1 /* $OpenBSD: bn.h,v 1.39 2019/08/25 19:23:59 schwarze Exp $ */ 2 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the Eric Young open source 118 * license provided above. 119 * 120 * The binary polynomial arithmetic software is originally written by 121 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. 122 * 123 */ 124 125 #ifndef HEADER_BN_H 126 #define HEADER_BN_H 127 128 #include <stdio.h> 129 #include <stdlib.h> 130 131 #include <openssl/opensslconf.h> 132 133 #include <openssl/ossl_typ.h> 134 #include <openssl/crypto.h> 135 #include <openssl/bio.h> 136 137 #ifdef __cplusplus 138 extern "C" { 139 #endif 140 141 /* These preprocessor symbols control various aspects of the bignum headers and 142 * library code. They're not defined by any "normal" configuration, as they are 143 * intended for development and testing purposes. NB: defining all three can be 144 * useful for debugging application code as well as openssl itself. 145 * 146 * BN_DEBUG - turn on various debugging alterations to the bignum code 147 * BN_DEBUG_RAND - uses random poisoning of unused words to trip up 148 * mismanagement of bignum internals. You must also define BN_DEBUG. 149 */ 150 /* #define BN_DEBUG */ 151 /* #define BN_DEBUG_RAND */ 152 153 #ifndef OPENSSL_SMALL_FOOTPRINT 154 #define BN_MUL_COMBA 155 #define BN_SQR_COMBA 156 #define BN_RECURSION 157 #endif 158 159 /* This next option uses the C libraries (2 word)/(1 word) function. 160 * If it is not defined, I use my C version (which is slower). 161 * The reason for this flag is that when the particular C compiler 162 * library routine is used, and the library is linked with a different 163 * compiler, the library is missing. This mostly happens when the 164 * library is built with gcc and then linked using normal cc. This would 165 * be a common occurrence because gcc normally produces code that is 166 * 2 times faster than system compilers for the big number stuff. 167 * For machines with only one compiler (or shared libraries), this should 168 * be on. Again this in only really a problem on machines 169 * using "long long's", are 32bit, and are not using my assembler code. */ 170 /* #define BN_DIV2W */ 171 172 #ifdef _LP64 173 #undef BN_LLONG 174 #define BN_ULONG unsigned long 175 #define BN_LONG long 176 #define BN_BITS 128 177 #define BN_BYTES 8 178 #define BN_BITS2 64 179 #define BN_BITS4 32 180 #define BN_MASK2 (0xffffffffffffffffL) 181 #define BN_MASK2l (0xffffffffL) 182 #define BN_MASK2h (0xffffffff00000000L) 183 #define BN_MASK2h1 (0xffffffff80000000L) 184 #define BN_TBIT (0x8000000000000000L) 185 #define BN_DEC_CONV (10000000000000000000UL) 186 #define BN_DEC_FMT1 "%lu" 187 #define BN_DEC_FMT2 "%019lu" 188 #define BN_DEC_NUM 19 189 #define BN_HEX_FMT1 "%lX" 190 #define BN_HEX_FMT2 "%016lX" 191 #else 192 #define BN_ULLONG unsigned long long 193 #define BN_LLONG 194 #define BN_ULONG unsigned int 195 #define BN_LONG int 196 #define BN_BITS 64 197 #define BN_BYTES 4 198 #define BN_BITS2 32 199 #define BN_BITS4 16 200 #define BN_MASK (0xffffffffffffffffLL) 201 #define BN_MASK2 (0xffffffffL) 202 #define BN_MASK2l (0xffff) 203 #define BN_MASK2h1 (0xffff8000L) 204 #define BN_MASK2h (0xffff0000L) 205 #define BN_TBIT (0x80000000L) 206 #define BN_DEC_CONV (1000000000L) 207 #define BN_DEC_FMT1 "%u" 208 #define BN_DEC_FMT2 "%09u" 209 #define BN_DEC_NUM 9 210 #define BN_HEX_FMT1 "%X" 211 #define BN_HEX_FMT2 "%08X" 212 #endif 213 214 #define BN_FLG_MALLOCED 0x01 215 #define BN_FLG_STATIC_DATA 0x02 216 #define BN_FLG_CONSTTIME 0x04 /* avoid leaking exponent information through timing, 217 * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime, 218 * BN_div() will call BN_div_no_branch, 219 * BN_mod_inverse() will call BN_mod_inverse_no_branch. 220 */ 221 222 #ifndef OPENSSL_NO_DEPRECATED 223 #define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME /* deprecated name for the flag */ 224 /* avoid leaking exponent information through timings 225 * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */ 226 #endif 227 228 #ifndef OPENSSL_NO_DEPRECATED 229 #define BN_FLG_FREE 0x8000 /* used for debuging */ 230 #endif 231 #define BN_set_flags(b,n) ((b)->flags|=(n)) 232 #define BN_get_flags(b,n) ((b)->flags&(n)) 233 234 /* get a clone of a BIGNUM with changed flags, for *temporary* use only 235 * (the two BIGNUMs cannot not be used in parallel!) */ 236 #define BN_with_flags(dest,b,n) ((dest)->d=(b)->d, \ 237 (dest)->top=(b)->top, \ 238 (dest)->dmax=(b)->dmax, \ 239 (dest)->neg=(b)->neg, \ 240 (dest)->flags=(((dest)->flags & BN_FLG_MALLOCED) \ 241 | ((b)->flags & ~BN_FLG_MALLOCED) \ 242 | BN_FLG_STATIC_DATA \ 243 | (n))) 244 245 struct bignum_st { 246 BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit chunks. */ 247 int top; /* Index of last used d +1. */ 248 /* The next are internal book keeping for bn_expand. */ 249 int dmax; /* Size of the d array. */ 250 int neg; /* one if the number is negative */ 251 int flags; 252 }; 253 254 /* Used for montgomery multiplication */ 255 struct bn_mont_ctx_st { 256 int ri; /* number of bits in R */ 257 BIGNUM RR; /* used to convert to montgomery form */ 258 BIGNUM N; /* The modulus */ 259 BIGNUM Ni; /* R*(1/R mod N) - N*Ni = 1 260 * (Ni is only stored for bignum algorithm) */ 261 BN_ULONG n0[2];/* least significant word(s) of Ni; 262 (type changed with 0.9.9, was "BN_ULONG n0;" before) */ 263 int flags; 264 }; 265 266 /* Used for reciprocal division/mod functions 267 * It cannot be shared between threads 268 */ 269 struct bn_recp_ctx_st { 270 BIGNUM N; /* the divisor */ 271 BIGNUM Nr; /* the reciprocal */ 272 int num_bits; 273 int shift; 274 int flags; 275 }; 276 277 /* Used for slow "generation" functions. */ 278 struct bn_gencb_st { 279 unsigned int ver; /* To handle binary (in)compatibility */ 280 void *arg; /* callback-specific data */ 281 union { 282 /* if(ver==1) - handles old style callbacks */ 283 void (*cb_1)(int, int, void *); 284 /* if(ver==2) - new callback style */ 285 int (*cb_2)(int, int, BN_GENCB *); 286 } cb; 287 }; 288 289 BN_GENCB *BN_GENCB_new(void); 290 void BN_GENCB_free(BN_GENCB *cb); 291 void *BN_GENCB_get_arg(BN_GENCB *cb); 292 293 /* Wrapper function to make using BN_GENCB easier, */ 294 int BN_GENCB_call(BN_GENCB *cb, int a, int b); 295 /* Macro to populate a BN_GENCB structure with an "old"-style callback */ 296 #define BN_GENCB_set_old(gencb, callback, cb_arg) { \ 297 BN_GENCB *tmp_gencb = (gencb); \ 298 tmp_gencb->ver = 1; \ 299 tmp_gencb->arg = (cb_arg); \ 300 tmp_gencb->cb.cb_1 = (callback); } 301 /* Macro to populate a BN_GENCB structure with a "new"-style callback */ 302 #define BN_GENCB_set(gencb, callback, cb_arg) { \ 303 BN_GENCB *tmp_gencb = (gencb); \ 304 tmp_gencb->ver = 2; \ 305 tmp_gencb->arg = (cb_arg); \ 306 tmp_gencb->cb.cb_2 = (callback); } 307 308 #define BN_prime_checks 0 /* default: select number of iterations 309 based on the size of the number */ 310 311 /* 312 * BN_prime_checks_for_size() returns the number of Miller-Rabin 313 * iterations that will be done for checking that a random number 314 * is probably prime. The error rate for accepting a composite 315 * number as prime depends on the size of the prime |b|. The error 316 * rates used are for calculating an RSA key with 2 primes, and so 317 * the level is what you would expect for a key of double the size 318 * of the prime. 319 * 320 * This table is generated using the algorithm of FIPS PUB 186-4 321 * Digital Signature Standard (DSS), section F.1, page 117. 322 * (https://dx.doi.org/10.6028/NIST.FIPS.186-4) 323 * 324 * The following magma script was used to generate the output: 325 * securitybits:=125; 326 * k:=1024; 327 * for t:=1 to 65 do 328 * for M:=3 to Floor(2*Sqrt(k-1)-1) do 329 * S:=0; 330 * // Sum over m 331 * for m:=3 to M do 332 * s:=0; 333 * // Sum over j 334 * for j:=2 to m do 335 * s+:=(RealField(32)!2)^-(j+(k-1)/j); 336 * end for; 337 * S+:=2^(m-(m-1)*t)*s; 338 * end for; 339 * A:=2^(k-2-M*t); 340 * B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S; 341 * pkt:=2.00743*Log(2)*k*2^-k*(A+B); 342 * seclevel:=Floor(-Log(2,pkt)); 343 * if seclevel ge securitybits then 344 * printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M; 345 * break; 346 * end if; 347 * end for; 348 * if seclevel ge securitybits then break; end if; 349 * end for; 350 * 351 * It can be run online at: 352 * http://magma.maths.usyd.edu.au/calc 353 * 354 * And will output: 355 * k: 1024, security: 129 bits (t: 6, M: 23) 356 * 357 * k is the number of bits of the prime, securitybits is the level 358 * we want to reach. 359 * 360 * prime length | RSA key size | # MR tests | security level 361 * -------------+--------------|------------+--------------- 362 * (b) >= 6394 | >= 12788 | 3 | 256 bit 363 * (b) >= 3747 | >= 7494 | 3 | 192 bit 364 * (b) >= 1345 | >= 2690 | 4 | 128 bit 365 * (b) >= 1080 | >= 2160 | 5 | 128 bit 366 * (b) >= 852 | >= 1704 | 5 | 112 bit 367 * (b) >= 476 | >= 952 | 5 | 80 bit 368 * (b) >= 400 | >= 800 | 6 | 80 bit 369 * (b) >= 347 | >= 694 | 7 | 80 bit 370 * (b) >= 308 | >= 616 | 8 | 80 bit 371 * (b) >= 55 | >= 110 | 27 | 64 bit 372 * (b) >= 6 | >= 12 | 34 | 64 bit 373 */ 374 375 #define BN_prime_checks_for_size(b) ((b) >= 3747 ? 3 : \ 376 (b) >= 1345 ? 4 : \ 377 (b) >= 476 ? 5 : \ 378 (b) >= 400 ? 6 : \ 379 (b) >= 347 ? 7 : \ 380 (b) >= 308 ? 8 : \ 381 (b) >= 55 ? 27 : \ 382 /* b >= 6 */ 34) 383 384 #define BN_num_bytes(a) ((BN_num_bits(a)+7)/8) 385 386 /* Note that BN_abs_is_word didn't work reliably for w == 0 until 0.9.8 */ 387 #define BN_abs_is_word(a,w) ((((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w))) || \ 388 (((w) == 0) && ((a)->top == 0))) 389 #define BN_is_zero(a) ((a)->top == 0) 390 #define BN_is_one(a) (BN_abs_is_word((a),1) && !(a)->neg) 391 #define BN_is_word(a,w) (BN_abs_is_word((a),(w)) && (!(w) || !(a)->neg)) 392 #define BN_is_odd(a) (((a)->top > 0) && ((a)->d[0] & 1)) 393 394 #define BN_one(a) (BN_set_word((a),1)) 395 #define BN_zero_ex(a) \ 396 do { \ 397 BIGNUM *_tmp_bn = (a); \ 398 _tmp_bn->top = 0; \ 399 _tmp_bn->neg = 0; \ 400 } while(0) 401 402 #ifdef OPENSSL_NO_DEPRECATED 403 #define BN_zero(a) BN_zero_ex(a) 404 #else 405 #define BN_zero(a) (BN_set_word((a),0)) 406 #endif 407 408 const BIGNUM *BN_value_one(void); 409 char * BN_options(void); 410 BN_CTX *BN_CTX_new(void); 411 #ifndef OPENSSL_NO_DEPRECATED 412 void BN_CTX_init(BN_CTX *c); 413 #endif 414 void BN_CTX_free(BN_CTX *c); 415 void BN_CTX_start(BN_CTX *ctx); 416 BIGNUM *BN_CTX_get(BN_CTX *ctx); 417 void BN_CTX_end(BN_CTX *ctx); 418 int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); 419 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); 420 int BN_rand_range(BIGNUM *rnd, const BIGNUM *range); 421 int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range); 422 int BN_num_bits(const BIGNUM *a); 423 int BN_num_bits_word(BN_ULONG); 424 BIGNUM *BN_new(void); 425 void BN_init(BIGNUM *); 426 void BN_clear_free(BIGNUM *a); 427 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b); 428 void BN_swap(BIGNUM *a, BIGNUM *b); 429 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret); 430 int BN_bn2bin(const BIGNUM *a, unsigned char *to); 431 BIGNUM *BN_mpi2bn(const unsigned char *s, int len, BIGNUM *ret); 432 int BN_bn2mpi(const BIGNUM *a, unsigned char *to); 433 int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); 434 int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); 435 int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); 436 int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); 437 int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); 438 int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); 439 /** BN_set_negative sets sign of a BIGNUM 440 * \param b pointer to the BIGNUM object 441 * \param n 0 if the BIGNUM b should be positive and a value != 0 otherwise 442 */ 443 void BN_set_negative(BIGNUM *b, int n); 444 /** BN_is_negative returns 1 if the BIGNUM is negative 445 * \param a pointer to the BIGNUM object 446 * \return 1 if a < 0 and 0 otherwise 447 */ 448 #define BN_is_negative(a) ((a)->neg != 0) 449 450 #ifndef LIBRESSL_INTERNAL 451 int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, 452 BN_CTX *ctx); 453 #define BN_mod(rem,m,d,ctx) BN_div(NULL,(rem),(m),(d),(ctx)) 454 #endif 455 int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx); 456 int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); 457 int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m); 458 int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); 459 int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m); 460 int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, 461 const BIGNUM *m, BN_CTX *ctx); 462 int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); 463 int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); 464 int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m); 465 int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx); 466 int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m); 467 468 BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w); 469 BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w); 470 int BN_mul_word(BIGNUM *a, BN_ULONG w); 471 int BN_add_word(BIGNUM *a, BN_ULONG w); 472 int BN_sub_word(BIGNUM *a, BN_ULONG w); 473 int BN_set_word(BIGNUM *a, BN_ULONG w); 474 BN_ULONG BN_get_word(const BIGNUM *a); 475 476 int BN_cmp(const BIGNUM *a, const BIGNUM *b); 477 void BN_free(BIGNUM *a); 478 int BN_is_bit_set(const BIGNUM *a, int n); 479 int BN_lshift(BIGNUM *r, const BIGNUM *a, int n); 480 int BN_lshift1(BIGNUM *r, const BIGNUM *a); 481 int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); 482 483 #ifndef LIBRESSL_INTERNAL 484 int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 485 const BIGNUM *m, BN_CTX *ctx); 486 int BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 487 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); 488 #endif 489 int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, 490 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont); 491 int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p, 492 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); 493 int BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1, 494 const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m, 495 BN_CTX *ctx, BN_MONT_CTX *m_ctx); 496 int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 497 const BIGNUM *m, BN_CTX *ctx); 498 499 int BN_mask_bits(BIGNUM *a, int n); 500 int BN_print_fp(FILE *fp, const BIGNUM *a); 501 int BN_print(BIO *fp, const BIGNUM *a); 502 int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx); 503 int BN_rshift(BIGNUM *r, const BIGNUM *a, int n); 504 int BN_rshift1(BIGNUM *r, const BIGNUM *a); 505 void BN_clear(BIGNUM *a); 506 BIGNUM *BN_dup(const BIGNUM *a); 507 int BN_ucmp(const BIGNUM *a, const BIGNUM *b); 508 int BN_set_bit(BIGNUM *a, int n); 509 int BN_clear_bit(BIGNUM *a, int n); 510 char * BN_bn2hex(const BIGNUM *a); 511 char * BN_bn2dec(const BIGNUM *a); 512 int BN_hex2bn(BIGNUM **a, const char *str); 513 int BN_dec2bn(BIGNUM **a, const char *str); 514 int BN_asc2bn(BIGNUM **a, const char *str); 515 #ifndef LIBRESSL_INTERNAL 516 int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); 517 #endif 518 int BN_kronecker(const BIGNUM *a,const BIGNUM *b,BN_CTX *ctx); /* returns -2 for error */ 519 #ifndef LIBRESSL_INTERNAL 520 BIGNUM *BN_mod_inverse(BIGNUM *ret, 521 const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); 522 #endif 523 BIGNUM *BN_mod_sqrt(BIGNUM *ret, 524 const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); 525 526 void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords); 527 528 /* Deprecated versions */ 529 #ifndef OPENSSL_NO_DEPRECATED 530 BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, 531 const BIGNUM *add, const BIGNUM *rem, 532 void (*callback)(int, int, void *), void *cb_arg); 533 int BN_is_prime(const BIGNUM *p, int nchecks, 534 void (*callback)(int, int, void *), 535 BN_CTX *ctx, void *cb_arg); 536 int BN_is_prime_fasttest(const BIGNUM *p, int nchecks, 537 void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg, 538 int do_trial_division); 539 #endif /* !defined(OPENSSL_NO_DEPRECATED) */ 540 541 /* Newer versions */ 542 int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, 543 const BIGNUM *rem, BN_GENCB *cb); 544 int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb); 545 int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, 546 int do_trial_division, BN_GENCB *cb); 547 548 int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx); 549 550 int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, 551 const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2, 552 const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb); 553 int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, 554 BIGNUM *Xp1, BIGNUM *Xp2, 555 const BIGNUM *Xp, 556 const BIGNUM *e, BN_CTX *ctx, 557 BN_GENCB *cb); 558 559 BN_MONT_CTX *BN_MONT_CTX_new(void ); 560 void BN_MONT_CTX_init(BN_MONT_CTX *ctx); 561 int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, 562 BN_MONT_CTX *mont, BN_CTX *ctx); 563 #define BN_to_montgomery(r,a,mont,ctx) BN_mod_mul_montgomery(\ 564 (r),(a),&((mont)->RR),(mont),(ctx)) 565 int BN_from_montgomery(BIGNUM *r, const BIGNUM *a, 566 BN_MONT_CTX *mont, BN_CTX *ctx); 567 void BN_MONT_CTX_free(BN_MONT_CTX *mont); 568 int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx); 569 BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from); 570 BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, 571 const BIGNUM *mod, BN_CTX *ctx); 572 573 /* BN_BLINDING flags */ 574 #define BN_BLINDING_NO_UPDATE 0x00000001 575 #define BN_BLINDING_NO_RECREATE 0x00000002 576 577 BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod); 578 void BN_BLINDING_free(BN_BLINDING *b); 579 int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx); 580 int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); 581 int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); 582 int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *); 583 int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *); 584 #ifndef OPENSSL_NO_DEPRECATED 585 unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); 586 void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); 587 #endif 588 CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *); 589 unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); 590 void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); 591 BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, 592 const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, 593 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 594 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), 595 BN_MONT_CTX *m_ctx); 596 597 #ifndef OPENSSL_NO_DEPRECATED 598 void BN_set_params(int mul, int high, int low, int mont); 599 int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */ 600 #endif 601 602 void BN_RECP_CTX_init(BN_RECP_CTX *recp); 603 BN_RECP_CTX *BN_RECP_CTX_new(void); 604 void BN_RECP_CTX_free(BN_RECP_CTX *recp); 605 int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *rdiv, BN_CTX *ctx); 606 int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y, 607 BN_RECP_CTX *recp, BN_CTX *ctx); 608 int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 609 const BIGNUM *m, BN_CTX *ctx); 610 int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, 611 BN_RECP_CTX *recp, BN_CTX *ctx); 612 613 #ifndef OPENSSL_NO_EC2M 614 615 /* Functions for arithmetic over binary polynomials represented by BIGNUMs. 616 * 617 * The BIGNUM::neg property of BIGNUMs representing binary polynomials is 618 * ignored. 619 * 620 * Note that input arguments are not const so that their bit arrays can 621 * be expanded to the appropriate size if needed. 622 */ 623 624 int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); /*r = a + b*/ 625 #define BN_GF2m_sub(r, a, b) BN_GF2m_add(r, a, b) 626 int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p); /*r=a mod p*/ 627 int 628 BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, 629 const BIGNUM *p, BN_CTX *ctx); /* r = (a * b) mod p */ 630 int 631 BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 632 BN_CTX *ctx); /* r = (a * a) mod p */ 633 int 634 BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *b, const BIGNUM *p, 635 BN_CTX *ctx); /* r = (1 / b) mod p */ 636 int 637 BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, 638 const BIGNUM *p, BN_CTX *ctx); /* r = (a / b) mod p */ 639 int 640 BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, 641 const BIGNUM *p, BN_CTX *ctx); /* r = (a ^ b) mod p */ 642 int 643 BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 644 BN_CTX *ctx); /* r = sqrt(a) mod p */ 645 int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 646 BN_CTX *ctx); /* r^2 + r = a mod p */ 647 #define BN_GF2m_cmp(a, b) BN_ucmp((a), (b)) 648 /* Some functions allow for representation of the irreducible polynomials 649 * as an unsigned int[], say p. The irreducible f(t) is then of the form: 650 * t^p[0] + t^p[1] + ... + t^p[k] 651 * where m = p[0] > p[1] > ... > p[k] = 0. 652 */ 653 int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[]); 654 /* r = a mod p */ 655 int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, 656 const int p[], BN_CTX *ctx); /* r = (a * b) mod p */ 657 int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[], 658 BN_CTX *ctx); /* r = (a * a) mod p */ 659 int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *b, const int p[], 660 BN_CTX *ctx); /* r = (1 / b) mod p */ 661 int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, 662 const int p[], BN_CTX *ctx); /* r = (a / b) mod p */ 663 int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, 664 const int p[], BN_CTX *ctx); /* r = (a ^ b) mod p */ 665 int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, 666 const int p[], BN_CTX *ctx); /* r = sqrt(a) mod p */ 667 int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a, 668 const int p[], BN_CTX *ctx); /* r^2 + r = a mod p */ 669 int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max); 670 int BN_GF2m_arr2poly(const int p[], BIGNUM *a); 671 672 #endif 673 674 /* faster mod functions for the 'NIST primes' 675 * 0 <= a < p^2 */ 676 int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); 677 int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); 678 int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); 679 int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); 680 int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); 681 682 const BIGNUM *BN_get0_nist_prime_192(void); 683 const BIGNUM *BN_get0_nist_prime_224(void); 684 const BIGNUM *BN_get0_nist_prime_256(void); 685 const BIGNUM *BN_get0_nist_prime_384(void); 686 const BIGNUM *BN_get0_nist_prime_521(void); 687 688 /* Primes from RFC 2409 */ 689 BIGNUM *get_rfc2409_prime_768(BIGNUM *bn); 690 BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn); 691 BIGNUM *BN_get_rfc2409_prime_768(BIGNUM *bn); 692 BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM *bn); 693 694 /* Primes from RFC 3526 */ 695 BIGNUM *get_rfc3526_prime_1536(BIGNUM *bn); 696 BIGNUM *get_rfc3526_prime_2048(BIGNUM *bn); 697 BIGNUM *get_rfc3526_prime_3072(BIGNUM *bn); 698 BIGNUM *get_rfc3526_prime_4096(BIGNUM *bn); 699 BIGNUM *get_rfc3526_prime_6144(BIGNUM *bn); 700 BIGNUM *get_rfc3526_prime_8192(BIGNUM *bn); 701 BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn); 702 BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn); 703 BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn); 704 BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn); 705 BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn); 706 BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn); 707 708 /* BEGIN ERROR CODES */ 709 /* The following lines are auto generated by the script mkerr.pl. Any changes 710 * made after this point may be overwritten when the script is next run. 711 */ 712 void ERR_load_BN_strings(void); 713 714 /* Error codes for the BN functions. */ 715 716 /* Function codes. */ 717 #define BN_F_BNRAND 127 718 #define BN_F_BN_BLINDING_CONVERT_EX 100 719 #define BN_F_BN_BLINDING_CREATE_PARAM 128 720 #define BN_F_BN_BLINDING_INVERT_EX 101 721 #define BN_F_BN_BLINDING_NEW 102 722 #define BN_F_BN_BLINDING_UPDATE 103 723 #define BN_F_BN_BN2DEC 104 724 #define BN_F_BN_BN2HEX 105 725 #define BN_F_BN_CTX_GET 116 726 #define BN_F_BN_CTX_NEW 106 727 #define BN_F_BN_CTX_START 129 728 #define BN_F_BN_DIV 107 729 #define BN_F_BN_DIV_NO_BRANCH 138 730 #define BN_F_BN_DIV_RECP 130 731 #define BN_F_BN_EXP 123 732 #define BN_F_BN_EXPAND2 108 733 #define BN_F_BN_GENERATE_PRIME_EX 140 734 #define BN_F_BN_EXPAND_INTERNAL 120 735 #define BN_F_BN_GF2M_MOD 131 736 #define BN_F_BN_GF2M_MOD_EXP 132 737 #define BN_F_BN_GF2M_MOD_MUL 133 738 #define BN_F_BN_GF2M_MOD_SOLVE_QUAD 134 739 #define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR 135 740 #define BN_F_BN_GF2M_MOD_SQR 136 741 #define BN_F_BN_GF2M_MOD_SQRT 137 742 #define BN_F_BN_MOD_EXP2_MONT 118 743 #define BN_F_BN_MOD_EXP_MONT 109 744 #define BN_F_BN_MOD_EXP_MONT_CONSTTIME 124 745 #define BN_F_BN_MOD_EXP_MONT_WORD 117 746 #define BN_F_BN_MOD_EXP_RECP 125 747 #define BN_F_BN_MOD_EXP_SIMPLE 126 748 #define BN_F_BN_MOD_INVERSE 110 749 #define BN_F_BN_MOD_INVERSE_NO_BRANCH 139 750 #define BN_F_BN_MOD_LSHIFT_QUICK 119 751 #define BN_F_BN_MOD_MUL_RECIPROCAL 111 752 #define BN_F_BN_MOD_SQRT 121 753 #define BN_F_BN_MPI2BN 112 754 #define BN_F_BN_NEW 113 755 #define BN_F_BN_RAND 114 756 #define BN_F_BN_RAND_RANGE 122 757 #define BN_F_BN_USUB 115 758 759 /* Reason codes. */ 760 #define BN_R_ARG2_LT_ARG3 100 761 #define BN_R_BAD_RECIPROCAL 101 762 #define BN_R_BIGNUM_TOO_LONG 114 763 #define BN_R_BITS_TOO_SMALL 117 764 #define BN_R_CALLED_WITH_EVEN_MODULUS 102 765 #define BN_R_DIV_BY_ZERO 103 766 #define BN_R_ENCODING_ERROR 104 767 #define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105 768 #define BN_R_INPUT_NOT_REDUCED 110 769 #define BN_R_INVALID_LENGTH 106 770 #define BN_R_INVALID_RANGE 115 771 #define BN_R_NOT_A_SQUARE 111 772 #define BN_R_NOT_INITIALIZED 107 773 #define BN_R_NO_INVERSE 108 774 #define BN_R_NO_SOLUTION 116 775 #define BN_R_P_IS_NOT_PRIME 112 776 #define BN_R_TOO_MANY_ITERATIONS 113 777 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109 778 779 #ifdef __cplusplus 780 } 781 #endif 782 #endif 783