Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(6)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: openssl/crypto/bn/bn_nist.c

Issue 2072073002: Delete bundled copy of OpenSSL and replace with README. (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/openssl@master
Patch Set: Delete bundled copy of OpenSSL and replace with README. Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « openssl/crypto/bn/bn_mul.c ('k') | openssl/crypto/bn/bn_prime.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* crypto/bn/bn_nist.c */
2 /*
3 * Written by Nils Larsch for the OpenSSL project
4 */
5 /* ====================================================================
6 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59 #include "bn_lcl.h"
60 #include "cryptlib.h"
61
62
63 #define BN_NIST_192_TOP (192+BN_BITS2-1)/BN_BITS2
64 #define BN_NIST_224_TOP (224+BN_BITS2-1)/BN_BITS2
65 #define BN_NIST_256_TOP (256+BN_BITS2-1)/BN_BITS2
66 #define BN_NIST_384_TOP (384+BN_BITS2-1)/BN_BITS2
67 #define BN_NIST_521_TOP (521+BN_BITS2-1)/BN_BITS2
68
69 /* pre-computed tables are "carry-less" values of modulus*(i+1) */
70 #if BN_BITS2 == 64
71 static const BN_ULONG _nist_p_192[][BN_NIST_192_TOP] = {
72 {0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFFULL},
73 {0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFDULL,0xFFFFFFFFFFFFFFFFULL},
74 {0xFFFFFFFFFFFFFFFDULL,0xFFFFFFFFFFFFFFFCULL,0xFFFFFFFFFFFFFFFFULL}
75 };
76 static const BN_ULONG _nist_p_192_sqr[] = {
77 0x0000000000000001ULL,0x0000000000000002ULL,0x0000000000000001ULL,
78 0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFDULL,0xFFFFFFFFFFFFFFFFULL
79 };
80 static const BN_ULONG _nist_p_224[][BN_NIST_224_TOP] = {
81 {0x0000000000000001ULL,0xFFFFFFFF00000000ULL,
82 0xFFFFFFFFFFFFFFFFULL,0x00000000FFFFFFFFULL},
83 {0x0000000000000002ULL,0xFFFFFFFE00000000ULL,
84 0xFFFFFFFFFFFFFFFFULL,0x00000001FFFFFFFFULL} /* this one is "carry-full " */
85 };
86 static const BN_ULONG _nist_p_224_sqr[] = {
87 0x0000000000000001ULL,0xFFFFFFFE00000000ULL,
88 0xFFFFFFFFFFFFFFFFULL,0x0000000200000000ULL,
89 0x0000000000000000ULL,0xFFFFFFFFFFFFFFFEULL,
90 0xFFFFFFFFFFFFFFFFULL
91 };
92 static const BN_ULONG _nist_p_256[][BN_NIST_256_TOP] = {
93 {0xFFFFFFFFFFFFFFFFULL,0x00000000FFFFFFFFULL,
94 0x0000000000000000ULL,0xFFFFFFFF00000001ULL},
95 {0xFFFFFFFFFFFFFFFEULL,0x00000001FFFFFFFFULL,
96 0x0000000000000000ULL,0xFFFFFFFE00000002ULL},
97 {0xFFFFFFFFFFFFFFFDULL,0x00000002FFFFFFFFULL,
98 0x0000000000000000ULL,0xFFFFFFFD00000003ULL},
99 {0xFFFFFFFFFFFFFFFCULL,0x00000003FFFFFFFFULL,
100 0x0000000000000000ULL,0xFFFFFFFC00000004ULL},
101 {0xFFFFFFFFFFFFFFFBULL,0x00000004FFFFFFFFULL,
102 0x0000000000000000ULL,0xFFFFFFFB00000005ULL},
103 };
104 static const BN_ULONG _nist_p_256_sqr[] = {
105 0x0000000000000001ULL,0xFFFFFFFE00000000ULL,
106 0xFFFFFFFFFFFFFFFFULL,0x00000001FFFFFFFEULL,
107 0x00000001FFFFFFFEULL,0x00000001FFFFFFFEULL,
108 0xFFFFFFFE00000001ULL,0xFFFFFFFE00000002ULL
109 };
110 static const BN_ULONG _nist_p_384[][BN_NIST_384_TOP] = {
111 {0x00000000FFFFFFFFULL,0xFFFFFFFF00000000ULL,0xFFFFFFFFFFFFFFFEULL,
112 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
113 {0x00000001FFFFFFFEULL,0xFFFFFFFE00000000ULL,0xFFFFFFFFFFFFFFFDULL,
114 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
115 {0x00000002FFFFFFFDULL,0xFFFFFFFD00000000ULL,0xFFFFFFFFFFFFFFFCULL,
116 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
117 {0x00000003FFFFFFFCULL,0xFFFFFFFC00000000ULL,0xFFFFFFFFFFFFFFFBULL,
118 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
119 {0x00000004FFFFFFFBULL,0xFFFFFFFB00000000ULL,0xFFFFFFFFFFFFFFFAULL,
120 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
121 };
122 static const BN_ULONG _nist_p_384_sqr[] = {
123 0xFFFFFFFE00000001ULL,0x0000000200000000ULL,0xFFFFFFFE00000000ULL,
124 0x0000000200000000ULL,0x0000000000000001ULL,0x0000000000000000ULL,
125 0x00000001FFFFFFFEULL,0xFFFFFFFE00000000ULL,0xFFFFFFFFFFFFFFFDULL,
126 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL
127 };
128 static const BN_ULONG _nist_p_521[] =
129 {0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
130 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
131 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
132 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
133 0x00000000000001FFULL};
134 static const BN_ULONG _nist_p_521_sqr[] = {
135 0x0000000000000001ULL,0x0000000000000000ULL,0x0000000000000000ULL,
136 0x0000000000000000ULL,0x0000000000000000ULL,0x0000000000000000ULL,
137 0x0000000000000000ULL,0x0000000000000000ULL,0xFFFFFFFFFFFFFC00ULL,
138 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
139 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
140 0xFFFFFFFFFFFFFFFFULL,0x000000000003FFFFULL
141 };
142 #elif BN_BITS2 == 32
143 static const BN_ULONG _nist_p_192[][BN_NIST_192_TOP] = {
144 {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
145 {0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFD,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
146 {0xFFFFFFFD,0xFFFFFFFF,0xFFFFFFFC,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF}
147 };
148 static const BN_ULONG _nist_p_192_sqr[] = {
149 0x00000001,0x00000000,0x00000002,0x00000000,0x00000001,0x00000000,
150 0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFD,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF
151 };
152 static const BN_ULONG _nist_p_224[][BN_NIST_224_TOP] = {
153 {0x00000001,0x00000000,0x00000000,0xFFFFFFFF,
154 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
155 {0x00000002,0x00000000,0x00000000,0xFFFFFFFE,
156 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF}
157 };
158 static const BN_ULONG _nist_p_224_sqr[] = {
159 0x00000001,0x00000000,0x00000000,0xFFFFFFFE,
160 0xFFFFFFFF,0xFFFFFFFF,0x00000000,0x00000002,
161 0x00000000,0x00000000,0xFFFFFFFE,0xFFFFFFFF,
162 0xFFFFFFFF,0xFFFFFFFF
163 };
164 static const BN_ULONG _nist_p_256[][BN_NIST_256_TOP] = {
165 {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0x00000000,
166 0x00000000,0x00000000,0x00000001,0xFFFFFFFF},
167 {0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFF,0x00000001,
168 0x00000000,0x00000000,0x00000002,0xFFFFFFFE},
169 {0xFFFFFFFD,0xFFFFFFFF,0xFFFFFFFF,0x00000002,
170 0x00000000,0x00000000,0x00000003,0xFFFFFFFD},
171 {0xFFFFFFFC,0xFFFFFFFF,0xFFFFFFFF,0x00000003,
172 0x00000000,0x00000000,0x00000004,0xFFFFFFFC},
173 {0xFFFFFFFB,0xFFFFFFFF,0xFFFFFFFF,0x00000004,
174 0x00000000,0x00000000,0x00000005,0xFFFFFFFB},
175 };
176 static const BN_ULONG _nist_p_256_sqr[] = {
177 0x00000001,0x00000000,0x00000000,0xFFFFFFFE,
178 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFE,0x00000001,
179 0xFFFFFFFE,0x00000001,0xFFFFFFFE,0x00000001,
180 0x00000001,0xFFFFFFFE,0x00000002,0xFFFFFFFE
181 };
182 static const BN_ULONG _nist_p_384[][BN_NIST_384_TOP] = {
183 {0xFFFFFFFF,0x00000000,0x00000000,0xFFFFFFFF,0xFFFFFFFE,0xFFFFFFFF,
184 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
185 {0xFFFFFFFE,0x00000001,0x00000000,0xFFFFFFFE,0xFFFFFFFD,0xFFFFFFFF,
186 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
187 {0xFFFFFFFD,0x00000002,0x00000000,0xFFFFFFFD,0xFFFFFFFC,0xFFFFFFFF,
188 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
189 {0xFFFFFFFC,0x00000003,0x00000000,0xFFFFFFFC,0xFFFFFFFB,0xFFFFFFFF,
190 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
191 {0xFFFFFFFB,0x00000004,0x00000000,0xFFFFFFFB,0xFFFFFFFA,0xFFFFFFFF,
192 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
193 };
194 static const BN_ULONG _nist_p_384_sqr[] = {
195 0x00000001,0xFFFFFFFE,0x00000000,0x00000002,0x00000000,0xFFFFFFFE,
196 0x00000000,0x00000002,0x00000001,0x00000000,0x00000000,0x00000000,
197 0xFFFFFFFE,0x00000001,0x00000000,0xFFFFFFFE,0xFFFFFFFD,0xFFFFFFFF,
198 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF
199 };
200 static const BN_ULONG _nist_p_521[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
201 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
202 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
203 0xFFFFFFFF,0x000001FF};
204 static const BN_ULONG _nist_p_521_sqr[] = {
205 0x00000001,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
206 0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
207 0x00000000,0x00000000,0x00000000,0x00000000,0xFFFFFC00,0xFFFFFFFF,
208 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
209 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
210 0xFFFFFFFF,0xFFFFFFFF,0x0003FFFF
211 };
212 #else
213 #error "unsupported BN_BITS2"
214 #endif
215
216
217 static const BIGNUM _bignum_nist_p_192 =
218 {
219 (BN_ULONG *)_nist_p_192[0],
220 BN_NIST_192_TOP,
221 BN_NIST_192_TOP,
222 0,
223 BN_FLG_STATIC_DATA
224 };
225
226 static const BIGNUM _bignum_nist_p_224 =
227 {
228 (BN_ULONG *)_nist_p_224[0],
229 BN_NIST_224_TOP,
230 BN_NIST_224_TOP,
231 0,
232 BN_FLG_STATIC_DATA
233 };
234
235 static const BIGNUM _bignum_nist_p_256 =
236 {
237 (BN_ULONG *)_nist_p_256[0],
238 BN_NIST_256_TOP,
239 BN_NIST_256_TOP,
240 0,
241 BN_FLG_STATIC_DATA
242 };
243
244 static const BIGNUM _bignum_nist_p_384 =
245 {
246 (BN_ULONG *)_nist_p_384[0],
247 BN_NIST_384_TOP,
248 BN_NIST_384_TOP,
249 0,
250 BN_FLG_STATIC_DATA
251 };
252
253 static const BIGNUM _bignum_nist_p_521 =
254 {
255 (BN_ULONG *)_nist_p_521,
256 BN_NIST_521_TOP,
257 BN_NIST_521_TOP,
258 0,
259 BN_FLG_STATIC_DATA
260 };
261
262
263 const BIGNUM *BN_get0_nist_prime_192(void)
264 {
265 return &_bignum_nist_p_192;
266 }
267
268 const BIGNUM *BN_get0_nist_prime_224(void)
269 {
270 return &_bignum_nist_p_224;
271 }
272
273 const BIGNUM *BN_get0_nist_prime_256(void)
274 {
275 return &_bignum_nist_p_256;
276 }
277
278 const BIGNUM *BN_get0_nist_prime_384(void)
279 {
280 return &_bignum_nist_p_384;
281 }
282
283 const BIGNUM *BN_get0_nist_prime_521(void)
284 {
285 return &_bignum_nist_p_521;
286 }
287
288
289 static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max)
290 {
291 int i;
292 BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
293
294 #ifdef BN_DEBUG
295 OPENSSL_assert(top <= max);
296 #endif
297 for (i = (top); i != 0; i--)
298 *_tmp1++ = *_tmp2++;
299 for (i = (max) - (top); i != 0; i--)
300 *_tmp1++ = (BN_ULONG) 0;
301 }
302
303 static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
304 {
305 int i;
306 BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
307 for (i = (top); i != 0; i--)
308 *_tmp1++ = *_tmp2++;
309 }
310
311 #if BN_BITS2 == 64
312 #define bn_cp_64(to, n, from, m) (to)[n] = (m>=0)?((from)[m]):0;
313 #define bn_64_set_0(to, n) (to)[n] = (BN_ULONG)0;
314 /*
315 * two following macros are implemented under assumption that they
316 * are called in a sequence with *ascending* n, i.e. as they are...
317 */
318 #define bn_cp_32_naked(to, n, from, m) (((n)&1)?(to[(n)/2]|=((m)&1)?(from[(m)/2 ]&BN_MASK2h):(from[(m)/2]<<32))\
319 :(to[(n)/2] =((m)&1)?(from[(m)/2 ]>>32):(from[(m)/2]&BN_MASK2l)))
320 #define bn_32_set_0(to, n) (((n)&1)?(to[(n)/2]&=BN_MASK2l):(to[(n)/ 2]=0));
321 #define bn_cp_32(to,n,from,m) ((m)>=0)?bn_cp_32_naked(to,n,from,m):bn_ 32_set_0(to,n)
322 # if defined(L_ENDIAN)
323 # if defined(__arch64__)
324 # define NIST_INT64 long
325 # else
326 # define NIST_INT64 long long
327 # endif
328 # endif
329 #else
330 #define bn_cp_64(to, n, from, m) \
331 { \
332 bn_cp_32(to, (n)*2, from, (m)*2); \
333 bn_cp_32(to, (n)*2+1, from, (m)*2+1); \
334 }
335 #define bn_64_set_0(to, n) \
336 { \
337 bn_32_set_0(to, (n)*2); \
338 bn_32_set_0(to, (n)*2+1); \
339 }
340 #define bn_cp_32(to, n, from, m) (to)[n] = (m>=0)?((from)[m]):0;
341 #define bn_32_set_0(to, n) (to)[n] = (BN_ULONG)0;
342 # if defined(_WIN32) && !defined(__GNUC__)
343 # define NIST_INT64 __int64
344 # elif defined(BN_LLONG)
345 # define NIST_INT64 long long
346 # endif
347 #endif /* BN_BITS2 != 64 */
348
349 #define nist_set_192(to, from, a1, a2, a3) \
350 { \
351 bn_cp_64(to, 0, from, (a3) - 3) \
352 bn_cp_64(to, 1, from, (a2) - 3) \
353 bn_cp_64(to, 2, from, (a1) - 3) \
354 }
355
356 int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
357 BN_CTX *ctx)
358 {
359 int top = a->top, i;
360 int carry;
361 register BN_ULONG *r_d, *a_d = a->d;
362 union {
363 BN_ULONG bn[BN_NIST_192_TOP];
364 unsigned int ui[BN_NIST_192_TOP*sizeof(BN_ULONG)/sizeof(unsig ned int)];
365 } buf;
366 BN_ULONG c_d[BN_NIST_192_TOP],
367 *res;
368 PTR_SIZE_INT mask;
369 static const BIGNUM _bignum_nist_p_192_sqr = {
370 (BN_ULONG *)_nist_p_192_sqr,
371 sizeof(_nist_p_192_sqr)/sizeof(_nist_p_192_sqr[0]),
372 sizeof(_nist_p_192_sqr)/sizeof(_nist_p_192_sqr[0]),
373 0,BN_FLG_STATIC_DATA };
374
375 field = &_bignum_nist_p_192; /* just to make sure */
376
377 if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_192_sqr)>=0)
378 return BN_nnmod(r, a, field, ctx);
379
380 i = BN_ucmp(field, a);
381 if (i == 0)
382 {
383 BN_zero(r);
384 return 1;
385 }
386 else if (i > 0)
387 return (r == a) ? 1 : (BN_copy(r ,a) != NULL);
388
389 if (r != a)
390 {
391 if (!bn_wexpand(r, BN_NIST_192_TOP))
392 return 0;
393 r_d = r->d;
394 nist_cp_bn(r_d, a_d, BN_NIST_192_TOP);
395 }
396 else
397 r_d = a_d;
398
399 nist_cp_bn_0(buf.bn, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, BN_NI ST_192_TOP);
400
401 #if defined(NIST_INT64)
402 {
403 NIST_INT64 acc; /* accumulator */
404 unsigned int *rp=(unsigned int *)r_d;
405 const unsigned int *bp=(const unsigned int *)buf.ui;
406
407 acc = rp[0]; acc += bp[3*2-6];
408 acc += bp[5*2-6]; rp[0] = (unsigned int)acc; acc >>= 32;
409
410 acc += rp[1]; acc += bp[3*2-5];
411 acc += bp[5*2-5]; rp[1] = (unsigned int)acc; acc >>= 32;
412
413 acc += rp[2]; acc += bp[3*2-6];
414 acc += bp[4*2-6];
415 acc += bp[5*2-6]; rp[2] = (unsigned int)acc; acc >>= 32;
416
417 acc += rp[3]; acc += bp[3*2-5];
418 acc += bp[4*2-5];
419 acc += bp[5*2-5]; rp[3] = (unsigned int)acc; acc >>= 32;
420
421 acc += rp[4]; acc += bp[4*2-6];
422 acc += bp[5*2-6]; rp[4] = (unsigned int)acc; acc >>= 32;
423
424 acc += rp[5]; acc += bp[4*2-5];
425 acc += bp[5*2-5]; rp[5] = (unsigned int)acc;
426
427 carry = (int)(acc>>32);
428 }
429 #else
430 {
431 BN_ULONG t_d[BN_NIST_192_TOP];
432
433 nist_set_192(t_d, buf.bn, 0, 3, 3);
434 carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
435 nist_set_192(t_d, buf.bn, 4, 4, 0);
436 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
437 nist_set_192(t_d, buf.bn, 5, 5, 5)
438 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
439 }
440 #endif
441 if (carry > 0)
442 carry = (int)bn_sub_words(r_d,r_d,_nist_p_192[carry-1],BN_NIST_1 92_TOP);
443 else
444 carry = 1;
445
446 /*
447 * we need 'if (carry==0 || result>=modulus) result-=modulus;'
448 * as comparison implies subtraction, we can write
449 * 'tmp=result-modulus; if (!carry || !borrow) result=tmp;'
450 * this is what happens below, but without explicit if:-) a.
451 */
452 mask = 0-(PTR_SIZE_INT)bn_sub_words(c_d,r_d,_nist_p_192[0],BN_NIST_192_ TOP);
453 mask &= 0-(PTR_SIZE_INT)carry;
454 res = (BN_ULONG *)
455 (((PTR_SIZE_INT)c_d&~mask) | ((PTR_SIZE_INT)r_d&mask));
456 nist_cp_bn(r_d, res, BN_NIST_192_TOP);
457 r->top = BN_NIST_192_TOP;
458 bn_correct_top(r);
459
460 return 1;
461 }
462
463 typedef BN_ULONG (*bn_addsub_f)(BN_ULONG *,const BN_ULONG *,const BN_ULONG *,int );
464
465 #define nist_set_224(to, from, a1, a2, a3, a4, a5, a6, a7) \
466 { \
467 bn_cp_32(to, 0, from, (a7) - 7) \
468 bn_cp_32(to, 1, from, (a6) - 7) \
469 bn_cp_32(to, 2, from, (a5) - 7) \
470 bn_cp_32(to, 3, from, (a4) - 7) \
471 bn_cp_32(to, 4, from, (a3) - 7) \
472 bn_cp_32(to, 5, from, (a2) - 7) \
473 bn_cp_32(to, 6, from, (a1) - 7) \
474 }
475
476 int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
477 BN_CTX *ctx)
478 {
479 int top = a->top, i;
480 int carry;
481 BN_ULONG *r_d, *a_d = a->d;
482 BN_ULONG buf[BN_NIST_224_TOP],
483 c_d[BN_NIST_224_TOP],
484 *res;
485 PTR_SIZE_INT mask;
486 union { bn_addsub_f f; PTR_SIZE_INT p; } u;
487 static const BIGNUM _bignum_nist_p_224_sqr = {
488 (BN_ULONG *)_nist_p_224_sqr,
489 sizeof(_nist_p_224_sqr)/sizeof(_nist_p_224_sqr[0]),
490 sizeof(_nist_p_224_sqr)/sizeof(_nist_p_224_sqr[0]),
491 0,BN_FLG_STATIC_DATA };
492
493
494 field = &_bignum_nist_p_224; /* just to make sure */
495
496 if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_224_sqr)>=0)
497 return BN_nnmod(r, a, field, ctx);
498
499 i = BN_ucmp(field, a);
500 if (i == 0)
501 {
502 BN_zero(r);
503 return 1;
504 }
505 else if (i > 0)
506 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
507
508 if (r != a)
509 {
510 if (!bn_wexpand(r, BN_NIST_224_TOP))
511 return 0;
512 r_d = r->d;
513 nist_cp_bn(r_d, a_d, BN_NIST_224_TOP);
514 }
515 else
516 r_d = a_d;
517
518 #if BN_BITS2==64
519 /* copy upper 256 bits of 448 bit number ... */
520 nist_cp_bn_0(c_d, a_d + (BN_NIST_224_TOP-1), top - (BN_NIST_224_TOP-1), BN_NIST_224_TOP);
521 /* ... and right shift by 32 to obtain upper 224 bits */
522 nist_set_224(buf, c_d, 14, 13, 12, 11, 10, 9, 8);
523 /* truncate lower part to 224 bits too */
524 r_d[BN_NIST_224_TOP-1] &= BN_MASK2l;
525 #else
526 nist_cp_bn_0(buf, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_ 224_TOP);
527 #endif
528
529 #if defined(NIST_INT64) && BN_BITS2!=64
530 {
531 NIST_INT64 acc; /* accumulator */
532 unsigned int *rp=(unsigned int *)r_d;
533 const unsigned int *bp=(const unsigned int *)buf;
534
535 acc = rp[0]; acc -= bp[7-7];
536 acc -= bp[11-7]; rp[0] = (unsigned int)acc; acc >>= 32;
537
538 acc += rp[1]; acc -= bp[8-7];
539 acc -= bp[12-7]; rp[1] = (unsigned int)acc; acc >>= 32;
540
541 acc += rp[2]; acc -= bp[9-7];
542 acc -= bp[13-7]; rp[2] = (unsigned int)acc; acc >>= 32;
543
544 acc += rp[3]; acc += bp[7-7];
545 acc += bp[11-7];
546 acc -= bp[10-7]; rp[3] = (unsigned int)acc; acc>>= 32;
547
548 acc += rp[4]; acc += bp[8-7];
549 acc += bp[12-7];
550 acc -= bp[11-7]; rp[4] = (unsigned int)acc; acc >>= 32;
551
552 acc += rp[5]; acc += bp[9-7];
553 acc += bp[13-7];
554 acc -= bp[12-7]; rp[5] = (unsigned int)acc; acc >>= 32;
555
556 acc += rp[6]; acc += bp[10-7];
557 acc -= bp[13-7]; rp[6] = (unsigned int)acc;
558
559 carry = (int)(acc>>32);
560 # if BN_BITS2==64
561 rp[7] = carry;
562 # endif
563 }
564 #else
565 {
566 BN_ULONG t_d[BN_NIST_224_TOP];
567
568 nist_set_224(t_d, buf, 10, 9, 8, 7, 0, 0, 0);
569 carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
570 nist_set_224(t_d, buf, 0, 13, 12, 11, 0, 0, 0);
571 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
572 nist_set_224(t_d, buf, 13, 12, 11, 10, 9, 8, 7);
573 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
574 nist_set_224(t_d, buf, 0, 0, 0, 0, 13, 12, 11);
575 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
576
577 #if BN_BITS2==64
578 carry = (int)(r_d[BN_NIST_224_TOP-1]>>32);
579 #endif
580 }
581 #endif
582 u.f = bn_sub_words;
583 if (carry > 0)
584 {
585 carry = (int)bn_sub_words(r_d,r_d,_nist_p_224[carry-1],BN_NIST_2 24_TOP);
586 #if BN_BITS2==64
587 carry=(int)(~(r_d[BN_NIST_224_TOP-1]>>32))&1;
588 #endif
589 }
590 else if (carry < 0)
591 {
592 /* it's a bit more comlicated logic in this case.
593 * if bn_add_words yields no carry, then result
594 * has to be adjusted by unconditionally *adding*
595 * the modulus. but if it does, then result has
596 * to be compared to the modulus and conditionally
597 * adjusted by *subtracting* the latter. */
598 carry = (int)bn_add_words(r_d,r_d,_nist_p_224[-carry-1],BN_NIST_ 224_TOP);
599 mask = 0-(PTR_SIZE_INT)carry;
600 u.p = ((PTR_SIZE_INT)bn_sub_words&mask) |
601 ((PTR_SIZE_INT)bn_add_words&~mask);
602 }
603 else
604 carry = 1;
605
606 /* otherwise it's effectively same as in BN_nist_mod_192... */
607 mask = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_224[0],BN_NIST_224_TOP);
608 mask &= 0-(PTR_SIZE_INT)carry;
609 res = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) |
610 ((PTR_SIZE_INT)r_d&mask));
611 nist_cp_bn(r_d, res, BN_NIST_224_TOP);
612 r->top = BN_NIST_224_TOP;
613 bn_correct_top(r);
614
615 return 1;
616 }
617
618 #define nist_set_256(to, from, a1, a2, a3, a4, a5, a6, a7, a8) \
619 { \
620 bn_cp_32(to, 0, from, (a8) - 8) \
621 bn_cp_32(to, 1, from, (a7) - 8) \
622 bn_cp_32(to, 2, from, (a6) - 8) \
623 bn_cp_32(to, 3, from, (a5) - 8) \
624 bn_cp_32(to, 4, from, (a4) - 8) \
625 bn_cp_32(to, 5, from, (a3) - 8) \
626 bn_cp_32(to, 6, from, (a2) - 8) \
627 bn_cp_32(to, 7, from, (a1) - 8) \
628 }
629
630 int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
631 BN_CTX *ctx)
632 {
633 int i, top = a->top;
634 int carry = 0;
635 register BN_ULONG *a_d = a->d, *r_d;
636 union {
637 BN_ULONG bn[BN_NIST_256_TOP];
638 unsigned int ui[BN_NIST_256_TOP*sizeof(BN_ULONG)/sizeof(unsigned int)];
639 } buf;
640 BN_ULONG c_d[BN_NIST_256_TOP],
641 *res;
642 PTR_SIZE_INT mask;
643 union { bn_addsub_f f; PTR_SIZE_INT p; } u;
644 static const BIGNUM _bignum_nist_p_256_sqr = {
645 (BN_ULONG *)_nist_p_256_sqr,
646 sizeof(_nist_p_256_sqr)/sizeof(_nist_p_256_sqr[0]),
647 sizeof(_nist_p_256_sqr)/sizeof(_nist_p_256_sqr[0]),
648 0,BN_FLG_STATIC_DATA };
649
650 field = &_bignum_nist_p_256; /* just to make sure */
651
652 if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_256_sqr)>=0)
653 return BN_nnmod(r, a, field, ctx);
654
655 i = BN_ucmp(field, a);
656 if (i == 0)
657 {
658 BN_zero(r);
659 return 1;
660 }
661 else if (i > 0)
662 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
663
664 if (r != a)
665 {
666 if (!bn_wexpand(r, BN_NIST_256_TOP))
667 return 0;
668 r_d = r->d;
669 nist_cp_bn(r_d, a_d, BN_NIST_256_TOP);
670 }
671 else
672 r_d = a_d;
673
674 nist_cp_bn_0(buf.bn, a_d + BN_NIST_256_TOP, top - BN_NIST_256_TOP, BN_NI ST_256_TOP);
675
676 #if defined(NIST_INT64)
677 {
678 NIST_INT64 acc; /* accumulator */
679 unsigned int *rp=(unsigned int *)r_d;
680 const unsigned int *bp=(const unsigned int *)buf.ui;
681
682 acc = rp[0]; acc += bp[8-8];
683 acc += bp[9-8];
684 acc -= bp[11-8];
685 acc -= bp[12-8];
686 acc -= bp[13-8];
687 acc -= bp[14-8]; rp[0] = (unsigned int)acc; acc >>= 32;
688
689 acc += rp[1]; acc += bp[9-8];
690 acc += bp[10-8];
691 acc -= bp[12-8];
692 acc -= bp[13-8];
693 acc -= bp[14-8];
694 acc -= bp[15-8]; rp[1] = (unsigned int)acc; acc >>= 32;
695
696 acc += rp[2]; acc += bp[10-8];
697 acc += bp[11-8];
698 acc -= bp[13-8];
699 acc -= bp[14-8];
700 acc -= bp[15-8]; rp[2] = (unsigned int)acc; acc >>= 32;
701
702 acc += rp[3]; acc += bp[11-8];
703 acc += bp[11-8];
704 acc += bp[12-8];
705 acc += bp[12-8];
706 acc += bp[13-8];
707 acc -= bp[15-8];
708 acc -= bp[8-8];
709 acc -= bp[9-8]; rp[3] = (unsigned int)acc; acc >>= 32;
710
711 acc += rp[4]; acc += bp[12-8];
712 acc += bp[12-8];
713 acc += bp[13-8];
714 acc += bp[13-8];
715 acc += bp[14-8];
716 acc -= bp[9-8];
717 acc -= bp[10-8]; rp[4] = (unsigned int)acc; acc >>= 32;
718
719 acc += rp[5]; acc += bp[13-8];
720 acc += bp[13-8];
721 acc += bp[14-8];
722 acc += bp[14-8];
723 acc += bp[15-8];
724 acc -= bp[10-8];
725 acc -= bp[11-8]; rp[5] = (unsigned int)acc; acc >>= 32;
726
727 acc += rp[6]; acc += bp[14-8];
728 acc += bp[14-8];
729 acc += bp[15-8];
730 acc += bp[15-8];
731 acc += bp[14-8];
732 acc += bp[13-8];
733 acc -= bp[8-8];
734 acc -= bp[9-8]; rp[6] = (unsigned int)acc; acc >>= 32;
735
736 acc += rp[7]; acc += bp[15-8];
737 acc += bp[15-8];
738 acc += bp[15-8];
739 acc += bp[8 -8];
740 acc -= bp[10-8];
741 acc -= bp[11-8];
742 acc -= bp[12-8];
743 acc -= bp[13-8]; rp[7] = (unsigned int)acc;
744
745 carry = (int)(acc>>32);
746 }
747 #else
748 {
749 BN_ULONG t_d[BN_NIST_256_TOP];
750
751 /*S1*/
752 nist_set_256(t_d, buf.bn, 15, 14, 13, 12, 11, 0, 0, 0);
753 /*S2*/
754 nist_set_256(c_d, buf.bn, 0, 15, 14, 13, 12, 0, 0, 0);
755 carry = (int)bn_add_words(t_d, t_d, c_d, BN_NIST_256_TOP);
756 /* left shift */
757 {
758 register BN_ULONG *ap,t,c;
759 ap = t_d;
760 c=0;
761 for (i = BN_NIST_256_TOP; i != 0; --i)
762 {
763 t= *ap;
764 *(ap++)=((t<<1)|c)&BN_MASK2;
765 c=(t & BN_TBIT)?1:0;
766 }
767 carry <<= 1;
768 carry |= c;
769 }
770 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
771 /*S3*/
772 nist_set_256(t_d, buf.bn, 15, 14, 0, 0, 0, 10, 9, 8);
773 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
774 /*S4*/
775 nist_set_256(t_d, buf.bn, 8, 13, 15, 14, 13, 11, 10, 9);
776 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
777 /*D1*/
778 nist_set_256(t_d, buf.bn, 10, 8, 0, 0, 0, 13, 12, 11);
779 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
780 /*D2*/
781 nist_set_256(t_d, buf.bn, 11, 9, 0, 0, 15, 14, 13, 12);
782 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
783 /*D3*/
784 nist_set_256(t_d, buf.bn, 12, 0, 10, 9, 8, 15, 14, 13);
785 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
786 /*D4*/
787 nist_set_256(t_d, buf.bn, 13, 0, 11, 10, 9, 0, 15, 14);
788 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
789
790 }
791 #endif
792 /* see BN_nist_mod_224 for explanation */
793 u.f = bn_sub_words;
794 if (carry > 0)
795 carry = (int)bn_sub_words(r_d,r_d,_nist_p_256[carry-1],BN_NIST_2 56_TOP);
796 else if (carry < 0)
797 {
798 carry = (int)bn_add_words(r_d,r_d,_nist_p_256[-carry-1],BN_NIST_ 256_TOP);
799 mask = 0-(PTR_SIZE_INT)carry;
800 u.p = ((PTR_SIZE_INT)bn_sub_words&mask) |
801 ((PTR_SIZE_INT)bn_add_words&~mask);
802 }
803 else
804 carry = 1;
805
806 mask = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_256[0],BN_NIST_256_TOP);
807 mask &= 0-(PTR_SIZE_INT)carry;
808 res = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) |
809 ((PTR_SIZE_INT)r_d&mask));
810 nist_cp_bn(r_d, res, BN_NIST_256_TOP);
811 r->top = BN_NIST_256_TOP;
812 bn_correct_top(r);
813
814 return 1;
815 }
816
817 #define nist_set_384(to,from,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12) \
818 { \
819 bn_cp_32(to, 0, from, (a12) - 12) \
820 bn_cp_32(to, 1, from, (a11) - 12) \
821 bn_cp_32(to, 2, from, (a10) - 12) \
822 bn_cp_32(to, 3, from, (a9) - 12) \
823 bn_cp_32(to, 4, from, (a8) - 12) \
824 bn_cp_32(to, 5, from, (a7) - 12) \
825 bn_cp_32(to, 6, from, (a6) - 12) \
826 bn_cp_32(to, 7, from, (a5) - 12) \
827 bn_cp_32(to, 8, from, (a4) - 12) \
828 bn_cp_32(to, 9, from, (a3) - 12) \
829 bn_cp_32(to, 10, from, (a2) - 12) \
830 bn_cp_32(to, 11, from, (a1) - 12) \
831 }
832
833 int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
834 BN_CTX *ctx)
835 {
836 int i, top = a->top;
837 int carry = 0;
838 register BN_ULONG *r_d, *a_d = a->d;
839 union {
840 BN_ULONG bn[BN_NIST_384_TOP];
841 unsigned int ui[BN_NIST_384_TOP*sizeof(BN_ULONG)/sizeof(unsigned int)];
842 } buf;
843 BN_ULONG c_d[BN_NIST_384_TOP],
844 *res;
845 PTR_SIZE_INT mask;
846 union { bn_addsub_f f; PTR_SIZE_INT p; } u;
847 static const BIGNUM _bignum_nist_p_384_sqr = {
848 (BN_ULONG *)_nist_p_384_sqr,
849 sizeof(_nist_p_384_sqr)/sizeof(_nist_p_384_sqr[0]),
850 sizeof(_nist_p_384_sqr)/sizeof(_nist_p_384_sqr[0]),
851 0,BN_FLG_STATIC_DATA };
852
853
854 field = &_bignum_nist_p_384; /* just to make sure */
855
856 if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_384_sqr)>=0)
857 return BN_nnmod(r, a, field, ctx);
858
859 i = BN_ucmp(field, a);
860 if (i == 0)
861 {
862 BN_zero(r);
863 return 1;
864 }
865 else if (i > 0)
866 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
867
868 if (r != a)
869 {
870 if (!bn_wexpand(r, BN_NIST_384_TOP))
871 return 0;
872 r_d = r->d;
873 nist_cp_bn(r_d, a_d, BN_NIST_384_TOP);
874 }
875 else
876 r_d = a_d;
877
878 nist_cp_bn_0(buf.bn, a_d + BN_NIST_384_TOP, top - BN_NIST_384_TOP, BN_NI ST_384_TOP);
879
880 #if defined(NIST_INT64)
881 {
882 NIST_INT64 acc; /* accumulator */
883 unsigned int *rp=(unsigned int *)r_d;
884 const unsigned int *bp=(const unsigned int *)buf.ui;
885
886 acc = rp[0]; acc += bp[12-12];
887 acc += bp[21-12];
888 acc += bp[20-12];
889 acc -= bp[23-12]; rp[0] = (unsigned int)acc; acc >>= 32;
890
891 acc += rp[1]; acc += bp[13-12];
892 acc += bp[22-12];
893 acc += bp[23-12];
894 acc -= bp[12-12];
895 acc -= bp[20-12]; rp[1] = (unsigned int)acc; acc >>= 32;
896
897 acc += rp[2]; acc += bp[14-12];
898 acc += bp[23-12];
899 acc -= bp[13-12];
900 acc -= bp[21-12]; rp[2] = (unsigned int)acc; acc >>= 32;
901
902 acc += rp[3]; acc += bp[15-12];
903 acc += bp[12-12];
904 acc += bp[20-12];
905 acc += bp[21-12];
906 acc -= bp[14-12];
907 acc -= bp[22-12];
908 acc -= bp[23-12]; rp[3] = (unsigned int)acc; acc >>= 32;
909
910 acc += rp[4]; acc += bp[21-12];
911 acc += bp[21-12];
912 acc += bp[16-12];
913 acc += bp[13-12];
914 acc += bp[12-12];
915 acc += bp[20-12];
916 acc += bp[22-12];
917 acc -= bp[15-12];
918 acc -= bp[23-12];
919 acc -= bp[23-12]; rp[4] = (unsigned int)acc; acc >>= 32;
920
921 acc += rp[5]; acc += bp[22-12];
922 acc += bp[22-12];
923 acc += bp[17-12];
924 acc += bp[14-12];
925 acc += bp[13-12];
926 acc += bp[21-12];
927 acc += bp[23-12];
928 acc -= bp[16-12]; rp[5] = (unsigned int)acc; acc >>= 32;
929
930 acc += rp[6]; acc += bp[23-12];
931 acc += bp[23-12];
932 acc += bp[18-12];
933 acc += bp[15-12];
934 acc += bp[14-12];
935 acc += bp[22-12];
936 acc -= bp[17-12]; rp[6] = (unsigned int)acc; acc >>= 32;
937
938 acc += rp[7]; acc += bp[19-12];
939 acc += bp[16-12];
940 acc += bp[15-12];
941 acc += bp[23-12];
942 acc -= bp[18-12]; rp[7] = (unsigned int)acc; acc >>= 32;
943
944 acc += rp[8]; acc += bp[20-12];
945 acc += bp[17-12];
946 acc += bp[16-12];
947 acc -= bp[19-12]; rp[8] = (unsigned int)acc; acc >>= 32;
948
949 acc += rp[9]; acc += bp[21-12];
950 acc += bp[18-12];
951 acc += bp[17-12];
952 acc -= bp[20-12]; rp[9] = (unsigned int)acc; acc >>= 32;
953
954 acc += rp[10]; acc += bp[22-12];
955 acc += bp[19-12];
956 acc += bp[18-12];
957 acc -= bp[21-12]; rp[10] = (unsigned int)acc; acc >>= 32 ;
958
959 acc += rp[11]; acc += bp[23-12];
960 acc += bp[20-12];
961 acc += bp[19-12];
962 acc -= bp[22-12]; rp[11] = (unsigned int)acc;
963
964 carry = (int)(acc>>32);
965 }
966 #else
967 {
968 BN_ULONG t_d[BN_NIST_384_TOP];
969
970 /*S1*/
971 nist_set_256(t_d, buf.bn, 0, 0, 0, 0, 0, 23-4, 22-4, 21-4);
972 /* left shift */
973 {
974 register BN_ULONG *ap,t,c;
975 ap = t_d;
976 c=0;
977 for (i = 3; i != 0; --i)
978 {
979 t= *ap;
980 *(ap++)=((t<<1)|c)&BN_MASK2;
981 c=(t & BN_TBIT)?1:0;
982 }
983 *ap=c;
984 }
985 carry = (int)bn_add_words(r_d+(128/BN_BITS2), r_d+(128/BN_BITS2),
986 t_d, BN_NIST_256_TOP);
987 /*S2 */
988 carry += (int)bn_add_words(r_d, r_d, buf.bn, BN_NIST_384_TOP);
989 /*S3*/
990 nist_set_384(t_d,buf.bn,20,19,18,17,16,15,14,13,12,23,22,21);
991 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
992 /*S4*/
993 nist_set_384(t_d,buf.bn,19,18,17,16,15,14,13,12,20,0,23,0);
994 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
995 /*S5*/
996 nist_set_384(t_d, buf.bn,0,0,0,0,23,22,21,20,0,0,0,0);
997 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
998 /*S6*/
999 nist_set_384(t_d,buf.bn,0,0,0,0,0,0,23,22,21,0,0,20);
1000 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
1001 /*D1*/
1002 nist_set_384(t_d,buf.bn,22,21,20,19,18,17,16,15,14,13,12,23);
1003 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
1004 /*D2*/
1005 nist_set_384(t_d,buf.bn,0,0,0,0,0,0,0,23,22,21,20,0);
1006 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
1007 /*D3*/
1008 nist_set_384(t_d,buf.bn,0,0,0,0,0,0,0,23,23,0,0,0);
1009 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
1010
1011 }
1012 #endif
1013 /* see BN_nist_mod_224 for explanation */
1014 u.f = bn_sub_words;
1015 if (carry > 0)
1016 carry = (int)bn_sub_words(r_d,r_d,_nist_p_384[carry-1],BN_NIST_3 84_TOP);
1017 else if (carry < 0)
1018 {
1019 carry = (int)bn_add_words(r_d,r_d,_nist_p_384[-carry-1],BN_NIST_ 384_TOP);
1020 mask = 0-(PTR_SIZE_INT)carry;
1021 u.p = ((PTR_SIZE_INT)bn_sub_words&mask) |
1022 ((PTR_SIZE_INT)bn_add_words&~mask);
1023 }
1024 else
1025 carry = 1;
1026
1027 mask = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_384[0],BN_NIST_384_TOP);
1028 mask &= 0-(PTR_SIZE_INT)carry;
1029 res = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) |
1030 ((PTR_SIZE_INT)r_d&mask));
1031 nist_cp_bn(r_d, res, BN_NIST_384_TOP);
1032 r->top = BN_NIST_384_TOP;
1033 bn_correct_top(r);
1034
1035 return 1;
1036 }
1037
1038 #define BN_NIST_521_RSHIFT (521%BN_BITS2)
1039 #define BN_NIST_521_LSHIFT (BN_BITS2-BN_NIST_521_RSHIFT)
1040 #define BN_NIST_521_TOP_MASK ((BN_ULONG)BN_MASK2>>BN_NIST_521_LSHIFT)
1041
1042 int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
1043 BN_CTX *ctx)
1044 {
1045 int top = a->top, i;
1046 BN_ULONG *r_d, *a_d = a->d,
1047 t_d[BN_NIST_521_TOP],
1048 val,tmp,*res;
1049 PTR_SIZE_INT mask;
1050 static const BIGNUM _bignum_nist_p_521_sqr = {
1051 (BN_ULONG *)_nist_p_521_sqr,
1052 sizeof(_nist_p_521_sqr)/sizeof(_nist_p_521_sqr[0]),
1053 sizeof(_nist_p_521_sqr)/sizeof(_nist_p_521_sqr[0]),
1054 0,BN_FLG_STATIC_DATA };
1055
1056 field = &_bignum_nist_p_521; /* just to make sure */
1057
1058 if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_521_sqr)>=0)
1059 return BN_nnmod(r, a, field, ctx);
1060
1061 i = BN_ucmp(field, a);
1062 if (i == 0)
1063 {
1064 BN_zero(r);
1065 return 1;
1066 }
1067 else if (i > 0)
1068 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
1069
1070 if (r != a)
1071 {
1072 if (!bn_wexpand(r,BN_NIST_521_TOP))
1073 return 0;
1074 r_d = r->d;
1075 nist_cp_bn(r_d,a_d, BN_NIST_521_TOP);
1076 }
1077 else
1078 r_d = a_d;
1079
1080 /* upper 521 bits, copy ... */
1081 nist_cp_bn_0(t_d,a_d + (BN_NIST_521_TOP-1), top - (BN_NIST_521_TOP-1),BN _NIST_521_TOP);
1082 /* ... and right shift */
1083 for (val=t_d[0],i=0; i<BN_NIST_521_TOP-1; i++)
1084 {
1085 tmp = val>>BN_NIST_521_RSHIFT;
1086 val = t_d[i+1];
1087 t_d[i] = (tmp | val<<BN_NIST_521_LSHIFT) & BN_MASK2;
1088 }
1089 t_d[i] = val>>BN_NIST_521_RSHIFT;
1090 /* lower 521 bits */
1091 r_d[i] &= BN_NIST_521_TOP_MASK;
1092
1093 bn_add_words(r_d,r_d,t_d,BN_NIST_521_TOP);
1094 mask = 0-(PTR_SIZE_INT)bn_sub_words(t_d,r_d,_nist_p_521,BN_NIST_521_TOP) ;
1095 res = (BN_ULONG *)(((PTR_SIZE_INT)t_d&~mask) |
1096 ((PTR_SIZE_INT)r_d&mask));
1097 nist_cp_bn(r_d,res,BN_NIST_521_TOP);
1098 r->top = BN_NIST_521_TOP;
1099 bn_correct_top(r);
1100
1101 return 1;
1102 }
OLDNEW
« no previous file with comments | « openssl/crypto/bn/bn_mul.c ('k') | openssl/crypto/bn/bn_prime.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698