GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libcrypto/bn/bn_div.c Lines: 100 107 93.5 %
Date: 2017-11-13 Branches: 82 98 83.7 %

Line Branch Exec Source
1
/* $OpenBSD: bn_div.c,v 1.25 2017/01/29 17:49:22 beck Exp $ */
2
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3
 * All rights reserved.
4
 *
5
 * This package is an SSL implementation written
6
 * by Eric Young (eay@cryptsoft.com).
7
 * The implementation was written so as to conform with Netscapes SSL.
8
 *
9
 * This library is free for commercial and non-commercial use as long as
10
 * the following conditions are aheared to.  The following conditions
11
 * apply to all code found in this distribution, be it the RC4, RSA,
12
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13
 * included with this distribution is covered by the same copyright terms
14
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15
 *
16
 * Copyright remains Eric Young's, and as such any Copyright notices in
17
 * the code are not to be removed.
18
 * If this package is used in a product, Eric Young should be given attribution
19
 * as the author of the parts of the library used.
20
 * This can be in the form of a textual message at program startup or
21
 * in documentation (online or textual) provided with the package.
22
 *
23
 * Redistribution and use in source and binary forms, with or without
24
 * modification, are permitted provided that the following conditions
25
 * are met:
26
 * 1. Redistributions of source code must retain the copyright
27
 *    notice, this list of conditions and the following disclaimer.
28
 * 2. Redistributions in binary form must reproduce the above copyright
29
 *    notice, this list of conditions and the following disclaimer in the
30
 *    documentation and/or other materials provided with the distribution.
31
 * 3. All advertising materials mentioning features or use of this software
32
 *    must display the following acknowledgement:
33
 *    "This product includes cryptographic software written by
34
 *     Eric Young (eay@cryptsoft.com)"
35
 *    The word 'cryptographic' can be left out if the rouines from the library
36
 *    being used are not cryptographic related :-).
37
 * 4. If you include any Windows specific code (or a derivative thereof) from
38
 *    the apps directory (application code) you must include an acknowledgement:
39
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40
 *
41
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51
 * SUCH DAMAGE.
52
 *
53
 * The licence and distribution terms for any publically available version or
54
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55
 * copied and put under another distribution licence
56
 * [including the GNU Public Licence.]
57
 */
58
59
#include <stdio.h>
60
61
#include <openssl/opensslconf.h>
62
63
#include <openssl/bn.h>
64
#include <openssl/err.h>
65
66
#include "bn_lcl.h"
67
68
#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
69
    && !defined(BN_DIV3W)
70
# if defined(__GNUC__) && __GNUC__>=2
71
#  if defined(__i386) || defined (__i386__)
72
   /*
73
    * There were two reasons for implementing this template:
74
    * - GNU C generates a call to a function (__udivdi3 to be exact)
75
    *   in reply to ((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0 (I fail to
76
    *   understand why...);
77
    * - divl doesn't only calculate quotient, but also leaves
78
    *   remainder in %edx which we can definitely use here:-)
79
    *
80
    *					<appro@fy.chalmers.se>
81
    */
82
#undef bn_div_words
83
#  define bn_div_words(n0,n1,d0)		\
84
	({  asm volatile (			\
85
		"divl	%4"			\
86
		: "=a"(q), "=d"(rem)		\
87
		: "a"(n1), "d"(n0), "g"(d0)	\
88
		: "cc");			\
89
	    q;					\
90
	})
91
#  define REMAINDER_IS_ALREADY_CALCULATED
92
#  elif defined(__x86_64)
93
   /*
94
    * Same story here, but it's 128-bit by 64-bit division. Wow!
95
    *					<appro@fy.chalmers.se>
96
    */
97
#  undef bn_div_words
98
#  define bn_div_words(n0,n1,d0)		\
99
	({  asm volatile (			\
100
		"divq	%4"			\
101
		: "=a"(q), "=d"(rem)		\
102
		: "a"(n1), "d"(n0), "g"(d0)	\
103
		: "cc");			\
104
	    q;					\
105
	})
106
#  define REMAINDER_IS_ALREADY_CALCULATED
107
#  endif /* __<cpu> */
108
# endif /* __GNUC__ */
109
#endif /* OPENSSL_NO_ASM */
110
111
112
/* BN_div computes  dv := num / divisor,  rounding towards
113
 * zero, and sets up rm  such that  dv*divisor + rm = num  holds.
114
 * Thus:
115
 *     dv->neg == num->neg ^ divisor->neg  (unless the result is zero)
116
 *     rm->neg == num->neg                 (unless the remainder is zero)
117
 * If 'dv' or 'rm' is NULL, the respective value is not returned.
118
 */
119
static int
120
BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
121
    BN_CTX *ctx, int ct)
122
{
123
	int norm_shift, i, loop;
124
8687792
	BIGNUM *tmp, wnum, *snum, *sdiv, *res;
125
	BN_ULONG *resp, *wnump;
126
	BN_ULONG d0, d1;
127
	int num_n, div_n;
128
	int no_branch = 0;
129
130
	/* Invalid zero-padding would have particularly bad consequences
131
	 * in the case of 'num', so don't just rely on bn_check_top() for this one
132
	 * (bn_check_top() works only for BN_DEBUG builds) */
133

8662883
	if (num->top > 0 && num->d[num->top - 1] == 0) {
134
		BNerror(BN_R_NOT_INITIALIZED);
135
		return 0;
136
	}
137
138
	bn_check_top(num);
139
140
4343896
	if (ct)
141
4268991
		no_branch = 1;
142
143
	bn_check_top(dv);
144
	bn_check_top(rm);
145
	/* bn_check_top(num); */ /* 'num' has been checked already */
146
	bn_check_top(divisor);
147
148
4343896
	if (BN_is_zero(divisor)) {
149
18
		BNerror(BN_R_DIV_BY_ZERO);
150
18
		return (0);
151
	}
152
153

4418780
	if (!no_branch && BN_ucmp(num, divisor) < 0) {
154
5433
		if (rm != NULL) {
155
1659
			if (BN_copy(rm, num) == NULL)
156
				return (0);
157
		}
158
5433
		if (dv != NULL)
159
4331
			BN_zero(dv);
160
5433
		return (1);
161
	}
162
163
4338445
	BN_CTX_start(ctx);
164
4338445
	tmp = BN_CTX_get(ctx);
165
4338445
	snum = BN_CTX_get(ctx);
166
4338445
	sdiv = BN_CTX_get(ctx);
167
4338445
	if (dv == NULL)
168
634107
		res = BN_CTX_get(ctx);
169
	else
170
		res = dv;
171
4338445
	if (tmp == NULL || snum == NULL || sdiv == NULL || res == NULL)
172
		goto err;
173
174
	/* First we normalise the numbers */
175
4338445
	norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
176
4338445
	if (!(BN_lshift(sdiv, divisor, norm_shift)))
177
		goto err;
178
4338445
	sdiv->neg = 0;
179
4338445
	norm_shift += BN_BITS2;
180
4338445
	if (!(BN_lshift(snum, num, norm_shift)))
181
		goto err;
182
4338445
	snum->neg = 0;
183
184
4338445
	if (no_branch) {
185
		/* Since we don't know whether snum is larger than sdiv,
186
		 * we pad snum with enough zeroes without changing its
187
		 * value.
188
		 */
189
4268976
		if (snum->top <= sdiv->top + 1) {
190

1687573
			if (bn_wexpand(snum, sdiv->top + 2) == NULL)
191
				goto err;
192
4870044
			for (i = snum->top; i < sdiv->top + 2; i++)
193
1591266
				snum->d[i] = 0;
194
843756
			snum->top = sdiv->top + 2;
195
843756
		} else {
196

6858615
			if (bn_wexpand(snum, snum->top + 1) == NULL)
197
				goto err;
198
3425220
			snum->d[snum->top] = 0;
199
3425220
			snum->top ++;
200
		}
201
	}
202
203
4338445
	div_n = sdiv->top;
204
4338445
	num_n = snum->top;
205
4338445
	loop = num_n - div_n;
206
	/* Lets setup a 'window' into snum
207
	 * This is the part that corresponds to the current
208
	 * 'area' being divided */
209
4338445
	wnum.neg = 0;
210
4338445
	wnum.d = &(snum->d[loop]);
211
4338445
	wnum.top = div_n;
212
	/* only needed when BN_ucmp messes up the values between top and max */
213
4338445
	wnum.dmax  = snum->dmax - loop; /* so we don't step out of bounds */
214
4338445
	wnum.flags = snum->flags | BN_FLG_STATIC_DATA;
215
216
	/* Get the top 2 words of sdiv */
217
	/* div_n=sdiv->top; */
218
4338445
	d0 = sdiv->d[div_n - 1];
219
11476273
	d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
220
221
	/* pointer to the 'top' of snum */
222
4338445
	wnump = &(snum->d[num_n - 1]);
223
224
	/* Setup to 'res' */
225
4338445
	res->neg = (num->neg ^ divisor->neg);
226

8676890
	if (!bn_wexpand(res, (loop + 1)))
227
		goto err;
228
4338445
	res->top = loop - no_branch;
229
4338445
	resp = &(res->d[loop - 1]);
230
231
	/* space for temp */
232

8676890
	if (!bn_wexpand(tmp, (div_n + 1)))
233
		goto err;
234
235
4338445
	if (!no_branch) {
236
69469
		if (BN_ucmp(&wnum, sdiv) >= 0) {
237
			/* If BN_DEBUG_RAND is defined BN_ucmp changes (via
238
			 * bn_pollute) the const bignum arguments =>
239
			 * clean the values between top and max again */
240
			bn_clear_top2max(&wnum);
241
1331
			bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
242
1331
			*resp = 1;
243
1331
		} else
244
68138
			res->top--;
245
	}
246
247
	/* if res->top == 0 then clear the neg value otherwise decrease
248
	 * the resp pointer */
249
4338445
	if (res->top == 0)
250
		res->neg = 0;
251
	else
252
4338445
		resp--;
253
254
37141508
	for (i = 0; i < loop - 1; i++, wnump--, resp--) {
255
		BN_ULONG q, l0;
256
		/* the first part of the loop uses the top two words of
257
		 * snum and sdiv to calculate a BN_ULONG q such that
258
		 * | wnum - sdiv * q | < sdiv */
259
#if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
260
		BN_ULONG bn_div_3_words(BN_ULONG*, BN_ULONG, BN_ULONG);
261
		q = bn_div_3_words(wnump, d1, d0);
262
#else
263
		BN_ULONG n0, n1, rem = 0;
264
265
14232309
		n0 = wnump[0];
266
14232309
		n1 = wnump[-1];
267
14232309
		if (n0 == d0)
268
758
			q = BN_MASK2;
269
		else 			/* n0 < d0 */
270
		{
271
#ifdef BN_LLONG
272
			BN_ULLONG t2;
273
274
#if defined(BN_DIV2W) && !defined(bn_div_words)
275
			q = (BN_ULONG)(((((BN_ULLONG)n0) << BN_BITS2)|n1)/d0);
276
#else
277
			q = bn_div_words(n0, n1, d0);
278
#endif
279
280
#ifndef REMAINDER_IS_ALREADY_CALCULATED
281
			/*
282
			 * rem doesn't have to be BN_ULLONG. The least we
283
			 * know it's less that d0, isn't it?
284
			 */
285
			rem = (n1 - q * d0) & BN_MASK2;
286
#endif
287
			t2 = (BN_ULLONG)d1*q;
288
289
			for (;;) {
290
				if (t2 <= ((((BN_ULLONG)rem) << BN_BITS2) |
291
				    wnump[-2]))
292
					break;
293
				q--;
294
				rem += d0;
295
				if (rem < d0) break; /* don't let rem overflow */
296
					t2 -= d1;
297
			}
298
#else /* !BN_LLONG */
299
			BN_ULONG t2l, t2h;
300
301
14231551
			q = bn_div_words(n0, n1, d0);
302
#ifndef REMAINDER_IS_ALREADY_CALCULATED
303
			rem = (n1 - q*d0)&BN_MASK2;
304
#endif
305
306
#if defined(BN_UMULT_LOHI)
307
14231551
			BN_UMULT_LOHI(t2l, t2h, d1, q);
308
#elif defined(BN_UMULT_HIGH)
309
			t2l = d1 * q;
310
			t2h = BN_UMULT_HIGH(d1, q);
311
#else
312
			{
313
				BN_ULONG ql, qh;
314
				t2l = LBITS(d1);
315
				t2h = HBITS(d1);
316
				ql = LBITS(q);
317
				qh = HBITS(q);
318
				mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */
319
			}
320
#endif
321
322
15302245
			for (;;) {
323

15419179
				if ((t2h < rem) ||
324
1904332
				    ((t2h == rem) && (t2l <= wnump[-2])))
325
					break;
326
1670965
				q--;
327
1670965
				rem += d0;
328
1670965
				if (rem < d0)
329
					break; /* don't let rem overflow */
330
1070694
				if (t2l < d1)
331
509664
					t2h--;
332
1070694
				t2l -= d1;
333
			}
334
#endif /* !BN_LLONG */
335
		}
336
#endif /* !BN_DIV3W */
337
338
14232309
		l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
339
14232309
		tmp->d[div_n] = l0;
340
14232309
		wnum.d--;
341
		/* ingore top values of the bignums just sub the two
342
		 * BN_ULONG arrays with bn_sub_words */
343
14232309
		if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
344
			/* Note: As we have considered only the leading
345
			 * two BN_ULONGs in the calculation of q, sdiv * q
346
			 * might be greater than wnum (but then (q-1) * sdiv
347
			 * is less or equal than wnum)
348
			 */
349
3158
			q--;
350
3158
			if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
351
				/* we can't have an overflow here (assuming
352
				 * that q != 0, but if q == 0 then tmp is
353
				 * zero anyway) */
354
3158
				(*wnump)++;
355
		}
356
		/* store part of the result */
357
14232309
		*resp = q;
358
	}
359

67146649
	bn_correct_top(snum);
360
4338445
	if (rm != NULL) {
361
		/* Keep a copy of the neg flag in num because if rm==num
362
		 * BN_rshift() will overwrite it.
363
		 */
364
4242146
		int neg = num->neg;
365
4242146
		BN_rshift(rm, snum, norm_shift);
366
4242146
		if (!BN_is_zero(rm))
367
4173482
			rm->neg = neg;
368
		bn_check_top(rm);
369
4242146
	}
370
4338445
	if (no_branch)
371

35971119
		bn_correct_top(res);
372
4338445
	BN_CTX_end(ctx);
373
4338445
	return (1);
374
375
err:
376
	bn_check_top(rm);
377
	BN_CTX_end(ctx);
378
	return (0);
379
4343896
}
380
381
int
382
BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
383
    BN_CTX *ctx)
384
{
385
299620
	int ct = ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) ||
386
74905
	    (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0));
387
388
74905
	return BN_div_internal(dv, rm, num, divisor, ctx, ct);
389
}
390
391
int
392
BN_div_nonct(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
393
    BN_CTX *ctx)
394
{
395
	return BN_div_internal(dv, rm, num, divisor, ctx, 0);
396
}
397
398
int
399
BN_div_ct(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
400
    BN_CTX *ctx)
401
{
402
8537982
	return BN_div_internal(dv, rm, num, divisor, ctx, 1);
403
}