1 files changed, 52 insertions, 217 deletions
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index 4799b152dd..7224637ab3 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -122,26 +122,10 @@
 #define MONT_WORD /* use the faster word-based algorithm */
-#if defined(MONT_WORD) && defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
+#ifdef MONT_WORD
-/* This condition means we have a specific non-default build:
- * In the 0.9.8 branch, OPENSSL_BN_ASM_MONT is normally not set for any
- * BN_BITS2<=32 platform; an explicit "enable-montasm" is required.
- * I.e., if we are here, the user intentionally deviates from the
- * normal stable build to get better Montgomery performance from
- * the 0.9.9-dev backport.
- *
- * In this case only, we also enable BN_from_montgomery_word()
- * (another non-stable feature from 0.9.9-dev).
- */
-#define MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD
-#endif
-#ifdef MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD
 static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
 #endif
 int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
                          BN_MONT_CTX *mont, BN_CTX *ctx)
        {
@@ -153,11 +137,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
        if (num>1 && a->top==num && b->top==num)
                {
                if (bn_wexpand(r,num) == NULL) return(0);
-#if 0 /* for OpenSSL 0.9.9 mont->n0 */
                if (bn_mul_mont(r->d,a->d,b->d,mont->N.d,mont->n0,num))
-#else
-                if (bn_mul_mont(r->d,a->d,b->d,mont->N.d,&mont->n0,num))
-#endif
                        {
                        r->neg = a->neg^b->neg;
                        r->top = num;
@@ -181,7 +161,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
                if (!BN_mul(tmp,a,b,ctx)) goto err;
                }
        /* reduce from aRR to aR */
-#ifdef MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD
+#ifdef MONT_WORD
        if (!BN_from_montgomery_word(r,tmp,mont)) goto err;
 #else
        if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;
@@ -193,7 +173,7 @@ err:
        return(ret);
        }
-#ifdef MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD
+#ifdef MONT_WORD
 static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
        {
        BIGNUM *n;
@@ -217,15 +197,15 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
        nrp= &(r->d[nl]);
        /* clear the top words of T */
+#if 1
        for (i=r->top; i<max; i++) /* memset? XXX */
                r->d[i]=0;
+#else
+        memset(&(r->d[r->top]),0,(max-r->top)*sizeof(BN_ULONG)); 
+#endif
        r->top=max;
-#if 0 /* for OpenSSL 0.9.9 mont->n0 */
        n0=mont->n0[0];
-#else
-        n0=mont->n0;
-#endif
 #ifdef BN_COUNT
        fprintf(stderr,"word BN_from_montgomery_word %d * %d\n",nl,nl);
@@ -270,6 +250,8 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
                }
        al=r->top-ri;
+#define BRANCH_FREE 1
+#if BRANCH_FREE
        if (bn_wexpand(ret,ri) == NULL) return(0);
        x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
        ret->top=x=(ri&~x)|(al&x);      /* min(ri,al) */
@@ -317,164 +299,8 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
                rp[i]=nrp[i], ap[i]=0;
        bn_correct_top(r);
        bn_correct_top(ret);
-        bn_check_top(ret);
-        return(1);
-        }
-int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
-             BN_CTX *ctx)
-        {
-        int retn=0;
-        BIGNUM *t;
-        BN_CTX_start(ctx);
-        if ((t = BN_CTX_get(ctx)) && BN_copy(t,a))
-                retn = BN_from_montgomery_word(ret,t,mont);
-        BN_CTX_end(ctx);
-        return retn;
-        }
-#else /* !MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD */
-int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
-             BN_CTX *ctx)
-        {
-        int retn=0;
-#ifdef MONT_WORD
-        BIGNUM *n,*r;
-        BN_ULONG *ap,*np,*rp,n0,v,*nrp;
-        int al,nl,max,i,x,ri;
-        BN_CTX_start(ctx);
-        if ((r = BN_CTX_get(ctx)) == NULL) goto err;
-        if (!BN_copy(r,a)) goto err;
-        n= &(mont->N);
-        ap=a->d;
-        /* mont->ri is the size of mont->N in bits (rounded up
-           to the word size) */
-        al=ri=mont->ri/BN_BITS2;
-        
-        nl=n->top;
-        if ((al == 0) || (nl == 0)) { r->top=0; return(1); }
-        max=(nl+al+1); /* allow for overflow (no?) XXX */
-        if (bn_wexpand(r,max) == NULL) goto err;
-        r->neg=a->neg^n->neg;
-        np=n->d;
-        rp=r->d;
-        nrp= &(r->d[nl]);
-        /* clear the top words of T */
-#if 1
-        for (i=r->top; i<max; i++) /* memset? XXX */
-                r->d[i]=0;
 #else
-        memset(&(r->d[r->top]),0,(max-r->top)*sizeof(BN_ULONG)); 
+        if (bn_wexpand(ret,al) == NULL) return(0);
-#endif
-        r->top=max;
-        n0=mont->n0;
-#ifdef BN_COUNT
-        fprintf(stderr,"word BN_from_montgomery %d * %d\n",nl,nl);
-#endif
-        for (i=0; i<nl; i++)
-                {
-#ifdef __TANDEM
-                {
-                   long long t1;
-                   long long t2;
-                   long long t3;
-                   t1 = rp[0] * (n0 & 0177777);
-                   t2 = 037777600000l;
-                   t2 = n0 & t2;
-                   t3 = rp[0] & 0177777;
-                   t2 = (t3 * t2) & BN_MASK2;
-                   t1 = t1 + t2;
-                   v=bn_mul_add_words(rp,np,nl,(BN_ULONG) t1);
-                }
-#else
-                v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);
-#endif
-                nrp++;
-                rp++;
-                if (((nrp[-1]+=v)&BN_MASK2) >= v)
-                        continue;
-                else
-                        {
-                        if (((++nrp[0])&BN_MASK2) != 0) continue;
-                        if (((++nrp[1])&BN_MASK2) != 0) continue;
-                        for (x=2; (((++nrp[x])&BN_MASK2) == 0); x++) ;
-                        }
-                }
-        bn_correct_top(r);
-        
-        /* mont->ri will be a multiple of the word size and below code
-         * is kind of BN_rshift(ret,r,mont->ri) equivalent */
-        if (r->top <= ri)
-                {
-                ret->top=0;
-                retn=1;
-                goto err;
-                }
-        al=r->top-ri;
-# define BRANCH_FREE 1
-# if BRANCH_FREE
-        if (bn_wexpand(ret,ri) == NULL) goto err;
-        x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
-        ret->top=x=(ri&~x)|(al&x);      /* min(ri,al) */
-        ret->neg=r->neg;
-        rp=ret->d;
-        ap=&(r->d[ri]);
-        {
-        size_t m1,m2;
-        v=bn_sub_words(rp,ap,np,ri);
-        /* this ----------------^^ works even in al<ri case
-         * thanks to zealous zeroing of top of the vector in the
-         * beginning. */
-        /* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */
-        /* in other words if subtraction result is real, then
-         * trick unconditional memcpy below to perform in-place
-         * "refresh" instead of actual copy. */
-        m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1);   /* al<ri */
-        m2=0-(size_t)(((ri-al)>>(sizeof(al)*8-1))&1);   /* al>ri */
-        m1|=m2;                 /* (al!=ri) */
-        m1|=(0-(size_t)v);      /* (al!=ri || v) */
-        m1&=~m2;                /* (al!=ri || v) && !al>ri */
-        nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1));
-        }
-        /* 'i<ri' is chosen to eliminate dependency on input data, even
-         * though it results in redundant copy in al<ri case. */
-        for (i=0,ri-=4; i<ri; i+=4)
-                {
-                BN_ULONG t1,t2,t3,t4;
-                
-                t1=nrp[i+0];
-                t2=nrp[i+1];
-                t3=nrp[i+2];    ap[i+0]=0;
-                t4=nrp[i+3];    ap[i+1]=0;
-                rp[i+0]=t1;     ap[i+2]=0;
-                rp[i+1]=t2;     ap[i+3]=0;
-                rp[i+2]=t3;
-                rp[i+3]=t4;
-                }
-        for (ri+=4; i<ri; i++)
-                rp[i]=nrp[i], ap[i]=0;
-        bn_correct_top(r);
-        bn_correct_top(ret);
-# else
-        if (bn_wexpand(ret,al) == NULL) goto err;
        ret->top=al;
        ret->neg=r->neg;
@@ -497,8 +323,30 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
        al+=4;
        for (; i<al; i++)
                rp[i]=ap[i];
-# endif
-#else /* !MONT_WORD */ 
+        if (BN_ucmp(ret, &(mont->N)) >= 0)
+                {
+                if (!BN_usub(ret,ret,&(mont->N))) return(0);
+                }
+#endif
+        bn_check_top(ret);
+        return(1);
+        }
+#endif  /* MONT_WORD */
+int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
+             BN_CTX *ctx)
+        {
+        int retn=0;
+#ifdef MONT_WORD
+        BIGNUM *t;
+        BN_CTX_start(ctx);
+        if ((t = BN_CTX_get(ctx)) && BN_copy(t,a))
+                retn = BN_from_montgomery_word(ret,t,mont);
+        BN_CTX_end(ctx);
+#else /* !MONT_WORD */
        BIGNUM *t1,*t2;
        BN_CTX_start(ctx);
@@ -515,21 +363,18 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
        if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;
        if (!BN_add(t2,a,t1)) goto err;
        if (!BN_rshift(ret,t2,mont->ri)) goto err;
-#endif /* MONT_WORD */
-#if !defined(BRANCH_FREE) || BRANCH_FREE==0
        if (BN_ucmp(ret, &(mont->N)) >= 0)
                {
                if (!BN_usub(ret,ret,&(mont->N))) goto err;
                }
-#endif
        retn=1;
        bn_check_top(ret);
 err:
        BN_CTX_end(ctx);
+#endif /* MONT_WORD */
        return(retn);
        }
-#endif /* MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD */
 BN_MONT_CTX *BN_MONT_CTX_new(void)
        {
@@ -549,11 +394,7 @@ void BN_MONT_CTX_init(BN_MONT_CTX *ctx)
        BN_init(&(ctx->RR));
        BN_init(&(ctx->N));
        BN_init(&(ctx->Ni));
-#if 0 /* for OpenSSL 0.9.9 mont->n0 */
        ctx->n0[0] = ctx->n0[1] = 0;
-#else
-        ctx->n0 = 0;
-#endif
        ctx->flags=0;
        }
@@ -585,26 +426,22 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                BIGNUM tmod;
                BN_ULONG buf[2];
-                mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
-                BN_zero(R);
-#if 0 /* for OpenSSL 0.9.9 mont->n0, would be "#if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)",
-         only certain BN_BITS2<=32 platforms actually need this */
-                if (!(BN_set_bit(R,2*BN_BITS2))) goto err;      /* R */
-#else
-                if (!(BN_set_bit(R,BN_BITS2))) goto err;        /* R */
-#endif
-                buf[0]=mod->d[0]; /* tmod = N mod word size */
-                buf[1]=0;
                BN_init(&tmod);
                tmod.d=buf;
-                tmod.top = buf[0] != 0 ? 1 : 0;
                tmod.dmax=2;
                tmod.neg=0;
-#if 0 /* for OpenSSL 0.9.9 mont->n0, would be "#if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)";
+                mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
-         only certain BN_BITS2<=32 platforms actually need this */
+#if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
+                /* Only certain BN_BITS2<=32 platforms actually make use of
+                 * n0[1], and we could use the #else case (with a shorter R
+                 * value) for the others.  However, currently only the assembler
+                 * files do know which is which. */
+                BN_zero(R);
+                if (!(BN_set_bit(R,2*BN_BITS2))) goto err;
                                                                tmod.top=0;
                if ((buf[0] = mod->d[0]))                       tmod.top=1;
                if ((buf[1] = mod->top>1 ? mod->d[1] : 0))      tmod.top=2;
@@ -632,6 +469,12 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
                mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0;
 #else
+                BN_zero(R);
+                if (!(BN_set_bit(R,BN_BITS2))) goto err;        /* R */
+                buf[0]=mod->d[0]; /* tmod = N mod word size */
+                buf[1]=0;
+                tmod.top = buf[0] != 0 ? 1 : 0;
                                                        /* Ri = R^-1 mod N*/
                if ((BN_mod_inverse(Ri,R,&tmod,ctx)) == NULL)
                        goto err;
@@ -647,12 +490,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                if (!BN_div(Ri,NULL,Ri,&tmod,ctx)) goto err;
                /* Ni = (R*Ri-1)/N,
                 * keep only least significant word: */
-# if 0 /* for OpenSSL 0.9.9 mont->n0 */
                mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
                mont->n0[1] = 0;
-# else
-                mont->n0 = (Ri->top > 0) ? Ri->d[0] : 0;
-# endif
 #endif
                }
 #else /* !MONT_WORD */
@@ -689,12 +528,8 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
        if (!BN_copy(&(to->N),&(from->N))) return NULL;
        if (!BN_copy(&(to->Ni),&(from->Ni))) return NULL;
        to->ri=from->ri;
-#if 0 /* for OpenSSL 0.9.9 mont->n0 */
        to->n0[0]=from->n0[0];
        to->n0[1]=from->n0[1];
-#else
-        to->n0=from->n0;
-#endif
        return(to);
        }

diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c index 4799b152dd..7224637ab3 100644 --- a/src/lib/libcrypto/bn/bn_mont.c +++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -122,26 +122,10 @@
122		122
123	#define MONT_WORD /* use the faster word-based algorithm */	123	#define MONT_WORD /* use the faster word-based algorithm */
124		124
125	#if defined(MONT_WORD) && defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)	125	#ifdef MONT_WORD
126	/* This condition means we have a specific non-default build:
127	* In the 0.9.8 branch, OPENSSL_BN_ASM_MONT is normally not set for any
128	* BN_BITS2<=32 platform; an explicit "enable-montasm" is required.
129	* I.e., if we are here, the user intentionally deviates from the
130	* normal stable build to get better Montgomery performance from
131	* the 0.9.9-dev backport.
132	*
133	* In this case only, we also enable BN_from_montgomery_word()
134	* (another non-stable feature from 0.9.9-dev).
135	*/
136	#define MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD
137	#endif
138
139	#ifdef MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD
140	static int BN_from_montgomery_word(BIGNUM ret, BIGNUM r, BN_MONT_CTX *mont);	126	static int BN_from_montgomery_word(BIGNUM ret, BIGNUM r, BN_MONT_CTX *mont);
141	#endif	127	#endif
142		128
143
144
145	int BN_mod_mul_montgomery(BIGNUM r, const BIGNUM a, const BIGNUM *b,	129	int BN_mod_mul_montgomery(BIGNUM r, const BIGNUM a, const BIGNUM *b,
146	BN_MONT_CTX mont, BN_CTX ctx)	130	BN_MONT_CTX mont, BN_CTX ctx)
147	{	131	{
@@ -153,11 +137,7 @@ int BN_mod_mul_montgomery(BIGNUM r, const BIGNUM a, const BIGNUM *b,
153	if (num>1 && a->top==num && b->top==num)	137	if (num>1 && a->top==num && b->top==num)
154	{	138	{
155	if (bn_wexpand(r,num) == NULL) return(0);	139	if (bn_wexpand(r,num) == NULL) return(0);
156	#if 0 /* for OpenSSL 0.9.9 mont->n0 */
157	if (bn_mul_mont(r->d,a->d,b->d,mont->N.d,mont->n0,num))	140	if (bn_mul_mont(r->d,a->d,b->d,mont->N.d,mont->n0,num))
158	#else
159	if (bn_mul_mont(r->d,a->d,b->d,mont->N.d,&mont->n0,num))
160	#endif
161	{	141	{
162	r->neg = a->neg^b->neg;	142	r->neg = a->neg^b->neg;
163	r->top = num;	143	r->top = num;
@@ -181,7 +161,7 @@ int BN_mod_mul_montgomery(BIGNUM r, const BIGNUM a, const BIGNUM *b,
181	if (!BN_mul(tmp,a,b,ctx)) goto err;	161	if (!BN_mul(tmp,a,b,ctx)) goto err;
182	}	162	}
183	/* reduce from aRR to aR */	163	/* reduce from aRR to aR */
184	#ifdef MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD	164	#ifdef MONT_WORD
185	if (!BN_from_montgomery_word(r,tmp,mont)) goto err;	165	if (!BN_from_montgomery_word(r,tmp,mont)) goto err;
186	#else	166	#else
187	if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;	167	if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;
@@ -193,7 +173,7 @@ err:
193	return(ret);	173	return(ret);
194	}	174	}
195		175
196	#ifdef MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD	176	#ifdef MONT_WORD
197	static int BN_from_montgomery_word(BIGNUM ret, BIGNUM r, BN_MONT_CTX *mont)	177	static int BN_from_montgomery_word(BIGNUM ret, BIGNUM r, BN_MONT_CTX *mont)
198	{	178	{
199	BIGNUM *n;	179	BIGNUM *n;
@@ -217,15 +197,15 @@ static int BN_from_montgomery_word(BIGNUM ret, BIGNUM r, BN_MONT_CTX *mont)
217	nrp= &(r->d[nl]);	197	nrp= &(r->d[nl]);
218		198
219	/* clear the top words of T */	199	/* clear the top words of T */
		200	#if 1
220	for (i=r->top; i<max; i++) /* memset? XXX */	201	for (i=r->top; i<max; i++) /* memset? XXX */
221	r->d[i]=0;	202	r->d[i]=0;
		203	#else
		204	memset(&(r->d[r->top]),0,(max-r->top)*sizeof(BN_ULONG));
		205	#endif
222		206
223	r->top=max;	207	r->top=max;
224	#if 0 /* for OpenSSL 0.9.9 mont->n0 */
225	n0=mont->n0[0];	208	n0=mont->n0[0];
226	#else
227	n0=mont->n0;
228	#endif
229		209
230	#ifdef BN_COUNT	210	#ifdef BN_COUNT
231	fprintf(stderr,"word BN_from_montgomery_word %d * %d\n",nl,nl);	211	fprintf(stderr,"word BN_from_montgomery_word %d * %d\n",nl,nl);
@@ -270,6 +250,8 @@ static int BN_from_montgomery_word(BIGNUM ret, BIGNUM r, BN_MONT_CTX *mont)
270	}	250	}
271	al=r->top-ri;	251	al=r->top-ri;
272		252
		253	#define BRANCH_FREE 1
		254	#if BRANCH_FREE
273	if (bn_wexpand(ret,ri) == NULL) return(0);	255	if (bn_wexpand(ret,ri) == NULL) return(0);
274	x=0-(((al-ri)>>(sizeof(al)*8-1))&1);	256	x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
275	ret->top=x=(ri&~x)\|(al&x); /* min(ri,al) */	257	ret->top=x=(ri&~x)\|(al&x); /* min(ri,al) */
@@ -317,164 +299,8 @@ static int BN_from_montgomery_word(BIGNUM ret, BIGNUM r, BN_MONT_CTX *mont)
317	rp[i]=nrp[i], ap[i]=0;	299	rp[i]=nrp[i], ap[i]=0;
318	bn_correct_top(r);	300	bn_correct_top(r);
319	bn_correct_top(ret);	301	bn_correct_top(ret);
320	bn_check_top(ret);
321
322	return(1);
323	}
324
325	int BN_from_montgomery(BIGNUM ret, const BIGNUM a, BN_MONT_CTX *mont,
326	BN_CTX *ctx)
327	{
328	int retn=0;
329	BIGNUM *t;
330
331	BN_CTX_start(ctx);
332	if ((t = BN_CTX_get(ctx)) && BN_copy(t,a))
333	retn = BN_from_montgomery_word(ret,t,mont);
334	BN_CTX_end(ctx);
335	return retn;
336	}
337
338	#else /* !MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD */
339
340	int BN_from_montgomery(BIGNUM ret, const BIGNUM a, BN_MONT_CTX *mont,
341	BN_CTX *ctx)
342	{
343	int retn=0;
344
345	#ifdef MONT_WORD
346	BIGNUM n,r;
347	BN_ULONG ap,np,rp,n0,v,nrp;
348	int al,nl,max,i,x,ri;
349
350	BN_CTX_start(ctx);
351	if ((r = BN_CTX_get(ctx)) == NULL) goto err;
352
353	if (!BN_copy(r,a)) goto err;
354	n= &(mont->N);
355
356	ap=a->d;
357	/* mont->ri is the size of mont->N in bits (rounded up
358	to the word size) */
359	al=ri=mont->ri/BN_BITS2;
360
361	nl=n->top;
362	if ((al == 0) \|\| (nl == 0)) { r->top=0; return(1); }
363
364	max=(nl+al+1); /* allow for overflow (no?) XXX */
365	if (bn_wexpand(r,max) == NULL) goto err;
366
367	r->neg=a->neg^n->neg;
368	np=n->d;
369	rp=r->d;
370	nrp= &(r->d[nl]);
371
372	/* clear the top words of T */
373	#if 1
374	for (i=r->top; i<max; i++) /* memset? XXX */
375	r->d[i]=0;
376	#else	302	#else
377	memset(&(r->d[r->top]),0,(max-r->top)*sizeof(BN_ULONG));	303	if (bn_wexpand(ret,al) == NULL) return(0);
378	#endif
379
380	r->top=max;
381	n0=mont->n0;
382
383	#ifdef BN_COUNT
384	fprintf(stderr,"word BN_from_montgomery %d * %d\n",nl,nl);
385	#endif
386	for (i=0; i<nl; i++)
387	{
388	#ifdef __TANDEM
389	{
390	long long t1;
391	long long t2;
392	long long t3;
393	t1 = rp[0] * (n0 & 0177777);
394	t2 = 037777600000l;
395	t2 = n0 & t2;
396	t3 = rp[0] & 0177777;
397	t2 = (t3 * t2) & BN_MASK2;
398	t1 = t1 + t2;
399	v=bn_mul_add_words(rp,np,nl,(BN_ULONG) t1);
400	}
401	#else
402	v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);
403	#endif
404	nrp++;
405	rp++;
406	if (((nrp[-1]+=v)&BN_MASK2) >= v)
407	continue;
408	else
409	{
410	if (((++nrp[0])&BN_MASK2) != 0) continue;
411	if (((++nrp[1])&BN_MASK2) != 0) continue;
412	for (x=2; (((++nrp[x])&BN_MASK2) == 0); x++) ;
413	}
414	}
415	bn_correct_top(r);
416
417	/* mont->ri will be a multiple of the word size and below code
418	* is kind of BN_rshift(ret,r,mont->ri) equivalent */
419	if (r->top <= ri)
420	{
421	ret->top=0;
422	retn=1;
423	goto err;
424	}
425	al=r->top-ri;
426
427	# define BRANCH_FREE 1
428	# if BRANCH_FREE
429	if (bn_wexpand(ret,ri) == NULL) goto err;
430	x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
431	ret->top=x=(ri&~x)\|(al&x); /* min(ri,al) */
432	ret->neg=r->neg;
433
434	rp=ret->d;
435	ap=&(r->d[ri]);
436
437	{
438	size_t m1,m2;
439
440	v=bn_sub_words(rp,ap,np,ri);
441	/* this ----------------^^ works even in al<ri case
442	* thanks to zealous zeroing of top of the vector in the
443	* beginning. */
444
445	/* if (al==ri && !v) \|\| al>ri) nrp=rp; else nrp=ap; */
446	/* in other words if subtraction result is real, then
447	* trick unconditional memcpy below to perform in-place
448	* "refresh" instead of actual copy. */
449	m1=0-(size_t)(((al-ri)>>(sizeof(al)8-1))&1); / al<ri */
450	m2=0-(size_t)(((ri-al)>>(sizeof(al)8-1))&1); / al>ri */
451	m1\|=m2; /* (al!=ri) */
452	m1\|=(0-(size_t)v); /* (al!=ri \|\| v) */
453	m1&=~m2; /* (al!=ri \|\| v) && !al>ri */
454	nrp=(BN_ULONG *)(((size_t)rp&~m1)\|((size_t)ap&m1));
455	}
456
457	/* 'i<ri' is chosen to eliminate dependency on input data, even
458	* though it results in redundant copy in al<ri case. */
459	for (i=0,ri-=4; i<ri; i+=4)
460	{
461	BN_ULONG t1,t2,t3,t4;
462
463	t1=nrp[i+0];
464	t2=nrp[i+1];
465	t3=nrp[i+2]; ap[i+0]=0;
466	t4=nrp[i+3]; ap[i+1]=0;
467	rp[i+0]=t1; ap[i+2]=0;
468	rp[i+1]=t2; ap[i+3]=0;
469	rp[i+2]=t3;
470	rp[i+3]=t4;
471	}
472	for (ri+=4; i<ri; i++)
473	rp[i]=nrp[i], ap[i]=0;
474	bn_correct_top(r);
475	bn_correct_top(ret);
476	# else
477	if (bn_wexpand(ret,al) == NULL) goto err;
478	ret->top=al;	304	ret->top=al;
479	ret->neg=r->neg;	305	ret->neg=r->neg;
480		306
@@ -497,8 +323,30 @@ int BN_from_montgomery(BIGNUM ret, const BIGNUM a, BN_MONT_CTX *mont,
497	al+=4;	323	al+=4;
498	for (; i<al; i++)	324	for (; i<al; i++)
499	rp[i]=ap[i];	325	rp[i]=ap[i];
500	# endif	326
501	#else /* !MONT_WORD */	327	if (BN_ucmp(ret, &(mont->N)) >= 0)
		328	{
		329	if (!BN_usub(ret,ret,&(mont->N))) return(0);
		330	}
		331	#endif
		332	bn_check_top(ret);
		333
		334	return(1);
		335	}
		336	#endif /* MONT_WORD */
		337
		338	int BN_from_montgomery(BIGNUM ret, const BIGNUM a, BN_MONT_CTX *mont,
		339	BN_CTX *ctx)
		340	{
		341	int retn=0;
		342	#ifdef MONT_WORD
		343	BIGNUM *t;
		344
		345	BN_CTX_start(ctx);
		346	if ((t = BN_CTX_get(ctx)) && BN_copy(t,a))
		347	retn = BN_from_montgomery_word(ret,t,mont);
		348	BN_CTX_end(ctx);
		349	#else /* !MONT_WORD */
502	BIGNUM t1,t2;	350	BIGNUM t1,t2;
503		351
504	BN_CTX_start(ctx);	352	BN_CTX_start(ctx);
@@ -515,21 +363,18 @@ int BN_from_montgomery(BIGNUM ret, const BIGNUM a, BN_MONT_CTX *mont,
515	if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;	363	if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;
516	if (!BN_add(t2,a,t1)) goto err;	364	if (!BN_add(t2,a,t1)) goto err;
517	if (!BN_rshift(ret,t2,mont->ri)) goto err;	365	if (!BN_rshift(ret,t2,mont->ri)) goto err;
518	#endif /* MONT_WORD */
519		366
520	#if !defined(BRANCH_FREE) \|\| BRANCH_FREE==0
521	if (BN_ucmp(ret, &(mont->N)) >= 0)	367	if (BN_ucmp(ret, &(mont->N)) >= 0)
522	{	368	{
523	if (!BN_usub(ret,ret,&(mont->N))) goto err;	369	if (!BN_usub(ret,ret,&(mont->N))) goto err;
524	}	370	}
525	#endif
526	retn=1;	371	retn=1;
527	bn_check_top(ret);	372	bn_check_top(ret);
528	err:	373	err:
529	BN_CTX_end(ctx);	374	BN_CTX_end(ctx);
		375	#endif /* MONT_WORD */
530	return(retn);	376	return(retn);
531	}	377	}
532	#endif /* MONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD */
533		378
534	BN_MONT_CTX *BN_MONT_CTX_new(void)	379	BN_MONT_CTX *BN_MONT_CTX_new(void)
535	{	380	{
@@ -549,11 +394,7 @@ void BN_MONT_CTX_init(BN_MONT_CTX *ctx)
549	BN_init(&(ctx->RR));	394	BN_init(&(ctx->RR));
550	BN_init(&(ctx->N));	395	BN_init(&(ctx->N));
551	BN_init(&(ctx->Ni));	396	BN_init(&(ctx->Ni));
552	#if 0 /* for OpenSSL 0.9.9 mont->n0 */
553	ctx->n0[0] = ctx->n0[1] = 0;	397	ctx->n0[0] = ctx->n0[1] = 0;
554	#else
555	ctx->n0 = 0;
556	#endif
557	ctx->flags=0;	398	ctx->flags=0;
558	}	399	}
559		400
@@ -585,26 +426,22 @@ int BN_MONT_CTX_set(BN_MONT_CTX mont, const BIGNUM mod, BN_CTX *ctx)
585	BIGNUM tmod;	426	BIGNUM tmod;
586	BN_ULONG buf[2];	427	BN_ULONG buf[2];
587		428
588	mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
589	BN_zero(R);
590	#if 0 /* for OpenSSL 0.9.9 mont->n0, would be "#if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)",
591	only certain BN_BITS2<=32 platforms actually need this */
592	if (!(BN_set_bit(R,2BN_BITS2))) goto err; / R */
593	#else
594	if (!(BN_set_bit(R,BN_BITS2))) goto err; /* R */
595	#endif
596
597	buf[0]=mod->d[0]; /* tmod = N mod word size */
598	buf[1]=0;
599
600	BN_init(&tmod);	429	BN_init(&tmod);
601	tmod.d=buf;	430	tmod.d=buf;
602	tmod.top = buf[0] != 0 ? 1 : 0;
603	tmod.dmax=2;	431	tmod.dmax=2;
604	tmod.neg=0;	432	tmod.neg=0;
605		433
606	#if 0 /* for OpenSSL 0.9.9 mont->n0, would be "#if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)";	434	mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
607	only certain BN_BITS2<=32 platforms actually need this */	435
		436	#if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
		437	/* Only certain BN_BITS2<=32 platforms actually make use of
		438	* n0[1], and we could use the #else case (with a shorter R
		439	* value) for the others. However, currently only the assembler
		440	* files do know which is which. */
		441
		442	BN_zero(R);
		443	if (!(BN_set_bit(R,2*BN_BITS2))) goto err;
		444
608	tmod.top=0;	445	tmod.top=0;
609	if ((buf[0] = mod->d[0])) tmod.top=1;	446	if ((buf[0] = mod->d[0])) tmod.top=1;
610	if ((buf[1] = mod->top>1 ? mod->d[1] : 0)) tmod.top=2;	447	if ((buf[1] = mod->top>1 ? mod->d[1] : 0)) tmod.top=2;
@@ -632,6 +469,12 @@ int BN_MONT_CTX_set(BN_MONT_CTX mont, const BIGNUM mod, BN_CTX *ctx)
632	mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;	469	mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
633	mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0;	470	mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0;
634	#else	471	#else
		472	BN_zero(R);
		473	if (!(BN_set_bit(R,BN_BITS2))) goto err; /* R */
		474
		475	buf[0]=mod->d[0]; /* tmod = N mod word size */
		476	buf[1]=0;
		477	tmod.top = buf[0] != 0 ? 1 : 0;
635	/* Ri = R^-1 mod N*/	478	/* Ri = R^-1 mod N*/
636	if ((BN_mod_inverse(Ri,R,&tmod,ctx)) == NULL)	479	if ((BN_mod_inverse(Ri,R,&tmod,ctx)) == NULL)
637	goto err;	480	goto err;
@@ -647,12 +490,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX mont, const BIGNUM mod, BN_CTX *ctx)
647	if (!BN_div(Ri,NULL,Ri,&tmod,ctx)) goto err;	490	if (!BN_div(Ri,NULL,Ri,&tmod,ctx)) goto err;
648	/* Ni = (R*Ri-1)/N,	491	/* Ni = (R*Ri-1)/N,
649	* keep only least significant word: */	492	* keep only least significant word: */
650	# if 0 /* for OpenSSL 0.9.9 mont->n0 */
651	mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;	493	mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
652	mont->n0[1] = 0;	494	mont->n0[1] = 0;
653	# else
654	mont->n0 = (Ri->top > 0) ? Ri->d[0] : 0;
655	# endif
656	#endif	495	#endif
657	}	496	}
658	#else /* !MONT_WORD */	497	#else /* !MONT_WORD */
@@ -689,12 +528,8 @@ BN_MONT_CTX BN_MONT_CTX_copy(BN_MONT_CTX to, BN_MONT_CTX *from)
689	if (!BN_copy(&(to->N),&(from->N))) return NULL;	528	if (!BN_copy(&(to->N),&(from->N))) return NULL;
690	if (!BN_copy(&(to->Ni),&(from->Ni))) return NULL;	529	if (!BN_copy(&(to->Ni),&(from->Ni))) return NULL;
691	to->ri=from->ri;	530	to->ri=from->ri;
692	#if 0 /* for OpenSSL 0.9.9 mont->n0 */
693	to->n0[0]=from->n0[0];	531	to->n0[0]=from->n0[0];
694	to->n0[1]=from->n0[1];	532	to->n0[1]=from->n0[1];
695	#else
696	to->n0=from->n0;
697	#endif
698	return(to);	533	return(to);
699	}	534	}
700		535