libcrypto/bn/bn_recp.c

*b4a69cdbStb/* $OpenBSD: bn_recp.c,v 1.30 2025/01/22 12:53:16 tb Exp $ */
5b37fcf3Sryker/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5b37fcf3Sryker * All rights reserved.
5b37fcf3Sryker *
5b37fcf3Sryker * This package is an SSL implementation written
5b37fcf3Sryker * by Eric Young (eay@cryptsoft.com).
5b37fcf3Sryker * The implementation was written so as to conform with Netscapes SSL.
5b37fcf3Sryker *
5b37fcf3Sryker * This library is free for commercial and non-commercial use as long as
5b37fcf3Sryker * the following conditions are aheared to.  The following conditions
5b37fcf3Sryker * apply to all code found in this distribution, be it the RC4, RSA,
5b37fcf3Sryker * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
5b37fcf3Sryker * included with this distribution is covered by the same copyright terms
5b37fcf3Sryker * except that the holder is Tim Hudson (tjh@cryptsoft.com).
5b37fcf3Sryker *
5b37fcf3Sryker * Copyright remains Eric Young's, and as such any Copyright notices in
5b37fcf3Sryker * the code are not to be removed.
5b37fcf3Sryker * If this package is used in a product, Eric Young should be given attribution
5b37fcf3Sryker * as the author of the parts of the library used.
5b37fcf3Sryker * This can be in the form of a textual message at program startup or
5b37fcf3Sryker * in documentation (online or textual) provided with the package.
5b37fcf3Sryker *
5b37fcf3Sryker * Redistribution and use in source and binary forms, with or without
5b37fcf3Sryker * modification, are permitted provided that the following conditions
5b37fcf3Sryker * are met:
5b37fcf3Sryker * 1. Redistributions of source code must retain the copyright
5b37fcf3Sryker *    notice, this list of conditions and the following disclaimer.
5b37fcf3Sryker * 2. Redistributions in binary form must reproduce the above copyright
5b37fcf3Sryker *    notice, this list of conditions and the following disclaimer in the
5b37fcf3Sryker *    documentation and/or other materials provided with the distribution.
5b37fcf3Sryker * 3. All advertising materials mentioning features or use of this software
5b37fcf3Sryker *    must display the following acknowledgement:
5b37fcf3Sryker *    "This product includes cryptographic software written by
5b37fcf3Sryker *     Eric Young (eay@cryptsoft.com)"
5b37fcf3Sryker *    The word 'cryptographic' can be left out if the rouines from the library
5b37fcf3Sryker *    being used are not cryptographic related :-).
5b37fcf3Sryker * 4. If you include any Windows specific code (or a derivative thereof) from
5b37fcf3Sryker *    the apps directory (application code) you must include an acknowledgement:
5b37fcf3Sryker *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
5b37fcf3Sryker *
5b37fcf3Sryker * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
5b37fcf3Sryker * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
5b37fcf3Sryker * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
5b37fcf3Sryker * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
5b37fcf3Sryker * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
5b37fcf3Sryker * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
5b37fcf3Sryker * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
5b37fcf3Sryker * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
5b37fcf3Sryker * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
5b37fcf3Sryker * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
5b37fcf3Sryker * SUCH DAMAGE.
5b37fcf3Sryker *
5b37fcf3Sryker * The licence and distribution terms for any publically available version or
5b37fcf3Sryker * derivative of this code cannot be changed.  i.e. this code cannot simply be
5b37fcf3Sryker * copied and put under another distribution licence
5b37fcf3Sryker * [including the GNU Public Licence.]
5b37fcf3Sryker */
5b37fcf3Sryker
5b37fcf3Sryker#include <stdio.h>
b6ab114eSjsing
b6ab114eSjsing#include <openssl/err.h>
b6ab114eSjsing
c9675a23Stb#include "bn_local.h"
5b37fcf3Sryker
05328004Stbstruct bn_recp_ctx_st {
05328004Stb	BIGNUM *N;	/* the divisor */
05328004Stb	BIGNUM *Nr;	/* the reciprocal 2^shift / N */
05328004Stb	int num_bits;	/* number of bits in N */
05328004Stb	int shift;
05328004Stb} /* BN_RECP_CTX */;
5b37fcf3Sryker
2bd9bb84SjsingBN_RECP_CTX *
05328004StbBN_RECP_CTX_create(const BIGNUM *N)
913ec974Sbeck{
05328004Stb	BN_RECP_CTX *recp;
5b37fcf3Sryker
05328004Stb	if ((recp = calloc(1, sizeof(*recp))) == NULL)
05328004Stb		goto err;
05328004Stb
05328004Stb	if ((recp->N = BN_dup(N)) == NULL)
05328004Stb		goto err;
*b4a69cdbStb	BN_set_negative(recp->N, 0);
05328004Stb	recp->num_bits = BN_num_bits(recp->N);
05328004Stb
05328004Stb	if ((recp->Nr = BN_new()) == NULL)
05328004Stb		goto err;
05328004Stb
05328004Stb	return recp;
05328004Stb
05328004Stb err:
05328004Stb	BN_RECP_CTX_free(recp);
05328004Stb
59c697bfStb	return NULL;
913ec974Sbeck}
913ec974Sbeck
2bd9bb84Sjsingvoid
2bd9bb84SjsingBN_RECP_CTX_free(BN_RECP_CTX *recp)
913ec974Sbeck{
913ec974Sbeck	if (recp == NULL)
913ec974Sbeck		return;
913ec974Sbeck
05328004Stb	BN_free(recp->N);
05328004Stb	BN_free(recp->Nr);
05328004Stb	freezero(recp, sizeof(*recp));
913ec974Sbeck}
913ec974Sbeck
abfe84ecStb/* len is the expected size of the result
abfe84ecStb * We actually calculate with an extra word of precision, so
abfe84ecStb * we can do faster division if the remainder is not required.
abfe84ecStb */
abfe84ecStb/* r := 2^len / m */
abfe84ecStbstatic int
abfe84ecStbBN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx)
913ec974Sbeck{
abfe84ecStb	int ret = -1;
abfe84ecStb	BIGNUM *t;
913ec974Sbeck
ba5406e9Sbeck	BN_CTX_start(ctx);
abfe84ecStb	if ((t = BN_CTX_get(ctx)) == NULL)
2bd9bb84Sjsing		goto err;
913ec974Sbeck
abfe84ecStb	if (!BN_set_bit(t, len))
abfe84ecStb		goto err;
abfe84ecStb
abfe84ecStb	if (!BN_div_ct(r, NULL, t, m, ctx))
abfe84ecStb		goto err;
abfe84ecStb
abfe84ecStb	ret = len;
2bd9bb84Sjsing
913ec974Sbeckerr:
ba5406e9Sbeck	BN_CTX_end(ctx);
59c697bfStb	return ret;
913ec974Sbeck}
913ec974Sbeck
9d6e4a9aStbint
47537ea9StbBN_div_reciprocal(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, BN_RECP_CTX *recp,
2bd9bb84Sjsing    BN_CTX *ctx)
913ec974Sbeck{
ba5406e9Sbeck	int i, j, ret = 0;
913ec974Sbeck	BIGNUM *a, *b, *d, *r;
913ec974Sbeck
ba5406e9Sbeck	BN_CTX_start(ctx);
ba5406e9Sbeck	a = BN_CTX_get(ctx);
ba5406e9Sbeck	b = BN_CTX_get(ctx);
913ec974Sbeck	if (dv != NULL)
913ec974Sbeck		d = dv;
913ec974Sbeck	else
ba5406e9Sbeck		d = BN_CTX_get(ctx);
913ec974Sbeck	if (rem != NULL)
913ec974Sbeck		r = rem;
913ec974Sbeck	else
ba5406e9Sbeck		r = BN_CTX_get(ctx);
2bd9bb84Sjsing	if (a == NULL || b == NULL || d == NULL || r == NULL)
2bd9bb84Sjsing		goto err;
913ec974Sbeck
05328004Stb	if (BN_ucmp(m, recp->N) < 0) {
4fcf65c5Sdjm		BN_zero(d);
cef8f41dStb		if (!bn_copy(r, m)) {
4c1eb2ebSdoug			BN_CTX_end(ctx);
2bd9bb84Sjsing			return 0;
4c1eb2ebSdoug		}
ba5406e9Sbeck		BN_CTX_end(ctx);
59c697bfStb		return 1;
913ec974Sbeck	}
913ec974Sbeck
913ec974Sbeck	/* We want the remainder
913ec974Sbeck	 * Given input of ABCDEF / ab
913ec974Sbeck	 * we need multiply ABCDEF by 3 digests of the reciprocal of ab
913ec974Sbeck	 *
913ec974Sbeck	 */
913ec974Sbeck
da347917Sbeck	/* i := max(BN_num_bits(m), 2*BN_num_bits(N)) */
da347917Sbeck	i = BN_num_bits(m);
ba5406e9Sbeck	j = recp->num_bits << 1;
2bd9bb84Sjsing	if (j > i)
2bd9bb84Sjsing		i = j;
913ec974Sbeck
da347917Sbeck	/* Nr := round(2^i / N) */
913ec974Sbeck	if (i != recp->shift)
05328004Stb		recp->shift = BN_reciprocal(recp->Nr, recp->N, i, ctx);
bb2f0c56Sdoug
bb2f0c56Sdoug	/* BN_reciprocal returns i, or -1 for an error */
2bd9bb84Sjsing	if (recp->shift == -1)
2bd9bb84Sjsing		goto err;
913ec974Sbeck
da347917Sbeck	/* d := |round(round(m / 2^BN_num_bits(N)) * recp->Nr / 2^(i - BN_num_bits(N)))|
da347917Sbeck	 *    = |round(round(m / 2^BN_num_bits(N)) * round(2^i / N) / 2^(i - BN_num_bits(N)))|
da347917Sbeck	 *   <= |(m / 2^BN_num_bits(N)) * (2^i / N) * (2^BN_num_bits(N) / 2^i)|
da347917Sbeck	 *    = |m/N|
da347917Sbeck	 */
2bd9bb84Sjsing	if (!BN_rshift(a, m, recp->num_bits))
2bd9bb84Sjsing		goto err;
05328004Stb	if (!BN_mul(b, a, recp->Nr, ctx))
2bd9bb84Sjsing		goto err;
2bd9bb84Sjsing	if (!BN_rshift(d, b, i - recp->num_bits))
2bd9bb84Sjsing		goto err;
913ec974Sbeck	d->neg = 0;
da347917Sbeck
05328004Stb	if (!BN_mul(b, recp->N, d, ctx))
2bd9bb84Sjsing		goto err;
2bd9bb84Sjsing	if (!BN_usub(r, m, b))
2bd9bb84Sjsing		goto err;
913ec974Sbeck	r->neg = 0;
913ec974Sbeck
913ec974Sbeck#if 1
ba5406e9Sbeck	j = 0;
05328004Stb	while (BN_ucmp(r, recp->N) >= 0) {
2bd9bb84Sjsing		if (j++ > 2) {
5067ae9fSbeck			BNerror(BN_R_BAD_RECIPROCAL);
5b37fcf3Sryker			goto err;
5b37fcf3Sryker		}
05328004Stb		if (!BN_usub(r, r, recp->N))
2bd9bb84Sjsing			goto err;
2bd9bb84Sjsing		if (!BN_add_word(d, 1))
2bd9bb84Sjsing			goto err;
5b37fcf3Sryker	}
913ec974Sbeck#endif
5b37fcf3Sryker
896da13fSjsing	BN_set_negative(r, m->neg);
05328004Stb	BN_set_negative(d, m->neg ^ recp->N->neg);
896da13fSjsing
5b37fcf3Sryker	ret = 1;
2bd9bb84Sjsing
5b37fcf3Srykererr:
ba5406e9Sbeck	BN_CTX_end(ctx);
59c697bfStb	return ret;
5b37fcf3Sryker}
5b37fcf3Sryker
e9711763Stb/* Compute r = (x * y) % m. */
2bd9bb84Sjsingint
abfe84ecStbBN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
abfe84ecStb    BN_RECP_CTX *recp, BN_CTX *ctx)
5b37fcf3Sryker{
02fba168Stb	if (!BN_mul(r, x, y, ctx))
02fba168Stb		return 0;
5b37fcf3Sryker
47537ea9Stb	return BN_div_reciprocal(NULL, r, r, recp, ctx);
abfe84ecStb}
da347917Sbeck
02fba168Stb/* Compute r = x^2 % m. */
02fba168Stbint
02fba168StbBN_mod_sqr_reciprocal(BIGNUM *r, const BIGNUM *x, BN_RECP_CTX *recp, BN_CTX *ctx)
02fba168Stb{
02fba168Stb	if (!BN_sqr(r, x, ctx))
02fba168Stb		return 0;
2bd9bb84Sjsing
47537ea9Stb	return BN_div_reciprocal(NULL, r, r, recp, ctx);
5b37fcf3Sryker}