/src/libressl/crypto/bn/bn_mont.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: bn_mont.c,v 1.28 2022/02/07 19:44:23 tb Exp $ */ |
2 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | | * All rights reserved. |
4 | | * |
5 | | * This package is an SSL implementation written |
6 | | * by Eric Young (eay@cryptsoft.com). |
7 | | * The implementation was written so as to conform with Netscapes SSL. |
8 | | * |
9 | | * This library is free for commercial and non-commercial use as long as |
10 | | * the following conditions are aheared to. The following conditions |
11 | | * apply to all code found in this distribution, be it the RC4, RSA, |
12 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 | | * included with this distribution is covered by the same copyright terms |
14 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 | | * |
16 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | | * the code are not to be removed. |
18 | | * If this package is used in a product, Eric Young should be given attribution |
19 | | * as the author of the parts of the library used. |
20 | | * This can be in the form of a textual message at program startup or |
21 | | * in documentation (online or textual) provided with the package. |
22 | | * |
23 | | * Redistribution and use in source and binary forms, with or without |
24 | | * modification, are permitted provided that the following conditions |
25 | | * are met: |
26 | | * 1. Redistributions of source code must retain the copyright |
27 | | * notice, this list of conditions and the following disclaimer. |
28 | | * 2. Redistributions in binary form must reproduce the above copyright |
29 | | * notice, this list of conditions and the following disclaimer in the |
30 | | * documentation and/or other materials provided with the distribution. |
31 | | * 3. All advertising materials mentioning features or use of this software |
32 | | * must display the following acknowledgement: |
33 | | * "This product includes cryptographic software written by |
34 | | * Eric Young (eay@cryptsoft.com)" |
35 | | * The word 'cryptographic' can be left out if the rouines from the library |
36 | | * being used are not cryptographic related :-). |
37 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
38 | | * the apps directory (application code) you must include an acknowledgement: |
39 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 | | * |
41 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 | | * SUCH DAMAGE. |
52 | | * |
53 | | * The licence and distribution terms for any publically available version or |
54 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 | | * copied and put under another distribution licence |
56 | | * [including the GNU Public Licence.] |
57 | | */ |
58 | | /* ==================================================================== |
59 | | * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. |
60 | | * |
61 | | * Redistribution and use in source and binary forms, with or without |
62 | | * modification, are permitted provided that the following conditions |
63 | | * are met: |
64 | | * |
65 | | * 1. Redistributions of source code must retain the above copyright |
66 | | * notice, this list of conditions and the following disclaimer. |
67 | | * |
68 | | * 2. Redistributions in binary form must reproduce the above copyright |
69 | | * notice, this list of conditions and the following disclaimer in |
70 | | * the documentation and/or other materials provided with the |
71 | | * distribution. |
72 | | * |
73 | | * 3. All advertising materials mentioning features or use of this |
74 | | * software must display the following acknowledgment: |
75 | | * "This product includes software developed by the OpenSSL Project |
76 | | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
77 | | * |
78 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
79 | | * endorse or promote products derived from this software without |
80 | | * prior written permission. For written permission, please contact |
81 | | * openssl-core@openssl.org. |
82 | | * |
83 | | * 5. Products derived from this software may not be called "OpenSSL" |
84 | | * nor may "OpenSSL" appear in their names without prior written |
85 | | * permission of the OpenSSL Project. |
86 | | * |
87 | | * 6. Redistributions of any form whatsoever must retain the following |
88 | | * acknowledgment: |
89 | | * "This product includes software developed by the OpenSSL Project |
90 | | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
91 | | * |
92 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
93 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
94 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
95 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
96 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
97 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
98 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
99 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
100 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
101 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
102 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
103 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
104 | | * ==================================================================== |
105 | | * |
106 | | * This product includes cryptographic software written by Eric Young |
107 | | * (eay@cryptsoft.com). This product includes software written by Tim |
108 | | * Hudson (tjh@cryptsoft.com). |
109 | | * |
110 | | */ |
111 | | |
112 | | /* |
113 | | * Details about Montgomery multiplication algorithms can be found at |
114 | | * http://security.ece.orst.edu/publications.html, e.g. |
115 | | * http://security.ece.orst.edu/koc/papers/j37acmon.pdf and |
116 | | * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf |
117 | | */ |
118 | | |
119 | | #include <stdio.h> |
120 | | #include <stdint.h> |
121 | | |
122 | | #include "bn_lcl.h" |
123 | | |
124 | | #define MONT_WORD /* use the faster word-based algorithm */ |
125 | | |
126 | | #ifdef MONT_WORD |
127 | | static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont); |
128 | | #endif |
129 | | |
130 | | int |
131 | | BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, |
132 | | BN_MONT_CTX *mont, BN_CTX *ctx) |
133 | 148M | { |
134 | 148M | BIGNUM *tmp; |
135 | 148M | int ret = 0; |
136 | 148M | #if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD) |
137 | 148M | int num = mont->N.top; |
138 | | |
139 | 148M | if (num > 1 && a->top == num && b->top == num) { |
140 | 146M | if (bn_wexpand(r, num) == NULL) |
141 | 0 | return (0); |
142 | 146M | if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) { |
143 | 146M | r->neg = a->neg^b->neg; |
144 | 146M | r->top = num; |
145 | 146M | bn_correct_top(r); |
146 | 146M | return (1); |
147 | 146M | } |
148 | 146M | } |
149 | 1.92M | #endif |
150 | | |
151 | 1.92M | BN_CTX_start(ctx); |
152 | 1.92M | if ((tmp = BN_CTX_get(ctx)) == NULL) |
153 | 0 | goto err; |
154 | | |
155 | 1.92M | bn_check_top(tmp); |
156 | 1.92M | if (a == b) { |
157 | 1.03M | if (!BN_sqr(tmp, a, ctx)) |
158 | 0 | goto err; |
159 | 1.03M | } else { |
160 | 889k | if (!BN_mul(tmp, a,b, ctx)) |
161 | 0 | goto err; |
162 | 889k | } |
163 | | /* reduce from aRR to aR */ |
164 | 1.92M | #ifdef MONT_WORD |
165 | 1.92M | if (!BN_from_montgomery_word(r, tmp, mont)) |
166 | 0 | goto err; |
167 | | #else |
168 | | if (!BN_from_montgomery(r, tmp, mont, ctx)) |
169 | | goto err; |
170 | | #endif |
171 | 1.92M | bn_check_top(r); |
172 | 1.92M | ret = 1; |
173 | 1.92M | err: |
174 | 1.92M | BN_CTX_end(ctx); |
175 | 1.92M | return (ret); |
176 | 1.92M | } |
177 | | |
178 | | int |
179 | | BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx) |
180 | 286k | { |
181 | 286k | return BN_mod_mul_montgomery(r, a, &mont->RR, mont, ctx); |
182 | 286k | } |
183 | | |
184 | | #ifdef MONT_WORD |
185 | | static int |
186 | | BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) |
187 | 2.02M | { |
188 | 2.02M | BIGNUM *n; |
189 | 2.02M | BN_ULONG *ap, *np, *rp, n0, v, carry; |
190 | 2.02M | int nl, max, i; |
191 | | |
192 | 2.02M | n = &(mont->N); |
193 | 2.02M | nl = n->top; |
194 | 2.02M | if (nl == 0) { |
195 | 0 | ret->top = 0; |
196 | 0 | return (1); |
197 | 0 | } |
198 | | |
199 | 2.02M | max = (2 * nl); /* carry is stored separately */ |
200 | 2.02M | if (bn_wexpand(r, max) == NULL) |
201 | 0 | return (0); |
202 | | |
203 | 2.02M | r->neg ^= n->neg; |
204 | 2.02M | np = n->d; |
205 | 2.02M | rp = r->d; |
206 | | |
207 | | /* clear the top words of T */ |
208 | 2.02M | #if 1 |
209 | 32.5M | for (i=r->top; i<max; i++) /* memset? XXX */ |
210 | 30.5M | rp[i] = 0; |
211 | | #else |
212 | | memset(&(rp[r->top]), 0, (max - r->top) * sizeof(BN_ULONG)); |
213 | | #endif |
214 | | |
215 | 2.02M | r->top = max; |
216 | 2.02M | n0 = mont->n0[0]; |
217 | | |
218 | | #ifdef BN_COUNT |
219 | | fprintf(stderr, "word BN_from_montgomery_word %d * %d\n", nl, nl); |
220 | | #endif |
221 | 48.9M | for (carry = 0, i = 0; i < nl; i++, rp++) { |
222 | 46.9M | v = bn_mul_add_words(rp, np, nl, (rp[0] * n0) & BN_MASK2); |
223 | 46.9M | v = (v + carry + rp[nl]) & BN_MASK2; |
224 | 46.9M | carry |= (v != rp[nl]); |
225 | 46.9M | carry &= (v <= rp[nl]); |
226 | 46.9M | rp[nl] = v; |
227 | 46.9M | } |
228 | | |
229 | 2.02M | if (bn_wexpand(ret, nl) == NULL) |
230 | 0 | return (0); |
231 | 2.02M | ret->top = nl; |
232 | 2.02M | ret->neg = r->neg; |
233 | | |
234 | 2.02M | rp = ret->d; |
235 | 2.02M | ap = &(r->d[nl]); |
236 | | |
237 | 2.02M | #define BRANCH_FREE 1 |
238 | 2.02M | #if BRANCH_FREE |
239 | 2.02M | { |
240 | 2.02M | BN_ULONG *nrp; |
241 | 2.02M | size_t m; |
242 | | |
243 | 2.02M | v = bn_sub_words(rp, ap, np, nl) - carry; |
244 | | /* if subtraction result is real, then |
245 | | * trick unconditional memcpy below to perform in-place |
246 | | * "refresh" instead of actual copy. */ |
247 | 2.02M | m = (0 - (size_t)v); |
248 | 2.02M | nrp = (BN_ULONG *)(((uintptr_t)rp & ~m)|((uintptr_t)ap & m)); |
249 | | |
250 | 12.6M | for (i = 0, nl -= 4; i < nl; i += 4) { |
251 | 10.6M | BN_ULONG t1, t2, t3, t4; |
252 | | |
253 | 10.6M | t1 = nrp[i + 0]; |
254 | 10.6M | t2 = nrp[i + 1]; |
255 | 10.6M | t3 = nrp[i + 2]; |
256 | 10.6M | ap[i + 0] = 0; |
257 | 10.6M | t4 = nrp[i + 3]; |
258 | 10.6M | ap[i + 1] = 0; |
259 | 10.6M | rp[i + 0] = t1; |
260 | 10.6M | ap[i + 2] = 0; |
261 | 10.6M | rp[i + 1] = t2; |
262 | 10.6M | ap[i + 3] = 0; |
263 | 10.6M | rp[i + 2] = t3; |
264 | 10.6M | rp[i + 3] = t4; |
265 | 10.6M | } |
266 | 6.52M | for (nl += 4; i < nl; i++) |
267 | 4.49M | rp[i] = nrp[i], ap[i] = 0; |
268 | 2.02M | } |
269 | | #else |
270 | | if (bn_sub_words (rp, ap, np, nl) - carry) |
271 | | memcpy(rp, ap, nl*sizeof(BN_ULONG)); |
272 | | #endif |
273 | 2.02M | bn_correct_top(r); |
274 | 2.02M | bn_correct_top(ret); |
275 | 2.02M | bn_check_top(ret); |
276 | | |
277 | 2.02M | return (1); |
278 | 2.02M | } |
279 | | #endif /* MONT_WORD */ |
280 | | |
281 | | int |
282 | | BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx) |
283 | 102k | { |
284 | 102k | int retn = 0; |
285 | 102k | #ifdef MONT_WORD |
286 | 102k | BIGNUM *t; |
287 | | |
288 | 102k | BN_CTX_start(ctx); |
289 | 102k | if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) |
290 | 102k | retn = BN_from_montgomery_word(ret, t, mont); |
291 | 102k | BN_CTX_end(ctx); |
292 | | #else /* !MONT_WORD */ |
293 | | BIGNUM *t1, *t2; |
294 | | |
295 | | BN_CTX_start(ctx); |
296 | | if ((t1 = BN_CTX_get(ctx)) == NULL) |
297 | | goto err; |
298 | | if ((t2 = BN_CTX_get(ctx)) == NULL) |
299 | | goto err; |
300 | | |
301 | | if (!BN_copy(t1, a)) |
302 | | goto err; |
303 | | BN_mask_bits(t1, mont->ri); |
304 | | |
305 | | if (!BN_mul(t2, t1, &mont->Ni, ctx)) |
306 | | goto err; |
307 | | BN_mask_bits(t2, mont->ri); |
308 | | |
309 | | if (!BN_mul(t1, t2, &mont->N, ctx)) |
310 | | goto err; |
311 | | if (!BN_add(t2, a, t1)) |
312 | | goto err; |
313 | | if (!BN_rshift(ret, t2, mont->ri)) |
314 | | goto err; |
315 | | |
316 | | if (BN_ucmp(ret, &(mont->N)) >= 0) { |
317 | | if (!BN_usub(ret, ret, &(mont->N))) |
318 | | goto err; |
319 | | } |
320 | | retn = 1; |
321 | | bn_check_top(ret); |
322 | | |
323 | | err: |
324 | | BN_CTX_end(ctx); |
325 | | #endif /* MONT_WORD */ |
326 | 102k | return (retn); |
327 | 102k | } |
328 | | |
329 | | BN_MONT_CTX * |
330 | | BN_MONT_CTX_new(void) |
331 | 94.2k | { |
332 | 94.2k | BN_MONT_CTX *ret; |
333 | | |
334 | 94.2k | if ((ret = malloc(sizeof(BN_MONT_CTX))) == NULL) |
335 | 0 | return (NULL); |
336 | | |
337 | 94.2k | BN_MONT_CTX_init(ret); |
338 | 94.2k | ret->flags = BN_FLG_MALLOCED; |
339 | 94.2k | return (ret); |
340 | 94.2k | } |
341 | | |
342 | | void |
343 | | BN_MONT_CTX_init(BN_MONT_CTX *ctx) |
344 | 94.2k | { |
345 | 94.2k | ctx->ri = 0; |
346 | 94.2k | BN_init(&(ctx->RR)); |
347 | 94.2k | BN_init(&(ctx->N)); |
348 | 94.2k | BN_init(&(ctx->Ni)); |
349 | 94.2k | ctx->n0[0] = ctx->n0[1] = 0; |
350 | 94.2k | ctx->flags = 0; |
351 | 94.2k | } |
352 | | |
353 | | void |
354 | | BN_MONT_CTX_free(BN_MONT_CTX *mont) |
355 | 371k | { |
356 | 371k | if (mont == NULL) |
357 | 277k | return; |
358 | | |
359 | 94.2k | BN_clear_free(&(mont->RR)); |
360 | 94.2k | BN_clear_free(&(mont->N)); |
361 | 94.2k | BN_clear_free(&(mont->Ni)); |
362 | 94.2k | if (mont->flags & BN_FLG_MALLOCED) |
363 | 94.2k | free(mont); |
364 | 94.2k | } |
365 | | |
366 | | int |
367 | | BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) |
368 | 64.3k | { |
369 | 64.3k | int ret = 0; |
370 | 64.3k | BIGNUM *Ri, *R; |
371 | | |
372 | 64.3k | if (BN_is_zero(mod)) |
373 | 36 | return 0; |
374 | | |
375 | 64.2k | BN_CTX_start(ctx); |
376 | 64.2k | if ((Ri = BN_CTX_get(ctx)) == NULL) |
377 | 0 | goto err; |
378 | 64.2k | R = &(mont->RR); /* grab RR as a temp */ |
379 | 64.2k | if (!BN_copy(&(mont->N), mod)) |
380 | 0 | goto err; /* Set N */ |
381 | 64.2k | mont->N.neg = 0; |
382 | | |
383 | 64.2k | #ifdef MONT_WORD |
384 | 64.2k | { |
385 | 64.2k | BIGNUM tmod; |
386 | 64.2k | BN_ULONG buf[2]; |
387 | | |
388 | 64.2k | BN_init(&tmod); |
389 | 64.2k | tmod.d = buf; |
390 | 64.2k | tmod.dmax = 2; |
391 | 64.2k | tmod.neg = 0; |
392 | | |
393 | 64.2k | mont->ri = (BN_num_bits(mod) + |
394 | 64.2k | (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2; |
395 | | |
396 | | #if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32) |
397 | | /* Only certain BN_BITS2<=32 platforms actually make use of |
398 | | * n0[1], and we could use the #else case (with a shorter R |
399 | | * value) for the others. However, currently only the assembler |
400 | | * files do know which is which. */ |
401 | | |
402 | | BN_zero(R); |
403 | | if (!(BN_set_bit(R, 2 * BN_BITS2))) |
404 | | goto err; |
405 | | |
406 | | tmod.top = 0; |
407 | | if ((buf[0] = mod->d[0])) |
408 | | tmod.top = 1; |
409 | | if ((buf[1] = mod->top > 1 ? mod->d[1] : 0)) |
410 | | tmod.top = 2; |
411 | | |
412 | | if ((BN_mod_inverse_ct(Ri, R, &tmod, ctx)) == NULL) |
413 | | goto err; |
414 | | if (!BN_lshift(Ri, Ri, 2 * BN_BITS2)) |
415 | | goto err; /* R*Ri */ |
416 | | if (!BN_is_zero(Ri)) { |
417 | | if (!BN_sub_word(Ri, 1)) |
418 | | goto err; |
419 | | } |
420 | | else /* if N mod word size == 1 */ |
421 | | { |
422 | | if (bn_expand(Ri, (int)sizeof(BN_ULONG) * 2) == NULL) |
423 | | goto err; |
424 | | /* Ri-- (mod double word size) */ |
425 | | Ri->neg = 0; |
426 | | Ri->d[0] = BN_MASK2; |
427 | | Ri->d[1] = BN_MASK2; |
428 | | Ri->top = 2; |
429 | | } |
430 | | if (!BN_div_ct(Ri, NULL, Ri, &tmod, ctx)) |
431 | | goto err; |
432 | | /* Ni = (R*Ri-1)/N, |
433 | | * keep only couple of least significant words: */ |
434 | | mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0; |
435 | | mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0; |
436 | | #else |
437 | 64.2k | BN_zero(R); |
438 | 64.2k | if (!(BN_set_bit(R, BN_BITS2))) |
439 | 0 | goto err; /* R */ |
440 | | |
441 | 64.2k | buf[0] = mod->d[0]; /* tmod = N mod word size */ |
442 | 64.2k | buf[1] = 0; |
443 | 64.2k | tmod.top = buf[0] != 0 ? 1 : 0; |
444 | | /* Ri = R^-1 mod N*/ |
445 | 64.2k | if ((BN_mod_inverse_ct(Ri, R, &tmod, ctx)) == NULL) |
446 | 78 | goto err; |
447 | 64.2k | if (!BN_lshift(Ri, Ri, BN_BITS2)) |
448 | 0 | goto err; /* R*Ri */ |
449 | 64.2k | if (!BN_is_zero(Ri)) { |
450 | 58.5k | if (!BN_sub_word(Ri, 1)) |
451 | 0 | goto err; |
452 | 58.5k | } |
453 | 5.68k | else /* if N mod word size == 1 */ |
454 | 5.68k | { |
455 | 5.68k | if (!BN_set_word(Ri, BN_MASK2)) |
456 | 0 | goto err; /* Ri-- (mod word size) */ |
457 | 5.68k | } |
458 | 64.2k | if (!BN_div_ct(Ri, NULL, Ri, &tmod, ctx)) |
459 | 0 | goto err; |
460 | | /* Ni = (R*Ri-1)/N, |
461 | | * keep only least significant word: */ |
462 | 64.2k | mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0; |
463 | 64.2k | mont->n0[1] = 0; |
464 | 64.2k | #endif |
465 | 64.2k | } |
466 | | #else /* !MONT_WORD */ |
467 | | { /* bignum version */ |
468 | | mont->ri = BN_num_bits(&mont->N); |
469 | | BN_zero(R); |
470 | | if (!BN_set_bit(R, mont->ri)) |
471 | | goto err; /* R = 2^ri */ |
472 | | /* Ri = R^-1 mod N*/ |
473 | | if ((BN_mod_inverse_ct(Ri, R, &mont->N, ctx)) == NULL) |
474 | | goto err; |
475 | | if (!BN_lshift(Ri, Ri, mont->ri)) |
476 | | goto err; /* R*Ri */ |
477 | | if (!BN_sub_word(Ri, 1)) |
478 | | goto err; |
479 | | /* Ni = (R*Ri-1) / N */ |
480 | | if (!BN_div_ct(&(mont->Ni), NULL, Ri, &mont->N, ctx)) |
481 | | goto err; |
482 | | } |
483 | | #endif |
484 | | |
485 | | /* setup RR for conversions */ |
486 | 64.2k | BN_zero(&(mont->RR)); |
487 | 64.2k | if (!BN_set_bit(&(mont->RR), mont->ri*2)) |
488 | 0 | goto err; |
489 | 64.2k | if (!BN_mod_ct(&(mont->RR), &(mont->RR), &(mont->N), ctx)) |
490 | 0 | goto err; |
491 | | |
492 | 64.2k | ret = 1; |
493 | | |
494 | 64.2k | err: |
495 | 64.2k | BN_CTX_end(ctx); |
496 | 64.2k | return ret; |
497 | 64.2k | } |
498 | | |
499 | | BN_MONT_CTX * |
500 | | BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from) |
501 | 29.8k | { |
502 | 29.8k | if (to == from) |
503 | 0 | return (to); |
504 | | |
505 | 29.8k | if (!BN_copy(&(to->RR), &(from->RR))) |
506 | 0 | return NULL; |
507 | 29.8k | if (!BN_copy(&(to->N), &(from->N))) |
508 | 0 | return NULL; |
509 | 29.8k | if (!BN_copy(&(to->Ni), &(from->Ni))) |
510 | 0 | return NULL; |
511 | 29.8k | to->ri = from->ri; |
512 | 29.8k | to->n0[0] = from->n0[0]; |
513 | 29.8k | to->n0[1] = from->n0[1]; |
514 | 29.8k | return (to); |
515 | 29.8k | } |
516 | | |
517 | | BN_MONT_CTX * |
518 | | BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, const BIGNUM *mod, |
519 | | BN_CTX *ctx) |
520 | 12.8k | { |
521 | 12.8k | int got_write_lock = 0; |
522 | 12.8k | BN_MONT_CTX *ret; |
523 | | |
524 | 12.8k | CRYPTO_r_lock(lock); |
525 | 12.8k | if (!*pmont) { |
526 | 12.2k | CRYPTO_r_unlock(lock); |
527 | 12.2k | CRYPTO_w_lock(lock); |
528 | 12.2k | got_write_lock = 1; |
529 | | |
530 | 12.2k | if (!*pmont) { |
531 | 12.2k | ret = BN_MONT_CTX_new(); |
532 | 12.2k | if (ret && !BN_MONT_CTX_set(ret, mod, ctx)) |
533 | 89 | BN_MONT_CTX_free(ret); |
534 | 12.1k | else |
535 | 12.1k | *pmont = ret; |
536 | 12.2k | } |
537 | 12.2k | } |
538 | | |
539 | 12.8k | ret = *pmont; |
540 | | |
541 | 12.8k | if (got_write_lock) |
542 | 12.2k | CRYPTO_w_unlock(lock); |
543 | 604 | else |
544 | 604 | CRYPTO_r_unlock(lock); |
545 | | |
546 | 12.8k | return ret; |
547 | 12.8k | } |