1 files changed, 195 insertions, 158 deletions
diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c
index d0adc4688f..7f0560f7c5 100644
--- a/src/lib/libcrypto/bn/bn_div.c
+++ b/src/lib/libcrypto/bn/bn_div.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_div.c,v 1.29 2022/12/26 07:18:51 jmc Exp $ */
+/* $OpenBSD: bn_div.c,v 1.30 2023/01/18 05:27:30 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -65,8 +65,11 @@
 #include "bn_local.h"
-#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
+BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0);
-    && !defined(BN_DIV3W)
+#ifndef BN_DIV3W
+#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
 # if defined(__GNUC__) && __GNUC__>=2
 #  if defined(__i386) || defined (__i386__)
   /*
@@ -108,17 +111,102 @@
 # endif /* __GNUC__ */
 #endif /* OPENSSL_NO_ASM */
+BN_ULONG
+bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0)
+{
+        BN_ULONG n0, n1, q;
+        BN_ULONG rem = 0;
+        n0 = m[0];
+        n1 = m[-1];
+        if (n0 == d0)
+                return BN_MASK2;
+        /* n0 < d0 */
+        {
+#ifdef BN_LLONG
+                BN_ULLONG t2;
-/* BN_div computes  dv := num / divisor,  rounding towards
+#if defined(BN_DIV2W) && !defined(bn_div_words)
- * zero, and sets up rm  such that  dv*divisor + rm = num  holds.
+                q = (BN_ULONG)((((BN_ULLONG)n0 << BN_BITS2) | n1) / d0);
- * Thus:
+#else
- *     dv->neg == num->neg ^ divisor->neg  (unless the result is zero)
+                q = bn_div_words(n0, n1, d0);
- *     rm->neg == num->neg                 (unless the remainder is zero)
+#endif
- * If 'dv' or 'rm' is NULL, the respective value is not returned.
+#ifndef REMAINDER_IS_ALREADY_CALCULATED
+                /*
+                 * rem doesn't have to be BN_ULLONG. The least we
+                 * know it's less that d0, isn't it?
+                 */
+                rem = (n1 - q * d0) & BN_MASK2;
+#endif
+                t2 = (BN_ULLONG)d1 * q;
+                for (;;) {
+                        if (t2 <= (((BN_ULLONG)rem << BN_BITS2) | m[-2]))
+                                break;
+                        q--;
+                        rem += d0;
+                        if (rem < d0) break; /* don't let rem overflow */
+                                t2 -= d1;
+                }
+#else /* !BN_LLONG */
+                BN_ULONG t2l, t2h;
+                q = bn_div_words(n0, n1, d0);
+#ifndef REMAINDER_IS_ALREADY_CALCULATED
+                rem = (n1 - q * d0) & BN_MASK2;
+#endif
+#if defined(BN_UMULT_LOHI)
+                BN_UMULT_LOHI(t2l, t2h, d1, q);
+#elif defined(BN_UMULT_HIGH)
+                t2l = d1 * q;
+                t2h = BN_UMULT_HIGH(d1, q);
+#else
+                {
+                        BN_ULONG ql, qh;
+                        t2l = LBITS(d1);
+                        t2h = HBITS(d1);
+                        ql = LBITS(q);
+                        qh = HBITS(q);
+                        mul64(t2l, t2h, ql, qh); /* t2 = (BN_ULLONG)d1 * q; */
+                }
+#endif
+                for (;;) {
+                        if (t2h < rem || (t2h == rem && t2l <= m[-2]))
+                                break;
+                        q--;
+                        rem += d0;
+                        if (rem < d0)
+                                break; /* don't let rem overflow */
+                        if (t2l < d1)
+                                t2h--;
+                        t2l -= d1;
+                }
+#endif /* !BN_LLONG */
+        }
+        return q;
+}
+#endif /* !BN_DIV3W */
+/*
+ * BN_div_internal computes quotient := numerator / divisor, rounding towards
+ * zero and setting remainder such that quotient * divisor + remainder equals
+ * the numerator. Thus:
+ *
+ *   quotient->neg  == numerator->neg ^ divisor->neg   (unless result is zero)
+ *   remainder->neg == numerator->neg           (unless the remainder is zero)
+ *
+ * If either the quotient or remainder is NULL, the respective value is not
+ * returned.
 */
 static int
-BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+BN_div_internal(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator,
-    BN_CTX *ctx, int ct)
+    const BIGNUM *divisor, BN_CTX *ctx, int ct)
 {
        int norm_shift, i, loop;
        BIGNUM *tmp, wnum, *snum, *sdiv, *res;
@@ -126,58 +214,62 @@ BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor
        BN_ULONG d0, d1;
        int num_n, div_n;
        int no_branch = 0;
+        int ret = 0;
+        BN_CTX_start(ctx);
        /* Invalid zero-padding would have particularly bad consequences. */
-        if (num->top > 0 && num->d[num->top - 1] == 0) {
+        if (numerator->top > 0 && numerator->d[numerator->top - 1] == 0) {
                BNerror(BN_R_NOT_INITIALIZED);
-                return 0;
+                goto err;
        }
        if (ct)
                no_branch = 1;
        if (BN_is_zero(divisor)) {
                BNerror(BN_R_DIV_BY_ZERO);
-                return (0);
+                goto err;
        }
-        if (!no_branch && BN_ucmp(num, divisor) < 0) {
+        if (!no_branch) {
-                if (rm != NULL) {
+                if (BN_ucmp(numerator, divisor) < 0) {
-                        if (BN_copy(rm, num) == NULL)
+                        if (remainder != NULL) {
-                                return (0);
+                                if (BN_copy(remainder, numerator) == NULL)
+                                        goto err;
+                        }
+                        if (quotient != NULL)
+                                BN_zero(quotient);
+                        goto done;
                }
-                if (dv != NULL)
-                        BN_zero(dv);
-                return (1);
        }
-        BN_CTX_start(ctx);
+        if ((tmp = BN_CTX_get(ctx)) == NULL)
-        tmp = BN_CTX_get(ctx);
+                goto err;
-        snum = BN_CTX_get(ctx);
+        if ((snum = BN_CTX_get(ctx)) == NULL)
-        sdiv = BN_CTX_get(ctx);
+                goto err;
-        if (dv == NULL)
+        if ((sdiv = BN_CTX_get(ctx)) == NULL)
-                res = BN_CTX_get(ctx);
-        else
-                res = dv;
-        if (tmp == NULL || snum == NULL || sdiv == NULL || res == NULL)
                goto err;
+        if ((res = quotient) == NULL) {
+                if ((res = BN_CTX_get(ctx)) == NULL)
+                        goto err;
+        }
-        /* First we normalise the numbers */
+        /* First we normalise the numbers. */
-        norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
+        norm_shift = BN_BITS2 - BN_num_bits(divisor) % BN_BITS2;
-        if (!(BN_lshift(sdiv, divisor, norm_shift)))
+        if (!BN_lshift(sdiv, divisor, norm_shift))
                goto err;
        sdiv->neg = 0;
        norm_shift += BN_BITS2;
-        if (!(BN_lshift(snum, num, norm_shift)))
+        if (!BN_lshift(snum, numerator, norm_shift))
                goto err;
        snum->neg = 0;
        if (no_branch) {
-                /* Since we don't know whether snum is larger than sdiv,
+                /*
-                 * we pad snum with enough zeroes without changing its
+                 * Since we don't know whether snum is larger than sdiv, we pad
-                 * value.
+                 * snum with enough zeroes without changing its value.
                 */
                if (snum->top <= sdiv->top + 1) {
                        if (!bn_wexpand(snum, sdiv->top + 2))
@@ -189,16 +281,18 @@ BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor
                        if (!bn_wexpand(snum, snum->top + 1))
                                goto err;
                        snum->d[snum->top] = 0;
-                        snum->top ++;
+                        snum->top++;
                }
        }
        div_n = sdiv->top;
        num_n = snum->top;
        loop = num_n - div_n;
-        /* Lets setup a 'window' into snum
-         * This is the part that corresponds to the current
+        /*
-         * 'area' being divided */
+         * Setup a 'window' into snum - this is the part that corresponds to the
+         * current 'area' being divided.
+         */
        wnum.neg = 0;
        wnum.d = &(snum->d[loop]);
        wnum.top = div_n;
@@ -215,7 +309,7 @@ BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor
        wnump = &(snum->d[num_n - 1]);
        /* Setup to 'res' */
-        res->neg = (num->neg ^ divisor->neg);
+        res->neg = (numerator->neg ^ divisor->neg);
        if (!bn_wexpand(res, (loop + 1)))
                goto err;
        res->top = loop - no_branch;
@@ -233,8 +327,10 @@ BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor
                        res->top--;
        }
-        /* if res->top == 0 then clear the neg value otherwise decrease
+        /*
-         * the resp pointer */
+         * If res->top == 0 then clear the neg value otherwise decrease the resp
+         * pointer.
+         */
        if (res->top == 0)
                res->neg = 0;
        else
@@ -242,149 +338,90 @@ BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor
        for (i = 0; i < loop - 1; i++, wnump--, resp--) {
                BN_ULONG q, l0;
-                /* the first part of the loop uses the top two words of
-                 * snum and sdiv to calculate a BN_ULONG q such that
-                 * | wnum - sdiv * q | < sdiv */
-#if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
-                BN_ULONG bn_div_3_words(BN_ULONG*, BN_ULONG, BN_ULONG);
-                q = bn_div_3_words(wnump, d1, d0);
-#else
-                BN_ULONG n0, n1, rem = 0;
-                n0 = wnump[0];
-                n1 = wnump[-1];
-                if (n0 == d0)
-                        q = BN_MASK2;
-                else                    /* n0 < d0 */
-                {
-#ifdef BN_LLONG
-                        BN_ULLONG t2;
-#if defined(BN_DIV2W) && !defined(bn_div_words)
-                        q = (BN_ULONG)(((((BN_ULLONG)n0) << BN_BITS2)|n1)/d0);
-#else
-                        q = bn_div_words(n0, n1, d0);
-#endif
-#ifndef REMAINDER_IS_ALREADY_CALCULATED
-                        /*
-                         * rem doesn't have to be BN_ULLONG. The least we
-                         * know it's less that d0, isn't it?
-                         */
-                        rem = (n1 - q * d0) & BN_MASK2;
-#endif
-                        t2 = (BN_ULLONG)d1*q;
-                        for (;;) {
-                                if (t2 <= ((((BN_ULLONG)rem) << BN_BITS2) |
-                                    wnump[-2]))
-                                        break;
-                                q--;
-                                rem += d0;
-                                if (rem < d0) break; /* don't let rem overflow */
-                                        t2 -= d1;
-                        }
-#else /* !BN_LLONG */
-                        BN_ULONG t2l, t2h;
-                        q = bn_div_words(n0, n1, d0);
-#ifndef REMAINDER_IS_ALREADY_CALCULATED
-                        rem = (n1 - q*d0)&BN_MASK2;
-#endif
-#if defined(BN_UMULT_LOHI)
-                        BN_UMULT_LOHI(t2l, t2h, d1, q);
-#elif defined(BN_UMULT_HIGH)
-                        t2l = d1 * q;
-                        t2h = BN_UMULT_HIGH(d1, q);
-#else
-                        {
-                                BN_ULONG ql, qh;
-                                t2l = LBITS(d1);
-                                t2h = HBITS(d1);
-                                ql = LBITS(q);
-                                qh = HBITS(q);
-                                mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */
-                        }
-#endif
-                        for (;;) {
-                                if ((t2h < rem) ||
-                                    ((t2h == rem) && (t2l <= wnump[-2])))
-                                        break;
-                                q--;
-                                rem += d0;
-                                if (rem < d0)
-                                        break; /* don't let rem overflow */
-                                if (t2l < d1)
-                                        t2h--;
-                                t2l -= d1;
-                        }
-#endif /* !BN_LLONG */
-                }
-#endif /* !BN_DIV3W */
+                /*
+                 * The first part of the loop uses the top two words of snum and
+                 * sdiv to calculate a BN_ULONG q such that:
+                 *
+                 *  | wnum - sdiv * q | < sdiv
+                 */
+                q = bn_div_3_words(wnump, d1, d0);
                l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
                tmp->d[div_n] = l0;
                wnum.d--;
-                /* ignore top values of the bignums just sub the two
-                 * BN_ULONG arrays with bn_sub_words */
+                /*
+                 * Ignore top values of the bignums just sub the two BN_ULONG
+                 * arrays with bn_sub_words.
+                 */
                if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
-                        /* Note: As we have considered only the leading
+                        /*
-                         * two BN_ULONGs in the calculation of q, sdiv * q
+                         * Note: As we have considered only the leading two
-                         * might be greater than wnum (but then (q-1) * sdiv
+                         * BN_ULONGs in the calculation of q, sdiv * q might be
-                         * is less or equal than wnum)
+                         * greater than wnum (but then (q-1) * sdiv is less or
+                         * equal than wnum).
                         */
                        q--;
-                        if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
+                        if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n)) {
-                                /* we can't have an overflow here (assuming
+                                /*
+                                 * We can't have an overflow here (assuming
                                 * that q != 0, but if q == 0 then tmp is
-                                 * zero anyway) */
+                                 * zero anyway).
+                                 */
                                (*wnump)++;
+                        }
                }
                /* store part of the result */
                *resp = q;
        }
        bn_correct_top(snum);
-        if (rm != NULL) {
-                /* Keep a copy of the neg flag in num because if rm==num
+        if (remainder != NULL) {
-                 * BN_rshift() will overwrite it.
+                /*
+                 * Keep a copy of the neg flag in numerator because if
+                 * remainder == numerator, BN_rshift() will overwrite it.
                 */
-                int neg = num->neg;
+                int neg = numerator->neg;
-                BN_rshift(rm, snum, norm_shift);
-                if (!BN_is_zero(rm))
+                BN_rshift(remainder, snum, norm_shift);
-                        rm->neg = neg;
+                if (!BN_is_zero(remainder))
+                        remainder->neg = neg;
        }
        if (no_branch)
                bn_correct_top(res);
-        BN_CTX_end(ctx);
-        return (1);
-err:
+ done:
+        ret = 1;
+ err:
        BN_CTX_end(ctx);
-        return (0);
+        return ret;
 }
 int
-BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+BN_div(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator,
-    BN_CTX *ctx)
+    const BIGNUM *divisor, BN_CTX *ctx)
 {
-        int ct = ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) ||
+        int ct;
-            (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0));
+        ct = BN_get_flags(numerator, BN_FLG_CONSTTIME) != 0 ||
+            BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0;
-        return BN_div_internal(dv, rm, num, divisor, ctx, ct);
+        return BN_div_internal(quotient, remainder, numerator, divisor, ctx, ct);
 }
 int
-BN_div_nonct(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+BN_div_nonct(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator,
-    BN_CTX *ctx)
+    const BIGNUM *divisor, BN_CTX *ctx)
 {
-        return BN_div_internal(dv, rm, num, divisor, ctx, 0);
+        return BN_div_internal(quotient, remainder, numerator, divisor, ctx, 0);
 }
 int
-BN_div_ct(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+BN_div_ct(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator,
-    BN_CTX *ctx)
+    const BIGNUM *divisor, BN_CTX *ctx)
 {
-        return BN_div_internal(dv, rm, num, divisor, ctx, 1);
+        return BN_div_internal(quotient, remainder, numerator, divisor, ctx, 1);
 }

diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c index d0adc4688f..7f0560f7c5 100644 --- a/src/lib/libcrypto/bn/bn_div.c +++ b/src/lib/libcrypto/bn/bn_div.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_div.c,v 1.29 2022/12/26 07:18:51 jmc Exp $ */	1	/* $OpenBSD: bn_div.c,v 1.30 2023/01/18 05:27:30 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -65,8 +65,11 @@
65		65
66	#include "bn_local.h"	66	#include "bn_local.h"
67		67
68	#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \	68	BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0);
69	&& !defined(BN_DIV3W)	69
		70	#ifndef BN_DIV3W
		71
		72	#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
70	# if defined(__GNUC__) && __GNUC__>=2	73	# if defined(__GNUC__) && __GNUC__>=2
71	# if defined(__i386) \|\| defined (__i386__)	74	# if defined(__i386) \|\| defined (__i386__)
72	/*	75	/*
@@ -108,17 +111,102 @@
108	# endif /* __GNUC__ */	111	# endif /* __GNUC__ */
109	#endif /* OPENSSL_NO_ASM */	112	#endif /* OPENSSL_NO_ASM */
110		113
		114	BN_ULONG
		115	bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0)
		116	{
		117	BN_ULONG n0, n1, q;
		118	BN_ULONG rem = 0;
		119
		120	n0 = m[0];
		121	n1 = m[-1];
		122
		123	if (n0 == d0)
		124	return BN_MASK2;
		125
		126	/* n0 < d0 */
		127	{
		128	#ifdef BN_LLONG
		129	BN_ULLONG t2;
111		130
112	/* BN_div computes dv := num / divisor, rounding towards	131	#if defined(BN_DIV2W) && !defined(bn_div_words)
113	* zero, and sets up rm such that dv*divisor + rm = num holds.	132	q = (BN_ULONG)((((BN_ULLONG)n0 << BN_BITS2) \| n1) / d0);
114	* Thus:	133	#else
115	* dv->neg == num->neg ^ divisor->neg (unless the result is zero)	134	q = bn_div_words(n0, n1, d0);
116	* rm->neg == num->neg (unless the remainder is zero)	135	#endif
117	* If 'dv' or 'rm' is NULL, the respective value is not returned.	136
		137	#ifndef REMAINDER_IS_ALREADY_CALCULATED
		138	/*
		139	* rem doesn't have to be BN_ULLONG. The least we
		140	* know it's less that d0, isn't it?
		141	*/
		142	rem = (n1 - q * d0) & BN_MASK2;
		143	#endif
		144	t2 = (BN_ULLONG)d1 * q;
		145
		146	for (;;) {
		147	if (t2 <= (((BN_ULLONG)rem << BN_BITS2) \| m[-2]))
		148	break;
		149	q--;
		150	rem += d0;
		151	if (rem < d0) break; /* don't let rem overflow */
		152	t2 -= d1;
		153	}
		154	#else /* !BN_LLONG */
		155	BN_ULONG t2l, t2h;
		156
		157	q = bn_div_words(n0, n1, d0);
		158	#ifndef REMAINDER_IS_ALREADY_CALCULATED
		159	rem = (n1 - q * d0) & BN_MASK2;
		160	#endif
		161
		162	#if defined(BN_UMULT_LOHI)
		163	BN_UMULT_LOHI(t2l, t2h, d1, q);
		164	#elif defined(BN_UMULT_HIGH)
		165	t2l = d1 * q;
		166	t2h = BN_UMULT_HIGH(d1, q);
		167	#else
		168	{
		169	BN_ULONG ql, qh;
		170	t2l = LBITS(d1);
		171	t2h = HBITS(d1);
		172	ql = LBITS(q);
		173	qh = HBITS(q);
		174	mul64(t2l, t2h, ql, qh); /* t2 = (BN_ULLONG)d1 * q; */
		175	}
		176	#endif
		177
		178	for (;;) {
		179	if (t2h < rem \|\| (t2h == rem && t2l <= m[-2]))
		180	break;
		181	q--;
		182	rem += d0;
		183	if (rem < d0)
		184	break; /* don't let rem overflow */
		185	if (t2l < d1)
		186	t2h--;
		187	t2l -= d1;
		188	}
		189	#endif /* !BN_LLONG */
		190	}
		191
		192	return q;
		193	}
		194	#endif /* !BN_DIV3W */
		195
		196	/*
		197	* BN_div_internal computes quotient := numerator / divisor, rounding towards
		198	* zero and setting remainder such that quotient * divisor + remainder equals
		199	* the numerator. Thus:
		200	*
		201	* quotient->neg == numerator->neg ^ divisor->neg (unless result is zero)
		202	* remainder->neg == numerator->neg (unless the remainder is zero)
		203	*
		204	* If either the quotient or remainder is NULL, the respective value is not
		205	* returned.
118	*/	206	*/
119	static int	207	static int
120	BN_div_internal(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor,	208	BN_div_internal(BIGNUM quotient, BIGNUM remainder, const BIGNUM *numerator,
121	BN_CTX *ctx, int ct)	209	const BIGNUM divisor, BN_CTX ctx, int ct)
122	{	210	{
123	int norm_shift, i, loop;	211	int norm_shift, i, loop;
124	BIGNUM tmp, wnum, snum, sdiv, res;	212	BIGNUM tmp, wnum, snum, sdiv, res;
@@ -126,58 +214,62 @@ BN_div_internal(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor
126	BN_ULONG d0, d1;	214	BN_ULONG d0, d1;
127	int num_n, div_n;	215	int num_n, div_n;
128	int no_branch = 0;	216	int no_branch = 0;
		217	int ret = 0;
		218
		219	BN_CTX_start(ctx);
129		220
130	/* Invalid zero-padding would have particularly bad consequences. */	221	/* Invalid zero-padding would have particularly bad consequences. */
131	if (num->top > 0 && num->d[num->top - 1] == 0) {	222	if (numerator->top > 0 && numerator->d[numerator->top - 1] == 0) {
132	BNerror(BN_R_NOT_INITIALIZED);	223	BNerror(BN_R_NOT_INITIALIZED);
133	return 0;	224	goto err;
134	}	225	}
135		226
136
137	if (ct)	227	if (ct)
138	no_branch = 1;	228	no_branch = 1;
139		229
140
141	if (BN_is_zero(divisor)) {	230	if (BN_is_zero(divisor)) {
142	BNerror(BN_R_DIV_BY_ZERO);	231	BNerror(BN_R_DIV_BY_ZERO);
143	return (0);	232	goto err;
144	}	233	}
145		234
146	if (!no_branch && BN_ucmp(num, divisor) < 0) {	235	if (!no_branch) {
147	if (rm != NULL) {	236	if (BN_ucmp(numerator, divisor) < 0) {
148	if (BN_copy(rm, num) == NULL)	237	if (remainder != NULL) {
149	return (0);	238	if (BN_copy(remainder, numerator) == NULL)
		239	goto err;
		240	}
		241	if (quotient != NULL)
		242	BN_zero(quotient);
		243
		244	goto done;
150	}	245	}
151	if (dv != NULL)
152	BN_zero(dv);
153	return (1);
154	}	246	}
155		247
156	BN_CTX_start(ctx);	248	if ((tmp = BN_CTX_get(ctx)) == NULL)
157	tmp = BN_CTX_get(ctx);	249	goto err;
158	snum = BN_CTX_get(ctx);	250	if ((snum = BN_CTX_get(ctx)) == NULL)
159	sdiv = BN_CTX_get(ctx);	251	goto err;
160	if (dv == NULL)	252	if ((sdiv = BN_CTX_get(ctx)) == NULL)
161	res = BN_CTX_get(ctx);
162	else
163	res = dv;
164	if (tmp == NULL \|\| snum == NULL \|\| sdiv == NULL \|\| res == NULL)
165	goto err;	253	goto err;
		254	if ((res = quotient) == NULL) {
		255	if ((res = BN_CTX_get(ctx)) == NULL)
		256	goto err;
		257	}
166		258
167	/* First we normalise the numbers */	259	/* First we normalise the numbers. */
168	norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);	260	norm_shift = BN_BITS2 - BN_num_bits(divisor) % BN_BITS2;
169	if (!(BN_lshift(sdiv, divisor, norm_shift)))	261	if (!BN_lshift(sdiv, divisor, norm_shift))
170	goto err;	262	goto err;
171	sdiv->neg = 0;	263	sdiv->neg = 0;
172	norm_shift += BN_BITS2;	264	norm_shift += BN_BITS2;
173	if (!(BN_lshift(snum, num, norm_shift)))	265	if (!BN_lshift(snum, numerator, norm_shift))
174	goto err;	266	goto err;
175	snum->neg = 0;	267	snum->neg = 0;
176		268
177	if (no_branch) {	269	if (no_branch) {
178	/* Since we don't know whether snum is larger than sdiv,	270	/*
179	* we pad snum with enough zeroes without changing its	271	* Since we don't know whether snum is larger than sdiv, we pad
180	* value.	272	* snum with enough zeroes without changing its value.
181	*/	273	*/
182	if (snum->top <= sdiv->top + 1) {	274	if (snum->top <= sdiv->top + 1) {
183	if (!bn_wexpand(snum, sdiv->top + 2))	275	if (!bn_wexpand(snum, sdiv->top + 2))
@@ -189,16 +281,18 @@ BN_div_internal(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor
189	if (!bn_wexpand(snum, snum->top + 1))	281	if (!bn_wexpand(snum, snum->top + 1))
190	goto err;	282	goto err;
191	snum->d[snum->top] = 0;	283	snum->d[snum->top] = 0;
192	snum->top ++;	284	snum->top++;
193	}	285	}
194	}	286	}
195		287
196	div_n = sdiv->top;	288	div_n = sdiv->top;
197	num_n = snum->top;	289	num_n = snum->top;
198	loop = num_n - div_n;	290	loop = num_n - div_n;
199	/* Lets setup a 'window' into snum	291
200	* This is the part that corresponds to the current	292	/*
201	* 'area' being divided */	293	* Setup a 'window' into snum - this is the part that corresponds to the
		294	* current 'area' being divided.
		295	*/
202	wnum.neg = 0;	296	wnum.neg = 0;
203	wnum.d = &(snum->d[loop]);	297	wnum.d = &(snum->d[loop]);
204	wnum.top = div_n;	298	wnum.top = div_n;
@@ -215,7 +309,7 @@ BN_div_internal(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor
215	wnump = &(snum->d[num_n - 1]);	309	wnump = &(snum->d[num_n - 1]);
216		310
217	/* Setup to 'res' */	311	/* Setup to 'res' */
218	res->neg = (num->neg ^ divisor->neg);	312	res->neg = (numerator->neg ^ divisor->neg);
219	if (!bn_wexpand(res, (loop + 1)))	313	if (!bn_wexpand(res, (loop + 1)))
220	goto err;	314	goto err;
221	res->top = loop - no_branch;	315	res->top = loop - no_branch;
@@ -233,8 +327,10 @@ BN_div_internal(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor
233	res->top--;	327	res->top--;
234	}	328	}
235		329
236	/* if res->top == 0 then clear the neg value otherwise decrease	330	/*
237	* the resp pointer */	331	* If res->top == 0 then clear the neg value otherwise decrease the resp
		332	* pointer.
		333	*/
238	if (res->top == 0)	334	if (res->top == 0)
239	res->neg = 0;	335	res->neg = 0;
240	else	336	else
@@ -242,149 +338,90 @@ BN_div_internal(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor
242		338
243	for (i = 0; i < loop - 1; i++, wnump--, resp--) {	339	for (i = 0; i < loop - 1; i++, wnump--, resp--) {
244	BN_ULONG q, l0;	340	BN_ULONG q, l0;
245	/* the first part of the loop uses the top two words of
246	* snum and sdiv to calculate a BN_ULONG q such that
247	* \| wnum - sdiv * q \| < sdiv */
248	#if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
249	BN_ULONG bn_div_3_words(BN_ULONG*, BN_ULONG, BN_ULONG);
250	q = bn_div_3_words(wnump, d1, d0);
251	#else
252	BN_ULONG n0, n1, rem = 0;
253
254	n0 = wnump[0];
255	n1 = wnump[-1];
256	if (n0 == d0)
257	q = BN_MASK2;
258	else /* n0 < d0 */
259	{
260	#ifdef BN_LLONG
261	BN_ULLONG t2;
262
263	#if defined(BN_DIV2W) && !defined(bn_div_words)
264	q = (BN_ULONG)(((((BN_ULLONG)n0) << BN_BITS2)\|n1)/d0);
265	#else
266	q = bn_div_words(n0, n1, d0);
267	#endif
268
269	#ifndef REMAINDER_IS_ALREADY_CALCULATED
270	/*
271	* rem doesn't have to be BN_ULLONG. The least we
272	* know it's less that d0, isn't it?
273	*/
274	rem = (n1 - q * d0) & BN_MASK2;
275	#endif
276	t2 = (BN_ULLONG)d1*q;
277
278	for (;;) {
279	if (t2 <= ((((BN_ULLONG)rem) << BN_BITS2) \|
280	wnump[-2]))
281	break;
282	q--;
283	rem += d0;
284	if (rem < d0) break; /* don't let rem overflow */
285	t2 -= d1;
286	}
287	#else /* !BN_LLONG */
288	BN_ULONG t2l, t2h;
289
290	q = bn_div_words(n0, n1, d0);
291	#ifndef REMAINDER_IS_ALREADY_CALCULATED
292	rem = (n1 - q*d0)&BN_MASK2;
293	#endif
294
295	#if defined(BN_UMULT_LOHI)
296	BN_UMULT_LOHI(t2l, t2h, d1, q);
297	#elif defined(BN_UMULT_HIGH)
298	t2l = d1 * q;
299	t2h = BN_UMULT_HIGH(d1, q);
300	#else
301	{
302	BN_ULONG ql, qh;
303	t2l = LBITS(d1);
304	t2h = HBITS(d1);
305	ql = LBITS(q);
306	qh = HBITS(q);
307	mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1q; /
308	}
309	#endif
310
311	for (;;) {
312	if ((t2h < rem) \|\|
313	((t2h == rem) && (t2l <= wnump[-2])))
314	break;
315	q--;
316	rem += d0;
317	if (rem < d0)
318	break; /* don't let rem overflow */
319	if (t2l < d1)
320	t2h--;
321	t2l -= d1;
322	}
323	#endif /* !BN_LLONG */
324	}
325	#endif /* !BN_DIV3W */
326		341
		342	/*
		343	* The first part of the loop uses the top two words of snum and
		344	* sdiv to calculate a BN_ULONG q such that:
		345	*
		346	* \| wnum - sdiv * q \| < sdiv
		347	*/
		348	q = bn_div_3_words(wnump, d1, d0);
327	l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);	349	l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
328	tmp->d[div_n] = l0;	350	tmp->d[div_n] = l0;
329	wnum.d--;	351	wnum.d--;
330	/* ignore top values of the bignums just sub the two	352
331	* BN_ULONG arrays with bn_sub_words */	353	/*
		354	* Ignore top values of the bignums just sub the two BN_ULONG
		355	* arrays with bn_sub_words.
		356	*/
332	if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {	357	if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
333	/* Note: As we have considered only the leading	358	/*
334	* two BN_ULONGs in the calculation of q, sdiv * q	359	* Note: As we have considered only the leading two
335	* might be greater than wnum (but then (q-1) * sdiv	360	* BN_ULONGs in the calculation of q, sdiv * q might be
336	* is less or equal than wnum)	361	* greater than wnum (but then (q-1) * sdiv is less or
		362	* equal than wnum).
337	*/	363	*/
338	q--;	364	q--;
339	if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))	365	if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n)) {
340	/* we can't have an overflow here (assuming	366	/*
		367	* We can't have an overflow here (assuming
341	* that q != 0, but if q == 0 then tmp is	368	* that q != 0, but if q == 0 then tmp is
342	* zero anyway) */	369	* zero anyway).
		370	*/
343	(*wnump)++;	371	(*wnump)++;
		372	}
344	}	373	}
345	/* store part of the result */	374	/* store part of the result */
346	*resp = q;	375	*resp = q;
347	}	376	}
		377
348	bn_correct_top(snum);	378	bn_correct_top(snum);
349	if (rm != NULL) {	379
350	/* Keep a copy of the neg flag in num because if rm==num	380	if (remainder != NULL) {
351	* BN_rshift() will overwrite it.	381	/*
		382	* Keep a copy of the neg flag in numerator because if
		383	* remainder == numerator, BN_rshift() will overwrite it.
352	*/	384	*/
353	int neg = num->neg;	385	int neg = numerator->neg;
354	BN_rshift(rm, snum, norm_shift);	386
355	if (!BN_is_zero(rm))	387	BN_rshift(remainder, snum, norm_shift);
356	rm->neg = neg;	388	if (!BN_is_zero(remainder))
		389	remainder->neg = neg;
357	}	390	}
		391
358	if (no_branch)	392	if (no_branch)
359	bn_correct_top(res);	393	bn_correct_top(res);
360	BN_CTX_end(ctx);
361	return (1);
362		394
363	err:	395	done:
		396	ret = 1;
		397	err:
364	BN_CTX_end(ctx);	398	BN_CTX_end(ctx);
365	return (0);	399
		400	return ret;
366	}	401	}
367		402
368	int	403	int
369	BN_div(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor,	404	BN_div(BIGNUM quotient, BIGNUM remainder, const BIGNUM *numerator,
370	BN_CTX *ctx)	405	const BIGNUM divisor, BN_CTX ctx)
371	{	406	{
372	int ct = ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) \|\|	407	int ct;
373	(BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0));	408
		409	ct = BN_get_flags(numerator, BN_FLG_CONSTTIME) != 0 \|\|
		410	BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0;
374		411
375	return BN_div_internal(dv, rm, num, divisor, ctx, ct);	412	return BN_div_internal(quotient, remainder, numerator, divisor, ctx, ct);
376	}	413	}
377		414
378	int	415	int
379	BN_div_nonct(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor,	416	BN_div_nonct(BIGNUM quotient, BIGNUM remainder, const BIGNUM *numerator,
380	BN_CTX *ctx)	417	const BIGNUM divisor, BN_CTX ctx)
381	{	418	{
382	return BN_div_internal(dv, rm, num, divisor, ctx, 0);	419	return BN_div_internal(quotient, remainder, numerator, divisor, ctx, 0);
383	}	420	}
384		421
385	int	422	int
386	BN_div_ct(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor,	423	BN_div_ct(BIGNUM quotient, BIGNUM remainder, const BIGNUM *numerator,
387	BN_CTX *ctx)	424	const BIGNUM divisor, BN_CTX ctx)
388	{	425	{
389	return BN_div_internal(dv, rm, num, divisor, ctx, 1);	426	return BN_div_internal(quotient, remainder, numerator, divisor, ctx, 1);
390	}	427	}