1 /* crypto/bn/bn_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #ifndef BN_DEBUG
60 # undef NDEBUG /* avoid conflicting definitions */
61 # define NDEBUG
62 #endif
63
64 #include <assert.h>
65 #include <limits.h>
66 #include <stdio.h>
67 #include "cryptlib.h"
68 #include "bn_lcl.h"
69
70 const char BN_version[]="Big Number" OPENSSL_VERSION_PTEXT;
71
72 /* This stuff appears to be completely unused, so is deprecated */
73 #ifndef OPENSSL_NO_DEPRECATED
74 /* For a 32 bit machine
75 * 2 - 4 == 128
76 * 3 - 8 == 256
77 * 4 - 16 == 512
78 * 5 - 32 == 1024
79 * 6 - 64 == 2048
80 * 7 - 128 == 4096
81 * 8 - 256 == 8192
82 */
83 static int bn_limit_bits=0;
84 static int bn_limit_num=8; /* (1<<bn_limit_bits) */
85 static int bn_limit_bits_low=0;
86 static int bn_limit_num_low=8; /* (1<<bn_limit_bits_low) */
87 static int bn_limit_bits_high=0;
88 static int bn_limit_num_high=8; /* (1<<bn_limit_bits_high) */
89 static int bn_limit_bits_mont=0;
90 static int bn_limit_num_mont=8; /* (1<<bn_limit_bits_mont) */
91
92 void BN_set_params(int mult, int high, int low, int mont)
93 {
94 if (mult >= 0)
95 {
96 if (mult > (int)(sizeof(int)*8)-1)
97 mult=sizeof(int)*8-1;
98 bn_limit_bits=mult;
99 bn_limit_num=1<<mult;
100 }
101 if (high >= 0)
102 {
103 if (high > (int)(sizeof(int)*8)-1)
104 high=sizeof(int)*8-1;
105 bn_limit_bits_high=high;
106 bn_limit_num_high=1<<high;
107 }
108 if (low >= 0)
109 {
110 if (low > (int)(sizeof(int)*8)-1)
111 low=sizeof(int)*8-1;
112 bn_limit_bits_low=low;
113 bn_limit_num_low=1<<low;
114 }
115 if (mont >= 0)
116 {
117 if (mont > (int)(sizeof(int)*8)-1)
118 mont=sizeof(int)*8-1;
119 bn_limit_bits_mont=mont;
120 bn_limit_num_mont=1<<mont;
121 }
122 }
123
124 int BN_get_params(int which)
125 {
126 if (which == 0) return(bn_limit_bits);
127 else if (which == 1) return(bn_limit_bits_high);
128 else if (which == 2) return(bn_limit_bits_low);
129 else if (which == 3) return(bn_limit_bits_mont);
130 else return(0);
131 }
132 #endif
133
134 const BIGNUM *BN_value_one(void)
135 {
136 static const BN_ULONG data_one=1L;
137 static const BIGNUM const_one={(BN_ULONG *)&data_one,1,1,0,BN_FLG_STATIC_DATA};
138
139 return(&const_one);
140 }
141
142 int BN_num_bits_word(BN_ULONG l)
143 {
144 static const unsigned char bits[256]={
145 0,1,2,2,3,3,3,3,4,4,4,4,4,4,4,4,
146 5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,
147 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
148 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
149 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
150 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
151 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
152 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
153 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
154 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
155 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
156 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
157 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
158 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
159 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
160 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
161 };
162
163 #if defined(SIXTY_FOUR_BIT_LONG)
164 if (l & 0xffffffff00000000L)
165 {
166 if (l & 0xffff000000000000L)
167 {
168 if (l & 0xff00000000000000L)
169 {
170 return(bits[(int)(l>>56)]+56);
171 }
172 else return(bits[(int)(l>>48)]+48);
173 }
174 else
175 {
176 if (l & 0x0000ff0000000000L)
177 {
178 return(bits[(int)(l>>40)]+40);
179 }
180 else return(bits[(int)(l>>32)]+32);
181 }
182 }
183 else
184 #else
185 #ifdef SIXTY_FOUR_BIT
186 if (l & 0xffffffff00000000LL)
187 {
188 if (l & 0xffff000000000000LL)
189 {
190 if (l & 0xff00000000000000LL)
191 {
192 return(bits[(int)(l>>56)]+56);
193 }
194 else return(bits[(int)(l>>48)]+48);
195 }
196 else
197 {
198 if (l & 0x0000ff0000000000LL)
199 {
200 return(bits[(int)(l>>40)]+40);
201 }
202 else return(bits[(int)(l>>32)]+32);
203 }
204 }
205 else
206 #endif
207 #endif
208 {
209 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
210 if (l & 0xffff0000L)
211 {
212 if (l & 0xff000000L)
213 return(bits[(int)(l>>24L)]+24);
214 else return(bits[(int)(l>>16L)]+16);
215 }
216 else
217 #endif
218 {
219 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
220 if (l & 0xff00L)
221 return(bits[(int)(l>>8)]+8);
222 else
223 #endif
224 return(bits[(int)(l )] );
225 }
226 }
227 }
228
229 int BN_num_bits(const BIGNUM *a)
230 {
231 int i = a->top - 1;
232 bn_check_top(a);
233
234 if (BN_is_zero(a)) return 0;
235 return ((i*BN_BITS2) + BN_num_bits_word(a->d[i]));
236 }
237
238 void BN_clear_free(BIGNUM *a)
239 {
240 int i;
241
242 if (a == NULL) return;
243 bn_check_top(a);
244 if (a->d != NULL)
245 {
246 OPENSSL_cleanse(a->d,a->dmax*sizeof(a->d[0]));
247 if (!(BN_get_flags(a,BN_FLG_STATIC_DATA)))
248 OPENSSL_free(a->d);
249 }
250 i=BN_get_flags(a,BN_FLG_MALLOCED);
251 OPENSSL_cleanse(a,sizeof(BIGNUM));
252 if (i)
253 OPENSSL_free(a);
254 }
255
256 void BN_free(BIGNUM *a)
257 {
258 if (a == NULL) return;
259 bn_check_top(a);
260 if ((a->d != NULL) && !(BN_get_flags(a,BN_FLG_STATIC_DATA)))
261 OPENSSL_free(a->d);
262 if (a->flags & BN_FLG_MALLOCED)
263 OPENSSL_free(a);
264 else
265 {
266 #ifndef OPENSSL_NO_DEPRECATED
267 a->flags|=BN_FLG_FREE;
268 #endif
269 a->d = NULL;
270 }
271 }
272
273 void BN_init(BIGNUM *a)
274 {
275 memset(a,0,sizeof(BIGNUM));
276 bn_check_top(a);
277 }
278
279 BIGNUM *BN_new(void)
280 {
281 BIGNUM *ret;
282
283 if ((ret=(BIGNUM *)OPENSSL_malloc(sizeof(BIGNUM))) == NULL)
284 {
285 BNerr(BN_F_BN_NEW,ERR_R_MALLOC_FAILURE);
286 return(NULL);
287 }
288 ret->flags=BN_FLG_MALLOCED;
289 ret->top=0;
290 ret->neg=0;
291 ret->dmax=0;
292 ret->d=NULL;
293 bn_check_top(ret);
294 return(ret);
295 }
296
297 /* This is used both by bn_expand2() and bn_dup_expand() */
298 /* The caller MUST check that words > b->dmax before calling this */
299 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
300 {
301 BN_ULONG *A,*a = NULL;
302 const BN_ULONG *B;
303 int i;
304
305 bn_check_top(b);
306
307 if (words > (INT_MAX/(4*BN_BITS2)))
308 {
309 BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_BIGNUM_TOO_LONG);
310 return NULL;
311 }
312 if (BN_get_flags(b,BN_FLG_STATIC_DATA))
313 {
314 BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
315 return(NULL);
316 }
317 a=A=(BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG)*words);
318 if (A == NULL)
319 {
320 BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE);
321 return(NULL);
322 }
323 #ifdef PURIFY
324 /* Valgrind complains in BN_consttime_swap because we process the whole
325 * array even if it's not initialised yet. This doesn't matter in that
326 * function - what's important is constant time operation (we're not
327 * actually going to use the data)
328 */
329 memset(a, 0, sizeof(BN_ULONG)*words);
330 #endif
331
332 #if 1
333 B=b->d;
334 /* Check if the previous number needs to be copied */
335 if (B != NULL)
336 {
337 for (i=b->top>>2; i>0; i--,A+=4,B+=4)
338 {
339 /*
340 * The fact that the loop is unrolled
341 * 4-wise is a tribute to Intel. It's
342 * the one that doesn't have enough
343 * registers to accomodate more data.
344 * I'd unroll it 8-wise otherwise:-)
345 *
346 * <appro@fy.chalmers.se>
347 */
348 BN_ULONG a0,a1,a2,a3;
349 a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
350 A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
351 }
352 switch (b->top&3)
353 {
354 case 3: A[2]=B[2];
355 case 2: A[1]=B[1];
356 case 1: A[0]=B[0];
357 case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does
358 * the switch table by doing a=top&3; a--; goto jump_table[a];
359 * which fails for top== 0 */
360 ;
361 }
362 }
363
364 #else
365 memset(A,0,sizeof(BN_ULONG)*words);
366 memcpy(A,b->d,sizeof(b->d[0])*b->top);
367 #endif
368
369 return(a);
370 }
371
372 /* This is an internal function that can be used instead of bn_expand2()
373 * when there is a need to copy BIGNUMs instead of only expanding the
374 * data part, while still expanding them.
375 * Especially useful when needing to expand BIGNUMs that are declared
376 * 'const' and should therefore not be changed.
377 * The reason to use this instead of a BN_dup() followed by a bn_expand2()
378 * is memory allocation overhead. A BN_dup() followed by a bn_expand2()
379 * will allocate new memory for the BIGNUM data twice, and free it once,
380 * while bn_dup_expand() makes sure allocation is made only once.
381 */
382
383 #ifndef OPENSSL_NO_DEPRECATED
384 BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
385 {
386 BIGNUM *r = NULL;
387
388 bn_check_top(b);
389
390 /* This function does not work if
391 * words <= b->dmax && top < words
392 * because BN_dup() does not preserve 'dmax'!
393 * (But bn_dup_expand() is not used anywhere yet.)
394 */
395
396 if (words > b->dmax)
397 {
398 BN_ULONG *a = bn_expand_internal(b, words);
399
400 if (a)
401 {
402 r = BN_new();
403 if (r)
404 {
405 r->top = b->top;
406 r->dmax = words;
407 r->neg = b->neg;
408 r->d = a;
409 }
410 else
411 {
412 /* r == NULL, BN_new failure */
413 OPENSSL_free(a);
414 }
415 }
416 /* If a == NULL, there was an error in allocation in
417 bn_expand_internal(), and NULL should be returned */
418 }
419 else
420 {
421 r = BN_dup(b);
422 }
423
424 bn_check_top(r);
425 return r;
426 }
427 #endif
428
429 /* This is an internal function that should not be used in applications.
430 * It ensures that 'b' has enough room for a 'words' word number
431 * and initialises any unused part of b->d with leading zeros.
432 * It is mostly used by the various BIGNUM routines. If there is an error,
433 * NULL is returned. If not, 'b' is returned. */
434
435 BIGNUM *bn_expand2(BIGNUM *b, int words)
436 {
437 bn_check_top(b);
438
439 if (words > b->dmax)
440 {
441 BN_ULONG *a = bn_expand_internal(b, words);
442 if(!a) return NULL;
443 if(b->d) OPENSSL_free(b->d);
444 b->d=a;
445 b->dmax=words;
446 }
447
448 /* None of this should be necessary because of what b->top means! */
449 #if 0
450 /* NB: bn_wexpand() calls this only if the BIGNUM really has to grow */
451 if (b->top < b->dmax)
452 {
453 int i;
454 BN_ULONG *A = &(b->d[b->top]);
455 for (i=(b->dmax - b->top)>>3; i>0; i--,A+=8)
456 {
457 A[0]=0; A[1]=0; A[2]=0; A[3]=0;
458 A[4]=0; A[5]=0; A[6]=0; A[7]=0;
459 }
460 for (i=(b->dmax - b->top)&7; i>0; i--,A++)
461 A[0]=0;
462 assert(A == &(b->d[b->dmax]));
463 }
464 #endif
465 bn_check_top(b);
466 return b;
467 }
468
469 BIGNUM *BN_dup(const BIGNUM *a)
470 {
471 BIGNUM *t;
472
473 if (a == NULL) return NULL;
474 bn_check_top(a);
475
476 t = BN_new();
477 if (t == NULL) return NULL;
478 if(!BN_copy(t, a))
479 {
480 BN_free(t);
481 return NULL;
482 }
483 bn_check_top(t);
484 return t;
485 }
486
487 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
488 {
489 int i;
490 BN_ULONG *A;
491 const BN_ULONG *B;
492
493 bn_check_top(b);
494
495 if (a == b) return(a);
496 if (bn_wexpand(a,b->top) == NULL) return(NULL);
497
498 #if 1
499 A=a->d;
500 B=b->d;
501 for (i=b->top>>2; i>0; i--,A+=4,B+=4)
502 {
503 BN_ULONG a0,a1,a2,a3;
504 a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
505 A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
506 }
507 switch (b->top&3)
508 {
509 case 3: A[2]=B[2];
510 case 2: A[1]=B[1];
511 case 1: A[0]=B[0];
512 case 0: ; /* ultrix cc workaround, see comments in bn_expand_internal */
513 }
514 #else
515 memcpy(a->d,b->d,sizeof(b->d[0])*b->top);
516 #endif
517
518 a->top=b->top;
519 a->neg=b->neg;
520 bn_check_top(a);
521 return(a);
522 }
523
524 void BN_swap(BIGNUM *a, BIGNUM *b)
525 {
526 int flags_old_a, flags_old_b;
527 BN_ULONG *tmp_d;
528 int tmp_top, tmp_dmax, tmp_neg;
529
530 bn_check_top(a);
531 bn_check_top(b);
532
533 flags_old_a = a->flags;
534 flags_old_b = b->flags;
535
536 tmp_d = a->d;
537 tmp_top = a->top;
538 tmp_dmax = a->dmax;
539 tmp_neg = a->neg;
540
541 a->d = b->d;
542 a->top = b->top;
543 a->dmax = b->dmax;
544 a->neg = b->neg;
545
546 b->d = tmp_d;
547 b->top = tmp_top;
548 b->dmax = tmp_dmax;
549 b->neg = tmp_neg;
550
551 a->flags = (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
552 b->flags = (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
553 bn_check_top(a);
554 bn_check_top(b);
555 }
556
557 void BN_clear(BIGNUM *a)
558 {
559 bn_check_top(a);
560 if (a->d != NULL)
561 memset(a->d,0,a->dmax*sizeof(a->d[0]));
562 a->top=0;
563 a->neg=0;
564 }
565
566 BN_ULONG BN_get_word(const BIGNUM *a)
567 {
568 if (a->top > 1)
569 return BN_MASK2;
570 else if (a->top == 1)
571 return a->d[0];
572 /* a->top == 0 */
573 return 0;
574 }
575
576 int BN_set_word(BIGNUM *a, BN_ULONG w)
577 {
578 bn_check_top(a);
579 if (bn_expand(a,(int)sizeof(BN_ULONG)*8) == NULL) return(0);
580 a->neg = 0;
581 a->d[0] = w;
582 a->top = (w ? 1 : 0);
583 bn_check_top(a);
584 return(1);
585 }
586
587 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
588 {
589 unsigned int i,m;
590 unsigned int n;
591 BN_ULONG l;
592 BIGNUM *bn = NULL;
593
594 if (ret == NULL)
595 ret = bn = BN_new();
596 if (ret == NULL) return(NULL);
597 bn_check_top(ret);
598 l=0;
599 n=len;
600 if (n == 0)
601 {
602 ret->top=0;
603 return(ret);
604 }
605 i=((n-1)/BN_BYTES)+1;
606 m=((n-1)%(BN_BYTES));
607 if (bn_wexpand(ret, (int)i) == NULL)
608 {
609 if (bn) BN_free(bn);
610 return NULL;
611 }
612 ret->top=i;
613 ret->neg=0;
614 while (n--)
615 {
616 l=(l<<8L)| *(s++);
617 if (m-- == 0)
618 {
619 ret->d[--i]=l;
620 l=0;
621 m=BN_BYTES-1;
622 }
623 }
624 /* need to call this due to clear byte at top if avoiding
625 * having the top bit set (-ve number) */
626 bn_correct_top(ret);
627 return(ret);
628 }
629
630 /* ignore negative */
631 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
632 {
633 int n,i;
634 BN_ULONG l;
635
636 bn_check_top(a);
637 n=i=BN_num_bytes(a);
638 while (i--)
639 {
640 l=a->d[i/BN_BYTES];
641 *(to++)=(unsigned char)(l>>(8*(i%BN_BYTES)))&0xff;
642 }
643 return(n);
644 }
645
646 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
647 {
648 int i;
649 BN_ULONG t1,t2,*ap,*bp;
650
651 bn_check_top(a);
652 bn_check_top(b);
653
654 i=a->top-b->top;
655 if (i != 0) return(i);
656 ap=a->d;
657 bp=b->d;
658 for (i=a->top-1; i>=0; i--)
659 {
660 t1= ap[i];
661 t2= bp[i];
662 if (t1 != t2)
663 return((t1 > t2) ? 1 : -1);
664 }
665 return(0);
666 }
667
668 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
669 {
670 int i;
671 int gt,lt;
672 BN_ULONG t1,t2;
673
674 if ((a == NULL) || (b == NULL))
675 {
676 if (a != NULL)
677 return(-1);
678 else if (b != NULL)
679 return(1);
680 else
681 return(0);
682 }
683
684 bn_check_top(a);
685 bn_check_top(b);
686
687 if (a->neg != b->neg)
688 {
689 if (a->neg)
690 return(-1);
691 else return(1);
692 }
693 if (a->neg == 0)
694 { gt=1; lt= -1; }
695 else { gt= -1; lt=1; }
696
697 if (a->top > b->top) return(gt);
698 if (a->top < b->top) return(lt);
699 for (i=a->top-1; i>=0; i--)
700 {
701 t1=a->d[i];
702 t2=b->d[i];
703 if (t1 > t2) return(gt);
704 if (t1 < t2) return(lt);
705 }
706 return(0);
707 }
708
709 int BN_set_bit(BIGNUM *a, int n)
710 {
711 int i,j,k;
712
713 if (n < 0)
714 return 0;
715
716 i=n/BN_BITS2;
717 j=n%BN_BITS2;
718 if (a->top <= i)
719 {
720 if (bn_wexpand(a,i+1) == NULL) return(0);
721 for(k=a->top; k<i+1; k++)
722 a->d[k]=0;
723 a->top=i+1;
724 }
725
726 a->d[i]|=(((BN_ULONG)1)<<j);
727 bn_check_top(a);
728 return(1);
729 }
730
731 int BN_clear_bit(BIGNUM *a, int n)
732 {
733 int i,j;
734
735 bn_check_top(a);
736 if (n < 0) return 0;
737
738 i=n/BN_BITS2;
739 j=n%BN_BITS2;
740 if (a->top <= i) return(0);
741
742 a->d[i]&=(~(((BN_ULONG)1)<<j));
743 bn_correct_top(a);
744 return(1);
745 }
746
747 int BN_is_bit_set(const BIGNUM *a, int n)
748 {
749 int i,j;
750
751 bn_check_top(a);
752 if (n < 0) return 0;
753 i=n/BN_BITS2;
754 j=n%BN_BITS2;
755 if (a->top <= i) return 0;
756 return (int)(((a->d[i])>>j)&((BN_ULONG)1));
757 }
758
759 int BN_mask_bits(BIGNUM *a, int n)
760 {
761 int b,w;
762
763 bn_check_top(a);
764 if (n < 0) return 0;
765
766 w=n/BN_BITS2;
767 b=n%BN_BITS2;
768 if (w >= a->top) return 0;
769 if (b == 0)
770 a->top=w;
771 else
772 {
773 a->top=w+1;
774 a->d[w]&= ~(BN_MASK2<<b);
775 }
776 bn_correct_top(a);
777 return(1);
778 }
779
780 void BN_set_negative(BIGNUM *a, int b)
781 {
782 if (b && !BN_is_zero(a))
783 a->neg = 1;
784 else
785 a->neg = 0;
786 }
787
788 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
789 {
790 int i;
791 BN_ULONG aa,bb;
792
793 aa=a[n-1];
794 bb=b[n-1];
795 if (aa != bb) return((aa > bb)?1:-1);
796 for (i=n-2; i>=0; i--)
797 {
798 aa=a[i];
799 bb=b[i];
800 if (aa != bb) return((aa > bb)?1:-1);
801 }
802 return(0);
803 }
804
805 /* Here follows a specialised variants of bn_cmp_words(). It has the
806 property of performing the operation on arrays of different sizes.
807 The sizes of those arrays is expressed through cl, which is the
808 common length ( basicall, min(len(a),len(b)) ), and dl, which is the
809 delta between the two lengths, calculated as len(a)-len(b).
810 All lengths are the number of BN_ULONGs... */
811
812 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
813 int cl, int dl)
814 {
815 int n,i;
816 n = cl-1;
817
818 if (dl < 0)
819 {
820 for (i=dl; i<0; i++)
821 {
822 if (b[n-i] != 0)
823 return -1; /* a < b */
824 }
825 }
826 if (dl > 0)
827 {
828 for (i=dl; i>0; i--)
829 {
830 if (a[n+i] != 0)
831 return 1; /* a > b */
832 }
833 }
834 return bn_cmp_words(a,b,cl);
835 }
836
837 /*
838 * Constant-time conditional swap of a and b.
839 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
840 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
841 * and that no more than nwords are used by either a or b.
842 * a and b cannot be the same number
843 */
844 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
845 {
846 BN_ULONG t;
847 int i;
848
849 bn_wcheck_size(a, nwords);
850 bn_wcheck_size(b, nwords);
851
852 assert(a != b);
853 assert((condition & (condition - 1)) == 0);
854 assert(sizeof(BN_ULONG) >= sizeof(int));
855
856 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
857
858 t = (a->top^b->top) & condition;
859 a->top ^= t;
860 b->top ^= t;
861
862 #define BN_CONSTTIME_SWAP(ind) \
863 do { \
864 t = (a->d[ind] ^ b->d[ind]) & condition; \
865 a->d[ind] ^= t; \
866 b->d[ind] ^= t; \
867 } while (0)
868
869
870 switch (nwords) {
871 default:
872 for (i = 10; i < nwords; i++)
873 BN_CONSTTIME_SWAP(i);
874 /* Fallthrough */
875 case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
876 case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
877 case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
878 case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
879 case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
880 case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
881 case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
882 case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
883 case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
884 case 1: BN_CONSTTIME_SWAP(0);
885 }
886 #undef BN_CONSTTIME_SWAP
887 }