GCC Code Coverage Report | |||||||||||||||||||||
|
|||||||||||||||||||||
Line | Branch | Exec | Source |
1 |
/* $OpenBSD: bn_div.c,v 1.25 2017/01/29 17:49:22 beck Exp $ */ |
||
2 |
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
||
3 |
* All rights reserved. |
||
4 |
* |
||
5 |
* This package is an SSL implementation written |
||
6 |
* by Eric Young (eay@cryptsoft.com). |
||
7 |
* The implementation was written so as to conform with Netscapes SSL. |
||
8 |
* |
||
9 |
* This library is free for commercial and non-commercial use as long as |
||
10 |
* the following conditions are aheared to. The following conditions |
||
11 |
* apply to all code found in this distribution, be it the RC4, RSA, |
||
12 |
* lhash, DES, etc., code; not just the SSL code. The SSL documentation |
||
13 |
* included with this distribution is covered by the same copyright terms |
||
14 |
* except that the holder is Tim Hudson (tjh@cryptsoft.com). |
||
15 |
* |
||
16 |
* Copyright remains Eric Young's, and as such any Copyright notices in |
||
17 |
* the code are not to be removed. |
||
18 |
* If this package is used in a product, Eric Young should be given attribution |
||
19 |
* as the author of the parts of the library used. |
||
20 |
* This can be in the form of a textual message at program startup or |
||
21 |
* in documentation (online or textual) provided with the package. |
||
22 |
* |
||
23 |
* Redistribution and use in source and binary forms, with or without |
||
24 |
* modification, are permitted provided that the following conditions |
||
25 |
* are met: |
||
26 |
* 1. Redistributions of source code must retain the copyright |
||
27 |
* notice, this list of conditions and the following disclaimer. |
||
28 |
* 2. Redistributions in binary form must reproduce the above copyright |
||
29 |
* notice, this list of conditions and the following disclaimer in the |
||
30 |
* documentation and/or other materials provided with the distribution. |
||
31 |
* 3. All advertising materials mentioning features or use of this software |
||
32 |
* must display the following acknowledgement: |
||
33 |
* "This product includes cryptographic software written by |
||
34 |
* Eric Young (eay@cryptsoft.com)" |
||
35 |
* The word 'cryptographic' can be left out if the rouines from the library |
||
36 |
* being used are not cryptographic related :-). |
||
37 |
* 4. If you include any Windows specific code (or a derivative thereof) from |
||
38 |
* the apps directory (application code) you must include an acknowledgement: |
||
39 |
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
||
40 |
* |
||
41 |
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
||
42 |
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
||
43 |
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
||
44 |
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
||
45 |
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
||
46 |
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
||
47 |
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
||
48 |
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
||
49 |
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
||
50 |
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
||
51 |
* SUCH DAMAGE. |
||
52 |
* |
||
53 |
* The licence and distribution terms for any publically available version or |
||
54 |
* derivative of this code cannot be changed. i.e. this code cannot simply be |
||
55 |
* copied and put under another distribution licence |
||
56 |
* [including the GNU Public Licence.] |
||
57 |
*/ |
||
58 |
|||
59 |
#include <stdio.h> |
||
60 |
|||
61 |
#include <openssl/opensslconf.h> |
||
62 |
|||
63 |
#include <openssl/bn.h> |
||
64 |
#include <openssl/err.h> |
||
65 |
|||
66 |
#include "bn_lcl.h" |
||
67 |
|||
68 |
#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \ |
||
69 |
&& !defined(BN_DIV3W) |
||
70 |
# if defined(__GNUC__) && __GNUC__>=2 |
||
71 |
# if defined(__i386) || defined (__i386__) |
||
72 |
/* |
||
73 |
* There were two reasons for implementing this template: |
||
74 |
* - GNU C generates a call to a function (__udivdi3 to be exact) |
||
75 |
* in reply to ((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0 (I fail to |
||
76 |
* understand why...); |
||
77 |
* - divl doesn't only calculate quotient, but also leaves |
||
78 |
* remainder in %edx which we can definitely use here:-) |
||
79 |
* |
||
80 |
* <appro@fy.chalmers.se> |
||
81 |
*/ |
||
82 |
#undef bn_div_words |
||
83 |
# define bn_div_words(n0,n1,d0) \ |
||
84 |
({ asm volatile ( \ |
||
85 |
"divl %4" \ |
||
86 |
: "=a"(q), "=d"(rem) \ |
||
87 |
: "a"(n1), "d"(n0), "g"(d0) \ |
||
88 |
: "cc"); \ |
||
89 |
q; \ |
||
90 |
}) |
||
91 |
# define REMAINDER_IS_ALREADY_CALCULATED |
||
92 |
# elif defined(__x86_64) |
||
93 |
/* |
||
94 |
* Same story here, but it's 128-bit by 64-bit division. Wow! |
||
95 |
* <appro@fy.chalmers.se> |
||
96 |
*/ |
||
97 |
# undef bn_div_words |
||
98 |
# define bn_div_words(n0,n1,d0) \ |
||
99 |
({ asm volatile ( \ |
||
100 |
"divq %4" \ |
||
101 |
: "=a"(q), "=d"(rem) \ |
||
102 |
: "a"(n1), "d"(n0), "g"(d0) \ |
||
103 |
: "cc"); \ |
||
104 |
q; \ |
||
105 |
}) |
||
106 |
# define REMAINDER_IS_ALREADY_CALCULATED |
||
107 |
# endif /* __<cpu> */ |
||
108 |
# endif /* __GNUC__ */ |
||
109 |
#endif /* OPENSSL_NO_ASM */ |
||
110 |
|||
111 |
|||
112 |
/* BN_div computes dv := num / divisor, rounding towards |
||
113 |
* zero, and sets up rm such that dv*divisor + rm = num holds. |
||
114 |
* Thus: |
||
115 |
* dv->neg == num->neg ^ divisor->neg (unless the result is zero) |
||
116 |
* rm->neg == num->neg (unless the remainder is zero) |
||
117 |
* If 'dv' or 'rm' is NULL, the respective value is not returned. |
||
118 |
*/ |
||
119 |
static int |
||
120 |
BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, |
||
121 |
BN_CTX *ctx, int ct) |
||
122 |
{ |
||
123 |
int norm_shift, i, loop; |
||
124 |
8687792 |
BIGNUM *tmp, wnum, *snum, *sdiv, *res; |
|
125 |
BN_ULONG *resp, *wnump; |
||
126 |
BN_ULONG d0, d1; |
||
127 |
int num_n, div_n; |
||
128 |
int no_branch = 0; |
||
129 |
|||
130 |
/* Invalid zero-padding would have particularly bad consequences |
||
131 |
* in the case of 'num', so don't just rely on bn_check_top() for this one |
||
132 |
* (bn_check_top() works only for BN_DEBUG builds) */ |
||
133 |
✓✓✗✓ |
8662883 |
if (num->top > 0 && num->d[num->top - 1] == 0) { |
134 |
BNerror(BN_R_NOT_INITIALIZED); |
||
135 |
return 0; |
||
136 |
} |
||
137 |
|||
138 |
bn_check_top(num); |
||
139 |
|||
140 |
✓✓ | 4343896 |
if (ct) |
141 |
4268991 |
no_branch = 1; |
|
142 |
|||
143 |
bn_check_top(dv); |
||
144 |
bn_check_top(rm); |
||
145 |
/* bn_check_top(num); */ /* 'num' has been checked already */ |
||
146 |
bn_check_top(divisor); |
||
147 |
|||
148 |
✓✓ | 4343896 |
if (BN_is_zero(divisor)) { |
149 |
18 |
BNerror(BN_R_DIV_BY_ZERO); |
|
150 |
18 |
return (0); |
|
151 |
} |
||
152 |
|||
153 |
✓✓✓✓ |
4418780 |
if (!no_branch && BN_ucmp(num, divisor) < 0) { |
154 |
✓✓ | 5433 |
if (rm != NULL) { |
155 |
✗✓ | 1659 |
if (BN_copy(rm, num) == NULL) |
156 |
return (0); |
||
157 |
} |
||
158 |
✓✓ | 5433 |
if (dv != NULL) |
159 |
4331 |
BN_zero(dv); |
|
160 |
5433 |
return (1); |
|
161 |
} |
||
162 |
|||
163 |
4338445 |
BN_CTX_start(ctx); |
|
164 |
4338445 |
tmp = BN_CTX_get(ctx); |
|
165 |
4338445 |
snum = BN_CTX_get(ctx); |
|
166 |
4338445 |
sdiv = BN_CTX_get(ctx); |
|
167 |
✓✓ | 4338445 |
if (dv == NULL) |
168 |
634107 |
res = BN_CTX_get(ctx); |
|
169 |
else |
||
170 |
res = dv; |
||
171 |
✓✗ | 4338445 |
if (tmp == NULL || snum == NULL || sdiv == NULL || res == NULL) |
172 |
goto err; |
||
173 |
|||
174 |
/* First we normalise the numbers */ |
||
175 |
4338445 |
norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2); |
|
176 |
✓✗ | 4338445 |
if (!(BN_lshift(sdiv, divisor, norm_shift))) |
177 |
goto err; |
||
178 |
4338445 |
sdiv->neg = 0; |
|
179 |
4338445 |
norm_shift += BN_BITS2; |
|
180 |
✓✗ | 4338445 |
if (!(BN_lshift(snum, num, norm_shift))) |
181 |
goto err; |
||
182 |
4338445 |
snum->neg = 0; |
|
183 |
|||
184 |
✓✓ | 4338445 |
if (no_branch) { |
185 |
/* Since we don't know whether snum is larger than sdiv, |
||
186 |
* we pad snum with enough zeroes without changing its |
||
187 |
* value. |
||
188 |
*/ |
||
189 |
✓✓ | 4268976 |
if (snum->top <= sdiv->top + 1) { |
190 |
✓✓✓✗ |
1687573 |
if (bn_wexpand(snum, sdiv->top + 2) == NULL) |
191 |
goto err; |
||
192 |
✓✓ | 4870044 |
for (i = snum->top; i < sdiv->top + 2; i++) |
193 |
1591266 |
snum->d[i] = 0; |
|
194 |
843756 |
snum->top = sdiv->top + 2; |
|
195 |
843756 |
} else { |
|
196 |
✓✓✓✗ |
6858615 |
if (bn_wexpand(snum, snum->top + 1) == NULL) |
197 |
goto err; |
||
198 |
3425220 |
snum->d[snum->top] = 0; |
|
199 |
3425220 |
snum->top ++; |
|
200 |
} |
||
201 |
} |
||
202 |
|||
203 |
4338445 |
div_n = sdiv->top; |
|
204 |
4338445 |
num_n = snum->top; |
|
205 |
4338445 |
loop = num_n - div_n; |
|
206 |
/* Lets setup a 'window' into snum |
||
207 |
* This is the part that corresponds to the current |
||
208 |
* 'area' being divided */ |
||
209 |
4338445 |
wnum.neg = 0; |
|
210 |
4338445 |
wnum.d = &(snum->d[loop]); |
|
211 |
4338445 |
wnum.top = div_n; |
|
212 |
/* only needed when BN_ucmp messes up the values between top and max */ |
||
213 |
4338445 |
wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */ |
|
214 |
4338445 |
wnum.flags = snum->flags | BN_FLG_STATIC_DATA; |
|
215 |
|||
216 |
/* Get the top 2 words of sdiv */ |
||
217 |
/* div_n=sdiv->top; */ |
||
218 |
4338445 |
d0 = sdiv->d[div_n - 1]; |
|
219 |
✓✓ | 11476273 |
d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2]; |
220 |
|||
221 |
/* pointer to the 'top' of snum */ |
||
222 |
4338445 |
wnump = &(snum->d[num_n - 1]); |
|
223 |
|||
224 |
/* Setup to 'res' */ |
||
225 |
4338445 |
res->neg = (num->neg ^ divisor->neg); |
|
226 |
✓✓✓✗ ✓✗ |
8676890 |
if (!bn_wexpand(res, (loop + 1))) |
227 |
goto err; |
||
228 |
4338445 |
res->top = loop - no_branch; |
|
229 |
4338445 |
resp = &(res->d[loop - 1]); |
|
230 |
|||
231 |
/* space for temp */ |
||
232 |
✓✓✓✗ ✓✗ |
8676890 |
if (!bn_wexpand(tmp, (div_n + 1))) |
233 |
goto err; |
||
234 |
|||
235 |
✓✓ | 4338445 |
if (!no_branch) { |
236 |
✓✓ | 69469 |
if (BN_ucmp(&wnum, sdiv) >= 0) { |
237 |
/* If BN_DEBUG_RAND is defined BN_ucmp changes (via |
||
238 |
* bn_pollute) the const bignum arguments => |
||
239 |
* clean the values between top and max again */ |
||
240 |
bn_clear_top2max(&wnum); |
||
241 |
1331 |
bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n); |
|
242 |
1331 |
*resp = 1; |
|
243 |
1331 |
} else |
|
244 |
68138 |
res->top--; |
|
245 |
} |
||
246 |
|||
247 |
/* if res->top == 0 then clear the neg value otherwise decrease |
||
248 |
* the resp pointer */ |
||
249 |
✗✓ | 4338445 |
if (res->top == 0) |
250 |
res->neg = 0; |
||
251 |
else |
||
252 |
4338445 |
resp--; |
|
253 |
|||
254 |
✓✓ | 37141508 |
for (i = 0; i < loop - 1; i++, wnump--, resp--) { |
255 |
BN_ULONG q, l0; |
||
256 |
/* the first part of the loop uses the top two words of |
||
257 |
* snum and sdiv to calculate a BN_ULONG q such that |
||
258 |
* | wnum - sdiv * q | < sdiv */ |
||
259 |
#if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM) |
||
260 |
BN_ULONG bn_div_3_words(BN_ULONG*, BN_ULONG, BN_ULONG); |
||
261 |
q = bn_div_3_words(wnump, d1, d0); |
||
262 |
#else |
||
263 |
BN_ULONG n0, n1, rem = 0; |
||
264 |
|||
265 |
14232309 |
n0 = wnump[0]; |
|
266 |
14232309 |
n1 = wnump[-1]; |
|
267 |
✓✓ | 14232309 |
if (n0 == d0) |
268 |
758 |
q = BN_MASK2; |
|
269 |
else /* n0 < d0 */ |
||
270 |
{ |
||
271 |
#ifdef BN_LLONG |
||
272 |
BN_ULLONG t2; |
||
273 |
|||
274 |
#if defined(BN_DIV2W) && !defined(bn_div_words) |
||
275 |
q = (BN_ULONG)(((((BN_ULLONG)n0) << BN_BITS2)|n1)/d0); |
||
276 |
#else |
||
277 |
q = bn_div_words(n0, n1, d0); |
||
278 |
#endif |
||
279 |
|||
280 |
#ifndef REMAINDER_IS_ALREADY_CALCULATED |
||
281 |
/* |
||
282 |
* rem doesn't have to be BN_ULLONG. The least we |
||
283 |
* know it's less that d0, isn't it? |
||
284 |
*/ |
||
285 |
rem = (n1 - q * d0) & BN_MASK2; |
||
286 |
#endif |
||
287 |
t2 = (BN_ULLONG)d1*q; |
||
288 |
|||
289 |
for (;;) { |
||
290 |
if (t2 <= ((((BN_ULLONG)rem) << BN_BITS2) | |
||
291 |
wnump[-2])) |
||
292 |
break; |
||
293 |
q--; |
||
294 |
rem += d0; |
||
295 |
if (rem < d0) break; /* don't let rem overflow */ |
||
296 |
t2 -= d1; |
||
297 |
} |
||
298 |
#else /* !BN_LLONG */ |
||
299 |
BN_ULONG t2l, t2h; |
||
300 |
|||
301 |
14231551 |
q = bn_div_words(n0, n1, d0); |
|
302 |
#ifndef REMAINDER_IS_ALREADY_CALCULATED |
||
303 |
rem = (n1 - q*d0)&BN_MASK2; |
||
304 |
#endif |
||
305 |
|||
306 |
#if defined(BN_UMULT_LOHI) |
||
307 |
14231551 |
BN_UMULT_LOHI(t2l, t2h, d1, q); |
|
308 |
#elif defined(BN_UMULT_HIGH) |
||
309 |
t2l = d1 * q; |
||
310 |
t2h = BN_UMULT_HIGH(d1, q); |
||
311 |
#else |
||
312 |
{ |
||
313 |
BN_ULONG ql, qh; |
||
314 |
t2l = LBITS(d1); |
||
315 |
t2h = HBITS(d1); |
||
316 |
ql = LBITS(q); |
||
317 |
qh = HBITS(q); |
||
318 |
mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */ |
||
319 |
} |
||
320 |
#endif |
||
321 |
|||
322 |
15302245 |
for (;;) { |
|
323 |
✓✓✓✓ |
15419179 |
if ((t2h < rem) || |
324 |
✓✓ | 1904332 |
((t2h == rem) && (t2l <= wnump[-2]))) |
325 |
break; |
||
326 |
1670965 |
q--; |
|
327 |
1670965 |
rem += d0; |
|
328 |
✓✓ | 1670965 |
if (rem < d0) |
329 |
break; /* don't let rem overflow */ |
||
330 |
✓✓ | 1070694 |
if (t2l < d1) |
331 |
509664 |
t2h--; |
|
332 |
1070694 |
t2l -= d1; |
|
333 |
} |
||
334 |
#endif /* !BN_LLONG */ |
||
335 |
} |
||
336 |
#endif /* !BN_DIV3W */ |
||
337 |
|||
338 |
14232309 |
l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q); |
|
339 |
14232309 |
tmp->d[div_n] = l0; |
|
340 |
14232309 |
wnum.d--; |
|
341 |
/* ingore top values of the bignums just sub the two |
||
342 |
* BN_ULONG arrays with bn_sub_words */ |
||
343 |
✓✓ | 14232309 |
if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) { |
344 |
/* Note: As we have considered only the leading |
||
345 |
* two BN_ULONGs in the calculation of q, sdiv * q |
||
346 |
* might be greater than wnum (but then (q-1) * sdiv |
||
347 |
* is less or equal than wnum) |
||
348 |
*/ |
||
349 |
3158 |
q--; |
|
350 |
✓✗ | 3158 |
if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n)) |
351 |
/* we can't have an overflow here (assuming |
||
352 |
* that q != 0, but if q == 0 then tmp is |
||
353 |
* zero anyway) */ |
||
354 |
3158 |
(*wnump)++; |
|
355 |
} |
||
356 |
/* store part of the result */ |
||
357 |
14232309 |
*resp = q; |
|
358 |
} |
||
359 |
✓✗✓✓ ✓✓ |
67146649 |
bn_correct_top(snum); |
360 |
✓✓ | 4338445 |
if (rm != NULL) { |
361 |
/* Keep a copy of the neg flag in num because if rm==num |
||
362 |
* BN_rshift() will overwrite it. |
||
363 |
*/ |
||
364 |
4242146 |
int neg = num->neg; |
|
365 |
4242146 |
BN_rshift(rm, snum, norm_shift); |
|
366 |
✓✓ | 4242146 |
if (!BN_is_zero(rm)) |
367 |
4173482 |
rm->neg = neg; |
|
368 |
bn_check_top(rm); |
||
369 |
4242146 |
} |
|
370 |
✓✓ | 4338445 |
if (no_branch) |
371 |
✓✗✓✓ ✓✓ |
35971119 |
bn_correct_top(res); |
372 |
4338445 |
BN_CTX_end(ctx); |
|
373 |
4338445 |
return (1); |
|
374 |
|||
375 |
err: |
||
376 |
bn_check_top(rm); |
||
377 |
BN_CTX_end(ctx); |
||
378 |
return (0); |
||
379 |
4343896 |
} |
|
380 |
|||
381 |
int |
||
382 |
BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, |
||
383 |
BN_CTX *ctx) |
||
384 |
{ |
||
385 |
✓✗ | 299620 |
int ct = ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || |
386 |
74905 |
(BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)); |
|
387 |
|||
388 |
74905 |
return BN_div_internal(dv, rm, num, divisor, ctx, ct); |
|
389 |
} |
||
390 |
|||
391 |
int |
||
392 |
BN_div_nonct(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, |
||
393 |
BN_CTX *ctx) |
||
394 |
{ |
||
395 |
return BN_div_internal(dv, rm, num, divisor, ctx, 0); |
||
396 |
} |
||
397 |
|||
398 |
int |
||
399 |
BN_div_ct(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, |
||
400 |
BN_CTX *ctx) |
||
401 |
{ |
||
402 |
8537982 |
return BN_div_internal(dv, rm, num, divisor, ctx, 1); |
|
403 |
} |
Generated by: GCOVR (Version 3.3) |