1 /* crypto/bn/bn_exp.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
114 #include "cryptlib.h"
119 # include <security_utilities/simulatecrash_assert.h>
124 #define TABLE_SIZE 32
127 int BN_mod_mul(BIGNUM
*ret
, BIGNUM
*a
, BIGNUM
*b
, const BIGNUM
*m
, BN_CTX
*ctx
)
137 if ((t
= BN_CTX_get(ctx
)) == NULL
) goto err
;
139 { if (!BN_sqr(t
,a
,ctx
)) goto err
; }
141 { if (!BN_mul(t
,a
,b
,ctx
)) goto err
; }
142 if (!BN_mod(ret
,t
,m
,ctx
)) goto err
;
150 /* this one works - simple but works */
151 int BN_exp(BIGNUM
*r
, BIGNUM
*a
, BIGNUM
*p
, BN_CTX
*ctx
)
157 if ((r
== a
) || (r
== p
))
158 rr
= BN_CTX_get(ctx
);
161 if ((v
= BN_CTX_get(ctx
)) == NULL
) goto err
;
163 if (BN_copy(v
,a
) == NULL
) goto err
;
167 { if (BN_copy(rr
,a
) == NULL
) goto err
; }
168 else { if (!BN_one(rr
)) goto err
; }
170 for (i
=1; i
<bits
; i
++)
172 if (!BN_sqr(v
,v
,ctx
)) goto err
;
173 if (BN_is_bit_set(p
,i
))
175 if (!BN_mul(rr
,rr
,v
,ctx
)) goto err
;
180 if (r
!= rr
) BN_copy(r
,rr
);
189 * This routine will dynamically check for the existance of an Atalla AXL-200
190 * SSL accelerator module. If one is found, the variable
191 * asi_accelerator_present is set to 1 and the function pointers
192 * ptr_ASI_xxxxxx above will be initialized to corresponding ASI API calls.
194 typedef int tfnASI_GetPerformanceStatistics(int reset_flag
,
195 unsigned int *ret_buf
);
196 typedef int tfnASI_GetHardwareConfig(long card_num
, unsigned int *ret_buf
);
197 typedef int tfnASI_RSAPrivateKeyOpFn(RSAPrivateKey
* rsaKey
,
198 unsigned char *output
,
199 unsigned char *input
,
200 unsigned int modulus_len
);
202 static tfnASI_GetHardwareConfig
*ptr_ASI_GetHardwareConfig
;
203 static tfnASI_RSAPrivateKeyOpFn
*ptr_ASI_RSAPrivateKeyOpFn
;
204 static tfnASI_GetPerformanceStatistics
*ptr_ASI_GetPerformanceStatistics
;
205 static int asi_accelerator_present
;
206 static int tried_atalla
;
208 void atalla_initialize_accelerator_handle(void)
212 unsigned int config_buf
[1024];
220 bzero((void *)config_buf
, 1024);
223 * Check to see if the library is present on the system
225 dl_handle
= dlopen("atasi.so", RTLD_NOW
);
226 if (dl_handle
== (void *) NULL
)
228 /* printf("atasi.so library is not present on the system\n");
229 printf("No HW acceleration available\n");*/
234 * The library is present. Now we'll check to insure that the
235 * LDM is up and running. First we'll get the address of the
236 * function in the atasi library that we need to see if the
240 ptr_ASI_GetHardwareConfig
=
241 (tfnASI_GetHardwareConfig
*)dlsym(dl_handle
,"ASI_GetHardwareConfig");
243 if (ptr_ASI_GetHardwareConfig
)
246 * We found the call, now we'll get our config
247 * status. If we get a non 0 result, the LDM is not
248 * running and we cannot use the Atalla ASI *
251 status
= (*ptr_ASI_GetHardwareConfig
)(0L, config_buf
);
254 printf("atasi.so library is present but not initialized\n");
255 printf("No HW acceleration available\n");
261 /* printf("We found the library, but not the function. Very Strange!\n");*/
266 * It looks like we have acceleration capabilities. Load up the
267 * pointers to our ASI API calls.
269 ptr_ASI_RSAPrivateKeyOpFn
=
270 (tfnASI_RSAPrivateKeyOpFn
*)dlsym(dl_handle
, "ASI_RSAPrivateKeyOpFn");
271 if (ptr_ASI_RSAPrivateKeyOpFn
== NULL
)
273 /* printf("We found the library, but no RSA function. Very Strange!\n");*/
277 ptr_ASI_GetPerformanceStatistics
=
278 (tfnASI_GetPerformanceStatistics
*)dlsym(dl_handle
, "ASI_GetPerformanceStatistics");
279 if (ptr_ASI_GetPerformanceStatistics
== NULL
)
281 /* printf("We found the library, but no stat function. Very Strange!\n");*/
286 * Indicate that acceleration is available
288 asi_accelerator_present
= 1;
290 /* printf("This system has acceleration!\n");*/
295 /* make sure this only gets called once when bn_mod_exp calls bn_mod_exp_mont */
296 int BN_mod_exp_atalla(BIGNUM
*r
, BIGNUM
*a
, const BIGNUM
*p
, const BIGNUM
*m
)
303 RSAPrivateKey keydata
;
305 atalla_initialize_accelerator_handle();
306 if(!asi_accelerator_present
)
310 /* We should be able to run without size testing */
316 if(an
<= ASIZE
&& pn
<= ASIZE
&& mn
<= ASIZE
)
322 memset(abin
,'\0',mn
);
323 BN_bn2bin(a
,abin
+size
-an
);
329 memset(mbin
,'\0',mn
);
330 BN_bn2bin(m
,mbin
+size
-mn
);
334 memset(&keydata
,'\0',sizeof keydata
);
335 keydata
.privateExponent
.data
=pbin
;
336 keydata
.privateExponent
.len
=pn
;
337 keydata
.modulus
.data
=mbin
;
338 keydata
.modulus
.len
=size
;
340 ret
=(*ptr_ASI_RSAPrivateKeyOpFn
)(&keydata
,rbin
,abin
,keydata
.modulus
.len
);
341 /*fprintf(stderr,"!%s\n",BN_bn2hex(a));*/
344 BN_bin2bn(rbin
,keydata
.modulus
.len
,r
);
345 /*fprintf(stderr,"?%s\n",BN_bn2hex(r));*/
351 #endif /* def ATALLA */
354 int BN_mod_exp(BIGNUM
*r
, BIGNUM
*a
, const BIGNUM
*p
, const BIGNUM
*m
,
364 if(BN_mod_exp_atalla(r
,a
,p
,m
))
366 /* If it fails, try the other methods (but don't try atalla again) */
371 /* I have finally been able to take out this pre-condition of
372 * the top bit being set. It was caused by an error in BN_div
373 * with negatives. There was also another problem when for a^b%m
374 * a >= m. eay 07-May-97 */
375 /* if ((m->d[m->top-1]&BN_TBIT) && BN_is_odd(m)) */
381 BN_ULONG A
= a
->d
[0];
382 ret
=BN_mod_exp_mont_word(r
,A
,p
,m
,ctx
,NULL
);
385 ret
=BN_mod_exp_mont(r
,a
,p
,m
,ctx
,NULL
);
390 { ret
=BN_mod_exp_recp(r
,a
,p
,m
,ctx
); }
392 { ret
=BN_mod_exp_simple(r
,a
,p
,m
,ctx
); }
403 int BN_mod_exp_recp(BIGNUM
*r
, const BIGNUM
*a
, const BIGNUM
*p
,
404 const BIGNUM
*m
, BN_CTX
*ctx
)
406 int i
,j
,bits
,ret
=0,wstart
,wend
,window
,wvalue
;
409 BIGNUM val
[TABLE_SIZE
];
421 if ((aa
= BN_CTX_get(ctx
)) == NULL
) goto err
;
423 BN_RECP_CTX_init(&recp
);
424 if (BN_RECP_CTX_set(&recp
,m
,ctx
) <= 0) goto err
;
429 if (!BN_mod(&(val
[0]),a
,m
,ctx
)) goto err
; /* 1 */
431 window
= BN_window_bits_for_exponent_size(bits
);
434 if (!BN_mod_mul_reciprocal(aa
,&(val
[0]),&(val
[0]),&recp
,ctx
))
440 if (!BN_mod_mul_reciprocal(&(val
[i
]),&(val
[i
-1]),aa
,&recp
,ctx
))
446 start
=1; /* This is used to avoid multiplication etc
447 * when there is only the value '1' in the
449 wvalue
=0; /* The 'value' of the window */
450 wstart
=bits
-1; /* The top bit of the window */
451 wend
=0; /* The bottom bit of the window */
453 if (!BN_one(r
)) goto err
;
457 if (BN_is_bit_set(p
,wstart
) == 0)
460 if (!BN_mod_mul_reciprocal(r
,r
,r
,&recp
,ctx
))
462 if (wstart
== 0) break;
466 /* We now have wstart on a 'set' bit, we now need to work out
467 * how bit a window to do. To do this we need to scan
468 * forward until the last set bit before the end of the
473 for (i
=1; i
<window
; i
++)
475 if (wstart
-i
< 0) break;
476 if (BN_is_bit_set(p
,wstart
-i
))
484 /* wend is the size of the current window */
486 /* add the 'bytes above' */
490 if (!BN_mod_mul_reciprocal(r
,r
,r
,&recp
,ctx
))
494 /* wvalue will be an odd number < 2^window */
495 if (!BN_mod_mul_reciprocal(r
,r
,&(val
[wvalue
>>1]),&recp
,ctx
))
498 /* move the 'window' down further */
502 if (wstart
< 0) break;
508 BN_clear_free(&(val
[i
]));
509 BN_RECP_CTX_free(&recp
);
514 int BN_mod_exp_mont(BIGNUM
*rr
, BIGNUM
*a
, const BIGNUM
*p
,
515 const BIGNUM
*m
, BN_CTX
*ctx
, BN_MONT_CTX
*in_mont
)
517 int i
,j
,bits
,ret
=0,wstart
,wend
,window
,wvalue
;
521 BIGNUM val
[TABLE_SIZE
];
522 BN_MONT_CTX
*mont
=NULL
;
529 if(!tried_atalla
&& BN_mod_exp_atalla(rr
,a
,p
,m
))
531 /* If it fails, try the other methods */
536 BNerr(BN_F_BN_MOD_EXP_MONT
,BN_R_CALLED_WITH_EVEN_MODULUS
);
548 if (d
== NULL
|| r
== NULL
) goto err
;
550 /* If this is not done, things will break in the montgomery
557 if ((mont
=BN_MONT_CTX_new()) == NULL
) goto err
;
558 if (!BN_MONT_CTX_set(mont
,m
,ctx
)) goto err
;
563 if (BN_ucmp(a
,m
) >= 0)
565 if (!BN_mod(&(val
[0]),a
,m
,ctx
))
571 if (!BN_to_montgomery(&(val
[0]),aa
,mont
,ctx
)) goto err
; /* 1 */
573 window
= BN_window_bits_for_exponent_size(bits
);
576 if (!BN_mod_mul_montgomery(d
,&(val
[0]),&(val
[0]),mont
,ctx
)) goto err
; /* 2 */
581 if (!BN_mod_mul_montgomery(&(val
[i
]),&(val
[i
-1]),d
,mont
,ctx
))
587 start
=1; /* This is used to avoid multiplication etc
588 * when there is only the value '1' in the
590 wvalue
=0; /* The 'value' of the window */
591 wstart
=bits
-1; /* The top bit of the window */
592 wend
=0; /* The bottom bit of the window */
594 if (!BN_to_montgomery(r
,BN_value_one(),mont
,ctx
)) goto err
;
597 if (BN_is_bit_set(p
,wstart
) == 0)
601 if (!BN_mod_mul_montgomery(r
,r
,r
,mont
,ctx
))
604 if (wstart
== 0) break;
608 /* We now have wstart on a 'set' bit, we now need to work out
609 * how bit a window to do. To do this we need to scan
610 * forward until the last set bit before the end of the
615 for (i
=1; i
<window
; i
++)
617 if (wstart
-i
< 0) break;
618 if (BN_is_bit_set(p
,wstart
-i
))
626 /* wend is the size of the current window */
628 /* add the 'bytes above' */
632 if (!BN_mod_mul_montgomery(r
,r
,r
,mont
,ctx
))
636 /* wvalue will be an odd number < 2^window */
637 if (!BN_mod_mul_montgomery(r
,r
,&(val
[wvalue
>>1]),mont
,ctx
))
640 /* move the 'window' down further */
644 if (wstart
< 0) break;
646 if (!BN_from_montgomery(rr
,r
,mont
,ctx
)) goto err
;
649 if ((in_mont
== NULL
) && (mont
!= NULL
)) BN_MONT_CTX_free(mont
);
652 BN_clear_free(&(val
[i
]));
656 int BN_mod_exp_mont_word(BIGNUM
*rr
, BN_ULONG a
, const BIGNUM
*p
,
657 const BIGNUM
*m
, BN_CTX
*ctx
, BN_MONT_CTX
*in_mont
)
659 BN_MONT_CTX
*mont
= NULL
;
665 #define BN_MOD_MUL_WORD(r, w, m) \
666 (BN_mul_word(r, (w)) && \
667 (/* BN_ucmp(r, (m)) < 0 ? 1 :*/ \
668 (BN_mod(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))
669 /* BN_MOD_MUL_WORD is only used with 'w' large,
670 * so the BN_ucmp test is probably more overhead
671 * than always using BN_mod (which uses BN_copy if
672 * a similar test returns true). */
673 #define BN_TO_MONTGOMERY_WORD(r, w, mont) \
674 (BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))
681 BNerr(BN_F_BN_MOD_EXP_MONT_WORD
,BN_R_CALLED_WITH_EVEN_MODULUS
);
684 bits
= BN_num_bits(p
);
694 if (d
== NULL
|| r
== NULL
|| t
== NULL
) goto err
;
700 if (BN_mod_exp_atalla(rr
, t
, p
, m
))
706 /* If it fails, try the other methods */
713 if ((mont
= BN_MONT_CTX_new()) == NULL
) goto err
;
714 if (!BN_MONT_CTX_set(mont
, m
, ctx
)) goto err
;
717 r_is_one
= 1; /* except for Montgomery factor */
721 /* The result is accumulated in the product r*w. */
722 w
= a
; /* bit 'bits-1' of 'p' is always set */
723 for (b
= bits
-2; b
>= 0; b
--)
725 /* First, square r*w. */
727 if ((next_w
/w
) != w
) /* overflow */
731 if (!BN_TO_MONTGOMERY_WORD(r
, w
, mont
)) goto err
;
736 if (!BN_MOD_MUL_WORD(r
, w
, m
)) goto err
;
743 if (!BN_mod_mul_montgomery(r
, r
, r
, mont
, ctx
)) goto err
;
746 /* Second, multiply r*w by 'a' if exponent bit is set. */
747 if (BN_is_bit_set(p
, b
))
750 if ((next_w
/a
) != w
) /* overflow */
754 if (!BN_TO_MONTGOMERY_WORD(r
, w
, mont
)) goto err
;
759 if (!BN_MOD_MUL_WORD(r
, w
, m
)) goto err
;
767 /* Finally, set r:=r*w. */
772 if (!BN_TO_MONTGOMERY_WORD(r
, w
, mont
)) goto err
;
777 if (!BN_MOD_MUL_WORD(r
, w
, m
)) goto err
;
781 if (r_is_one
) /* can happen only if a == 1*/
783 if (!BN_one(rr
)) goto err
;
787 if (!BN_from_montgomery(rr
, r
, mont
, ctx
)) goto err
;
791 if ((in_mont
== NULL
) && (mont
!= NULL
)) BN_MONT_CTX_free(mont
);
797 /* The old fallback, simple version :-) */
798 int BN_mod_exp_simple(BIGNUM
*r
, BIGNUM
*a
, BIGNUM
*p
, BIGNUM
*m
,
801 int i
,j
,bits
,ret
=0,wstart
,wend
,window
,wvalue
,ts
=0;
804 BIGNUM val
[TABLE_SIZE
];
815 if ((d
= BN_CTX_get(ctx
)) == NULL
) goto err
;
819 if (!BN_mod(&(val
[0]),a
,m
,ctx
)) goto err
; /* 1 */
821 window
= BN_window_bits_for_exponent_size(bits
);
824 if (!BN_mod_mul(d
,&(val
[0]),&(val
[0]),m
,ctx
))
830 if (!BN_mod_mul(&(val
[i
]),&(val
[i
-1]),d
,m
,ctx
))
836 start
=1; /* This is used to avoid multiplication etc
837 * when there is only the value '1' in the
839 wvalue
=0; /* The 'value' of the window */
840 wstart
=bits
-1; /* The top bit of the window */
841 wend
=0; /* The bottom bit of the window */
843 if (!BN_one(r
)) goto err
;
847 if (BN_is_bit_set(p
,wstart
) == 0)
850 if (!BN_mod_mul(r
,r
,r
,m
,ctx
))
852 if (wstart
== 0) break;
856 /* We now have wstart on a 'set' bit, we now need to work out
857 * how bit a window to do. To do this we need to scan
858 * forward until the last set bit before the end of the
863 for (i
=1; i
<window
; i
++)
865 if (wstart
-i
< 0) break;
866 if (BN_is_bit_set(p
,wstart
-i
))
874 /* wend is the size of the current window */
876 /* add the 'bytes above' */
880 if (!BN_mod_mul(r
,r
,r
,m
,ctx
))
884 /* wvalue will be an odd number < 2^window */
885 if (!BN_mod_mul(r
,r
,&(val
[wvalue
>>1]),m
,ctx
))
888 /* move the 'window' down further */
892 if (wstart
< 0) break;
898 BN_clear_free(&(val
[i
]));