto/bn/bn_blind.c */
/* ====================================================================
- * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -120,8 +120,11 @@ struct bn_blinding_st {
BIGNUM *Ai;
BIGNUM *e;
BIGNUM *mod; /* just a reference */
+#ifndef OPENSSL_NO_DEPRECATED
unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b; used
* only by crypto/rsa/rsa_eay.c, rsa_lib.c */
+#endif
+ CRYPTO_THREADID tid;
int counter;
unsigned long flags;
BN_MONT_CTX *m_ctx;
@@ -161,6 +164,7 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
* use.
*/
ret->counter = -1;
+ CRYPTO_THREADID_current(&ret->tid);
return (ret);
err:
if (ret != NULL)
@@ -274,6 +278,7 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
return (ret);
}
+#ifndef OPENSSL_NO_DEPRECATED
unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b)
{
return b->thread_id;
@@ -283,6 +288,12 @@ void BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n)
{
b->thread_id = n;
}
+#endif
+
+CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *b)
+{
+ return &b->tid;
+}
unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b)
{
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_ctx.c b/Cryptlib/OpenSSL/crypto/bn/bn_ctx.c
index 1d756a0b..526c6a04 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_ctx.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_ctx.c
@@ -155,9 +155,9 @@ static void ctxdbg(BN_CTX *ctx)
unsigned int bnidx = 0, fpidx = 0;
BN_POOL_ITEM *item = ctx->pool.head;
BN_STACK *stack = &ctx->stack;
- fprintf(stderr, "(%08x): ", (unsigned int)ctx);
+ fprintf(stderr, "(%16p): ", ctx);
while (bnidx < ctx->used) {
- fprintf(stderr, "%02x ", item->vals[bnidx++ % BN_CTX_POOL_SIZE].dmax);
+ fprintf(stderr, "%03x ", item->vals[bnidx++ % BN_CTX_POOL_SIZE].dmax);
if (!(bnidx % BN_CTX_POOL_SIZE))
item = item->next;
}
@@ -166,8 +166,8 @@ static void ctxdbg(BN_CTX *ctx)
fprintf(stderr, " : ");
while (fpidx < stack->depth) {
while (bnidx++ < stack->indexes[fpidx])
- fprintf(stderr, " ");
- fprintf(stderr, "^^ ");
+ fprintf(stderr, " ");
+ fprintf(stderr, "^^^ ");
bnidx++;
fpidx++;
}
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_div.c b/Cryptlib/OpenSSL/crypto/bn/bn_div.c
index 836e046a..72e6ce3f 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_div.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_div.c
@@ -150,6 +150,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
*
* <appro@fy.chalmers.se>
*/
+# undef bn_div_words
# define bn_div_words(n0,n1,d0) \
({ asm volatile ( \
"divl %4" \
@@ -164,6 +165,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
* Same story here, but it's 128-bit by 64-bit division. Wow!
* <appro@fy.chalmers.se>
*/
+# undef bn_div_words
# define bn_div_words(n0,n1,d0) \
({ asm volatile ( \
"divq %4" \
@@ -178,15 +180,13 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
# endif /* OPENSSL_NO_ASM */
/*-
- * BN_div[_no_branch] computes dv := num / divisor, rounding towards
+ * BN_div computes dv := num / divisor, rounding towards
* zero, and sets up rm such that dv*divisor + rm = num holds.
* Thus:
* dv->neg == num->neg ^ divisor->neg (unless the result is zero)
* rm->neg == num->neg (unless the remainder is zero)
* If 'dv' or 'rm' is NULL, the respective value is not returned.
*/
-static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
- const BIGNUM *divisor, BN_CTX *ctx);
int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
BN_CTX *ctx)
{
@@ -195,22 +195,25 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
BN_ULONG *resp, *wnump;
BN_ULONG d0, d1;
int num_n, div_n;
+ int no_branch = 0;
/*
- * Invalid zero-padding would have particularly bad consequences in the
- * case of 'num', so don't just rely on bn_check_top() for this one
- * (bn_check_top() works only for BN_DEBUG builds)
+ * Invalid zero-padding would have particularly bad consequences so don't
+ * just rely on bn_check_top() here (bn_check_top() works only for
+ * BN_DEBUG builds)
*/
- if (num->top > 0 && num->d[num->top - 1] == 0) {
+ if ((num->top > 0 && num->d[num->top - 1] == 0) ||
+ (divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
return 0;
}
bn_check_top(num);
+ bn_check_top(divisor);
if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
|| (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
- return BN_div_no_branch(dv, rm, num, divisor, ctx);
+ no_branch = 1;
}
bn_check_top(dv);
@@ -218,14 +221,16 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
/*- bn_check_top(num); *//*
* 'num' has been checked already
*/
- bn_check_top(divisor);
+ /*- bn_check_top(divisor); *//*
+ * 'divisor' has been checked already
+ */
if (BN_is_zero(divisor)) {
BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
return (0);
}
- if (BN_ucmp(num, divisor) < 0) {
+ if (!no_branch && BN_ucmp(num, divisor) < 0) {
if (rm != NULL) {
if (BN_copy(rm, num) == NULL)
return (0);
@@ -255,257 +260,24 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
if (!(BN_lshift(snum, num, norm_shift)))
goto err;
snum->neg = 0;
- div_n = sdiv->top;
- num_n = snum->top;
- loop = num_n - div_n;
- /*
- * Lets setup a 'window' into snum This is the part that corresponds to
- * the current 'area' being divided
- */
- wnum.neg = 0;
- wnum.d = &(snum->d[loop]);
- wnum.top = div_n;
- /*
- * only needed when BN_ucmp messes up the values between top and max
- */
- wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
-
- /* Get the top 2 words of sdiv */
- /* div_n=sdiv->top; */
- d0 = sdiv->d[div_n - 1];
- d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
-
- /* pointer to the 'top' of snum */
- wnump = &(snum->d[num_n - 1]);
- /* Setup to 'res' */
- res->neg = (num->neg ^ divisor->neg);
- if (!bn_wexpand(res, (loop + 1)))
- goto err;
- res->top = loop;
- resp = &(res->d[loop - 1]);
-
- /* space for temp */
- if (!bn_wexpand(tmp, (div_n + 1)))
- goto err;
-
- if (BN_ucmp(&wnum, sdiv) >= 0) {
+ if (no_branch) {
/*
- * If BN_DEBUG_RAND is defined BN_ucmp changes (via bn_pollute) the
- * const bignum arguments => clean the values between top and max
- * again
+ * Since we don't know whether snum is larger than sdiv, we pad snum
+ * with enough zeroes without changing its value.
*/
- bn_clear_top2max(&wnum);
- bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
- *resp = 1;
- } else
- res->top--;
- /*
- * if res->top == 0 then clear the neg value otherwise decrease the resp
- * pointer
- */
- if (res->top == 0)
- res->neg = 0;
- else
- resp--;
-
- for (i = 0; i < loop - 1; i++, wnump--, resp--) {
- BN_ULONG q, l0;
- /*
- * the first part of the loop uses the top two words of snum and sdiv
- * to calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv
- */
-# if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
- BN_ULONG bn_div_3_words(BN_ULONG *, BN_ULONG, BN_ULONG);
- q = bn_div_3_words(wnump, d1, d0);
-# else
- BN_ULONG n0, n1, rem = 0;
-
- n0 = wnump[0];
- n1 = wnump[-1];
- if (n0 == d0)
- q = BN_MASK2;
- else { /* n0 < d0 */
-
-# ifdef BN_LLONG
- BN_ULLONG t2;
-
-# if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
- q = (BN_ULONG)(((((BN_ULLONG) n0) << BN_BITS2) | n1) / d0);
-# else
- q = bn_div_words(n0, n1, d0);
-# ifdef BN_DEBUG_LEVITTE
- fprintf(stderr, "DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
-X) -> 0x%08X\n", n0, n1, d0, q);
-# endif
-# endif
-
-# ifndef REMAINDER_IS_ALREADY_CALCULATED
- /*
- * rem doesn't have to be BN_ULLONG. The least we
- * know it's less that d0, isn't it?
- */
- rem = (n1 - q * d0) & BN_MASK2;
-# endif
- t2 = (BN_ULLONG) d1 *q;
-
- for (;;) {
- if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | wnump[-2]))
- break;
- q--;
- rem += d0;
- if (rem < d0)
- break; /* don't let rem overflow */
- t2 -= d1;
- }
-# else /* !BN_LLONG */
- BN_ULONG t2l, t2h;
-# if !defined(BN_UMULT_LOHI) && !defined(BN_UMULT_HIGH)
- BN_ULONG ql, qh;
-# endif
-
- q = bn_div_words(n0, n1, d0);
-# ifdef BN_DEBUG_LEVITTE
- fprintf(stderr, "DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
-X) -> 0x%08X\n", n0, n1, d0, q);
-# endif
-# ifndef REMAINDER_IS_ALREADY_CALCULATED
- rem = (n1 - q * d0) & BN_MASK2;
-# endif
-
-# if defined(BN_UMULT_LOHI)
- BN_UMULT_LOHI(t2l, t2h, d1, q);
-# elif defined(BN_UMULT_HIGH)
- t2l = d1 * q;
- t2h = BN_UMULT_HIGH(d1, q);
-# else
- t2l = LBITS(d1);
- t2h = HBITS(d1);
- ql = LBITS(q);
- qh = HBITS(q);
- mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */
-# endif
-
- for (;;) {
- if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2])))
- break;
- q--;
- rem += d0;
- if (rem < d0)
- break; /* don't let rem overflow */
- if (t2l < d1)
- t2h--;
- t2l -= d1;
- }
-# endif /* !BN_LLONG */
+ if (snum->top <= sdiv->top + 1) {
+ if (bn_wexpand(snum, sdiv->top + 2) == NULL)
+ goto err;
+ for (i = snum->top; i < sdiv->top + 2; i++)
+ snum->d[i] = 0;
+ snum->top = sdiv->top + 2;
+ } else {
+ if (bn_wexpand(snum, snum->top + 1) == NULL)
+ goto err;
+ snum->d[snum->top] = 0;
+ snum->top++;
}
-# endif /* !BN_DIV3W */
-
- l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
- tmp->d[div_n] = l0;
- wnum.d--;
- /*
- * ingore top values of the bignums just sub the two BN_ULONG arrays
- * with bn_sub_words
- */
- if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
- /*
- * Note: As we have considered only the leading two BN_ULONGs in
- * the calculation of q, sdiv * q might be greater than wnum (but
- * then (q-1) * sdiv is less or equal than wnum)
- */
- q--;
- if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
- /*
- * we can't have an overflow here (assuming that q != 0, but
- * if q == 0 then tmp is zero anyway)
- */
- (*wnump)++;
- }
- /* store part of the result */
- *resp = q;
- }
- bn_correct_top(snum);
- if (rm != NULL) {
- /*
- * Keep a copy of the neg flag in num because if rm==num BN_rshift()
- * will overwrite it.
- */
- int neg = num->neg;
- BN_rshift(rm, snum, norm_shift);
- if (!BN_is_zero(rm))
- rm->neg = neg;
- bn_check_top(rm);
- }
- BN_CTX_end(ctx);
- return (1);
- err:
- bn_check_top(rm);
- BN_CTX_end(ctx);
- return (0);
-}
-
-/*
- * BN_div_no_branch is a special version of BN_div. It does not contain
- * branches that may leak sensitive information.
- */
-static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
- const BIGNUM *divisor, BN_CTX *ctx)
-{
- int norm_shift, i, loop;
- BIGNUM *tmp, wnum, *snum, *sdiv, *res;
- BN_ULONG *resp, *wnump;
- BN_ULONG d0, d1;
- int num_n, div_n;
-
- bn_check_top(dv);
- bn_check_top(rm);
- /*- bn_check_top(num); *//*
- * 'num' has been checked in BN_div()
- */
- bn_check_top(divisor);
-
- if (BN_is_zero(divisor)) {
- BNerr(BN_F_BN_DIV_NO_BRANCH, BN_R_DIV_BY_ZERO);
- return (0);
- }
-
- BN_CTX_start(ctx);
- tmp = BN_CTX_get(ctx);
- snum = BN_CTX_get(ctx);
- sdiv = BN_CTX_get(ctx);
- if (dv == NULL)
- res = BN_CTX_get(ctx);
- else
- res = dv;
- if (sdiv == NULL || res == NULL)
- goto err;
-
- /* First we normalise the numbers */
- norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
- if (!(BN_lshift(sdiv, divisor, norm_shift)))
- goto err;
- sdiv->neg = 0;
- norm_shift += BN_BITS2;
- if (!(BN_lshift(snum, num, norm_shift)))
- goto err;
- snum->neg = 0;
-
- /*
- * Since we don't know whether snum is larger than sdiv, we pad snum with
- * enough zeroes without changing its value.
- */
- if (snum->top <= sdiv->top + 1) {
- if (bn_wexpand(snum, sdiv->top + 2) == NULL)
- goto err;
- for (i = snum->top; i < sdiv->top + 2; i++)
- snum->d[i] = 0;
- snum->top = sdiv->top + 2;
- } else {
- if (bn_wexpand(snum, snum->top + 1) == NULL)
- goto err;
- snum->d[snum->top] = 0;
- snum->top++;
}
div_n = sdiv->top;
@@ -535,13 +307,27 @@ static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
res->neg = (num->neg ^ divisor->neg);
if (!bn_wexpand(res, (loop + 1)))
goto err;
- res->top = loop - 1;
+ res->top = loop - no_branch;
resp = &(res->d[loop - 1]);
/* space for temp */
if (!bn_wexpand(tmp, (div_n + 1)))
goto err;
+ if (!no_branch) {
+ if (BN_ucmp(&wnum, sdiv) >= 0) {
+ /*
+ * If BN_DEBUG_RAND is defined BN_ucmp changes (via bn_pollute)
+ * the const bignum arguments => clean the values between top and
+ * max again
+ */
+ bn_clear_top2max(&wnum);
+ bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
+ *resp = 1;
+ } else
+ res->top--;
+ }
+
/*
* if res->top == 0 then clear the neg value otherwise decrease the resp
* pointer
@@ -602,9 +388,6 @@ X) -> 0x%08X\n", n0, n1, d0, q);
}
# else /* !BN_LLONG */
BN_ULONG t2l, t2h;
-# if !defined(BN_UMULT_LOHI) && !defined(BN_UMULT_HIGH)
- BN_ULONG ql, qh;
-# endif
q = bn_div_words(n0, n1, d0);
# ifdef BN_DEBUG_LEVITTE
@@ -621,11 +404,14 @@ X) -> 0x%08X\n", n0, n1, d0, q);
t2l = d1 * q;
t2h = BN_UMULT_HIGH(d1, q);
# else
- t2l = LBITS(d1);
- t2h = HBITS(d1);
- ql = LBITS(q);
- qh = HBITS(q);
- mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */
+ {
+ BN_ULONG ql, qh;
+ t2l = LBITS(d1);
+ t2h = HBITS(d1);
+ ql = LBITS(q);
+ qh = HBITS(q);
+ mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */
+ }
# endif
for (;;) {
@@ -679,7 +465,8 @@ X) -> 0x%08X\n", n0, n1, d0, q);
rm->neg = neg;
bn_check_top(rm);
}
- bn_correct_top(res);
+ if (no_branch)
+ bn_correct_top(res);
BN_CTX_end(ctx);
return (1);
err:
@@ -687,5 +474,4 @@ X) -> 0x%08X\n", n0, n1, d0, q);
BN_CTX_end(ctx);
return (0);
}
-
#endif
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_err.c b/Cryptlib/OpenSSL/crypto/bn/bn_err.c
index faa7e226..e7a70382 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_err.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_err.c
@@ -1,6 +1,6 @@
/* crypto/bn/bn_err.c */
/* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -94,6 +94,7 @@ static ERR_STRING_DATA BN_str_functs[] = {
{ERR_FUNC(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR), "BN_GF2m_mod_solve_quad_arr"},
{ERR_FUNC(BN_F_BN_GF2M_MOD_SQR), "BN_GF2m_mod_sqr"},
{ERR_FUNC(BN_F_BN_GF2M_MOD_SQRT), "BN_GF2m_mod_sqrt"},
+ {ERR_FUNC(BN_F_BN_LSHIFT), "BN_lshift"},
{ERR_FUNC(BN_F_BN_MOD_EXP2_MONT), "BN_mod_exp2_mont"},
{ERR_FUNC(BN_F_BN_MOD_EXP_MONT), "BN_mod_exp_mont"},
{ERR_FUNC(BN_F_BN_MOD_EXP_MONT_CONSTTIME), "BN_mod_exp_mont_consttime"},
@@ -109,6 +110,7 @@ static ERR_STRING_DATA BN_str_functs[] = {
{ERR_FUNC(BN_F_BN_NEW), "BN_new"},
{ERR_FUNC(BN_F_BN_RAND), "BN_rand"},
{ERR_FUNC(BN_F_BN_RAND_RANGE), "BN_rand_range"},
+ {ERR_FUNC(BN_F_BN_RSHIFT), "BN_rshift"},
{ERR_FUNC(BN_F_BN_USUB), "BN_usub"},
{0, NULL}
};
@@ -117,6 +119,7 @@ static ERR_STRING_DATA BN_str_reasons[] = {
{ERR_REASON(BN_R_ARG2_LT_ARG3), "arg2 lt arg3"},
{ERR_REASON(BN_R_BAD_RECIPROCAL), "bad reciprocal"},
{ERR_REASON(BN_R_BIGNUM_TOO_LONG), "bignum too long"},
+ {ERR_REASON(BN_R_BITS_TOO_SMALL), "bits too small"},
{ERR_REASON(BN_R_CALLED_WITH_EVEN_MODULUS), "called with even modulus"},
{ERR_REASON(BN_R_DIV_BY_ZERO), "div by zero"},
{ERR_REASON(BN_R_ENCODING_ERROR), "encoding error"},
@@ -125,6 +128,7 @@ static ERR_STRING_DATA BN_str_reasons[] = {
{ERR_REASON(BN_R_INPUT_NOT_REDUCED), "input not reduced"},
{ERR_REASON(BN_R_INVALID_LENGTH), "invalid length"},
{ERR_REASON(BN_R_INVALID_RANGE), "invalid range"},
+ {ERR_REASON(BN_R_INVALID_SHIFT), "invalid shift"},
{ERR_REASON(BN_R_NOT_A_SQUARE), "not a square"},
{ERR_REASON(BN_R_NOT_INITIALIZED), "not initialized"},
{ERR_REASON(BN_R_NO_INVERSE), "no inverse"},
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_exp.c b/Cryptlib/OpenSSL/crypto/bn/bn_exp.c
index ef67843f..24afdd60 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_exp.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_exp.c
@@ -112,6 +112,29 @@
#include "cryptlib.h"
#include "bn_lcl.h"
+#include <stdlib.h>
+#ifdef _WIN32
+# include <malloc.h>
+# ifndef alloca
+# define alloca _alloca
+# endif
+#elif defined(__GNUC__)
+# ifndef alloca
+# define alloca(s) __builtin_alloca((s))
+# endif
+#elif defined(__sun)
+# include <alloca.h>
+#endif
+
+#include "rsaz_exp.h"
+
+#undef SPARC_T4_MONT
+#if defined(OPENSSL_BN_ASM_MONT) && (defined(__sparc__) || defined(__sparc))
+# include "sparc_arch.h"
+extern unsigned int OPENSSL_sparcv9cap_P[];
+# define SPARC_T4_MONT
+#endif
+
/* maximum precomputation table size for *variable* sliding windows */
#define TABLE_SIZE 32
@@ -156,10 +179,10 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
goto err;
}
}
- ret = 1;
- err:
if (r != rr)
BN_copy(r, rr);
+ ret = 1;
+ err:
BN_CTX_end(ctx);
bn_check_top(r);
return (ret);
@@ -452,6 +475,23 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
wstart = bits - 1; /* The top bit of the window */
wend = 0; /* The bottom bit of the window */
+#if 1 /* by Shay Gueron's suggestion */
+ j = m->top; /* borrow j */
+ if (m->d[j - 1] & (((BN_ULONG)1) << (BN_BITS2 - 1))) {
+ if (bn_wexpand(r, j) == NULL)
+ goto err;
+ /* 2^(top*BN_BITS2) - m */
+ r->d[0] = (0 - m->d[0]) & BN_MASK2;
+ for (i = 1; i < j; i++)
+ r->d[i] = (~m->d[i]) & BN_MASK2;
+ r->top = j;
+ /*
+ * Upper words will be zero if the corresponding words of 'm' were
+ * 0xfff[...], so decrement r->top accordingly.
+ */
+ bn_correct_top(r);
+ } else
+#endif
if (!BN_to_montgomery(r, BN_value_one(), mont, ctx))
goto err;
for (;;) {
@@ -503,6 +543,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
if (wstart < 0)
break;
}
+#if defined(SPARC_T4_MONT)
+ if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) {
+ j = mont->N.top; /* borrow j */
+ val[0]->d[0] = 1; /* borrow val[0] */
+ for (i = 1; i < j; i++)
+ val[0]->d[i] = 0;
+ val[0]->top = j;
+ if (!BN_mod_mul_montgomery(rr, r, val[0], mont, ctx))
+ goto err;
+ } else
+#endif
if (!BN_from_montgomery(rr, r, mont, ctx))
goto err;
ret = 1;
@@ -514,6 +565,27 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
return (ret);
}
+#if defined(SPARC_T4_MONT)
+static BN_ULONG bn_get_bits(const BIGNUM *a, int bitpos)
+{
+ BN_ULONG ret = 0;
+ int wordpos;
+
+ wordpos = bitpos / BN_BITS2;
+ bitpos %= BN_BITS2;
+ if (wordpos >= 0 && wordpos < a->top) {
+ ret = a->d[wordpos] & BN_MASK2;
+ if (bitpos) {
+ ret >>= bitpos;
+ if (++wordpos < a->top)
+ ret |= a->d[wordpos] << (BN_BITS2 - bitpos);
+ }
+ }
+
+ return ret & BN_MASK2;
+}
+#endif
+
/*
* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific
* layout so that accessing any of these table values shows the same access
@@ -521,23 +593,19 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
* used to transfer a BIGNUM from/to that table.
*/
-static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top,
+static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top,
unsigned char *buf, int idx,
int width)
{
size_t i, j;
- if (bn_wexpand(b, top) == NULL)
- return 0;
- while (b->top < top) {
- b->d[b->top++] = 0;
- }
-
+ if (top > b->top)
+ top = b->top; /* this works because 'buf' is explicitly
+ * zeroed */
for (i = 0, j = idx; i < top * sizeof b->d[0]; i++, j += width) {
buf[j] = ((unsigned char *)b->d)[i];
}
- bn_correct_top(b);
return 1;
}
@@ -564,7 +632,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
* multiple.
*/
#define MOD_EXP_CTIME_ALIGN(x_) \
- ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ULONG)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
+ ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((size_t)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
/*
* This variant of BN_mod_exp_mont() uses fixed windows and the special
@@ -577,17 +645,18 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *in_mont)
{
- int i, bits, ret = 0, idx, window, wvalue;
+ int i, bits, ret = 0, window, wvalue;
int top;
- BIGNUM *r;
- const BIGNUM *aa;
BN_MONT_CTX *mont = NULL;
int numPowers;
unsigned char *powerbufFree = NULL;
int powerbufLen = 0;
unsigned char *powerbuf = NULL;
- BIGNUM *computeTemp = NULL, *am = NULL;
+ BIGNUM tmp, am;
+#if defined(SPARC_T4_MONT)
+ unsigned int t4 = 0;
+#endif
bn_check_top(a);
bn_check_top(p);
@@ -605,11 +674,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
return ret;
}
- /* Initialize BIGNUM context and allocate intermediate result */
BN_CTX_start(ctx);
- r = BN_CTX_get(ctx);
- if (r == NULL)
- goto err;
/*
* Allocate a montgomery context if it was not supplied by the caller. If
@@ -624,111 +689,436 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
goto err;
}
+#ifdef RSAZ_ENABLED
+ /*
+ * If the size of the operands allow it, perform the optimized
+ * RSAZ exponentiation. For further information see
+ * crypto/bn/rsaz_exp.c and accompanying assembly modules.
+ */
+ if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024)
+ && rsaz_avx2_eligible()) {
+ if (NULL == bn_wexpand(rr, 16))
+ goto err;
+ RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d,
+ mont->n0[0]);
+ rr->top = 16;
+ rr->neg = 0;
+ bn_correct_top(rr);
+ ret = 1;
+ goto err;
+ } else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) {
+ if (NULL == bn_wexpand(rr, 8))
+ goto err;
+ RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d);
+ rr->top = 8;
+ rr->neg = 0;
+ bn_correct_top(rr);
+ ret = 1;
+ goto err;
+ }
+#endif
+
/* Get the window size to use with size of p. */
window = BN_window_bits_for_ctime_exponent_size(bits);
+#if defined(SPARC_T4_MONT)
+ if (window >= 5 && (top & 15) == 0 && top <= 64 &&
+ (OPENSSL_sparcv9cap_P[1] & (CFR_MONTMUL | CFR_MONTSQR)) ==
+ (CFR_MONTMUL | CFR_MONTSQR) && (t4 = OPENSSL_sparcv9cap_P[0]))
+ window = 5;
+ else
+#endif
+#if defined(OPENSSL_BN_ASM_MONT5)
+ if (window >= 5) {
+ window = 5; /* ~5% improvement for RSA2048 sign, and even
+ * for RSA4096 */
+ if ((top & 7) == 0)
+ powerbufLen += 2 * top * sizeof(m->d[0]);
+ }
+#endif
+ (void)0;
/*
* Allocate a buffer large enough to hold all of the pre-computed powers
- * of a.
+ * of am, am itself and tmp.
*/
numPowers = 1 << window;
- powerbufLen = sizeof(m->d[0]) * top * numPowers;
- if ((powerbufFree =
- (unsigned char *)OPENSSL_malloc(powerbufLen +
- MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH))
- == NULL)
+ powerbufLen += sizeof(m->d[0]) * (top * numPowers +
+ ((2 * top) >
+ numPowers ? (2 * top) : numPowers));
+#ifdef alloca
+ if (powerbufLen < 3072)
+ powerbufFree =
+ alloca(powerbufLen + MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH);
+ else
+#endif
+ if ((powerbufFree =
+ (unsigned char *)OPENSSL_malloc(powerbufLen +
+ MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH))
+ == NULL)
goto err;
powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
memset(powerbuf, 0, powerbufLen);
- /*
- * Initialize the intermediate result. Do this early to save double
- * conversion, once each for a^0 and intermediate result.
- */
- if (!BN_to_montgomery(r, BN_value_one(), mont, ctx))
- goto err;
- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, numPowers))
- goto err;
+#ifdef alloca
+ if (powerbufLen < 3072)
+ powerbufFree = NULL;
+#endif
- /* Initialize computeTemp as a^1 with montgomery precalcs */
- computeTemp = BN_CTX_get(ctx);
- am = BN_CTX_get(ctx);
- if (computeTemp == NULL || am == NULL)
+ /* lay down tmp and am right after powers table */
+ tmp.d = (BN_ULONG *)(powerbuf + sizeof(m->d[0]) * top * numPowers);
+ am.d = tmp.d + top;
+ tmp.top = am.top = 0;
+ tmp.dmax = am.dmax = top;
+ tmp.neg = am.neg = 0;
+ tmp.flags = am.flags = BN_FLG_STATIC_DATA;
+
+ /* prepare a^0 in Montgomery domain */
+#if 1 /* by Shay Gueron's suggestion */
+ if (m->d[top - 1] & (((BN_ULONG)1) << (BN_BITS2 - 1))) {
+ /* 2^(top*BN_BITS2) - m */
+ tmp.d[0] = (0 - m->d[0]) & BN_MASK2;
+ for (i = 1; i < top; i++)
+ tmp.d[i] = (~m->d[i]) & BN_MASK2;
+ tmp.top = top;
+ } else
+#endif
+ if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx))
goto err;
+ /* prepare a^1 in Montgomery domain */
if (a->neg || BN_ucmp(a, m) >= 0) {
- if (!BN_mod(am, a, m, ctx))
+ if (!BN_mod(&am, a, m, ctx))
goto err;
- aa = am;
- } else
- aa = a;
- if (!BN_to_montgomery(am, aa, mont, ctx))
- goto err;
- if (!BN_copy(computeTemp, am))
- goto err;
- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, numPowers))
+ if (!BN_to_montgomery(&am, &am, mont, ctx))
+ goto err;
+ } else if (!BN_to_montgomery(&am, a, mont, ctx))
goto err;
- /*
- * If the window size is greater than 1, then calculate
- * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1) (even powers
- * could instead be computed as (a^(i/2))^2 to use the slight performance
- * advantage of sqr over mul).
- */
- if (window > 1) {
- for (i = 2; i < numPowers; i++) {
+#if defined(SPARC_T4_MONT)
+ if (t4) {
+ typedef int (*bn_pwr5_mont_f) (BN_ULONG *tp, const BN_ULONG *np,
+ const BN_ULONG *n0, const void *table,
+ int power, int bits);
+ int bn_pwr5_mont_t4_8(BN_ULONG *tp, const BN_ULONG *np,
+ const BN_ULONG *n0, const void *table,
+ int power, int bits);
+ int bn_pwr5_mont_t4_16(BN_ULONG *tp, const BN_ULONG *np,
+ const BN_ULONG *n0, const void *table,
+ int power, int bits);
+ int bn_pwr5_mont_t4_24(BN_ULONG *tp, const BN_ULONG *np,
+ const BN_ULONG *n0, const void *table,
+ int power, int bits);
+ int bn_pwr5_mont_t4_32(BN_ULONG *tp, const BN_ULONG *np,
+ const BN_ULONG *n0, const void *table,
+ int power, int bits);
+ static const bn_pwr5_mont_f pwr5_funcs[4] = {
+ bn_pwr5_mont_t4_8, bn_pwr5_mont_t4_16,
+ bn_pwr5_mont_t4_24, bn_pwr5_mont_t4_32
+ };
+ bn_pwr5_mont_f pwr5_worker = pwr5_funcs[top / 16 - 1];
+
+ typedef int (*bn_mul_mont_f) (BN_ULONG *rp, const BN_ULONG *ap,
+ const void *bp, const BN_ULONG *np,
+ const BN_ULONG *n0);
+ int bn_mul_mont_t4_8(BN_ULONG *rp, const BN_ULONG *ap, const void *bp,
+ const BN_ULONG *np, const BN_ULONG *n0);
+ int bn_mul_mont_t4_16(BN_ULONG *rp, const BN_ULONG *ap,
+ const void *bp, const BN_ULONG *np,
+ const BN_ULONG *n0);
+ int bn_mul_mont_t4_24(BN_ULONG *rp, const BN_ULONG *ap,
+ const void *bp, const BN_ULONG *np,
+ const BN_ULONG *n0);
+ int bn_mul_mont_t4_32(BN_ULONG *rp, const BN_ULONG *ap,
+ const void *bp, const BN_ULONG *np,
+ const BN_ULONG *n0);
+ static const bn_mul_mont_f mul_funcs[4] = {
+ bn_mul_mont_t4_8, bn_mul_mont_t4_16,
+ bn_mul_mont_t4_24, bn_mul_mont_t4_32
+ };
+ bn_mul_mont_f mul_worker = mul_funcs[top / 16 - 1];
+
+ void bn_mul_mont_vis3(BN_ULONG *rp, const BN_ULONG *ap,
+ const void *bp, const BN_ULONG *np,
+ const BN_ULONG *n0, int num);
+ void bn_mul_mont_t4(BN_ULONG *rp, const BN_ULONG *ap,
+ const void *bp, const BN_ULONG *np,
+ const BN_ULONG *n0, int num);
+ void bn_mul_mont_gather5_t4(BN_ULONG *rp, const BN_ULONG *ap,
+ const void *table, const BN_ULONG *np,
+ const BN_ULONG *n0, int num, int power);
+ void bn_flip_n_scatter5_t4(const BN_ULONG *inp, size_t num,
+ void *table, size_t power);
+ void bn_gather5_t4(BN_ULONG *out, size_t num,
+ void *table, size_t power);
+ void bn_flip_t4(BN_ULONG *dst, BN_ULONG *src, size_t num);
+
+ BN_ULONG *np = mont->N.d, *n0 = mont->n0;
+ int stride = 5 * (6 - (top / 16 - 1)); /* multiple of 5, but less
+ * than 32 */
+
+ /*
+ * BN_to_montgomery can contaminate words above .top [in
+ * BN_DEBUG[_DEBUG] build]...
+ */
+ for (i = am.top; i < top; i++)
+ am.d[i] = 0;
+ for (i = tmp.top; i < top; i++)
+ tmp.d[i] = 0;
+
+ bn_flip_n_scatter5_t4(tmp.d, top, powerbuf, 0);
+ bn_flip_n_scatter5_t4(am.d, top, powerbuf, 1);
+ if (!(*mul_worker) (tmp.d, am.d, am.d, np, n0) &&
+ !(*mul_worker) (tmp.d, am.d, am.d, np, n0))
+ bn_mul_mont_vis3(tmp.d, am.d, am.d, np, n0, top);
+ bn_flip_n_scatter5_t4(tmp.d, top, powerbuf, 2);
+
+ for (i = 3; i < 32; i++) {
/* Calculate a^i = a^(i-1) * a */
- if (!BN_mod_mul_montgomery
- (computeTemp, am, computeTemp, mont, ctx))
- goto err;
- if (!MOD_EXP_CTIME_COPY_TO_PREBUF
- (computeTemp, top, powerbuf, i, numPowers))
- goto err;
+ if (!(*mul_worker) (tmp.d, tmp.d, am.d, np, n0) &&
+ !(*mul_worker) (tmp.d, tmp.d, am.d, np, n0))
+ bn_mul_mont_vis3(tmp.d, tmp.d, am.d, np, n0, top);
+ bn_flip_n_scatter5_t4(tmp.d, top, powerbuf, i);
}
- }
- /*
- * Adjust the number of bits up to a multiple of the window size. If the
- * exponent length is not a multiple of the window size, then this pads
- * the most significant bits with zeros to normalize the scanning loop to
- * there's no special cases. * NOTE: Making the window size a power of
- * two less than the native * word size ensures that the padded bits
- * won't go past the last * word in the internal BIGNUM structure. Going
- * past the end will * still produce the correct result, but causes a
- * different branch * to be taken in the BN_is_bit_set function.
- */
- bits = ((bits + window - 1) / window) * window;
- idx = bits - 1; /* The top bit of the window */
+ /* switch to 64-bit domain */
+ np = alloca(top * sizeof(BN_ULONG));
+ top /= 2;
+ bn_flip_t4(np, mont->N.d, top);
- /*
- * Scan the exponent one window at a time starting from the most
- * significant bits.
- */
- while (idx >= 0) {
- wvalue = 0; /* The 'value' of the window */
+ bits--;
+ for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--)
+ wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
+ bn_gather5_t4(tmp.d, top, powerbuf, wvalue);
- /* Scan the window, squaring the result as we go */
- for (i = 0; i < window; i++, idx--) {
- if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
- goto err;
- wvalue = (wvalue << 1) + BN_is_bit_set(p, idx);
+ /*
+ * Scan the exponent one window at a time starting from the most
+ * significant bits.
+ */
+ while (bits >= 0) {
+ if (bits < stride)
+ stride = bits + 1;
+ bits -= stride;
+ wvalue = bn_get_bits(p, bits + 1);
+
+ if ((*pwr5_worker) (tmp.d, np, n0, powerbuf, wvalue, stride))
+ continue;
+ /* retry once and fall back */
+ if ((*pwr5_worker) (tmp.d, np, n0, powerbuf, wvalue, stride))
+ continue;
+
+ bits += stride - 5;
+ wvalue >>= stride - 5;
+ wvalue &= 31;
+ bn_mul_mont_t4(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_mul_mont_t4(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_mul_mont_t4(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_mul_mont_t4(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_mul_mont_t4(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_mul_mont_gather5_t4(tmp.d, tmp.d, powerbuf, np, n0, top,
+ wvalue);
}
+ bn_flip_t4(tmp.d, tmp.d, top);
+ top *= 2;
+ /* back to 32-bit domain */
+ tmp.top = top;
+ bn_correct_top(&tmp);
+ OPENSSL_cleanse(np, top * sizeof(BN_ULONG));
+ } else
+#endif
+#if defined(OPENSSL_BN_ASM_MONT5)
+ if (window == 5 && top > 1) {
/*
- * Fetch the appropriate pre-computed value from the pre-buf
+ * This optimization uses ideas from http://eprint.iacr.org/2011/239,
+ * specifically optimization of cache-timing attack countermeasures
+ * and pre-computation optimization.
*/
- if (!MOD_EXP_CTIME_COPY_FROM_PREBUF
- (computeTemp, top, powerbuf, wvalue, numPowers))
+
+ /*
+ * Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
+ * 512-bit RSA is hardly relevant, we omit it to spare size...
+ */
+ void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap,
+ const void *table, const BN_ULONG *np,
+ const BN_ULONG *n0, int num, int power);
+ void bn_scatter5(const BN_ULONG *inp, size_t num,
+ void *table, size_t power);
+ void bn_gather5(BN_ULONG *out, size_t num, void *table, size_t power);
+ void bn_power5(BN_ULONG *rp, const BN_ULONG *ap,
+ const void *table, const BN_ULONG *np,
+ const BN_ULONG *n0, int num, int power);
+ int bn_get_bits5(const BN_ULONG *ap, int off);
+ int bn_from_montgomery(BN_ULONG *rp, const BN_ULONG *ap,
+ const BN_ULONG *not_used, const BN_ULONG *np,
+ const BN_ULONG *n0, int num);
+
+ BN_ULONG *np = mont->N.d, *n0 = mont->n0, *np2;
+
+ /*
+ * BN_to_montgomery can contaminate words above .top [in
+ * BN_DEBUG[_DEBUG] build]...
+ */
+ for (i = am.top; i < top; i++)
+ am.d[i] = 0;
+ for (i = tmp.top; i < top; i++)
+ tmp.d[i] = 0;
+
+ if (top & 7)
+ np2 = np;
+ else
+ for (np2 = am.d + top, i = 0; i < top; i++)
+ np2[2 * i] = np[i];
+
+ bn_scatter5(tmp.d, top, powerbuf, 0);
+ bn_scatter5(am.d, am.top, powerbuf, 1);
+ bn_mul_mont(tmp.d, am.d, am.d, np, n0, top);
+ bn_scatter5(tmp.d, top, powerbuf, 2);
+
+# if 0
+ for (i = 3; i < 32; i++) {
+ /* Calculate a^i = a^(i-1) * a */
+ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
+ bn_scatter5(tmp.d, top, powerbuf, i);
+ }
+# else
+ /* same as above, but uses squaring for 1/2 of operations */
+ for (i = 4; i < 32; i *= 2) {
+ bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_scatter5(tmp.d, top, powerbuf, i);
+ }
+ for (i = 3; i < 8; i += 2) {
+ int j;
+ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
+ bn_scatter5(tmp.d, top, powerbuf, i);
+ for (j = 2 * i; j < 32; j *= 2) {
+ bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_scatter5(tmp.d, top, powerbuf, j);
+ }
+ }
+ for (; i < 16; i += 2) {
+ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
+ bn_scatter5(tmp.d, top, powerbuf, i);
+ bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_scatter5(tmp.d, top, powerbuf, 2 * i);
+ }
+ for (; i < 32; i += 2) {
+ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
+ bn_scatter5(tmp.d, top, powerbuf, i);
+ }
+# endif
+ bits--;
+ for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--)
+ wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
+ bn_gather5(tmp.d, top, powerbuf, wvalue);
+
+ /*
+ * Scan the exponent one window at a time starting from the most
+ * significant bits.
+ */
+ if (top & 7)
+ while (bits >= 0) {
+ for (wvalue = 0, i = 0; i < 5; i++, bits--)
+ wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
+
+ bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
+ bn_mul_mont_gather5(tmp.d, tmp.d, powerbuf, np, n0, top,
+ wvalue);
+ } else {
+ while (bits >= 0) {
+ wvalue = bn_get_bits5(p->d, bits - 4);
+ bits -= 5;
+ bn_power5(tmp.d, tmp.d, powerbuf, np2, n0, top, wvalue);
+ }
+ }
+
+ ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np2, n0, top);
+ tmp.top = top;
+ bn_correct_top(&tmp);
+ if (ret) {
+ if (!BN_copy(rr, &tmp))
+ ret = 0;
+ goto err; /* non-zero ret means it's not error */
+ }
+ } else
+#endif
+ {
+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, numPowers))
goto err;
+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, numPowers))
+ goto err;
+
+ /*
+ * If the window size is greater than 1, then calculate
+ * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1) (even
+ * powers could instead be computed as (a^(i/2))^2 to use the slight
+ * performance advantage of sqr over mul).
+ */
+ if (window > 1) {
+ if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx))
+ goto err;
+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF
+ (&tmp, top, powerbuf, 2, numPowers))
+ goto err;
+ for (i = 3; i < numPowers; i++) {
+ /* Calculate a^i = a^(i-1) * a */
+ if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx))
+ goto err;
+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF
+ (&tmp, top, powerbuf, i, numPowers))
+ goto err;
+ }
+ }
- /* Multiply the result into the intermediate result */
- if (!BN_mod_mul_montgomery(r, r, computeTemp, mont, ctx))
+ bits--;
+ for (wvalue = 0, i = bits % window; i >= 0; i--, bits--)
+ wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
+ if (!MOD_EXP_CTIME_COPY_FROM_PREBUF
+ (&tmp, top, powerbuf, wvalue, numPowers))
goto err;
+
+ /*
+ * Scan the exponent one window at a time starting from the most
+ * significant bits.
+ */
+ while (bits >= 0) {
+ wvalue = 0; /* The 'value' of the window */
+
+ /* Scan the window, squaring the result as we go */
+ for (i = 0; i < window; i++, bits--) {
+ if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx))
+ goto err;
+ wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
+ }
+
+ /*
+ * Fetch the appropriate pre-computed value from the pre-buf
+ */
+ if (!MOD_EXP_CTIME_COPY_FROM_PREBUF
+ (&am, top, powerbuf, wvalue, numPowers))
+ goto err;
+
+ /* Multiply the result into the intermediate result */
+ if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx))
+ goto err;
+ }
}
/* Convert the final result from montgomery to standard format */
- if (!BN_from_montgomery(rr, r, mont, ctx))
+#if defined(SPARC_T4_MONT)
+ if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) {
+ am.d[0] = 1; /* borrow am */
+ for (i = 1; i < top; i++)
+ am.d[i] = 0;
+ if (!BN_mod_mul_montgomery(rr, &tmp, &am, mont, ctx))
+ goto err;
+ } else
+#endif
+ if (!BN_from_montgomery(rr, &tmp, mont, ctx))
goto err;
ret = 1;
err:
@@ -736,12 +1126,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
BN_MONT_CTX_free(mont);
if (powerbuf != NULL) {
OPENSSL_cleanse(powerbuf, powerbufLen);
- OPENSSL_free(powerbufFree);
+ if (powerbufFree)
+ OPENSSL_free(powerbufFree);
}
- if (am != NULL)
- BN_clear(am);
- if (computeTemp != NULL)
- BN_clear(computeTemp);
BN_CTX_end(ctx);
return (ret);
}
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c b/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c
index cd5f86b0..97c55ab7 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c
@@ -222,8 +222,9 @@ static BIGNUM *euclid(BIGNUM *a, BIGNUM *b)
static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
const BIGNUM *a, const BIGNUM *n,
BN_CTX *ctx);
-BIGNUM *BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
- BN_CTX *ctx)
+
+BIGNUM *BN_mod_inverse(BIGNUM *in,
+ const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
{
BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
BIGNUM *ret = NULL;
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c b/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c
index 3386f726..cfa1c7ce 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c
@@ -95,146 +95,47 @@
#include "cryptlib.h"
#include "bn_lcl.h"
+#ifndef OPENSSL_NO_EC2M
+
/*
* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
* fail.
*/
-#define MAX_ITERATIONS 50
+# define MAX_ITERATIONS 50
static const BN_ULONG SQR_tb[16] = { 0, 1, 4, 5, 16, 17, 20, 21,
64, 65, 68, 69, 80, 81, 84, 85
};
/* Platform-specific macros to accelerate squaring. */
-#if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
-# define SQR1(w) \
+# if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
+# define SQR1(w) \
SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \
SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \
SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \
SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF]
-# define SQR0(w) \
+# define SQR0(w) \
SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \
SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \
SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
-#endif
-#ifdef THIRTY_TWO_BIT
-# define SQR1(w) \
+# endif
+# ifdef THIRTY_TWO_BIT
+# define SQR1(w) \
SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \
SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF]
-# define SQR0(w) \
+# define SQR0(w) \
SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
-#endif
-#ifdef SIXTEEN_BIT
-# define SQR1(w) \
- SQR_tb[(w) >> 12 & 0xF] << 8 | SQR_tb[(w) >> 8 & 0xF]
-# define SQR0(w) \
- SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
-#endif
-#ifdef EIGHT_BIT
-# define SQR1(w) \
- SQR_tb[(w) >> 4 & 0xF]
-# define SQR0(w) \
- SQR_tb[(w) & 15]
-#endif
+# endif
+# if !defined(OPENSSL_BN_ASM_GF2m)
/*
* Product of two polynomials a, b each with degree < BN_BITS2 - 1, result is
* a polynomial r with degree < 2 * BN_BITS - 1 The caller MUST ensure that
* the variables have the right amount of space allocated.
*/
-#ifdef EIGHT_BIT
-static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a,
- const BN_ULONG b)
-{
- register BN_ULONG h, l, s;
- BN_ULONG tab[4], top1b = a >> 7;
- register BN_ULONG a1, a2;
-
- a1 = a & (0x7F);
- a2 = a1 << 1;
-
- tab[0] = 0;
- tab[1] = a1;
- tab[2] = a2;
- tab[3] = a1 ^ a2;
-
- s = tab[b & 0x3];
- l = s;
- s = tab[b >> 2 & 0x3];
- l ^= s << 2;
- h = s >> 6;
- s = tab[b >> 4 & 0x3];
- l ^= s << 4;
- h ^= s >> 4;
- s = tab[b >> 6];
- l ^= s << 6;
- h ^= s >> 2;
-
- /* compensate for the top bit of a */
-
- if (top1b & 01) {
- l ^= b << 7;
- h ^= b >> 1;
- }
-
- *r1 = h;
- *r0 = l;
-}
-#endif
-#ifdef SIXTEEN_BIT
-static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a,
- const BN_ULONG b)
-{
- register BN_ULONG h, l, s;
- BN_ULONG tab[4], top1b = a >> 15;
- register BN_ULONG a1, a2;
-
- a1 = a & (0x7FFF);
- a2 = a1 << 1;
-
- tab[0] = 0;
- tab[1] = a1;
- tab[2] = a2;
- tab[3] = a1 ^ a2;
-
- s = tab[b & 0x3];
- l = s;
- s = tab[b >> 2 & 0x3];
- l ^= s << 2;
- h = s >> 14;
- s = tab[b >> 4 & 0x3];
- l ^= s << 4;
- h ^= s >> 12;
- s = tab[b >> 6 & 0x3];
- l ^= s << 6;
- h ^= s >> 10;
- s = tab[b >> 8 & 0x3];
- l ^= s << 8;
- h ^= s >> 8;
- s = tab[b >> 10 & 0x3];
- l ^= s << 10;
- h ^= s >> 6;
- s = tab[b >> 12 & 0x3];
- l ^= s << 12;
- h ^= s >> 4;
- s = tab[b >> 14];
- l ^= s << 14;
- h ^= s >> 2;
-
- /* compensate for the top bit of a */
-
- if (top1b & 01) {
- l ^= b << 15;
- h ^= b >> 1;
- }
-
- *r1 = h;
- *r0 = l;
-}
-#endif
-#ifdef THIRTY_TWO_BIT
+# ifdef THIRTY_TWO_BIT
static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a,
const BN_ULONG b)
{
@@ -302,8 +203,8 @@ static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a,
*r1 = h;
*r0 = l;
}
-#endif
-#if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
+# endif
+# if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a,
const BN_ULONG b)
{
@@ -399,7 +300,7 @@ static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a,
*r1 = h;
*r0 = l;
}
-#endif
+# endif
/*
* Product of two polynomials a, b each with degree < 2 * BN_BITS2 - 1,
@@ -418,6 +319,10 @@ static void bn_GF2m_mul_2x2(BN_ULONG *r, const BN_ULONG a1, const BN_ULONG a0,
r[2] ^= m1 ^ r[1] ^ r[3]; /* h0 ^= m1 ^ l1 ^ h1; */
r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */
}
+# else
+void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1,
+ BN_ULONG b0);
+# endif
/*
* Add polynomials a and b and store result in r; r could be a or b, a and b
@@ -463,7 +368,7 @@ int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
*/
/* Performs modular reduction of a and store result in r. r could be a. */
-int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[])
+int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[])
{
int j, k;
int n, dN, d0, d1;
@@ -545,8 +450,7 @@ int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[])
d0 = p[k] % BN_BITS2;
d1 = BN_BITS2 - d0;
z[n] ^= (zz << d0);
- tmp_ulong = zz >> d1;
- if (d0 && tmp_ulong)
+ if (d0 && (tmp_ulong = zz >> d1))
z[n + 1] ^= tmp_ulong;
}
@@ -565,23 +469,16 @@ int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[])
int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p)
{
int ret = 0;
- const int max = BN_num_bits(p);
- unsigned int *arr = NULL;
+ int arr[6];
bn_check_top(a);
bn_check_top(p);
- if ((arr =
- (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL)
- goto err;
- ret = BN_GF2m_poly2arr(p, arr, max);
- if (!ret || ret > max) {
+ ret = BN_GF2m_poly2arr(p, arr, sizeof(arr) / sizeof(arr[0]));
+ if (!ret || ret > (int)(sizeof(arr) / sizeof(arr[0]))) {
BNerr(BN_F_BN_GF2M_MOD, BN_R_INVALID_LENGTH);
- goto err;
+ return 0;
}
ret = BN_GF2m_mod_arr(r, a, arr);
bn_check_top(r);
- err:
- if (arr)
- OPENSSL_free(arr);
return ret;
}
@@ -590,7 +487,7 @@ int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p)
* the result in r. r could be a or b; a could be b.
*/
int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- const unsigned int p[], BN_CTX *ctx)
+ const int p[], BN_CTX *ctx)
{
int zlen, i, j, k, ret = 0;
BIGNUM *s;
@@ -648,13 +545,12 @@ int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *p, BN_CTX *ctx)
{
int ret = 0;
- const int max = BN_num_bits(p);
- unsigned int *arr = NULL;
+ const int max = BN_num_bits(p) + 1;
+ int *arr = NULL;
bn_check_top(a);
bn_check_top(b);
bn_check_top(p);
- if ((arr =
- (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL)
+ if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL)
goto err;
ret = BN_GF2m_poly2arr(p, arr, max);
if (!ret || ret > max) {
@@ -670,7 +566,7 @@ int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
}
/* Square a, reduce the result mod p, and store it in a. r could be a. */
-int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[],
+int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[],
BN_CTX *ctx)
{
int i, ret = 0;
@@ -708,13 +604,12 @@ int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[],
int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
{
int ret = 0;
- const int max = BN_num_bits(p);
- unsigned int *arr = NULL;
+ const int max = BN_num_bits(p) + 1;
+ int *arr = NULL;
bn_check_top(a);
bn_check_top(p);
- if ((arr =
- (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL)
+ if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL)
goto err;
ret = BN_GF2m_poly2arr(p, arr, max);
if (!ret || ret > max) {
@@ -737,7 +632,7 @@ int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
*/
int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
{
- BIGNUM *b, *c, *u, *v, *tmp;
+ BIGNUM *b, *c = NULL, *u = NULL, *v = NULL, *tmp;
int ret = 0;
bn_check_top(a);
@@ -745,23 +640,26 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
BN_CTX_start(ctx);
- b = BN_CTX_get(ctx);
- c = BN_CTX_get(ctx);
- u = BN_CTX_get(ctx);
- v = BN_CTX_get(ctx);
- if (v == NULL)
+ if ((b = BN_CTX_get(ctx)) == NULL)
goto err;
-
- if (!BN_one(b))
+ if ((c = BN_CTX_get(ctx)) == NULL)
goto err;
- if (!BN_GF2m_mod(u, a, p))
+ if ((u = BN_CTX_get(ctx)) == NULL)
goto err;
- if (!BN_copy(v, p))
+ if ((v = BN_CTX_get(ctx)) == NULL)
goto err;
+ if (!BN_GF2m_mod(u, a, p))
+ goto err;
if (BN_is_zero(u))
goto err;
+ if (!BN_copy(v, p))
+ goto err;
+# if 0
+ if (!BN_one(b))
+ goto err;
+
while (1) {
while (!BN_is_odd(u)) {
if (BN_is_zero(u))
@@ -793,6 +691,93 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
if (!BN_GF2m_add(b, b, c))
goto err;
}
+# else
+ {
+ int i;
+ int ubits = BN_num_bits(u);
+ int vbits = BN_num_bits(v); /* v is copy of p */
+ int top = p->top;
+ BN_ULONG *udp, *bdp, *vdp, *cdp;
+
+ bn_wexpand(u, top);
+ udp = u->d;
+ for (i = u->top; i < top; i++)
+ udp[i] = 0;
+ u->top = top;
+ bn_wexpand(b, top);
+ bdp = b->d;
+ bdp[0] = 1;
+ for (i = 1; i < top; i++)
+ bdp[i] = 0;
+ b->top = top;
+ bn_wexpand(c, top);
+ cdp = c->d;
+ for (i = 0; i < top; i++)
+ cdp[i] = 0;
+ c->top = top;
+ vdp = v->d; /* It pays off to "cache" *->d pointers,
+ * because it allows optimizer to be more
+ * aggressive. But we don't have to "cache"
+ * p->d, because *p is declared 'const'... */
+ while (1) {
+ while (ubits && !(udp[0] & 1)) {
+ BN_ULONG u0, u1, b0, b1, mask;
+
+ u0 = udp[0];
+ b0 = bdp[0];
+ mask = (BN_ULONG)0 - (b0 & 1);
+ b0 ^= p->d[0] & mask;
+ for (i = 0; i < top - 1; i++) {
+ u1 = udp[i + 1];
+ udp[i] = ((u0 >> 1) | (u1 << (BN_BITS2 - 1))) & BN_MASK2;
+ u0 = u1;
+ b1 = bdp[i + 1] ^ (p->d[i + 1] & mask);
+ bdp[i] = ((b0 >> 1) | (b1 << (BN_BITS2 - 1))) & BN_MASK2;
+ b0 = b1;
+ }
+ udp[i] = u0 >> 1;
+ bdp[i] = b0 >> 1;
+ ubits--;
+ }
+
+ if (ubits <= BN_BITS2) {
+ if (udp[0] == 0) /* poly was reducible */
+ goto err;
+ if (udp[0] == 1)
+ break;
+ }
+
+ if (ubits < vbits) {
+ i = ubits;
+ ubits = vbits;
+ vbits = i;
+ tmp = u;
+ u = v;
+ v = tmp;
+ tmp = b;
+ b = c;
+ c = tmp;
+ udp = vdp;
+ vdp = v->d;
+ bdp = cdp;
+ cdp = c->d;
+ }
+ for (i = 0; i < top; i++) {
+ udp[i] ^= vdp[i];
+ bdp[i] ^= cdp[i];
+ }
+ if (ubits == vbits) {
+ BN_ULONG ul;
+ int utop = (ubits - 1) / BN_BITS2;
+
+ while ((ul = udp[utop]) == 0 && utop)
+ utop--;
+ ubits = utop * BN_BITS2 + BN_num_bits_word(ul);
+ }
+ }
+ bn_correct_top(b);
+ }
+# endif
if (!BN_copy(r, b))
goto err;
@@ -800,6 +785,12 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
ret = 1;
err:
+# ifdef BN_DEBUG /* BN_CTX_end would complain about the
+ * expanded form */
+ bn_correct_top(c);
+ bn_correct_top(u);
+ bn_correct_top(v);
+# endif
BN_CTX_end(ctx);
return ret;
}
@@ -810,7 +801,7 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
* wrapper function is only provided for convenience; for best performance,
* use the BN_GF2m_mod_inv function.
*/
-int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const unsigned int p[],
+int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const int p[],
BN_CTX *ctx)
{
BIGNUM *field;
@@ -831,7 +822,7 @@ int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const unsigned int p[],
return ret;
}
-#ifndef OPENSSL_SUN_GF2M_DIV
+# ifndef OPENSSL_SUN_GF2M_DIV
/*
* Divide y by x, reduce modulo p, and store the result in r. r could be x
* or y, x could equal y.
@@ -862,7 +853,7 @@ int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x,
BN_CTX_end(ctx);
return ret;
}
-#else
+# else
/*
* Divide y by x, reduce modulo p, and store the result in r. r could be x
* or y, x could equal y. Uses algorithm Modular_Division_GF(2^m) from
@@ -949,7 +940,7 @@ int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x,
BN_CTX_end(ctx);
return ret;
}
-#endif
+# endif
/*
* Divide yy by xx, reduce modulo p, and store the result in r. r could be xx
@@ -958,7 +949,7 @@ int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x,
* convenience; for best performance, use the BN_GF2m_mod_div function.
*/
int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *yy, const BIGNUM *xx,
- const unsigned int p[], BN_CTX *ctx)
+ const int p[], BN_CTX *ctx)
{
BIGNUM *field;
int ret = 0;
@@ -986,7 +977,7 @@ int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *yy, const BIGNUM *xx,
* P1363.
*/
int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- const unsigned int p[], BN_CTX *ctx)
+ const int p[], BN_CTX *ctx)
{
int ret = 0, i, n;
BIGNUM *u;
@@ -1035,13 +1026,12 @@ int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *p, BN_CTX *ctx)
{
int ret = 0;
- const int max = BN_num_bits(p);
- unsigned int *arr = NULL;
+ const int max = BN_num_bits(p) + 1;
+ int *arr = NULL;
bn_check_top(a);
bn_check_top(b);
bn_check_top(p);
- if ((arr =
- (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL)
+ if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL)
goto err;
ret = BN_GF2m_poly2arr(p, arr, max);
if (!ret || ret > max) {
@@ -1060,7 +1050,7 @@ int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
* Compute the square root of a, reduce modulo p, and store the result in r.
* r could be a. Uses exponentiation as in algorithm A.4.1 from IEEE P1363.
*/
-int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[],
+int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const int p[],
BN_CTX *ctx)
{
int ret = 0;
@@ -1097,12 +1087,11 @@ int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[],
int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
{
int ret = 0;
- const int max = BN_num_bits(p);
- unsigned int *arr = NULL;
+ const int max = BN_num_bits(p) + 1;
+ int *arr = NULL;
bn_check_top(a);
bn_check_top(p);
- if ((arr =
- (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL)
+ if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL)
goto err;
ret = BN_GF2m_poly2arr(p, arr, max);
if (!ret || ret > max) {
@@ -1121,11 +1110,10 @@ int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
* Find r such that r^2 + r = a mod p. r could be a. If no r exists returns
* 0. Uses algorithms A.4.7 and A.4.6 from IEEE P1363.
*/
-int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_,
- const unsigned int p[], BN_CTX *ctx)
+int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const int p[],
+ BN_CTX *ctx)
{
- int ret = 0, count = 0;
- unsigned int j;
+ int ret = 0, count = 0, j;
BIGNUM *a, *z, *rho, *w, *w2, *tmp;
bn_check_top(a_);
@@ -1230,12 +1218,11 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
BN_CTX *ctx)
{
int ret = 0;
- const int max = BN_num_bits(p);
- unsigned int *arr = NULL;
+ const int max = BN_num_bits(p) + 1;
+ int *arr = NULL;
bn_check_top(a);
bn_check_top(p);
- if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) *
- max)) == NULL)
+ if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL)
goto err;
ret = BN_GF2m_poly2arr(p, arr, max);
if (!ret || ret > max) {
@@ -1252,21 +1239,17 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
/*
* Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
- * x^i , where a_0 is *not* zero) into an array of integers corresponding to
- * the bits with non-zero coefficient. Up to max elements of the array will
- * be filled. Return value is total number of coefficients that would be
- * extracted if array was large enough.
+ * x^i) into an array of integers corresponding to the bits with non-zero
+ * coefficient. Array is terminated with -1. Up to max elements of the array
+ * will be filled. Return value is total number of array elements that would
+ * be filled if array was large enough.
*/
-int BN_GF2m_poly2arr(const BIGNUM *a, unsigned int p[], int max)
+int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
{
int i, j, k = 0;
BN_ULONG mask;
- if (BN_is_zero(a) || !BN_is_bit_set(a, 0))
- /*
- * a_0 == 0 => return error (the unsigned int array must be
- * terminated by 0)
- */
+ if (BN_is_zero(a))
return 0;
for (i = a->top - 1; i >= 0; i--) {
@@ -1284,86 +1267,31 @@ int BN_GF2m_poly2arr(const BIGNUM *a, unsigned int p[], int max)
}
}
+ if (k < max) {
+ p[k] = -1;
+ k++;
+ }
+
return k;
}
/*
* Convert the coefficient array representation of a polynomial to a
- * bit-string. The array must be terminated by 0.
+ * bit-string. The array must be terminated by -1.
*/
-int BN_GF2m_arr2poly(const unsigned int p[], BIGNUM *a)
+int BN_GF2m_arr2poly(const int p[], BIGNUM *a)
{
int i;
bn_check_top(a);
BN_zero(a);
- for (i = 0; p[i] != 0; i++) {
+ for (i = 0; p[i] != -1; i++) {
if (BN_set_bit(a, p[i]) == 0)
return 0;
}
- BN_set_bit(a, 0);
bn_check_top(a);
return 1;
}
-/*
- * Constant-time conditional swap of a and b.
- * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
- * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
- * and that no more than nwords are used by either a or b.
- * a and b cannot be the same number
- */
-void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
-{
- BN_ULONG t;
- int i;
-
- bn_wcheck_size(a, nwords);
- bn_wcheck_size(b, nwords);
-
- assert(a != b);
- assert((condition & (condition - 1)) == 0);
- assert(sizeof(BN_ULONG) >= sizeof(int));
-
- condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
-
- t = (a->top ^ b->top) & condition;
- a->top ^= t;
- b->top ^= t;
-
-#define BN_CONSTTIME_SWAP(ind) \
- do { \
- t = (a->d[ind] ^ b->d[ind]) & condition; \
- a->d[ind] ^= t; \
- b->d[ind] ^= t; \
- } while (0)
-
- switch (nwords) {
- default:
- for (i = 10; i < nwords; i++)
- BN_CONSTTIME_SWAP(i);
- /* Fallthrough */
- case 10:
- BN_CONSTTIME_SWAP(9); /* Fallthrough */
- case 9:
- BN_CONSTTIME_SWAP(8); /* Fallthrough */
- case 8:
- BN_CONSTTIME_SWAP(7); /* Fallthrough */
- case 7:
- BN_CONSTTIME_SWAP(6); /* Fallthrough */
- case 6:
- BN_CONSTTIME_SWAP(5); /* Fallthrough */
- case 5:
- BN_CONSTTIME_SWAP(4); /* Fallthrough */
- case 4:
- BN_CONSTTIME_SWAP(3); /* Fallthrough */
- case 3:
- BN_CONSTTIME_SWAP(2); /* Fallthrough */
- case 2:
- BN_CONSTTIME_SWAP(1); /* Fallthrough */
- case 1:
- BN_CONSTTIME_SWAP(0);
- }
-#undef BN_CONSTTIME_SWAP
-}
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_lcl.h b/Cryptlib/OpenSSL/crypto/bn/bn_lcl.h
index 27ac4397..00f4f099 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_lcl.h
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_lcl.h
@@ -5,21 +5,21 @@
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -34,10 +34,10 @@
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
@@ -63,7 +63,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -110,16 +110,15 @@
*/
#ifndef HEADER_BN_LCL_H
-#define HEADER_BN_LCL_H
+# define HEADER_BN_LCL_H
-#include <openssl/bn.h>
+# include <openssl/bn.h>
#ifdef __cplusplus
extern "C" {
#endif
-
-/*
+/*-
* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
*
*
@@ -144,73 +143,86 @@ extern "C" {
* (with draws in between). Very small exponents are often selected
* with low Hamming weight, so we use w = 1 for b <= 23.
*/
-#if 1
-#define BN_window_bits_for_exponent_size(b) \
- ((b) > 671 ? 6 : \
- (b) > 239 ? 5 : \
- (b) > 79 ? 4 : \
- (b) > 23 ? 3 : 1)
-#else
-/* Old SSLeay/OpenSSL table.
- * Maximum window size was 5, so this table differs for b==1024;
- * but it coincides for other interesting values (b==160, b==512).
+# if 1
+# define BN_window_bits_for_exponent_size(b) \
+ ((b) > 671 ? 6 : \
+ (b) > 239 ? 5 : \
+ (b) > 79 ? 4 : \
+ (b) > 23 ? 3 : 1)
+# else
+/*
+ * Old SSLeay/OpenSSL table. Maximum window size was 5, so this table differs
+ * for b==1024; but it coincides for other interesting values (b==160,
+ * b==512).
*/
-#define BN_window_bits_for_exponent_size(b) \
- ((b) > 255 ? 5 : \
- (b) > 127 ? 4 : \
- (b) > 17 ? 3 : 1)
-#endif
-
-
+# define BN_window_bits_for_exponent_size(b) \
+ ((b) > 255 ? 5 : \
+ (b) > 127 ? 4 : \
+ (b) > 17 ? 3 : 1)
+# endif
-/* BN_mod_exp_mont_conttime is based on the assumption that the
- * L1 data cache line width of the target processor is at least
- * the following value.
+/*
+ * BN_mod_exp_mont_conttime is based on the assumption that the L1 data cache
+ * line width of the target processor is at least the following value.
*/
-#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 )
-#define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
+# define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 )
+# define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
-/* Window sizes optimized for fixed window size modular exponentiation
- * algorithm (BN_mod_exp_mont_consttime).
- *
- * To achieve the security goals of BN_mode_exp_mont_consttime, the
- * maximum size of the window must not exceed
- * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH).
- *
- * Window size thresholds are defined for cache line sizes of 32 and 64,
- * cache line sizes where log_2(32)=5 and log_2(64)=6 respectively. A
- * window size of 7 should only be used on processors that have a 128
- * byte or greater cache line size.
+/*
+ * Window sizes optimized for fixed window size modular exponentiation
+ * algorithm (BN_mod_exp_mont_consttime). To achieve the security goals of
+ * BN_mode_exp_mont_consttime, the maximum size of the window must not exceed
+ * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH). Window size thresholds are
+ * defined for cache line sizes of 32 and 64, cache line sizes where
+ * log_2(32)=5 and log_2(64)=6 respectively. A window size of 7 should only be
+ * used on processors that have a 128 byte or greater cache line size.
*/
-#if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
+# if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
# define BN_window_bits_for_ctime_exponent_size(b) \
- ((b) > 937 ? 6 : \
- (b) > 306 ? 5 : \
- (b) > 89 ? 4 : \
- (b) > 22 ? 3 : 1)
-# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (6)
+ ((b) > 937 ? 6 : \
+ (b) > 306 ? 5 : \
+ (b) > 89 ? 4 : \
+ (b) > 22 ? 3 : 1)
+# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (6)
-#elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32
+# elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32
# define BN_window_bits_for_ctime_exponent_size(b) \
- ((b) > 306 ? 5 : \
- (b) > 89 ? 4 : \
- (b) > 22 ? 3 : 1)
-# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (5)
-
-#endif
+ ((b) > 306 ? 5 : \
+ (b) > 89 ? 4 : \
+ (b) > 22 ? 3 : 1)
+# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (5)
+# endif
/* Pentium pro 16,16,16,32,64 */
/* Alpha 16,16,16,16.64 */
-#define BN_MULL_SIZE_NORMAL (16) /* 32 */
-#define BN_MUL_RECURSIVE_SIZE_NORMAL (16) /* 32 less than */
-#define BN_SQR_RECURSIVE_SIZE_NORMAL (16) /* 32 */
-#define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32) /* 32 */
-#define BN_MONT_CTX_SET_SIZE_WORD (64) /* 32 */
+# define BN_MULL_SIZE_NORMAL (16)/* 32 */
+# define BN_MUL_RECURSIVE_SIZE_NORMAL (16)/* 32 less than */
+# define BN_SQR_RECURSIVE_SIZE_NORMAL (16)/* 32 */
+# define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32)/* 32 */
+# define BN_MONT_CTX_SET_SIZE_WORD (64)/* 32 */
-#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
+/*
+ * 2011-02-22 SMS. In various places, a size_t variable or a type cast to
+ * size_t was used to perform integer-only operations on pointers. This
+ * failed on VMS with 64-bit pointers (CC /POINTER_SIZE = 64) because size_t
+ * is still only 32 bits. What's needed in these cases is an integer type
+ * with the same size as a pointer, which size_t is not certain to be. The
+ * only fix here is VMS-specific.
+ */
+# if defined(OPENSSL_SYS_VMS)
+# if __INITIAL_POINTER_SIZE == 64
+# define PTR_SIZE_INT long long
+# else /* __INITIAL_POINTER_SIZE == 64 */
+# define PTR_SIZE_INT int
+# endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+# elif !defined(PTR_SIZE_INT) /* defined(OPENSSL_SYS_VMS) */
+# define PTR_SIZE_INT size_t
+# endif /* defined(OPENSSL_SYS_VMS) [else] */
+
+# if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
/*
* BN_UMULT_HIGH section.
*
@@ -232,256 +244,291 @@ extern "C" {
* exhibiting "native" performance in C. That's what BN_UMULT_HIGH
* macro is about:-)
*
- * <appro@fy.chalmers.se>
+ * <appro@fy.chalmers.se>
*/
-# if defined(__alpha) && (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
-# if defined(__DECC)
-# include <c_asm.h>
-# define BN_UMULT_HIGH(a,b) (BN_ULONG)asm("umulh %a0,%a1,%v0",(a),(b))
-# elif defined(__GNUC__)
-# define BN_UMULT_HIGH(a,b) ({ \
- register BN_ULONG ret; \
- asm ("umulh %1,%2,%0" \
- : "=r"(ret) \
- : "r"(a), "r"(b)); \
- ret; })
-# endif /* compiler */
-# elif defined(_ARCH_PPC) && defined(__64BIT__) && defined(SIXTY_FOUR_BIT_LONG)
-# if defined(__GNUC__)
-# define BN_UMULT_HIGH(a,b) ({ \
- register BN_ULONG ret; \
- asm ("mulhdu %0,%1,%2" \
- : "=r"(ret) \
- : "r"(a), "r"(b)); \
- ret; })
-# endif /* compiler */
-# elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG)
-# if defined(__GNUC__)
-# define BN_UMULT_HIGH(a,b) ({ \
- register BN_ULONG ret,discard; \
- asm ("mulq %3" \
- : "=a"(discard),"=d"(ret) \
- : "a"(a), "g"(b) \
- : "cc"); \
- ret; })
-# define BN_UMULT_LOHI(low,high,a,b) \
- asm ("mulq %3" \
- : "=a"(low),"=d"(high) \
- : "a"(a),"g"(b) \
- : "cc");
-# endif
-# elif (defined(_M_AMD64) || defined(_M_X64)) && defined(SIXTY_FOUR_BIT)
-# if defined(_MSC_VER) && _MSC_VER>=1400
- unsigned __int64 __umulh (unsigned __int64 a,unsigned __int64 b);
- unsigned __int64 _umul128 (unsigned __int64 a,unsigned __int64 b,
- unsigned __int64 *h);
-# pragma intrinsic(__umulh,_umul128)
-# define BN_UMULT_HIGH(a,b) __umulh((a),(b))
-# define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high)))
-# endif
-# endif /* cpu */
-#endif /* OPENSSL_NO_ASM */
+# if defined(__alpha) && (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
+# if defined(__DECC)
+# include <c_asm.h>
+# define BN_UMULT_HIGH(a,b) (BN_ULONG)asm("umulh %a0,%a1,%v0",(a),(b))
+# elif defined(__GNUC__) && __GNUC__>=2
+# define BN_UMULT_HIGH(a,b) ({ \
+ register BN_ULONG ret; \
+ asm ("umulh %1,%2,%0" \
+ : "=r"(ret) \
+ : "r"(a), "r"(b)); \
+ ret; })
+# endif /* compiler */
+# elif defined(_ARCH_PPC) && defined(__64BIT__) && defined(SIXTY_FOUR_BIT_LONG)
+# if defined(__GNUC__) && __GNUC__>=2
+# define BN_UMULT_HIGH(a,b) ({ \
+ register BN_ULONG ret; \
+ asm ("mulhdu %0,%1,%2" \
+ : "=r"(ret) \
+ : "r"(a), "r"(b)); \
+ ret; })
+# endif /* compiler */
+# elif (defined(__x86_64) || defined(__x86_64__)) && \
+ (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
+# if defined(__GNUC__) && __GNUC__>=2
+# define BN_UMULT_HIGH(a,b) ({ \
+ register BN_ULONG ret,discard; \
+ asm ("mulq %3" \
+ : "=a"(discard),"=d"(ret) \
+ : "a"(a), "g"(b) \
+ : "cc"); \
+ ret; })
+# define BN_UMULT_LOHI(low,high,a,b) \
+ asm ("mulq %3" \
+ : "=a"(low),"=d"(high) \
+ : "a"(a),"g"(b) \
+ : "cc");
+# endif
+# elif (defined(_M_AMD64) || defined(_M_X64)) && defined(SIXTY_FOUR_BIT)
+# if defined(_MSC_VER) && _MSC_VER>=1400
+unsigned __int64 __umulh(unsigned __int64 a, unsigned __int64 b);
+unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
+ unsigned __int64 *h);
+# pragma intrinsic(__umulh,_umul128)
+# define BN_UMULT_HIGH(a,b) __umulh((a),(b))
+# define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high)))
+# endif
+# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
+# if defined(__GNUC__) && __GNUC__>=2
+# if __GNUC__>4 || (__GNUC__>=4 && __GNUC_MINOR__>=4)
+ /* "h" constraint is no more since 4.4 */
+# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64)
+# define BN_UMULT_LOHI(low,high,a,b) ({ \
+ __uint128_t ret=(__uint128_t)(a)*(b); \
+ (high)=ret>>64; (low)=ret; })
+# else
+# define BN_UMULT_HIGH(a,b) ({ \
+ register BN_ULONG ret; \
+ asm ("dmultu %1,%2" \
+ : "=h"(ret) \
+ : "r"(a), "r"(b) : "l"); \
+ ret; })
+# define BN_UMULT_LOHI(low,high,a,b)\
+ asm ("dmultu %2,%3" \
+ : "=l"(low),"=h"(high) \
+ : "r"(a), "r"(b));
+# endif
+# endif
+# elif defined(__aarch64__) && defined(SIXTY_FOUR_BIT_LONG)
+# if defined(__GNUC__) && __GNUC__>=2
+# define BN_UMULT_HIGH(a,b) ({ \
+ register BN_ULONG ret; \
+ asm ("umulh %0,%1,%2" \
+ : "=r"(ret) \
+ : "r"(a), "r"(b)); \
+ ret; })
+# endif
+# endif /* cpu */
+# endif /* OPENSSL_NO_ASM */
/*************************************************************
* Using the long long type
*/
-#define Lw(t) (((BN_ULONG)(t))&BN_MASK2)
-#define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
-
-#ifdef BN_DEBUG_RAND
-#define bn_clear_top2max(a) \
- { \
- int ind = (a)->dmax - (a)->top; \
- BN_ULONG *ftl = &(a)->d[(a)->top-1]; \
- for (; ind != 0; ind--) \
- *(++ftl) = 0x0; \
- }
-#else
-#define bn_clear_top2max(a)
-#endif
-
-#ifdef BN_LLONG
-#define mul_add(r,a,w,c) { \
- BN_ULLONG t; \
- t=(BN_ULLONG)w * (a) + (r) + (c); \
- (r)= Lw(t); \
- (c)= Hw(t); \
- }
-
-#define mul(r,a,w,c) { \
- BN_ULLONG t; \
- t=(BN_ULLONG)w * (a) + (c); \
- (r)= Lw(t); \
- (c)= Hw(t); \
- }
-
-#define sqr(r0,r1,a) { \
- BN_ULLONG t; \
- t=(BN_ULLONG)(a)*(a); \
- (r0)=Lw(t); \
- (r1)=Hw(t); \
- }
-
-#elif defined(BN_UMULT_LOHI)
-#define mul_add(r,a,w,c) { \
- BN_ULONG high,low,ret,tmp=(a); \
- ret = (r); \
- BN_UMULT_LOHI(low,high,w,tmp); \
- ret += (c); \
- (c) = (ret<(c))?1:0; \
- (c) += high; \
- ret += low; \
- (c) += (ret<low)?1:0; \
- (r) = ret; \
- }
-
-#define mul(r,a,w,c) { \
- BN_ULONG high,low,ret,ta=(a); \
- BN_UMULT_LOHI(low,high,w,ta); \
- ret = low + (c); \
- (c) = high; \
- (c) += (ret<low)?1:0; \
- (r) = ret; \
- }
-
-#define sqr(r0,r1,a) { \
- BN_ULONG tmp=(a); \
- BN_UMULT_LOHI(r0,r1,tmp,tmp); \
- }
-
-#elif defined(BN_UMULT_HIGH)
-#define mul_add(r,a,w,c) { \
- BN_ULONG high,low,ret,tmp=(a); \
- ret = (r); \
- high= BN_UMULT_HIGH(w,tmp); \
- ret += (c); \
- low = (w) * tmp; \
- (c) = (ret<(c))?1:0; \
- (c) += high; \
- ret += low; \
- (c) += (ret<low)?1:0; \
- (r) = ret; \
- }
-
-#define mul(r,a,w,c) { \
- BN_ULONG high,low,ret,ta=(a); \
- low = (w) * ta; \
- high= BN_UMULT_HIGH(w,ta); \
- ret = low + (c); \
- (c) = high; \
- (c) += (ret<low)?1:0; \
- (r) = ret; \
- }
-
-#define sqr(r0,r1,a) { \
- BN_ULONG tmp=(a); \
- (r0) = tmp * tmp; \
- (r1) = BN_UMULT_HIGH(tmp,tmp); \
- }
-
-#else
+# define Lw(t) (((BN_ULONG)(t))&BN_MASK2)
+# define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
+
+# ifdef BN_DEBUG_RAND
+# define bn_clear_top2max(a) \
+ { \
+ int ind = (a)->dmax - (a)->top; \
+ BN_ULONG *ftl = &(a)->d[(a)->top-1]; \
+ for (; ind != 0; ind--) \
+ *(++ftl) = 0x0; \
+ }
+# else
+# define bn_clear_top2max(a)
+# endif
+
+# ifdef BN_LLONG
+# define mul_add(r,a,w,c) { \
+ BN_ULLONG t; \
+ t=(BN_ULLONG)w * (a) + (r) + (c); \
+ (r)= Lw(t); \
+ (c)= Hw(t); \
+ }
+
+# define mul(r,a,w,c) { \
+ BN_ULLONG t; \
+ t=(BN_ULLONG)w * (a) + (c); \
+ (r)= Lw(t); \
+ (c)= Hw(t); \
+ }
+
+# define sqr(r0,r1,a) { \
+ BN_ULLONG t; \
+ t=(BN_ULLONG)(a)*(a); \
+ (r0)=Lw(t); \
+ (r1)=Hw(t); \
+ }
+
+# elif defined(BN_UMULT_LOHI)
+# define mul_add(r,a,w,c) { \
+ BN_ULONG high,low,ret,tmp=(a); \
+ ret = (r); \
+ BN_UMULT_LOHI(low,high,w,tmp); \
+ ret += (c); \
+ (c) = (ret<(c))?1:0; \
+ (c) += high; \
+ ret += low; \
+ (c) += (ret<low)?1:0; \
+ (r) = ret; \
+ }
+
+# define mul(r,a,w,c) { \
+ BN_ULONG high,low,ret,ta=(a); \
+ BN_UMULT_LOHI(low,high,w,ta); \
+ ret = low + (c); \
+ (c) = high; \
+ (c) += (ret<low)?1:0; \
+ (r) = ret; \
+ }
+
+# define sqr(r0,r1,a) { \
+ BN_ULONG tmp=(a); \
+ BN_UMULT_LOHI(r0,r1,tmp,tmp); \
+ }
+
+# elif defined(BN_UMULT_HIGH)
+# define mul_add(r,a,w,c) { \
+ BN_ULONG high,low,ret,tmp=(a); \
+ ret = (r); \
+ high= BN_UMULT_HIGH(w,tmp); \
+ ret += (c); \
+ low = (w) * tmp; \
+ (c) = (ret<(c))?1:0; \
+ (c) += high; \
+ ret += low; \
+ (c) += (ret<low)?1:0; \
+ (r) = ret; \
+ }
+
+# define mul(r,a,w,c) { \
+ BN_ULONG high,low,ret,ta=(a); \
+ low = (w) * ta; \
+ high= BN_UMULT_HIGH(w,ta); \
+ ret = low + (c); \
+ (c) = high; \
+ (c) += (ret<low)?1:0; \
+ (r) = ret; \
+ }
+
+# define sqr(r0,r1,a) { \
+ BN_ULONG tmp=(a); \
+ (r0) = tmp * tmp; \
+ (r1) = BN_UMULT_HIGH(tmp,tmp); \
+ }
+
+# else
/*************************************************************
* No long long type
*/
-#define LBITS(a) ((a)&BN_MASK2l)
-#define HBITS(a) (((a)>>BN_BITS4)&BN_MASK2l)
-#define L2HBITS(a) (((a)<<BN_BITS4)&BN_MASK2)
+# define LBITS(a) ((a)&BN_MASK2l)
+# define HBITS(a) (((a)>>BN_BITS4)&BN_MASK2l)
+# define L2HBITS(a) (((a)<<BN_BITS4)&BN_MASK2)
-#define LLBITS(a) ((a)&BN_MASKl)
-#define LHBITS(a) (((a)>>BN_BITS2)&BN_MASKl)
-#define LL2HBITS(a) ((BN_ULLONG)((a)&BN_MASKl)<<BN_BITS2)
+# define LLBITS(a) ((a)&BN_MASKl)
+# define LHBITS(a) (((a)>>BN_BITS2)&BN_MASKl)
+# define LL2HBITS(a) ((BN_ULLONG)((a)&BN_MASKl)<<BN_BITS2)
-#define mul64(l,h,bl,bh) \
- { \
- BN_ULONG m,m1,lt,ht; \
+# define mul64(l,h,bl,bh) \
+ { \
+ BN_ULONG m,m1,lt,ht; \
\
- lt=l; \
- ht=h; \
- m =(bh)*(lt); \
- lt=(bl)*(lt); \
- m1=(bl)*(ht); \
- ht =(bh)*(ht); \
- m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \
- ht+=HBITS(m); \
- m1=L2HBITS(m); \
- lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \
- (l)=lt; \
- (h)=ht; \
- }
-
-#define sqr64(lo,ho,in) \
- { \
- BN_ULONG l,h,m; \
+ lt=l; \
+ ht=h; \
+ m =(bh)*(lt); \
+ lt=(bl)*(lt); \
+ m1=(bl)*(ht); \
+ ht =(bh)*(ht); \
+ m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \
+ ht+=HBITS(m); \
+ m1=L2HBITS(m); \
+ lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \
+ (l)=lt; \
+ (h)=ht; \
+ }
+
+# define sqr64(lo,ho,in) \
+ { \
+ BN_ULONG l,h,m; \
\
- h=(in); \
- l=LBITS(h); \
- h=HBITS(h); \
- m =(l)*(h); \
- l*=l; \
- h*=h; \
- h+=(m&BN_MASK2h1)>>(BN_BITS4-1); \
- m =(m&BN_MASK2l)<<(BN_BITS4+1); \
- l=(l+m)&BN_MASK2; if (l < m) h++; \
- (lo)=l; \
- (ho)=h; \
- }
-
-#define mul_add(r,a,bl,bh,c) { \
- BN_ULONG l,h; \
+ h=(in); \
+ l=LBITS(h); \
+ h=HBITS(h); \
+ m =(l)*(h); \
+ l*=l; \
+ h*=h; \
+ h+=(m&BN_MASK2h1)>>(BN_BITS4-1); \
+ m =(m&BN_MASK2l)<<(BN_BITS4+1); \
+ l=(l+m)&BN_MASK2; if (l < m) h++; \
+ (lo)=l; \
+ (ho)=h; \
+ }
+
+# define mul_add(r,a,bl,bh,c) { \
+ BN_ULONG l,h; \
\
- h= (a); \
- l=LBITS(h); \
- h=HBITS(h); \
- mul64(l,h,(bl),(bh)); \
+ h= (a); \
+ l=LBITS(h); \
+ h=HBITS(h); \
+ mul64(l,h,(bl),(bh)); \
\
- /* non-multiply part */ \
- l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
- (c)=(r); \
- l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
- (c)=h&BN_MASK2; \
- (r)=l; \
- }
-
-#define mul(r,a,bl,bh,c) { \
- BN_ULONG l,h; \
+ /* non-multiply part */ \
+ l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
+ (c)=(r); \
+ l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
+ (c)=h&BN_MASK2; \
+ (r)=l; \
+ }
+
+# define mul(r,a,bl,bh,c) { \
+ BN_ULONG l,h; \
\
- h= (a); \
- l=LBITS(h); \
- h=HBITS(h); \
- mul64(l,h,(bl),(bh)); \
+ h= (a); \
+ l=LBITS(h); \
+ h=HBITS(h); \
+ mul64(l,h,(bl),(bh)); \
\
- /* non-multiply part */ \
- l+=(c); if ((l&BN_MASK2) < (c)) h++; \
- (c)=h&BN_MASK2; \
- (r)=l&BN_MASK2; \
- }
-#endif /* !BN_LLONG */
-
-void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb);
-void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
-void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
+ /* non-multiply part */ \
+ l+=(c); if ((l&BN_MASK2) < (c)) h++; \
+ (c)=h&BN_MASK2; \
+ (r)=l&BN_MASK2; \
+ }
+# endif /* !BN_LLONG */
+
+# if defined(OPENSSL_DOING_MAKEDEPEND) && defined(OPENSSL_FIPS)
+# undef bn_div_words
+# endif
+
+void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb);
+void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp);
-void bn_sqr_comba8(BN_ULONG *r,const BN_ULONG *a);
-void bn_sqr_comba4(BN_ULONG *r,const BN_ULONG *a);
-int bn_cmp_words(const BN_ULONG *a,const BN_ULONG *b,int n);
-int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
- int cl, int dl);
-void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
- int dna,int dnb,BN_ULONG *t);
-void bn_mul_part_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,
- int n,int tna,int tnb,BN_ULONG *t);
-void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t);
-void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n);
-void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
- BN_ULONG *t);
-void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2,
- BN_ULONG *t);
+void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
+void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
+int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n);
+int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl);
+void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
+ int dna, int dnb, BN_ULONG *t);
+void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b,
+ int n, int tna, int tnb, BN_ULONG *t);
+void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t);
+void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n);
+void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
+ BN_ULONG *t);
+void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
+ BN_ULONG *t);
BN_ULONG bn_add_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
- int cl, int dl);
+ int cl, int dl);
BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
- int cl, int dl);
-int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np,const BN_ULONG *n0, int num);
+ int cl, int dl);
+int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ const BN_ULONG *np, const BN_ULONG *n0, int num);
#ifdef __cplusplus
}
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_lib.c b/Cryptlib/OpenSSL/crypto/bn/bn_lib.c
index becb9571..80105fff 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_lib.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_lib.c
@@ -135,15 +135,16 @@ int BN_get_params(int which)
const BIGNUM *BN_value_one(void)
{
- static BN_ULONG data_one = 1L;
- static BIGNUM const_one = { &data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
+ static const BN_ULONG data_one = 1L;
+ static const BIGNUM const_one =
+ { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
return (&const_one);
}
int BN_num_bits_word(BN_ULONG l)
{
- static const char bits[256] = {
+ static const unsigned char bits[256] = {
0, 1, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4,
5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
@@ -203,7 +204,7 @@ int BN_num_bits_word(BN_ULONG l)
} else
#endif
{
-#if defined(SIXTEEN_BIT) || defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
+#if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
if (l & 0xff00L)
return (bits[(int)(l >> 8)] + 8);
else
@@ -773,7 +774,7 @@ int BN_is_bit_set(const BIGNUM *a, int n)
j = n % BN_BITS2;
if (a->top <= i)
return 0;
- return (((a->d[i]) >> j) & ((BN_ULONG)1));
+ return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
}
int BN_mask_bits(BIGNUM *a, int n)
@@ -852,3 +853,64 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
}
return bn_cmp_words(a, b, cl);
}
+
+/*
+ * Constant-time conditional swap of a and b.
+ * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
+ * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
+ * and that no more than nwords are used by either a or b.
+ * a and b cannot be the same number
+ */
+void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
+{
+ BN_ULONG t;
+ int i;
+
+ bn_wcheck_size(a, nwords);
+ bn_wcheck_size(b, nwords);
+
+ assert(a != b);
+ assert((condition & (condition - 1)) == 0);
+ assert(sizeof(BN_ULONG) >= sizeof(int));
+
+ condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
+
+ t = (a->top ^ b->top) & condition;
+ a->top ^= t;
+ b->top ^= t;
+
+#define BN_CONSTTIME_SWAP(ind) \
+ do { \
+ t = (a->d[ind] ^ b->d[ind]) & condition; \
+ a->d[ind] ^= t; \
+ b->d[ind] ^= t; \
+ } while (0)
+
+ switch (nwords) {
+ default:
+ for (i = 10; i < nwords; i++)
+ BN_CONSTTIME_SWAP(i);
+ /* Fallthrough */
+ case 10:
+ BN_CONSTTIME_SWAP(9); /* Fallthrough */
+ case 9:
+ BN_CONSTTIME_SWAP(8); /* Fallthrough */
+ case 8:
+ BN_CONSTTIME_SWAP(7); /* Fallthrough */
+ case 7:
+ BN_CONSTTIME_SWAP(6); /* Fallthrough */
+ case 6:
+ BN_CONSTTIME_SWAP(5); /* Fallthrough */
+ case 5:
+ BN_CONSTTIME_SWAP(4); /* Fallthrough */
+ case 4:
+ BN_CONSTTIME_SWAP(3); /* Fallthrough */
+ case 3:
+ BN_CONSTTIME_SWAP(2); /* Fallthrough */
+ case 2:
+ BN_CONSTTIME_SWAP(1); /* Fallthrough */
+ case 1:
+ BN_CONSTTIME_SWAP(0);
+ }
+#undef BN_CONSTTIME_SWAP
+}
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mont.c b/Cryptlib/OpenSSL/crypto/bn/bn_mont.c
index bf40e823..aadd5db1 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_mont.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_mont.c
@@ -122,20 +122,7 @@
#define MONT_WORD /* use the faster word-based algorithm */
-#if defined(MONT_WORD) && defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
-/*
- * This condition means we have a specific non-default build: In the 0.9.8
- * branch, OPENSSL_BN_ASM_MONT is normally not set for any BN_BITS2<=32
- * platform; an explicit "enable-montasm" is required. I.e., if we are here,
- * the user intentionally deviates from the normal stable build to get better
- * Montgomery performance from the 0.9.9-dev backport. In this case only, we
- * also enable BN_from_montgomery_word() (another non-stable feature from
- * 0.9.9-dev).
- */
-# define MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD
-#endif
-
-#ifdef MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD
+#ifdef MONT_WORD
static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
#endif
@@ -150,12 +137,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
if (num > 1 && a->top == num && b->top == num) {
if (bn_wexpand(r, num) == NULL)
return (0);
-# if 0 /* for OpenSSL 0.9.9 mont->n0 */
- if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num))
-# else
- if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, &mont->n0, num))
-# endif
- {
+ if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {
r->neg = a->neg ^ b->neg;
r->top = num;
bn_correct_top(r);
@@ -178,7 +160,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
goto err;
}
/* reduce from aRR to aR */
-#ifdef MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD
+#ifdef MONT_WORD
if (!BN_from_montgomery_word(r, tmp, mont))
goto err;
#else
@@ -192,49 +174,43 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
return (ret);
}
-#ifdef MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD
+#ifdef MONT_WORD
static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
{
BIGNUM *n;
- BN_ULONG *ap, *np, *rp, n0, v, *nrp;
- int al, nl, max, i, x, ri;
+ BN_ULONG *ap, *np, *rp, n0, v, carry;
+ int nl, max, i;
n = &(mont->N);
- /*
- * mont->ri is the size of mont->N in bits (rounded up to the word size)
- */
- al = ri = mont->ri / BN_BITS2;
-
nl = n->top;
- if ((al == 0) || (nl == 0)) {
+ if (nl == 0) {
ret->top = 0;
return (1);
}
- max = (nl + al + 1); /* allow for overflow (no?) XXX */
+ max = (2 * nl); /* carry is stored separately */
if (bn_wexpand(r, max) == NULL)
return (0);
r->neg ^= n->neg;
np = n->d;
rp = r->d;
- nrp = &(r->d[nl]);
/* clear the top words of T */
+# if 1
for (i = r->top; i < max; i++) /* memset? XXX */
- r->d[i] = 0;
+ rp[i] = 0;
+# else
+ memset(&(rp[r->top]), 0, (max - r->top) * sizeof(BN_ULONG));
+# endif
r->top = max;
-# if 0 /* for OpenSSL 0.9.9 mont->n0 */
n0 = mont->n0[0];
-# else
- n0 = mont->n0;
-# endif
# ifdef BN_COUNT
fprintf(stderr, "word BN_from_montgomery_word %d * %d\n", nl, nl);
# endif
- for (i = 0; i < nl; i++) {
+ for (carry = 0, i = 0; i < nl; i++, rp++) {
# ifdef __TANDEM
{
long long t1;
@@ -251,285 +227,78 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
# else
v = bn_mul_add_words(rp, np, nl, (rp[0] * n0) & BN_MASK2);
# endif
- nrp++;
- rp++;
- if (((nrp[-1] += v) & BN_MASK2) >= v)
- continue;
- else {
- if (((++nrp[0]) & BN_MASK2) != 0)
- continue;
- if (((++nrp[1]) & BN_MASK2) != 0)
- continue;
- for (x = 2; (((++nrp[x]) & BN_MASK2) == 0); x++) ;
- }
- }
- bn_correct_top(r);
-
- /*
- * mont->ri will be a multiple of the word size and below code is kind of
- * BN_rshift(ret,r,mont->ri) equivalent
- */
- if (r->top <= ri) {
- ret->top = 0;
- return (1);
+ v = (v + carry + rp[nl]) & BN_MASK2;
+ carry |= (v != rp[nl]);
+ carry &= (v <= rp[nl]);
+ rp[nl] = v;
}
- al = r->top - ri;
- if (bn_wexpand(ret, ri) == NULL)
+ if (bn_wexpand(ret, nl) == NULL)
return (0);
- x = 0 - (((al - ri) >> (sizeof(al) * 8 - 1)) & 1);
- ret->top = x = (ri & ~x) | (al & x); /* min(ri,al) */
+ ret->top = nl;
ret->neg = r->neg;
rp = ret->d;
- ap = &(r->d[ri]);
+ ap = &(r->d[nl]);
+# define BRANCH_FREE 1
+# if BRANCH_FREE
{
- size_t m1, m2;
+ BN_ULONG *nrp;
+ size_t m;
- v = bn_sub_words(rp, ap, np, ri);
+ v = bn_sub_words(rp, ap, np, nl) - carry;
/*
- * this ----------------^^ works even in al<ri case thanks to zealous
- * zeroing of top of the vector in the beginning.
+ * if subtraction result is real, then trick unconditional memcpy
+ * below to perform in-place "refresh" instead of actual copy.
*/
-
- /* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */
- /*
- * in other words if subtraction result is real, then trick
- * unconditional memcpy below to perform in-place "refresh" instead
- * of actual copy.
- */
- m1 = 0 - (size_t)(((al - ri) >> (sizeof(al) * 8 - 1)) & 1); /* al<ri */
- m2 = 0 - (size_t)(((ri - al) >> (sizeof(al) * 8 - 1)) & 1); /* al>ri */
- m1 |= m2; /* (al!=ri) */
- m1 |= (0 - (size_t)v); /* (al!=ri || v) */
- m1 &= ~m2; /* (al!=ri || v) && !al>ri */
- nrp = (BN_ULONG *)(((size_t)rp & ~m1) | ((size_t)ap & m1));
- }
-
- /*
- * 'i<ri' is chosen to eliminate dependency on input data, even though it
- * results in redundant copy in al<ri case.
- */
- for (i = 0, ri -= 4; i < ri; i += 4) {
- BN_ULONG t1, t2, t3, t4;
-
- t1 = nrp[i + 0];
- t2 = nrp[i + 1];
- t3 = nrp[i + 2];
- ap[i + 0] = 0;
- t4 = nrp[i + 3];
- ap[i + 1] = 0;
- rp[i + 0] = t1;
- ap[i + 2] = 0;
- rp[i + 1] = t2;
- ap[i + 3] = 0;
- rp[i + 2] = t3;
- rp[i + 3] = t4;
+ m = (0 - (size_t)v);
+ nrp =
+ (BN_ULONG *)(((PTR_SIZE_INT) rp & ~m) | ((PTR_SIZE_INT) ap & m));
+
+ for (i = 0, nl -= 4; i < nl; i += 4) {
+ BN_ULONG t1, t2, t3, t4;
+
+ t1 = nrp[i + 0];
+ t2 = nrp[i + 1];
+ t3 = nrp[i + 2];
+ ap[i + 0] = 0;
+ t4 = nrp[i + 3];
+ ap[i + 1] = 0;
+ rp[i + 0] = t1;
+ ap[i + 2] = 0;
+ rp[i + 1] = t2;
+ ap[i + 3] = 0;
+ rp[i + 2] = t3;
+ rp[i + 3] = t4;
+ }
+ for (nl += 4; i < nl; i++)
+ rp[i] = nrp[i], ap[i] = 0;
}
- for (ri += 4; i < ri; i++)
- rp[i] = nrp[i], ap[i] = 0;
+# else
+ if (bn_sub_words(rp, ap, np, nl) - carry)
+ memcpy(rp, ap, nl * sizeof(BN_ULONG));
+# endif
bn_correct_top(r);
bn_correct_top(ret);
bn_check_top(ret);
return (1);
}
+#endif /* MONT_WORD */
int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX *ctx)
{
int retn = 0;
+#ifdef MONT_WORD
BIGNUM *t;
BN_CTX_start(ctx);
if ((t = BN_CTX_get(ctx)) && BN_copy(t, a))
retn = BN_from_montgomery_word(ret, t, mont);
BN_CTX_end(ctx);
- return retn;
-}
-
-#else /* !MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD */
-
-int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
- BN_CTX *ctx)
-{
- int retn = 0;
-
-# ifdef MONT_WORD
- BIGNUM *n, *r;
- BN_ULONG *ap, *np, *rp, n0, v, *nrp;
- int al, nl, max, i, x, ri;
-
- BN_CTX_start(ctx);
- if ((r = BN_CTX_get(ctx)) == NULL)
- goto err;
-
- if (!BN_copy(r, a))
- goto err;
- n = &(mont->N);
-
- ap = a->d;
- /*
- * mont->ri is the size of mont->N in bits (rounded up to the word size)
- */
- al = ri = mont->ri / BN_BITS2;
-
- nl = n->top;
- if ((al == 0) || (nl == 0)) {
- r->top = 0;
- return (1);
- }
-
- max = (nl + al + 1); /* allow for overflow (no?) XXX */
- if (bn_wexpand(r, max) == NULL)
- goto err;
-
- r->neg = a->neg ^ n->neg;
- np = n->d;
- rp = r->d;
- nrp = &(r->d[nl]);
-
- /* clear the top words of T */
-# if 1
- for (i = r->top; i < max; i++) /* memset? XXX */
- r->d[i] = 0;
-# else
- memset(&(r->d[r->top]), 0, (max - r->top) * sizeof(BN_ULONG));
-# endif
-
- r->top = max;
- n0 = mont->n0;
-
-# ifdef BN_COUNT
- fprintf(stderr, "word BN_from_montgomery %d * %d\n", nl, nl);
-# endif
- for (i = 0; i < nl; i++) {
-# ifdef __TANDEM
- {
- long long t1;
- long long t2;
- long long t3;
- t1 = rp[0] * (n0 & 0177777);
- t2 = 037777600000l;
- t2 = n0 & t2;
- t3 = rp[0] & 0177777;
- t2 = (t3 * t2) & BN_MASK2;
- t1 = t1 + t2;
- v = bn_mul_add_words(rp, np, nl, (BN_ULONG)t1);
- }
-# else
- v = bn_mul_add_words(rp, np, nl, (rp[0] * n0) & BN_MASK2);
-# endif
- nrp++;
- rp++;
- if (((nrp[-1] += v) & BN_MASK2) >= v)
- continue;
- else {
- if (((++nrp[0]) & BN_MASK2) != 0)
- continue;
- if (((++nrp[1]) & BN_MASK2) != 0)
- continue;
- for (x = 2; (((++nrp[x]) & BN_MASK2) == 0); x++) ;
- }
- }
- bn_correct_top(r);
-
- /*
- * mont->ri will be a multiple of the word size and below code is kind of
- * BN_rshift(ret,r,mont->ri) equivalent
- */
- if (r->top <= ri) {
- ret->top = 0;
- retn = 1;
- goto err;
- }
- al = r->top - ri;
-
-# define BRANCH_FREE 1
-# if BRANCH_FREE
- if (bn_wexpand(ret, ri) == NULL)
- goto err;
- x = 0 - (((al - ri) >> (sizeof(al) * 8 - 1)) & 1);
- ret->top = x = (ri & ~x) | (al & x); /* min(ri,al) */
- ret->neg = r->neg;
-
- rp = ret->d;
- ap = &(r->d[ri]);
-
- {
- size_t m1, m2;
-
- v = bn_sub_words(rp, ap, np, ri);
- /*
- * this ----------------^^ works even in al<ri case thanks to zealous
- * zeroing of top of the vector in the beginning.
- */
-
- /* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */
- /*
- * in other words if subtraction result is real, then trick
- * unconditional memcpy below to perform in-place "refresh" instead
- * of actual copy.
- */
- m1 = 0 - (size_t)(((al - ri) >> (sizeof(al) * 8 - 1)) & 1); /* al<ri */
- m2 = 0 - (size_t)(((ri - al) >> (sizeof(al) * 8 - 1)) & 1); /* al>ri */
- m1 |= m2; /* (al!=ri) */
- m1 |= (0 - (size_t)v); /* (al!=ri || v) */
- m1 &= ~m2; /* (al!=ri || v) && !al>ri */
- nrp = (BN_ULONG *)(((size_t)rp & ~m1) | ((size_t)ap & m1));
- }
-
- /*
- * 'i<ri' is chosen to eliminate dependency on input data, even though it
- * results in redundant copy in al<ri case.
- */
- for (i = 0, ri -= 4; i < ri; i += 4) {
- BN_ULONG t1, t2, t3, t4;
-
- t1 = nrp[i + 0];
- t2 = nrp[i + 1];
- t3 = nrp[i + 2];
- ap[i + 0] = 0;
- t4 = nrp[i + 3];
- ap[i + 1] = 0;
- rp[i + 0] = t1;
- ap[i + 2] = 0;
- rp[i + 1] = t2;
- ap[i + 3] = 0;
- rp[i + 2] = t3;
- rp[i + 3] = t4;
- }
- for (ri += 4; i < ri; i++)
- rp[i] = nrp[i], ap[i] = 0;
- bn_correct_top(r);
- bn_correct_top(ret);
-# else
- if (bn_wexpand(ret, al) == NULL)
- goto err;
- ret->top = al;
- ret->neg = r->neg;
-
- rp = ret->d;
- ap = &(r->d[ri]);
- al -= 4;
- for (i = 0; i < al; i += 4) {
- BN_ULONG t1, t2, t3, t4;
-
- t1 = ap[i + 0];
- t2 = ap[i + 1];
- t3 = ap[i + 2];
- t4 = ap[i + 3];
- rp[i + 0] = t1;
- rp[i + 1] = t2;
- rp[i + 2] = t3;
- rp[i + 3] = t4;
- }
- al += 4;
- for (; i < al; i++)
- rp[i] = ap[i];
-# endif
-# else /* !MONT_WORD */
+#else /* !MONT_WORD */
BIGNUM *t1, *t2;
BN_CTX_start(ctx);
@@ -552,21 +321,18 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
goto err;
if (!BN_rshift(ret, t2, mont->ri))
goto err;
-# endif /* MONT_WORD */
-# if !defined(BRANCH_FREE) || BRANCH_FREE==0
if (BN_ucmp(ret, &(mont->N)) >= 0) {
if (!BN_usub(ret, ret, &(mont->N)))
goto err;
}
-# endif
retn = 1;
bn_check_top(ret);
err:
BN_CTX_end(ctx);
+#endif /* MONT_WORD */
return (retn);
}
-#endif /* MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD */
BN_MONT_CTX *BN_MONT_CTX_new(void)
{
@@ -586,11 +352,7 @@ void BN_MONT_CTX_init(BN_MONT_CTX *ctx)
BN_init(&(ctx->RR));
BN_init(&(ctx->N));
BN_init(&(ctx->Ni));
-#if 0 /* for OpenSSL 0.9.9 mont->n0 */
ctx->n0[0] = ctx->n0[1] = 0;
-#else
- ctx->n0 = 0;
-#endif
ctx->flags = 0;
}
@@ -624,32 +386,25 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
BIGNUM tmod;
BN_ULONG buf[2];
- mont->ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
- BN_zero(R);
-# if 0 /* for OpenSSL 0.9.9 mont->n0, would be "#if
- * defined(OPENSSL_BN_ASM_MONT) &&
- * (BN_BITS2<=32)", only certain BN_BITS2<=32
- * platforms actually need this */
- if (!(BN_set_bit(R, 2 * BN_BITS2)))
- goto err; /* R */
-# else
- if (!(BN_set_bit(R, BN_BITS2)))
- goto err; /* R */
-# endif
-
- buf[0] = mod->d[0]; /* tmod = N mod word size */
- buf[1] = 0;
-
BN_init(&tmod);
tmod.d = buf;
- tmod.top = buf[0] != 0 ? 1 : 0;
tmod.dmax = 2;
tmod.neg = 0;
-# if 0 /* for OpenSSL 0.9.9 mont->n0, would be "#if
- * defined(OPENSSL_BN_ASM_MONT) &&
- * (BN_BITS2<=32)"; only certain BN_BITS2<=32
- * platforms actually need this */
+ mont->ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
+
+# if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
+ /*
+ * Only certain BN_BITS2<=32 platforms actually make use of n0[1],
+ * and we could use the #else case (with a shorter R value) for the
+ * others. However, currently only the assembler files do know which
+ * is which.
+ */
+
+ BN_zero(R);
+ if (!(BN_set_bit(R, 2 * BN_BITS2)))
+ goto err;
+
tmod.top = 0;
if ((buf[0] = mod->d[0]))
tmod.top = 1;
@@ -681,6 +436,13 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0;
# else
+ BN_zero(R);
+ if (!(BN_set_bit(R, BN_BITS2)))
+ goto err; /* R */
+
+ buf[0] = mod->d[0]; /* tmod = N mod word size */
+ buf[1] = 0;
+ tmod.top = buf[0] != 0 ? 1 : 0;
/* Ri = R^-1 mod N */
if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL)
goto err;
@@ -699,12 +461,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
/*
* Ni = (R*Ri-1)/N, keep only least significant word:
*/
-# if 0 /* for OpenSSL 0.9.9 mont->n0 */
mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
mont->n0[1] = 0;
-# else
- mont->n0 = (Ri->top > 0) ? Ri->d[0] : 0;
-# endif
# endif
}
#else /* !MONT_WORD */
@@ -753,12 +511,8 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
if (!BN_copy(&(to->Ni), &(from->Ni)))
return NULL;
to->ri = from->ri;
-#if 0 /* for OpenSSL 0.9.9 mont->n0 */
to->n0[0] = from->n0[0];
to->n0[1] = from->n0[1];
-#else
- to->n0 = from->n0;
-#endif
return (to);
}
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_nist.c b/Cryptlib/OpenSSL/crypto/bn/bn_nist.c
index 66b2eb6f..4a45404c 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_nist.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_nist.c
@@ -298,26 +298,25 @@ const BIGNUM *BN_get0_nist_prime_521(void)
return &_bignum_nist_p_521;
}
-static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max)
+static void nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max)
{
int i;
- BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
#ifdef BN_DEBUG
OPENSSL_assert(top <= max);
#endif
- for (i = (top); i != 0; i--)
- *_tmp1++ = *_tmp2++;
- for (i = (max) - (top); i != 0; i--)
- *_tmp1++ = (BN_ULONG)0;
+ for (i = 0; i < top; i++)
+ dst[i] = src[i];
+ for (; i < max; i++)
+ dst[i] = 0;
}
-static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
+static void nist_cp_bn(BN_ULONG *dst, const BN_ULONG *src, int top)
{
int i;
- BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
- for (i = (top); i != 0; i--)
- *_tmp1++ = *_tmp2++;
+
+ for (i = 0; i < top; i++)
+ dst[i] = src[i];
}
#if BN_BITS2 == 64
@@ -331,6 +330,13 @@ static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
:(to[(n)/2] =((m)&1)?(from[(m)/2]>>32):(from[(m)/2]&BN_MASK2l)))
# define bn_32_set_0(to, n) (((n)&1)?(to[(n)/2]&=BN_MASK2l):(to[(n)/2]=0));
# define bn_cp_32(to,n,from,m) ((m)>=0)?bn_cp_32_naked(to,n,from,m):bn_32_set_0(to,n)
+# if defined(L_ENDIAN)
+# if defined(__arch64__)
+# define NIST_INT64 long
+# else
+# define NIST_INT64 long long
+# endif
+# endif
#else
# define bn_cp_64(to, n, from, m) \
{ \
@@ -342,9 +348,12 @@ static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
bn_32_set_0(to, (n)*2); \
bn_32_set_0(to, (n)*2+1); \
}
-# if BN_BITS2 == 32
-# define bn_cp_32(to, n, from, m) (to)[n] = (m>=0)?((from)[m]):0;
-# define bn_32_set_0(to, n) (to)[n] = (BN_ULONG)0;
+# define bn_cp_32(to, n, from, m) (to)[n] = (m>=0)?((from)[m]):0;
+# define bn_32_set_0(to, n) (to)[n] = (BN_ULONG)0;
+# if defined(_WIN32) && !defined(__GNUC__)
+# define NIST_INT64 __int64
+# elif defined(BN_LLONG)
+# define NIST_INT64 long long
# endif
#endif /* BN_BITS2 != 64 */
@@ -361,9 +370,13 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
int top = a->top, i;
int carry;
register BN_ULONG *r_d, *a_d = a->d;
- BN_ULONG t_d[BN_NIST_192_TOP],
- buf[BN_NIST_192_TOP], c_d[BN_NIST_192_TOP], *res;
- size_t mask;
+ union {
+ BN_ULONG bn[BN_NIST_192_TOP];
+ unsigned int ui[BN_NIST_192_TOP * sizeof(BN_ULONG) /
+ sizeof(unsigned int)];
+ } buf;
+ BN_ULONG c_d[BN_NIST_192_TOP], *res;
+ PTR_SIZE_INT mask;
static const BIGNUM _bignum_nist_p_192_sqr = {
(BN_ULONG *)_nist_p_192_sqr,
sizeof(_nist_p_192_sqr) / sizeof(_nist_p_192_sqr[0]),
@@ -391,16 +404,66 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
} else
r_d = a_d;
- nist_cp_bn_0(buf, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP,
+ nist_cp_bn_0(buf.bn, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP,
BN_NIST_192_TOP);
- nist_set_192(t_d, buf, 0, 3, 3);
- carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
- nist_set_192(t_d, buf, 4, 4, 0);
- carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
- nist_set_192(t_d, buf, 5, 5, 5)
- carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
+#if defined(NIST_INT64)
+ {
+ NIST_INT64 acc; /* accumulator */
+ unsigned int *rp = (unsigned int *)r_d;
+ const unsigned int *bp = (const unsigned int *)buf.ui;
+
+ acc = rp[0];
+ acc += bp[3 * 2 - 6];
+ acc += bp[5 * 2 - 6];
+ rp[0] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[1];
+ acc += bp[3 * 2 - 5];
+ acc += bp[5 * 2 - 5];
+ rp[1] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[2];
+ acc += bp[3 * 2 - 6];
+ acc += bp[4 * 2 - 6];
+ acc += bp[5 * 2 - 6];
+ rp[2] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[3];
+ acc += bp[3 * 2 - 5];
+ acc += bp[4 * 2 - 5];
+ acc += bp[5 * 2 - 5];
+ rp[3] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[4];
+ acc += bp[4 * 2 - 6];
+ acc += bp[5 * 2 - 6];
+ rp[4] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[5];
+ acc += bp[4 * 2 - 5];
+ acc += bp[5 * 2 - 5];
+ rp[5] = (unsigned int)acc;
+
+ carry = (int)(acc >> 32);
+ }
+#else
+ {
+ BN_ULONG t_d[BN_NIST_192_TOP];
+ nist_set_192(t_d, buf.bn, 0, 3, 3);
+ carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
+ nist_set_192(t_d, buf.bn, 4, 4, 0);
+ carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
+ nist_set_192(t_d, buf.bn, 5, 5, 5)
+ carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
+ }
+#endif
if (carry > 0)
carry =
(int)bn_sub_words(r_d, r_d, _nist_p_192[carry - 1],
@@ -415,9 +478,12 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
* this is what happens below, but without explicit if:-) a.
*/
mask =
- 0 - (size_t)bn_sub_words(c_d, r_d, _nist_p_192[0], BN_NIST_192_TOP);
- mask &= 0 - (size_t)carry;
- res = (BN_ULONG *)(((size_t)c_d & ~mask) | ((size_t)r_d & mask));
+ 0 - (PTR_SIZE_INT) bn_sub_words(c_d, r_d, _nist_p_192[0],
+ BN_NIST_192_TOP);
+ mask &= 0 - (PTR_SIZE_INT) carry;
+ res = c_d;
+ res = (BN_ULONG *)
+ (((PTR_SIZE_INT) res & ~mask) | ((PTR_SIZE_INT) r_d & mask));
nist_cp_bn(r_d, res, BN_NIST_192_TOP);
r->top = BN_NIST_192_TOP;
bn_correct_top(r);
@@ -445,12 +511,16 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
int top = a->top, i;
int carry;
BN_ULONG *r_d, *a_d = a->d;
- BN_ULONG t_d[BN_NIST_224_TOP],
- buf[BN_NIST_224_TOP], c_d[BN_NIST_224_TOP], *res;
- size_t mask;
+ union {
+ BN_ULONG bn[BN_NIST_224_TOP];
+ unsigned int ui[BN_NIST_224_TOP * sizeof(BN_ULONG) /
+ sizeof(unsigned int)];
+ } buf;
+ BN_ULONG c_d[BN_NIST_224_TOP], *res;
+ PTR_SIZE_INT mask;
union {
bn_addsub_f f;
- size_t p;
+ PTR_SIZE_INT p;
} u;
static const BIGNUM _bignum_nist_p_224_sqr = {
(BN_ULONG *)_nist_p_224_sqr,
@@ -481,27 +551,89 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
#if BN_BITS2==64
/* copy upper 256 bits of 448 bit number ... */
- nist_cp_bn_0(t_d, a_d + (BN_NIST_224_TOP - 1),
+ nist_cp_bn_0(c_d, a_d + (BN_NIST_224_TOP - 1),
top - (BN_NIST_224_TOP - 1), BN_NIST_224_TOP);
/* ... and right shift by 32 to obtain upper 224 bits */
- nist_set_224(buf, t_d, 14, 13, 12, 11, 10, 9, 8);
+ nist_set_224(buf.bn, c_d, 14, 13, 12, 11, 10, 9, 8);
/* truncate lower part to 224 bits too */
r_d[BN_NIST_224_TOP - 1] &= BN_MASK2l;
#else
- nist_cp_bn_0(buf, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP,
+ nist_cp_bn_0(buf.bn, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP,
BN_NIST_224_TOP);
#endif
- nist_set_224(t_d, buf, 10, 9, 8, 7, 0, 0, 0);
- carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
- nist_set_224(t_d, buf, 0, 13, 12, 11, 0, 0, 0);
- carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
- nist_set_224(t_d, buf, 13, 12, 11, 10, 9, 8, 7);
- carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
- nist_set_224(t_d, buf, 0, 0, 0, 0, 13, 12, 11);
- carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
-#if BN_BITS2==64
- carry = (int)(r_d[BN_NIST_224_TOP - 1] >> 32);
+#if defined(NIST_INT64) && BN_BITS2!=64
+ {
+ NIST_INT64 acc; /* accumulator */
+ unsigned int *rp = (unsigned int *)r_d;
+ const unsigned int *bp = (const unsigned int *)buf.ui;
+
+ acc = rp[0];
+ acc -= bp[7 - 7];
+ acc -= bp[11 - 7];
+ rp[0] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[1];
+ acc -= bp[8 - 7];
+ acc -= bp[12 - 7];
+ rp[1] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[2];
+ acc -= bp[9 - 7];
+ acc -= bp[13 - 7];
+ rp[2] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[3];
+ acc += bp[7 - 7];
+ acc += bp[11 - 7];
+ acc -= bp[10 - 7];
+ rp[3] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[4];
+ acc += bp[8 - 7];
+ acc += bp[12 - 7];
+ acc -= bp[11 - 7];
+ rp[4] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[5];
+ acc += bp[9 - 7];
+ acc += bp[13 - 7];
+ acc -= bp[12 - 7];
+ rp[5] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[6];
+ acc += bp[10 - 7];
+ acc -= bp[13 - 7];
+ rp[6] = (unsigned int)acc;
+
+ carry = (int)(acc >> 32);
+# if BN_BITS2==64
+ rp[7] = carry;
+# endif
+ }
+#else
+ {
+ BN_ULONG t_d[BN_NIST_224_TOP];
+
+ nist_set_224(t_d, buf.bn, 10, 9, 8, 7, 0, 0, 0);
+ carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
+ nist_set_224(t_d, buf.bn, 0, 13, 12, 11, 0, 0, 0);
+ carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
+ nist_set_224(t_d, buf.bn, 13, 12, 11, 10, 9, 8, 7);
+ carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
+ nist_set_224(t_d, buf.bn, 0, 0, 0, 0, 13, 12, 11);
+ carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
+
+# if BN_BITS2==64
+ carry = (int)(r_d[BN_NIST_224_TOP - 1] >> 32);
+# endif
+ }
#endif
u.f = bn_sub_words;
if (carry > 0) {
@@ -522,15 +654,19 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
carry =
(int)bn_add_words(r_d, r_d, _nist_p_224[-carry - 1],
BN_NIST_224_TOP);
- mask = 0 - (size_t)carry;
- u.p = ((size_t)bn_sub_words & mask) | ((size_t)bn_add_words & ~mask);
+ mask = 0 - (PTR_SIZE_INT) carry;
+ u.p = ((PTR_SIZE_INT) bn_sub_words & mask) |
+ ((PTR_SIZE_INT) bn_add_words & ~mask);
} else
carry = 1;
/* otherwise it's effectively same as in BN_nist_mod_192... */
- mask = 0 - (size_t)(*u.f) (c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP);
- mask &= 0 - (size_t)carry;
- res = (BN_ULONG *)(((size_t)c_d & ~mask) | ((size_t)r_d & mask));
+ mask =
+ 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP);
+ mask &= 0 - (PTR_SIZE_INT) carry;
+ res = c_d;
+ res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) |
+ ((PTR_SIZE_INT) r_d & mask));
nist_cp_bn(r_d, res, BN_NIST_224_TOP);
r->top = BN_NIST_224_TOP;
bn_correct_top(r);
@@ -556,12 +692,16 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
int i, top = a->top;
int carry = 0;
register BN_ULONG *a_d = a->d, *r_d;
- BN_ULONG t_d[BN_NIST_256_TOP],
- buf[BN_NIST_256_TOP], c_d[BN_NIST_256_TOP], *res;
- size_t mask;
+ union {
+ BN_ULONG bn[BN_NIST_256_TOP];
+ unsigned int ui[BN_NIST_256_TOP * sizeof(BN_ULONG) /
+ sizeof(unsigned int)];
+ } buf;
+ BN_ULONG c_d[BN_NIST_256_TOP], *res;
+ PTR_SIZE_INT mask;
union {
bn_addsub_f f;
- size_t p;
+ PTR_SIZE_INT p;
} u;
static const BIGNUM _bignum_nist_p_256_sqr = {
(BN_ULONG *)_nist_p_256_sqr,
@@ -590,63 +730,163 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
} else
r_d = a_d;
- nist_cp_bn_0(buf, a_d + BN_NIST_256_TOP, top - BN_NIST_256_TOP,
+ nist_cp_bn_0(buf.bn, a_d + BN_NIST_256_TOP, top - BN_NIST_256_TOP,
BN_NIST_256_TOP);
- /*
- * S1
- */
- nist_set_256(t_d, buf, 15, 14, 13, 12, 11, 0, 0, 0);
- /*
- * S2
- */
- nist_set_256(c_d, buf, 0, 15, 14, 13, 12, 0, 0, 0);
- carry = (int)bn_add_words(t_d, t_d, c_d, BN_NIST_256_TOP);
- /* left shift */
+#if defined(NIST_INT64)
{
- register BN_ULONG *ap, t, c;
- ap = t_d;
- c = 0;
- for (i = BN_NIST_256_TOP; i != 0; --i) {
- t = *ap;
- *(ap++) = ((t << 1) | c) & BN_MASK2;
- c = (t & BN_TBIT) ? 1 : 0;
- }
- carry <<= 1;
- carry |= c;
+ NIST_INT64 acc; /* accumulator */
+ unsigned int *rp = (unsigned int *)r_d;
+ const unsigned int *bp = (const unsigned int *)buf.ui;
+
+ acc = rp[0];
+ acc += bp[8 - 8];
+ acc += bp[9 - 8];
+ acc -= bp[11 - 8];
+ acc -= bp[12 - 8];
+ acc -= bp[13 - 8];
+ acc -= bp[14 - 8];
+ rp[0] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[1];
+ acc += bp[9 - 8];
+ acc += bp[10 - 8];
+ acc -= bp[12 - 8];
+ acc -= bp[13 - 8];
+ acc -= bp[14 - 8];
+ acc -= bp[15 - 8];
+ rp[1] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[2];
+ acc += bp[10 - 8];
+ acc += bp[11 - 8];
+ acc -= bp[13 - 8];
+ acc -= bp[14 - 8];
+ acc -= bp[15 - 8];
+ rp[2] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[3];
+ acc += bp[11 - 8];
+ acc += bp[11 - 8];
+ acc += bp[12 - 8];
+ acc += bp[12 - 8];
+ acc += bp[13 - 8];
+ acc -= bp[15 - 8];
+ acc -= bp[8 - 8];
+ acc -= bp[9 - 8];
+ rp[3] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[4];
+ acc += bp[12 - 8];
+ acc += bp[12 - 8];
+ acc += bp[13 - 8];
+ acc += bp[13 - 8];
+ acc += bp[14 - 8];
+ acc -= bp[9 - 8];
+ acc -= bp[10 - 8];
+ rp[4] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[5];
+ acc += bp[13 - 8];
+ acc += bp[13 - 8];
+ acc += bp[14 - 8];
+ acc += bp[14 - 8];
+ acc += bp[15 - 8];
+ acc -= bp[10 - 8];
+ acc -= bp[11 - 8];
+ rp[5] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[6];
+ acc += bp[14 - 8];
+ acc += bp[14 - 8];
+ acc += bp[15 - 8];
+ acc += bp[15 - 8];
+ acc += bp[14 - 8];
+ acc += bp[13 - 8];
+ acc -= bp[8 - 8];
+ acc -= bp[9 - 8];
+ rp[6] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[7];
+ acc += bp[15 - 8];
+ acc += bp[15 - 8];
+ acc += bp[15 - 8];
+ acc += bp[8 - 8];
+ acc -= bp[10 - 8];
+ acc -= bp[11 - 8];
+ acc -= bp[12 - 8];
+ acc -= bp[13 - 8];
+ rp[7] = (unsigned int)acc;
+
+ carry = (int)(acc >> 32);
}
- carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
- /*
- * S3
- */
- nist_set_256(t_d, buf, 15, 14, 0, 0, 0, 10, 9, 8);
- carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
- /*
- * S4
- */
- nist_set_256(t_d, buf, 8, 13, 15, 14, 13, 11, 10, 9);
- carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
- /*
- * D1
- */
- nist_set_256(t_d, buf, 10, 8, 0, 0, 0, 13, 12, 11);
- carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
- /*
- * D2
- */
- nist_set_256(t_d, buf, 11, 9, 0, 0, 15, 14, 13, 12);
- carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
- /*
- * D3
- */
- nist_set_256(t_d, buf, 12, 0, 10, 9, 8, 15, 14, 13);
- carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
- /*
- * D4
- */
- nist_set_256(t_d, buf, 13, 0, 11, 10, 9, 0, 15, 14);
- carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
+#else
+ {
+ BN_ULONG t_d[BN_NIST_256_TOP];
+ /*
+ * S1
+ */
+ nist_set_256(t_d, buf.bn, 15, 14, 13, 12, 11, 0, 0, 0);
+ /*
+ * S2
+ */
+ nist_set_256(c_d, buf.bn, 0, 15, 14, 13, 12, 0, 0, 0);
+ carry = (int)bn_add_words(t_d, t_d, c_d, BN_NIST_256_TOP);
+ /* left shift */
+ {
+ register BN_ULONG *ap, t, c;
+ ap = t_d;
+ c = 0;
+ for (i = BN_NIST_256_TOP; i != 0; --i) {
+ t = *ap;
+ *(ap++) = ((t << 1) | c) & BN_MASK2;
+ c = (t & BN_TBIT) ? 1 : 0;
+ }
+ carry <<= 1;
+ carry |= c;
+ }
+ carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
+ /*
+ * S3
+ */
+ nist_set_256(t_d, buf.bn, 15, 14, 0, 0, 0, 10, 9, 8);
+ carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
+ /*
+ * S4
+ */
+ nist_set_256(t_d, buf.bn, 8, 13, 15, 14, 13, 11, 10, 9);
+ carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
+ /*
+ * D1
+ */
+ nist_set_256(t_d, buf.bn, 10, 8, 0, 0, 0, 13, 12, 11);
+ carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
+ /*
+ * D2
+ */
+ nist_set_256(t_d, buf.bn, 11, 9, 0, 0, 15, 14, 13, 12);
+ carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
+ /*
+ * D3
+ */
+ nist_set_256(t_d, buf.bn, 12, 0, 10, 9, 8, 15, 14, 13);
+ carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
+ /*
+ * D4
+ */
+ nist_set_256(t_d, buf.bn, 13, 0, 11, 10, 9, 0, 15, 14);
+ carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
+
+ }
+#endif
/* see BN_nist_mod_224 for explanation */
u.f = bn_sub_words;
if (carry > 0)
@@ -657,14 +897,18 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
carry =
(int)bn_add_words(r_d, r_d, _nist_p_256[-carry - 1],
BN_NIST_256_TOP);
- mask = 0 - (size_t)carry;
- u.p = ((size_t)bn_sub_words & mask) | ((size_t)bn_add_words & ~mask);
+ mask = 0 - (PTR_SIZE_INT) carry;
+ u.p = ((PTR_SIZE_INT) bn_sub_words & mask) |
+ ((PTR_SIZE_INT) bn_add_words & ~mask);
} else
carry = 1;
- mask = 0 - (size_t)(*u.f) (c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP);
- mask &= 0 - (size_t)carry;
- res = (BN_ULONG *)(((size_t)c_d & ~mask) | ((size_t)r_d & mask));
+ mask =
+ 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP);
+ mask &= 0 - (PTR_SIZE_INT) carry;
+ res = c_d;
+ res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) |
+ ((PTR_SIZE_INT) r_d & mask));
nist_cp_bn(r_d, res, BN_NIST_256_TOP);
r->top = BN_NIST_256_TOP;
bn_correct_top(r);
@@ -694,12 +938,16 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
int i, top = a->top;
int carry = 0;
register BN_ULONG *r_d, *a_d = a->d;
- BN_ULONG t_d[BN_NIST_384_TOP],
- buf[BN_NIST_384_TOP], c_d[BN_NIST_384_TOP], *res;
- size_t mask;
+ union {
+ BN_ULONG bn[BN_NIST_384_TOP];
+ unsigned int ui[BN_NIST_384_TOP * sizeof(BN_ULONG) /
+ sizeof(unsigned int)];
+ } buf;
+ BN_ULONG c_d[BN_NIST_384_TOP], *res;
+ PTR_SIZE_INT mask;
union {
bn_addsub_f f;
- size_t p;
+ PTR_SIZE_INT p;
} u;
static const BIGNUM _bignum_nist_p_384_sqr = {
(BN_ULONG *)_nist_p_384_sqr,
@@ -728,67 +976,198 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
} else
r_d = a_d;
- nist_cp_bn_0(buf, a_d + BN_NIST_384_TOP, top - BN_NIST_384_TOP,
+ nist_cp_bn_0(buf.bn, a_d + BN_NIST_384_TOP, top - BN_NIST_384_TOP,
BN_NIST_384_TOP);
- /*
- * S1
- */
- nist_set_256(t_d, buf, 0, 0, 0, 0, 0, 23 - 4, 22 - 4, 21 - 4);
- /* left shift */
+#if defined(NIST_INT64)
{
- register BN_ULONG *ap, t, c;
- ap = t_d;
- c = 0;
- for (i = 3; i != 0; --i) {
- t = *ap;
- *(ap++) = ((t << 1) | c) & BN_MASK2;
- c = (t & BN_TBIT) ? 1 : 0;
- }
- *ap = c;
+ NIST_INT64 acc; /* accumulator */
+ unsigned int *rp = (unsigned int *)r_d;
+ const unsigned int *bp = (const unsigned int *)buf.ui;
+
+ acc = rp[0];
+ acc += bp[12 - 12];
+ acc += bp[21 - 12];
+ acc += bp[20 - 12];
+ acc -= bp[23 - 12];
+ rp[0] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[1];
+ acc += bp[13 - 12];
+ acc += bp[22 - 12];
+ acc += bp[23 - 12];
+ acc -= bp[12 - 12];
+ acc -= bp[20 - 12];
+ rp[1] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[2];
+ acc += bp[14 - 12];
+ acc += bp[23 - 12];
+ acc -= bp[13 - 12];
+ acc -= bp[21 - 12];
+ rp[2] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[3];
+ acc += bp[15 - 12];
+ acc += bp[12 - 12];
+ acc += bp[20 - 12];
+ acc += bp[21 - 12];
+ acc -= bp[14 - 12];
+ acc -= bp[22 - 12];
+ acc -= bp[23 - 12];
+ rp[3] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[4];
+ acc += bp[21 - 12];
+ acc += bp[21 - 12];
+ acc += bp[16 - 12];
+ acc += bp[13 - 12];
+ acc += bp[12 - 12];
+ acc += bp[20 - 12];
+ acc += bp[22 - 12];
+ acc -= bp[15 - 12];
+ acc -= bp[23 - 12];
+ acc -= bp[23 - 12];
+ rp[4] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[5];
+ acc += bp[22 - 12];
+ acc += bp[22 - 12];
+ acc += bp[17 - 12];
+ acc += bp[14 - 12];
+ acc += bp[13 - 12];
+ acc += bp[21 - 12];
+ acc += bp[23 - 12];
+ acc -= bp[16 - 12];
+ rp[5] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[6];
+ acc += bp[23 - 12];
+ acc += bp[23 - 12];
+ acc += bp[18 - 12];
+ acc += bp[15 - 12];
+ acc += bp[14 - 12];
+ acc += bp[22 - 12];
+ acc -= bp[17 - 12];
+ rp[6] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[7];
+ acc += bp[19 - 12];
+ acc += bp[16 - 12];
+ acc += bp[15 - 12];
+ acc += bp[23 - 12];
+ acc -= bp[18 - 12];
+ rp[7] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[8];
+ acc += bp[20 - 12];
+ acc += bp[17 - 12];
+ acc += bp[16 - 12];
+ acc -= bp[19 - 12];
+ rp[8] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[9];
+ acc += bp[21 - 12];
+ acc += bp[18 - 12];
+ acc += bp[17 - 12];
+ acc -= bp[20 - 12];
+ rp[9] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[10];
+ acc += bp[22 - 12];
+ acc += bp[19 - 12];
+ acc += bp[18 - 12];
+ acc -= bp[21 - 12];
+ rp[10] = (unsigned int)acc;
+ acc >>= 32;
+
+ acc += rp[11];
+ acc += bp[23 - 12];
+ acc += bp[20 - 12];
+ acc += bp[19 - 12];
+ acc -= bp[22 - 12];
+ rp[11] = (unsigned int)acc;
+
+ carry = (int)(acc >> 32);
}
- carry = (int)bn_add_words(r_d + (128 / BN_BITS2), r_d + (128 / BN_BITS2),
+#else
+ {
+ BN_ULONG t_d[BN_NIST_384_TOP];
+
+ /*
+ * S1
+ */
+ nist_set_256(t_d, buf.bn, 0, 0, 0, 0, 0, 23 - 4, 22 - 4, 21 - 4);
+ /* left shift */
+ {
+ register BN_ULONG *ap, t, c;
+ ap = t_d;
+ c = 0;
+ for (i = 3; i != 0; --i) {
+ t = *ap;
+ *(ap++) = ((t << 1) | c) & BN_MASK2;
+ c = (t & BN_TBIT) ? 1 : 0;
+ }
+ *ap = c;
+ }
+ carry =
+ (int)bn_add_words(r_d + (128 / BN_BITS2), r_d + (128 / BN_BITS2),
t_d, BN_NIST_256_TOP);
- /*
- * S2
- */
- carry += (int)bn_add_words(r_d, r_d, buf, BN_NIST_384_TOP);
- /*
- * S3
- */
- nist_set_384(t_d, buf, 20, 19, 18, 17, 16, 15, 14, 13, 12, 23, 22, 21);
- carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
- /*
- * S4
- */
- nist_set_384(t_d, buf, 19, 18, 17, 16, 15, 14, 13, 12, 20, 0, 23, 0);
- carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
- /*
- * S5
- */
- nist_set_384(t_d, buf, 0, 0, 0, 0, 23, 22, 21, 20, 0, 0, 0, 0);
- carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
- /*
- * S6
- */
- nist_set_384(t_d, buf, 0, 0, 0, 0, 0, 0, 23, 22, 21, 0, 0, 20);
- carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
- /*
- * D1
- */
- nist_set_384(t_d, buf, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 23);
- carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
- /*
- * D2
- */
- nist_set_384(t_d, buf, 0, 0, 0, 0, 0, 0, 0, 23, 22, 21, 20, 0);
- carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
- /*
- * D3
- */
- nist_set_384(t_d, buf, 0, 0, 0, 0, 0, 0, 0, 23, 23, 0, 0, 0);
- carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
+ /*
+ * S2
+ */
+ carry += (int)bn_add_words(r_d, r_d, buf.bn, BN_NIST_384_TOP);
+ /*
+ * S3
+ */
+ nist_set_384(t_d, buf.bn, 20, 19, 18, 17, 16, 15, 14, 13, 12, 23, 22,
+ 21);
+ carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
+ /*
+ * S4
+ */
+ nist_set_384(t_d, buf.bn, 19, 18, 17, 16, 15, 14, 13, 12, 20, 0, 23,
+ 0);
+ carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
+ /*
+ * S5
+ */
+ nist_set_384(t_d, buf.bn, 0, 0, 0, 0, 23, 22, 21, 20, 0, 0, 0, 0);
+ carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
+ /*
+ * S6
+ */
+ nist_set_384(t_d, buf.bn, 0, 0, 0, 0, 0, 0, 23, 22, 21, 0, 0, 20);
+ carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
+ /*
+ * D1
+ */
+ nist_set_384(t_d, buf.bn, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12,
+ 23);
+ carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
+ /*
+ * D2
+ */
+ nist_set_384(t_d, buf.bn, 0, 0, 0, 0, 0, 0, 0, 23, 22, 21, 20, 0);
+ carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
+ /*
+ * D3
+ */
+ nist_set_384(t_d, buf.bn, 0, 0, 0, 0, 0, 0, 0, 23, 23, 0, 0, 0);
+ carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
+ }
+#endif
/* see BN_nist_mod_224 for explanation */
u.f = bn_sub_words;
if (carry > 0)
@@ -799,14 +1178,18 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
carry =
(int)bn_add_words(r_d, r_d, _nist_p_384[-carry - 1],
BN_NIST_384_TOP);
- mask = 0 - (size_t)carry;
- u.p = ((size_t)bn_sub_words & mask) | ((size_t)bn_add_words & ~mask);
+ mask = 0 - (PTR_SIZE_INT) carry;
+ u.p = ((PTR_SIZE_INT) bn_sub_words & mask) |
+ ((PTR_SIZE_INT) bn_add_words & ~mask);
} else
carry = 1;
- mask = 0 - (size_t)(*u.f) (c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP);
- mask &= 0 - (size_t)carry;
- res = (BN_ULONG *)(((size_t)c_d & ~mask) | ((size_t)r_d & mask));
+ mask =
+ 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP);
+ mask &= 0 - (PTR_SIZE_INT) carry;
+ res = c_d;
+ res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) |
+ ((PTR_SIZE_INT) r_d & mask));
nist_cp_bn(r_d, res, BN_NIST_384_TOP);
r->top = BN_NIST_384_TOP;
bn_correct_top(r);
@@ -823,7 +1206,7 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
{
int top = a->top, i;
BN_ULONG *r_d, *a_d = a->d, t_d[BN_NIST_521_TOP], val, tmp, *res;
- size_t mask;
+ PTR_SIZE_INT mask;
static const BIGNUM _bignum_nist_p_521_sqr = {
(BN_ULONG *)_nist_p_521_sqr,
sizeof(_nist_p_521_sqr) / sizeof(_nist_p_521_sqr[0]),
@@ -856,17 +1239,21 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
top - (BN_NIST_521_TOP - 1), BN_NIST_521_TOP);
/* ... and right shift */
for (val = t_d[0], i = 0; i < BN_NIST_521_TOP - 1; i++) {
- tmp = val >> BN_NIST_521_RSHIFT;
- val = t_d[i + 1];
- t_d[i] = (tmp | val << BN_NIST_521_LSHIFT) & BN_MASK2;
+ t_d[i] = (val >> BN_NIST_521_RSHIFT |
+ (tmp = t_d[i + 1]) << BN_NIST_521_LSHIFT) & BN_MASK2;
+ val = tmp;
}
t_d[i] = val >> BN_NIST_521_RSHIFT;
/* lower 521 bits */
r_d[i] &= BN_NIST_521_TOP_MASK;
bn_add_words(r_d, r_d, t_d, BN_NIST_521_TOP);
- mask = 0 - (size_t)bn_sub_words(t_d, r_d, _nist_p_521, BN_NIST_521_TOP);
- res = (BN_ULONG *)(((size_t)t_d & ~mask) | ((size_t)r_d & mask));
+ mask =
+ 0 - (PTR_SIZE_INT) bn_sub_words(t_d, r_d, _nist_p_521,
+ BN_NIST_521_TOP);
+ res = t_d;
+ res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) |
+ ((PTR_SIZE_INT) r_d & mask));
nist_cp_bn(r_d, res, BN_NIST_521_TOP);
r->top = BN_NIST_521_TOP;
bn_correct_top(r);
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_opt.c b/Cryptlib/OpenSSL/crypto/bn/bn_opt.c
deleted file mode 100644
index efdebdd6..00000000
--- a/Cryptlib/OpenSSL/crypto/bn/bn_opt.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/* crypto/bn/bn_opt.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef BN_DEBUG
-# undef NDEBUG /* avoid conflicting definitions */
-# define NDEBUG
-#endif
-
-#include <assert.h>
-#include <limits.h>
-#include <stdio.h>
-#include "cryptlib.h"
-#include "bn_lcl.h"
-
-char *BN_options(void)
-{
- static int init = 0;
- static char data[16];
-
- if (!init) {
- init++;
-#ifdef BN_LLONG
- BIO_snprintf(data, sizeof data, "bn(%d,%d)",
- (int)sizeof(BN_ULLONG) * 8, (int)sizeof(BN_ULONG) * 8);
-#else
- BIO_snprintf(data, sizeof data, "bn(%d,%d)",
- (int)sizeof(BN_ULONG) * 8, (int)sizeof(BN_ULONG) * 8);
-#endif
- }
- return (data);
-}
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_prime.h b/Cryptlib/OpenSSL/crypto/bn/bn_prime.h
index 51d2194f..5cf0de16 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_prime.h
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_prime.h
@@ -5,21 +5,21 @@
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -34,10 +34,10 @@
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
@@ -57,271 +57,270 @@
*/
#ifndef EIGHT_BIT
-#define NUMPRIMES 2048
+# define NUMPRIMES 2048
typedef unsigned short prime_t;
#else
-#define NUMPRIMES 54
+# define NUMPRIMES 54
typedef unsigned char prime_t;
#endif
-static const prime_t primes[NUMPRIMES]=
- {
- 2, 3, 5, 7, 11, 13, 17, 19,
- 23, 29, 31, 37, 41, 43, 47, 53,
- 59, 61, 67, 71, 73, 79, 83, 89,
- 97, 101, 103, 107, 109, 113, 127, 131,
- 137, 139, 149, 151, 157, 163, 167, 173,
- 179, 181, 191, 193, 197, 199, 211, 223,
- 227, 229, 233, 239, 241, 251,
+static const prime_t primes[NUMPRIMES] = {
+ 2, 3, 5, 7, 11, 13, 17, 19,
+ 23, 29, 31, 37, 41, 43, 47, 53,
+ 59, 61, 67, 71, 73, 79, 83, 89,
+ 97, 101, 103, 107, 109, 113, 127, 131,
+ 137, 139, 149, 151, 157, 163, 167, 173,
+ 179, 181, 191, 193, 197, 199, 211, 223,
+ 227, 229, 233, 239, 241, 251,
#ifndef EIGHT_BIT
- 257, 263,
- 269, 271, 277, 281, 283, 293, 307, 311,
- 313, 317, 331, 337, 347, 349, 353, 359,
- 367, 373, 379, 383, 389, 397, 401, 409,
- 419, 421, 431, 433, 439, 443, 449, 457,
- 461, 463, 467, 479, 487, 491, 499, 503,
- 509, 521, 523, 541, 547, 557, 563, 569,
- 571, 577, 587, 593, 599, 601, 607, 613,
- 617, 619, 631, 641, 643, 647, 653, 659,
- 661, 673, 677, 683, 691, 701, 709, 719,
- 727, 733, 739, 743, 751, 757, 761, 769,
- 773, 787, 797, 809, 811, 821, 823, 827,
- 829, 839, 853, 857, 859, 863, 877, 881,
- 883, 887, 907, 911, 919, 929, 937, 941,
- 947, 953, 967, 971, 977, 983, 991, 997,
- 1009,1013,1019,1021,1031,1033,1039,1049,
- 1051,1061,1063,1069,1087,1091,1093,1097,
- 1103,1109,1117,1123,1129,1151,1153,1163,
- 1171,1181,1187,1193,1201,1213,1217,1223,
- 1229,1231,1237,1249,1259,1277,1279,1283,
- 1289,1291,1297,1301,1303,1307,1319,1321,
- 1327,1361,1367,1373,1381,1399,1409,1423,
- 1427,1429,1433,1439,1447,1451,1453,1459,
- 1471,1481,1483,1487,1489,1493,1499,1511,
- 1523,1531,1543,1549,1553,1559,1567,1571,
- 1579,1583,1597,1601,1607,1609,1613,1619,
- 1621,1627,1637,1657,1663,1667,1669,1693,
- 1697,1699,1709,1721,1723,1733,1741,1747,
- 1753,1759,1777,1783,1787,1789,1801,1811,
- 1823,1831,1847,1861,1867,1871,1873,1877,
- 1879,1889,1901,1907,1913,1931,1933,1949,
- 1951,1973,1979,1987,1993,1997,1999,2003,
- 2011,2017,2027,2029,2039,2053,2063,2069,
- 2081,2083,2087,2089,2099,2111,2113,2129,
- 2131,2137,2141,2143,2153,2161,2179,2203,
- 2207,2213,2221,2237,2239,2243,2251,2267,
- 2269,2273,2281,2287,2293,2297,2309,2311,
- 2333,2339,2341,2347,2351,2357,2371,2377,
- 2381,2383,2389,2393,2399,2411,2417,2423,
- 2437,2441,2447,2459,2467,2473,2477,2503,
- 2521,2531,2539,2543,2549,2551,2557,2579,
- 2591,2593,2609,2617,2621,2633,2647,2657,
- 2659,2663,2671,2677,2683,2687,2689,2693,
- 2699,2707,2711,2713,2719,2729,2731,2741,
- 2749,2753,2767,2777,2789,2791,2797,2801,
- 2803,2819,2833,2837,2843,2851,2857,2861,
- 2879,2887,2897,2903,2909,2917,2927,2939,
- 2953,2957,2963,2969,2971,2999,3001,3011,
- 3019,3023,3037,3041,3049,3061,3067,3079,
- 3083,3089,3109,3119,3121,3137,3163,3167,
- 3169,3181,3187,3191,3203,3209,3217,3221,
- 3229,3251,3253,3257,3259,3271,3299,3301,
- 3307,3313,3319,3323,3329,3331,3343,3347,
- 3359,3361,3371,3373,3389,3391,3407,3413,
- 3433,3449,3457,3461,3463,3467,3469,3491,
- 3499,3511,3517,3527,3529,3533,3539,3541,
- 3547,3557,3559,3571,3581,3583,3593,3607,
- 3613,3617,3623,3631,3637,3643,3659,3671,
- 3673,3677,3691,3697,3701,3709,3719,3727,
- 3733,3739,3761,3767,3769,3779,3793,3797,
- 3803,3821,3823,3833,3847,3851,3853,3863,
- 3877,3881,3889,3907,3911,3917,3919,3923,
- 3929,3931,3943,3947,3967,3989,4001,4003,
- 4007,4013,4019,4021,4027,4049,4051,4057,
- 4073,4079,4091,4093,4099,4111,4127,4129,
- 4133,4139,4153,4157,4159,4177,4201,4211,
- 4217,4219,4229,4231,4241,4243,4253,4259,
- 4261,4271,4273,4283,4289,4297,4327,4337,
- 4339,4349,4357,4363,4373,4391,4397,4409,
- 4421,4423,4441,4447,4451,4457,4463,4481,
- 4483,4493,4507,4513,4517,4519,4523,4547,
- 4549,4561,4567,4583,4591,4597,4603,4621,
- 4637,4639,4643,4649,4651,4657,4663,4673,
- 4679,4691,4703,4721,4723,4729,4733,4751,
- 4759,4783,4787,4789,4793,4799,4801,4813,
- 4817,4831,4861,4871,4877,4889,4903,4909,
- 4919,4931,4933,4937,4943,4951,4957,4967,
- 4969,4973,4987,4993,4999,5003,5009,5011,
- 5021,5023,5039,5051,5059,5077,5081,5087,
- 5099,5101,5107,5113,5119,5147,5153,5167,
- 5171,5179,5189,5197,5209,5227,5231,5233,
- 5237,5261,5273,5279,5281,5297,5303,5309,
- 5323,5333,5347,5351,5381,5387,5393,5399,
- 5407,5413,5417,5419,5431,5437,5441,5443,
- 5449,5471,5477,5479,5483,5501,5503,5507,
- 5519,5521,5527,5531,5557,5563,5569,5573,
- 5581,5591,5623,5639,5641,5647,5651,5653,
- 5657,5659,5669,5683,5689,5693,5701,5711,
- 5717,5737,5741,5743,5749,5779,5783,5791,
- 5801,5807,5813,5821,5827,5839,5843,5849,
- 5851,5857,5861,5867,5869,5879,5881,5897,
- 5903,5923,5927,5939,5953,5981,5987,6007,
- 6011,6029,6037,6043,6047,6053,6067,6073,
- 6079,6089,6091,6101,6113,6121,6131,6133,
- 6143,6151,6163,6173,6197,6199,6203,6211,
- 6217,6221,6229,6247,6257,6263,6269,6271,
- 6277,6287,6299,6301,6311,6317,6323,6329,
- 6337,6343,6353,6359,6361,6367,6373,6379,
- 6389,6397,6421,6427,6449,6451,6469,6473,
- 6481,6491,6521,6529,6547,6551,6553,6563,
- 6569,6571,6577,6581,6599,6607,6619,6637,
- 6653,6659,6661,6673,6679,6689,6691,6701,
- 6703,6709,6719,6733,6737,6761,6763,6779,
- 6781,6791,6793,6803,6823,6827,6829,6833,
- 6841,6857,6863,6869,6871,6883,6899,6907,
- 6911,6917,6947,6949,6959,6961,6967,6971,
- 6977,6983,6991,6997,7001,7013,7019,7027,
- 7039,7043,7057,7069,7079,7103,7109,7121,
- 7127,7129,7151,7159,7177,7187,7193,7207,
- 7211,7213,7219,7229,7237,7243,7247,7253,
- 7283,7297,7307,7309,7321,7331,7333,7349,
- 7351,7369,7393,7411,7417,7433,7451,7457,
- 7459,7477,7481,7487,7489,7499,7507,7517,
- 7523,7529,7537,7541,7547,7549,7559,7561,
- 7573,7577,7583,7589,7591,7603,7607,7621,
- 7639,7643,7649,7669,7673,7681,7687,7691,
- 7699,7703,7717,7723,7727,7741,7753,7757,
- 7759,7789,7793,7817,7823,7829,7841,7853,
- 7867,7873,7877,7879,7883,7901,7907,7919,
- 7927,7933,7937,7949,7951,7963,7993,8009,
- 8011,8017,8039,8053,8059,8069,8081,8087,
- 8089,8093,8101,8111,8117,8123,8147,8161,
- 8167,8171,8179,8191,8209,8219,8221,8231,
- 8233,8237,8243,8263,8269,8273,8287,8291,
- 8293,8297,8311,8317,8329,8353,8363,8369,
- 8377,8387,8389,8419,8423,8429,8431,8443,
- 8447,8461,8467,8501,8513,8521,8527,8537,
- 8539,8543,8563,8573,8581,8597,8599,8609,
- 8623,8627,8629,8641,8647,8663,8669,8677,
- 8681,8689,8693,8699,8707,8713,8719,8731,
- 8737,8741,8747,8753,8761,8779,8783,8803,
- 8807,8819,8821,8831,8837,8839,8849,8861,
- 8863,8867,8887,8893,8923,8929,8933,8941,
- 8951,8963,8969,8971,8999,9001,9007,9011,
- 9013,9029,9041,9043,9049,9059,9067,9091,
- 9103,9109,9127,9133,9137,9151,9157,9161,
- 9173,9181,9187,9199,9203,9209,9221,9227,
- 9239,9241,9257,9277,9281,9283,9293,9311,
- 9319,9323,9337,9341,9343,9349,9371,9377,
- 9391,9397,9403,9413,9419,9421,9431,9433,
- 9437,9439,9461,9463,9467,9473,9479,9491,
- 9497,9511,9521,9533,9539,9547,9551,9587,
- 9601,9613,9619,9623,9629,9631,9643,9649,
- 9661,9677,9679,9689,9697,9719,9721,9733,
- 9739,9743,9749,9767,9769,9781,9787,9791,
- 9803,9811,9817,9829,9833,9839,9851,9857,
- 9859,9871,9883,9887,9901,9907,9923,9929,
- 9931,9941,9949,9967,9973,10007,10009,10037,
- 10039,10061,10067,10069,10079,10091,10093,10099,
- 10103,10111,10133,10139,10141,10151,10159,10163,
- 10169,10177,10181,10193,10211,10223,10243,10247,
- 10253,10259,10267,10271,10273,10289,10301,10303,
- 10313,10321,10331,10333,10337,10343,10357,10369,
- 10391,10399,10427,10429,10433,10453,10457,10459,
- 10463,10477,10487,10499,10501,10513,10529,10531,
- 10559,10567,10589,10597,10601,10607,10613,10627,
- 10631,10639,10651,10657,10663,10667,10687,10691,
- 10709,10711,10723,10729,10733,10739,10753,10771,
- 10781,10789,10799,10831,10837,10847,10853,10859,
- 10861,10867,10883,10889,10891,10903,10909,10937,
- 10939,10949,10957,10973,10979,10987,10993,11003,
- 11027,11047,11057,11059,11069,11071,11083,11087,
- 11093,11113,11117,11119,11131,11149,11159,11161,
- 11171,11173,11177,11197,11213,11239,11243,11251,
- 11257,11261,11273,11279,11287,11299,11311,11317,
- 11321,11329,11351,11353,11369,11383,11393,11399,
- 11411,11423,11437,11443,11447,11467,11471,11483,
- 11489,11491,11497,11503,11519,11527,11549,11551,
- 11579,11587,11593,11597,11617,11621,11633,11657,
- 11677,11681,11689,11699,11701,11717,11719,11731,
- 11743,11777,11779,11783,11789,11801,11807,11813,
- 11821,11827,11831,11833,11839,11863,11867,11887,
- 11897,11903,11909,11923,11927,11933,11939,11941,
- 11953,11959,11969,11971,11981,11987,12007,12011,
- 12037,12041,12043,12049,12071,12073,12097,12101,
- 12107,12109,12113,12119,12143,12149,12157,12161,
- 12163,12197,12203,12211,12227,12239,12241,12251,
- 12253,12263,12269,12277,12281,12289,12301,12323,
- 12329,12343,12347,12373,12377,12379,12391,12401,
- 12409,12413,12421,12433,12437,12451,12457,12473,
- 12479,12487,12491,12497,12503,12511,12517,12527,
- 12539,12541,12547,12553,12569,12577,12583,12589,
- 12601,12611,12613,12619,12637,12641,12647,12653,
- 12659,12671,12689,12697,12703,12713,12721,12739,
- 12743,12757,12763,12781,12791,12799,12809,12821,
- 12823,12829,12841,12853,12889,12893,12899,12907,
- 12911,12917,12919,12923,12941,12953,12959,12967,
- 12973,12979,12983,13001,13003,13007,13009,13033,
- 13037,13043,13049,13063,13093,13099,13103,13109,
- 13121,13127,13147,13151,13159,13163,13171,13177,
- 13183,13187,13217,13219,13229,13241,13249,13259,
- 13267,13291,13297,13309,13313,13327,13331,13337,
- 13339,13367,13381,13397,13399,13411,13417,13421,
- 13441,13451,13457,13463,13469,13477,13487,13499,
- 13513,13523,13537,13553,13567,13577,13591,13597,
- 13613,13619,13627,13633,13649,13669,13679,13681,
- 13687,13691,13693,13697,13709,13711,13721,13723,
- 13729,13751,13757,13759,13763,13781,13789,13799,
- 13807,13829,13831,13841,13859,13873,13877,13879,
- 13883,13901,13903,13907,13913,13921,13931,13933,
- 13963,13967,13997,13999,14009,14011,14029,14033,
- 14051,14057,14071,14081,14083,14087,14107,14143,
- 14149,14153,14159,14173,14177,14197,14207,14221,
- 14243,14249,14251,14281,14293,14303,14321,14323,
- 14327,14341,14347,14369,14387,14389,14401,14407,
- 14411,14419,14423,14431,14437,14447,14449,14461,
- 14479,14489,14503,14519,14533,14537,14543,14549,
- 14551,14557,14561,14563,14591,14593,14621,14627,
- 14629,14633,14639,14653,14657,14669,14683,14699,
- 14713,14717,14723,14731,14737,14741,14747,14753,
- 14759,14767,14771,14779,14783,14797,14813,14821,
- 14827,14831,14843,14851,14867,14869,14879,14887,
- 14891,14897,14923,14929,14939,14947,14951,14957,
- 14969,14983,15013,15017,15031,15053,15061,15073,
- 15077,15083,15091,15101,15107,15121,15131,15137,
- 15139,15149,15161,15173,15187,15193,15199,15217,
- 15227,15233,15241,15259,15263,15269,15271,15277,
- 15287,15289,15299,15307,15313,15319,15329,15331,
- 15349,15359,15361,15373,15377,15383,15391,15401,
- 15413,15427,15439,15443,15451,15461,15467,15473,
- 15493,15497,15511,15527,15541,15551,15559,15569,
- 15581,15583,15601,15607,15619,15629,15641,15643,
- 15647,15649,15661,15667,15671,15679,15683,15727,
- 15731,15733,15737,15739,15749,15761,15767,15773,
- 15787,15791,15797,15803,15809,15817,15823,15859,
- 15877,15881,15887,15889,15901,15907,15913,15919,
- 15923,15937,15959,15971,15973,15991,16001,16007,
- 16033,16057,16061,16063,16067,16069,16073,16087,
- 16091,16097,16103,16111,16127,16139,16141,16183,
- 16187,16189,16193,16217,16223,16229,16231,16249,
- 16253,16267,16273,16301,16319,16333,16339,16349,
- 16361,16363,16369,16381,16411,16417,16421,16427,
- 16433,16447,16451,16453,16477,16481,16487,16493,
- 16519,16529,16547,16553,16561,16567,16573,16603,
- 16607,16619,16631,16633,16649,16651,16657,16661,
- 16673,16691,16693,16699,16703,16729,16741,16747,
- 16759,16763,16787,16811,16823,16829,16831,16843,
- 16871,16879,16883,16889,16901,16903,16921,16927,
- 16931,16937,16943,16963,16979,16981,16987,16993,
- 17011,17021,17027,17029,17033,17041,17047,17053,
- 17077,17093,17099,17107,17117,17123,17137,17159,
- 17167,17183,17189,17191,17203,17207,17209,17231,
- 17239,17257,17291,17293,17299,17317,17321,17327,
- 17333,17341,17351,17359,17377,17383,17387,17389,
- 17393,17401,17417,17419,17431,17443,17449,17467,
- 17471,17477,17483,17489,17491,17497,17509,17519,
- 17539,17551,17569,17573,17579,17581,17597,17599,
- 17609,17623,17627,17657,17659,17669,17681,17683,
- 17707,17713,17729,17737,17747,17749,17761,17783,
- 17789,17791,17807,17827,17837,17839,17851,17863,
+ 257, 263,
+ 269, 271, 277, 281, 283, 293, 307, 311,
+ 313, 317, 331, 337, 347, 349, 353, 359,
+ 367, 373, 379, 383, 389, 397, 401, 409,
+ 419, 421, 431, 433, 439, 443, 449, 457,
+ 461, 463, 467, 479, 487, 491, 499, 503,
+ 509, 521, 523, 541, 547, 557, 563, 569,
+ 571, 577, 587, 593, 599, 601, 607, 613,
+ 617, 619, 631, 641, 643, 647, 653, 659,
+ 661, 673, 677, 683, 691, 701, 709, 719,
+ 727, 733, 739, 743, 751, 757, 761, 769,
+ 773, 787, 797, 809, 811, 821, 823, 827,
+ 829, 839, 853, 857, 859, 863, 877, 881,
+ 883, 887, 907, 911, 919, 929, 937, 941,
+ 947, 953, 967, 971, 977, 983, 991, 997,
+ 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049,
+ 1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097,
+ 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163,
+ 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223,
+ 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283,
+ 1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321,
+ 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423,
+ 1427, 1429, 1433, 1439, 1447, 1451, 1453, 1459,
+ 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511,
+ 1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571,
+ 1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619,
+ 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693,
+ 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747,
+ 1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811,
+ 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877,
+ 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949,
+ 1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003,
+ 2011, 2017, 2027, 2029, 2039, 2053, 2063, 2069,
+ 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129,
+ 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203,
+ 2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267,
+ 2269, 2273, 2281, 2287, 2293, 2297, 2309, 2311,
+ 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377,
+ 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423,
+ 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503,
+ 2521, 2531, 2539, 2543, 2549, 2551, 2557, 2579,
+ 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657,
+ 2659, 2663, 2671, 2677, 2683, 2687, 2689, 2693,
+ 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741,
+ 2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801,
+ 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861,
+ 2879, 2887, 2897, 2903, 2909, 2917, 2927, 2939,
+ 2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011,
+ 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079,
+ 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167,
+ 3169, 3181, 3187, 3191, 3203, 3209, 3217, 3221,
+ 3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301,
+ 3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347,
+ 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413,
+ 3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491,
+ 3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541,
+ 3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607,
+ 3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671,
+ 3673, 3677, 3691, 3697, 3701, 3709, 3719, 3727,
+ 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797,
+ 3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863,
+ 3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923,
+ 3929, 3931, 3943, 3947, 3967, 3989, 4001, 4003,
+ 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057,
+ 4073, 4079, 4091, 4093, 4099, 4111, 4127, 4129,
+ 4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211,
+ 4217, 4219, 4229, 4231, 4241, 4243, 4253, 4259,
+ 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337,
+ 4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409,
+ 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481,
+ 4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547,
+ 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621,
+ 4637, 4639, 4643, 4649, 4651, 4657, 4663, 4673,
+ 4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751,
+ 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813,
+ 4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909,
+ 4919, 4931, 4933, 4937, 4943, 4951, 4957, 4967,
+ 4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011,
+ 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087,
+ 5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167,
+ 5171, 5179, 5189, 5197, 5209, 5227, 5231, 5233,
+ 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309,
+ 5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399,
+ 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443,
+ 5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507,
+ 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573,
+ 5581, 5591, 5623, 5639, 5641, 5647, 5651, 5653,
+ 5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711,
+ 5717, 5737, 5741, 5743, 5749, 5779, 5783, 5791,
+ 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849,
+ 5851, 5857, 5861, 5867, 5869, 5879, 5881, 5897,
+ 5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007,
+ 6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073,
+ 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133,
+ 6143, 6151, 6163, 6173, 6197, 6199, 6203, 6211,
+ 6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271,
+ 6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329,
+ 6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379,
+ 6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473,
+ 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563,
+ 6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637,
+ 6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701,
+ 6703, 6709, 6719, 6733, 6737, 6761, 6763, 6779,
+ 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833,
+ 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907,
+ 6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971,
+ 6977, 6983, 6991, 6997, 7001, 7013, 7019, 7027,
+ 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121,
+ 7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207,
+ 7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253,
+ 7283, 7297, 7307, 7309, 7321, 7331, 7333, 7349,
+ 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457,
+ 7459, 7477, 7481, 7487, 7489, 7499, 7507, 7517,
+ 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561,
+ 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621,
+ 7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691,
+ 7699, 7703, 7717, 7723, 7727, 7741, 7753, 7757,
+ 7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853,
+ 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919,
+ 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009,
+ 8011, 8017, 8039, 8053, 8059, 8069, 8081, 8087,
+ 8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161,
+ 8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231,
+ 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291,
+ 8293, 8297, 8311, 8317, 8329, 8353, 8363, 8369,
+ 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443,
+ 8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537,
+ 8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609,
+ 8623, 8627, 8629, 8641, 8647, 8663, 8669, 8677,
+ 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731,
+ 8737, 8741, 8747, 8753, 8761, 8779, 8783, 8803,
+ 8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861,
+ 8863, 8867, 8887, 8893, 8923, 8929, 8933, 8941,
+ 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011,
+ 9013, 9029, 9041, 9043, 9049, 9059, 9067, 9091,
+ 9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161,
+ 9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227,
+ 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311,
+ 9319, 9323, 9337, 9341, 9343, 9349, 9371, 9377,
+ 9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433,
+ 9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491,
+ 9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587,
+ 9601, 9613, 9619, 9623, 9629, 9631, 9643, 9649,
+ 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733,
+ 9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791,
+ 9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857,
+ 9859, 9871, 9883, 9887, 9901, 9907, 9923, 9929,
+ 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037,
+ 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099,
+ 10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163,
+ 10169, 10177, 10181, 10193, 10211, 10223, 10243, 10247,
+ 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303,
+ 10313, 10321, 10331, 10333, 10337, 10343, 10357, 10369,
+ 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459,
+ 10463, 10477, 10487, 10499, 10501, 10513, 10529, 10531,
+ 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627,
+ 10631, 10639, 10651, 10657, 10663, 10667, 10687, 10691,
+ 10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771,
+ 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859,
+ 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937,
+ 10939, 10949, 10957, 10973, 10979, 10987, 10993, 11003,
+ 11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087,
+ 11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161,
+ 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251,
+ 11257, 11261, 11273, 11279, 11287, 11299, 11311, 11317,
+ 11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399,
+ 11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483,
+ 11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551,
+ 11579, 11587, 11593, 11597, 11617, 11621, 11633, 11657,
+ 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731,
+ 11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813,
+ 11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887,
+ 11897, 11903, 11909, 11923, 11927, 11933, 11939, 11941,
+ 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011,
+ 12037, 12041, 12043, 12049, 12071, 12073, 12097, 12101,
+ 12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161,
+ 12163, 12197, 12203, 12211, 12227, 12239, 12241, 12251,
+ 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323,
+ 12329, 12343, 12347, 12373, 12377, 12379, 12391, 12401,
+ 12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473,
+ 12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527,
+ 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589,
+ 12601, 12611, 12613, 12619, 12637, 12641, 12647, 12653,
+ 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739,
+ 12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821,
+ 12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907,
+ 12911, 12917, 12919, 12923, 12941, 12953, 12959, 12967,
+ 12973, 12979, 12983, 13001, 13003, 13007, 13009, 13033,
+ 13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109,
+ 13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177,
+ 13183, 13187, 13217, 13219, 13229, 13241, 13249, 13259,
+ 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337,
+ 13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421,
+ 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499,
+ 13513, 13523, 13537, 13553, 13567, 13577, 13591, 13597,
+ 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681,
+ 13687, 13691, 13693, 13697, 13709, 13711, 13721, 13723,
+ 13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799,
+ 13807, 13829, 13831, 13841, 13859, 13873, 13877, 13879,
+ 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933,
+ 13963, 13967, 13997, 13999, 14009, 14011, 14029, 14033,
+ 14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143,
+ 14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221,
+ 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323,
+ 14327, 14341, 14347, 14369, 14387, 14389, 14401, 14407,
+ 14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461,
+ 14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549,
+ 14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627,
+ 14629, 14633, 14639, 14653, 14657, 14669, 14683, 14699,
+ 14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753,
+ 14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821,
+ 14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887,
+ 14891, 14897, 14923, 14929, 14939, 14947, 14951, 14957,
+ 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073,
+ 15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137,
+ 15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217,
+ 15227, 15233, 15241, 15259, 15263, 15269, 15271, 15277,
+ 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331,
+ 15349, 15359, 15361, 15373, 15377, 15383, 15391, 15401,
+ 15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473,
+ 15493, 15497, 15511, 15527, 15541, 15551, 15559, 15569,
+ 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643,
+ 15647, 15649, 15661, 15667, 15671, 15679, 15683, 15727,
+ 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773,
+ 15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859,
+ 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919,
+ 15923, 15937, 15959, 15971, 15973, 15991, 16001, 16007,
+ 16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087,
+ 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183,
+ 16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249,
+ 16253, 16267, 16273, 16301, 16319, 16333, 16339, 16349,
+ 16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427,
+ 16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493,
+ 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603,
+ 16607, 16619, 16631, 16633, 16649, 16651, 16657, 16661,
+ 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747,
+ 16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843,
+ 16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927,
+ 16931, 16937, 16943, 16963, 16979, 16981, 16987, 16993,
+ 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053,
+ 17077, 17093, 17099, 17107, 17117, 17123, 17137, 17159,
+ 17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231,
+ 17239, 17257, 17291, 17293, 17299, 17317, 17321, 17327,
+ 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389,
+ 17393, 17401, 17417, 17419, 17431, 17443, 17449, 17467,
+ 17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519,
+ 17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599,
+ 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683,
+ 17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783,
+ 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863,
#endif
- };
+};
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_print.c b/Cryptlib/OpenSSL/crypto/bn/bn_print.c
index 15bc51af..ab10b957 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_print.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_print.c
@@ -71,7 +71,12 @@ char *BN_bn2hex(const BIGNUM *a)
char *buf;
char *p;
- buf = (char *)OPENSSL_malloc(a->top * BN_BYTES * 2 + 2);
+ if (a->neg && BN_is_zero(a)) {
+ /* "-0" == 3 bytes including NULL terminator */
+ buf = OPENSSL_malloc(3);
+ } else {
+ buf = OPENSSL_malloc(a->top * BN_BYTES * 2 + 2);
+ }
if (buf == NULL) {
BNerr(BN_F_BN_BN2HEX, ERR_R_MALLOC_FAILURE);
goto err;
@@ -304,6 +309,24 @@ int BN_dec2bn(BIGNUM **bn, const char *a)
return (0);
}
+int BN_asc2bn(BIGNUM **bn, const char *a)
+{
+ const char *p = a;
+ if (*p == '-')
+ p++;
+
+ if (p[0] == '0' && (p[1] == 'X' || p[1] == 'x')) {
+ if (!BN_hex2bn(bn, p + 2))
+ return 0;
+ } else {
+ if (!BN_dec2bn(bn, p))
+ return 0;
+ }
+ if (*a == '-')
+ (*bn)->neg = 1;
+ return 1;
+}
+
#ifndef OPENSSL_NO_BIO
# ifndef OPENSSL_NO_FP_API
int BN_print_fp(FILE *fp, const BIGNUM *a)
@@ -345,3 +368,21 @@ int BN_print(BIO *bp, const BIGNUM *a)
return (ret);
}
#endif
+
+char *BN_options(void)
+{
+ static int init = 0;
+ static char data[16];
+
+ if (!init) {
+ init++;
+#ifdef BN_LLONG
+ BIO_snprintf(data, sizeof data, "bn(%d,%d)",
+ (int)sizeof(BN_ULLONG) * 8, (int)sizeof(BN_ULONG) * 8);
+#else
+ BIO_snprintf(data, sizeof data, "bn(%d,%d)",
+ (int)sizeof(BN_ULONG) * 8, (int)sizeof(BN_ULONG) * 8);
+#endif
+ }
+ return (data);
+}
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_rand.c b/Cryptlib/OpenSSL/crypto/bn/bn_rand.c
index 7ac71ec8..f9fb2e9e 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_rand.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_rand.c
@@ -121,6 +121,11 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
int ret = 0, bit, bytes, mask;
time_t tim;
+ if (bits < 0 || (bits == 1 && top > 0)) {
+ BNerr(BN_F_BNRAND, BN_R_BITS_TOO_SMALL);
+ return 0;
+ }
+
if (bits == 0) {
BN_zero(rnd);
return 1;
@@ -157,7 +162,8 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
unsigned char c;
for (i = 0; i < bytes; i++) {
- RAND_pseudo_bytes(&c, 1);
+ if (RAND_pseudo_bytes(&c, 1) < 0)
+ goto err;
if (c >= 128 && i > 0)
buf[i] = buf[i - 1];
else if (c < 42)
@@ -168,7 +174,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
}
#endif
- if (top != -1) {
+ if (top >= 0) {
if (top) {
if (bit == 0) {
buf[0] = 1;
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_shift.c b/Cryptlib/OpenSSL/crypto/bn/bn_shift.c
index 67904c99..9673d9a3 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_shift.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_shift.c
@@ -96,7 +96,7 @@ int BN_lshift1(BIGNUM *r, const BIGNUM *a)
int BN_rshift1(BIGNUM *r, const BIGNUM *a)
{
BN_ULONG *ap, *rp, t, c;
- int i;
+ int i, j;
bn_check_top(r);
bn_check_top(a);
@@ -105,21 +105,25 @@ int BN_rshift1(BIGNUM *r, const BIGNUM *a)
BN_zero(r);
return (1);
}
+ i = a->top;
+ ap = a->d;
+ j = i - (ap[i - 1] == 1);
if (a != r) {
- if (bn_wexpand(r, a->top) == NULL)
+ if (bn_wexpand(r, j) == NULL)
return (0);
- r->top = a->top;
r->neg = a->neg;
}
- ap = a->d;
rp = r->d;
- c = 0;
- for (i = a->top - 1; i >= 0; i--) {
- t = ap[i];
+ t = ap[--i];
+ c = (t & 1) ? BN_TBIT : 0;
+ if (t >>= 1)
+ rp[i] = t;
+ while (i > 0) {
+ t = ap[--i];
rp[i] = ((t >> 1) & BN_MASK2) | c;
c = (t & 1) ? BN_TBIT : 0;
}
- bn_correct_top(r);
+ r->top = j;
bn_check_top(r);
return (1);
}
@@ -133,6 +137,11 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
bn_check_top(r);
bn_check_top(a);
+ if (n < 0) {
+ BNerr(BN_F_BN_LSHIFT, BN_R_INVALID_SHIFT);
+ return 0;
+ }
+
r->neg = a->neg;
nw = n / BN_BITS2;
if (bn_wexpand(r, a->top + nw + 1) == NULL)
@@ -170,6 +179,11 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
bn_check_top(r);
bn_check_top(a);
+ if (n < 0) {
+ BNerr(BN_F_BN_RSHIFT, BN_R_INVALID_SHIFT);
+ return 0;
+ }
+
nw = n / BN_BITS2;
rb = n % BN_BITS2;
lb = BN_BITS2 - rb;
@@ -177,9 +191,10 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
BN_zero(r);
return (1);
}
+ i = (BN_num_bits(a) - n + (BN_BITS2 - 1)) / BN_BITS2;
if (r != a) {
r->neg = a->neg;
- if (bn_wexpand(r, a->top - nw + 1) == NULL)
+ if (bn_wexpand(r, i) == NULL)
return (0);
} else {
if (n == 0)
@@ -189,7 +204,7 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
f = &(a->d[nw]);
t = r->d;
j = a->top - nw;
- r->top = j;
+ r->top = i;
if (rb == 0) {
for (i = j; i != 0; i--)
@@ -201,9 +216,9 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
l = *(f++);
*(t++) = (tmp | (l << lb)) & BN_MASK2;
}
- *(t++) = (l >> rb) & BN_MASK2;
+ if ((l = (l >> rb) & BN_MASK2))
+ *(t) = l;
}
- bn_correct_top(r);
bn_check_top(r);
return (1);
}
diff --git a/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h b/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h
new file mode 100644
index 00000000..33361de9
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h
@@ -0,0 +1,56 @@
+/******************************************************************************
+* Copyright(c) 2012, Intel Corp.
+* Developers and authors:
+* Shay Gueron (1, 2), and Vlad Krasnov (1)
+* (1) Intel Corporation, Israel Development Center, Haifa, Israel
+* (2) University of Haifa, Israel
+******************************************************************************
+* LICENSE:
+* This submission to OpenSSL is to be made available under the OpenSSL
+* license, and only to the OpenSSL project, in order to allow integration
+* into the publicly distributed code.
+* The use of this code, or portions of this code, or concepts embedded in
+* this code, or modification of this code and/or algorithm(s) in it, or the
+* use of this code for any other purpose than stated above, requires special
+* licensing.
+******************************************************************************
+* DISCLAIMER:
+* THIS SOFTWARE IS PROVIDED BY THE CONTRIBUTORS AND THE COPYRIGHT OWNERS
+* ``AS IS''. ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS OR THE COPYRIGHT
+* OWNERS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+******************************************************************************/
+
+#ifndef RSAZ_EXP_H
+# define RSAZ_EXP_H
+
+# undef RSAZ_ENABLED
+# if defined(OPENSSL_BN_ASM_MONT) && \
+ (defined(__x86_64) || defined(__x86_64__) || \
+ defined(_M_AMD64) || defined(_M_X64))
+# define RSAZ_ENABLED
+
+# include <openssl/bn.h>
+
+void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16],
+ const BN_ULONG base_norm[16],
+ const BN_ULONG exponent[16],
+ const BN_ULONG m_norm[16], const BN_ULONG RR[16],
+ BN_ULONG k0);
+int rsaz_avx2_eligible();
+
+void RSAZ_512_mod_exp(BN_ULONG result[8],
+ const BN_ULONG base_norm[8], const BN_ULONG exponent[8],
+ const BN_ULONG m_norm[8], BN_ULONG k0,
+ const BN_ULONG RR[8]);
+
+# endif
+
+#endif
generated by cgit v1.2.3 (git 2.39.1) at 2025-12-17 13:53:14 +0000