/* $OpenBSD: bn_exp.c,v 1.23 2015/09/10 15:56:25 jsing Exp $ */

/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

 * All rights reserved.

 *

 * This package is an SSL implementation written

 * by Eric Young (eay@cryptsoft.com).

 * The implementation was written so as to conform with Netscapes SSL.

 *

 * This library is free for commercial and non-commercial use as long as

 * the following conditions are aheared to.  The following conditions

 * apply to all code found in this distribution, be it the RC4, RSA,

 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

 * included with this distribution is covered by the same copyright terms

 * except that the holder is Tim Hudson (tjh@cryptsoft.com).

 *

 * Copyright remains Eric Young's, and as such any Copyright notices in

 * the code are not to be removed.

 * If this package is used in a product, Eric Young should be given attribution

 * as the author of the parts of the library used.

 * This can be in the form of a textual message at program startup or

 * in documentation (online or textual) provided with the package.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 * 1. Redistributions of source code must retain the copyright

 *    notice, this list of conditions and the following disclaimer.

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in the

 *    documentation and/or other materials provided with the distribution.

 * 3. All advertising materials mentioning features or use of this software

 *    must display the following acknowledgement:

 *    "This product includes cryptographic software written by

 *     Eric Young (eay@cryptsoft.com)"

 *    The word 'cryptographic' can be left out if the rouines from the library

 *    being used are not cryptographic related :-).

 * 4. If you include any Windows specific code (or a derivative thereof) from

 *    the apps directory (application code) you must include an acknowledgement:

 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

 *

 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

 * SUCH DAMAGE.

 *

 * The licence and distribution terms for any publically available version or

 * derivative of this code cannot be changed.  i.e. this code cannot simply be

 * copied and put under another distribution licence

 * [including the GNU Public Licence.]

 */

/* ====================================================================

 * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 *

 * 1. Redistributions of source code must retain the above copyright

 *    notice, this list of conditions and the following disclaimer.

 *

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in

 *    the documentation and/or other materials provided with the

 *    distribution.

 *

 * 3. All advertising materials mentioning features or use of this

 *    software must display the following acknowledgment:

 *    "This product includes software developed by the OpenSSL Project

 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

 *

 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

 *    endorse or promote products derived from this software without

 *    prior written permission. For written permission, please contact

 *    openssl-core@openssl.org.

 *

 * 5. Products derived from this software may not be called "OpenSSL"

 *    nor may "OpenSSL" appear in their names without prior written

 *    permission of the OpenSSL Project.

 *

 * 6. Redistributions of any form whatsoever must retain the following

 *    acknowledgment:

 *    "This product includes software developed by the OpenSSL Project

 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

 *

 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

 * OF THE POSSIBILITY OF SUCH DAMAGE.

 * ====================================================================

 *

 * This product includes cryptographic software written by Eric Young

 * (eay@cryptsoft.com).  This product includes software written by Tim

 * Hudson (tjh@cryptsoft.com).

 *

 */

#include <stdlib.h>

#include <string.h>

#include <openssl/err.h>

#include "bn_lcl.h"

/* maximum precomputation table size for *variable* sliding windows */

#define TABLE_SIZE	32

/* this one works - simple but works */

int

BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)

	BIGNUM *v, *rr;

		/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */

	}

	else

	} else {

	}

		}

	}

	bn_check_top(r);

}

int

BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,

    BN_CTX *ctx)

	int ret;

	bn_check_top(a);

	bn_check_top(p);

	bn_check_top(m);

	/* For even modulus  m = 2^k*m_odd,  it might make sense to compute

	 * a^p mod m_odd  and  a^p mod 2^k  separately (with Montgomery

	 * exponentiation for the odd part), using appropriate exponent

	 * reductions, and combine the results using the CRT.

	 *

	 * For now, we use Montgomery only if the modulus is odd; otherwise,

	 * exponentiation using the reciprocal-based quick remaindering

	 * algorithm is used.

	 *

	 * (Timing obtained with expspeed.c [computations  a^p mod m

	 * where  a, p, m  are of the same length: 256, 512, 1024, 2048,

	 * 4096, 8192 bits], compared to the running time of the

	 * standard algorithm:

	 *

	 *   BN_mod_exp_mont   33 .. 40 %  [AMD K6-2, Linux, debug configuration]

         *                     55 .. 77 %  [UltraSparc processor, but

	 *                                  debug-solaris-sparcv8-gcc conf.]

	 *

	 *   BN_mod_exp_recp   50 .. 70 %  [AMD K6-2, Linux, debug configuration]

	 *                     62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc]

	 *

	 * On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont

	 * at 2048 and more bits, but at 512 and 1024 bits, it was

	 * slower even than the standard algorithm!

	 *

	 * "Real" timings [linux-elf, solaris-sparcv9-gcc configurations]

	 * should be obtained when the new Montgomery reduction code

	 * has been integrated into OpenSSL.)

	 */

#define MONT_MUL_MOD

#define MONT_EXP_WORD

#define RECP_MUL_MOD

#ifdef MONT_MUL_MOD

	/* I have finally been able to take out this pre-condition of

	 * the top bit being set.  It was caused by an error in BN_div

	 * with negatives.  There was also another problem when for a^b%m

	 * a >= m.  eay 07-May-97 */

/*	if ((m->d[m->top-1]&BN_TBIT) && BN_is_odd(m)) */

#  ifdef MONT_EXP_WORD

		    (BN_get_flags(p, BN_FLG_CONSTTIME) == 0)) {

		} else

#  endif

	} else

#endif

#ifdef RECP_MUL_MOD

	{

	}

#else

	{

		ret = BN_mod_exp_simple(r, a,p, m, ctx);

	}

#endif

	bn_check_top(r);

}

int

BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,

    BN_CTX *ctx)

	BIGNUM *aa;

	/* Table of variables obtained from 'ctx' */

	BIGNUM *val[TABLE_SIZE];

	BN_RECP_CTX recp;

		/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */

	}

	}

		/* ignore sign of 'm' */

	} else {

	}

	}

			    !BN_mod_mul_reciprocal(val[i], val[i - 1],

			    aa, &recp, ctx))

				goto err;

		}

	}

				 * when there is only the value '1' in the

				 * buffer. */

	for (;;) {

		}

		/* We now have wstart on a 'set' bit, we now need to work out

		 * how bit a window to do.  To do this we need to scan

		 * forward until the last set bit before the end of the

		 * window */

			}

		}

		/* wend is the size of the current window */

		/* add the 'bytes above' */

			}

		/* wvalue will be an odd number < 2^window */

		/* move the 'window' down further */

	}

	bn_check_top(r);

}

int

BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,

    BN_CTX *ctx, BN_MONT_CTX *in_mont)

	BIGNUM *d, *r;

	const BIGNUM *aa;

	/* Table of variables obtained from 'ctx' */

	BIGNUM *val[TABLE_SIZE];

	}

	bn_check_top(a);

	bn_check_top(p);

	bn_check_top(m);

	}

	}

	/* If this is not done, things will break in the montgomery

	 * part */

	else {

	}

	} else

	}

			    !BN_mod_mul_montgomery(val[i], val[i - 1],

			    d, mont, ctx))

				goto err;

		}

	}

				 * when there is only the value '1' in the

				 * buffer. */

	for (;;) {

			}

		}

		/* We now have wstart on a 'set' bit, we now need to work out

		 * how bit a window to do.  To do this we need to scan

		 * forward until the last set bit before the end of the

		 * window */

			}

		}

		/* wend is the size of the current window */

		/* add the 'bytes above' */

			}

		/* wvalue will be an odd number < 2^window */

		/* move the 'window' down further */

	}

	bn_check_top(rr);

}

/* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout

 * so that accessing any of these table values shows the same access pattern as far

 * as cache lines are concerned.  The following functions are used to transfer a BIGNUM

 * from/to that table. */

static int

MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top, unsigned char *buf,

    int idx, int width)

	size_t i, j;

	}

}

static int

MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx,

    int width)

	size_t i, j;

	}

}

/* Given a pointer value, compute the next address that is a cache line multiple. */

#define MOD_EXP_CTIME_ALIGN(x_) \

	((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((size_t)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))

/* This variant of BN_mod_exp_mont() uses fixed windows and the special

 * precomputation memory layout to limit data-dependency to a minimum

 * to protect secret exponents (cf. the hyper-threading timing attacks

 * pointed out by Colin Percival,

 * http://www.daemonology.net/hyperthreading-considered-harmful/)

 */

int

BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,

    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)

	int top;

	int numPowers;

	BIGNUM tmp, am;

	bn_check_top(a);

	bn_check_top(p);

	bn_check_top(m);

		    BN_R_CALLED_WITH_EVEN_MODULUS);

	}

	}

	/* Allocate a montgomery context if it was not supplied by the caller.

	 * If this is not done, things will break in the montgomery part.

 	 */

	else {

	}

	/* Get the window size to use with size of p. */

#if defined(OPENSSL_BN_ASM_MONT5)

#endif

	/* Allocate a buffer large enough to hold all of the pre-computed

	 * powers of am, am itself and tmp.

	 */

	    ((2*top) > numPowers ? (2*top) : numPowers));

	    MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)

	/* lay down tmp and am right after powers table */

	/* prepare a^0 in Montgomery domain */

#if 1

#else

	tmp.d[0] = (0 - m - >d[0]) & BN_MASK2;	/* 2^(top*BN_BITS2) - m */

	for (i = 1; i < top; i++)

		tmp.d[i] = (~m->d[i]) & BN_MASK2;

	tmp.top = top;

#endif

	/* prepare a^1 in Montgomery domain */

#if defined(OPENSSL_BN_ASM_MONT5)

	/* This optimization uses ideas from http://eprint.iacr.org/2011/239,

	 * specifically optimization of cache-timing attack countermeasures

	 * and pre-computation optimization. */

	/* Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as

	 * 512-bit RSA is hardly relevant, we omit it to spare size... */

		void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap,

		    const void *table, const BN_ULONG *np,

		    const BN_ULONG *n0, int num, int power);

		void bn_scatter5(const BN_ULONG *inp, size_t num,

		    void *table, size_t power);

		void bn_gather5(BN_ULONG *out, size_t num,

		    void *table, size_t power);

		/* BN_to_montgomery can contaminate words above .top

		 * [in BN_DEBUG[_DEBUG] build]... */

#if 0

		for (i = 3; i < 32; i++) {

			/* Calculate a^i = a^(i-1) * a */

			bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np,

			    n0, top, i - 1);

			bn_scatter5(tmp.d, top, powerbuf, i);

		}

#else

		/* same as above, but uses squaring for 1/2 of operations */

		}

			int j;

			    n0, top, i - 1);

			}

		}

			    n0, top, i - 1);

		}

			    n0, top, i - 1);

		}

#endif

		/* Scan the exponent one window at a time starting from the most

		 * significant bits.

		 */

		}

	} else

#endif

	{

		    numPowers))

		    numPowers))

		/* If the window size is greater than 1, then calculate

		 * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)

		 * (even powers could instead be computed as (a^(i/2))^2

		 * to use the slight performance advantage of sqr over mul).

		 */

			    2, numPowers))

				/* Calculate a^i = a^(i-1) * a */

				    mont, ctx))

				    powerbuf, i, numPowers))

			}

		}

		    wvalue, numPowers))

		/* Scan the exponent one window at a time starting from the most

		 * significant bits.

		 */

			/* Scan the window, squaring the result as we go */

				    mont, ctx))

			}

			/* Fetch the appropriate pre-computed value from the pre-buf */

			    wvalue, numPowers))

			/* Multiply the result into the intermediate result */

		}

	}

	/* Convert the final result from montgomery to standard format */

	}

}

int

BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m,

    BN_CTX *ctx, BN_MONT_CTX *in_mont)

	int r_is_one;

	BN_ULONG w, next_w;

	BIGNUM *d, *r, *t;

	BIGNUM *swap_tmp;

#define BN_MOD_MUL_WORD(r, w, m) \

		(BN_mul_word(r, (w)) && \

		(/* BN_ucmp(r, (m)) < 0 ? 1 :*/  \

			(BN_mod(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))

		/* BN_MOD_MUL_WORD is only used with 'w' large,

		 * so the BN_ucmp test is probably more overhead

		 * than always using BN_mod (which uses BN_copy if

		 * a similar test returns true). */

		/* We can use BN_mod and do not need BN_nnmod because our

		 * accumulator is never negative (the result of BN_mod does

		 * not depend on the sign of the modulus).

		 */

#define BN_TO_MONTGOMERY_WORD(r, w, mont) \

		(BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))

		/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */

		    ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

	}

	bn_check_top(p);

	bn_check_top(m);

	}

	}

	}

	else {

	}

	/* bits-1 >= 0 */

	/* The result is accumulated in the product r*w. */

		/* First, square r*w. */

		{

					goto err;

			} else {

					goto err;

			}

		}

		}

		/* Second, multiply r*w by 'a' if exponent bit is set. */

			{

						goto err;

				} else {

						goto err;

				}

			}