From eb8dd9dca1228af0cd132f515509051ecfabf6f6 Mon Sep 17 00:00:00 2001 From: cvs2svn Date: Mon, 14 Apr 2025 17:32:06 +0000 Subject: This commit was manufactured by cvs2git to create tag 'tb_20250414'. --- src/lib/libcrypto/bn/arch/aarch64/bn_arch.h | 369 ---- src/lib/libcrypto/bn/arch/alpha/bn_arch.h | 44 - src/lib/libcrypto/bn/arch/amd64/bignum_add.S | 165 -- src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S | 155 -- src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S | 138 -- src/lib/libcrypto/bn/arch/amd64/bignum_mul.S | 167 -- .../libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S | 157 -- .../libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S | 244 --- src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S | 197 -- .../libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S | 145 -- .../libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S | 242 --- src/lib/libcrypto/bn/arch/amd64/bignum_sub.S | 153 -- src/lib/libcrypto/bn/arch/amd64/bn_arch.c | 131 -- src/lib/libcrypto/bn/arch/amd64/bn_arch.h | 109 - src/lib/libcrypto/bn/arch/amd64/word_clz.S | 60 - src/lib/libcrypto/bn/arch/arm/bn_arch.h | 73 - src/lib/libcrypto/bn/arch/hppa/bn_arch.h | 24 - src/lib/libcrypto/bn/arch/i386/bn_arch.h | 86 - src/lib/libcrypto/bn/arch/m88k/bn_arch.h | 24 - src/lib/libcrypto/bn/arch/mips64/bn_arch.h | 40 - src/lib/libcrypto/bn/arch/powerpc/bn_arch.h | 39 - src/lib/libcrypto/bn/arch/powerpc64/bn_arch.h | 44 - src/lib/libcrypto/bn/arch/riscv64/bn_arch.h | 86 - src/lib/libcrypto/bn/arch/sh/bn_arch.h | 24 - src/lib/libcrypto/bn/arch/sparc64/bn_arch.h | 24 - src/lib/libcrypto/bn/asm/alpha-mont.pl | 315 --- src/lib/libcrypto/bn/asm/armv4-mont.pl | 204 -- src/lib/libcrypto/bn/asm/bn-586.pl | 567 ----- src/lib/libcrypto/bn/asm/co-586.pl | 287 --- src/lib/libcrypto/bn/asm/mips-mont.pl | 426 ---- src/lib/libcrypto/bn/asm/mips.pl | 2234 -------------------- src/lib/libcrypto/bn/asm/modexp512-x86_64.pl | 1393 ------------ src/lib/libcrypto/bn/asm/parisc-mont.pl | 985 --------- src/lib/libcrypto/bn/asm/ppc-mont.pl | 329 --- src/lib/libcrypto/bn/asm/ppc.pl | 1968 ----------------- src/lib/libcrypto/bn/asm/x86-mont.pl | 592 ------ src/lib/libcrypto/bn/asm/x86_64-mont.pl | 1503 ------------- src/lib/libcrypto/bn/asm/x86_64-mont5.pl | 1192 ----------- src/lib/libcrypto/bn/bn.h | 520 ----- src/lib/libcrypto/bn/bn_add.c | 341 --- src/lib/libcrypto/bn/bn_bpsw.c | 531 ----- src/lib/libcrypto/bn/bn_const.c | 433 ---- src/lib/libcrypto/bn/bn_convert.c | 757 ------- src/lib/libcrypto/bn/bn_ctx.c | 161 -- src/lib/libcrypto/bn/bn_div.c | 458 ---- src/lib/libcrypto/bn/bn_err.c | 110 - src/lib/libcrypto/bn/bn_exp.c | 1330 ------------ src/lib/libcrypto/bn/bn_gcd.c | 818 ------- src/lib/libcrypto/bn/bn_internal.h | 568 ----- src/lib/libcrypto/bn/bn_isqrt.c | 234 -- src/lib/libcrypto/bn/bn_kron.c | 195 -- src/lib/libcrypto/bn/bn_lib.c | 752 ------- src/lib/libcrypto/bn/bn_local.h | 335 --- src/lib/libcrypto/bn/bn_mod.c | 369 ---- src/lib/libcrypto/bn/bn_mod_sqrt.c | 723 ------- src/lib/libcrypto/bn/bn_mont.c | 621 ------ src/lib/libcrypto/bn/bn_mul.c | 370 ---- src/lib/libcrypto/bn/bn_prime.c | 423 ---- src/lib/libcrypto/bn/bn_prime.h | 14 - src/lib/libcrypto/bn/bn_prime.pl | 100 - src/lib/libcrypto/bn/bn_primitives.c | 65 - src/lib/libcrypto/bn/bn_print.c | 191 -- src/lib/libcrypto/bn/bn_rand.c | 340 --- src/lib/libcrypto/bn/bn_recp.c | 222 -- src/lib/libcrypto/bn/bn_shift.c | 175 -- src/lib/libcrypto/bn/bn_small_primes.c | 265 --- src/lib/libcrypto/bn/bn_sqr.c | 305 --- src/lib/libcrypto/bn/bn_word.c | 245 --- src/lib/libcrypto/bn/s2n_bignum.h | 856 -------- src/lib/libcrypto/bn/s2n_bignum_internal.h | 36 - 70 files changed, 27798 deletions(-) delete mode 100644 src/lib/libcrypto/bn/arch/aarch64/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/arch/alpha/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/arch/amd64/bignum_add.S delete mode 100644 src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S delete mode 100644 src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S delete mode 100644 src/lib/libcrypto/bn/arch/amd64/bignum_mul.S delete mode 100644 src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S delete mode 100644 src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S delete mode 100644 src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S delete mode 100644 src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S delete mode 100644 src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S delete mode 100644 src/lib/libcrypto/bn/arch/amd64/bignum_sub.S delete mode 100644 src/lib/libcrypto/bn/arch/amd64/bn_arch.c delete mode 100644 src/lib/libcrypto/bn/arch/amd64/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/arch/amd64/word_clz.S delete mode 100644 src/lib/libcrypto/bn/arch/arm/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/arch/hppa/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/arch/i386/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/arch/m88k/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/arch/mips64/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/arch/powerpc/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/arch/powerpc64/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/arch/riscv64/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/arch/sh/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/arch/sparc64/bn_arch.h delete mode 100644 src/lib/libcrypto/bn/asm/alpha-mont.pl delete mode 100644 src/lib/libcrypto/bn/asm/armv4-mont.pl delete mode 100644 src/lib/libcrypto/bn/asm/bn-586.pl delete mode 100644 src/lib/libcrypto/bn/asm/co-586.pl delete mode 100644 src/lib/libcrypto/bn/asm/mips-mont.pl delete mode 100644 src/lib/libcrypto/bn/asm/mips.pl delete mode 100644 src/lib/libcrypto/bn/asm/modexp512-x86_64.pl delete mode 100644 src/lib/libcrypto/bn/asm/parisc-mont.pl delete mode 100644 src/lib/libcrypto/bn/asm/ppc-mont.pl delete mode 100644 src/lib/libcrypto/bn/asm/ppc.pl delete mode 100755 src/lib/libcrypto/bn/asm/x86-mont.pl delete mode 100755 src/lib/libcrypto/bn/asm/x86_64-mont.pl delete mode 100755 src/lib/libcrypto/bn/asm/x86_64-mont5.pl delete mode 100644 src/lib/libcrypto/bn/bn.h delete mode 100644 src/lib/libcrypto/bn/bn_add.c delete mode 100644 src/lib/libcrypto/bn/bn_bpsw.c delete mode 100644 src/lib/libcrypto/bn/bn_const.c delete mode 100644 src/lib/libcrypto/bn/bn_convert.c delete mode 100644 src/lib/libcrypto/bn/bn_ctx.c delete mode 100644 src/lib/libcrypto/bn/bn_div.c delete mode 100644 src/lib/libcrypto/bn/bn_err.c delete mode 100644 src/lib/libcrypto/bn/bn_exp.c delete mode 100644 src/lib/libcrypto/bn/bn_gcd.c delete mode 100644 src/lib/libcrypto/bn/bn_internal.h delete mode 100644 src/lib/libcrypto/bn/bn_isqrt.c delete mode 100644 src/lib/libcrypto/bn/bn_kron.c delete mode 100644 src/lib/libcrypto/bn/bn_lib.c delete mode 100644 src/lib/libcrypto/bn/bn_local.h delete mode 100644 src/lib/libcrypto/bn/bn_mod.c delete mode 100644 src/lib/libcrypto/bn/bn_mod_sqrt.c delete mode 100644 src/lib/libcrypto/bn/bn_mont.c delete mode 100644 src/lib/libcrypto/bn/bn_mul.c delete mode 100644 src/lib/libcrypto/bn/bn_prime.c delete mode 100644 src/lib/libcrypto/bn/bn_prime.h delete mode 100644 src/lib/libcrypto/bn/bn_prime.pl delete mode 100644 src/lib/libcrypto/bn/bn_primitives.c delete mode 100644 src/lib/libcrypto/bn/bn_print.c delete mode 100644 src/lib/libcrypto/bn/bn_rand.c delete mode 100644 src/lib/libcrypto/bn/bn_recp.c delete mode 100644 src/lib/libcrypto/bn/bn_shift.c delete mode 100644 src/lib/libcrypto/bn/bn_small_primes.c delete mode 100644 src/lib/libcrypto/bn/bn_sqr.c delete mode 100644 src/lib/libcrypto/bn/bn_word.c delete mode 100644 src/lib/libcrypto/bn/s2n_bignum.h delete mode 100644 src/lib/libcrypto/bn/s2n_bignum_internal.h (limited to 'src/lib/libcrypto/bn') diff --git a/src/lib/libcrypto/bn/arch/aarch64/bn_arch.h b/src/lib/libcrypto/bn/arch/aarch64/bn_arch.h deleted file mode 100644 index fe6f8a3aea..0000000000 --- a/src/lib/libcrypto/bn/arch/aarch64/bn_arch.h +++ /dev/null @@ -1,369 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.13 2023/07/24 10:21:29 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#if defined(__GNUC__) - -#define HAVE_BN_CLZW - -static inline int -bn_clzw(BN_ULONG w) -{ - BN_ULONG n; - - __asm__ ("clz %[n], %[w]" - : [n]"=r"(n) - : [w]"r"(w)); - - return n; -} - -#define HAVE_BN_ADDW - -static inline void -bn_addw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG carry, r0; - - __asm__ ( - "adds %[r0], %[a], %[b] \n" - "cset %[carry], cs \n" - : [carry]"=r"(carry), [r0]"=r"(r0) - : [a]"r"(a), [b]"r"(b) - : "cc"); - - *out_r1 = carry; - *out_r0 = r0; -} - -#define HAVE_BN_ADDW_ADDW - -static inline void -bn_addw_addw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG *out_r1, - BN_ULONG *out_r0) -{ - BN_ULONG carry, r0; - - __asm__ ( - "adds %[r0], %[a], %[b] \n" - "cset %[carry], cs \n" - "adds %[r0], %[r0], %[c] \n" - "cinc %[carry], %[carry], cs \n" - : [carry]"=&r"(carry), [r0]"=&r"(r0) - : [a]"r"(a), [b]"r"(b), [c]"r"(c) - : "cc"); - - *out_r1 = carry; - *out_r0 = r0; -} - -#define HAVE_BN_QWADDQW - -static inline void -bn_qwaddqw(BN_ULONG a3, BN_ULONG a2, BN_ULONG a1, BN_ULONG a0, BN_ULONG b3, - BN_ULONG b2, BN_ULONG b1, BN_ULONG b0, BN_ULONG carry, BN_ULONG *out_carry, - BN_ULONG *out_r3, BN_ULONG *out_r2, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r3, r2, r1, r0; - - __asm__ ( - "adds xzr, %[carry], #-1 \n" - "adcs %[r0], %[a0], %[b0] \n" - "adcs %[r1], %[a1], %[b1] \n" - "adcs %[r2], %[a2], %[b2] \n" - "adcs %[r3], %[a3], %[b3] \n" - "cset %[carry], cs \n" - : [carry]"+r"(carry), [r3]"=&r"(r3), [r2]"=&r"(r2), - [r1]"=&r"(r1), [r0]"=&r"(r0) - : [a3]"r"(a3), [a2]"r"(a2), [a1]"r"(a1), [a0]"r"(a0), - [b3]"r"(b3), [b2]"r"(b2), [b1]"r"(b1), [b0]"r"(b0) - : "cc"); - - *out_carry = carry; - *out_r3 = r3; - *out_r2 = r2; - *out_r1 = r1; - *out_r0 = r0; -} - -#define HAVE_BN_MULW - -static inline void -bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r1, r0; - - /* Unsigned multiplication using a umulh/mul pair. */ - __asm__ ( - "umulh %[r1], %[a], %[b] \n" - "mul %[r0], %[a], %[b] \n" - : [r1]"=&r"(r1), [r0]"=r"(r0) - : [a]"r"(a), [b]"r"(b)); - - *out_r1 = r1; - *out_r0 = r0; -} - -#define HAVE_BN_MULW_ADDW - -static inline void -bn_mulw_addw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG *out_r1, - BN_ULONG *out_r0) -{ - BN_ULONG r1, r0; - - __asm__ ( - "umulh %[r1], %[a], %[b] \n" - "mul %[r0], %[a], %[b] \n" - "adds %[r0], %[r0], %[c] \n" - "adc %[r1], %[r1], xzr \n" - : [r1]"=&r"(r1), [r0]"=&r"(r0) - : [a]"r"(a), [b]"r"(b), [c]"r"(c) - : "cc"); - - *out_r1 = r1; - *out_r0 = r0; -} - -#define HAVE_BN_MULW_ADDW_ADDW - -static inline void -bn_mulw_addw_addw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG d, - BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r1, r0; - - __asm__ ( - "umulh %[r1], %[a], %[b] \n" - "mul %[r0], %[a], %[b] \n" - "adds %[r0], %[r0], %[c] \n" - "adc %[r1], %[r1], xzr \n" - "adds %[r0], %[r0], %[d] \n" - "adc %[r1], %[r1], xzr \n" - : [r1]"=&r"(r1), [r0]"=&r"(r0) - : [a]"r"(a), [b]"r"(b), [c]"r"(c), [d]"r"(d) - : "cc"); - - *out_r1 = r1; - *out_r0 = r0; -} - -#define HAVE_BN_MULW_ADDTW - -static inline void -bn_mulw_addtw(BN_ULONG a, BN_ULONG b, BN_ULONG c2, BN_ULONG c1, BN_ULONG c0, - BN_ULONG *out_r2, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r2, r1, r0; - - __asm__ ( - "umulh %[r1], %[a], %[b] \n" - "mul %[r0], %[a], %[b] \n" - "adds %[r0], %[r0], %[c0] \n" - "adcs %[r1], %[r1], %[c1] \n" - "adc %[r2], xzr, %[c2] \n" - : [r2]"=&r"(r2), [r1]"=&r"(r1), [r0]"=&r"(r0) - : [a]"r"(a), [b]"r"(b), [c2]"r"(c2), [c1]"r"(c1), [c0]"r"(c0) - : "cc"); - - *out_r2 = r2; - *out_r1 = r1; - *out_r0 = r0; -} - -#define HAVE_BN_MUL2_MULW_ADDTW - -static inline void -bn_mul2_mulw_addtw(BN_ULONG a, BN_ULONG b, BN_ULONG c2, BN_ULONG c1, BN_ULONG c0, - BN_ULONG *out_r2, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r2, r1, r0, x1, x0; - - __asm__ ( - "umulh %[x1], %[a], %[b] \n" - "mul %[x0], %[a], %[b] \n" - "adds %[r0], %[c0], %[x0] \n" - "adcs %[r1], %[c1], %[x1] \n" - "adc %[r2], xzr, %[c2] \n" - "adds %[r0], %[r0], %[x0] \n" - "adcs %[r1], %[r1], %[x1] \n" - "adc %[r2], xzr, %[r2] \n" - : [r2]"=&r"(r2), [r1]"=&r"(r1), [r0]"=&r"(r0), [x1]"=&r"(x1), - [x0]"=&r"(x0) - : [a]"r"(a), [b]"r"(b), [c2]"r"(c2), [c1]"r"(c1), [c0]"r"(c0) - : "cc"); - - *out_r2 = r2; - *out_r1 = r1; - *out_r0 = r0; -} - -#define HAVE_BN_QWMULW_ADDW - -static inline void -bn_qwmulw_addw(BN_ULONG a3, BN_ULONG a2, BN_ULONG a1, BN_ULONG a0, BN_ULONG b, - BN_ULONG c, BN_ULONG *out_r4, BN_ULONG *out_r3, BN_ULONG *out_r2, - BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r4, r3, r2, r1, r0; - - __asm__ ( - "umulh %[r1], %[a0], %[b] \n" - "mul %[r0], %[a0], %[b] \n" - "adds %[r0], %[r0], %[c] \n" - "umulh %[r2], %[a1], %[b] \n" - "mul %[c], %[a1], %[b] \n" - "adcs %[r1], %[r1], %[c] \n" - "umulh %[r3], %[a2], %[b] \n" - "mul %[c], %[a2], %[b] \n" - "adcs %[r2], %[r2], %[c] \n" - "umulh %[r4], %[a3], %[b] \n" - "mul %[c], %[a3], %[b] \n" - "adcs %[r3], %[r3], %[c] \n" - "adc %[r4], %[r4], xzr \n" - : [c]"+&r"(c), [r4]"=&r"(r4), [r3]"=&r"(r3), [r2]"=&r"(r2), - [r1]"=&r"(r1), [r0]"=&r"(r0) - : [a3]"r"(a3), [a2]"r"(a2), [a1]"r"(a1), [a0]"r"(a0), [b]"r"(b) - : "cc"); - - *out_r4 = r4; - *out_r3 = r3; - *out_r2 = r2; - *out_r1 = r1; - *out_r0 = r0; -} - -#define HAVE_BN_QWMULW_ADDQW_ADDW - -static inline void -bn_qwmulw_addqw_addw(BN_ULONG a3, BN_ULONG a2, BN_ULONG a1, BN_ULONG a0, - BN_ULONG b, BN_ULONG c3, BN_ULONG c2, BN_ULONG c1, BN_ULONG c0, BN_ULONG d, - BN_ULONG *out_r4, BN_ULONG *out_r3, BN_ULONG *out_r2, BN_ULONG *out_r1, - BN_ULONG *out_r0) -{ - BN_ULONG r4, r3, r2, r1, r0; - - __asm__ ( - "umulh %[r1], %[a0], %[b] \n" - "mul %[r0], %[a0], %[b] \n" - "adds %[r0], %[r0], %[d] \n" - "umulh %[r2], %[a1], %[b] \n" - "mul %[d], %[a1], %[b] \n" - "adcs %[r1], %[r1], %[d] \n" - "umulh %[r3], %[a2], %[b] \n" - "mul %[d], %[a2], %[b] \n" - "adcs %[r2], %[r2], %[d] \n" - "umulh %[r4], %[a3], %[b] \n" - "mul %[d], %[a3], %[b] \n" - "adcs %[r3], %[r3], %[d] \n" - "adc %[r4], %[r4], xzr \n" - "adds %[r0], %[r0], %[c0] \n" - "adcs %[r1], %[r1], %[c1] \n" - "adcs %[r2], %[r2], %[c2] \n" - "adcs %[r3], %[r3], %[c3] \n" - "adc %[r4], %[r4], xzr \n" - : [d]"+&r"(d), [r4]"=&r"(r4), [r3]"=&r"(r3), [r2]"=&r"(r2), - [r1]"=&r"(r1), [r0]"=&r"(r0) - : [a3]"r"(a3), [a2]"r"(a2), [a1]"r"(a1), [a0]"r"(a0), [b]"r"(b), - [c3]"r"(c3), [c2]"r"(c2), [c1]"r"(c1), [c0]"r"(c0) - : "cc"); - - *out_r4 = r4; - *out_r3 = r3; - *out_r2 = r2; - *out_r1 = r1; - *out_r0 = r0; -} - -#define HAVE_BN_SUBW - -static inline void -bn_subw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_borrow, BN_ULONG *out_r0) -{ - BN_ULONG borrow, r0; - - __asm__ ( - "subs %[r0], %[a], %[b] \n" - "cset %[borrow], cc \n" - : [borrow]"=r"(borrow), [r0]"=r"(r0) - : [a]"r"(a), [b]"r"(b) - : "cc"); - - *out_borrow = borrow; - *out_r0 = r0; -} - -#define HAVE_BN_SUBW_SUBW - -static inline void -bn_subw_subw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG *out_borrow, - BN_ULONG *out_r0) -{ - BN_ULONG borrow, r0; - - __asm__ ( - "subs %[r0], %[a], %[b] \n" - "cset %[borrow], cc \n" - "subs %[r0], %[r0], %[c] \n" - "cinc %[borrow], %[borrow], cc \n" - : [borrow]"=&r"(borrow), [r0]"=&r"(r0) - : [a]"r"(a), [b]"r"(b), [c]"r"(c) - : "cc"); - - *out_borrow = borrow; - *out_r0 = r0; -} - -#define HAVE_BN_QWSUBQW - -static inline void -bn_qwsubqw(BN_ULONG a3, BN_ULONG a2, BN_ULONG a1, BN_ULONG a0, BN_ULONG b3, - BN_ULONG b2, BN_ULONG b1, BN_ULONG b0, BN_ULONG borrow, BN_ULONG *out_borrow, - BN_ULONG *out_r3, BN_ULONG *out_r2, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r3, r2, r1, r0; - - __asm__ ( - "subs xzr, xzr, %[borrow] \n" - "sbcs %[r0], %[a0], %[b0] \n" - "sbcs %[r1], %[a1], %[b1] \n" - "sbcs %[r2], %[a2], %[b2] \n" - "sbcs %[r3], %[a3], %[b3] \n" - "cset %[borrow], cc \n" - : [borrow]"+r"(borrow), [r3]"=&r"(r3), [r2]"=&r"(r2), - [r1]"=&r"(r1), [r0]"=&r"(r0) - : [a3]"r"(a3), [a2]"r"(a2), [a1]"r"(a1), [a0]"r"(a0), - [b3]"r"(b3), [b2]"r"(b2), [b1]"r"(b1), [b0]"r"(b0) - : "cc"); - - *out_borrow = borrow; - *out_r3 = r3; - *out_r2 = r2; - *out_r1 = r1; - *out_r0 = r0; -} - -#endif /* __GNUC__ */ - -#endif -#endif diff --git a/src/lib/libcrypto/bn/arch/alpha/bn_arch.h b/src/lib/libcrypto/bn/arch/alpha/bn_arch.h deleted file mode 100644 index 5bf4ba8722..0000000000 --- a/src/lib/libcrypto/bn/arch/alpha/bn_arch.h +++ /dev/null @@ -1,44 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.4 2023/02/16 10:41:03 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#if 0 /* Needs testing and enabling. */ -#if defined(__GNUC__) -#define HAVE_BN_MULW - -static inline void -bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r1, r0; - - /* Unsigned multiplication using a umulh/mulq pair. */ - __asm__ ("umulh %2, %3, %0; mulq %2, %3, %1" - : "=&r"(r1), "=r"(r0) - : "r"(a), "r"(b)); - - *out_r1 = r1; - *out_r0 = r0; -} -#endif /* __GNUC__ */ -#endif - -#endif -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_add.S b/src/lib/libcrypto/bn/arch/amd64/bignum_add.S deleted file mode 100644 index 5fe4aae7a1..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/bignum_add.S +++ /dev/null @@ -1,165 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -// ---------------------------------------------------------------------------- -// Add, z := x + y -// Inputs x[m], y[n]; outputs function return (carry-out) and z[p] -// -// extern uint64_t bignum_add -// (uint64_t p, uint64_t *z, -// uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); -// -// Does the z := x + y operation, truncating modulo p words in general and -// returning a top carry (0 or 1) in the p'th place, only adding the input -// words below p (as well as m and n respectively) to get the sum and carry. -// -// Standard x86-64 ABI: RDI = p, RSI = z, RDX = m, RCX = x, R8 = n, R9 = y, returns RAX -// Microsoft x64 ABI: RCX = p, RDX = z, R8 = m, R9 = x, [RSP+40] = n, [RSP+48] = y, returns RAX -// ---------------------------------------------------------------------------- - -#include "s2n_bignum_internal.h" - - .intel_syntax noprefix - S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_add) - S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_add) - .text - -#define p rdi -#define z rsi -#define m rdx -#define x rcx -#define n r8 -#define y r9 -#define i r10 -#define a rax - -#define ashort eax - - - -S2N_BN_SYMBOL(bignum_add): - _CET_ENDBR - -#if WINDOWS_ABI - push rdi - push rsi - mov rdi, rcx - mov rsi, rdx - mov rdx, r8 - mov rcx, r9 - mov r8, [rsp+56] - mov r9, [rsp+64] -#endif - -// Zero the main index counter for both branches - - xor i, i - -// First clamp the two input sizes m := min(p,m) and n := min(p,n) since -// we'll never need words past the p'th. Can now assume m <= p and n <= p. -// Then compare the modified m and n and branch accordingly - - cmp p, m - cmovc m, p - cmp p, n - cmovc n, p - cmp m, n - jc ylonger - -// The case where x is longer or of the same size (p >= m >= n) - - sub p, m - sub m, n - inc m - test n, n - jz xtest -xmainloop: - mov a, [x+8*i] - adc a, [y+8*i] - mov [z+8*i],a - inc i - dec n - jnz xmainloop - jmp xtest -xtoploop: - mov a, [x+8*i] - adc a, 0 - mov [z+8*i],a - inc i -xtest: - dec m - jnz xtoploop - mov ashort, 0 - adc a, 0 - test p, p - jnz tails -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -// The case where y is longer (p >= n > m) - -ylonger: - - sub p, n - sub n, m - test m, m - jz ytoploop -ymainloop: - mov a, [x+8*i] - adc a, [y+8*i] - mov [z+8*i],a - inc i - dec m - jnz ymainloop -ytoploop: - mov a, [y+8*i] - adc a, 0 - mov [z+8*i],a - inc i - dec n - jnz ytoploop - mov ashort, 0 - adc a, 0 - test p, p - jnz tails -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -// Adding a non-trivial tail, when p > max(m,n) - -tails: - mov [z+8*i],a - xor a, a - jmp tail -tailloop: - mov [z+8*i],a -tail: - inc i - dec p - jnz tailloop -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S b/src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S deleted file mode 100644 index 25ba17bce2..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S +++ /dev/null @@ -1,155 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -// ---------------------------------------------------------------------------- -// Multiply-add with single-word multiplier, z := z + c * y -// Inputs c, y[n]; outputs function return (carry-out) and z[k] -// -// extern uint64_t bignum_cmadd -// (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y); -// -// Does the "z := z + c * y" operation where y is n digits, result z is p. -// Truncates the result in general. -// -// The return value is a high/carry word that is meaningful when p = n + 1, or -// more generally when n <= p and the result fits in p + 1 digits. In these -// cases it gives the top digit of the (p + 1)-digit result. -// -// Standard x86-64 ABI: RDI = k, RSI = z, RDX = c, RCX = n, R8 = y, returns RAX -// Microsoft x64 ABI: RCX = k, RDX = z, R8 = c, R9 = n, [RSP+40] = y, returns RAX -// ---------------------------------------------------------------------------- - -#include "s2n_bignum_internal.h" - - .intel_syntax noprefix - S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_cmadd) - S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_cmadd) - .text - -#define p rdi -#define z rsi -#define c r9 -#define n rcx -#define x r8 - -#define i r10 -#define h r11 - -#define r rbx - -#define hshort r11d -#define ishort r10d - - - -S2N_BN_SYMBOL(bignum_cmadd): - _CET_ENDBR - -#if WINDOWS_ABI - push rdi - push rsi - mov rdi, rcx - mov rsi, rdx - mov rdx, r8 - mov rcx, r9 - mov r8, [rsp+56] -#endif - -// Seems hard to avoid one more register - - push rbx - -// First clamp the input size n := min(p,n) since we can never need to read -// past the p'th term of the input to generate p-digit output. -// Subtract p := p - min(n,p) so it holds the size of the extra tail needed - - cmp p, n - cmovc n, p - sub p, n - -// Initialize high part h = 0; if n = 0 do nothing but return that zero - - xor h, h - test n, n - jz end - -// Move c into a safer register as multiplies overwrite rdx - - mov c, rdx - -// Initialization of the loop: 2^64 * CF + [h,z_0'] = z_0 + c * x_0 - - mov rax, [x] - mul c - add [z], rax - mov h, rdx - mov ishort, 1 - dec n - jz hightail - -// Main loop, where we always have CF + previous high part h to add in - -loop: - adc h, [z+8*i] - sbb r, r - mov rax, [x+8*i] - mul c - sub rdx, r - add rax, h - mov [z+8*i], rax - mov h, rdx - inc i - dec n - jnz loop - -hightail: - adc h, 0 - -// Propagate the carry all the way to the end with h as extra carry word - -tail: - test p, p - jz end - - add [z+8*i], h - mov hshort, 0 - inc i - dec p - jz highend - -tloop: - adc [z+8*i], h - inc i - dec p - jnz tloop - -highend: - - adc h, 0 - -// Return the high/carry word - -end: - mov rax, h - - pop rbx -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S b/src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S deleted file mode 100644 index 12f785d63a..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S +++ /dev/null @@ -1,138 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -// ---------------------------------------------------------------------------- -// Multiply by a single word, z := c * y -// Inputs c, y[n]; outputs function return (carry-out) and z[k] -// -// extern uint64_t bignum_cmul -// (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y); -// -// Does the "z := c * y" operation where y is n digits, result z is p. -// Truncates the result in general unless p >= n + 1. -// -// The return value is a high/carry word that is meaningful when p >= n as -// giving the high part of the result. Since this is always zero if p > n, -// it is mainly of interest in the special case p = n, i.e. where the source -// and destination have the same nominal size, when it gives the extra word -// of the full result. -// -// Standard x86-64 ABI: RDI = k, RSI = z, RDX = c, RCX = n, R8 = y, returns RAX -// Microsoft x64 ABI: RCX = k, RDX = z, R8 = c, R9 = n, [RSP+40] = y, returns RAX -// ---------------------------------------------------------------------------- - -#include "s2n_bignum_internal.h" - - .intel_syntax noprefix - S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_cmul) - S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_cmul) - .text - -#define p rdi -#define z rsi -#define c r9 -#define n rcx -#define x r8 - -#define i r10 -#define h r11 - - - -S2N_BN_SYMBOL(bignum_cmul): - _CET_ENDBR - -#if WINDOWS_ABI - push rdi - push rsi - mov rdi, rcx - mov rsi, rdx - mov rdx, r8 - mov rcx, r9 - mov r8, [rsp+56] -#endif - -// First clamp the input size n := min(p,n) since we can never need to read -// past the p'th term of the input to generate p-digit output. Now we can -// assume that n <= p - - cmp p, n - cmovc n, p - -// Initialize current input/output pointer offset i and high part h. -// But then if n = 0 skip the multiplication and go to the tail part - - xor h, h - xor i, i - test n, n - jz tail - -// Move c into a safer register as multiplies overwrite rdx - - mov c, rdx - -// Initialization of the loop: [h,l] = c * x_0 - - mov rax, [x] - mul c - mov [z], rax - mov h, rdx - inc i - cmp i, n - jz tail - -// Main loop doing the multiplications - -loop: - mov rax, [x+8*i] - mul c - add rax, h - adc rdx, 0 - mov [z+8*i], rax - mov h, rdx - inc i - cmp i, n - jc loop - -// Add a tail when the destination is longer - -tail: - cmp i, p - jnc end - mov [z+8*i], h - xor h, h - inc i - cmp i, p - jnc end - -tloop: - mov [z+8*i], h - inc i - cmp i, p - jc tloop - -// Return the high/carry word - -end: - mov rax, h - -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul.S deleted file mode 100644 index a3552679a2..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/bignum_mul.S +++ /dev/null @@ -1,167 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -// ---------------------------------------------------------------------------- -// Multiply z := x * y -// Inputs x[m], y[n]; output z[k] -// -// extern void bignum_mul -// (uint64_t k, uint64_t *z, -// uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); -// -// Does the "z := x * y" operation where x is m digits, y is n, result z is k. -// Truncates the result in general unless k >= m + n -// -// Standard x86-64 ABI: RDI = k, RSI = z, RDX = m, RCX = x, R8 = n, R9 = y -// Microsoft x64 ABI: RCX = k, RDX = z, R8 = m, R9 = x, [RSP+40] = n, [RSP+48] = y -// ---------------------------------------------------------------------------- - -#include "s2n_bignum_internal.h" - - .intel_syntax noprefix - S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul) - S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul) - .text - -// These are actually right - -#define p rdi -#define z rsi -#define n r8 - -// These are not - -#define c r15 -#define h r14 -#define l r13 -#define x r12 -#define y r11 -#define i rbx -#define k r10 -#define m rbp - -// These are always local scratch since multiplier result is in these - -#define a rax -#define d rdx - - - -S2N_BN_SYMBOL(bignum_mul): - _CET_ENDBR - -#if WINDOWS_ABI - push rdi - push rsi - mov rdi, rcx - mov rsi, rdx - mov rdx, r8 - mov rcx, r9 - mov r8, [rsp+56] - mov r9, [rsp+64] -#endif - -// We use too many registers, and also we need rax:rdx for multiplications - - push rbx - push rbp - push r12 - push r13 - push r14 - push r15 - mov m, rdx - -// If the result size is zero, do nothing -// Note that even if either or both inputs has size zero, we can't -// just give up because we at least need to zero the output array -// If we did a multiply-add variant, however, then we could - - test p, p - jz end - -// Set initial 2-part sum to zero (we zero c inside the body) - - xor h,h - xor l,l - -// Otherwise do outer loop k = 0 ... k = p - 1 - - xor k, k - -outerloop: - -// Zero our carry term first; we eventually want it and a zero is useful now -// Set a = max 0 (k + 1 - n), i = min (k + 1) m -// This defines the range a <= j < i for the inner summation -// Note that since k < p < 2^64 we can assume k + 1 doesn't overflow -// And since we want to increment it anyway, we might as well do it now - - xor c, c // c = 0 - inc k // k = k + 1 - - mov a, k // a = k + 1 - sub a, n // a = k + 1 - n - cmovc a, c // a = max 0 (k + 1 - n) - - mov i, m // i = m - cmp k, m // CF <=> k + 1 < m - cmovc i, k // i = min (k + 1) m - -// Turn i into a loop count, and skip things if it's <= 0 -// Otherwise set up initial pointers x -> x0[a] and y -> y0[k - a] -// and then launch into the main inner loop, postdecrementing i - - mov d, k - sub d, i - sub i, a - jbe innerend - lea x,[rcx+8*a] - lea y,[r9+8*d-8] - -innerloop: - mov rax, [y+8*i] - mul QWORD PTR [x] - add x, 8 - add l, rax - adc h, rdx - adc c, 0 - dec i - jnz innerloop - -innerend: - - mov [z], l - mov l, h - mov h, c - add z, 8 - - cmp k, p - jc outerloop - -end: - pop r15 - pop r14 - pop r13 - pop r12 - pop rbp - pop rbx -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S deleted file mode 100644 index 70ff69e372..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S +++ /dev/null @@ -1,157 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -// ---------------------------------------------------------------------------- -// Multiply z := x * y -// Inputs x[4], y[4]; output z[8] -// -// extern void bignum_mul_4_8_alt -// (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]); -// -// Standard x86-64 ABI: RDI = z, RSI = x, RDX = y -// Microsoft x64 ABI: RCX = z, RDX = x, R8 = y -// ---------------------------------------------------------------------------- - -#include "s2n_bignum_internal.h" - - .intel_syntax noprefix - S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul_4_8_alt) - S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul_4_8_alt) - .text - -// These are actually right - -#define z rdi -#define x rsi - -// This is moved from rdx to free it for muls - -#define y rcx - -// Other variables used as a rotating 3-word window to add terms to - -#define t0 r8 -#define t1 r9 -#define t2 r10 - -// Macro for the key "multiply and add to (c,h,l)" step - -#define combadd(c,h,l,numa,numb) \ - mov rax, numa; \ - mul QWORD PTR numb; \ - add l, rax; \ - adc h, rdx; \ - adc c, 0 - -// A minutely shorter form for when c = 0 initially - -#define combadz(c,h,l,numa,numb) \ - mov rax, numa; \ - mul QWORD PTR numb; \ - add l, rax; \ - adc h, rdx; \ - adc c, c - -// A short form where we don't expect a top carry - -#define combads(h,l,numa,numb) \ - mov rax, numa; \ - mul QWORD PTR numb; \ - add l, rax; \ - adc h, rdx - -S2N_BN_SYMBOL(bignum_mul_4_8_alt): - _CET_ENDBR - -#if WINDOWS_ABI - push rdi - push rsi - mov rdi, rcx - mov rsi, rdx - mov rdx, r8 -#endif - -// Copy y into a safe register to start with - - mov y, rdx - -// Result term 0 - - mov rax, [x] - mul QWORD PTR [y] - - mov [z], rax - mov t0, rdx - xor t1, t1 - -// Result term 1 - - xor t2, t2 - combads(t1,t0,[x],[y+8]) - combadz(t2,t1,t0,[x+8],[y]) - mov [z+8], t0 - -// Result term 2 - - xor t0, t0 - combadz(t0,t2,t1,[x],[y+16]) - combadd(t0,t2,t1,[x+8],[y+8]) - combadd(t0,t2,t1,[x+16],[y]) - mov [z+16], t1 - -// Result term 3 - - xor t1, t1 - combadz(t1,t0,t2,[x],[y+24]) - combadd(t1,t0,t2,[x+8],[y+16]) - combadd(t1,t0,t2,[x+16],[y+8]) - combadd(t1,t0,t2,[x+24],[y]) - mov [z+24], t2 - -// Result term 4 - - xor t2, t2 - combadz(t2,t1,t0,[x+8],[y+24]) - combadd(t2,t1,t0,[x+16],[y+16]) - combadd(t2,t1,t0,[x+24],[y+8]) - mov [z+32], t0 - -// Result term 5 - - xor t0, t0 - combadz(t0,t2,t1,[x+16],[y+24]) - combadd(t0,t2,t1,[x+24],[y+16]) - mov [z+40], t1 - -// Result term 6 - - xor t1, t1 - combads(t0,t2,[x+24],[y+24]) - mov [z+48], t2 - -// Result term 7 - - mov [z+56], t0 - -// Return - -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S deleted file mode 100644 index 066403b074..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S +++ /dev/null @@ -1,244 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -// ---------------------------------------------------------------------------- -// Multiply z := x * y -// Inputs x[8], y[8]; output z[16] -// -// extern void bignum_mul_8_16_alt -// (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]); -// -// Standard x86-64 ABI: RDI = z, RSI = x, RDX = y -// Microsoft x64 ABI: RCX = z, RDX = x, R8 = y -// ---------------------------------------------------------------------------- - -#include "s2n_bignum_internal.h" - - .intel_syntax noprefix - S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul_8_16_alt) - S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul_8_16_alt) - .text - -// These are actually right - -#define z rdi -#define x rsi - -// This is moved from rdx to free it for muls - -#define y rcx - -// Other variables used as a rotating 3-word window to add terms to - -#define t0 r8 -#define t1 r9 -#define t2 r10 - -// Macro for the key "multiply and add to (c,h,l)" step - -#define combadd(c,h,l,numa,numb) \ - mov rax, numa; \ - mul QWORD PTR numb; \ - add l, rax; \ - adc h, rdx; \ - adc c, 0 - -// A minutely shorter form for when c = 0 initially - -#define combadz(c,h,l,numa,numb) \ - mov rax, numa; \ - mul QWORD PTR numb; \ - add l, rax; \ - adc h, rdx; \ - adc c, c - -// A short form where we don't expect a top carry - -#define combads(h,l,numa,numb) \ - mov rax, numa; \ - mul QWORD PTR numb; \ - add l, rax; \ - adc h, rdx - -S2N_BN_SYMBOL(bignum_mul_8_16_alt): - _CET_ENDBR - -#if WINDOWS_ABI - push rdi - push rsi - mov rdi, rcx - mov rsi, rdx - mov rdx, r8 -#endif - -// Copy y into a safe register to start with - - mov y, rdx - -// Result term 0 - - mov rax, [x] - mul QWORD PTR [y] - - mov [z], rax - mov t0, rdx - xor t1, t1 - -// Result term 1 - - xor t2, t2 - combads(t1,t0,[x],[y+8]) - combadz(t2,t1,t0,[x+8],[y]) - mov [z+8], t0 - -// Result term 2 - - xor t0, t0 - combadz(t0,t2,t1,[x],[y+16]) - combadd(t0,t2,t1,[x+8],[y+8]) - combadd(t0,t2,t1,[x+16],[y]) - mov [z+16], t1 - -// Result term 3 - - xor t1, t1 - combadz(t1,t0,t2,[x],[y+24]) - combadd(t1,t0,t2,[x+8],[y+16]) - combadd(t1,t0,t2,[x+16],[y+8]) - combadd(t1,t0,t2,[x+24],[y]) - mov [z+24], t2 - -// Result term 4 - - xor t2, t2 - combadz(t2,t1,t0,[x],[y+32]) - combadd(t2,t1,t0,[x+8],[y+24]) - combadd(t2,t1,t0,[x+16],[y+16]) - combadd(t2,t1,t0,[x+24],[y+8]) - combadd(t2,t1,t0,[x+32],[y]) - mov [z+32], t0 - -// Result term 5 - - xor t0, t0 - combadz(t0,t2,t1,[x],[y+40]) - combadd(t0,t2,t1,[x+8],[y+32]) - combadd(t0,t2,t1,[x+16],[y+24]) - combadd(t0,t2,t1,[x+24],[y+16]) - combadd(t0,t2,t1,[x+32],[y+8]) - combadd(t0,t2,t1,[x+40],[y]) - mov [z+40], t1 - -// Result term 6 - - xor t1, t1 - combadz(t1,t0,t2,[x],[y+48]) - combadd(t1,t0,t2,[x+8],[y+40]) - combadd(t1,t0,t2,[x+16],[y+32]) - combadd(t1,t0,t2,[x+24],[y+24]) - combadd(t1,t0,t2,[x+32],[y+16]) - combadd(t1,t0,t2,[x+40],[y+8]) - combadd(t1,t0,t2,[x+48],[y]) - mov [z+48], t2 - -// Result term 7 - - xor t2, t2 - combadz(t2,t1,t0,[x],[y+56]) - combadd(t2,t1,t0,[x+8],[y+48]) - combadd(t2,t1,t0,[x+16],[y+40]) - combadd(t2,t1,t0,[x+24],[y+32]) - combadd(t2,t1,t0,[x+32],[y+24]) - combadd(t2,t1,t0,[x+40],[y+16]) - combadd(t2,t1,t0,[x+48],[y+8]) - combadd(t2,t1,t0,[x+56],[y]) - mov [z+56], t0 - -// Result term 8 - - xor t0, t0 - combadz(t0,t2,t1,[x+8],[y+56]) - combadd(t0,t2,t1,[x+16],[y+48]) - combadd(t0,t2,t1,[x+24],[y+40]) - combadd(t0,t2,t1,[x+32],[y+32]) - combadd(t0,t2,t1,[x+40],[y+24]) - combadd(t0,t2,t1,[x+48],[y+16]) - combadd(t0,t2,t1,[x+56],[y+8]) - mov [z+64], t1 - -// Result term 9 - - xor t1, t1 - combadz(t1,t0,t2,[x+16],[y+56]) - combadd(t1,t0,t2,[x+24],[y+48]) - combadd(t1,t0,t2,[x+32],[y+40]) - combadd(t1,t0,t2,[x+40],[y+32]) - combadd(t1,t0,t2,[x+48],[y+24]) - combadd(t1,t0,t2,[x+56],[y+16]) - mov [z+72], t2 - -// Result term 10 - - xor t2, t2 - combadz(t2,t1,t0,[x+24],[y+56]) - combadd(t2,t1,t0,[x+32],[y+48]) - combadd(t2,t1,t0,[x+40],[y+40]) - combadd(t2,t1,t0,[x+48],[y+32]) - combadd(t2,t1,t0,[x+56],[y+24]) - mov [z+80], t0 - -// Result term 11 - - xor t0, t0 - combadz(t0,t2,t1,[x+32],[y+56]) - combadd(t0,t2,t1,[x+40],[y+48]) - combadd(t0,t2,t1,[x+48],[y+40]) - combadd(t0,t2,t1,[x+56],[y+32]) - mov [z+88], t1 - -// Result term 12 - - xor t1, t1 - combadz(t1,t0,t2,[x+40],[y+56]) - combadd(t1,t0,t2,[x+48],[y+48]) - combadd(t1,t0,t2,[x+56],[y+40]) - mov [z+96], t2 - -// Result term 13 - - xor t2, t2 - combadz(t2,t1,t0,[x+48],[y+56]) - combadd(t2,t1,t0,[x+56],[y+48]) - mov [z+104], t0 - -// Result term 14 - - combads(t2,t1,[x+56],[y+56]) - mov [z+112], t1 - -// Result term 11 - - mov [z+120], t2 - -// Return - -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S deleted file mode 100644 index 54e3f59442..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S +++ /dev/null @@ -1,197 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -// ---------------------------------------------------------------------------- -// Square z := x^2 -// Input x[n]; output z[k] -// -// extern void bignum_sqr -// (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x); -// -// Does the "z := x^2" operation where x is n digits and result z is k. -// Truncates the result in general unless k >= 2 * n -// -// Standard x86-64 ABI: RDI = k, RSI = z, RDX = n, RCX = x -// Microsoft x64 ABI: RCX = k, RDX = z, R8 = n, R9 = x -// ---------------------------------------------------------------------------- - -#include "s2n_bignum_internal.h" - - .intel_syntax noprefix - S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr) - S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr) - .text - -// First three are where arguments come in, but n is moved. - -#define p rdi -#define z rsi -#define x rcx -#define n r8 - -// These are always local scratch since multiplier result is in these - -#define a rax -#define d rdx - -// Other variables - -#define i rbx -#define ll rbp -#define hh r9 -#define k r10 -#define y r11 -#define htop r12 -#define l r13 -#define h r14 -#define c r15 - -// Short versions - -#define llshort ebp - -S2N_BN_SYMBOL(bignum_sqr): - _CET_ENDBR - -#if WINDOWS_ABI - push rdi - push rsi - mov rdi, rcx - mov rsi, rdx - mov rdx, r8 - mov rcx, r9 -#endif - -// We use too many registers, and also we need rax:rdx for multiplications - - push rbx - push rbp - push r12 - push r13 - push r14 - push r15 - mov n, rdx - -// If p = 0 the result is trivial and nothing needs doing - - test p, p - jz end - -// initialize (hh,ll) = 0 - - xor llshort, llshort - xor hh, hh - -// Iterate outer loop from k = 0 ... k = p - 1 producing result digits - - xor k, k - -outerloop: - -// First let bot = MAX 0 (k + 1 - n) and top = MIN (k + 1) n -// We want to accumulate all x[i] * x[k - i] for bot <= i < top -// For the optimization of squaring we avoid duplication and do -// 2 * x[i] * x[k - i] for i < htop, where htop = MIN ((k+1)/2) n -// Initialize i = bot; in fact just compute bot as i directly. - - xor c, c - lea i, [k+1] - mov htop, i - shr htop, 1 - sub i, n - cmovc i, c - cmp htop, n - cmovnc htop, n - -// Initialize the three-part local sum (c,h,l); c was already done above - - xor l, l - xor h, h - -// If htop <= bot then main doubled part of the sum is empty - - cmp i, htop - jnc nosumming - -// Use a moving pointer for [y] = x[k-i] for the cofactor - - mov a, k - sub a, i - lea y, [x+8*a] - -// Do the main part of the sum x[i] * x[k - i] for 2 * i < k - -innerloop: - mov a, [x+8*i] - mul QWORD PTR [y] - add l, a - adc h, d - adc c, 0 - sub y, 8 - inc i - cmp i, htop - jc innerloop - -// Now double it - - add l, l - adc h, h - adc c, c - -// If k is even (which means 2 * i = k) and i < n add the extra x[i]^2 term - -nosumming: - test k, 1 - jnz innerend - cmp i, n - jnc innerend - - mov a, [x+8*i] - mul a - add l, a - adc h, d - adc c, 0 - -// Now add the local sum into the global sum, store and shift - -innerend: - add l, ll - mov [z+8*k], l - adc h, hh - mov ll, h - adc c, 0 - mov hh, c - - inc k - cmp k, p - jc outerloop - -// Restore registers and return - -end: - pop r15 - pop r14 - pop r13 - pop r12 - pop rbp - pop rbx -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S deleted file mode 100644 index 7c534ae907..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S +++ /dev/null @@ -1,145 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -// ---------------------------------------------------------------------------- -// Square, z := x^2 -// Input x[4]; output z[8] -// -// extern void bignum_sqr_4_8_alt -// (uint64_t z[static 8], uint64_t x[static 4]); -// -// Standard x86-64 ABI: RDI = z, RSI = x -// Microsoft x64 ABI: RCX = z, RDX = x -// ---------------------------------------------------------------------------- - -#include "s2n_bignum_internal.h" - - .intel_syntax noprefix - S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr_4_8_alt) - S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr_4_8_alt) - .text - -// Input arguments - -#define z rdi -#define x rsi - -// Other variables used as a rotating 3-word window to add terms to - -#define t0 rcx -#define t1 r8 -#define t2 r9 - -// Macro for the key "multiply and add to (c,h,l)" step, for square term - -#define combadd1(c,h,l,numa) \ - mov rax, numa; \ - mul rax; \ - add l, rax; \ - adc h, rdx; \ - adc c, 0 - -// A short form where we don't expect a top carry - -#define combads(h,l,numa) \ - mov rax, numa; \ - mul rax; \ - add l, rax; \ - adc h, rdx - -// A version doubling before adding, for non-square terms - -#define combadd2(c,h,l,numa,numb) \ - mov rax, numa; \ - mul QWORD PTR numb; \ - add rax, rax; \ - adc rdx, rdx; \ - adc c, 0; \ - add l, rax; \ - adc h, rdx; \ - adc c, 0 - -S2N_BN_SYMBOL(bignum_sqr_4_8_alt): - _CET_ENDBR - -#if WINDOWS_ABI - push rdi - push rsi - mov rdi, rcx - mov rsi, rdx -#endif - -// Result term 0 - - mov rax, [x] - mul rax - - mov [z], rax - mov t0, rdx - xor t1, t1 - -// Result term 1 - - xor t2, t2 - combadd2(t2,t1,t0,[x],[x+8]) - mov [z+8], t0 - -// Result term 2 - - xor t0, t0 - combadd1(t0,t2,t1,[x+8]) - combadd2(t0,t2,t1,[x],[x+16]) - mov [z+16], t1 - -// Result term 3 - - xor t1, t1 - combadd2(t1,t0,t2,[x],[x+24]) - combadd2(t1,t0,t2,[x+8],[x+16]) - mov [z+24], t2 - -// Result term 4 - - xor t2, t2 - combadd2(t2,t1,t0,[x+8],[x+24]) - combadd1(t2,t1,t0,[x+16]) - mov [z+32], t0 - -// Result term 5 - - xor t0, t0 - combadd2(t0,t2,t1,[x+16],[x+24]) - mov [z+40], t1 - -// Result term 6 - - xor t1, t1 - combads(t0,t2,[x+24]) - mov [z+48], t2 - -// Result term 7 - - mov [z+56], t0 - -// Return - -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S deleted file mode 100644 index ac0b6f96c2..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S +++ /dev/null @@ -1,242 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -// ---------------------------------------------------------------------------- -// Square, z := x^2 -// Input x[8]; output z[16] -// -// extern void bignum_sqr_8_16_alt (uint64_t z[static 16], uint64_t x[static 8]); -// -// Standard x86-64 ABI: RDI = z, RSI = x -// Microsoft x64 ABI: RCX = z, RDX = x -// ---------------------------------------------------------------------------- - -#include "s2n_bignum_internal.h" - - .intel_syntax noprefix - S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr_8_16_alt) - S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr_8_16_alt) - .text - -// Input arguments - -#define z rdi -#define x rsi - -// Other variables used as a rotating 3-word window to add terms to - -#define t0 r8 -#define t1 r9 -#define t2 r10 - -// Additional temporaries for local windows to share doublings - -#define u0 rcx -#define u1 r11 - -// Macro for the key "multiply and add to (c,h,l)" step - -#define combadd(c,h,l,numa,numb) \ - mov rax, numa; \ - mul QWORD PTR numb; \ - add l, rax; \ - adc h, rdx; \ - adc c, 0 - -// Set up initial window (c,h,l) = numa * numb - -#define combaddz(c,h,l,numa,numb) \ - mov rax, numa; \ - mul QWORD PTR numb; \ - xor c, c; \ - mov l, rax; \ - mov h, rdx - -// Doubling step (c,h,l) = 2 * (c,hh,ll) + (0,h,l) - -#define doubladd(c,h,l,hh,ll) \ - add ll, ll; \ - adc hh, hh; \ - adc c, c; \ - add l, ll; \ - adc h, hh; \ - adc c, 0 - -// Square term incorporation (c,h,l) += numba^2 - -#define combadd1(c,h,l,numa) \ - mov rax, numa; \ - mul rax; \ - add l, rax; \ - adc h, rdx; \ - adc c, 0 - -// A short form where we don't expect a top carry - -#define combads(h,l,numa) \ - mov rax, numa; \ - mul rax; \ - add l, rax; \ - adc h, rdx - -// A version doubling directly before adding, for single non-square terms - -#define combadd2(c,h,l,numa,numb) \ - mov rax, numa; \ - mul QWORD PTR numb; \ - add rax, rax; \ - adc rdx, rdx; \ - adc c, 0; \ - add l, rax; \ - adc h, rdx; \ - adc c, 0 - -S2N_BN_SYMBOL(bignum_sqr_8_16_alt): - _CET_ENDBR - -#if WINDOWS_ABI - push rdi - push rsi - mov rdi, rcx - mov rsi, rdx -#endif - -// Result term 0 - - mov rax, [x] - mul rax - - mov [z], rax - mov t0, rdx - xor t1, t1 - -// Result term 1 - - xor t2, t2 - combadd2(t2,t1,t0,[x],[x+8]) - mov [z+8], t0 - -// Result term 2 - - xor t0, t0 - combadd1(t0,t2,t1,[x+8]) - combadd2(t0,t2,t1,[x],[x+16]) - mov [z+16], t1 - -// Result term 3 - - combaddz(t1,u1,u0,[x],[x+24]) - combadd(t1,u1,u0,[x+8],[x+16]) - doubladd(t1,t0,t2,u1,u0) - mov [z+24], t2 - -// Result term 4 - - combaddz(t2,u1,u0,[x],[x+32]) - combadd(t2,u1,u0,[x+8],[x+24]) - doubladd(t2,t1,t0,u1,u0) - combadd1(t2,t1,t0,[x+16]) - mov [z+32], t0 - -// Result term 5 - - combaddz(t0,u1,u0,[x],[x+40]) - combadd(t0,u1,u0,[x+8],[x+32]) - combadd(t0,u1,u0,[x+16],[x+24]) - doubladd(t0,t2,t1,u1,u0) - mov [z+40], t1 - -// Result term 6 - - combaddz(t1,u1,u0,[x],[x+48]) - combadd(t1,u1,u0,[x+8],[x+40]) - combadd(t1,u1,u0,[x+16],[x+32]) - doubladd(t1,t0,t2,u1,u0) - combadd1(t1,t0,t2,[x+24]) - mov [z+48], t2 - -// Result term 7 - - combaddz(t2,u1,u0,[x],[x+56]) - combadd(t2,u1,u0,[x+8],[x+48]) - combadd(t2,u1,u0,[x+16],[x+40]) - combadd(t2,u1,u0,[x+24],[x+32]) - doubladd(t2,t1,t0,u1,u0) - mov [z+56], t0 - -// Result term 8 - - combaddz(t0,u1,u0,[x+8],[x+56]) - combadd(t0,u1,u0,[x+16],[x+48]) - combadd(t0,u1,u0,[x+24],[x+40]) - doubladd(t0,t2,t1,u1,u0) - combadd1(t0,t2,t1,[x+32]) - mov [z+64], t1 - -// Result term 9 - - combaddz(t1,u1,u0,[x+16],[x+56]) - combadd(t1,u1,u0,[x+24],[x+48]) - combadd(t1,u1,u0,[x+32],[x+40]) - doubladd(t1,t0,t2,u1,u0) - mov [z+72], t2 - -// Result term 10 - - combaddz(t2,u1,u0,[x+24],[x+56]) - combadd(t2,u1,u0,[x+32],[x+48]) - doubladd(t2,t1,t0,u1,u0) - combadd1(t2,t1,t0,[x+40]) - mov [z+80], t0 - -// Result term 11 - - combaddz(t0,u1,u0,[x+32],[x+56]) - combadd(t0,u1,u0,[x+40],[x+48]) - doubladd(t0,t2,t1,u1,u0) - mov [z+88], t1 - -// Result term 12 - - xor t1, t1 - combadd2(t1,t0,t2,[x+40],[x+56]) - combadd1(t1,t0,t2,[x+48]) - mov [z+96], t2 - -// Result term 13 - - xor t2, t2 - combadd2(t2,t1,t0,[x+48],[x+56]) - mov [z+104], t0 - -// Result term 14 - - combads(t2,t1,[x+56]) - mov [z+112], t1 - -// Result term 15 - - mov [z+120], t2 - -// Return - -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sub.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sub.S deleted file mode 100644 index 3ff8a30510..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/bignum_sub.S +++ /dev/null @@ -1,153 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -// ---------------------------------------------------------------------------- -// Subtract, z := x - y -// Inputs x[m], y[n]; outputs function return (carry-out) and z[p] -// -// extern uint64_t bignum_sub -// (uint64_t p, uint64_t *z, -// uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); -// -// Does the z := x - y operation, truncating modulo p words in general and -// returning a top borrow (0 or 1) in the p'th place, only subtracting input -// words below p (as well as m and n respectively) to get the diff and borrow. -// -// Standard x86-64 ABI: RDI = p, RSI = z, RDX = m, RCX = x, R8 = n, R9 = y, returns RAX -// Microsoft x64 ABI: RCX = p, RDX = z, R8 = m, R9 = x, [RSP+40] = n, [RSP+48] = y, returns RAX -// ---------------------------------------------------------------------------- - -#include "s2n_bignum_internal.h" - - .intel_syntax noprefix - S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sub) - S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sub) - .text - -#define p rdi -#define z rsi -#define m rdx -#define x rcx -#define n r8 -#define y r9 -#define i r10 -#define a rax - -#define ashort eax - - - -S2N_BN_SYMBOL(bignum_sub): - _CET_ENDBR - -#if WINDOWS_ABI - push rdi - push rsi - mov rdi, rcx - mov rsi, rdx - mov rdx, r8 - mov rcx, r9 - mov r8, [rsp+56] - mov r9, [rsp+64] -#endif - -// Zero the main index counter for both branches - - xor i, i - -// First clamp the two input sizes m := min(p,m) and n := min(p,n) since -// we'll never need words past the p'th. Can now assume m <= p and n <= p. -// Then compare the modified m and n and branch accordingly - - cmp p, m - cmovc m, p - cmp p, n - cmovc n, p - cmp m, n - jc ylonger - -// The case where x is longer or of the same size (p >= m >= n) - - sub p, m - sub m, n - inc m - test n, n - jz xtest -xmainloop: - mov a, [x+8*i] - sbb a, [y+8*i] - mov [z+8*i],a - inc i - dec n - jnz xmainloop - jmp xtest -xtoploop: - mov a, [x+8*i] - sbb a, 0 - mov [z+8*i],a - inc i -xtest: - dec m - jnz xtoploop - sbb a, a - test p, p - jz tailskip -tailloop: - mov [z+8*i],a - inc i - dec p - jnz tailloop -tailskip: - neg a -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -// The case where y is longer (p >= n > m) - -ylonger: - - sub p, n - sub n, m - test m, m - jz ytoploop -ymainloop: - mov a, [x+8*i] - sbb a, [y+8*i] - mov [z+8*i],a - inc i - dec m - jnz ymainloop -ytoploop: - mov ashort, 0 - sbb a, [y+8*i] - mov [z+8*i],a - inc i - dec n - jnz ytoploop - sbb a, a - test p, p - jnz tailloop - neg a -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/bn_arch.c b/src/lib/libcrypto/bn/arch/amd64/bn_arch.c deleted file mode 100644 index a377a05681..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/bn_arch.c +++ /dev/null @@ -1,131 +0,0 @@ -/* $OpenBSD: bn_arch.c,v 1.7 2023/06/24 16:01:44 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include "bn_arch.h" -#include "bn_local.h" -#include "s2n_bignum.h" - -#ifdef HAVE_BN_ADD -BN_ULONG -bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b, - int b_len) -{ - return bignum_add(r_len, (uint64_t *)r, a_len, (uint64_t *)a, - b_len, (uint64_t *)b); -} -#endif - - -#ifdef HAVE_BN_ADD_WORDS -BN_ULONG -bn_add_words(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd, int n) -{ - return bignum_add(n, (uint64_t *)rd, n, (uint64_t *)ad, n, - (uint64_t *)bd); -} -#endif - -#ifdef HAVE_BN_SUB -BN_ULONG -bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b, - int b_len) -{ - return bignum_sub(r_len, (uint64_t *)r, a_len, (uint64_t *)a, - b_len, (uint64_t *)b); -} -#endif - -#ifdef HAVE_BN_SUB_WORDS -BN_ULONG -bn_sub_words(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd, int n) -{ - return bignum_sub(n, (uint64_t *)rd, n, (uint64_t *)ad, n, - (uint64_t *)bd); -} -#endif - -#ifdef HAVE_BN_MUL_ADD_WORDS -BN_ULONG -bn_mul_add_words(BN_ULONG *rd, const BN_ULONG *ad, int num, BN_ULONG w) -{ - return bignum_cmadd(num, (uint64_t *)rd, w, num, (uint64_t *)ad); -} -#endif - -#ifdef HAVE_BN_MUL_WORDS -BN_ULONG -bn_mul_words(BN_ULONG *rd, const BN_ULONG *ad, int num, BN_ULONG w) -{ - return bignum_cmul(num, (uint64_t *)rd, w, num, (uint64_t *)ad); -} -#endif - -#ifdef HAVE_BN_MUL_COMBA4 -void -bn_mul_comba4(BN_ULONG *rd, BN_ULONG *ad, BN_ULONG *bd) -{ - /* XXX - consider using non-alt on CPUs that have the ADX extension. */ - bignum_mul_4_8_alt((uint64_t *)rd, (uint64_t *)ad, (uint64_t *)bd); -} -#endif - -#ifdef HAVE_BN_MUL_COMBA8 -void -bn_mul_comba8(BN_ULONG *rd, BN_ULONG *ad, BN_ULONG *bd) -{ - /* XXX - consider using non-alt on CPUs that have the ADX extension. */ - bignum_mul_8_16_alt((uint64_t *)rd, (uint64_t *)ad, (uint64_t *)bd); -} -#endif - -#ifdef HAVE_BN_SQR -int -bn_sqr(BIGNUM *r, const BIGNUM *a, int r_len, BN_CTX *ctx) -{ - bignum_sqr(r_len, (uint64_t *)r->d, a->top, (uint64_t *)a->d); - - return 1; -} -#endif - -#ifdef HAVE_BN_SQR_COMBA4 -void -bn_sqr_comba4(BN_ULONG *rd, const BN_ULONG *ad) -{ - /* XXX - consider using non-alt on CPUs that have the ADX extension. */ - bignum_sqr_4_8_alt((uint64_t *)rd, (uint64_t *)ad); -} -#endif - -#ifdef HAVE_BN_SQR_COMBA8 -void -bn_sqr_comba8(BN_ULONG *rd, const BN_ULONG *ad) -{ - /* XXX - consider using non-alt on CPUs that have the ADX extension. */ - bignum_sqr_8_16_alt((uint64_t *)rd, (uint64_t *)ad); -} -#endif - -#ifdef HAVE_BN_WORD_CLZ -int -bn_word_clz(BN_ULONG w) -{ - return word_clz(w); -} -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/bn_arch.h b/src/lib/libcrypto/bn/arch/amd64/bn_arch.h deleted file mode 100644 index 927cd75208..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/bn_arch.h +++ /dev/null @@ -1,109 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.14 2024/03/26 06:09:25 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#define HAVE_BN_ADD -#define HAVE_BN_ADD_WORDS - -#define HAVE_BN_DIV_WORDS - -#define HAVE_BN_MUL_ADD_WORDS -#define HAVE_BN_MUL_COMBA4 -#define HAVE_BN_MUL_COMBA8 -#define HAVE_BN_MUL_WORDS - -#define HAVE_BN_SQR -#define HAVE_BN_SQR_COMBA4 -#define HAVE_BN_SQR_COMBA8 - -#define HAVE_BN_SUB -#define HAVE_BN_SUB_WORDS - -#define HAVE_BN_WORD_CLZ - -#if defined(__GNUC__) - -#define HAVE_BN_DIV_REM_WORDS_INLINE - -static inline void -bn_div_rem_words_inline(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q, - BN_ULONG *out_r) -{ - BN_ULONG q, r; - - /* - * Unsigned division of %rdx:%rax by d with quotient being stored in - * %rax and remainder in %rdx. - */ - __asm__ volatile ("divq %4" - : "=a"(q), "=d"(r) - : "d"(h), "a"(l), "rm"(d) - : "cc"); - - *out_q = q; - *out_r = r; -} - -#define HAVE_BN_MULW - -static inline void -bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r1, r0; - - /* - * Unsigned multiplication of %rax, with the double word result being - * stored in %rdx:%rax. - */ - __asm__ ("mulq %3" - : "=d"(r1), "=a"(r0) - : "a"(a), "rm"(b) - : "cc"); - - *out_r1 = r1; - *out_r0 = r0; -} - -#define HAVE_BN_SUBW - -static inline void -bn_subw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_borrow, BN_ULONG *out_r0) -{ - BN_ULONG borrow, r0; - - __asm__ ( - "subq %3, %1 \n" - "setb %b0 \n" - "and $1, %0 \n" - : "=r"(borrow), "=r"(r0) - : "1"(a), "rm"(b) - : "cc"); - - *out_borrow = borrow; - *out_r0 = r0; -} - -#endif /* __GNUC__ */ - -#endif -#endif diff --git a/src/lib/libcrypto/bn/arch/amd64/word_clz.S b/src/lib/libcrypto/bn/arch/amd64/word_clz.S deleted file mode 100644 index 3926fcd4b0..0000000000 --- a/src/lib/libcrypto/bn/arch/amd64/word_clz.S +++ /dev/null @@ -1,60 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -// ---------------------------------------------------------------------------- -// Count leading zero bits in a single word -// Input a; output function return -// -// extern uint64_t word_clz (uint64_t a); -// -// Standard x86-64 ABI: RDI = a, returns RAX -// Microsoft x64 ABI: RCX = a, returns RAX -// ---------------------------------------------------------------------------- - -#include "s2n_bignum_internal.h" - - .intel_syntax noprefix - S2N_BN_SYM_VISIBILITY_DIRECTIVE(word_clz) - S2N_BN_SYM_PRIVACY_DIRECTIVE(word_clz) - .text - -S2N_BN_SYMBOL(word_clz): - _CET_ENDBR - -#if WINDOWS_ABI - push rdi - push rsi - mov rdi, rcx -#endif - -// First do rax = 63 - bsr(a), which is right except (maybe) for zero inputs - - bsr rax, rdi - xor rax, 63 - -// Force return of 64 in the zero-input case - - mov edx, 64 - test rdi, rdi - cmove rax, rdx - -#if WINDOWS_ABI - pop rsi - pop rdi -#endif - ret - -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/src/lib/libcrypto/bn/arch/arm/bn_arch.h b/src/lib/libcrypto/bn/arch/arm/bn_arch.h deleted file mode 100644 index ef9bf7f156..0000000000 --- a/src/lib/libcrypto/bn/arch/arm/bn_arch.h +++ /dev/null @@ -1,73 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.2 2023/06/24 15:51:47 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#if defined(__GNUC__) - -#define HAVE_BN_SUBW - -static inline void -bn_subw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_borrow, BN_ULONG *out_r0) -{ - BN_ULONG borrow, r0; - - __asm__ ( - "mov %[borrow], #0 \n" - "subs %[r0], %[a], %[b] \n" - "sbc %[borrow], %[borrow], #0 \n" - "neg %[borrow], %[borrow] \n" - : [borrow]"=&r"(borrow), [r0]"=r"(r0) - : [a]"r"(a), [b]"r"(b) - : "cc"); - - *out_borrow = borrow; - *out_r0 = r0; -} - -#define HAVE_BN_SUBW_SUBW - -static inline void -bn_subw_subw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG *out_borrow, - BN_ULONG *out_r0) -{ - BN_ULONG borrow, r0; - - __asm__ ( - "mov %[borrow], #0 \n" - "subs %[r0], %[a], %[b] \n" - "sbc %[borrow], %[borrow], #0 \n" - "subs %[r0], %[r0], %[c] \n" - "sbc %[borrow], %[borrow], #0 \n" - "neg %[borrow], %[borrow] \n" - : [borrow]"=&r"(borrow), [r0]"=&r"(r0) - : [a]"r"(a), [b]"r"(b), [c]"r"(c) - : "cc"); - - *out_borrow = borrow; - *out_r0 = r0; -} - -#endif /* __GNUC__ */ - -#endif -#endif diff --git a/src/lib/libcrypto/bn/arch/hppa/bn_arch.h b/src/lib/libcrypto/bn/arch/hppa/bn_arch.h deleted file mode 100644 index 136adf0e97..0000000000 --- a/src/lib/libcrypto/bn/arch/hppa/bn_arch.h +++ /dev/null @@ -1,24 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.1 2023/01/20 10:04:33 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#endif -#endif diff --git a/src/lib/libcrypto/bn/arch/i386/bn_arch.h b/src/lib/libcrypto/bn/arch/i386/bn_arch.h deleted file mode 100644 index eef519fcc7..0000000000 --- a/src/lib/libcrypto/bn/arch/i386/bn_arch.h +++ /dev/null @@ -1,86 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.9 2023/02/16 10:41:03 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#define HAVE_BN_ADD_WORDS - -#define HAVE_BN_DIV_WORDS - -#define HAVE_BN_MUL_ADD_WORDS -#define HAVE_BN_MUL_COMBA4 -#define HAVE_BN_MUL_COMBA8 -#define HAVE_BN_MUL_WORDS - -#define HAVE_BN_SQR_COMBA4 -#define HAVE_BN_SQR_COMBA8 -#define HAVE_BN_SQR_WORDS - -#define HAVE_BN_SUB_WORDS - -#if defined(__GNUC__) -#define HAVE_BN_DIV_REM_WORDS_INLINE - -static inline void -bn_div_rem_words_inline(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q, - BN_ULONG *out_r) -{ - BN_ULONG q, r; - - /* - * Unsigned division of %edx:%eax by d with quotient being stored in - * %eax and remainder in %edx. - */ - __asm__ volatile ("divl %4" - : "=a"(q), "=d"(r) - : "a"(l), "d"(h), "rm"(d) - : "cc"); - - *out_q = q; - *out_r = r; -} -#endif /* __GNUC__ */ - -#if defined(__GNUC__) -#define HAVE_BN_MULW - -static inline void -bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r1, r0; - - /* - * Unsigned multiplication of %eax, with the double word result being - * stored in %edx:%eax. - */ - __asm__ ("mull %3" - : "=d"(r1), "=a"(r0) - : "a"(a), "rm"(b) - : "cc"); - - *out_r1 = r1; - *out_r0 = r0; -} -#endif /* __GNUC__ */ - -#endif -#endif diff --git a/src/lib/libcrypto/bn/arch/m88k/bn_arch.h b/src/lib/libcrypto/bn/arch/m88k/bn_arch.h deleted file mode 100644 index 136adf0e97..0000000000 --- a/src/lib/libcrypto/bn/arch/m88k/bn_arch.h +++ /dev/null @@ -1,24 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.1 2023/01/20 10:04:33 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#endif -#endif diff --git a/src/lib/libcrypto/bn/arch/mips64/bn_arch.h b/src/lib/libcrypto/bn/arch/mips64/bn_arch.h deleted file mode 100644 index 53771bce1e..0000000000 --- a/src/lib/libcrypto/bn/arch/mips64/bn_arch.h +++ /dev/null @@ -1,40 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.7 2023/01/23 12:17:58 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#define HAVE_BN_ADD_WORDS - -#define HAVE_BN_DIV_WORDS -#define HAVE_BN_DIV_3_WORDS - -#define HAVE_BN_MUL_ADD_WORDS -#define HAVE_BN_MUL_COMBA4 -#define HAVE_BN_MUL_COMBA8 -#define HAVE_BN_MUL_WORDS - -#define HAVE_BN_SQR_COMBA4 -#define HAVE_BN_SQR_COMBA8 -#define HAVE_BN_SQR_WORDS - -#define HAVE_BN_SUB_WORDS - -#endif -#endif diff --git a/src/lib/libcrypto/bn/arch/powerpc/bn_arch.h b/src/lib/libcrypto/bn/arch/powerpc/bn_arch.h deleted file mode 100644 index 46e932a2d5..0000000000 --- a/src/lib/libcrypto/bn/arch/powerpc/bn_arch.h +++ /dev/null @@ -1,39 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.6 2023/01/23 12:17:58 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#define HAVE_BN_ADD_WORDS - -#define HAVE_BN_DIV_WORDS - -#define HAVE_BN_MUL_ADD_WORDS -#define HAVE_BN_MUL_COMBA4 -#define HAVE_BN_MUL_COMBA8 -#define HAVE_BN_MUL_WORDS - -#define HAVE_BN_SQR_COMBA4 -#define HAVE_BN_SQR_COMBA8 -#define HAVE_BN_SQR_WORDS - -#define HAVE_BN_SUB_WORDS - -#endif -#endif diff --git a/src/lib/libcrypto/bn/arch/powerpc64/bn_arch.h b/src/lib/libcrypto/bn/arch/powerpc64/bn_arch.h deleted file mode 100644 index 18bac203eb..0000000000 --- a/src/lib/libcrypto/bn/arch/powerpc64/bn_arch.h +++ /dev/null @@ -1,44 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.4 2023/02/16 10:41:03 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#if 0 /* Needs testing and enabling. */ -#if defined(__GNUC__) -#define HAVE_BN_MULW - -static inline void -bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r1, r0; - - /* Unsigned multiplication using a mulhdu/mul pair. */ - __asm__ ("mulhdu %0, %2, %3; mul %1, %2, %3" - : "=&r"(r1), "=r"(r0) - : "r"(a), "r"(b)); - - *out_r1 = r1; - *out_r0 = r0; -} -#endif /* __GNUC__ */ -#endif - -#endif -#endif diff --git a/src/lib/libcrypto/bn/arch/riscv64/bn_arch.h b/src/lib/libcrypto/bn/arch/riscv64/bn_arch.h deleted file mode 100644 index e67de835cf..0000000000 --- a/src/lib/libcrypto/bn/arch/riscv64/bn_arch.h +++ /dev/null @@ -1,86 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.7 2023/07/09 10:37:32 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#if defined(__GNUC__) - -#define HAVE_BN_ADDW - -static inline void -bn_addw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG carry, r0; - - __asm__ ( - "add %[r0], %[a], %[b] \n" - "sltu %[carry], %[r0], %[a] \n" - : [carry]"=r"(carry), [r0]"=&r"(r0) - : [a]"r"(a), [b]"r"(b)); - - *out_r1 = carry; - *out_r0 = r0; -} - -#define HAVE_BN_MULW - -static inline void -bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r1, r0; - - /* - * Unsigned multiplication using a mulh/mul pair. Note that the order - * of these instructions is important, as they can potentially be fused - * into a single operation. - */ - __asm__ ( - "mulhu %[r1], %[a], %[b] \n" - "mul %[r0], %[a], %[b] \n" - : [r1]"=&r"(r1), [r0]"=r"(r0) - : [a]"r"(a), [b]"r"(b)); - - *out_r1 = r1; - *out_r0 = r0; -} - -#define HAVE_BN_SUBW - -static inline void -bn_subw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_borrow, BN_ULONG *out_r0) -{ - BN_ULONG borrow, r0; - - __asm__ ( - "sub %[r0], %[a], %[b] \n" - "sltu %[borrow], %[a], %[r0] \n" - : [borrow]"=r"(borrow), [r0]"=&r"(r0) - : [a]"r"(a), [b]"r"(b)); - - *out_borrow = borrow; - *out_r0 = r0; -} - -#endif /* __GNUC__ */ - -#endif -#endif diff --git a/src/lib/libcrypto/bn/arch/sh/bn_arch.h b/src/lib/libcrypto/bn/arch/sh/bn_arch.h deleted file mode 100644 index 4d6571f9cb..0000000000 --- a/src/lib/libcrypto/bn/arch/sh/bn_arch.h +++ /dev/null @@ -1,24 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.1 2023/01/20 10:04:34 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#endif -#endif diff --git a/src/lib/libcrypto/bn/arch/sparc64/bn_arch.h b/src/lib/libcrypto/bn/arch/sparc64/bn_arch.h deleted file mode 100644 index 4d6571f9cb..0000000000 --- a/src/lib/libcrypto/bn/arch/sparc64/bn_arch.h +++ /dev/null @@ -1,24 +0,0 @@ -/* $OpenBSD: bn_arch.h,v 1.1 2023/01/20 10:04:34 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef HEADER_BN_ARCH_H -#define HEADER_BN_ARCH_H - -#ifndef OPENSSL_NO_ASM - -#endif -#endif diff --git a/src/lib/libcrypto/bn/asm/alpha-mont.pl b/src/lib/libcrypto/bn/asm/alpha-mont.pl deleted file mode 100644 index 874597f1c0..0000000000 --- a/src/lib/libcrypto/bn/asm/alpha-mont.pl +++ /dev/null @@ -1,315 +0,0 @@ -#!/usr/bin/env perl -# -# ==================================================================== -# Written by Andy Polyakov for the OpenSSL -# project. The module is, however, dual licensed under OpenSSL and -# CRYPTOGAMS licenses depending on where you obtain it. For further -# details see http://www.openssl.org/~appro/cryptogams/. -# ==================================================================== -# -# On 21264 RSA sign performance improves by 70/35/20/15 percent for -# 512/1024/2048/4096 bit key lengths. This is against vendor compiler -# instructed to '-tune host' code with in-line assembler. Other -# benchmarks improve by 15-20%. To anchor it to something else, the -# code provides approximately the same performance per GHz as AMD64. -# I.e. if you compare 1GHz 21264 and 2GHz Opteron, you'll observe ~2x -# difference. - -# int bn_mul_mont( -$rp="a0"; # BN_ULONG *rp, -$ap="a1"; # const BN_ULONG *ap, -$bp="a2"; # const BN_ULONG *bp, -$np="a3"; # const BN_ULONG *np, -$n0="a4"; # const BN_ULONG *n0, -$num="a5"; # int num); - -$lo0="t0"; -$hi0="t1"; -$lo1="t2"; -$hi1="t3"; -$aj="t4"; -$bi="t5"; -$nj="t6"; -$tp="t7"; -$alo="t8"; -$ahi="t9"; -$nlo="t10"; -$nhi="t11"; -$tj="t12"; -$i="s3"; -$j="s4"; -$m1="s5"; - -$code=<<___; -#include - -.text - -.set noat -.set noreorder - -.globl bn_mul_mont -.align 5 -.ent bn_mul_mont -bn_mul_mont: - lda sp,-48(sp) - stq ra,0(sp) - stq s3,8(sp) - stq s4,16(sp) - stq s5,24(sp) - stq fp,32(sp) - mov sp,fp - .mask 0x0400f000,-48 - .frame fp,48,ra - .prologue 0 - - .align 4 - .set reorder - sextl $num,$num - mov 0,v0 - cmplt $num,4,AT - bne AT,.Lexit - - ldq $hi0,0($ap) # ap[0] - s8addq $num,16,AT - ldq $aj,8($ap) - subq sp,AT,sp - ldq $bi,0($bp) # bp[0] - lda AT,-4096(zero) # mov -4096,AT - ldq $n0,0($n0) - and sp,AT,sp - - mulq $hi0,$bi,$lo0 - ldq $hi1,0($np) # np[0] - umulh $hi0,$bi,$hi0 - ldq $nj,8($np) - - mulq $lo0,$n0,$m1 - - mulq $hi1,$m1,$lo1 - umulh $hi1,$m1,$hi1 - - addq $lo1,$lo0,$lo1 - cmpult $lo1,$lo0,AT - addq $hi1,AT,$hi1 - - mulq $aj,$bi,$alo - mov 2,$j - umulh $aj,$bi,$ahi - mov sp,$tp - - mulq $nj,$m1,$nlo - s8addq $j,$ap,$aj - umulh $nj,$m1,$nhi - s8addq $j,$np,$nj -.align 4 -.L1st: - .set noreorder - ldq $aj,0($aj) - addl $j,1,$j - ldq $nj,0($nj) - lda $tp,8($tp) - - addq $alo,$hi0,$lo0 - mulq $aj,$bi,$alo - cmpult $lo0,$hi0,AT - addq $nlo,$hi1,$lo1 - - mulq $nj,$m1,$nlo - addq $ahi,AT,$hi0 - cmpult $lo1,$hi1,v0 - cmplt $j,$num,$tj - - umulh $aj,$bi,$ahi - addq $nhi,v0,$hi1 - addq $lo1,$lo0,$lo1 - s8addq $j,$ap,$aj - - umulh $nj,$m1,$nhi - cmpult $lo1,$lo0,v0 - addq $hi1,v0,$hi1 - s8addq $j,$np,$nj - - stq $lo1,-8($tp) - nop - unop - bne $tj,.L1st - .set reorder - - addq $alo,$hi0,$lo0 - addq $nlo,$hi1,$lo1 - cmpult $lo0,$hi0,AT - cmpult $lo1,$hi1,v0 - addq $ahi,AT,$hi0 - addq $nhi,v0,$hi1 - - addq $lo1,$lo0,$lo1 - cmpult $lo1,$lo0,v0 - addq $hi1,v0,$hi1 - - stq $lo1,0($tp) - - addq $hi1,$hi0,$hi1 - cmpult $hi1,$hi0,AT - stq $hi1,8($tp) - stq AT,16($tp) - - mov 1,$i -.align 4 -.Louter: - s8addq $i,$bp,$bi - ldq $hi0,0($ap) - ldq $aj,8($ap) - ldq $bi,0($bi) - ldq $hi1,0($np) - ldq $nj,8($np) - ldq $tj,0(sp) - - mulq $hi0,$bi,$lo0 - umulh $hi0,$bi,$hi0 - - addq $lo0,$tj,$lo0 - cmpult $lo0,$tj,AT - addq $hi0,AT,$hi0 - - mulq $lo0,$n0,$m1 - - mulq $hi1,$m1,$lo1 - umulh $hi1,$m1,$hi1 - - addq $lo1,$lo0,$lo1 - cmpult $lo1,$lo0,AT - mov 2,$j - addq $hi1,AT,$hi1 - - mulq $aj,$bi,$alo - mov sp,$tp - umulh $aj,$bi,$ahi - - mulq $nj,$m1,$nlo - s8addq $j,$ap,$aj - umulh $nj,$m1,$nhi -.align 4 -.Linner: - .set noreorder - ldq $tj,8($tp) #L0 - nop #U1 - ldq $aj,0($aj) #L1 - s8addq $j,$np,$nj #U0 - - ldq $nj,0($nj) #L0 - nop #U1 - addq $alo,$hi0,$lo0 #L1 - lda $tp,8($tp) - - mulq $aj,$bi,$alo #U1 - cmpult $lo0,$hi0,AT #L0 - addq $nlo,$hi1,$lo1 #L1 - addl $j,1,$j - - mulq $nj,$m1,$nlo #U1 - addq $ahi,AT,$hi0 #L0 - addq $lo0,$tj,$lo0 #L1 - cmpult $lo1,$hi1,v0 #U0 - - umulh $aj,$bi,$ahi #U1 - cmpult $lo0,$tj,AT #L0 - addq $lo1,$lo0,$lo1 #L1 - addq $nhi,v0,$hi1 #U0 - - umulh $nj,$m1,$nhi #U1 - s8addq $j,$ap,$aj #L0 - cmpult $lo1,$lo0,v0 #L1 - cmplt $j,$num,$tj #U0 # borrow $tj - - addq $hi0,AT,$hi0 #L0 - addq $hi1,v0,$hi1 #U1 - stq $lo1,-8($tp) #L1 - bne $tj,.Linner #U0 - .set reorder - - ldq $tj,8($tp) - addq $alo,$hi0,$lo0 - addq $nlo,$hi1,$lo1 - cmpult $lo0,$hi0,AT - cmpult $lo1,$hi1,v0 - addq $ahi,AT,$hi0 - addq $nhi,v0,$hi1 - - addq $lo0,$tj,$lo0 - cmpult $lo0,$tj,AT - addq $hi0,AT,$hi0 - - ldq $tj,16($tp) - addq $lo1,$lo0,$j - cmpult $j,$lo0,v0 - addq $hi1,v0,$hi1 - - addq $hi1,$hi0,$lo1 - stq $j,0($tp) - cmpult $lo1,$hi0,$hi1 - addq $lo1,$tj,$lo1 - cmpult $lo1,$tj,AT - addl $i,1,$i - addq $hi1,AT,$hi1 - stq $lo1,8($tp) - cmplt $i,$num,$tj # borrow $tj - stq $hi1,16($tp) - bne $tj,.Louter - - s8addq $num,sp,$tj # &tp[num] - mov $rp,$bp # put rp aside - mov sp,$tp - mov sp,$ap - mov 0,$hi0 # clear borrow bit - -.align 4 -.Lsub: ldq $lo0,0($tp) - ldq $lo1,0($np) - lda $tp,8($tp) - lda $np,8($np) - subq $lo0,$lo1,$lo1 # tp[i]-np[i] - cmpult $lo0,$lo1,AT - subq $lo1,$hi0,$lo0 - cmpult $lo1,$lo0,$hi0 - or $hi0,AT,$hi0 - stq $lo0,0($rp) - cmpult $tp,$tj,v0 - lda $rp,8($rp) - bne v0,.Lsub - - subq $hi1,$hi0,$hi0 # handle upmost overflow bit - mov sp,$tp - mov $bp,$rp # restore rp - - and sp,$hi0,$ap - bic $bp,$hi0,$bp - bis $bp,$ap,$ap # ap=borrow?tp:rp - -.align 4 -.Lcopy: ldq $aj,0($ap) # copy or in-place refresh - lda $tp,8($tp) - lda $rp,8($rp) - lda $ap,8($ap) - stq zero,-8($tp) # zap tp - cmpult $tp,$tj,AT - stq $aj,-8($rp) - bne AT,.Lcopy - mov 1,v0 - -.Lexit: - .set noreorder - mov fp,sp - /*ldq ra,0(sp)*/ - ldq s3,8(sp) - ldq s4,16(sp) - ldq s5,24(sp) - ldq fp,32(sp) - lda sp,48(sp) - ret (ra) -.end bn_mul_mont -.align 2 -___ - -print $code; -close STDOUT; diff --git a/src/lib/libcrypto/bn/asm/armv4-mont.pl b/src/lib/libcrypto/bn/asm/armv4-mont.pl deleted file mode 100644 index f78a8b5f0f..0000000000 --- a/src/lib/libcrypto/bn/asm/armv4-mont.pl +++ /dev/null @@ -1,204 +0,0 @@ -#!/usr/bin/env perl - -# ==================================================================== -# Written by Andy Polyakov for the OpenSSL -# project. The module is, however, dual licensed under OpenSSL and -# CRYPTOGAMS licenses depending on where you obtain it. For further -# details see http://www.openssl.org/~appro/cryptogams/. -# ==================================================================== - -# January 2007. - -# Montgomery multiplication for ARMv4. -# -# Performance improvement naturally varies among CPU implementations -# and compilers. The code was observed to provide +65-35% improvement -# [depending on key length, less for longer keys] on ARM920T, and -# +115-80% on Intel IXP425. This is compared to pre-bn_mul_mont code -# base and compiler generated code with in-lined umull and even umlal -# instructions. The latter means that this code didn't really have an -# "advantage" of utilizing some "secret" instruction. -# -# The code is interoperable with Thumb ISA and is rather compact, less -# than 1/2KB. Windows CE port would be trivial, as it's exclusively -# about decorations, ABI and instruction syntax are identical. - -while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; - -$num="r0"; # starts as num argument, but holds &tp[num-1] -$ap="r1"; -$bp="r2"; $bi="r2"; $rp="r2"; -$np="r3"; -$tp="r4"; -$aj="r5"; -$nj="r6"; -$tj="r7"; -$n0="r8"; -########### # r9 is reserved by ELF as platform specific, e.g. TLS pointer -$alo="r10"; # sl, gcc uses it to keep @GOT -$ahi="r11"; # fp -$nlo="r12"; # ip -########### # r13 is stack pointer -$nhi="r14"; # lr -########### # r15 is program counter - -#### argument block layout relative to &tp[num-1], a.k.a. $num -$_rp="$num,#12*4"; -# ap permanently resides in r1 -$_bp="$num,#13*4"; -# np permanently resides in r3 -$_n0="$num,#14*4"; -$_num="$num,#15*4"; $_bpend=$_num; - -$code=<<___; -.text - -.global bn_mul_mont -.type bn_mul_mont,%function - -.align 2 -bn_mul_mont: - stmdb sp!,{r0,r2} @ sp points at argument block - ldr $num,[sp,#3*4] @ load num - cmp $num,#2 - movlt r0,#0 - addlt sp,sp,#2*4 - blt .Labrt - - stmdb sp!,{r4-r12,lr} @ save 10 registers - - mov $num,$num,lsl#2 @ rescale $num for byte count - sub sp,sp,$num @ alloca(4*num) - sub sp,sp,#4 @ +extra dword - sub $num,$num,#4 @ "num=num-1" - add $tp,$bp,$num @ &bp[num-1] - - add $num,sp,$num @ $num to point at &tp[num-1] - ldr $n0,[$_n0] @ &n0 - ldr $bi,[$bp] @ bp[0] - ldr $aj,[$ap],#4 @ ap[0],ap++ - ldr $nj,[$np],#4 @ np[0],np++ - ldr $n0,[$n0] @ *n0 - str $tp,[$_bpend] @ save &bp[num] - - umull $alo,$ahi,$aj,$bi @ ap[0]*bp[0] - str $n0,[$_n0] @ save n0 value - mul $n0,$alo,$n0 @ "tp[0]"*n0 - mov $nlo,#0 - umlal $alo,$nlo,$nj,$n0 @ np[0]*n0+"t[0]" - mov $tp,sp - -.L1st: - ldr $aj,[$ap],#4 @ ap[j],ap++ - mov $alo,$ahi - ldr $nj,[$np],#4 @ np[j],np++ - mov $ahi,#0 - umlal $alo,$ahi,$aj,$bi @ ap[j]*bp[0] - mov $nhi,#0 - umlal $nlo,$nhi,$nj,$n0 @ np[j]*n0 - adds $nlo,$nlo,$alo - str $nlo,[$tp],#4 @ tp[j-1]=,tp++ - adc $nlo,$nhi,#0 - cmp $tp,$num - bne .L1st - - adds $nlo,$nlo,$ahi - ldr $tp,[$_bp] @ restore bp - mov $nhi,#0 - ldr $n0,[$_n0] @ restore n0 - adc $nhi,$nhi,#0 - str $nlo,[$num] @ tp[num-1]= - str $nhi,[$num,#4] @ tp[num]= - -.Louter: - sub $tj,$num,sp @ "original" $num-1 value - sub $ap,$ap,$tj @ "rewind" ap to &ap[1] - ldr $bi,[$tp,#4]! @ *(++bp) - sub $np,$np,$tj @ "rewind" np to &np[1] - ldr $aj,[$ap,#-4] @ ap[0] - ldr $alo,[sp] @ tp[0] - ldr $nj,[$np,#-4] @ np[0] - ldr $tj,[sp,#4] @ tp[1] - - mov $ahi,#0 - umlal $alo,$ahi,$aj,$bi @ ap[0]*bp[i]+tp[0] - str $tp,[$_bp] @ save bp - mul $n0,$alo,$n0 - mov $nlo,#0 - umlal $alo,$nlo,$nj,$n0 @ np[0]*n0+"tp[0]" - mov $tp,sp - -.Linner: - ldr $aj,[$ap],#4 @ ap[j],ap++ - adds $alo,$ahi,$tj @ +=tp[j] - ldr $nj,[$np],#4 @ np[j],np++ - mov $ahi,#0 - umlal $alo,$ahi,$aj,$bi @ ap[j]*bp[i] - mov $nhi,#0 - umlal $nlo,$nhi,$nj,$n0 @ np[j]*n0 - adc $ahi,$ahi,#0 - ldr $tj,[$tp,#8] @ tp[j+1] - adds $nlo,$nlo,$alo - str $nlo,[$tp],#4 @ tp[j-1]=,tp++ - adc $nlo,$nhi,#0 - cmp $tp,$num - bne .Linner - - adds $nlo,$nlo,$ahi - mov $nhi,#0 - ldr $tp,[$_bp] @ restore bp - adc $nhi,$nhi,#0 - ldr $n0,[$_n0] @ restore n0 - adds $nlo,$nlo,$tj - ldr $tj,[$_bpend] @ restore &bp[num] - adc $nhi,$nhi,#0 - str $nlo,[$num] @ tp[num-1]= - str $nhi,[$num,#4] @ tp[num]= - - cmp $tp,$tj - bne .Louter - - ldr $rp,[$_rp] @ pull rp - add $num,$num,#4 @ $num to point at &tp[num] - sub $aj,$num,sp @ "original" num value - mov $tp,sp @ "rewind" $tp - mov $ap,$tp @ "borrow" $ap - sub $np,$np,$aj @ "rewind" $np to &np[0] - - subs $tj,$tj,$tj @ "clear" carry flag -.Lsub: ldr $tj,[$tp],#4 - ldr $nj,[$np],#4 - sbcs $tj,$tj,$nj @ tp[j]-np[j] - str $tj,[$rp],#4 @ rp[j]= - teq $tp,$num @ preserve carry - bne .Lsub - sbcs $nhi,$nhi,#0 @ upmost carry - mov $tp,sp @ "rewind" $tp - sub $rp,$rp,$aj @ "rewind" $rp - - and $ap,$tp,$nhi - bic $np,$rp,$nhi - orr $ap,$ap,$np @ ap=borrow?tp:rp - -.Lcopy: ldr $tj,[$ap],#4 @ copy or in-place refresh - str sp,[$tp],#4 @ zap tp - str $tj,[$rp],#4 - cmp $tp,$num - bne .Lcopy - - add sp,$num,#4 @ skip over tp[num+1] - ldmia sp!,{r4-r12,lr} @ restore registers - add sp,sp,#2*4 @ skip over {r0,r2} - mov r0,#1 -.Labrt: tst lr,#1 - moveq pc,lr @ be binary compatible with V4, yet - bx lr @ interoperable with Thumb ISA:-) -.size bn_mul_mont,.-bn_mul_mont -.asciz "Montgomery multiplication for ARMv4, CRYPTOGAMS by " -.align 2 -___ - -$code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm; # make it possible to compile with -march=armv4 -print $code; -close STDOUT; diff --git a/src/lib/libcrypto/bn/asm/bn-586.pl b/src/lib/libcrypto/bn/asm/bn-586.pl deleted file mode 100644 index 71b775af8d..0000000000 --- a/src/lib/libcrypto/bn/asm/bn-586.pl +++ /dev/null @@ -1,567 +0,0 @@ -#!/usr/local/bin/perl - -$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -push(@INC,"${dir}","${dir}../../perlasm"); -require "x86asm.pl"; - -&asm_init($ARGV[0],$0); - -$sse2=0; -for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } - -&external_label("OPENSSL_ia32cap_P") if ($sse2); - -&bn_mul_add_words("bn_mul_add_words"); -&bn_mul_words("bn_mul_words"); -&bn_sqr_words("bn_sqr_words"); -&bn_div_words("bn_div_words"); -&bn_add_words("bn_add_words"); -&bn_sub_words("bn_sub_words"); - -&asm_finish(); - -sub bn_mul_add_words - { - local($name)=@_; - - &function_begin_B($name,""); - - $r="eax"; - $a="edx"; - $c="ecx"; - - if ($sse2) { - &picsetup("eax"); - &picsymbol("eax", "OPENSSL_ia32cap_P", "eax"); - &bt(&DWP(0,"eax"),"\$IA32CAP_BIT0_SSE2"); - &jnc(&label("maw_non_sse2")); - - &mov($r,&wparam(0)); - &mov($a,&wparam(1)); - &mov($c,&wparam(2)); - &movd("mm0",&wparam(3)); # mm0 = w - &pxor("mm1","mm1"); # mm1 = carry_in - &jmp(&label("maw_sse2_entry")); - - &set_label("maw_sse2_unrolled",16); - &movd("mm3",&DWP(0,$r,"",0)); # mm3 = r[0] - &paddq("mm1","mm3"); # mm1 = carry_in + r[0] - &movd("mm2",&DWP(0,$a,"",0)); # mm2 = a[0] - &pmuludq("mm2","mm0"); # mm2 = w*a[0] - &movd("mm4",&DWP(4,$a,"",0)); # mm4 = a[1] - &pmuludq("mm4","mm0"); # mm4 = w*a[1] - &movd("mm6",&DWP(8,$a,"",0)); # mm6 = a[2] - &pmuludq("mm6","mm0"); # mm6 = w*a[2] - &movd("mm7",&DWP(12,$a,"",0)); # mm7 = a[3] - &pmuludq("mm7","mm0"); # mm7 = w*a[3] - &paddq("mm1","mm2"); # mm1 = carry_in + r[0] + w*a[0] - &movd("mm3",&DWP(4,$r,"",0)); # mm3 = r[1] - &paddq("mm3","mm4"); # mm3 = r[1] + w*a[1] - &movd("mm5",&DWP(8,$r,"",0)); # mm5 = r[2] - &paddq("mm5","mm6"); # mm5 = r[2] + w*a[2] - &movd("mm4",&DWP(12,$r,"",0)); # mm4 = r[3] - &paddq("mm7","mm4"); # mm7 = r[3] + w*a[3] - &movd(&DWP(0,$r,"",0),"mm1"); - &movd("mm2",&DWP(16,$a,"",0)); # mm2 = a[4] - &pmuludq("mm2","mm0"); # mm2 = w*a[4] - &psrlq("mm1",32); # mm1 = carry0 - &movd("mm4",&DWP(20,$a,"",0)); # mm4 = a[5] - &pmuludq("mm4","mm0"); # mm4 = w*a[5] - &paddq("mm1","mm3"); # mm1 = carry0 + r[1] + w*a[1] - &movd("mm6",&DWP(24,$a,"",0)); # mm6 = a[6] - &pmuludq("mm6","mm0"); # mm6 = w*a[6] - &movd(&DWP(4,$r,"",0),"mm1"); - &psrlq("mm1",32); # mm1 = carry1 - &movd("mm3",&DWP(28,$a,"",0)); # mm3 = a[7] - &add($a,32); - &pmuludq("mm3","mm0"); # mm3 = w*a[7] - &paddq("mm1","mm5"); # mm1 = carry1 + r[2] + w*a[2] - &movd("mm5",&DWP(16,$r,"",0)); # mm5 = r[4] - &paddq("mm2","mm5"); # mm2 = r[4] + w*a[4] - &movd(&DWP(8,$r,"",0),"mm1"); - &psrlq("mm1",32); # mm1 = carry2 - &paddq("mm1","mm7"); # mm1 = carry2 + r[3] + w*a[3] - &movd("mm5",&DWP(20,$r,"",0)); # mm5 = r[5] - &paddq("mm4","mm5"); # mm4 = r[5] + w*a[5] - &movd(&DWP(12,$r,"",0),"mm1"); - &psrlq("mm1",32); # mm1 = carry3 - &paddq("mm1","mm2"); # mm1 = carry3 + r[4] + w*a[4] - &movd("mm5",&DWP(24,$r,"",0)); # mm5 = r[6] - &paddq("mm6","mm5"); # mm6 = r[6] + w*a[6] - &movd(&DWP(16,$r,"",0),"mm1"); - &psrlq("mm1",32); # mm1 = carry4 - &paddq("mm1","mm4"); # mm1 = carry4 + r[5] + w*a[5] - &movd("mm5",&DWP(28,$r,"",0)); # mm5 = r[7] - &paddq("mm3","mm5"); # mm3 = r[7] + w*a[7] - &movd(&DWP(20,$r,"",0),"mm1"); - &psrlq("mm1",32); # mm1 = carry5 - &paddq("mm1","mm6"); # mm1 = carry5 + r[6] + w*a[6] - &movd(&DWP(24,$r,"",0),"mm1"); - &psrlq("mm1",32); # mm1 = carry6 - &paddq("mm1","mm3"); # mm1 = carry6 + r[7] + w*a[7] - &movd(&DWP(28,$r,"",0),"mm1"); - &lea($r,&DWP(32,$r)); - &psrlq("mm1",32); # mm1 = carry_out - - &sub($c,8); - &jz(&label("maw_sse2_exit")); - &set_label("maw_sse2_entry"); - &test($c,0xfffffff8); - &jnz(&label("maw_sse2_unrolled")); - - &set_label("maw_sse2_loop",4); - &movd("mm2",&DWP(0,$a)); # mm2 = a[i] - &movd("mm3",&DWP(0,$r)); # mm3 = r[i] - &pmuludq("mm2","mm0"); # a[i] *= w - &lea($a,&DWP(4,$a)); - &paddq("mm1","mm3"); # carry += r[i] - &paddq("mm1","mm2"); # carry += a[i]*w - &movd(&DWP(0,$r),"mm1"); # r[i] = carry_low - &sub($c,1); - &psrlq("mm1",32); # carry = carry_high - &lea($r,&DWP(4,$r)); - &jnz(&label("maw_sse2_loop")); - &set_label("maw_sse2_exit"); - &movd("eax","mm1"); # c = carry_out - &emms(); - &ret(); - - &set_label("maw_non_sse2",16); - } - - # function_begin prologue - &push("ebp"); - &push("ebx"); - &push("esi"); - &push("edi"); - - &comment(""); - $Low="eax"; - $High="edx"; - $a="ebx"; - $w="ebp"; - $r="edi"; - $c="esi"; - - &xor($c,$c); # clear carry - &mov($r,&wparam(0)); # - - &mov("ecx",&wparam(2)); # - &mov($a,&wparam(1)); # - - &and("ecx",0xfffffff8); # num / 8 - &mov($w,&wparam(3)); # - - &push("ecx"); # Up the stack for a tmp variable - - &jz(&label("maw_finish")); - - &set_label("maw_loop",16); - - for ($i=0; $i<32; $i+=4) - { - &comment("Round $i"); - - &mov("eax",&DWP($i,$a)); # *a - &mul($w); # *a * w - &add("eax",$c); # L(t)+= c - &adc("edx",0); # H(t)+=carry - &add("eax",&DWP($i,$r)); # L(t)+= *r - &adc("edx",0); # H(t)+=carry - &mov(&DWP($i,$r),"eax"); # *r= L(t); - &mov($c,"edx"); # c= H(t); - } - - &comment(""); - &sub("ecx",8); - &lea($a,&DWP(32,$a)); - &lea($r,&DWP(32,$r)); - &jnz(&label("maw_loop")); - - &set_label("maw_finish",0); - &mov("ecx",&wparam(2)); # get num - &and("ecx",7); - &jnz(&label("maw_finish2")); # helps branch prediction - &jmp(&label("maw_end")); - - &set_label("maw_finish2",1); - for ($i=0; $i<7; $i++) - { - &comment("Tail Round $i"); - &mov("eax",&DWP($i*4,$a)); # *a - &mul($w); # *a * w - &add("eax",$c); # L(t)+=c - &adc("edx",0); # H(t)+=carry - &add("eax",&DWP($i*4,$r)); # L(t)+= *r - &adc("edx",0); # H(t)+=carry - &dec("ecx") if ($i != 7-1); - &mov(&DWP($i*4,$r),"eax"); # *r= L(t); - &mov($c,"edx"); # c= H(t); - &jz(&label("maw_end")) if ($i != 7-1); - } - &set_label("maw_end",0); - &mov("eax",$c); - - &pop("ecx"); # clear variable from - - &function_end($name); - } - -sub bn_mul_words - { - local($name)=@_; - - &function_begin_B($name,""); - - $r="eax"; - $a="edx"; - $c="ecx"; - - if ($sse2) { - &picsetup("eax"); - &picsymbol("eax", "OPENSSL_ia32cap_P", "eax"); - &bt(&DWP(0,"eax"),"\$IA32CAP_BIT0_SSE2"); - &jnc(&label("mw_non_sse2")); - - &mov($r,&wparam(0)); - &mov($a,&wparam(1)); - &mov($c,&wparam(2)); - &movd("mm0",&wparam(3)); # mm0 = w - &pxor("mm1","mm1"); # mm1 = carry = 0 - - &set_label("mw_sse2_loop",16); - &movd("mm2",&DWP(0,$a)); # mm2 = a[i] - &pmuludq("mm2","mm0"); # a[i] *= w - &lea($a,&DWP(4,$a)); - &paddq("mm1","mm2"); # carry += a[i]*w - &movd(&DWP(0,$r),"mm1"); # r[i] = carry_low - &sub($c,1); - &psrlq("mm1",32); # carry = carry_high - &lea($r,&DWP(4,$r)); - &jnz(&label("mw_sse2_loop")); - - &movd("eax","mm1"); # return carry - &emms(); - &ret(); - &set_label("mw_non_sse2",16); - } - - # function_begin prologue - &push("ebp"); - &push("ebx"); - &push("esi"); - &push("edi"); - - &comment(""); - $Low="eax"; - $High="edx"; - $a="ebx"; - $w="ecx"; - $r="edi"; - $c="esi"; - $num="ebp"; - - &xor($c,$c); # clear carry - &mov($r,&wparam(0)); # - &mov($a,&wparam(1)); # - &mov($num,&wparam(2)); # - &mov($w,&wparam(3)); # - - &and($num,0xfffffff8); # num / 8 - &jz(&label("mw_finish")); - - &set_label("mw_loop",0); - for ($i=0; $i<32; $i+=4) - { - &comment("Round $i"); - - &mov("eax",&DWP($i,$a,"",0)); # *a - &mul($w); # *a * w - &add("eax",$c); # L(t)+=c - # XXX - - &adc("edx",0); # H(t)+=carry - &mov(&DWP($i,$r,"",0),"eax"); # *r= L(t); - - &mov($c,"edx"); # c= H(t); - } - - &comment(""); - &add($a,32); - &add($r,32); - &sub($num,8); - &jz(&label("mw_finish")); - &jmp(&label("mw_loop")); - - &set_label("mw_finish",0); - &mov($num,&wparam(2)); # get num - &and($num,7); - &jnz(&label("mw_finish2")); - &jmp(&label("mw_end")); - - &set_label("mw_finish2",1); - for ($i=0; $i<7; $i++) - { - &comment("Tail Round $i"); - &mov("eax",&DWP($i*4,$a,"",0));# *a - &mul($w); # *a * w - &add("eax",$c); # L(t)+=c - # XXX - &adc("edx",0); # H(t)+=carry - &mov(&DWP($i*4,$r,"",0),"eax");# *r= L(t); - &mov($c,"edx"); # c= H(t); - &dec($num) if ($i != 7-1); - &jz(&label("mw_end")) if ($i != 7-1); - } - &set_label("mw_end",0); - &mov("eax",$c); - - &function_end($name); - } - -sub bn_sqr_words - { - local($name)=@_; - - &function_begin_B($name,""); - - $r="eax"; - $a="edx"; - $c="ecx"; - - if ($sse2) { - &picsetup("eax"); - &picsymbol("eax", "OPENSSL_ia32cap_P", "eax"); - &bt(&DWP(0,"eax"),"\$IA32CAP_BIT0_SSE2"); - &jnc(&label("sqr_non_sse2")); - - &mov($r,&wparam(0)); - &mov($a,&wparam(1)); - &mov($c,&wparam(2)); - - &set_label("sqr_sse2_loop",16); - &movd("mm0",&DWP(0,$a)); # mm0 = a[i] - &pmuludq("mm0","mm0"); # a[i] *= a[i] - &lea($a,&DWP(4,$a)); # a++ - &movq(&QWP(0,$r),"mm0"); # r[i] = a[i]*a[i] - &sub($c,1); - &lea($r,&DWP(8,$r)); # r += 2 - &jnz(&label("sqr_sse2_loop")); - - &emms(); - &ret(); - &set_label("sqr_non_sse2",16); - } - - # function_begin prologue - &push("ebp"); - &push("ebx"); - &push("esi"); - &push("edi"); - - &comment(""); - $r="esi"; - $a="edi"; - $num="ebx"; - - &mov($r,&wparam(0)); # - &mov($a,&wparam(1)); # - &mov($num,&wparam(2)); # - - &and($num,0xfffffff8); # num / 8 - &jz(&label("sw_finish")); - - &set_label("sw_loop",0); - for ($i=0; $i<32; $i+=4) - { - &comment("Round $i"); - &mov("eax",&DWP($i,$a,"",0)); # *a - # XXX - &mul("eax"); # *a * *a - &mov(&DWP($i*2,$r,"",0),"eax"); # - &mov(&DWP($i*2+4,$r,"",0),"edx");# - } - - &comment(""); - &add($a,32); - &add($r,64); - &sub($num,8); - &jnz(&label("sw_loop")); - - &set_label("sw_finish",0); - &mov($num,&wparam(2)); # get num - &and($num,7); - &jz(&label("sw_end")); - - for ($i=0; $i<7; $i++) - { - &comment("Tail Round $i"); - &mov("eax",&DWP($i*4,$a,"",0)); # *a - # XXX - &mul("eax"); # *a * *a - &mov(&DWP($i*8,$r,"",0),"eax"); # - &dec($num) if ($i != 7-1); - &mov(&DWP($i*8+4,$r,"",0),"edx"); - &jz(&label("sw_end")) if ($i != 7-1); - } - &set_label("sw_end",0); - - &function_end($name); - } - -sub bn_div_words - { - local($name)=@_; - - &function_begin_B($name,""); - &mov("edx",&wparam(0)); # - &mov("eax",&wparam(1)); # - &mov("ecx",&wparam(2)); # - &div("ecx"); - &ret(); - &function_end_B($name); - } - -sub bn_add_words - { - local($name)=@_; - - &function_begin($name,""); - - &comment(""); - $a="esi"; - $b="edi"; - $c="eax"; - $r="ebx"; - $tmp1="ecx"; - $tmp2="edx"; - $num="ebp"; - - &mov($r,&wparam(0)); # get r - &mov($a,&wparam(1)); # get a - &mov($b,&wparam(2)); # get b - &mov($num,&wparam(3)); # get num - &xor($c,$c); # clear carry - &and($num,0xfffffff8); # num / 8 - - &jz(&label("aw_finish")); - - &set_label("aw_loop",0); - for ($i=0; $i<8; $i++) - { - &comment("Round $i"); - - &mov($tmp1,&DWP($i*4,$a,"",0)); # *a - &mov($tmp2,&DWP($i*4,$b,"",0)); # *b - &add($tmp1,$c); - &mov($c,0); - &adc($c,$c); - &add($tmp1,$tmp2); - &adc($c,0); - &mov(&DWP($i*4,$r,"",0),$tmp1); # *r - } - - &comment(""); - &add($a,32); - &add($b,32); - &add($r,32); - &sub($num,8); - &jnz(&label("aw_loop")); - - &set_label("aw_finish",0); - &mov($num,&wparam(3)); # get num - &and($num,7); - &jz(&label("aw_end")); - - for ($i=0; $i<7; $i++) - { - &comment("Tail Round $i"); - &mov($tmp1,&DWP($i*4,$a,"",0)); # *a - &mov($tmp2,&DWP($i*4,$b,"",0));# *b - &add($tmp1,$c); - &mov($c,0); - &adc($c,$c); - &add($tmp1,$tmp2); - &adc($c,0); - &dec($num) if ($i != 6); - &mov(&DWP($i*4,$r,"",0),$tmp1); # *r - &jz(&label("aw_end")) if ($i != 6); - } - &set_label("aw_end",0); - -# &mov("eax",$c); # $c is "eax" - - &function_end($name); - } - -sub bn_sub_words - { - local($name)=@_; - - &function_begin($name,""); - - &comment(""); - $a="esi"; - $b="edi"; - $c="eax"; - $r="ebx"; - $tmp1="ecx"; - $tmp2="edx"; - $num="ebp"; - - &mov($r,&wparam(0)); # get r - &mov($a,&wparam(1)); # get a - &mov($b,&wparam(2)); # get b - &mov($num,&wparam(3)); # get num - &xor($c,$c); # clear carry - &and($num,0xfffffff8); # num / 8 - - &jz(&label("aw_finish")); - - &set_label("aw_loop",0); - for ($i=0; $i<8; $i++) - { - &comment("Round $i"); - - &mov($tmp1,&DWP($i*4,$a,"",0)); # *a - &mov($tmp2,&DWP($i*4,$b,"",0)); # *b - &sub($tmp1,$c); - &mov($c,0); - &adc($c,$c); - &sub($tmp1,$tmp2); - &adc($c,0); - &mov(&DWP($i*4,$r,"",0),$tmp1); # *r - } - - &comment(""); - &add($a,32); - &add($b,32); - &add($r,32); - &sub($num,8); - &jnz(&label("aw_loop")); - - &set_label("aw_finish",0); - &mov($num,&wparam(3)); # get num - &and($num,7); - &jz(&label("aw_end")); - - for ($i=0; $i<7; $i++) - { - &comment("Tail Round $i"); - &mov($tmp1,&DWP($i*4,$a,"",0)); # *a - &mov($tmp2,&DWP($i*4,$b,"",0));# *b - &sub($tmp1,$c); - &mov($c,0); - &adc($c,$c); - &sub($tmp1,$tmp2); - &adc($c,0); - &dec($num) if ($i != 6); - &mov(&DWP($i*4,$r,"",0),$tmp1); # *r - &jz(&label("aw_end")) if ($i != 6); - } - &set_label("aw_end",0); - -# &mov("eax",$c); # $c is "eax" - - &function_end($name); - } diff --git a/src/lib/libcrypto/bn/asm/co-586.pl b/src/lib/libcrypto/bn/asm/co-586.pl deleted file mode 100644 index 37d79cc0c1..0000000000 --- a/src/lib/libcrypto/bn/asm/co-586.pl +++ /dev/null @@ -1,287 +0,0 @@ -#!/usr/local/bin/perl - -$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -push(@INC,"${dir}","${dir}../../perlasm"); -require "x86asm.pl"; - -&asm_init($ARGV[0],$0); - -&bn_mul_comba("bn_mul_comba8",8); -&bn_mul_comba("bn_mul_comba4",4); -&bn_sqr_comba("bn_sqr_comba8",8); -&bn_sqr_comba("bn_sqr_comba4",4); - -&asm_finish(); - -sub mul_add_c - { - local($a,$ai,$b,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_; - - # pos == -1 if eax and edx are pre-loaded, 0 to load from next - # words, and 1 if load return value - - &comment("mul a[$ai]*b[$bi]"); - - # "eax" and "edx" will always be pre-loaded. - # &mov("eax",&DWP($ai*4,$a,"",0)) ; - # &mov("edx",&DWP($bi*4,$b,"",0)); - - &mul("edx"); - &add($c0,"eax"); - &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0; # load next a - &mov("eax",&wparam(0)) if $pos > 0; # load r[] - ### - &adc($c1,"edx"); - &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 0; # load next b - &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 1; # load next b - ### - &adc($c2,0); - # is pos > 1, it means it is the last loop - &mov(&DWP($i*4,"eax","",0),$c0) if $pos > 0; # save r[]; - &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1; # load next a - } - -sub sqr_add_c - { - local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_; - - # pos == -1 if eax and edx are pre-loaded, 0 to load from next - # words, and 1 if load return value - - &comment("sqr a[$ai]*a[$bi]"); - - # "eax" and "edx" will always be pre-loaded. - # &mov("eax",&DWP($ai*4,$a,"",0)) ; - # &mov("edx",&DWP($bi*4,$b,"",0)); - - if ($ai == $bi) - { &mul("eax");} - else - { &mul("edx");} - &add($c0,"eax"); - &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0; # load next a - ### - &adc($c1,"edx"); - &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos == 1) && ($na != $nb); - ### - &adc($c2,0); - # is pos > 1, it means it is the last loop - &mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0; # save r[]; - &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1; # load next b - } - -sub sqr_add_c2 - { - local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_; - - # pos == -1 if eax and edx are pre-loaded, 0 to load from next - # words, and 1 if load return value - - &comment("sqr a[$ai]*a[$bi]"); - - # "eax" and "edx" will always be pre-loaded. - # &mov("eax",&DWP($ai*4,$a,"",0)) ; - # &mov("edx",&DWP($bi*4,$a,"",0)); - - if ($ai == $bi) - { &mul("eax");} - else - { &mul("edx");} - &add("eax","eax"); - ### - &adc("edx","edx"); - ### - &adc($c2,0); - &add($c0,"eax"); - &adc($c1,"edx"); - &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0; # load next a - &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1; # load next b - &adc($c2,0); - &mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0; # save r[]; - &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos <= 1) && ($na != $nb); - ### - } - -sub bn_mul_comba - { - local($name,$num)=@_; - local($a,$b,$c0,$c1,$c2); - local($i,$as,$ae,$bs,$be,$ai,$bi); - local($tot,$end); - - &function_begin_B($name,""); - - $c0="ebx"; - $c1="ecx"; - $c2="ebp"; - $a="esi"; - $b="edi"; - - $as=0; - $ae=0; - $bs=0; - $be=0; - $tot=$num+$num-1; - - &push("esi"); - &mov($a,&wparam(1)); - &push("edi"); - &mov($b,&wparam(2)); - &push("ebp"); - &push("ebx"); - - &xor($c0,$c0); - &mov("eax",&DWP(0,$a,"",0)); # load the first word - &xor($c1,$c1); - &mov("edx",&DWP(0,$b,"",0)); # load the first second - - for ($i=0; $i<$tot; $i++) - { - $ai=$as; - $bi=$bs; - $end=$be+1; - - &comment("################## Calculate word $i"); - - for ($j=$bs; $j<$end; $j++) - { - &xor($c2,$c2) if ($j == $bs); - if (($j+1) == $end) - { - $v=1; - $v=2 if (($i+1) == $tot); - } - else - { $v=0; } - if (($j+1) != $end) - { - $na=($ai-1); - $nb=($bi+1); - } - else - { - $na=$as+($i < ($num-1)); - $nb=$bs+($i >= ($num-1)); - } -#printf STDERR "[$ai,$bi] -> [$na,$nb]\n"; - &mul_add_c($a,$ai,$b,$bi,$c0,$c1,$c2,$v,$i,$na,$nb); - if ($v) - { - &comment("saved r[$i]"); - # &mov("eax",&wparam(0)); - # &mov(&DWP($i*4,"eax","",0),$c0); - ($c0,$c1,$c2)=($c1,$c2,$c0); - } - $ai--; - $bi++; - } - $as++ if ($i < ($num-1)); - $ae++ if ($i >= ($num-1)); - - $bs++ if ($i >= ($num-1)); - $be++ if ($i < ($num-1)); - } - &comment("save r[$i]"); - # &mov("eax",&wparam(0)); - &mov(&DWP($i*4,"eax","",0),$c0); - - &pop("ebx"); - &pop("ebp"); - &pop("edi"); - &pop("esi"); - &ret(); - &function_end_B($name); - } - -sub bn_sqr_comba - { - local($name,$num)=@_; - local($r,$a,$c0,$c1,$c2)=@_; - local($i,$as,$ae,$bs,$be,$ai,$bi); - local($b,$tot,$end,$half); - - &function_begin_B($name,""); - - $c0="ebx"; - $c1="ecx"; - $c2="ebp"; - $a="esi"; - $r="edi"; - - &push("esi"); - &push("edi"); - &push("ebp"); - &push("ebx"); - &mov($r,&wparam(0)); - &mov($a,&wparam(1)); - &xor($c0,$c0); - &xor($c1,$c1); - &mov("eax",&DWP(0,$a,"",0)); # load the first word - - $as=0; - $ae=0; - $bs=0; - $be=0; - $tot=$num+$num-1; - - for ($i=0; $i<$tot; $i++) - { - $ai=$as; - $bi=$bs; - $end=$be+1; - - &comment("############### Calculate word $i"); - for ($j=$bs; $j<$end; $j++) - { - &xor($c2,$c2) if ($j == $bs); - if (($ai-1) < ($bi+1)) - { - $v=1; - $v=2 if ($i+1) == $tot; - } - else - { $v=0; } - if (!$v) - { - $na=$ai-1; - $nb=$bi+1; - } - else - { - $na=$as+($i < ($num-1)); - $nb=$bs+($i >= ($num-1)); - } - if ($ai == $bi) - { - &sqr_add_c($r,$a,$ai,$bi, - $c0,$c1,$c2,$v,$i,$na,$nb); - } - else - { - &sqr_add_c2($r,$a,$ai,$bi, - $c0,$c1,$c2,$v,$i,$na,$nb); - } - if ($v) - { - &comment("saved r[$i]"); - #&mov(&DWP($i*4,$r,"",0),$c0); - ($c0,$c1,$c2)=($c1,$c2,$c0); - last; - } - $ai--; - $bi++; - } - $as++ if ($i < ($num-1)); - $ae++ if ($i >= ($num-1)); - - $bs++ if ($i >= ($num-1)); - $be++ if ($i < ($num-1)); - } - &mov(&DWP($i*4,$r,"",0),$c0); - &pop("ebx"); - &pop("ebp"); - &pop("edi"); - &pop("esi"); - &ret(); - &function_end_B($name); - } diff --git a/src/lib/libcrypto/bn/asm/mips-mont.pl b/src/lib/libcrypto/bn/asm/mips-mont.pl deleted file mode 100644 index caae04ed3a..0000000000 --- a/src/lib/libcrypto/bn/asm/mips-mont.pl +++ /dev/null @@ -1,426 +0,0 @@ -#!/usr/bin/env perl -# -# ==================================================================== -# Written by Andy Polyakov for the OpenSSL -# project. The module is, however, dual licensed under OpenSSL and -# CRYPTOGAMS licenses depending on where you obtain it. For further -# details see http://www.openssl.org/~appro/cryptogams/. -# ==================================================================== - -# This module doesn't present direct interest for OpenSSL, because it -# doesn't provide better performance for longer keys, at least not on -# in-order-execution cores. While 512-bit RSA sign operations can be -# 65% faster in 64-bit mode, 1024-bit ones are only 15% faster, and -# 4096-bit ones are up to 15% slower. In 32-bit mode it varies from -# 16% improvement for 512-bit RSA sign to -33% for 4096-bit RSA -# verify:-( All comparisons are against bn_mul_mont-free assembler. -# The module might be of interest to embedded system developers, as -# the code is smaller than 1KB, yet offers >3x improvement on MIPS64 -# and 75-30% [less for longer keys] on MIPS32 over compiler-generated -# code. - -###################################################################### -# There is a number of MIPS ABI in use, O32 and N32/64 are most -# widely used. Then there is a new contender: NUBI. It appears that if -# one picks the latter, it's possible to arrange code in ABI neutral -# manner. Therefore let's stick to NUBI register layout: -# -($zero,$at,$t0,$t1,$t2)=map("\$$_",(0..2,24,25)); -($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$$_",(4..11)); -($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7,$s8,$s9,$s10,$s11)=map("\$$_",(12..23)); -($gp,$tp,$sp,$fp,$ra)=map("\$$_",(3,28..31)); -# -# The return value is placed in $a0. Following coding rules facilitate -# interoperability: -# -# - never ever touch $tp, "thread pointer", former $gp; -# - copy return value to $t0, former $v0 [or to $a0 if you're adapting -# old code]; -# - on O32 populate $a4-$a7 with 'lw $aN,4*N($sp)' if necessary; -# -# For reference here is register layout for N32/64 MIPS ABIs: -# -# ($zero,$at,$v0,$v1)=map("\$$_",(0..3)); -# ($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$$_",(4..11)); -# ($t0,$t1,$t2,$t3,$t8,$t9)=map("\$$_",(12..15,24,25)); -# ($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7)=map("\$$_",(16..23)); -# ($gp,$sp,$fp,$ra)=map("\$$_",(28..31)); -# -$flavour = shift; # supported flavours are o32,n32,64,nubi32,nubi64 - -if ($flavour =~ /64|n32/i) { - $PTR_ADD="dadd"; # incidentally works even on n32 - $PTR_SUB="dsub"; # incidentally works even on n32 - $REG_S="sd"; - $REG_L="ld"; - $SZREG=8; -} else { - $PTR_ADD="add"; - $PTR_SUB="sub"; - $REG_S="sw"; - $REG_L="lw"; - $SZREG=4; -} -$SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? 0x00fff000 : 0x00ff0000; -# -# -# -###################################################################### - -while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; - -if ($flavour =~ /64|n32/i) { - $LD="ld"; - $ST="sd"; - $MULTU="dmultu"; - $ADDU="daddu"; - $SUBU="dsubu"; - $BNSZ=8; -} else { - $LD="lw"; - $ST="sw"; - $MULTU="multu"; - $ADDU="addu"; - $SUBU="subu"; - $BNSZ=4; -} - -# int bn_mul_mont( -$rp=$a0; # BN_ULONG *rp, -$ap=$a1; # const BN_ULONG *ap, -$bp=$a2; # const BN_ULONG *bp, -$np=$a3; # const BN_ULONG *np, -$n0=$a4; # const BN_ULONG *n0, -$num=$a5; # int num); - -$lo0=$a6; -$hi0=$a7; -$lo1=$t1; -$hi1=$t2; -$aj=$s0; -$bi=$s1; -$nj=$s2; -$tp=$s3; -$alo=$s4; -$ahi=$s5; -$nlo=$s6; -$nhi=$s7; -$tj=$s8; -$i=$s9; -$j=$s10; -$m1=$s11; - -$FRAMESIZE=14; - -$code=<<___; -.text - -.set noat -.set noreorder - -.align 5 -.globl bn_mul_mont -.ent bn_mul_mont -bn_mul_mont: -___ -$code.=<<___ if ($flavour =~ /o32/i); - lw $n0,16($sp) - lw $num,20($sp) -___ -$code.=<<___; - slt $at,$num,4 - bnez $at,1f - li $t0,0 - slt $at,$num,17 # on in-order CPU - bnez $at,bn_mul_mont_internal - nop -1: jr $ra - li $a0,0 -.end bn_mul_mont - -.align 5 -.ent bn_mul_mont_internal -bn_mul_mont_internal: - .frame $fp,$FRAMESIZE*$SZREG,$ra - .mask 0x40000000|$SAVED_REGS_MASK,-$SZREG - $PTR_SUB $sp,$FRAMESIZE*$SZREG - $REG_S $fp,($FRAMESIZE-1)*$SZREG($sp) - $REG_S $s11,($FRAMESIZE-2)*$SZREG($sp) - $REG_S $s10,($FRAMESIZE-3)*$SZREG($sp) - $REG_S $s9,($FRAMESIZE-4)*$SZREG($sp) - $REG_S $s8,($FRAMESIZE-5)*$SZREG($sp) - $REG_S $s7,($FRAMESIZE-6)*$SZREG($sp) - $REG_S $s6,($FRAMESIZE-7)*$SZREG($sp) - $REG_S $s5,($FRAMESIZE-8)*$SZREG($sp) - $REG_S $s4,($FRAMESIZE-9)*$SZREG($sp) -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_S $s3,($FRAMESIZE-10)*$SZREG($sp) - $REG_S $s2,($FRAMESIZE-11)*$SZREG($sp) - $REG_S $s1,($FRAMESIZE-12)*$SZREG($sp) - $REG_S $s0,($FRAMESIZE-13)*$SZREG($sp) -___ -$code.=<<___; - move $fp,$sp - - .set reorder - $LD $n0,0($n0) - $LD $bi,0($bp) # bp[0] - $LD $aj,0($ap) # ap[0] - $LD $nj,0($np) # np[0] - - $PTR_SUB $sp,2*$BNSZ # place for two extra words - sll $num,`log($BNSZ)/log(2)` - li $at,-4096 - $PTR_SUB $sp,$num - and $sp,$at - - $MULTU $aj,$bi - $LD $alo,$BNSZ($ap) - $LD $nlo,$BNSZ($np) - mflo $lo0 - mfhi $hi0 - $MULTU $lo0,$n0 - mflo $m1 - - $MULTU $alo,$bi - mflo $alo - mfhi $ahi - - $MULTU $nj,$m1 - mflo $lo1 - mfhi $hi1 - $MULTU $nlo,$m1 - $ADDU $lo1,$lo0 - sltu $at,$lo1,$lo0 - $ADDU $hi1,$at - mflo $nlo - mfhi $nhi - - move $tp,$sp - li $j,2*$BNSZ -.align 4 -.L1st: - .set noreorder - $PTR_ADD $aj,$ap,$j - $PTR_ADD $nj,$np,$j - $LD $aj,($aj) - $LD $nj,($nj) - - $MULTU $aj,$bi - $ADDU $lo0,$alo,$hi0 - $ADDU $lo1,$nlo,$hi1 - sltu $at,$lo0,$hi0 - sltu $t0,$lo1,$hi1 - $ADDU $hi0,$ahi,$at - $ADDU $hi1,$nhi,$t0 - mflo $alo - mfhi $ahi - - $ADDU $lo1,$lo0 - sltu $at,$lo1,$lo0 - $MULTU $nj,$m1 - $ADDU $hi1,$at - addu $j,$BNSZ - $ST $lo1,($tp) - sltu $t0,$j,$num - mflo $nlo - mfhi $nhi - - bnez $t0,.L1st - $PTR_ADD $tp,$BNSZ - .set reorder - - $ADDU $lo0,$alo,$hi0 - sltu $at,$lo0,$hi0 - $ADDU $hi0,$ahi,$at - - $ADDU $lo1,$nlo,$hi1 - sltu $t0,$lo1,$hi1 - $ADDU $hi1,$nhi,$t0 - $ADDU $lo1,$lo0 - sltu $at,$lo1,$lo0 - $ADDU $hi1,$at - - $ST $lo1,($tp) - - $ADDU $hi1,$hi0 - sltu $at,$hi1,$hi0 - $ST $hi1,$BNSZ($tp) - $ST $at,2*$BNSZ($tp) - - li $i,$BNSZ -.align 4 -.Louter: - $PTR_ADD $bi,$bp,$i - $LD $bi,($bi) - $LD $aj,($ap) - $LD $alo,$BNSZ($ap) - $LD $tj,($sp) - - $MULTU $aj,$bi - $LD $nj,($np) - $LD $nlo,$BNSZ($np) - mflo $lo0 - mfhi $hi0 - $ADDU $lo0,$tj - $MULTU $lo0,$n0 - sltu $at,$lo0,$tj - $ADDU $hi0,$at - mflo $m1 - - $MULTU $alo,$bi - mflo $alo - mfhi $ahi - - $MULTU $nj,$m1 - mflo $lo1 - mfhi $hi1 - - $MULTU $nlo,$m1 - $ADDU $lo1,$lo0 - sltu $at,$lo1,$lo0 - $ADDU $hi1,$at - mflo $nlo - mfhi $nhi - - move $tp,$sp - li $j,2*$BNSZ - $LD $tj,$BNSZ($tp) -.align 4 -.Linner: - .set noreorder - $PTR_ADD $aj,$ap,$j - $PTR_ADD $nj,$np,$j - $LD $aj,($aj) - $LD $nj,($nj) - - $MULTU $aj,$bi - $ADDU $lo0,$alo,$hi0 - $ADDU $lo1,$nlo,$hi1 - sltu $at,$lo0,$hi0 - sltu $t0,$lo1,$hi1 - $ADDU $hi0,$ahi,$at - $ADDU $hi1,$nhi,$t0 - mflo $alo - mfhi $ahi - - $ADDU $lo0,$tj - addu $j,$BNSZ - $MULTU $nj,$m1 - sltu $at,$lo0,$tj - $ADDU $lo1,$lo0 - $ADDU $hi0,$at - sltu $t0,$lo1,$lo0 - $LD $tj,2*$BNSZ($tp) - $ADDU $hi1,$t0 - sltu $at,$j,$num - mflo $nlo - mfhi $nhi - $ST $lo1,($tp) - bnez $at,.Linner - $PTR_ADD $tp,$BNSZ - .set reorder - - $ADDU $lo0,$alo,$hi0 - sltu $at,$lo0,$hi0 - $ADDU $hi0,$ahi,$at - $ADDU $lo0,$tj - sltu $t0,$lo0,$tj - $ADDU $hi0,$t0 - - $LD $tj,2*$BNSZ($tp) - $ADDU $lo1,$nlo,$hi1 - sltu $at,$lo1,$hi1 - $ADDU $hi1,$nhi,$at - $ADDU $lo1,$lo0 - sltu $t0,$lo1,$lo0 - $ADDU $hi1,$t0 - $ST $lo1,($tp) - - $ADDU $lo1,$hi1,$hi0 - sltu $hi1,$lo1,$hi0 - $ADDU $lo1,$tj - sltu $at,$lo1,$tj - $ADDU $hi1,$at - $ST $lo1,$BNSZ($tp) - $ST $hi1,2*$BNSZ($tp) - - addu $i,$BNSZ - sltu $t0,$i,$num - bnez $t0,.Louter - - .set noreorder - $PTR_ADD $tj,$sp,$num # &tp[num] - move $tp,$sp - move $ap,$sp - li $hi0,0 # clear borrow bit - -.align 4 -.Lsub: $LD $lo0,($tp) - $LD $lo1,($np) - $PTR_ADD $tp,$BNSZ - $PTR_ADD $np,$BNSZ - $SUBU $lo1,$lo0,$lo1 # tp[i]-np[i] - sgtu $at,$lo1,$lo0 - $SUBU $lo0,$lo1,$hi0 - sgtu $hi0,$lo0,$lo1 - $ST $lo0,($rp) - or $hi0,$at - sltu $at,$tp,$tj - bnez $at,.Lsub - $PTR_ADD $rp,$BNSZ - - $SUBU $hi0,$hi1,$hi0 # handle upmost overflow bit - move $tp,$sp - $PTR_SUB $rp,$num # restore rp - not $hi1,$hi0 - - and $ap,$hi0,$sp - and $bp,$hi1,$rp - or $ap,$ap,$bp # ap=borrow?tp:rp - -.align 4 -.Lcopy: $LD $aj,($ap) - $PTR_ADD $ap,$BNSZ - $ST $zero,($tp) - $PTR_ADD $tp,$BNSZ - sltu $at,$tp,$tj - $ST $aj,($rp) - bnez $at,.Lcopy - $PTR_ADD $rp,$BNSZ - - li $a0,1 - li $t0,1 - - .set noreorder - move $sp,$fp - $REG_L $fp,($FRAMESIZE-1)*$SZREG($sp) - $REG_L $s11,($FRAMESIZE-2)*$SZREG($sp) - $REG_L $s10,($FRAMESIZE-3)*$SZREG($sp) - $REG_L $s9,($FRAMESIZE-4)*$SZREG($sp) - $REG_L $s8,($FRAMESIZE-5)*$SZREG($sp) - $REG_L $s7,($FRAMESIZE-6)*$SZREG($sp) - $REG_L $s6,($FRAMESIZE-7)*$SZREG($sp) - $REG_L $s5,($FRAMESIZE-8)*$SZREG($sp) - $REG_L $s4,($FRAMESIZE-9)*$SZREG($sp) -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_L $s3,($FRAMESIZE-10)*$SZREG($sp) - $REG_L $s2,($FRAMESIZE-11)*$SZREG($sp) - $REG_L $s1,($FRAMESIZE-12)*$SZREG($sp) - $REG_L $s0,($FRAMESIZE-13)*$SZREG($sp) -___ -$code.=<<___; - jr $ra - $PTR_ADD $sp,$FRAMESIZE*$SZREG -.end bn_mul_mont_internal -.rdata -.asciiz "Montgomery Multiplication for MIPS, CRYPTOGAMS by " -___ - -$code =~ s/\`([^\`]*)\`/eval $1/gem; - -print $code; -close STDOUT; diff --git a/src/lib/libcrypto/bn/asm/mips.pl b/src/lib/libcrypto/bn/asm/mips.pl deleted file mode 100644 index 02d43e15b0..0000000000 --- a/src/lib/libcrypto/bn/asm/mips.pl +++ /dev/null @@ -1,2234 +0,0 @@ -#!/usr/bin/env perl -# -# ==================================================================== -# Written by Andy Polyakov for the OpenSSL -# project. -# -# Rights for redistribution and usage in source and binary forms are -# granted according to the OpenSSL license. Warranty of any kind is -# disclaimed. -# ==================================================================== - - -# July 1999 -# -# This is drop-in MIPS III/IV ISA replacement for crypto/bn/bn_asm.c. -# -# The module is designed to work with either of the "new" MIPS ABI(5), -# namely N32 or N64, offered by IRIX 6.x. It's not meant to work under -# IRIX 5.x not only because it doesn't support new ABIs but also -# because 5.x kernels put R4x00 CPU into 32-bit mode and all those -# 64-bit instructions (daddu, dmultu, etc.) found below gonna only -# cause illegal instruction exception:-( -# -# In addition the code depends on preprocessor flags set up by MIPSpro -# compiler driver (either as or cc) and therefore (probably?) can't be -# compiled by the GNU assembler. GNU C driver manages fine though... -# I mean as long as -mmips-as is specified or is the default option, -# because then it simply invokes /usr/bin/as which in turn takes -# perfect care of the preprocessor definitions. Another neat feature -# offered by the MIPSpro assembler is an optimization pass. This gave -# me the opportunity to have the code looking more regular as all those -# architecture dependent instruction rescheduling details were left to -# the assembler. Cool, huh? -# -# Performance improvement is astonishing! 'apps/openssl speed rsa dsa' -# goes way over 3 times faster! -# -# - -# October 2010 -# -# Adapt the module even for 32-bit ABIs and other OSes. The former was -# achieved by mechanical replacement of 64-bit arithmetic instructions -# such as dmultu, daddu, etc. with their 32-bit counterparts and -# adjusting offsets denoting multiples of BN_ULONG. Above mentioned -# >3x performance improvement naturally does not apply to 32-bit code -# [because there is no instruction 32-bit compiler can't use], one -# has to content with 40-85% improvement depending on benchmark and -# key length, more for longer keys. - -$flavour = shift; -while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; - -if ($flavour =~ /64|n32/i) { - $LD="ld"; - $ST="sd"; - $MULTU="dmultu"; - $DIVU="ddivu"; - $ADDU="daddu"; - $SUBU="dsubu"; - $SRL="dsrl"; - $SLL="dsll"; - $BNSZ=8; - $PTR_ADD="daddu"; - $PTR_SUB="dsubu"; - $SZREG=8; - $REG_S="sd"; - $REG_L="ld"; -} else { - $LD="lw"; - $ST="sw"; - $MULTU="multu"; - $DIVU="divu"; - $ADDU="addu"; - $SUBU="subu"; - $SRL="srl"; - $SLL="sll"; - $BNSZ=4; - $PTR_ADD="addu"; - $PTR_SUB="subu"; - $SZREG=4; - $REG_S="sw"; - $REG_L="lw"; - $code=".set mips2\n"; -} - -# Below is N32/64 register layout used in the original module. -# -($zero,$at,$v0,$v1)=map("\$$_",(0..3)); -($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$$_",(4..11)); -($t0,$t1,$t2,$t3,$t8,$t9)=map("\$$_",(12..15,24,25)); -($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7)=map("\$$_",(16..23)); -($gp,$sp,$fp,$ra)=map("\$$_",(28..31)); -($ta0,$ta1,$ta2,$ta3)=($a4,$a5,$a6,$a7); -# -# No special adaptation is required for O32. NUBI on the other hand -# is treated by saving/restoring ($v1,$t0..$t3). - -$gp=$v1 if ($flavour =~ /nubi/i); - -$minus4=$v1; - -$code.=<<___; -.rdata -.asciiz "mips3.s, Version 1.2" -.asciiz "MIPS II/III/IV ISA artwork by Andy Polyakov " - -.text -.set noat - -.align 5 -.globl bn_mul_add_words -.ent bn_mul_add_words -bn_mul_add_words: - .set noreorder - bgtz $a2,bn_mul_add_words_internal - move $v0,$zero - jr $ra - move $a0,$v0 -.end bn_mul_add_words - -.align 5 -.ent bn_mul_add_words_internal -bn_mul_add_words_internal: -___ -$code.=<<___ if ($flavour =~ /nubi/i); - .frame $sp,6*$SZREG,$ra - .mask 0x8000f008,-$SZREG - .set noreorder - $PTR_SUB $sp,6*$SZREG - $REG_S $ra,5*$SZREG($sp) - $REG_S $t3,4*$SZREG($sp) - $REG_S $t2,3*$SZREG($sp) - $REG_S $t1,2*$SZREG($sp) - $REG_S $t0,1*$SZREG($sp) - $REG_S $gp,0*$SZREG($sp) -___ -$code.=<<___; - .set reorder - li $minus4,-4 - and $ta0,$a2,$minus4 - beqz $ta0,.L_bn_mul_add_words_tail - -.L_bn_mul_add_words_loop: - $LD $t0,0($a1) - $MULTU $t0,$a3 - $LD $t1,0($a0) - $LD $t2,$BNSZ($a1) - $LD $t3,$BNSZ($a0) - $LD $ta0,2*$BNSZ($a1) - $LD $ta1,2*$BNSZ($a0) - $ADDU $t1,$v0 - sltu $v0,$t1,$v0 # All manuals say it "compares 32-bit - # values", but it seems to work fine - # even on 64-bit registers. - mflo $at - mfhi $t0 - $ADDU $t1,$at - $ADDU $v0,$t0 - $MULTU $t2,$a3 - sltu $at,$t1,$at - $ST $t1,0($a0) - $ADDU $v0,$at - - $LD $ta2,3*$BNSZ($a1) - $LD $ta3,3*$BNSZ($a0) - $ADDU $t3,$v0 - sltu $v0,$t3,$v0 - mflo $at - mfhi $t2 - $ADDU $t3,$at - $ADDU $v0,$t2 - $MULTU $ta0,$a3 - sltu $at,$t3,$at - $ST $t3,$BNSZ($a0) - $ADDU $v0,$at - - subu $a2,4 - $PTR_ADD $a0,4*$BNSZ - $PTR_ADD $a1,4*$BNSZ - $ADDU $ta1,$v0 - sltu $v0,$ta1,$v0 - mflo $at - mfhi $ta0 - $ADDU $ta1,$at - $ADDU $v0,$ta0 - $MULTU $ta2,$a3 - sltu $at,$ta1,$at - $ST $ta1,-2*$BNSZ($a0) - $ADDU $v0,$at - - - and $ta0,$a2,$minus4 - $ADDU $ta3,$v0 - sltu $v0,$ta3,$v0 - mflo $at - mfhi $ta2 - $ADDU $ta3,$at - $ADDU $v0,$ta2 - sltu $at,$ta3,$at - $ST $ta3,-$BNSZ($a0) - .set noreorder - bgtz $ta0,.L_bn_mul_add_words_loop - $ADDU $v0,$at - - beqz $a2,.L_bn_mul_add_words_return - nop - -.L_bn_mul_add_words_tail: - .set reorder - $LD $t0,0($a1) - $MULTU $t0,$a3 - $LD $t1,0($a0) - subu $a2,1 - $ADDU $t1,$v0 - sltu $v0,$t1,$v0 - mflo $at - mfhi $t0 - $ADDU $t1,$at - $ADDU $v0,$t0 - sltu $at,$t1,$at - $ST $t1,0($a0) - $ADDU $v0,$at - beqz $a2,.L_bn_mul_add_words_return - - $LD $t0,$BNSZ($a1) - $MULTU $t0,$a3 - $LD $t1,$BNSZ($a0) - subu $a2,1 - $ADDU $t1,$v0 - sltu $v0,$t1,$v0 - mflo $at - mfhi $t0 - $ADDU $t1,$at - $ADDU $v0,$t0 - sltu $at,$t1,$at - $ST $t1,$BNSZ($a0) - $ADDU $v0,$at - beqz $a2,.L_bn_mul_add_words_return - - $LD $t0,2*$BNSZ($a1) - $MULTU $t0,$a3 - $LD $t1,2*$BNSZ($a0) - $ADDU $t1,$v0 - sltu $v0,$t1,$v0 - mflo $at - mfhi $t0 - $ADDU $t1,$at - $ADDU $v0,$t0 - sltu $at,$t1,$at - $ST $t1,2*$BNSZ($a0) - $ADDU $v0,$at - -.L_bn_mul_add_words_return: - .set noreorder -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_L $t3,4*$SZREG($sp) - $REG_L $t2,3*$SZREG($sp) - $REG_L $t1,2*$SZREG($sp) - $REG_L $t0,1*$SZREG($sp) - $REG_L $gp,0*$SZREG($sp) - $PTR_ADD $sp,6*$SZREG -___ -$code.=<<___; - jr $ra - move $a0,$v0 -.end bn_mul_add_words_internal - -.align 5 -.globl bn_mul_words -.ent bn_mul_words -bn_mul_words: - .set noreorder - bgtz $a2,bn_mul_words_internal - move $v0,$zero - jr $ra - move $a0,$v0 -.end bn_mul_words - -.align 5 -.ent bn_mul_words_internal -bn_mul_words_internal: -___ -$code.=<<___ if ($flavour =~ /nubi/i); - .frame $sp,6*$SZREG,$ra - .mask 0x8000f008,-$SZREG - .set noreorder - $PTR_SUB $sp,6*$SZREG - $REG_S $ra,5*$SZREG($sp) - $REG_S $t3,4*$SZREG($sp) - $REG_S $t2,3*$SZREG($sp) - $REG_S $t1,2*$SZREG($sp) - $REG_S $t0,1*$SZREG($sp) - $REG_S $gp,0*$SZREG($sp) -___ -$code.=<<___; - .set reorder - li $minus4,-4 - and $ta0,$a2,$minus4 - beqz $ta0,.L_bn_mul_words_tail - -.L_bn_mul_words_loop: - $LD $t0,0($a1) - $MULTU $t0,$a3 - $LD $t2,$BNSZ($a1) - $LD $ta0,2*$BNSZ($a1) - $LD $ta2,3*$BNSZ($a1) - mflo $at - mfhi $t0 - $ADDU $v0,$at - sltu $t1,$v0,$at - $MULTU $t2,$a3 - $ST $v0,0($a0) - $ADDU $v0,$t1,$t0 - - subu $a2,4 - $PTR_ADD $a0,4*$BNSZ - $PTR_ADD $a1,4*$BNSZ - mflo $at - mfhi $t2 - $ADDU $v0,$at - sltu $t3,$v0,$at - $MULTU $ta0,$a3 - $ST $v0,-3*$BNSZ($a0) - $ADDU $v0,$t3,$t2 - - mflo $at - mfhi $ta0 - $ADDU $v0,$at - sltu $ta1,$v0,$at - $MULTU $ta2,$a3 - $ST $v0,-2*$BNSZ($a0) - $ADDU $v0,$ta1,$ta0 - - and $ta0,$a2,$minus4 - mflo $at - mfhi $ta2 - $ADDU $v0,$at - sltu $ta3,$v0,$at - $ST $v0,-$BNSZ($a0) - .set noreorder - bgtz $ta0,.L_bn_mul_words_loop - $ADDU $v0,$ta3,$ta2 - - beqz $a2,.L_bn_mul_words_return - nop - -.L_bn_mul_words_tail: - .set reorder - $LD $t0,0($a1) - $MULTU $t0,$a3 - subu $a2,1 - mflo $at - mfhi $t0 - $ADDU $v0,$at - sltu $t1,$v0,$at - $ST $v0,0($a0) - $ADDU $v0,$t1,$t0 - beqz $a2,.L_bn_mul_words_return - - $LD $t0,$BNSZ($a1) - $MULTU $t0,$a3 - subu $a2,1 - mflo $at - mfhi $t0 - $ADDU $v0,$at - sltu $t1,$v0,$at - $ST $v0,$BNSZ($a0) - $ADDU $v0,$t1,$t0 - beqz $a2,.L_bn_mul_words_return - - $LD $t0,2*$BNSZ($a1) - $MULTU $t0,$a3 - mflo $at - mfhi $t0 - $ADDU $v0,$at - sltu $t1,$v0,$at - $ST $v0,2*$BNSZ($a0) - $ADDU $v0,$t1,$t0 - -.L_bn_mul_words_return: - .set noreorder -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_L $t3,4*$SZREG($sp) - $REG_L $t2,3*$SZREG($sp) - $REG_L $t1,2*$SZREG($sp) - $REG_L $t0,1*$SZREG($sp) - $REG_L $gp,0*$SZREG($sp) - $PTR_ADD $sp,6*$SZREG -___ -$code.=<<___; - jr $ra - move $a0,$v0 -.end bn_mul_words_internal - -.align 5 -.globl bn_sqr_words -.ent bn_sqr_words -bn_sqr_words: - .set noreorder - bgtz $a2,bn_sqr_words_internal - move $v0,$zero - jr $ra - move $a0,$v0 -.end bn_sqr_words - -.align 5 -.ent bn_sqr_words_internal -bn_sqr_words_internal: -___ -$code.=<<___ if ($flavour =~ /nubi/i); - .frame $sp,6*$SZREG,$ra - .mask 0x8000f008,-$SZREG - .set noreorder - $PTR_SUB $sp,6*$SZREG - $REG_S $ra,5*$SZREG($sp) - $REG_S $t3,4*$SZREG($sp) - $REG_S $t2,3*$SZREG($sp) - $REG_S $t1,2*$SZREG($sp) - $REG_S $t0,1*$SZREG($sp) - $REG_S $gp,0*$SZREG($sp) -___ -$code.=<<___; - .set reorder - li $minus4,-4 - and $ta0,$a2,$minus4 - beqz $ta0,.L_bn_sqr_words_tail - -.L_bn_sqr_words_loop: - $LD $t0,0($a1) - $MULTU $t0,$t0 - $LD $t2,$BNSZ($a1) - $LD $ta0,2*$BNSZ($a1) - $LD $ta2,3*$BNSZ($a1) - mflo $t1 - mfhi $t0 - $ST $t1,0($a0) - $ST $t0,$BNSZ($a0) - - $MULTU $t2,$t2 - subu $a2,4 - $PTR_ADD $a0,8*$BNSZ - $PTR_ADD $a1,4*$BNSZ - mflo $t3 - mfhi $t2 - $ST $t3,-6*$BNSZ($a0) - $ST $t2,-5*$BNSZ($a0) - - $MULTU $ta0,$ta0 - mflo $ta1 - mfhi $ta0 - $ST $ta1,-4*$BNSZ($a0) - $ST $ta0,-3*$BNSZ($a0) - - - $MULTU $ta2,$ta2 - and $ta0,$a2,$minus4 - mflo $ta3 - mfhi $ta2 - $ST $ta3,-2*$BNSZ($a0) - - .set noreorder - bgtz $ta0,.L_bn_sqr_words_loop - $ST $ta2,-$BNSZ($a0) - - beqz $a2,.L_bn_sqr_words_return - nop - -.L_bn_sqr_words_tail: - .set reorder - $LD $t0,0($a1) - $MULTU $t0,$t0 - subu $a2,1 - mflo $t1 - mfhi $t0 - $ST $t1,0($a0) - $ST $t0,$BNSZ($a0) - beqz $a2,.L_bn_sqr_words_return - - $LD $t0,$BNSZ($a1) - $MULTU $t0,$t0 - subu $a2,1 - mflo $t1 - mfhi $t0 - $ST $t1,2*$BNSZ($a0) - $ST $t0,3*$BNSZ($a0) - beqz $a2,.L_bn_sqr_words_return - - $LD $t0,2*$BNSZ($a1) - $MULTU $t0,$t0 - mflo $t1 - mfhi $t0 - $ST $t1,4*$BNSZ($a0) - $ST $t0,5*$BNSZ($a0) - -.L_bn_sqr_words_return: - .set noreorder -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_L $t3,4*$SZREG($sp) - $REG_L $t2,3*$SZREG($sp) - $REG_L $t1,2*$SZREG($sp) - $REG_L $t0,1*$SZREG($sp) - $REG_L $gp,0*$SZREG($sp) - $PTR_ADD $sp,6*$SZREG -___ -$code.=<<___; - jr $ra - move $a0,$v0 - -.end bn_sqr_words_internal - -.align 5 -.globl bn_add_words -.ent bn_add_words -bn_add_words: - .set noreorder - bgtz $a3,bn_add_words_internal - move $v0,$zero - jr $ra - move $a0,$v0 -.end bn_add_words - -.align 5 -.ent bn_add_words_internal -bn_add_words_internal: -___ -$code.=<<___ if ($flavour =~ /nubi/i); - .frame $sp,6*$SZREG,$ra - .mask 0x8000f008,-$SZREG - .set noreorder - $PTR_SUB $sp,6*$SZREG - $REG_S $ra,5*$SZREG($sp) - $REG_S $t3,4*$SZREG($sp) - $REG_S $t2,3*$SZREG($sp) - $REG_S $t1,2*$SZREG($sp) - $REG_S $t0,1*$SZREG($sp) - $REG_S $gp,0*$SZREG($sp) -___ -$code.=<<___; - .set reorder - li $minus4,-4 - and $at,$a3,$minus4 - beqz $at,.L_bn_add_words_tail - -.L_bn_add_words_loop: - $LD $t0,0($a1) - $LD $ta0,0($a2) - subu $a3,4 - $LD $t1,$BNSZ($a1) - and $at,$a3,$minus4 - $LD $t2,2*$BNSZ($a1) - $PTR_ADD $a2,4*$BNSZ - $LD $t3,3*$BNSZ($a1) - $PTR_ADD $a0,4*$BNSZ - $LD $ta1,-3*$BNSZ($a2) - $PTR_ADD $a1,4*$BNSZ - $LD $ta2,-2*$BNSZ($a2) - $LD $ta3,-$BNSZ($a2) - $ADDU $ta0,$t0 - sltu $t8,$ta0,$t0 - $ADDU $t0,$ta0,$v0 - sltu $v0,$t0,$ta0 - $ST $t0,-4*$BNSZ($a0) - $ADDU $v0,$t8 - - $ADDU $ta1,$t1 - sltu $t9,$ta1,$t1 - $ADDU $t1,$ta1,$v0 - sltu $v0,$t1,$ta1 - $ST $t1,-3*$BNSZ($a0) - $ADDU $v0,$t9 - - $ADDU $ta2,$t2 - sltu $t8,$ta2,$t2 - $ADDU $t2,$ta2,$v0 - sltu $v0,$t2,$ta2 - $ST $t2,-2*$BNSZ($a0) - $ADDU $v0,$t8 - - $ADDU $ta3,$t3 - sltu $t9,$ta3,$t3 - $ADDU $t3,$ta3,$v0 - sltu $v0,$t3,$ta3 - $ST $t3,-$BNSZ($a0) - - .set noreorder - bgtz $at,.L_bn_add_words_loop - $ADDU $v0,$t9 - - beqz $a3,.L_bn_add_words_return - nop - -.L_bn_add_words_tail: - .set reorder - $LD $t0,0($a1) - $LD $ta0,0($a2) - $ADDU $ta0,$t0 - subu $a3,1 - sltu $t8,$ta0,$t0 - $ADDU $t0,$ta0,$v0 - sltu $v0,$t0,$ta0 - $ST $t0,0($a0) - $ADDU $v0,$t8 - beqz $a3,.L_bn_add_words_return - - $LD $t1,$BNSZ($a1) - $LD $ta1,$BNSZ($a2) - $ADDU $ta1,$t1 - subu $a3,1 - sltu $t9,$ta1,$t1 - $ADDU $t1,$ta1,$v0 - sltu $v0,$t1,$ta1 - $ST $t1,$BNSZ($a0) - $ADDU $v0,$t9 - beqz $a3,.L_bn_add_words_return - - $LD $t2,2*$BNSZ($a1) - $LD $ta2,2*$BNSZ($a2) - $ADDU $ta2,$t2 - sltu $t8,$ta2,$t2 - $ADDU $t2,$ta2,$v0 - sltu $v0,$t2,$ta2 - $ST $t2,2*$BNSZ($a0) - $ADDU $v0,$t8 - -.L_bn_add_words_return: - .set noreorder -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_L $t3,4*$SZREG($sp) - $REG_L $t2,3*$SZREG($sp) - $REG_L $t1,2*$SZREG($sp) - $REG_L $t0,1*$SZREG($sp) - $REG_L $gp,0*$SZREG($sp) - $PTR_ADD $sp,6*$SZREG -___ -$code.=<<___; - jr $ra - move $a0,$v0 - -.end bn_add_words_internal - -.align 5 -.globl bn_sub_words -.ent bn_sub_words -bn_sub_words: - .set noreorder - bgtz $a3,bn_sub_words_internal - move $v0,$zero - jr $ra - move $a0,$zero -.end bn_sub_words - -.align 5 -.ent bn_sub_words_internal -bn_sub_words_internal: -___ -$code.=<<___ if ($flavour =~ /nubi/i); - .frame $sp,6*$SZREG,$ra - .mask 0x8000f008,-$SZREG - .set noreorder - $PTR_SUB $sp,6*$SZREG - $REG_S $ra,5*$SZREG($sp) - $REG_S $t3,4*$SZREG($sp) - $REG_S $t2,3*$SZREG($sp) - $REG_S $t1,2*$SZREG($sp) - $REG_S $t0,1*$SZREG($sp) - $REG_S $gp,0*$SZREG($sp) -___ -$code.=<<___; - .set reorder - li $minus4,-4 - and $at,$a3,$minus4 - beqz $at,.L_bn_sub_words_tail - -.L_bn_sub_words_loop: - $LD $t0,0($a1) - $LD $ta0,0($a2) - subu $a3,4 - $LD $t1,$BNSZ($a1) - and $at,$a3,$minus4 - $LD $t2,2*$BNSZ($a1) - $PTR_ADD $a2,4*$BNSZ - $LD $t3,3*$BNSZ($a1) - $PTR_ADD $a0,4*$BNSZ - $LD $ta1,-3*$BNSZ($a2) - $PTR_ADD $a1,4*$BNSZ - $LD $ta2,-2*$BNSZ($a2) - $LD $ta3,-$BNSZ($a2) - sltu $t8,$t0,$ta0 - $SUBU $ta0,$t0,$ta0 - $SUBU $t0,$ta0,$v0 - sgtu $v0,$t0,$ta0 - $ST $t0,-4*$BNSZ($a0) - $ADDU $v0,$t8 - - sltu $t9,$t1,$ta1 - $SUBU $ta1,$t1,$ta1 - $SUBU $t1,$ta1,$v0 - sgtu $v0,$t1,$ta1 - $ST $t1,-3*$BNSZ($a0) - $ADDU $v0,$t9 - - - sltu $t8,$t2,$ta2 - $SUBU $ta2,$t2,$ta2 - $SUBU $t2,$ta2,$v0 - sgtu $v0,$t2,$ta2 - $ST $t2,-2*$BNSZ($a0) - $ADDU $v0,$t8 - - sltu $t9,$t3,$ta3 - $SUBU $ta3,$t3,$ta3 - $SUBU $t3,$ta3,$v0 - sgtu $v0,$t3,$ta3 - $ST $t3,-$BNSZ($a0) - - .set noreorder - bgtz $at,.L_bn_sub_words_loop - $ADDU $v0,$t9 - - beqz $a3,.L_bn_sub_words_return - nop - -.L_bn_sub_words_tail: - .set reorder - $LD $t0,0($a1) - $LD $ta0,0($a2) - subu $a3,1 - sltu $t8,$t0,$ta0 - $SUBU $ta0,$t0,$ta0 - $SUBU $t0,$ta0,$v0 - sgtu $v0,$t0,$ta0 - $ST $t0,0($a0) - $ADDU $v0,$t8 - beqz $a3,.L_bn_sub_words_return - - $LD $t1,$BNSZ($a1) - subu $a3,1 - $LD $ta1,$BNSZ($a2) - sltu $t9,$t1,$ta1 - $SUBU $ta1,$t1,$ta1 - $SUBU $t1,$ta1,$v0 - sgtu $v0,$t1,$ta1 - $ST $t1,$BNSZ($a0) - $ADDU $v0,$t9 - beqz $a3,.L_bn_sub_words_return - - $LD $t2,2*$BNSZ($a1) - $LD $ta2,2*$BNSZ($a2) - sltu $t8,$t2,$ta2 - $SUBU $ta2,$t2,$ta2 - $SUBU $t2,$ta2,$v0 - sgtu $v0,$t2,$ta2 - $ST $t2,2*$BNSZ($a0) - $ADDU $v0,$t8 - -.L_bn_sub_words_return: - .set noreorder -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_L $t3,4*$SZREG($sp) - $REG_L $t2,3*$SZREG($sp) - $REG_L $t1,2*$SZREG($sp) - $REG_L $t0,1*$SZREG($sp) - $REG_L $gp,0*$SZREG($sp) - $PTR_ADD $sp,6*$SZREG -___ -$code.=<<___; - jr $ra - move $a0,$v0 -.end bn_sub_words_internal - -.align 5 -.globl bn_div_3_words -.ent bn_div_3_words -bn_div_3_words: - .set noreorder - move $a3,$a0 # we know that bn_div_words does not - # touch $a3, $ta2, $ta3 and preserves $a2 - # so that we can save two arguments - # and return address in registers - # instead of stack:-) - - $LD $a0,($a3) - move $ta2,$a1 - bne $a0,$a2,bn_div_3_words_internal - $LD $a1,-$BNSZ($a3) - li $v0,-1 - jr $ra - move $a0,$v0 -.end bn_div_3_words - -.align 5 -.ent bn_div_3_words_internal -bn_div_3_words_internal: -___ -$code.=<<___ if ($flavour =~ /nubi/i); - .frame $sp,6*$SZREG,$ra - .mask 0x8000f008,-$SZREG - .set noreorder - $PTR_SUB $sp,6*$SZREG - $REG_S $ra,5*$SZREG($sp) - $REG_S $t3,4*$SZREG($sp) - $REG_S $t2,3*$SZREG($sp) - $REG_S $t1,2*$SZREG($sp) - $REG_S $t0,1*$SZREG($sp) - $REG_S $gp,0*$SZREG($sp) -___ -$code.=<<___; - .set reorder - move $ta3,$ra - bal bn_div_words_internal - move $ra,$ta3 - $MULTU $ta2,$v0 - $LD $t2,-2*$BNSZ($a3) - move $ta0,$zero - mfhi $t1 - mflo $t0 - sltu $t8,$t1,$a1 -.L_bn_div_3_words_inner_loop: - bnez $t8,.L_bn_div_3_words_inner_loop_done - sgeu $at,$t2,$t0 - seq $t9,$t1,$a1 - and $at,$t9 - sltu $t3,$t0,$ta2 - $ADDU $a1,$a2 - $SUBU $t1,$t3 - $SUBU $t0,$ta2 - sltu $t8,$t1,$a1 - sltu $ta0,$a1,$a2 - or $t8,$ta0 - .set noreorder - beqz $at,.L_bn_div_3_words_inner_loop - $SUBU $v0,1 - $ADDU $v0,1 - .set reorder -.L_bn_div_3_words_inner_loop_done: - .set noreorder -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_L $t3,4*$SZREG($sp) - $REG_L $t2,3*$SZREG($sp) - $REG_L $t1,2*$SZREG($sp) - $REG_L $t0,1*$SZREG($sp) - $REG_L $gp,0*$SZREG($sp) - $PTR_ADD $sp,6*$SZREG -___ -$code.=<<___; - jr $ra - move $a0,$v0 -.end bn_div_3_words_internal - -.align 5 -.globl bn_div_words -.ent bn_div_words -bn_div_words: - .set noreorder - bnez $a2,bn_div_words_internal - li $v0,-1 # I would rather signal div-by-zero - # which can be done with 'break 7' - jr $ra - move $a0,$v0 -.end bn_div_words - -.align 5 -.ent bn_div_words_internal -bn_div_words_internal: -___ -$code.=<<___ if ($flavour =~ /nubi/i); - .frame $sp,6*$SZREG,$ra - .mask 0x8000f008,-$SZREG - .set noreorder - $PTR_SUB $sp,6*$SZREG - $REG_S $ra,5*$SZREG($sp) - $REG_S $t3,4*$SZREG($sp) - $REG_S $t2,3*$SZREG($sp) - $REG_S $t1,2*$SZREG($sp) - $REG_S $t0,1*$SZREG($sp) - $REG_S $gp,0*$SZREG($sp) -___ -$code.=<<___; - move $v1,$zero - bltz $a2,.L_bn_div_words_body - move $t9,$v1 - $SLL $a2,1 - bgtz $a2,.-4 - addu $t9,1 - - .set reorder - negu $t1,$t9 - li $t2,-1 - $SLL $t2,$t1 - and $t2,$a0 - $SRL $at,$a1,$t1 - .set noreorder - beqz $t2,.+12 - nop - break 6 # signal overflow - .set reorder - $SLL $a0,$t9 - $SLL $a1,$t9 - or $a0,$at -___ -$QT=$ta0; -$HH=$ta1; -$DH=$v1; -$code.=<<___; -.L_bn_div_words_body: - $SRL $DH,$a2,4*$BNSZ # bits - sgeu $at,$a0,$a2 - .set noreorder - beqz $at,.+12 - nop - $SUBU $a0,$a2 - .set reorder - - li $QT,-1 - $SRL $HH,$a0,4*$BNSZ # bits - $SRL $QT,4*$BNSZ # q=0xffffffff - beq $DH,$HH,.L_bn_div_words_skip_div1 - $DIVU $zero,$a0,$DH - mflo $QT -.L_bn_div_words_skip_div1: - $MULTU $a2,$QT - $SLL $t3,$a0,4*$BNSZ # bits - $SRL $at,$a1,4*$BNSZ # bits - or $t3,$at - mflo $t0 - mfhi $t1 -.L_bn_div_words_inner_loop1: - sltu $t2,$t3,$t0 - seq $t8,$HH,$t1 - sltu $at,$HH,$t1 - and $t2,$t8 - sltu $v0,$t0,$a2 - or $at,$t2 - .set noreorder - beqz $at,.L_bn_div_words_inner_loop1_done - $SUBU $t1,$v0 - $SUBU $t0,$a2 - b .L_bn_div_words_inner_loop1 - $SUBU $QT,1 - .set reorder -.L_bn_div_words_inner_loop1_done: - - $SLL $a1,4*$BNSZ # bits - $SUBU $a0,$t3,$t0 - $SLL $v0,$QT,4*$BNSZ # bits - - li $QT,-1 - $SRL $HH,$a0,4*$BNSZ # bits - $SRL $QT,4*$BNSZ # q=0xffffffff - beq $DH,$HH,.L_bn_div_words_skip_div2 - $DIVU $zero,$a0,$DH - mflo $QT -.L_bn_div_words_skip_div2: - $MULTU $a2,$QT - $SLL $t3,$a0,4*$BNSZ # bits - $SRL $at,$a1,4*$BNSZ # bits - or $t3,$at - mflo $t0 - mfhi $t1 -.L_bn_div_words_inner_loop2: - sltu $t2,$t3,$t0 - seq $t8,$HH,$t1 - sltu $at,$HH,$t1 - and $t2,$t8 - sltu $v1,$t0,$a2 - or $at,$t2 - .set noreorder - beqz $at,.L_bn_div_words_inner_loop2_done - $SUBU $t1,$v1 - $SUBU $t0,$a2 - b .L_bn_div_words_inner_loop2 - $SUBU $QT,1 - .set reorder -.L_bn_div_words_inner_loop2_done: - - $SUBU $a0,$t3,$t0 - or $v0,$QT - $SRL $v1,$a0,$t9 # $v1 contains remainder if anybody wants it - $SRL $a2,$t9 # restore $a2 - - .set noreorder - move $a1,$v1 -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_L $t3,4*$SZREG($sp) - $REG_L $t2,3*$SZREG($sp) - $REG_L $t1,2*$SZREG($sp) - $REG_L $t0,1*$SZREG($sp) - $REG_L $gp,0*$SZREG($sp) - $PTR_ADD $sp,6*$SZREG -___ -$code.=<<___; - jr $ra - move $a0,$v0 -.end bn_div_words_internal -___ -undef $HH; undef $QT; undef $DH; - -($a_0,$a_1,$a_2,$a_3)=($t0,$t1,$t2,$t3); -($b_0,$b_1,$b_2,$b_3)=($ta0,$ta1,$ta2,$ta3); - -($a_4,$a_5,$a_6,$a_7)=($s0,$s2,$s4,$a1); # once we load a[7], no use for $a1 -($b_4,$b_5,$b_6,$b_7)=($s1,$s3,$s5,$a2); # once we load b[7], no use for $a2 - -($t_1,$t_2,$c_1,$c_2,$c_3)=($t8,$t9,$v0,$v1,$a3); - -$code.=<<___; - -.align 5 -.globl bn_mul_comba8 -.ent bn_mul_comba8 -bn_mul_comba8: - .set noreorder -___ -$code.=<<___ if ($flavour =~ /nubi/i); - .frame $sp,12*$SZREG,$ra - .mask 0x803ff008,-$SZREG - $PTR_SUB $sp,12*$SZREG - $REG_S $ra,11*$SZREG($sp) - $REG_S $s5,10*$SZREG($sp) - $REG_S $s4,9*$SZREG($sp) - $REG_S $s3,8*$SZREG($sp) - $REG_S $s2,7*$SZREG($sp) - $REG_S $s1,6*$SZREG($sp) - $REG_S $s0,5*$SZREG($sp) - $REG_S $t3,4*$SZREG($sp) - $REG_S $t2,3*$SZREG($sp) - $REG_S $t1,2*$SZREG($sp) - $REG_S $t0,1*$SZREG($sp) - $REG_S $gp,0*$SZREG($sp) -___ -$code.=<<___ if ($flavour !~ /nubi/i); - .frame $sp,6*$SZREG,$ra - .mask 0x003f0000,-$SZREG - $PTR_SUB $sp,6*$SZREG - $REG_S $s5,5*$SZREG($sp) - $REG_S $s4,4*$SZREG($sp) - $REG_S $s3,3*$SZREG($sp) - $REG_S $s2,2*$SZREG($sp) - $REG_S $s1,1*$SZREG($sp) - $REG_S $s0,0*$SZREG($sp) -___ -$code.=<<___; - - .set reorder - $LD $a_0,0($a1) # If compiled with -mips3 option on - # R5000 box assembler barks on this - # 1ine with "should not have mult/div - # as last instruction in bb (R10K - # bug)" warning. If anybody out there - # has a clue about how to circumvent - # this do send me a note. - # - - $LD $b_0,0($a2) - $LD $a_1,$BNSZ($a1) - $LD $a_2,2*$BNSZ($a1) - $MULTU $a_0,$b_0 # mul_add_c(a[0],b[0],c1,c2,c3); - $LD $a_3,3*$BNSZ($a1) - $LD $b_1,$BNSZ($a2) - $LD $b_2,2*$BNSZ($a2) - $LD $b_3,3*$BNSZ($a2) - mflo $c_1 - mfhi $c_2 - - $LD $a_4,4*$BNSZ($a1) - $LD $a_5,5*$BNSZ($a1) - $MULTU $a_0,$b_1 # mul_add_c(a[0],b[1],c2,c3,c1); - $LD $a_6,6*$BNSZ($a1) - $LD $a_7,7*$BNSZ($a1) - $LD $b_4,4*$BNSZ($a2) - $LD $b_5,5*$BNSZ($a2) - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_1,$b_0 # mul_add_c(a[1],b[0],c2,c3,c1); - $ADDU $c_3,$t_2,$at - $LD $b_6,6*$BNSZ($a2) - $LD $b_7,7*$BNSZ($a2) - $ST $c_1,0($a0) # r[0]=c1; - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_2,$b_0 # mul_add_c(a[2],b[0],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $c_1,$c_3,$t_2 - $ST $c_2,$BNSZ($a0) # r[1]=c2; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_1,$b_1 # mul_add_c(a[1],b[1],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_0,$b_2 # mul_add_c(a[0],b[2],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $c_2,$c_1,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_0,$b_3 # mul_add_c(a[0],b[3],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - $ST $c_3,2*$BNSZ($a0) # r[2]=c3; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_1,$b_2 # mul_add_c(a[1],b[2],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $c_3,$c_2,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_2,$b_1 # mul_add_c(a[2],b[1],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_3,$b_0 # mul_add_c(a[3],b[0],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_4,$b_0 # mul_add_c(a[4],b[0],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - $ST $c_1,3*$BNSZ($a0) # r[3]=c1; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_3,$b_1 # mul_add_c(a[3],b[1],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $c_1,$c_3,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_2,$b_2 # mul_add_c(a[2],b[2],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_1,$b_3 # mul_add_c(a[1],b[3],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_0,$b_4 # mul_add_c(a[0],b[4],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_0,$b_5 # mul_add_c(a[0],b[5],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - $ST $c_2,4*$BNSZ($a0) # r[4]=c2; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_1,$b_4 # mul_add_c(a[1],b[4],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $c_2,$c_1,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_2,$b_3 # mul_add_c(a[2],b[3],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_3,$b_2 # mul_add_c(a[3],b[2],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_4,$b_1 # mul_add_c(a[4],b[1],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_5,$b_0 # mul_add_c(a[5],b[0],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_6,$b_0 # mul_add_c(a[6],b[0],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - $ST $c_3,5*$BNSZ($a0) # r[5]=c3; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_5,$b_1 # mul_add_c(a[5],b[1],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $c_3,$c_2,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_4,$b_2 # mul_add_c(a[4],b[2],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_3,$b_3 # mul_add_c(a[3],b[3],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_2,$b_4 # mul_add_c(a[2],b[4],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_1,$b_5 # mul_add_c(a[1],b[5],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_0,$b_6 # mul_add_c(a[0],b[6],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_0,$b_7 # mul_add_c(a[0],b[7],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - $ST $c_1,6*$BNSZ($a0) # r[6]=c1; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_1,$b_6 # mul_add_c(a[1],b[6],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $c_1,$c_3,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_2,$b_5 # mul_add_c(a[2],b[5],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_3,$b_4 # mul_add_c(a[3],b[4],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_4,$b_3 # mul_add_c(a[4],b[3],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_5,$b_2 # mul_add_c(a[5],b[2],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_6,$b_1 # mul_add_c(a[6],b[1],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_7,$b_0 # mul_add_c(a[7],b[0],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_7,$b_1 # mul_add_c(a[7],b[1],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - $ST $c_2,7*$BNSZ($a0) # r[7]=c2; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_6,$b_2 # mul_add_c(a[6],b[2],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $c_2,$c_1,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_5,$b_3 # mul_add_c(a[5],b[3],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_4,$b_4 # mul_add_c(a[4],b[4],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_3,$b_5 # mul_add_c(a[3],b[5],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_2,$b_6 # mul_add_c(a[2],b[6],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_1,$b_7 # mul_add_c(a[1],b[7],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_2,$b_7 # mul_add_c(a[2],b[7],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - $ST $c_3,8*$BNSZ($a0) # r[8]=c3; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_3,$b_6 # mul_add_c(a[3],b[6],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $c_3,$c_2,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_4,$b_5 # mul_add_c(a[4],b[5],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_5,$b_4 # mul_add_c(a[5],b[4],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_6,$b_3 # mul_add_c(a[6],b[3],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_7,$b_2 # mul_add_c(a[7],b[2],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_7,$b_3 # mul_add_c(a[7],b[3],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - $ST $c_1,9*$BNSZ($a0) # r[9]=c1; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_6,$b_4 # mul_add_c(a[6],b[4],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $c_1,$c_3,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_5,$b_5 # mul_add_c(a[5],b[5],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_4,$b_6 # mul_add_c(a[4],b[6],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_3,$b_7 # mul_add_c(a[3],b[7],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_4,$b_7 # mul_add_c(a[4],b[7],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - $ST $c_2,10*$BNSZ($a0) # r[10]=c2; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_5,$b_6 # mul_add_c(a[5],b[6],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $c_2,$c_1,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_6,$b_5 # mul_add_c(a[6],b[5],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_7,$b_4 # mul_add_c(a[7],b[4],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_7,$b_5 # mul_add_c(a[7],b[5],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - $ST $c_3,11*$BNSZ($a0) # r[11]=c3; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_6,$b_6 # mul_add_c(a[6],b[6],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $c_3,$c_2,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_5,$b_7 # mul_add_c(a[5],b[7],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_6,$b_7 # mul_add_c(a[6],b[7],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - $ST $c_1,12*$BNSZ($a0) # r[12]=c1; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_7,$b_6 # mul_add_c(a[7],b[6],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $c_1,$c_3,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_7,$b_7 # mul_add_c(a[7],b[7],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - $ST $c_2,13*$BNSZ($a0) # r[13]=c2; - - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - $ST $c_3,14*$BNSZ($a0) # r[14]=c3; - $ST $c_1,15*$BNSZ($a0) # r[15]=c1; - - .set noreorder -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_L $s5,10*$SZREG($sp) - $REG_L $s4,9*$SZREG($sp) - $REG_L $s3,8*$SZREG($sp) - $REG_L $s2,7*$SZREG($sp) - $REG_L $s1,6*$SZREG($sp) - $REG_L $s0,5*$SZREG($sp) - $REG_L $t3,4*$SZREG($sp) - $REG_L $t2,3*$SZREG($sp) - $REG_L $t1,2*$SZREG($sp) - $REG_L $t0,1*$SZREG($sp) - $REG_L $gp,0*$SZREG($sp) - jr $ra - $PTR_ADD $sp,12*$SZREG -___ -$code.=<<___ if ($flavour !~ /nubi/i); - $REG_L $s5,5*$SZREG($sp) - $REG_L $s4,4*$SZREG($sp) - $REG_L $s3,3*$SZREG($sp) - $REG_L $s2,2*$SZREG($sp) - $REG_L $s1,1*$SZREG($sp) - $REG_L $s0,0*$SZREG($sp) - jr $ra - $PTR_ADD $sp,6*$SZREG -___ -$code.=<<___; -.end bn_mul_comba8 - -.align 5 -.globl bn_mul_comba4 -.ent bn_mul_comba4 -bn_mul_comba4: -___ -$code.=<<___ if ($flavour =~ /nubi/i); - .frame $sp,6*$SZREG,$ra - .mask 0x8000f008,-$SZREG - .set noreorder - $PTR_SUB $sp,6*$SZREG - $REG_S $ra,5*$SZREG($sp) - $REG_S $t3,4*$SZREG($sp) - $REG_S $t2,3*$SZREG($sp) - $REG_S $t1,2*$SZREG($sp) - $REG_S $t0,1*$SZREG($sp) - $REG_S $gp,0*$SZREG($sp) -___ -$code.=<<___; - .set reorder - $LD $a_0,0($a1) - $LD $b_0,0($a2) - $LD $a_1,$BNSZ($a1) - $LD $a_2,2*$BNSZ($a1) - $MULTU $a_0,$b_0 # mul_add_c(a[0],b[0],c1,c2,c3); - $LD $a_3,3*$BNSZ($a1) - $LD $b_1,$BNSZ($a2) - $LD $b_2,2*$BNSZ($a2) - $LD $b_3,3*$BNSZ($a2) - mflo $c_1 - mfhi $c_2 - $ST $c_1,0($a0) - - $MULTU $a_0,$b_1 # mul_add_c(a[0],b[1],c2,c3,c1); - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_1,$b_0 # mul_add_c(a[1],b[0],c2,c3,c1); - $ADDU $c_3,$t_2,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_2,$b_0 # mul_add_c(a[2],b[0],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $c_1,$c_3,$t_2 - $ST $c_2,$BNSZ($a0) - - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_1,$b_1 # mul_add_c(a[1],b[1],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_0,$b_2 # mul_add_c(a[0],b[2],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $c_2,$c_1,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_0,$b_3 # mul_add_c(a[0],b[3],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - $ST $c_3,2*$BNSZ($a0) - - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_1,$b_2 # mul_add_c(a[1],b[2],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $c_3,$c_2,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_2,$b_1 # mul_add_c(a[2],b[1],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_3,$b_0 # mul_add_c(a[3],b[0],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_3,$b_1 # mul_add_c(a[3],b[1],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - $ST $c_1,3*$BNSZ($a0) - - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_2,$b_2 # mul_add_c(a[2],b[2],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $c_1,$c_3,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_1,$b_3 # mul_add_c(a[1],b[3],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_2,$b_3 # mul_add_c(a[2],b[3],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - $ST $c_2,4*$BNSZ($a0) - - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_3,$b_2 # mul_add_c(a[3],b[2],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $c_2,$c_1,$t_2 - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_3,$b_3 # mul_add_c(a[3],b[3],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - $ST $c_3,5*$BNSZ($a0) - - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - $ST $c_1,6*$BNSZ($a0) - $ST $c_2,7*$BNSZ($a0) - - .set noreorder -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_L $t3,4*$SZREG($sp) - $REG_L $t2,3*$SZREG($sp) - $REG_L $t1,2*$SZREG($sp) - $REG_L $t0,1*$SZREG($sp) - $REG_L $gp,0*$SZREG($sp) - $PTR_ADD $sp,6*$SZREG -___ -$code.=<<___; - jr $ra - nop -.end bn_mul_comba4 -___ - -($a_4,$a_5,$a_6,$a_7)=($b_0,$b_1,$b_2,$b_3); - -sub add_c2 () { -my ($hi,$lo,$c0,$c1,$c2, - $warm, # !$warm denotes first call with specific sequence of - # $c_[XYZ] when there is no Z-carry to accumulate yet; - $an,$bn # these two are arguments for multiplication which - # result is used in *next* step [which is why it's - # commented as "forward multiplication" below]; - )=@_; -$code.=<<___; - mflo $lo - mfhi $hi - $ADDU $c0,$lo - sltu $at,$c0,$lo - $MULTU $an,$bn # forward multiplication - $ADDU $c0,$lo - $ADDU $at,$hi - sltu $lo,$c0,$lo - $ADDU $c1,$at - $ADDU $hi,$lo -___ -$code.=<<___ if (!$warm); - sltu $c2,$c1,$at - $ADDU $c1,$hi - sltu $hi,$c1,$hi - $ADDU $c2,$hi -___ -$code.=<<___ if ($warm); - sltu $at,$c1,$at - $ADDU $c1,$hi - $ADDU $c2,$at - sltu $hi,$c1,$hi - $ADDU $c2,$hi -___ -} - -$code.=<<___; - -.align 5 -.globl bn_sqr_comba8 -.ent bn_sqr_comba8 -bn_sqr_comba8: -___ -$code.=<<___ if ($flavour =~ /nubi/i); - .frame $sp,6*$SZREG,$ra - .mask 0x8000f008,-$SZREG - .set noreorder - $PTR_SUB $sp,6*$SZREG - $REG_S $ra,5*$SZREG($sp) - $REG_S $t3,4*$SZREG($sp) - $REG_S $t2,3*$SZREG($sp) - $REG_S $t1,2*$SZREG($sp) - $REG_S $t0,1*$SZREG($sp) - $REG_S $gp,0*$SZREG($sp) -___ -$code.=<<___; - .set reorder - $LD $a_0,0($a1) - $LD $a_1,$BNSZ($a1) - $LD $a_2,2*$BNSZ($a1) - $LD $a_3,3*$BNSZ($a1) - - $MULTU $a_0,$a_0 # mul_add_c(a[0],b[0],c1,c2,c3); - $LD $a_4,4*$BNSZ($a1) - $LD $a_5,5*$BNSZ($a1) - $LD $a_6,6*$BNSZ($a1) - $LD $a_7,7*$BNSZ($a1) - mflo $c_1 - mfhi $c_2 - $ST $c_1,0($a0) - - $MULTU $a_0,$a_1 # mul_add_c2(a[0],b[1],c2,c3,c1); - mflo $t_1 - mfhi $t_2 - slt $c_1,$t_2,$zero - $SLL $t_2,1 - $MULTU $a_2,$a_0 # mul_add_c2(a[2],b[0],c3,c1,c2); - slt $a2,$t_1,$zero - $ADDU $t_2,$a2 - $SLL $t_1,1 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $ADDU $c_3,$t_2,$at - $ST $c_2,$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, - $a_1,$a_1); # mul_add_c(a[1],b[1],c3,c1,c2); -$code.=<<___; - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_0,$a_3 # mul_add_c2(a[0],b[3],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - $ST $c_3,2*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, - $a_1,$a_2); # mul_add_c2(a[1],b[2],c1,c2,c3); - &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, - $a_4,$a_0); # mul_add_c2(a[4],b[0],c2,c3,c1); -$code.=<<___; - $ST $c_1,3*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, - $a_3,$a_1); # mul_add_c2(a[3],b[1],c2,c3,c1); - &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, - $a_2,$a_2); # mul_add_c(a[2],b[2],c2,c3,c1); -$code.=<<___; - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_0,$a_5 # mul_add_c2(a[0],b[5],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - $ST $c_2,4*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, - $a_1,$a_4); # mul_add_c2(a[1],b[4],c3,c1,c2); - &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, - $a_2,$a_3); # mul_add_c2(a[2],b[3],c3,c1,c2); - &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, - $a_6,$a_0); # mul_add_c2(a[6],b[0],c1,c2,c3); -$code.=<<___; - $ST $c_3,5*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, - $a_5,$a_1); # mul_add_c2(a[5],b[1],c1,c2,c3); - &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, - $a_4,$a_2); # mul_add_c2(a[4],b[2],c1,c2,c3); - &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, - $a_3,$a_3); # mul_add_c(a[3],b[3],c1,c2,c3); -$code.=<<___; - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_0,$a_7 # mul_add_c2(a[0],b[7],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - $ST $c_1,6*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, - $a_1,$a_6); # mul_add_c2(a[1],b[6],c2,c3,c1); - &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, - $a_2,$a_5); # mul_add_c2(a[2],b[5],c2,c3,c1); - &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, - $a_3,$a_4); # mul_add_c2(a[3],b[4],c2,c3,c1); - &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, - $a_7,$a_1); # mul_add_c2(a[7],b[1],c3,c1,c2); -$code.=<<___; - $ST $c_2,7*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, - $a_6,$a_2); # mul_add_c2(a[6],b[2],c3,c1,c2); - &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, - $a_5,$a_3); # mul_add_c2(a[5],b[3],c3,c1,c2); - &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, - $a_4,$a_4); # mul_add_c(a[4],b[4],c3,c1,c2); -$code.=<<___; - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_2,$a_7 # mul_add_c2(a[2],b[7],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - $ST $c_3,8*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, - $a_3,$a_6); # mul_add_c2(a[3],b[6],c1,c2,c3); - &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, - $a_4,$a_5); # mul_add_c2(a[4],b[5],c1,c2,c3); - &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, - $a_7,$a_3); # mul_add_c2(a[7],b[3],c2,c3,c1); -$code.=<<___; - $ST $c_1,9*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, - $a_6,$a_4); # mul_add_c2(a[6],b[4],c2,c3,c1); - &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, - $a_5,$a_5); # mul_add_c(a[5],b[5],c2,c3,c1); -$code.=<<___; - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_4,$a_7 # mul_add_c2(a[4],b[7],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - $ST $c_2,10*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, - $a_5,$a_6); # mul_add_c2(a[5],b[6],c3,c1,c2); - &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, - $a_7,$a_5); # mul_add_c2(a[7],b[5],c1,c2,c3); -$code.=<<___; - $ST $c_3,11*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, - $a_6,$a_6); # mul_add_c(a[6],b[6],c1,c2,c3); -$code.=<<___; - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $MULTU $a_6,$a_7 # mul_add_c2(a[6],b[7],c2,c3,c1); - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - sltu $at,$c_2,$t_2 - $ADDU $c_3,$at - $ST $c_1,12*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, - $a_7,$a_7); # mul_add_c(a[7],b[7],c3,c1,c2); -$code.=<<___; - $ST $c_2,13*$BNSZ($a0) - - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - $ST $c_3,14*$BNSZ($a0) - $ST $c_1,15*$BNSZ($a0) - - .set noreorder -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_L $t3,4*$SZREG($sp) - $REG_L $t2,3*$SZREG($sp) - $REG_L $t1,2*$SZREG($sp) - $REG_L $t0,1*$SZREG($sp) - $REG_L $gp,0*$SZREG($sp) - $PTR_ADD $sp,6*$SZREG -___ -$code.=<<___; - jr $ra - nop -.end bn_sqr_comba8 - -.align 5 -.globl bn_sqr_comba4 -.ent bn_sqr_comba4 -bn_sqr_comba4: -___ -$code.=<<___ if ($flavour =~ /nubi/i); - .frame $sp,6*$SZREG,$ra - .mask 0x8000f008,-$SZREG - .set noreorder - $PTR_SUB $sp,6*$SZREG - $REG_S $ra,5*$SZREG($sp) - $REG_S $t3,4*$SZREG($sp) - $REG_S $t2,3*$SZREG($sp) - $REG_S $t1,2*$SZREG($sp) - $REG_S $t0,1*$SZREG($sp) - $REG_S $gp,0*$SZREG($sp) -___ -$code.=<<___; - .set reorder - $LD $a_0,0($a1) - $LD $a_1,$BNSZ($a1) - $MULTU $a_0,$a_0 # mul_add_c(a[0],b[0],c1,c2,c3); - $LD $a_2,2*$BNSZ($a1) - $LD $a_3,3*$BNSZ($a1) - mflo $c_1 - mfhi $c_2 - $ST $c_1,0($a0) - - $MULTU $a_0,$a_1 # mul_add_c2(a[0],b[1],c2,c3,c1); - mflo $t_1 - mfhi $t_2 - slt $c_1,$t_2,$zero - $SLL $t_2,1 - $MULTU $a_2,$a_0 # mul_add_c2(a[2],b[0],c3,c1,c2); - slt $a2,$t_1,$zero - $ADDU $t_2,$a2 - $SLL $t_1,1 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $ADDU $c_3,$t_2,$at - $ST $c_2,$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, - $a_1,$a_1); # mul_add_c(a[1],b[1],c3,c1,c2); -$code.=<<___; - mflo $t_1 - mfhi $t_2 - $ADDU $c_3,$t_1 - sltu $at,$c_3,$t_1 - $MULTU $a_0,$a_3 # mul_add_c2(a[0],b[3],c1,c2,c3); - $ADDU $t_2,$at - $ADDU $c_1,$t_2 - sltu $at,$c_1,$t_2 - $ADDU $c_2,$at - $ST $c_3,2*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, - $a_1,$a_2); # mul_add_c2(a2[1],b[2],c1,c2,c3); - &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, - $a_3,$a_1); # mul_add_c2(a[3],b[1],c2,c3,c1); -$code.=<<___; - $ST $c_1,3*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, - $a_2,$a_2); # mul_add_c(a[2],b[2],c2,c3,c1); -$code.=<<___; - mflo $t_1 - mfhi $t_2 - $ADDU $c_2,$t_1 - sltu $at,$c_2,$t_1 - $MULTU $a_2,$a_3 # mul_add_c2(a[2],b[3],c3,c1,c2); - $ADDU $t_2,$at - $ADDU $c_3,$t_2 - sltu $at,$c_3,$t_2 - $ADDU $c_1,$at - $ST $c_2,4*$BNSZ($a0) -___ - &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, - $a_3,$a_3); # mul_add_c(a[3],b[3],c1,c2,c3); -$code.=<<___; - $ST $c_3,5*$BNSZ($a0) - - mflo $t_1 - mfhi $t_2 - $ADDU $c_1,$t_1 - sltu $at,$c_1,$t_1 - $ADDU $t_2,$at - $ADDU $c_2,$t_2 - $ST $c_1,6*$BNSZ($a0) - $ST $c_2,7*$BNSZ($a0) - - .set noreorder -___ -$code.=<<___ if ($flavour =~ /nubi/i); - $REG_L $t3,4*$SZREG($sp) - $REG_L $t2,3*$SZREG($sp) - $REG_L $t1,2*$SZREG($sp) - $REG_L $t0,1*$SZREG($sp) - $REG_L $gp,0*$SZREG($sp) - $PTR_ADD $sp,6*$SZREG -___ -$code.=<<___; - jr $ra - nop -.end bn_sqr_comba4 -___ -print $code; -close STDOUT; diff --git a/src/lib/libcrypto/bn/asm/modexp512-x86_64.pl b/src/lib/libcrypto/bn/asm/modexp512-x86_64.pl deleted file mode 100644 index 8645d5adcc..0000000000 --- a/src/lib/libcrypto/bn/asm/modexp512-x86_64.pl +++ /dev/null @@ -1,1393 +0,0 @@ -#!/usr/bin/env perl -# -# Copyright (c) 2010-2011 Intel Corp. -# Author: Vinodh.Gopal@intel.com -# Jim Guilford -# Erdinc.Ozturk@intel.com -# Maxim.Perminov@intel.com -# -# More information about algorithm used can be found at: -# http://www.cse.buffalo.edu/srds2009/escs2009_submission_Gopal.pdf -# -# ==================================================================== -# Copyright (c) 2011 The OpenSSL Project. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in -# the documentation and/or other materials provided with the -# distribution. -# -# 3. All advertising materials mentioning features or use of this -# software must display the following acknowledgment: -# "This product includes software developed by the OpenSSL Project -# for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -# -# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -# endorse or promote products derived from this software without -# prior written permission. For written permission, please contact -# licensing@OpenSSL.org. -# -# 5. Products derived from this software may not be called "OpenSSL" -# nor may "OpenSSL" appear in their names without prior written -# permission of the OpenSSL Project. -# -# 6. Redistributions of any form whatsoever must retain the following -# acknowledgment: -# "This product includes software developed by the OpenSSL Project -# for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -# -# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -# OF THE POSSIBILITY OF SUCH DAMAGE. -# ==================================================================== - -$flavour = shift; -$output = shift; -if ($flavour =~ /\./) { $output = $flavour; undef $flavour; } - -$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or -( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or -die "can't locate x86_64-xlate.pl"; - -open OUT,"| \"$^X\" $xlate $flavour $output"; -*STDOUT=*OUT; - -use strict; -my $code=".text\n\n"; -my $m=0; - -# -# Define x512 macros -# - -#MULSTEP_512_ADD MACRO x7, x6, x5, x4, x3, x2, x1, x0, dst, src1, src2, add_src, tmp1, tmp2 -# -# uses rax, rdx, and args -sub MULSTEP_512_ADD -{ - my ($x, $DST, $SRC2, $ASRC, $OP, $TMP)=@_; - my @X=@$x; # make a copy -$code.=<<___; - mov (+8*0)($SRC2), %rax - mul $OP # rdx:rax = %OP * [0] - mov ($ASRC), $X[0] - add %rax, $X[0] - adc \$0, %rdx - mov $X[0], $DST -___ -for(my $i=1;$i<8;$i++) { -$code.=<<___; - mov %rdx, $TMP - - mov (+8*$i)($SRC2), %rax - mul $OP # rdx:rax = %OP * [$i] - mov (+8*$i)($ASRC), $X[$i] - add %rax, $X[$i] - adc \$0, %rdx - add $TMP, $X[$i] - adc \$0, %rdx -___ -} -$code.=<<___; - mov %rdx, $X[0] -___ -} - -#MULSTEP_512 MACRO x7, x6, x5, x4, x3, x2, x1, x0, dst, src2, src1_val, tmp -# -# uses rax, rdx, and args -sub MULSTEP_512 -{ - my ($x, $DST, $SRC2, $OP, $TMP)=@_; - my @X=@$x; # make a copy -$code.=<<___; - mov (+8*0)($SRC2), %rax - mul $OP # rdx:rax = %OP * [0] - add %rax, $X[0] - adc \$0, %rdx - mov $X[0], $DST -___ -for(my $i=1;$i<8;$i++) { -$code.=<<___; - mov %rdx, $TMP - - mov (+8*$i)($SRC2), %rax - mul $OP # rdx:rax = %OP * [$i] - add %rax, $X[$i] - adc \$0, %rdx - add $TMP, $X[$i] - adc \$0, %rdx -___ -} -$code.=<<___; - mov %rdx, $X[0] -___ -} - -# -# Swizzle Macros -# - -# macro to copy data from flat space to swizzled table -#MACRO swizzle pDst, pSrc, tmp1, tmp2 -# pDst and pSrc are modified -sub swizzle -{ - my ($pDst, $pSrc, $cnt, $d0)=@_; -$code.=<<___; - mov \$8, $cnt -loop_$m: - mov ($pSrc), $d0 - mov $d0#w, ($pDst) - shr \$16, $d0 - mov $d0#w, (+64*1)($pDst) - shr \$16, $d0 - mov $d0#w, (+64*2)($pDst) - shr \$16, $d0 - mov $d0#w, (+64*3)($pDst) - lea 8($pSrc), $pSrc - lea 64*4($pDst), $pDst - dec $cnt - jnz loop_$m -___ - - $m++; -} - -# macro to copy data from swizzled table to flat space -#MACRO unswizzle pDst, pSrc, tmp*3 -sub unswizzle -{ - my ($pDst, $pSrc, $cnt, $d0, $d1)=@_; -$code.=<<___; - mov \$4, $cnt -loop_$m: - movzxw (+64*3+256*0)($pSrc), $d0 - movzxw (+64*3+256*1)($pSrc), $d1 - shl \$16, $d0 - shl \$16, $d1 - mov (+64*2+256*0)($pSrc), $d0#w - mov (+64*2+256*1)($pSrc), $d1#w - shl \$16, $d0 - shl \$16, $d1 - mov (+64*1+256*0)($pSrc), $d0#w - mov (+64*1+256*1)($pSrc), $d1#w - shl \$16, $d0 - shl \$16, $d1 - mov (+64*0+256*0)($pSrc), $d0#w - mov (+64*0+256*1)($pSrc), $d1#w - mov $d0, (+8*0)($pDst) - mov $d1, (+8*1)($pDst) - lea 256*2($pSrc), $pSrc - lea 8*2($pDst), $pDst - sub \$1, $cnt - jnz loop_$m -___ - - $m++; -} - -# -# Data Structures -# - -# Reduce Data -# -# -# Offset Value -# 0C0 Carries -# 0B8 X2[10] -# 0B0 X2[9] -# 0A8 X2[8] -# 0A0 X2[7] -# 098 X2[6] -# 090 X2[5] -# 088 X2[4] -# 080 X2[3] -# 078 X2[2] -# 070 X2[1] -# 068 X2[0] -# 060 X1[12] P[10] -# 058 X1[11] P[9] Z[8] -# 050 X1[10] P[8] Z[7] -# 048 X1[9] P[7] Z[6] -# 040 X1[8] P[6] Z[5] -# 038 X1[7] P[5] Z[4] -# 030 X1[6] P[4] Z[3] -# 028 X1[5] P[3] Z[2] -# 020 X1[4] P[2] Z[1] -# 018 X1[3] P[1] Z[0] -# 010 X1[2] P[0] Y[2] -# 008 X1[1] Q[1] Y[1] -# 000 X1[0] Q[0] Y[0] - -my $X1_offset = 0; # 13 qwords -my $X2_offset = $X1_offset + 13*8; # 11 qwords -my $Carries_offset = $X2_offset + 11*8; # 1 qword -my $Q_offset = 0; # 2 qwords -my $P_offset = $Q_offset + 2*8; # 11 qwords -my $Y_offset = 0; # 3 qwords -my $Z_offset = $Y_offset + 3*8; # 9 qwords - -my $Red_Data_Size = $Carries_offset + 1*8; # (25 qwords) - -# -# Stack Frame -# -# -# offset value -# ... -# ... -# 280 Garray - -# 278 tmp16[15] -# ... ... -# 200 tmp16[0] - -# 1F8 tmp[7] -# ... ... -# 1C0 tmp[0] - -# 1B8 GT[7] -# ... ... -# 180 GT[0] - -# 178 Reduce Data -# ... ... -# 0B8 Reduce Data -# 0B0 reserved -# 0A8 reserved -# 0A0 reserved -# 098 reserved -# 090 reserved -# 088 reduce result addr -# 080 exp[8] - -# ... -# 048 exp[1] -# 040 exp[0] - -# 038 reserved -# 030 loop_idx -# 028 pg -# 020 i -# 018 pData ; arg 4 -# 010 pG ; arg 2 -# 008 pResult ; arg 1 -# 000 rsp ; stack pointer before subtract - -my $rsp_offset = 0; -my $pResult_offset = 8*1 + $rsp_offset; -my $pG_offset = 8*1 + $pResult_offset; -my $pData_offset = 8*1 + $pG_offset; -my $i_offset = 8*1 + $pData_offset; -my $pg_offset = 8*1 + $i_offset; -my $loop_idx_offset = 8*1 + $pg_offset; -my $reserved1_offset = 8*1 + $loop_idx_offset; -my $exp_offset = 8*1 + $reserved1_offset; -my $red_result_addr_offset= 8*9 + $exp_offset; -my $reserved2_offset = 8*1 + $red_result_addr_offset; -my $Reduce_Data_offset = 8*5 + $reserved2_offset; -my $GT_offset = $Red_Data_Size + $Reduce_Data_offset; -my $tmp_offset = 8*8 + $GT_offset; -my $tmp16_offset = 8*8 + $tmp_offset; -my $garray_offset = 8*16 + $tmp16_offset; -my $mem_size = 8*8*32 + $garray_offset; - -# -# Offsets within Reduce Data -# -# -# struct MODF_2FOLD_MONT_512_C1_DATA { -# UINT64 t[8][8]; -# UINT64 m[8]; -# UINT64 m1[8]; /* 2^768 % m */ -# UINT64 m2[8]; /* 2^640 % m */ -# UINT64 k1[2]; /* (- 1/m) % 2^128 */ -# }; - -my $T = 0; -my $M = 512; # = 8 * 8 * 8 -my $M1 = 576; # = 8 * 8 * 9 /* += 8 * 8 */ -my $M2 = 640; # = 8 * 8 * 10 /* += 8 * 8 */ -my $K1 = 704; # = 8 * 8 * 11 /* += 8 * 8 */ - -# -# FUNCTIONS -# - -{{{ -# -# MULADD_128x512 : Function to multiply 128-bits (2 qwords) by 512-bits (8 qwords) -# and add 512-bits (8 qwords) -# to get 640 bits (10 qwords) -# Input: 128-bit mul source: [rdi+8*1], rbp -# 512-bit mul source: [rsi+8*n] -# 512-bit add source: r15, r14, ..., r9, r8 -# Output: r9, r8, r15, r14, r13, r12, r11, r10, [rcx+8*1], [rcx+8*0] -# Clobbers all regs except: rcx, rsi, rdi -$code.=<<___; -.type MULADD_128x512,\@abi-omnipotent -.align 16 -MULADD_128x512: - _CET_ENDBR -___ - &MULSTEP_512([map("%r$_",(8..15))], "(+8*0)(%rcx)", "%rsi", "%rbp", "%rbx"); -$code.=<<___; - mov (+8*1)(%rdi), %rbp -___ - &MULSTEP_512([map("%r$_",(9..15,8))], "(+8*1)(%rcx)", "%rsi", "%rbp", "%rbx"); -$code.=<<___; - ret -.size MULADD_128x512,.-MULADD_128x512 -___ -}}} - -{{{ -#MULADD_256x512 MACRO pDst, pA, pB, OP, TMP, X7, X6, X5, X4, X3, X2, X1, X0 -# -# Inputs: pDst: Destination (768 bits, 12 qwords) -# pA: Multiplicand (1024 bits, 16 qwords) -# pB: Multiplicand (512 bits, 8 qwords) -# Dst = Ah * B + Al -# where Ah is (in qwords) A[15:12] (256 bits) and Al is A[7:0] (512 bits) -# Results in X3 X2 X1 X0 X7 X6 X5 X4 Dst[3:0] -# Uses registers: arguments, RAX, RDX -sub MULADD_256x512 -{ - my ($pDst, $pA, $pB, $OP, $TMP, $X)=@_; -$code.=<<___; - mov (+8*12)($pA), $OP -___ - &MULSTEP_512_ADD($X, "(+8*0)($pDst)", $pB, $pA, $OP, $TMP); - push(@$X,shift(@$X)); - -$code.=<<___; - mov (+8*13)($pA), $OP -___ - &MULSTEP_512($X, "(+8*1)($pDst)", $pB, $OP, $TMP); - push(@$X,shift(@$X)); - -$code.=<<___; - mov (+8*14)($pA), $OP -___ - &MULSTEP_512($X, "(+8*2)($pDst)", $pB, $OP, $TMP); - push(@$X,shift(@$X)); - -$code.=<<___; - mov (+8*15)($pA), $OP -___ - &MULSTEP_512($X, "(+8*3)($pDst)", $pB, $OP, $TMP); - push(@$X,shift(@$X)); -} - -# -# mont_reduce(UINT64 *x, /* 1024 bits, 16 qwords */ -# UINT64 *m, /* 512 bits, 8 qwords */ -# MODF_2FOLD_MONT_512_C1_DATA *data, -# UINT64 *r) /* 512 bits, 8 qwords */ -# Input: x (number to be reduced): tmp16 (Implicit) -# m (modulus): [pM] (Implicit) -# data (reduce data): [pData] (Implicit) -# Output: r (result): Address in [red_res_addr] -# result also in: r9, r8, r15, r14, r13, r12, r11, r10 - -my @X=map("%r$_",(8..15)); - -$code.=<<___; -.type mont_reduce,\@abi-omnipotent -.align 16 -mont_reduce: - _CET_ENDBR -___ - -my $STACK_DEPTH = 8; - # - # X1 = Xh * M1 + Xl -$code.=<<___; - lea (+$Reduce_Data_offset+$X1_offset+$STACK_DEPTH)(%rsp), %rdi # pX1 (Dst) 769 bits, 13 qwords - mov (+$pData_offset+$STACK_DEPTH)(%rsp), %rsi # pM1 (Bsrc) 512 bits, 8 qwords - add \$$M1, %rsi - lea (+$tmp16_offset+$STACK_DEPTH)(%rsp), %rcx # X (Asrc) 1024 bits, 16 qwords - -___ - - &MULADD_256x512("%rdi", "%rcx", "%rsi", "%rbp", "%rbx", \@X); # rotates @X 4 times - # results in r11, r10, r9, r8, r15, r14, r13, r12, X1[3:0] - -$code.=<<___; - xor %rax, %rax - # X1 += xl - add (+8*8)(%rcx), $X[4] - adc (+8*9)(%rcx), $X[5] - adc (+8*10)(%rcx), $X[6] - adc (+8*11)(%rcx), $X[7] - adc \$0, %rax - # X1 is now rax, r11-r8, r15-r12, tmp16[3:0] - - # - # check for carry ;; carry stored in rax - mov $X[4], (+8*8)(%rdi) # rdi points to X1 - mov $X[5], (+8*9)(%rdi) - mov $X[6], %rbp - mov $X[7], (+8*11)(%rdi) - - mov %rax, (+$Reduce_Data_offset+$Carries_offset+$STACK_DEPTH)(%rsp) - - mov (+8*0)(%rdi), $X[4] - mov (+8*1)(%rdi), $X[5] - mov (+8*2)(%rdi), $X[6] - mov (+8*3)(%rdi), $X[7] - - # X1 is now stored in: X1[11], rbp, X1[9:8], r15-r8 - # rdi -> X1 - # rsi -> M1 - - # - # X2 = Xh * M2 + Xl - # do first part (X2 = Xh * M2) - add \$8*10, %rdi # rdi -> pXh ; 128 bits, 2 qwords - # Xh is actually { [rdi+8*1], rbp } - add \$`$M2-$M1`, %rsi # rsi -> M2 - lea (+$Reduce_Data_offset+$X2_offset+$STACK_DEPTH)(%rsp), %rcx # rcx -> pX2 ; 641 bits, 11 qwords -___ - unshift(@X,pop(@X)); unshift(@X,pop(@X)); -$code.=<<___; - - call MULADD_128x512 # args in rcx, rdi / rbp, rsi, r15-r8 - # result in r9, r8, r15, r14, r13, r12, r11, r10, X2[1:0] - mov (+$Reduce_Data_offset+$Carries_offset+$STACK_DEPTH)(%rsp), %rax - - # X2 += Xl - add (+8*8-8*10)(%rdi), $X[6] # (-8*10) is to adjust rdi -> Xh to Xl - adc (+8*9-8*10)(%rdi), $X[7] - mov $X[6], (+8*8)(%rcx) - mov $X[7], (+8*9)(%rcx) - - adc %rax, %rax - mov %rax, (+$Reduce_Data_offset+$Carries_offset+$STACK_DEPTH)(%rsp) - - lea (+$Reduce_Data_offset+$Q_offset+$STACK_DEPTH)(%rsp), %rdi # rdi -> pQ ; 128 bits, 2 qwords - add \$`$K1-$M2`, %rsi # rsi -> pK1 ; 128 bits, 2 qwords - - # MUL_128x128t128 rdi, rcx, rsi ; Q = X2 * K1 (bottom half) - # B1:B0 = rsi[1:0] = K1[1:0] - # A1:A0 = rcx[1:0] = X2[1:0] - # Result = rdi[1],rbp = Q[1],rbp - mov (%rsi), %r8 # B0 - mov (+8*1)(%rsi), %rbx # B1 - - mov (%rcx), %rax # A0 - mul %r8 # B0 - mov %rax, %rbp - mov %rdx, %r9 - - mov (+8*1)(%rcx), %rax # A1 - mul %r8 # B0 - add %rax, %r9 - - mov (%rcx), %rax # A0 - mul %rbx # B1 - add %rax, %r9 - - mov %r9, (+8*1)(%rdi) - # end MUL_128x128t128 - - sub \$`$K1-$M`, %rsi - - mov (%rcx), $X[6] - mov (+8*1)(%rcx), $X[7] # r9:r8 = X2[1:0] - - call MULADD_128x512 # args in rcx, rdi / rbp, rsi, r15-r8 - # result in r9, r8, r15, r14, r13, r12, r11, r10, X2[1:0] - - # load first half of m to rdx, rdi, rbx, rax - # moved this here for efficiency - mov (+8*0)(%rsi), %rax - mov (+8*1)(%rsi), %rbx - mov (+8*2)(%rsi), %rdi - mov (+8*3)(%rsi), %rdx - - # continue with reduction - mov (+$Reduce_Data_offset+$Carries_offset+$STACK_DEPTH)(%rsp), %rbp - - add (+8*8)(%rcx), $X[6] - adc (+8*9)(%rcx), $X[7] - - #accumulate the final carry to rbp - adc %rbp, %rbp - - # Add in overflow corrections: R = (X2>>128) += T[overflow] - # R = {r9, r8, r15, r14, ..., r10} - shl \$3, %rbp - mov (+$pData_offset+$STACK_DEPTH)(%rsp), %rcx # rsi -> Data (and points to T) - add %rcx, %rbp # pT ; 512 bits, 8 qwords, spread out - - # rsi will be used to generate a mask after the addition - xor %rsi, %rsi - - add (+8*8*0)(%rbp), $X[0] - adc (+8*8*1)(%rbp), $X[1] - adc (+8*8*2)(%rbp), $X[2] - adc (+8*8*3)(%rbp), $X[3] - adc (+8*8*4)(%rbp), $X[4] - adc (+8*8*5)(%rbp), $X[5] - adc (+8*8*6)(%rbp), $X[6] - adc (+8*8*7)(%rbp), $X[7] - - # if there is a carry: rsi = 0xFFFFFFFFFFFFFFFF - # if carry is clear: rsi = 0x0000000000000000 - sbb \$0, %rsi - - # if carry is clear, subtract 0. Otherwise, subtract 256 bits of m - and %rsi, %rax - and %rsi, %rbx - and %rsi, %rdi - and %rsi, %rdx - - mov \$1, %rbp - sub %rax, $X[0] - sbb %rbx, $X[1] - sbb %rdi, $X[2] - sbb %rdx, $X[3] - - # if there is a borrow: rbp = 0 - # if there is no borrow: rbp = 1 - # this is used to save the borrows in between the first half and the 2nd half of the subtraction of m - sbb \$0, %rbp - - #load second half of m to rdx, rdi, rbx, rax - - add \$$M, %rcx - mov (+8*4)(%rcx), %rax - mov (+8*5)(%rcx), %rbx - mov (+8*6)(%rcx), %rdi - mov (+8*7)(%rcx), %rdx - - # use the rsi mask as before - # if carry is clear, subtract 0. Otherwise, subtract 256 bits of m - and %rsi, %rax - and %rsi, %rbx - and %rsi, %rdi - and %rsi, %rdx - - # if rbp = 0, there was a borrow before, it is moved to the carry flag - # if rbp = 1, there was not a borrow before, carry flag is cleared - sub \$1, %rbp - - sbb %rax, $X[4] - sbb %rbx, $X[5] - sbb %rdi, $X[6] - sbb %rdx, $X[7] - - # write R back to memory - - mov (+$red_result_addr_offset+$STACK_DEPTH)(%rsp), %rsi - mov $X[0], (+8*0)(%rsi) - mov $X[1], (+8*1)(%rsi) - mov $X[2], (+8*2)(%rsi) - mov $X[3], (+8*3)(%rsi) - mov $X[4], (+8*4)(%rsi) - mov $X[5], (+8*5)(%rsi) - mov $X[6], (+8*6)(%rsi) - mov $X[7], (+8*7)(%rsi) - - ret -.size mont_reduce,.-mont_reduce -___ -}}} - -{{{ -#MUL_512x512 MACRO pDst, pA, pB, x7, x6, x5, x4, x3, x2, x1, x0, tmp*2 -# -# Inputs: pDst: Destination (1024 bits, 16 qwords) -# pA: Multiplicand (512 bits, 8 qwords) -# pB: Multiplicand (512 bits, 8 qwords) -# Uses registers rax, rdx, args -# B operand in [pB] and also in x7...x0 -sub MUL_512x512 -{ - my ($pDst, $pA, $pB, $x, $OP, $TMP, $pDst_o)=@_; - my ($pDst, $pDst_o) = ($pDst =~ m/([^+]*)\+?(.*)?/); - my @X=@$x; # make a copy - -$code.=<<___; - mov (+8*0)($pA), $OP - - mov $X[0], %rax - mul $OP # rdx:rax = %OP * [0] - mov %rax, (+$pDst_o+8*0)($pDst) - mov %rdx, $X[0] -___ -for(my $i=1;$i<8;$i++) { -$code.=<<___; - mov $X[$i], %rax - mul $OP # rdx:rax = %OP * [$i] - add %rax, $X[$i-1] - adc \$0, %rdx - mov %rdx, $X[$i] -___ -} - -for(my $i=1;$i<8;$i++) { -$code.=<<___; - mov (+8*$i)($pA), $OP -___ - - &MULSTEP_512(\@X, "(+$pDst_o+8*$i)($pDst)", $pB, $OP, $TMP); - push(@X,shift(@X)); -} - -$code.=<<___; - mov $X[0], (+$pDst_o+8*8)($pDst) - mov $X[1], (+$pDst_o+8*9)($pDst) - mov $X[2], (+$pDst_o+8*10)($pDst) - mov $X[3], (+$pDst_o+8*11)($pDst) - mov $X[4], (+$pDst_o+8*12)($pDst) - mov $X[5], (+$pDst_o+8*13)($pDst) - mov $X[6], (+$pDst_o+8*14)($pDst) - mov $X[7], (+$pDst_o+8*15)($pDst) -___ -} - -# -# mont_mul_a3b : subroutine to compute (Src1 * Src2) % M (all 512-bits) -# Input: src1: Address of source 1: rdi -# src2: Address of source 2: rsi -# Output: dst: Address of destination: [red_res_addr] -# src2 and result also in: r9, r8, r15, r14, r13, r12, r11, r10 -# Temp: Clobbers [tmp16], all registers -$code.=<<___; -.type mont_mul_a3b,\@abi-omnipotent -.align 16 -mont_mul_a3b: - _CET_ENDBR - # - # multiply tmp = src1 * src2 - # For multiply: dst = rcx, src1 = rdi, src2 = rsi - # stack depth is extra 8 from call -___ - &MUL_512x512("%rsp+$tmp16_offset+8", "%rdi", "%rsi", [map("%r$_",(10..15,8..9))], "%rbp", "%rbx"); -$code.=<<___; - # - # Dst = tmp % m - # Call reduce(tmp, m, data, dst) - - # tail recursion optimization: jmp to mont_reduce and return from there - jmp mont_reduce - # call mont_reduce - # ret -.size mont_mul_a3b,.-mont_mul_a3b -___ -}}} - -{{{ -#SQR_512 MACRO pDest, pA, x7, x6, x5, x4, x3, x2, x1, x0, tmp*4 -# -# Input in memory [pA] and also in x7...x0 -# Uses all argument registers plus rax and rdx -# -# This version computes all of the off-diagonal terms into memory, -# and then it adds in the diagonal terms - -sub SQR_512 -{ - my ($pDst, $pA, $x, $A, $tmp, $x7, $x6, $pDst_o)=@_; - my ($pDst, $pDst_o) = ($pDst =~ m/([^+]*)\+?(.*)?/); - my @X=@$x; # make a copy -$code.=<<___; - # ------------------ - # first pass 01...07 - # ------------------ - mov $X[0], $A - - mov $X[1],%rax - mul $A - mov %rax, (+$pDst_o+8*1)($pDst) -___ -for(my $i=2;$i<8;$i++) { -$code.=<<___; - mov %rdx, $X[$i-2] - mov $X[$i],%rax - mul $A - add %rax, $X[$i-2] - adc \$0, %rdx -___ -} -$code.=<<___; - mov %rdx, $x7 - - mov $X[0], (+$pDst_o+8*2)($pDst) - - # ------------------ - # second pass 12...17 - # ------------------ - - mov (+8*1)($pA), $A - - mov (+8*2)($pA),%rax - mul $A - add %rax, $X[1] - adc \$0, %rdx - mov $X[1], (+$pDst_o+8*3)($pDst) - - mov %rdx, $X[0] - mov (+8*3)($pA),%rax - mul $A - add %rax, $X[2] - adc \$0, %rdx - add $X[0], $X[2] - adc \$0, %rdx - mov $X[2], (+$pDst_o+8*4)($pDst) - - mov %rdx, $X[0] - mov (+8*4)($pA),%rax - mul $A - add %rax, $X[3] - adc \$0, %rdx - add $X[0], $X[3] - adc \$0, %rdx - - mov %rdx, $X[0] - mov (+8*5)($pA),%rax - mul $A - add %rax, $X[4] - adc \$0, %rdx - add $X[0], $X[4] - adc \$0, %rdx - - mov %rdx, $X[0] - mov $X[6],%rax - mul $A - add %rax, $X[5] - adc \$0, %rdx - add $X[0], $X[5] - adc \$0, %rdx - - mov %rdx, $X[0] - mov $X[7],%rax - mul $A - add %rax, $x7 - adc \$0, %rdx - add $X[0], $x7 - adc \$0, %rdx - - mov %rdx, $X[1] - - # ------------------ - # third pass 23...27 - # ------------------ - mov (+8*2)($pA), $A - - mov (+8*3)($pA),%rax - mul $A - add %rax, $X[3] - adc \$0, %rdx - mov $X[3], (+$pDst_o+8*5)($pDst) - - mov %rdx, $X[0] - mov (+8*4)($pA),%rax - mul $A - add %rax, $X[4] - adc \$0, %rdx - add $X[0], $X[4] - adc \$0, %rdx - mov $X[4], (+$pDst_o+8*6)($pDst) - - mov %rdx, $X[0] - mov (+8*5)($pA),%rax - mul $A - add %rax, $X[5] - adc \$0, %rdx - add $X[0], $X[5] - adc \$0, %rdx - - mov %rdx, $X[0] - mov $X[6],%rax - mul $A - add %rax, $x7 - adc \$0, %rdx - add $X[0], $x7 - adc \$0, %rdx - - mov %rdx, $X[0] - mov $X[7],%rax - mul $A - add %rax, $X[1] - adc \$0, %rdx - add $X[0], $X[1] - adc \$0, %rdx - - mov %rdx, $X[2] - - # ------------------ - # fourth pass 34...37 - # ------------------ - - mov (+8*3)($pA), $A - - mov (+8*4)($pA),%rax - mul $A - add %rax, $X[5] - adc \$0, %rdx - mov $X[5], (+$pDst_o+8*7)($pDst) - - mov %rdx, $X[0] - mov (+8*5)($pA),%rax - mul $A - add %rax, $x7 - adc \$0, %rdx - add $X[0], $x7 - adc \$0, %rdx - mov $x7, (+$pDst_o+8*8)($pDst) - - mov %rdx, $X[0] - mov $X[6],%rax - mul $A - add %rax, $X[1] - adc \$0, %rdx - add $X[0], $X[1] - adc \$0, %rdx - - mov %rdx, $X[0] - mov $X[7],%rax - mul $A - add %rax, $X[2] - adc \$0, %rdx - add $X[0], $X[2] - adc \$0, %rdx - - mov %rdx, $X[5] - - # ------------------ - # fifth pass 45...47 - # ------------------ - mov (+8*4)($pA), $A - - mov (+8*5)($pA),%rax - mul $A - add %rax, $X[1] - adc \$0, %rdx - mov $X[1], (+$pDst_o+8*9)($pDst) - - mov %rdx, $X[0] - mov $X[6],%rax - mul $A - add %rax, $X[2] - adc \$0, %rdx - add $X[0], $X[2] - adc \$0, %rdx - mov $X[2], (+$pDst_o+8*10)($pDst) - - mov %rdx, $X[0] - mov $X[7],%rax - mul $A - add %rax, $X[5] - adc \$0, %rdx - add $X[0], $X[5] - adc \$0, %rdx - - mov %rdx, $X[1] - - # ------------------ - # sixth pass 56...57 - # ------------------ - mov (+8*5)($pA), $A - - mov $X[6],%rax - mul $A - add %rax, $X[5] - adc \$0, %rdx - mov $X[5], (+$pDst_o+8*11)($pDst) - - mov %rdx, $X[0] - mov $X[7],%rax - mul $A - add %rax, $X[1] - adc \$0, %rdx - add $X[0], $X[1] - adc \$0, %rdx - mov $X[1], (+$pDst_o+8*12)($pDst) - - mov %rdx, $X[2] - - # ------------------ - # seventh pass 67 - # ------------------ - mov $X[6], $A - - mov $X[7],%rax - mul $A - add %rax, $X[2] - adc \$0, %rdx - mov $X[2], (+$pDst_o+8*13)($pDst) - - mov %rdx, (+$pDst_o+8*14)($pDst) - - # start finalize (add in squares, and double off-terms) - mov (+$pDst_o+8*1)($pDst), $X[0] - mov (+$pDst_o+8*2)($pDst), $X[1] - mov (+$pDst_o+8*3)($pDst), $X[2] - mov (+$pDst_o+8*4)($pDst), $X[3] - mov (+$pDst_o+8*5)($pDst), $X[4] - mov (+$pDst_o+8*6)($pDst), $X[5] - - mov (+8*3)($pA), %rax - mul %rax - mov %rax, $x6 - mov %rdx, $X[6] - - add $X[0], $X[0] - adc $X[1], $X[1] - adc $X[2], $X[2] - adc $X[3], $X[3] - adc $X[4], $X[4] - adc $X[5], $X[5] - adc \$0, $X[6] - - mov (+8*0)($pA), %rax - mul %rax - mov %rax, (+$pDst_o+8*0)($pDst) - mov %rdx, $A - - mov (+8*1)($pA), %rax - mul %rax - - add $A, $X[0] - adc %rax, $X[1] - adc \$0, %rdx - - mov %rdx, $A - mov $X[0], (+$pDst_o+8*1)($pDst) - mov $X[1], (+$pDst_o+8*2)($pDst) - - mov (+8*2)($pA), %rax - mul %rax - - add $A, $X[2] - adc %rax, $X[3] - adc \$0, %rdx - - mov %rdx, $A - - mov $X[2], (+$pDst_o+8*3)($pDst) - mov $X[3], (+$pDst_o+8*4)($pDst) - - xor $tmp, $tmp - add $A, $X[4] - adc $x6, $X[5] - adc \$0, $tmp - - mov $X[4], (+$pDst_o+8*5)($pDst) - mov $X[5], (+$pDst_o+8*6)($pDst) - - # %%tmp has 0/1 in column 7 - # %%A6 has a full value in column 7 - - mov (+$pDst_o+8*7)($pDst), $X[0] - mov (+$pDst_o+8*8)($pDst), $X[1] - mov (+$pDst_o+8*9)($pDst), $X[2] - mov (+$pDst_o+8*10)($pDst), $X[3] - mov (+$pDst_o+8*11)($pDst), $X[4] - mov (+$pDst_o+8*12)($pDst), $X[5] - mov (+$pDst_o+8*13)($pDst), $x6 - mov (+$pDst_o+8*14)($pDst), $x7 - - mov $X[7], %rax - mul %rax - mov %rax, $X[7] - mov %rdx, $A - - add $X[0], $X[0] - adc $X[1], $X[1] - adc $X[2], $X[2] - adc $X[3], $X[3] - adc $X[4], $X[4] - adc $X[5], $X[5] - adc $x6, $x6 - adc $x7, $x7 - adc \$0, $A - - add $tmp, $X[0] - - mov (+8*4)($pA), %rax - mul %rax - - add $X[6], $X[0] - adc %rax, $X[1] - adc \$0, %rdx - - mov %rdx, $tmp - - mov $X[0], (+$pDst_o+8*7)($pDst) - mov $X[1], (+$pDst_o+8*8)($pDst) - - mov (+8*5)($pA), %rax - mul %rax - - add $tmp, $X[2] - adc %rax, $X[3] - adc \$0, %rdx - - mov %rdx, $tmp - - mov $X[2], (+$pDst_o+8*9)($pDst) - mov $X[3], (+$pDst_o+8*10)($pDst) - - mov (+8*6)($pA), %rax - mul %rax - - add $tmp, $X[4] - adc %rax, $X[5] - adc \$0, %rdx - - mov $X[4], (+$pDst_o+8*11)($pDst) - mov $X[5], (+$pDst_o+8*12)($pDst) - - add %rdx, $x6 - adc $X[7], $x7 - adc \$0, $A - - mov $x6, (+$pDst_o+8*13)($pDst) - mov $x7, (+$pDst_o+8*14)($pDst) - mov $A, (+$pDst_o+8*15)($pDst) -___ -} - -# -# sqr_reduce: subroutine to compute Result = reduce(Result * Result) -# -# input and result also in: r9, r8, r15, r14, r13, r12, r11, r10 -# -$code.=<<___; -.type sqr_reduce,\@abi-omnipotent -.align 16 -sqr_reduce: - _CET_ENDBR - mov (+$pResult_offset+8)(%rsp), %rcx -___ - &SQR_512("%rsp+$tmp16_offset+8", "%rcx", [map("%r$_",(10..15,8..9))], "%rbx", "%rbp", "%rsi", "%rdi"); -$code.=<<___; - # tail recursion optimization: jmp to mont_reduce and return from there - jmp mont_reduce - # call mont_reduce - # ret -.size sqr_reduce,.-sqr_reduce -___ -}}} - -# -# MAIN FUNCTION -# - -#mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */ -# UINT64 *g, /* 512 bits, 8 qwords */ -# UINT64 *exp, /* 512 bits, 8 qwords */ -# struct mod_ctx_512 *data) - -# window size = 5 -# table size = 2^5 = 32 -#table_entries equ 32 -#table_size equ table_entries * 8 -$code.=<<___; -.globl mod_exp_512 -.type mod_exp_512,\@function,4 -mod_exp_512: - _CET_ENDBR - push %rbp - push %rbx - push %r12 - push %r13 - push %r14 - push %r15 - - # adjust stack down and then align it with cache boundary - mov %rsp, %r8 - sub \$$mem_size, %rsp - and \$-64, %rsp - - # store previous stack pointer and arguments - mov %r8, (+$rsp_offset)(%rsp) - mov %rdi, (+$pResult_offset)(%rsp) - mov %rsi, (+$pG_offset)(%rsp) - mov %rcx, (+$pData_offset)(%rsp) -.Lbody: - # transform g into montgomery space - # GT = reduce(g * C2) = reduce(g * (2^256)) - # reduce expects to have the input in [tmp16] - pxor %xmm4, %xmm4 - movdqu (+16*0)(%rsi), %xmm0 - movdqu (+16*1)(%rsi), %xmm1 - movdqu (+16*2)(%rsi), %xmm2 - movdqu (+16*3)(%rsi), %xmm3 - movdqa %xmm4, (+$tmp16_offset+16*0)(%rsp) - movdqa %xmm4, (+$tmp16_offset+16*1)(%rsp) - movdqa %xmm4, (+$tmp16_offset+16*6)(%rsp) - movdqa %xmm4, (+$tmp16_offset+16*7)(%rsp) - movdqa %xmm0, (+$tmp16_offset+16*2)(%rsp) - movdqa %xmm1, (+$tmp16_offset+16*3)(%rsp) - movdqa %xmm2, (+$tmp16_offset+16*4)(%rsp) - movdqa %xmm3, (+$tmp16_offset+16*5)(%rsp) - - # load pExp before rdx gets blown away - movdqu (+16*0)(%rdx), %xmm0 - movdqu (+16*1)(%rdx), %xmm1 - movdqu (+16*2)(%rdx), %xmm2 - movdqu (+16*3)(%rdx), %xmm3 - - lea (+$GT_offset)(%rsp), %rbx - mov %rbx, (+$red_result_addr_offset)(%rsp) - call mont_reduce - - # Initialize tmp = C - lea (+$tmp_offset)(%rsp), %rcx - xor %rax, %rax - mov %rax, (+8*0)(%rcx) - mov %rax, (+8*1)(%rcx) - mov %rax, (+8*3)(%rcx) - mov %rax, (+8*4)(%rcx) - mov %rax, (+8*5)(%rcx) - mov %rax, (+8*6)(%rcx) - mov %rax, (+8*7)(%rcx) - mov %rax, (+$exp_offset+8*8)(%rsp) - movq \$1, (+8*2)(%rcx) - - lea (+$garray_offset)(%rsp), %rbp - mov %rcx, %rsi # pTmp - mov %rbp, %rdi # Garray[][0] -___ - - &swizzle("%rdi", "%rcx", "%rax", "%rbx"); - - # for (rax = 31; rax != 0; rax--) { - # tmp = reduce(tmp * G) - # swizzle(pg, tmp); - # pg += 2; } -$code.=<<___; - mov \$31, %rax - mov %rax, (+$i_offset)(%rsp) - mov %rbp, (+$pg_offset)(%rsp) - # rsi -> pTmp - mov %rsi, (+$red_result_addr_offset)(%rsp) - mov (+8*0)(%rsi), %r10 - mov (+8*1)(%rsi), %r11 - mov (+8*2)(%rsi), %r12 - mov (+8*3)(%rsi), %r13 - mov (+8*4)(%rsi), %r14 - mov (+8*5)(%rsi), %r15 - mov (+8*6)(%rsi), %r8 - mov (+8*7)(%rsi), %r9 -init_loop: - lea (+$GT_offset)(%rsp), %rdi - call mont_mul_a3b - lea (+$tmp_offset)(%rsp), %rsi - mov (+$pg_offset)(%rsp), %rbp - add \$2, %rbp - mov %rbp, (+$pg_offset)(%rsp) - mov %rsi, %rcx # rcx = rsi = addr of tmp -___ - - &swizzle("%rbp", "%rcx", "%rax", "%rbx"); -$code.=<<___; - mov (+$i_offset)(%rsp), %rax - sub \$1, %rax - mov %rax, (+$i_offset)(%rsp) - jne init_loop - - # - # Copy exponent onto stack - movdqa %xmm0, (+$exp_offset+16*0)(%rsp) - movdqa %xmm1, (+$exp_offset+16*1)(%rsp) - movdqa %xmm2, (+$exp_offset+16*2)(%rsp) - movdqa %xmm3, (+$exp_offset+16*3)(%rsp) - - - # - # Do exponentiation - # Initialize result to G[exp{511:507}] - mov (+$exp_offset+62)(%rsp), %eax - mov %rax, %rdx - shr \$11, %rax - and \$0x07FF, %edx - mov %edx, (+$exp_offset+62)(%rsp) - lea (+$garray_offset)(%rsp,%rax,2), %rsi - mov (+$pResult_offset)(%rsp), %rdx -___ - - &unswizzle("%rdx", "%rsi", "%rbp", "%rbx", "%rax"); - - # - # Loop variables - # rcx = [loop_idx] = index: 510-5 to 0 by 5 -$code.=<<___; - movq \$505, (+$loop_idx_offset)(%rsp) - - mov (+$pResult_offset)(%rsp), %rcx - mov %rcx, (+$red_result_addr_offset)(%rsp) - mov (+8*0)(%rcx), %r10 - mov (+8*1)(%rcx), %r11 - mov (+8*2)(%rcx), %r12 - mov (+8*3)(%rcx), %r13 - mov (+8*4)(%rcx), %r14 - mov (+8*5)(%rcx), %r15 - mov (+8*6)(%rcx), %r8 - mov (+8*7)(%rcx), %r9 - jmp sqr_2 - -main_loop_a3b: - call sqr_reduce - call sqr_reduce - call sqr_reduce -sqr_2: - call sqr_reduce - call sqr_reduce - - # - # Do multiply, first look up proper value in Garray - mov (+$loop_idx_offset)(%rsp), %rcx # bit index - mov %rcx, %rax - shr \$4, %rax # rax is word pointer - mov (+$exp_offset)(%rsp,%rax,2), %edx - and \$15, %rcx - shrq %cl, %rdx - and \$0x1F, %rdx - - lea (+$garray_offset)(%rsp,%rdx,2), %rsi - lea (+$tmp_offset)(%rsp), %rdx - mov %rdx, %rdi -___ - - &unswizzle("%rdx", "%rsi", "%rbp", "%rbx", "%rax"); - # rdi = tmp = pG - - # - # Call mod_mul_a1(pDst, pSrc1, pSrc2, pM, pData) - # result result pG M Data -$code.=<<___; - mov (+$pResult_offset)(%rsp), %rsi - call mont_mul_a3b - - # - # finish loop - mov (+$loop_idx_offset)(%rsp), %rcx - sub \$5, %rcx - mov %rcx, (+$loop_idx_offset)(%rsp) - jge main_loop_a3b - - # - -end_main_loop_a3b: - # transform result out of Montgomery space - # result = reduce(result) - mov (+$pResult_offset)(%rsp), %rdx - pxor %xmm4, %xmm4 - movdqu (+16*0)(%rdx), %xmm0 - movdqu (+16*1)(%rdx), %xmm1 - movdqu (+16*2)(%rdx), %xmm2 - movdqu (+16*3)(%rdx), %xmm3 - movdqa %xmm4, (+$tmp16_offset+16*4)(%rsp) - movdqa %xmm4, (+$tmp16_offset+16*5)(%rsp) - movdqa %xmm4, (+$tmp16_offset+16*6)(%rsp) - movdqa %xmm4, (+$tmp16_offset+16*7)(%rsp) - movdqa %xmm0, (+$tmp16_offset+16*0)(%rsp) - movdqa %xmm1, (+$tmp16_offset+16*1)(%rsp) - movdqa %xmm2, (+$tmp16_offset+16*2)(%rsp) - movdqa %xmm3, (+$tmp16_offset+16*3)(%rsp) - call mont_reduce - - # If result > m, subtract m - # load result into r15:r8 - mov (+$pResult_offset)(%rsp), %rax - mov (+8*0)(%rax), %r8 - mov (+8*1)(%rax), %r9 - mov (+8*2)(%rax), %r10 - mov (+8*3)(%rax), %r11 - mov (+8*4)(%rax), %r12 - mov (+8*5)(%rax), %r13 - mov (+8*6)(%rax), %r14 - mov (+8*7)(%rax), %r15 - - # subtract m - mov (+$pData_offset)(%rsp), %rbx - add \$$M, %rbx - - sub (+8*0)(%rbx), %r8 - sbb (+8*1)(%rbx), %r9 - sbb (+8*2)(%rbx), %r10 - sbb (+8*3)(%rbx), %r11 - sbb (+8*4)(%rbx), %r12 - sbb (+8*5)(%rbx), %r13 - sbb (+8*6)(%rbx), %r14 - sbb (+8*7)(%rbx), %r15 - - # if Carry is clear, replace result with difference - mov (+8*0)(%rax), %rsi - mov (+8*1)(%rax), %rdi - mov (+8*2)(%rax), %rcx - mov (+8*3)(%rax), %rdx - cmovnc %r8, %rsi - cmovnc %r9, %rdi - cmovnc %r10, %rcx - cmovnc %r11, %rdx - mov %rsi, (+8*0)(%rax) - mov %rdi, (+8*1)(%rax) - mov %rcx, (+8*2)(%rax) - mov %rdx, (+8*3)(%rax) - - mov (+8*4)(%rax), %rsi - mov (+8*5)(%rax), %rdi - mov (+8*6)(%rax), %rcx - mov (+8*7)(%rax), %rdx - cmovnc %r12, %rsi - cmovnc %r13, %rdi - cmovnc %r14, %rcx - cmovnc %r15, %rdx - mov %rsi, (+8*4)(%rax) - mov %rdi, (+8*5)(%rax) - mov %rcx, (+8*6)(%rax) - mov %rdx, (+8*7)(%rax) - - mov (+$rsp_offset)(%rsp), %rsi - mov 0(%rsi),%r15 - mov 8(%rsi),%r14 - mov 16(%rsi),%r13 - mov 24(%rsi),%r12 - mov 32(%rsi),%rbx - mov 40(%rsi),%rbp - lea 48(%rsi),%rsp -.Lepilogue: - ret -.size mod_exp_512, . - mod_exp_512 -___ - -sub reg_part { -my ($reg,$conv)=@_; - if ($reg =~ /%r[0-9]+/) { $reg .= $conv; } - elsif ($conv eq "b") { $reg =~ s/%[er]([^x]+)x?/%$1l/; } - elsif ($conv eq "w") { $reg =~ s/%[er](.+)/%$1/; } - elsif ($conv eq "d") { $reg =~ s/%[er](.+)/%e$1/; } - return $reg; -} - -$code =~ s/(%[a-z0-9]+)#([bwd])/reg_part($1,$2)/gem; -$code =~ s/\`([^\`]*)\`/eval $1/gem; -$code =~ s/(\(\+[^)]+\))/eval $1/gem; -print $code; -close STDOUT; diff --git a/src/lib/libcrypto/bn/asm/parisc-mont.pl b/src/lib/libcrypto/bn/asm/parisc-mont.pl deleted file mode 100644 index 0c7aff93b9..0000000000 --- a/src/lib/libcrypto/bn/asm/parisc-mont.pl +++ /dev/null @@ -1,985 +0,0 @@ -#!/usr/bin/env perl - -# ==================================================================== -# Written by Andy Polyakov for the OpenSSL -# project. The module is, however, dual licensed under OpenSSL and -# CRYPTOGAMS licenses depending on where you obtain it. For further -# details see http://www.openssl.org/~appro/cryptogams/. -# ==================================================================== - -# On PA-7100LC this module performs ~90-50% better, less for longer -# keys, than code generated by gcc 3.2 for PA-RISC 1.1. Latter means -# that compiler utilized xmpyu instruction to perform 32x32=64-bit -# multiplication, which in turn means that "baseline" performance was -# optimal in respect to instruction set capabilities. Fair comparison -# with vendor compiler is problematic, because OpenSSL doesn't define -# BN_LLONG [presumably] for historical reasons, which drives compiler -# toward 4 times 16x16=32-bit multiplicatons [plus complementary -# shifts and additions] instead. This means that you should observe -# several times improvement over code generated by vendor compiler -# for PA-RISC 1.1, but the "baseline" is far from optimal. The actual -# improvement coefficient was never collected on PA-7100LC, or any -# other 1.1 CPU, because I don't have access to such machine with -# vendor compiler. But to give you a taste, PA-RISC 1.1 code path -# reportedly outperformed code generated by cc +DA1.1 +O3 by factor -# of ~5x on PA-8600. -# -# On PA-RISC 2.0 it has to compete with pa-risc2[W].s, which is -# reportedly ~2x faster than vendor compiler generated code [according -# to comment in pa-risc2[W].s]. Here comes a catch. Execution core of -# this implementation is actually 32-bit one, in the sense that it -# operates on 32-bit values. But pa-risc2[W].s operates on arrays of -# 64-bit BN_LONGs... How do they interoperate then? No problem. This -# module picks halves of 64-bit values in reverse order and pretends -# they were 32-bit BN_LONGs. But can 32-bit core compete with "pure" -# 64-bit code such as pa-risc2[W].s then? Well, the thing is that -# 32x32=64-bit multiplication is the best even PA-RISC 2.0 can do, -# i.e. there is no "wider" multiplication like on most other 64-bit -# platforms. This means that even being effectively 32-bit, this -# implementation performs "64-bit" computational task in same amount -# of arithmetic operations, most notably multiplications. It requires -# more memory references, most notably to tp[num], but this doesn't -# seem to exhaust memory port capacity. And indeed, dedicated PA-RISC -# 2.0 code path provides virtually same performance as pa-risc2[W].s: -# it's ~10% better for shortest key length and ~10% worse for longest -# one. -# -# In case it wasn't clear. The module has two distinct code paths: -# PA-RISC 1.1 and PA-RISC 2.0 ones. Latter features carry-free 64-bit -# additions and 64-bit integer loads, not to mention specific -# instruction scheduling. In 64-bit build naturally only 2.0 code path -# is assembled. In 32-bit application context both code paths are -# assembled, PA-RISC 2.0 CPU is detected at run-time and proper path -# is taken automatically. Also, in 32-bit build the module imposes -# couple of limitations: vector lengths has to be even and vector -# addresses has to be 64-bit aligned. Normally neither is a problem: -# most common key lengths are even and vectors are commonly malloc-ed, -# which ensures alignment. -# -# Special thanks to polarhome.com for providing HP-UX account on -# PA-RISC 1.1 machine, and to correspondent who chose to remain -# anonymous for testing the code on PA-RISC 2.0 machine. - -$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; - -$flavour = shift; -$output = shift; - -open STDOUT,">$output"; - -if ($flavour =~ /64/) { - $LEVEL ="2.0W"; - $SIZE_T =8; - $FRAME_MARKER =80; - $SAVED_RP =16; - $PUSH ="std"; - $PUSHMA ="std,ma"; - $POP ="ldd"; - $POPMB ="ldd,mb"; - $BN_SZ =$SIZE_T; -} else { - $LEVEL ="1.1"; #$LEVEL.="\n\t.ALLOW\t2.0"; - $SIZE_T =4; - $FRAME_MARKER =48; - $SAVED_RP =20; - $PUSH ="stw"; - $PUSHMA ="stwm"; - $POP ="ldw"; - $POPMB ="ldwm"; - $BN_SZ =$SIZE_T; -} - -$FRAME=8*$SIZE_T+$FRAME_MARKER; # 8 saved regs + frame marker - # [+ argument transfer] -$LOCALS=$FRAME-$FRAME_MARKER; -$FRAME+=32; # local variables - -$tp="%r31"; -$ti1="%r29"; -$ti0="%r28"; - -$rp="%r26"; -$ap="%r25"; -$bp="%r24"; -$np="%r23"; -$n0="%r22"; # passed through stack in 32-bit -$num="%r21"; # passed through stack in 32-bit -$idx="%r20"; -$arrsz="%r19"; - -$nm1="%r7"; -$nm0="%r6"; -$ab1="%r5"; -$ab0="%r4"; - -$fp="%r3"; -$hi1="%r2"; -$hi0="%r1"; - -$xfer=$n0; # accommodates [-16..15] offset in fld[dw]s - -$fm0="%fr4"; $fti=$fm0; -$fbi="%fr5L"; -$fn0="%fr5R"; -$fai="%fr6"; $fab0="%fr7"; $fab1="%fr8"; -$fni="%fr9"; $fnm0="%fr10"; $fnm1="%fr11"; - -$code=<<___; - .LEVEL $LEVEL - .text - - .EXPORT bn_mul_mont,ENTRY,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR - .ALIGN 64 -bn_mul_mont - .PROC - .CALLINFO FRAME=`$FRAME-8*$SIZE_T`,NO_CALLS,SAVE_RP,SAVE_SP,ENTRY_GR=6 - .ENTRY - $PUSH %r2,-$SAVED_RP(%sp) ; standard prologue - $PUSHMA %r3,$FRAME(%sp) - $PUSH %r4,`-$FRAME+1*$SIZE_T`(%sp) - $PUSH %r5,`-$FRAME+2*$SIZE_T`(%sp) - $PUSH %r6,`-$FRAME+3*$SIZE_T`(%sp) - $PUSH %r7,`-$FRAME+4*$SIZE_T`(%sp) - $PUSH %r8,`-$FRAME+5*$SIZE_T`(%sp) - $PUSH %r9,`-$FRAME+6*$SIZE_T`(%sp) - $PUSH %r10,`-$FRAME+7*$SIZE_T`(%sp) - ldo -$FRAME(%sp),$fp -___ -$code.=<<___ if ($SIZE_T==4); - ldw `-$FRAME_MARKER-4`($fp),$n0 - ldw `-$FRAME_MARKER-8`($fp),$num - nop - nop ; alignment -___ -$code.=<<___ if ($BN_SZ==4); - comiclr,<= 6,$num,%r0 ; are vectors long enough? - b L\$abort - ldi 0,%r28 ; signal "unhandled" - add,ev %r0,$num,$num ; is $num even? - b L\$abort - nop - or $ap,$np,$ti1 - extru,= $ti1,31,3,%r0 ; are ap and np 64-bit aligned? - b L\$abort - nop - nop ; alignment - nop - - fldws 0($n0),${fn0} - fldws,ma 4($bp),${fbi} ; bp[0] -___ -$code.=<<___ if ($BN_SZ==8); - comib,> 3,$num,L\$abort ; are vectors long enough? - ldi 0,%r28 ; signal "unhandled" - addl $num,$num,$num ; I operate on 32-bit values - - fldws 4($n0),${fn0} ; only low part of n0 - fldws 4($bp),${fbi} ; bp[0] in flipped word order -___ -$code.=<<___; - fldds 0($ap),${fai} ; ap[0,1] - fldds 0($np),${fni} ; np[0,1] - - sh2addl $num,%r0,$arrsz - ldi 31,$hi0 - ldo 36($arrsz),$hi1 ; space for tp[num+1] - andcm $hi1,$hi0,$hi1 ; align - addl $hi1,%sp,%sp - $PUSH $fp,-$SIZE_T(%sp) - - ldo `$LOCALS+16`($fp),$xfer - ldo `$LOCALS+32+4`($fp),$tp - - xmpyu ${fai}L,${fbi},${fab0} ; ap[0]*bp[0] - xmpyu ${fai}R,${fbi},${fab1} ; ap[1]*bp[0] - xmpyu ${fn0},${fab0}R,${fm0} - - addl $arrsz,$ap,$ap ; point at the end - addl $arrsz,$np,$np - subi 0,$arrsz,$idx ; j=0 - ldo 8($idx),$idx ; j++++ - - xmpyu ${fni}L,${fm0}R,${fnm0} ; np[0]*m - xmpyu ${fni}R,${fm0}R,${fnm1} ; np[1]*m - fstds ${fab0},-16($xfer) - fstds ${fnm0},-8($xfer) - fstds ${fab1},0($xfer) - fstds ${fnm1},8($xfer) - flddx $idx($ap),${fai} ; ap[2,3] - flddx $idx($np),${fni} ; np[2,3] -___ -$code.=<<___ if ($BN_SZ==4); -#ifdef __LP64__ - mtctl $hi0,%cr11 ; $hi0 still holds 31 - extrd,u,*= $hi0,%sar,1,$hi0 ; executes on PA-RISC 1.0 - b L\$parisc11 - nop -___ -$code.=<<___; # PA-RISC 2.0 code-path - xmpyu ${fai}L,${fbi},${fab0} ; ap[j]*bp[0] - xmpyu ${fni}L,${fm0}R,${fnm0} ; np[j]*m - ldd -16($xfer),$ab0 - fstds ${fab0},-16($xfer) - - extrd,u $ab0,31,32,$hi0 - extrd,u $ab0,63,32,$ab0 - ldd -8($xfer),$nm0 - fstds ${fnm0},-8($xfer) - ldo 8($idx),$idx ; j++++ - addl $ab0,$nm0,$nm0 ; low part is discarded - extrd,u $nm0,31,32,$hi1 - -L\$1st - xmpyu ${fai}R,${fbi},${fab1} ; ap[j+1]*bp[0] - xmpyu ${fni}R,${fm0}R,${fnm1} ; np[j+1]*m - ldd 0($xfer),$ab1 - fstds ${fab1},0($xfer) - addl $hi0,$ab1,$ab1 - extrd,u $ab1,31,32,$hi0 - ldd 8($xfer),$nm1 - fstds ${fnm1},8($xfer) - extrd,u $ab1,63,32,$ab1 - addl $hi1,$nm1,$nm1 - flddx $idx($ap),${fai} ; ap[j,j+1] - flddx $idx($np),${fni} ; np[j,j+1] - addl $ab1,$nm1,$nm1 - extrd,u $nm1,31,32,$hi1 - - xmpyu ${fai}L,${fbi},${fab0} ; ap[j]*bp[0] - xmpyu ${fni}L,${fm0}R,${fnm0} ; np[j]*m - ldd -16($xfer),$ab0 - fstds ${fab0},-16($xfer) - addl $hi0,$ab0,$ab0 - extrd,u $ab0,31,32,$hi0 - ldd -8($xfer),$nm0 - fstds ${fnm0},-8($xfer) - extrd,u $ab0,63,32,$ab0 - addl $hi1,$nm0,$nm0 - stw $nm1,-4($tp) ; tp[j-1] - addl $ab0,$nm0,$nm0 - stw,ma $nm0,8($tp) ; tp[j-1] - addib,<> 8,$idx,L\$1st ; j++++ - extrd,u $nm0,31,32,$hi1 - - xmpyu ${fai}R,${fbi},${fab1} ; ap[j]*bp[0] - xmpyu ${fni}R,${fm0}R,${fnm1} ; np[j]*m - ldd 0($xfer),$ab1 - fstds ${fab1},0($xfer) - addl $hi0,$ab1,$ab1 - extrd,u $ab1,31,32,$hi0 - ldd 8($xfer),$nm1 - fstds ${fnm1},8($xfer) - extrd,u $ab1,63,32,$ab1 - addl $hi1,$nm1,$nm1 - ldd -16($xfer),$ab0 - addl $ab1,$nm1,$nm1 - ldd -8($xfer),$nm0 - extrd,u $nm1,31,32,$hi1 - - addl $hi0,$ab0,$ab0 - extrd,u $ab0,31,32,$hi0 - stw $nm1,-4($tp) ; tp[j-1] - extrd,u $ab0,63,32,$ab0 - addl $hi1,$nm0,$nm0 - ldd 0($xfer),$ab1 - addl $ab0,$nm0,$nm0 - ldd,mb 8($xfer),$nm1 - extrd,u $nm0,31,32,$hi1 - stw,ma $nm0,8($tp) ; tp[j-1] - - ldo -1($num),$num ; i-- - subi 0,$arrsz,$idx ; j=0 -___ -$code.=<<___ if ($BN_SZ==4); - fldws,ma 4($bp),${fbi} ; bp[1] -___ -$code.=<<___ if ($BN_SZ==8); - fldws 0($bp),${fbi} ; bp[1] in flipped word order -___ -$code.=<<___; - flddx $idx($ap),${fai} ; ap[0,1] - flddx $idx($np),${fni} ; np[0,1] - fldws 8($xfer),${fti}R ; tp[0] - addl $hi0,$ab1,$ab1 - extrd,u $ab1,31,32,$hi0 - extrd,u $ab1,63,32,$ab1 - ldo 8($idx),$idx ; j++++ - xmpyu ${fai}L,${fbi},${fab0} ; ap[0]*bp[1] - xmpyu ${fai}R,${fbi},${fab1} ; ap[1]*bp[1] - addl $hi1,$nm1,$nm1 - addl $ab1,$nm1,$nm1 - extrd,u $nm1,31,32,$hi1 - fstws,mb ${fab0}L,-8($xfer) ; save high part - stw $nm1,-4($tp) ; tp[j-1] - - fcpy,sgl %fr0,${fti}L ; zero high part - fcpy,sgl %fr0,${fab0}L - addl $hi1,$hi0,$hi0 - extrd,u $hi0,31,32,$hi1 - fcnvxf,dbl,dbl ${fti},${fti} ; 32-bit unsigned int -> double - fcnvxf,dbl,dbl ${fab0},${fab0} - stw $hi0,0($tp) - stw $hi1,4($tp) - - fadd,dbl ${fti},${fab0},${fab0} ; add tp[0] - fcnvfx,dbl,dbl ${fab0},${fab0} ; double -> 33-bit unsigned int - xmpyu ${fn0},${fab0}R,${fm0} - ldo `$LOCALS+32+4`($fp),$tp -L\$outer - xmpyu ${fni}L,${fm0}R,${fnm0} ; np[0]*m - xmpyu ${fni}R,${fm0}R,${fnm1} ; np[1]*m - fstds ${fab0},-16($xfer) ; 33-bit value - fstds ${fnm0},-8($xfer) - flddx $idx($ap),${fai} ; ap[2] - flddx $idx($np),${fni} ; np[2] - ldo 8($idx),$idx ; j++++ - ldd -16($xfer),$ab0 ; 33-bit value - ldd -8($xfer),$nm0 - ldw 0($xfer),$hi0 ; high part - - xmpyu ${fai}L,${fbi},${fab0} ; ap[j]*bp[i] - xmpyu ${fni}L,${fm0}R,${fnm0} ; np[j]*m - extrd,u $ab0,31,32,$ti0 ; carry bit - extrd,u $ab0,63,32,$ab0 - fstds ${fab1},0($xfer) - addl $ti0,$hi0,$hi0 ; account carry bit - fstds ${fnm1},8($xfer) - addl $ab0,$nm0,$nm0 ; low part is discarded - ldw 0($tp),$ti1 ; tp[1] - extrd,u $nm0,31,32,$hi1 - fstds ${fab0},-16($xfer) - fstds ${fnm0},-8($xfer) - -L\$inner - xmpyu ${fai}R,${fbi},${fab1} ; ap[j+1]*bp[i] - xmpyu ${fni}R,${fm0}R,${fnm1} ; np[j+1]*m - ldd 0($xfer),$ab1 - fstds ${fab1},0($xfer) - addl $hi0,$ti1,$ti1 - addl $ti1,$ab1,$ab1 - ldd 8($xfer),$nm1 - fstds ${fnm1},8($xfer) - extrd,u $ab1,31,32,$hi0 - extrd,u $ab1,63,32,$ab1 - flddx $idx($ap),${fai} ; ap[j,j+1] - flddx $idx($np),${fni} ; np[j,j+1] - addl $hi1,$nm1,$nm1 - addl $ab1,$nm1,$nm1 - ldw 4($tp),$ti0 ; tp[j] - stw $nm1,-4($tp) ; tp[j-1] - - xmpyu ${fai}L,${fbi},${fab0} ; ap[j]*bp[i] - xmpyu ${fni}L,${fm0}R,${fnm0} ; np[j]*m - ldd -16($xfer),$ab0 - fstds ${fab0},-16($xfer) - addl $hi0,$ti0,$ti0 - addl $ti0,$ab0,$ab0 - ldd -8($xfer),$nm0 - fstds ${fnm0},-8($xfer) - extrd,u $ab0,31,32,$hi0 - extrd,u $nm1,31,32,$hi1 - ldw 8($tp),$ti1 ; tp[j] - extrd,u $ab0,63,32,$ab0 - addl $hi1,$nm0,$nm0 - addl $ab0,$nm0,$nm0 - stw,ma $nm0,8($tp) ; tp[j-1] - addib,<> 8,$idx,L\$inner ; j++++ - extrd,u $nm0,31,32,$hi1 - - xmpyu ${fai}R,${fbi},${fab1} ; ap[j]*bp[i] - xmpyu ${fni}R,${fm0}R,${fnm1} ; np[j]*m - ldd 0($xfer),$ab1 - fstds ${fab1},0($xfer) - addl $hi0,$ti1,$ti1 - addl $ti1,$ab1,$ab1 - ldd 8($xfer),$nm1 - fstds ${fnm1},8($xfer) - extrd,u $ab1,31,32,$hi0 - extrd,u $ab1,63,32,$ab1 - ldw 4($tp),$ti0 ; tp[j] - addl $hi1,$nm1,$nm1 - addl $ab1,$nm1,$nm1 - ldd -16($xfer),$ab0 - ldd -8($xfer),$nm0 - extrd,u $nm1,31,32,$hi1 - - addl $hi0,$ab0,$ab0 - addl $ti0,$ab0,$ab0 - stw $nm1,-4($tp) ; tp[j-1] - extrd,u $ab0,31,32,$hi0 - ldw 8($tp),$ti1 ; tp[j] - extrd,u $ab0,63,32,$ab0 - addl $hi1,$nm0,$nm0 - ldd 0($xfer),$ab1 - addl $ab0,$nm0,$nm0 - ldd,mb 8($xfer),$nm1 - extrd,u $nm0,31,32,$hi1 - stw,ma $nm0,8($tp) ; tp[j-1] - - addib,= -1,$num,L\$outerdone ; i-- - subi 0,$arrsz,$idx ; j=0 -___ -$code.=<<___ if ($BN_SZ==4); - fldws,ma 4($bp),${fbi} ; bp[i] -___ -$code.=<<___ if ($BN_SZ==8); - ldi 12,$ti0 ; bp[i] in flipped word order - addl,ev %r0,$num,$num - ldi -4,$ti0 - addl $ti0,$bp,$bp - fldws 0($bp),${fbi} -___ -$code.=<<___; - flddx $idx($ap),${fai} ; ap[0] - addl $hi0,$ab1,$ab1 - flddx $idx($np),${fni} ; np[0] - fldws 8($xfer),${fti}R ; tp[0] - addl $ti1,$ab1,$ab1 - extrd,u $ab1,31,32,$hi0 - extrd,u $ab1,63,32,$ab1 - - ldo 8($idx),$idx ; j++++ - xmpyu ${fai}L,${fbi},${fab0} ; ap[0]*bp[i] - xmpyu ${fai}R,${fbi},${fab1} ; ap[1]*bp[i] - ldw 4($tp),$ti0 ; tp[j] - - addl $hi1,$nm1,$nm1 - fstws,mb ${fab0}L,-8($xfer) ; save high part - addl $ab1,$nm1,$nm1 - extrd,u $nm1,31,32,$hi1 - fcpy,sgl %fr0,${fti}L ; zero high part - fcpy,sgl %fr0,${fab0}L - stw $nm1,-4($tp) ; tp[j-1] - - fcnvxf,dbl,dbl ${fti},${fti} ; 32-bit unsigned int -> double - fcnvxf,dbl,dbl ${fab0},${fab0} - addl $hi1,$hi0,$hi0 - fadd,dbl ${fti},${fab0},${fab0} ; add tp[0] - addl $ti0,$hi0,$hi0 - extrd,u $hi0,31,32,$hi1 - fcnvfx,dbl,dbl ${fab0},${fab0} ; double -> 33-bit unsigned int - stw $hi0,0($tp) - stw $hi1,4($tp) - xmpyu ${fn0},${fab0}R,${fm0} - - b L\$outer - ldo `$LOCALS+32+4`($fp),$tp - -L\$outerdone - addl $hi0,$ab1,$ab1 - addl $ti1,$ab1,$ab1 - extrd,u $ab1,31,32,$hi0 - extrd,u $ab1,63,32,$ab1 - - ldw 4($tp),$ti0 ; tp[j] - - addl $hi1,$nm1,$nm1 - addl $ab1,$nm1,$nm1 - extrd,u $nm1,31,32,$hi1 - stw $nm1,-4($tp) ; tp[j-1] - - addl $hi1,$hi0,$hi0 - addl $ti0,$hi0,$hi0 - extrd,u $hi0,31,32,$hi1 - stw $hi0,0($tp) - stw $hi1,4($tp) - - ldo `$LOCALS+32`($fp),$tp - sub %r0,%r0,%r0 ; clear borrow -___ -$code.=<<___ if ($BN_SZ==4); - ldws,ma 4($tp),$ti0 - extru,= $rp,31,3,%r0 ; is rp 64-bit aligned? - b L\$sub_pa11 - addl $tp,$arrsz,$tp -L\$sub - ldwx $idx($np),$hi0 - subb $ti0,$hi0,$hi1 - ldwx $idx($tp),$ti0 - addib,<> 4,$idx,L\$sub - stws,ma $hi1,4($rp) - - subb $ti0,%r0,$hi1 - ldo -4($tp),$tp -___ -$code.=<<___ if ($BN_SZ==8); - ldd,ma 8($tp),$ti0 -L\$sub - ldd $idx($np),$hi0 - shrpd $ti0,$ti0,32,$ti0 ; flip word order - std $ti0,-8($tp) ; save flipped value - sub,db $ti0,$hi0,$hi1 - ldd,ma 8($tp),$ti0 - addib,<> 8,$idx,L\$sub - std,ma $hi1,8($rp) - - extrd,u $ti0,31,32,$ti0 ; carry in flipped word order - sub,db $ti0,%r0,$hi1 - ldo -8($tp),$tp -___ -$code.=<<___; - and $tp,$hi1,$ap - andcm $rp,$hi1,$bp - or $ap,$bp,$np - - sub $rp,$arrsz,$rp ; rewind rp - subi 0,$arrsz,$idx - ldo `$LOCALS+32`($fp),$tp -L\$copy - ldd $idx($np),$hi0 - std,ma %r0,8($tp) - addib,<> 8,$idx,.-8 ; L\$copy - std,ma $hi0,8($rp) -___ - -if ($BN_SZ==4) { # PA-RISC 1.1 code-path -$ablo=$ab0; -$abhi=$ab1; -$nmlo0=$nm0; -$nmhi0=$nm1; -$nmlo1="%r9"; -$nmhi1="%r8"; - -$code.=<<___; - b L\$done - nop - - .ALIGN 8 -L\$parisc11 -#endif - xmpyu ${fai}L,${fbi},${fab0} ; ap[j]*bp[0] - xmpyu ${fni}L,${fm0}R,${fnm0} ; np[j]*m - ldw -12($xfer),$ablo - ldw -16($xfer),$hi0 - ldw -4($xfer),$nmlo0 - ldw -8($xfer),$nmhi0 - fstds ${fab0},-16($xfer) - fstds ${fnm0},-8($xfer) - - ldo 8($idx),$idx ; j++++ - add $ablo,$nmlo0,$nmlo0 ; discarded - addc %r0,$nmhi0,$hi1 - ldw 4($xfer),$ablo - ldw 0($xfer),$abhi - nop - -L\$1st_pa11 - xmpyu ${fai}R,${fbi},${fab1} ; ap[j+1]*bp[0] - flddx $idx($ap),${fai} ; ap[j,j+1] - xmpyu ${fni}R,${fm0}R,${fnm1} ; np[j+1]*m - flddx $idx($np),${fni} ; np[j,j+1] - add $hi0,$ablo,$ablo - ldw 12($xfer),$nmlo1 - addc %r0,$abhi,$hi0 - ldw 8($xfer),$nmhi1 - add $ablo,$nmlo1,$nmlo1 - fstds ${fab1},0($xfer) - addc %r0,$nmhi1,$nmhi1 - fstds ${fnm1},8($xfer) - add $hi1,$nmlo1,$nmlo1 - ldw -12($xfer),$ablo - addc %r0,$nmhi1,$hi1 - ldw -16($xfer),$abhi - - xmpyu ${fai}L,${fbi},${fab0} ; ap[j]*bp[0] - ldw -4($xfer),$nmlo0 - xmpyu ${fni}L,${fm0}R,${fnm0} ; np[j]*m - ldw -8($xfer),$nmhi0 - add $hi0,$ablo,$ablo - stw $nmlo1,-4($tp) ; tp[j-1] - addc %r0,$abhi,$hi0 - fstds ${fab0},-16($xfer) - add $ablo,$nmlo0,$nmlo0 - fstds ${fnm0},-8($xfer) - addc %r0,$nmhi0,$nmhi0 - ldw 0($xfer),$abhi - add $hi1,$nmlo0,$nmlo0 - ldw 4($xfer),$ablo - stws,ma $nmlo0,8($tp) ; tp[j-1] - addib,<> 8,$idx,L\$1st_pa11 ; j++++ - addc %r0,$nmhi0,$hi1 - - ldw 8($xfer),$nmhi1 - ldw 12($xfer),$nmlo1 - xmpyu ${fai}R,${fbi},${fab1} ; ap[j]*bp[0] - xmpyu ${fni}R,${fm0}R,${fnm1} ; np[j]*m - add $hi0,$ablo,$ablo - fstds ${fab1},0($xfer) - addc %r0,$abhi,$hi0 - fstds ${fnm1},8($xfer) - add $ablo,$nmlo1,$nmlo1 - ldw -16($xfer),$abhi - addc %r0,$nmhi1,$nmhi1 - ldw -12($xfer),$ablo - add $hi1,$nmlo1,$nmlo1 - ldw -8($xfer),$nmhi0 - addc %r0,$nmhi1,$hi1 - ldw -4($xfer),$nmlo0 - - add $hi0,$ablo,$ablo - stw $nmlo1,-4($tp) ; tp[j-1] - addc %r0,$abhi,$hi0 - ldw 0($xfer),$abhi - add $ablo,$nmlo0,$nmlo0 - ldw 4($xfer),$ablo - addc %r0,$nmhi0,$nmhi0 - ldws,mb 8($xfer),$nmhi1 - add $hi1,$nmlo0,$nmlo0 - ldw 4($xfer),$nmlo1 - addc %r0,$nmhi0,$hi1 - stws,ma $nmlo0,8($tp) ; tp[j-1] - - ldo -1($num),$num ; i-- - subi 0,$arrsz,$idx ; j=0 - - fldws,ma 4($bp),${fbi} ; bp[1] - flddx $idx($ap),${fai} ; ap[0,1] - flddx $idx($np),${fni} ; np[0,1] - fldws 8($xfer),${fti}R ; tp[0] - add $hi0,$ablo,$ablo - addc %r0,$abhi,$hi0 - ldo 8($idx),$idx ; j++++ - xmpyu ${fai}L,${fbi},${fab0} ; ap[0]*bp[1] - xmpyu ${fai}R,${fbi},${fab1} ; ap[1]*bp[1] - add $hi1,$nmlo1,$nmlo1 - addc %r0,$nmhi1,$nmhi1 - add $ablo,$nmlo1,$nmlo1 - addc %r0,$nmhi1,$hi1 - fstws,mb ${fab0}L,-8($xfer) ; save high part - stw $nmlo1,-4($tp) ; tp[j-1] - - fcpy,sgl %fr0,${fti}L ; zero high part - fcpy,sgl %fr0,${fab0}L - add $hi1,$hi0,$hi0 - addc %r0,%r0,$hi1 - fcnvxf,dbl,dbl ${fti},${fti} ; 32-bit unsigned int -> double - fcnvxf,dbl,dbl ${fab0},${fab0} - stw $hi0,0($tp) - stw $hi1,4($tp) - - fadd,dbl ${fti},${fab0},${fab0} ; add tp[0] - fcnvfx,dbl,dbl ${fab0},${fab0} ; double -> 33-bit unsigned int - xmpyu ${fn0},${fab0}R,${fm0} - ldo `$LOCALS+32+4`($fp),$tp -L\$outer_pa11 - xmpyu ${fni}L,${fm0}R,${fnm0} ; np[0]*m - xmpyu ${fni}R,${fm0}R,${fnm1} ; np[1]*m - fstds ${fab0},-16($xfer) ; 33-bit value - fstds ${fnm0},-8($xfer) - flddx $idx($ap),${fai} ; ap[2,3] - flddx $idx($np),${fni} ; np[2,3] - ldw -16($xfer),$abhi ; carry bit actually - ldo 8($idx),$idx ; j++++ - ldw -12($xfer),$ablo - ldw -8($xfer),$nmhi0 - ldw -4($xfer),$nmlo0 - ldw 0($xfer),$hi0 ; high part - - xmpyu ${fai}L,${fbi},${fab0} ; ap[j]*bp[i] - xmpyu ${fni}L,${fm0}R,${fnm0} ; np[j]*m - fstds ${fab1},0($xfer) - addl $abhi,$hi0,$hi0 ; account carry bit - fstds ${fnm1},8($xfer) - add $ablo,$nmlo0,$nmlo0 ; discarded - ldw 0($tp),$ti1 ; tp[1] - addc %r0,$nmhi0,$hi1 - fstds ${fab0},-16($xfer) - fstds ${fnm0},-8($xfer) - ldw 4($xfer),$ablo - ldw 0($xfer),$abhi - -L\$inner_pa11 - xmpyu ${fai}R,${fbi},${fab1} ; ap[j+1]*bp[i] - flddx $idx($ap),${fai} ; ap[j,j+1] - xmpyu ${fni}R,${fm0}R,${fnm1} ; np[j+1]*m - flddx $idx($np),${fni} ; np[j,j+1] - add $hi0,$ablo,$ablo - ldw 4($tp),$ti0 ; tp[j] - addc %r0,$abhi,$abhi - ldw 12($xfer),$nmlo1 - add $ti1,$ablo,$ablo - ldw 8($xfer),$nmhi1 - addc %r0,$abhi,$hi0 - fstds ${fab1},0($xfer) - add $ablo,$nmlo1,$nmlo1 - fstds ${fnm1},8($xfer) - addc %r0,$nmhi1,$nmhi1 - ldw -12($xfer),$ablo - add $hi1,$nmlo1,$nmlo1 - ldw -16($xfer),$abhi - addc %r0,$nmhi1,$hi1 - - xmpyu ${fai}L,${fbi},${fab0} ; ap[j]*bp[i] - ldw 8($tp),$ti1 ; tp[j] - xmpyu ${fni}L,${fm0}R,${fnm0} ; np[j]*m - ldw -4($xfer),$nmlo0 - add $hi0,$ablo,$ablo - ldw -8($xfer),$nmhi0 - addc %r0,$abhi,$abhi - stw $nmlo1,-4($tp) ; tp[j-1] - add $ti0,$ablo,$ablo - fstds ${fab0},-16($xfer) - addc %r0,$abhi,$hi0 - fstds ${fnm0},-8($xfer) - add $ablo,$nmlo0,$nmlo0 - ldw 4($xfer),$ablo - addc %r0,$nmhi0,$nmhi0 - ldw 0($xfer),$abhi - add $hi1,$nmlo0,$nmlo0 - stws,ma $nmlo0,8($tp) ; tp[j-1] - addib,<> 8,$idx,L\$inner_pa11 ; j++++ - addc %r0,$nmhi0,$hi1 - - xmpyu ${fai}R,${fbi},${fab1} ; ap[j]*bp[i] - ldw 12($xfer),$nmlo1 - xmpyu ${fni}R,${fm0}R,${fnm1} ; np[j]*m - ldw 8($xfer),$nmhi1 - add $hi0,$ablo,$ablo - ldw 4($tp),$ti0 ; tp[j] - addc %r0,$abhi,$abhi - fstds ${fab1},0($xfer) - add $ti1,$ablo,$ablo - fstds ${fnm1},8($xfer) - addc %r0,$abhi,$hi0 - ldw -16($xfer),$abhi - add $ablo,$nmlo1,$nmlo1 - ldw -12($xfer),$ablo - addc %r0,$nmhi1,$nmhi1 - ldw -8($xfer),$nmhi0 - add $hi1,$nmlo1,$nmlo1 - ldw -4($xfer),$nmlo0 - addc %r0,$nmhi1,$hi1 - - add $hi0,$ablo,$ablo - stw $nmlo1,-4($tp) ; tp[j-1] - addc %r0,$abhi,$abhi - add $ti0,$ablo,$ablo - ldw 8($tp),$ti1 ; tp[j] - addc %r0,$abhi,$hi0 - ldw 0($xfer),$abhi - add $ablo,$nmlo0,$nmlo0 - ldw 4($xfer),$ablo - addc %r0,$nmhi0,$nmhi0 - ldws,mb 8($xfer),$nmhi1 - add $hi1,$nmlo0,$nmlo0 - ldw 4($xfer),$nmlo1 - addc %r0,$nmhi0,$hi1 - stws,ma $nmlo0,8($tp) ; tp[j-1] - - addib,= -1,$num,L\$outerdone_pa11; i-- - subi 0,$arrsz,$idx ; j=0 - - fldws,ma 4($bp),${fbi} ; bp[i] - flddx $idx($ap),${fai} ; ap[0] - add $hi0,$ablo,$ablo - addc %r0,$abhi,$abhi - flddx $idx($np),${fni} ; np[0] - fldws 8($xfer),${fti}R ; tp[0] - add $ti1,$ablo,$ablo - addc %r0,$abhi,$hi0 - - ldo 8($idx),$idx ; j++++ - xmpyu ${fai}L,${fbi},${fab0} ; ap[0]*bp[i] - xmpyu ${fai}R,${fbi},${fab1} ; ap[1]*bp[i] - ldw 4($tp),$ti0 ; tp[j] - - add $hi1,$nmlo1,$nmlo1 - addc %r0,$nmhi1,$nmhi1 - fstws,mb ${fab0}L,-8($xfer) ; save high part - add $ablo,$nmlo1,$nmlo1 - addc %r0,$nmhi1,$hi1 - fcpy,sgl %fr0,${fti}L ; zero high part - fcpy,sgl %fr0,${fab0}L - stw $nmlo1,-4($tp) ; tp[j-1] - - fcnvxf,dbl,dbl ${fti},${fti} ; 32-bit unsigned int -> double - fcnvxf,dbl,dbl ${fab0},${fab0} - add $hi1,$hi0,$hi0 - addc %r0,%r0,$hi1 - fadd,dbl ${fti},${fab0},${fab0} ; add tp[0] - add $ti0,$hi0,$hi0 - addc %r0,$hi1,$hi1 - fcnvfx,dbl,dbl ${fab0},${fab0} ; double -> 33-bit unsigned int - stw $hi0,0($tp) - stw $hi1,4($tp) - xmpyu ${fn0},${fab0}R,${fm0} - - b L\$outer_pa11 - ldo `$LOCALS+32+4`($fp),$tp - -L\$outerdone_pa11 - add $hi0,$ablo,$ablo - addc %r0,$abhi,$abhi - add $ti1,$ablo,$ablo - addc %r0,$abhi,$hi0 - - ldw 4($tp),$ti0 ; tp[j] - - add $hi1,$nmlo1,$nmlo1 - addc %r0,$nmhi1,$nmhi1 - add $ablo,$nmlo1,$nmlo1 - addc %r0,$nmhi1,$hi1 - stw $nmlo1,-4($tp) ; tp[j-1] - - add $hi1,$hi0,$hi0 - addc %r0,%r0,$hi1 - add $ti0,$hi0,$hi0 - addc %r0,$hi1,$hi1 - stw $hi0,0($tp) - stw $hi1,4($tp) - - ldo `$LOCALS+32+4`($fp),$tp - sub %r0,%r0,%r0 ; clear borrow - ldw -4($tp),$ti0 - addl $tp,$arrsz,$tp -L\$sub_pa11 - ldwx $idx($np),$hi0 - subb $ti0,$hi0,$hi1 - ldwx $idx($tp),$ti0 - addib,<> 4,$idx,L\$sub_pa11 - stws,ma $hi1,4($rp) - - subb $ti0,%r0,$hi1 - ldo -4($tp),$tp - and $tp,$hi1,$ap - andcm $rp,$hi1,$bp - or $ap,$bp,$np - - sub $rp,$arrsz,$rp ; rewind rp - subi 0,$arrsz,$idx - ldo `$LOCALS+32`($fp),$tp -L\$copy_pa11 - ldwx $idx($np),$hi0 - stws,ma %r0,4($tp) - addib,<> 4,$idx,L\$copy_pa11 - stws,ma $hi0,4($rp) - - nop ; alignment -L\$done -___ -} - -$code.=<<___; - ldi 1,%r28 ; signal "handled" - ldo $FRAME($fp),%sp ; destroy tp[num+1] - - $POP `-$FRAME-$SAVED_RP`(%sp),%r2 ; standard epilogue - $POP `-$FRAME+1*$SIZE_T`(%sp),%r4 - $POP `-$FRAME+2*$SIZE_T`(%sp),%r5 - $POP `-$FRAME+3*$SIZE_T`(%sp),%r6 - $POP `-$FRAME+4*$SIZE_T`(%sp),%r7 - $POP `-$FRAME+5*$SIZE_T`(%sp),%r8 - $POP `-$FRAME+6*$SIZE_T`(%sp),%r9 - $POP `-$FRAME+7*$SIZE_T`(%sp),%r10 -L\$abort - bv (%r2) - .EXIT - $POPMB -$FRAME(%sp),%r3 - .PROCEND -___ - -# Explicitly encode PA-RISC 2.0 instructions used in this module, so -# that it can be compiled with .LEVEL 1.0. It should be noted that I -# wouldn't have to do this, if GNU assembler understood .ALLOW 2.0 -# directive... - -my $ldd = sub { - my ($mod,$args) = @_; - my $orig = "ldd$mod\t$args"; - - if ($args =~ /%r([0-9]+)\(%r([0-9]+)\),%r([0-9]+)/) # format 4 - { my $opcode=(0x03<<26)|($2<<21)|($1<<16)|(3<<6)|$3; - sprintf "\t.WORD\t0x%08x\t; %s",$opcode,$orig; - } - elsif ($args =~ /(\-?[0-9]+)\(%r([0-9]+)\),%r([0-9]+)/) # format 5 - { my $opcode=(0x03<<26)|($2<<21)|(1<<12)|(3<<6)|$3; - $opcode|=(($1&0xF)<<17)|(($1&0x10)<<12); # encode offset - $opcode|=(1<<5) if ($mod =~ /^,m/); - $opcode|=(1<<13) if ($mod =~ /^,mb/); - sprintf "\t.WORD\t0x%08x\t; %s",$opcode,$orig; - } - else { "\t".$orig; } -}; - -my $std = sub { - my ($mod,$args) = @_; - my $orig = "std$mod\t$args"; - - if ($args =~ /%r([0-9]+),(\-?[0-9]+)\(%r([0-9]+)\)/) # format 6 - { my $opcode=(0x03<<26)|($3<<21)|($1<<16)|(1<<12)|(0xB<<6); - $opcode|=(($2&0xF)<<1)|(($2&0x10)>>4); # encode offset - $opcode|=(1<<5) if ($mod =~ /^,m/); - $opcode|=(1<<13) if ($mod =~ /^,mb/); - sprintf "\t.WORD\t0x%08x\t; %s",$opcode,$orig; - } - else { "\t".$orig; } -}; - -my $extrd = sub { - my ($mod,$args) = @_; - my $orig = "extrd$mod\t$args"; - - # I only have ",u" completer, it's implicitly encoded... - if ($args =~ /%r([0-9]+),([0-9]+),([0-9]+),%r([0-9]+)/) # format 15 - { my $opcode=(0x36<<26)|($1<<21)|($4<<16); - my $len=32-$3; - $opcode |= (($2&0x20)<<6)|(($2&0x1f)<<5); # encode pos - $opcode |= (($len&0x20)<<7)|($len&0x1f); # encode len - sprintf "\t.WORD\t0x%08x\t; %s",$opcode,$orig; - } - elsif ($args =~ /%r([0-9]+),%sar,([0-9]+),%r([0-9]+)/) # format 12 - { my $opcode=(0x34<<26)|($1<<21)|($3<<16)|(2<<11)|(1<<9); - my $len=32-$2; - $opcode |= (($len&0x20)<<3)|($len&0x1f); # encode len - $opcode |= (1<<13) if ($mod =~ /,\**=/); - sprintf "\t.WORD\t0x%08x\t; %s",$opcode,$orig; - } - else { "\t".$orig; } -}; - -my $shrpd = sub { - my ($mod,$args) = @_; - my $orig = "shrpd$mod\t$args"; - - if ($args =~ /%r([0-9]+),%r([0-9]+),([0-9]+),%r([0-9]+)/) # format 14 - { my $opcode=(0x34<<26)|($2<<21)|($1<<16)|(1<<10)|$4; - my $cpos=63-$3; - $opcode |= (($cpos&0x20)<<6)|(($cpos&0x1f)<<5); # encode sa - sprintf "\t.WORD\t0x%08x\t; %s",$opcode,$orig; - } - else { "\t".$orig; } -}; - -my $sub = sub { - my ($mod,$args) = @_; - my $orig = "sub$mod\t$args"; - - if ($mod eq ",db" && $args =~ /%r([0-9]+),%r([0-9]+),%r([0-9]+)/) { - my $opcode=(0x02<<26)|($2<<21)|($1<<16)|$3; - $opcode|=(1<<10); # e1 - $opcode|=(1<<8); # e2 - $opcode|=(1<<5); # d - sprintf "\t.WORD\t0x%08x\t; %s",$opcode,$orig - } - else { "\t".$orig; } -}; - -sub assemble { - my ($mnemonic,$mod,$args)=@_; - my $opcode = eval("\$$mnemonic"); - - ref($opcode) eq 'CODE' ? &$opcode($mod,$args) : "\t$mnemonic$mod\t$args"; -} - -foreach (split("\n",$code)) { - s/\`([^\`]*)\`/eval $1/ge; - # flip word order in 64-bit mode... - s/(xmpyu\s+)($fai|$fni)([LR])/$1.$2.($3 eq "L"?"R":"L")/e if ($BN_SZ==8); - # assemble 2.0 instructions in 32-bit mode... - s/^\s+([a-z]+)([\S]*)\s+([\S]*)/&assemble($1,$2,$3)/e if ($BN_SZ==4); - - s/\bbv\b/bve/gm if ($SIZE_T==8); - - print $_,"\n"; -} -close STDOUT; diff --git a/src/lib/libcrypto/bn/asm/ppc-mont.pl b/src/lib/libcrypto/bn/asm/ppc-mont.pl deleted file mode 100644 index 68320a87f7..0000000000 --- a/src/lib/libcrypto/bn/asm/ppc-mont.pl +++ /dev/null @@ -1,329 +0,0 @@ -#!/usr/bin/env perl - -# ==================================================================== -# Written by Andy Polyakov for the OpenSSL -# project. The module is, however, dual licensed under OpenSSL and -# CRYPTOGAMS licenses depending on where you obtain it. For further -# details see http://www.openssl.org/~appro/cryptogams/. -# ==================================================================== - -# April 2006 - -# "Teaser" Montgomery multiplication module for PowerPC. It's possible -# to gain a bit more by modulo-scheduling outer loop, then dedicated -# squaring procedure should give further 20% and code can be adapted -# for 32-bit application running on 64-bit CPU. As for the latter. -# It won't be able to achieve "native" 64-bit performance, because in -# 32-bit application context every addc instruction will have to be -# expanded as addc, twice right shift by 32 and finally adde, etc. -# So far RSA *sign* performance improvement over pre-bn_mul_mont asm -# for 64-bit application running on PPC970/G5 is: -# -# 512-bit +65% -# 1024-bit +35% -# 2048-bit +18% -# 4096-bit +4% - -$flavour = shift; - -if ($flavour =~ /32/) { - $BITS= 32; - $BNSZ= $BITS/8; - $SIZE_T=4; - $RZONE= 224; - - $LD= "lwz"; # load - $LDU= "lwzu"; # load and update - $LDX= "lwzx"; # load indexed - $ST= "stw"; # store - $STU= "stwu"; # store and update - $STX= "stwx"; # store indexed - $STUX= "stwux"; # store indexed and update - $UMULL= "mullw"; # unsigned multiply low - $UMULH= "mulhwu"; # unsigned multiply high - $UCMP= "cmplw"; # unsigned compare - $SHRI= "srwi"; # unsigned shift right by immediate - $PUSH= $ST; - $POP= $LD; -} elsif ($flavour =~ /64/) { - $BITS= 64; - $BNSZ= $BITS/8; - $SIZE_T=8; - $RZONE= 288; - - # same as above, but 64-bit mnemonics... - $LD= "ld"; # load - $LDU= "ldu"; # load and update - $LDX= "ldx"; # load indexed - $ST= "std"; # store - $STU= "stdu"; # store and update - $STX= "stdx"; # store indexed - $STUX= "stdux"; # store indexed and update - $UMULL= "mulld"; # unsigned multiply low - $UMULH= "mulhdu"; # unsigned multiply high - $UCMP= "cmpld"; # unsigned compare - $SHRI= "srdi"; # unsigned shift right by immediate - $PUSH= $ST; - $POP= $LD; -} else { die "nonsense $flavour"; } - -$FRAME=8*$SIZE_T+$RZONE; -$LOCALS=8*$SIZE_T; - -$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or -( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or -die "can't locate ppc-xlate.pl"; - -open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!"; - -$sp="r1"; -$toc="r2"; -$rp="r3"; $ovf="r3"; -$ap="r4"; -$bp="r5"; -$np="r6"; -$n0="r7"; -$num="r8"; -$rp="r9"; # $rp is reassigned -$aj="r10"; -$nj="r11"; -$tj="r12"; -# non-volatile registers -$i="r20"; -$j="r21"; -$tp="r22"; -$m0="r23"; -$m1="r24"; -$lo0="r25"; -$hi0="r26"; -$lo1="r27"; -$hi1="r28"; -$alo="r29"; -$ahi="r30"; -$nlo="r31"; -# -$nhi="r0"; - -$code=<<___; -.machine "any" -.text - -.globl .bn_mul_mont -.align 4 -.bn_mul_mont: - cmpwi $num,4 - mr $rp,r3 ; $rp is reassigned - li r3,0 - bltlr -___ -$code.=<<___ if ($BNSZ==4); - cmpwi $num,32 ; longer key performance is not better - bgelr -___ -$code.=<<___; - slwi $num,$num,`log($BNSZ)/log(2)` - li $tj,-4096 - addi $ovf,$num,$FRAME - subf $ovf,$ovf,$sp ; $sp-$ovf - and $ovf,$ovf,$tj ; minimize TLB usage - subf $ovf,$sp,$ovf ; $ovf-$sp - mr $tj,$sp - srwi $num,$num,`log($BNSZ)/log(2)` - $STUX $sp,$sp,$ovf - - $PUSH r20,`-12*$SIZE_T`($tj) - $PUSH r21,`-11*$SIZE_T`($tj) - $PUSH r22,`-10*$SIZE_T`($tj) - $PUSH r23,`-9*$SIZE_T`($tj) - $PUSH r24,`-8*$SIZE_T`($tj) - $PUSH r25,`-7*$SIZE_T`($tj) - $PUSH r26,`-6*$SIZE_T`($tj) - $PUSH r27,`-5*$SIZE_T`($tj) - $PUSH r28,`-4*$SIZE_T`($tj) - $PUSH r29,`-3*$SIZE_T`($tj) - $PUSH r30,`-2*$SIZE_T`($tj) - $PUSH r31,`-1*$SIZE_T`($tj) - - $LD $n0,0($n0) ; pull n0[0] value - addi $num,$num,-2 ; adjust $num for counter register - - $LD $m0,0($bp) ; m0=bp[0] - $LD $aj,0($ap) ; ap[0] - addi $tp,$sp,$LOCALS - $UMULL $lo0,$aj,$m0 ; ap[0]*bp[0] - $UMULH $hi0,$aj,$m0 - - $LD $aj,$BNSZ($ap) ; ap[1] - $LD $nj,0($np) ; np[0] - - $UMULL $m1,$lo0,$n0 ; "tp[0]"*n0 - - $UMULL $alo,$aj,$m0 ; ap[1]*bp[0] - $UMULH $ahi,$aj,$m0 - - $UMULL $lo1,$nj,$m1 ; np[0]*m1 - $UMULH $hi1,$nj,$m1 - $LD $nj,$BNSZ($np) ; np[1] - addc $lo1,$lo1,$lo0 - addze $hi1,$hi1 - - $UMULL $nlo,$nj,$m1 ; np[1]*m1 - $UMULH $nhi,$nj,$m1 - - mtctr $num - li $j,`2*$BNSZ` -.align 4 -L1st: - $LDX $aj,$ap,$j ; ap[j] - addc $lo0,$alo,$hi0 - $LDX $nj,$np,$j ; np[j] - addze $hi0,$ahi - $UMULL $alo,$aj,$m0 ; ap[j]*bp[0] - addc $lo1,$nlo,$hi1 - $UMULH $ahi,$aj,$m0 - addze $hi1,$nhi - $UMULL $nlo,$nj,$m1 ; np[j]*m1 - addc $lo1,$lo1,$lo0 ; np[j]*m1+ap[j]*bp[0] - $UMULH $nhi,$nj,$m1 - addze $hi1,$hi1 - $ST $lo1,0($tp) ; tp[j-1] - - addi $j,$j,$BNSZ ; j++ - addi $tp,$tp,$BNSZ ; tp++ - bdnz- L1st -;L1st - addc $lo0,$alo,$hi0 - addze $hi0,$ahi - - addc $lo1,$nlo,$hi1 - addze $hi1,$nhi - addc $lo1,$lo1,$lo0 ; np[j]*m1+ap[j]*bp[0] - addze $hi1,$hi1 - $ST $lo1,0($tp) ; tp[j-1] - - li $ovf,0 - addc $hi1,$hi1,$hi0 - addze $ovf,$ovf ; upmost overflow bit - $ST $hi1,$BNSZ($tp) - - li $i,$BNSZ -.align 4 -Louter: - $LDX $m0,$bp,$i ; m0=bp[i] - $LD $aj,0($ap) ; ap[0] - addi $tp,$sp,$LOCALS - $LD $tj,$LOCALS($sp); tp[0] - $UMULL $lo0,$aj,$m0 ; ap[0]*bp[i] - $UMULH $hi0,$aj,$m0 - $LD $aj,$BNSZ($ap) ; ap[1] - $LD $nj,0($np) ; np[0] - addc $lo0,$lo0,$tj ; ap[0]*bp[i]+tp[0] - $UMULL $alo,$aj,$m0 ; ap[j]*bp[i] - addze $hi0,$hi0 - $UMULL $m1,$lo0,$n0 ; tp[0]*n0 - $UMULH $ahi,$aj,$m0 - $UMULL $lo1,$nj,$m1 ; np[0]*m1 - $UMULH $hi1,$nj,$m1 - $LD $nj,$BNSZ($np) ; np[1] - addc $lo1,$lo1,$lo0 - $UMULL $nlo,$nj,$m1 ; np[1]*m1 - addze $hi1,$hi1 - $UMULH $nhi,$nj,$m1 - - mtctr $num - li $j,`2*$BNSZ` -.align 4 -Linner: - $LDX $aj,$ap,$j ; ap[j] - addc $lo0,$alo,$hi0 - $LD $tj,$BNSZ($tp) ; tp[j] - addze $hi0,$ahi - $LDX $nj,$np,$j ; np[j] - addc $lo1,$nlo,$hi1 - $UMULL $alo,$aj,$m0 ; ap[j]*bp[i] - addze $hi1,$nhi - $UMULH $ahi,$aj,$m0 - addc $lo0,$lo0,$tj ; ap[j]*bp[i]+tp[j] - $UMULL $nlo,$nj,$m1 ; np[j]*m1 - addze $hi0,$hi0 - $UMULH $nhi,$nj,$m1 - addc $lo1,$lo1,$lo0 ; np[j]*m1+ap[j]*bp[i]+tp[j] - addi $j,$j,$BNSZ ; j++ - addze $hi1,$hi1 - $ST $lo1,0($tp) ; tp[j-1] - addi $tp,$tp,$BNSZ ; tp++ - bdnz- Linner -;Linner - $LD $tj,$BNSZ($tp) ; tp[j] - addc $lo0,$alo,$hi0 - addze $hi0,$ahi - addc $lo0,$lo0,$tj ; ap[j]*bp[i]+tp[j] - addze $hi0,$hi0 - - addc $lo1,$nlo,$hi1 - addze $hi1,$nhi - addc $lo1,$lo1,$lo0 ; np[j]*m1+ap[j]*bp[i]+tp[j] - addze $hi1,$hi1 - $ST $lo1,0($tp) ; tp[j-1] - - addic $ovf,$ovf,-1 ; move upmost overflow to XER[CA] - li $ovf,0 - adde $hi1,$hi1,$hi0 - addze $ovf,$ovf - $ST $hi1,$BNSZ($tp) -; - slwi $tj,$num,`log($BNSZ)/log(2)` - $UCMP $i,$tj - addi $i,$i,$BNSZ - ble- Louter - - addi $num,$num,2 ; restore $num - subfc $j,$j,$j ; j=0 and "clear" XER[CA] - addi $tp,$sp,$LOCALS - mtctr $num - -.align 4 -Lsub: $LDX $tj,$tp,$j - $LDX $nj,$np,$j - subfe $aj,$nj,$tj ; tp[j]-np[j] - $STX $aj,$rp,$j - addi $j,$j,$BNSZ - bdnz- Lsub - - li $j,0 - mtctr $num - subfe $ovf,$j,$ovf ; handle upmost overflow bit - and $ap,$tp,$ovf - andc $np,$rp,$ovf - or $ap,$ap,$np ; ap=borrow?tp:rp - -.align 4 -Lcopy: ; copy or in-place refresh - $LDX $tj,$ap,$j - $STX $tj,$rp,$j - $STX $j,$tp,$j ; zap at once - addi $j,$j,$BNSZ - bdnz- Lcopy - - $POP $tj,0($sp) - li r3,1 - $POP r20,`-12*$SIZE_T`($tj) - $POP r21,`-11*$SIZE_T`($tj) - $POP r22,`-10*$SIZE_T`($tj) - $POP r23,`-9*$SIZE_T`($tj) - $POP r24,`-8*$SIZE_T`($tj) - $POP r25,`-7*$SIZE_T`($tj) - $POP r26,`-6*$SIZE_T`($tj) - $POP r27,`-5*$SIZE_T`($tj) - $POP r28,`-4*$SIZE_T`($tj) - $POP r29,`-3*$SIZE_T`($tj) - $POP r30,`-2*$SIZE_T`($tj) - $POP r31,`-1*$SIZE_T`($tj) - mr $sp,$tj - blr -___ - -$code =~ s/\`([^\`]*)\`/eval $1/gem; -print $code; -close STDOUT; diff --git a/src/lib/libcrypto/bn/asm/ppc.pl b/src/lib/libcrypto/bn/asm/ppc.pl deleted file mode 100644 index c9b7f9477d..0000000000 --- a/src/lib/libcrypto/bn/asm/ppc.pl +++ /dev/null @@ -1,1968 +0,0 @@ -#!/usr/bin/env perl -# -# Implemented as a Perl wrapper as we want to support several different -# architectures with single file. We pick up the target based on the -# file name we are asked to generate. -# -# It should be noted though that this perl code is nothing like -# /crypto/perlasm/x86*. In this case perl is used pretty much -# as pre-processor to cover for platform differences in name decoration, -# linker tables, 32-/64-bit instruction sets... -# -# As you might know there're several PowerPC ABI in use. Most notably -# Linux and AIX use different 32-bit ABIs. Good news are that these ABIs -# are similar enough to implement leaf(!) functions, which would be ABI -# neutral. And that's what you find here: ABI neutral leaf functions. -# In case you wonder what that is... -# -# AIX performance -# -# MEASUREMENTS WITH cc ON a 200 MhZ PowerPC 604e. -# -# The following is the performance of 32-bit compiler -# generated code: -# -# OpenSSL 0.9.6c 21 dec 2001 -# built on: Tue Jun 11 11:06:51 EDT 2002 -# options:bn(64,32) ... -#compiler: cc -DTHREADS -DAIX -DB_ENDIAN -DBN_LLONG -O3 -# sign verify sign/s verify/s -#rsa 512 bits 0.0098s 0.0009s 102.0 1170.6 -#rsa 1024 bits 0.0507s 0.0026s 19.7 387.5 -#rsa 2048 bits 0.3036s 0.0085s 3.3 117.1 -#rsa 4096 bits 2.0040s 0.0299s 0.5 33.4 -#dsa 512 bits 0.0087s 0.0106s 114.3 94.5 -#dsa 1024 bits 0.0256s 0.0313s 39.0 32.0 -# -# Same benchmark with this assembler code: -# -#rsa 512 bits 0.0056s 0.0005s 178.6 2049.2 -#rsa 1024 bits 0.0283s 0.0015s 35.3 674.1 -#rsa 2048 bits 0.1744s 0.0050s 5.7 201.2 -#rsa 4096 bits 1.1644s 0.0179s 0.9 55.7 -#dsa 512 bits 0.0052s 0.0062s 191.6 162.0 -#dsa 1024 bits 0.0149s 0.0180s 67.0 55.5 -# -# Number of operations increases by at almost 75% -# -# Here are performance numbers for 64-bit compiler -# generated code: -# -# OpenSSL 0.9.6g [engine] 9 Aug 2002 -# built on: Fri Apr 18 16:59:20 EDT 2003 -# options:bn(64,64) ... -# compiler: cc -DTHREADS -D_REENTRANT -q64 -DB_ENDIAN -O3 -# sign verify sign/s verify/s -#rsa 512 bits 0.0028s 0.0003s 357.1 3844.4 -#rsa 1024 bits 0.0148s 0.0008s 67.5 1239.7 -#rsa 2048 bits 0.0963s 0.0028s 10.4 353.0 -#rsa 4096 bits 0.6538s 0.0102s 1.5 98.1 -#dsa 512 bits 0.0026s 0.0032s 382.5 313.7 -#dsa 1024 bits 0.0081s 0.0099s 122.8 100.6 -# -# Same benchmark with this assembler code: -# -#rsa 512 bits 0.0020s 0.0002s 510.4 6273.7 -#rsa 1024 bits 0.0088s 0.0005s 114.1 2128.3 -#rsa 2048 bits 0.0540s 0.0016s 18.5 622.5 -#rsa 4096 bits 0.3700s 0.0058s 2.7 171.0 -#dsa 512 bits 0.0016s 0.0020s 610.7 507.1 -#dsa 1024 bits 0.0047s 0.0058s 212.5 173.2 -# -# Again, performance increases by at about 75% -# -# Mac OS X, Apple G5 1.8GHz (Note this is 32 bit code) -# OpenSSL 0.9.7c 30 Sep 2003 -# -# Original code. -# -#rsa 512 bits 0.0011s 0.0001s 906.1 11012.5 -#rsa 1024 bits 0.0060s 0.0003s 166.6 3363.1 -#rsa 2048 bits 0.0370s 0.0010s 27.1 982.4 -#rsa 4096 bits 0.2426s 0.0036s 4.1 280.4 -#dsa 512 bits 0.0010s 0.0012s 1038.1 841.5 -#dsa 1024 bits 0.0030s 0.0037s 329.6 269.7 -#dsa 2048 bits 0.0101s 0.0127s 98.9 78.6 -# -# Same benchmark with this assembler code: -# -#rsa 512 bits 0.0007s 0.0001s 1416.2 16645.9 -#rsa 1024 bits 0.0036s 0.0002s 274.4 5380.6 -#rsa 2048 bits 0.0222s 0.0006s 45.1 1589.5 -#rsa 4096 bits 0.1469s 0.0022s 6.8 449.6 -#dsa 512 bits 0.0006s 0.0007s 1664.2 1376.2 -#dsa 1024 bits 0.0018s 0.0023s 545.0 442.2 -#dsa 2048 bits 0.0061s 0.0075s 163.5 132.8 -# -# Performance increase of ~60% -# -# If you have comments or suggestions to improve code send -# me a note at schari@us.ibm.com -# - -$flavour = shift; - -if ($flavour =~ /32/) { - $BITS= 32; - $BNSZ= $BITS/8; - $ISA= "\"ppc\""; - - $LD= "lwz"; # load - $LDU= "lwzu"; # load and update - $ST= "stw"; # store - $STU= "stwu"; # store and update - $UMULL= "mullw"; # unsigned multiply low - $UMULH= "mulhwu"; # unsigned multiply high - $UDIV= "divwu"; # unsigned divide - $UCMPI= "cmplwi"; # unsigned compare with immediate - $UCMP= "cmplw"; # unsigned compare - $CNTLZ= "cntlzw"; # count leading zeros - $SHL= "slw"; # shift left - $SHR= "srw"; # unsigned shift right - $SHRI= "srwi"; # unsigned shift right by immediate - $SHLI= "slwi"; # shift left by immediate - $CLRU= "clrlwi"; # clear upper bits - $INSR= "insrwi"; # insert right - $ROTL= "rotlwi"; # rotate left by immediate - $TR= "tw"; # conditional trap -} elsif ($flavour =~ /64/) { - $BITS= 64; - $BNSZ= $BITS/8; - $ISA= "\"ppc64\""; - - # same as above, but 64-bit mnemonics... - $LD= "ld"; # load - $LDU= "ldu"; # load and update - $ST= "std"; # store - $STU= "stdu"; # store and update - $UMULL= "mulld"; # unsigned multiply low - $UMULH= "mulhdu"; # unsigned multiply high - $UDIV= "divdu"; # unsigned divide - $UCMPI= "cmpldi"; # unsigned compare with immediate - $UCMP= "cmpld"; # unsigned compare - $CNTLZ= "cntlzd"; # count leading zeros - $SHL= "sld"; # shift left - $SHR= "srd"; # unsigned shift right - $SHRI= "srdi"; # unsigned shift right by immediate - $SHLI= "sldi"; # shift left by immediate - $CLRU= "clrldi"; # clear upper bits - $INSR= "insrdi"; # insert right - $ROTL= "rotldi"; # rotate left by immediate - $TR= "td"; # conditional trap -} else { die "nonsense $flavour"; } - -$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or -( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or -die "can't locate ppc-xlate.pl"; - -open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!"; - -$data=< 0 then result !=0 - # In either case carry bit is set. - beq Lppcasm_sub_adios - addi r4,r4,-$BNSZ - addi r3,r3,-$BNSZ - addi r5,r5,-$BNSZ - mtctr r6 -Lppcasm_sub_mainloop: - $LDU r7,$BNSZ(r4) - $LDU r8,$BNSZ(r5) - subfe r6,r8,r7 # r6 = r7+carry bit + onescomplement(r8) - # if carry = 1 this is r7-r8. Else it - # is r7-r8 -1 as we need. - $STU r6,$BNSZ(r3) - bdnz- Lppcasm_sub_mainloop -Lppcasm_sub_adios: - subfze r3,r0 # if carry bit is set then r3 = 0 else -1 - andi. r3,r3,1 # keep only last bit. - blr - -# -# NOTE: The following label name should be changed to -# "bn_add_words" i.e. remove the first dot -# for the gcc compiler. This should be automatically -# done in the build -# - -.align 4 -.bn_add_words: -# -# Handcoded version of bn_add_words -# -#BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) -# -# r3 = r -# r4 = a -# r5 = b -# r6 = n -# -# Note: No loop unrolling done since this is not a performance -# critical loop. - - xor r0,r0,r0 -# -# check for r6 = 0. Is this needed? -# - addic. r6,r6,0 #test r6 and clear carry bit. - beq Lppcasm_add_adios - addi r4,r4,-$BNSZ - addi r3,r3,-$BNSZ - addi r5,r5,-$BNSZ - mtctr r6 -Lppcasm_add_mainloop: - $LDU r7,$BNSZ(r4) - $LDU r8,$BNSZ(r5) - adde r8,r7,r8 - $STU r8,$BNSZ(r3) - bdnz- Lppcasm_add_mainloop -Lppcasm_add_adios: - addze r3,r0 #return carry bit. - blr - -# -# NOTE: The following label name should be changed to -# "bn_div_words" i.e. remove the first dot -# for the gcc compiler. This should be automatically -# done in the build -# - -.align 4 -.bn_div_words: -# -# This is a cleaned up version of code generated by -# the AIX compiler. The only optimization is to use -# the PPC instruction to count leading zeros instead -# of call to num_bits_word. Since this was compiled -# only at level -O2 we can possibly squeeze it more? -# -# r3 = h -# r4 = l -# r5 = d - - $UCMPI 0,r5,0 # compare r5 and 0 - bne Lppcasm_div1 # proceed if d!=0 - li r3,-1 # d=0 return -1 - blr -Lppcasm_div1: - xor r0,r0,r0 #r0=0 - li r8,$BITS - $CNTLZ. r7,r5 #r7 = num leading 0s in d. - beq Lppcasm_div2 #proceed if no leading zeros - subf r8,r7,r8 #r8 = BN_num_bits_word(d) - $SHR. r9,r3,r8 #are there any bits above r8'th? - $TR 16,r9,r0 #if there're, signal to dump core... -Lppcasm_div2: - $UCMP 0,r3,r5 #h>=d? - blt Lppcasm_div3 #goto Lppcasm_div3 if not - subf r3,r5,r3 #h-=d ; -Lppcasm_div3: #r7 = BN_BITS2-i. so r7=i - cmpi 0,0,r7,0 # is (i == 0)? - beq Lppcasm_div4 - $SHL r3,r3,r7 # h = (h<< i) - $SHR r8,r4,r8 # r8 = (l >> BN_BITS2 -i) - $SHL r5,r5,r7 # d<<=i - or r3,r3,r8 # h = (h<>(BN_BITS2-i)) - $SHL r4,r4,r7 # l <<=i -Lppcasm_div4: - $SHRI r9,r5,`$BITS/2` # r9 = dh - # dl will be computed when needed - # as it saves registers. - li r6,2 #r6=2 - mtctr r6 #counter will be in count. -Lppcasm_divouterloop: - $SHRI r8,r3,`$BITS/2` #r8 = (h>>BN_BITS4) - $SHRI r11,r4,`$BITS/2` #r11= (l&BN_MASK2h)>>BN_BITS4 - # compute here for innerloop. - $UCMP 0,r8,r9 # is (h>>BN_BITS4)==dh - bne Lppcasm_div5 # goto Lppcasm_div5 if not - - li r8,-1 - $CLRU r8,r8,`$BITS/2` #q = BN_MASK2l - b Lppcasm_div6 -Lppcasm_div5: - $UDIV r8,r3,r9 #q = h/dh -Lppcasm_div6: - $UMULL r12,r9,r8 #th = q*dh - $CLRU r10,r5,`$BITS/2` #r10=dl - $UMULL r6,r8,r10 #tl = q*dl - -Lppcasm_divinnerloop: - subf r10,r12,r3 #t = h -th - $SHRI r7,r10,`$BITS/2` #r7= (t &BN_MASK2H), sort of... - addic. r7,r7,0 #test if r7 == 0. used below. - # now want to compute - # r7 = (t<>BN_BITS4) - # the following 2 instructions do that - $SHLI r7,r10,`$BITS/2` # r7 = (t<>BN_BITS4) - $UCMP cr1,r6,r7 # compare (tl <= r7) - bne Lppcasm_divinnerexit - ble cr1,Lppcasm_divinnerexit - addi r8,r8,-1 #q-- - subf r12,r9,r12 #th -=dh - $CLRU r10,r5,`$BITS/2` #r10=dl. t is no longer needed in loop. - subf r6,r10,r6 #tl -=dl - b Lppcasm_divinnerloop -Lppcasm_divinnerexit: - $SHRI r10,r6,`$BITS/2` #t=(tl>>BN_BITS4) - $SHLI r11,r6,`$BITS/2` #tl=(tl<=tl) goto Lppcasm_div7 - addi r12,r12,1 # th++ -Lppcasm_div7: - subf r11,r11,r4 #r11=l-tl - $UCMP cr1,r3,r12 #compare h and th - bge cr1,Lppcasm_div8 #if (h>=th) goto Lppcasm_div8 - addi r8,r8,-1 # q-- - add r3,r5,r3 # h+=d -Lppcasm_div8: - subf r12,r12,r3 #r12 = h-th - $SHLI r4,r11,`$BITS/2` #l=(l&BN_MASK2l)<>BN_BITS4))&BN_MASK2 - # the following 2 instructions will do this. - $INSR r11,r12,`$BITS/2`,`$BITS/2` # r11 is the value we want rotated $BITS/2. - $ROTL r3,r11,`$BITS/2` # rotate by $BITS/2 and store in r3 - bdz Lppcasm_div9 #if (count==0) break ; - $SHLI r0,r8,`$BITS/2` #ret =q<> 2 - beq Lppcasm_mw_REM - mtctr r7 -Lppcasm_mw_LOOP: - #mul(rp[0],ap[0],w,c1); - $LD r8,`0*$BNSZ`(r4) - $UMULL r9,r6,r8 - $UMULH r10,r6,r8 - addc r9,r9,r12 - #addze r10,r10 #carry is NOT ignored. - #will be taken care of - #in second spin below - #using adde. - $ST r9,`0*$BNSZ`(r3) - #mul(rp[1],ap[1],w,c1); - $LD r8,`1*$BNSZ`(r4) - $UMULL r11,r6,r8 - $UMULH r12,r6,r8 - adde r11,r11,r10 - #addze r12,r12 - $ST r11,`1*$BNSZ`(r3) - #mul(rp[2],ap[2],w,c1); - $LD r8,`2*$BNSZ`(r4) - $UMULL r9,r6,r8 - $UMULH r10,r6,r8 - adde r9,r9,r12 - #addze r10,r10 - $ST r9,`2*$BNSZ`(r3) - #mul_add(rp[3],ap[3],w,c1); - $LD r8,`3*$BNSZ`(r4) - $UMULL r11,r6,r8 - $UMULH r12,r6,r8 - adde r11,r11,r10 - addze r12,r12 #this spin we collect carry into - #r12 - $ST r11,`3*$BNSZ`(r3) - - addi r3,r3,`4*$BNSZ` - addi r4,r4,`4*$BNSZ` - bdnz- Lppcasm_mw_LOOP - -Lppcasm_mw_REM: - andi. r5,r5,0x3 - beq Lppcasm_mw_OVER - #mul(rp[0],ap[0],w,c1); - $LD r8,`0*$BNSZ`(r4) - $UMULL r9,r6,r8 - $UMULH r10,r6,r8 - addc r9,r9,r12 - addze r10,r10 - $ST r9,`0*$BNSZ`(r3) - addi r12,r10,0 - - addi r5,r5,-1 - cmpli 0,0,r5,0 - beq Lppcasm_mw_OVER - - - #mul(rp[1],ap[1],w,c1); - $LD r8,`1*$BNSZ`(r4) - $UMULL r9,r6,r8 - $UMULH r10,r6,r8 - addc r9,r9,r12 - addze r10,r10 - $ST r9,`1*$BNSZ`(r3) - addi r12,r10,0 - - addi r5,r5,-1 - cmpli 0,0,r5,0 - beq Lppcasm_mw_OVER - - #mul_add(rp[2],ap[2],w,c1); - $LD r8,`2*$BNSZ`(r4) - $UMULL r9,r6,r8 - $UMULH r10,r6,r8 - addc r9,r9,r12 - addze r10,r10 - $ST r9,`2*$BNSZ`(r3) - addi r12,r10,0 - -Lppcasm_mw_OVER: - addi r3,r12,0 - blr - -# -# NOTE: The following label name should be changed to -# "bn_mul_add_words" i.e. remove the first dot -# for the gcc compiler. This should be automatically -# done in the build -# - -.align 4 -.bn_mul_add_words: -# -# BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w) -# -# r3 = rp -# r4 = ap -# r5 = num -# r6 = w -# -# empirical evidence suggests that unrolled version performs best!! -# - xor r0,r0,r0 #r0 = 0 - xor r12,r12,r12 #r12 = 0 . used for carry - rlwinm. r7,r5,30,2,31 # num >> 2 - beq Lppcasm_maw_leftover # if (num < 4) go LPPCASM_maw_leftover - mtctr r7 -Lppcasm_maw_mainloop: - #mul_add(rp[0],ap[0],w,c1); - $LD r8,`0*$BNSZ`(r4) - $LD r11,`0*$BNSZ`(r3) - $UMULL r9,r6,r8 - $UMULH r10,r6,r8 - addc r9,r9,r12 #r12 is carry. - addze r10,r10 - addc r9,r9,r11 - #addze r10,r10 - #the above instruction addze - #is NOT needed. Carry will NOT - #be ignored. It's not affected - #by multiply and will be collected - #in the next spin - $ST r9,`0*$BNSZ`(r3) - - #mul_add(rp[1],ap[1],w,c1); - $LD r8,`1*$BNSZ`(r4) - $LD r9,`1*$BNSZ`(r3) - $UMULL r11,r6,r8 - $UMULH r12,r6,r8 - adde r11,r11,r10 #r10 is carry. - addze r12,r12 - addc r11,r11,r9 - #addze r12,r12 - $ST r11,`1*$BNSZ`(r3) - - #mul_add(rp[2],ap[2],w,c1); - $LD r8,`2*$BNSZ`(r4) - $UMULL r9,r6,r8 - $LD r11,`2*$BNSZ`(r3) - $UMULH r10,r6,r8 - adde r9,r9,r12 - addze r10,r10 - addc r9,r9,r11 - #addze r10,r10 - $ST r9,`2*$BNSZ`(r3) - - #mul_add(rp[3],ap[3],w,c1); - $LD r8,`3*$BNSZ`(r4) - $UMULL r11,r6,r8 - $LD r9,`3*$BNSZ`(r3) - $UMULH r12,r6,r8 - adde r11,r11,r10 - addze r12,r12 - addc r11,r11,r9 - addze r12,r12 - $ST r11,`3*$BNSZ`(r3) - addi r3,r3,`4*$BNSZ` - addi r4,r4,`4*$BNSZ` - bdnz- Lppcasm_maw_mainloop - -Lppcasm_maw_leftover: - andi. r5,r5,0x3 - beq Lppcasm_maw_adios - addi r3,r3,-$BNSZ - addi r4,r4,-$BNSZ - #mul_add(rp[0],ap[0],w,c1); - mtctr r5 - $LDU r8,$BNSZ(r4) - $UMULL r9,r6,r8 - $UMULH r10,r6,r8 - $LDU r11,$BNSZ(r3) - addc r9,r9,r11 - addze r10,r10 - addc r9,r9,r12 - addze r12,r10 - $ST r9,0(r3) - - bdz Lppcasm_maw_adios - #mul_add(rp[1],ap[1],w,c1); - $LDU r8,$BNSZ(r4) - $UMULL r9,r6,r8 - $UMULH r10,r6,r8 - $LDU r11,$BNSZ(r3) - addc r9,r9,r11 - addze r10,r10 - addc r9,r9,r12 - addze r12,r10 - $ST r9,0(r3) - - bdz Lppcasm_maw_adios - #mul_add(rp[2],ap[2],w,c1); - $LDU r8,$BNSZ(r4) - $UMULL r9,r6,r8 - $UMULH r10,r6,r8 - $LDU r11,$BNSZ(r3) - addc r9,r9,r11 - addze r10,r10 - addc r9,r9,r12 - addze r12,r10 - $ST r9,0(r3) - -Lppcasm_maw_adios: - addi r3,r12,0 - blr - .align 4 -EOF -$data =~ s/\`([^\`]*)\`/eval $1/gem; -print $data; -close STDOUT; diff --git a/src/lib/libcrypto/bn/asm/x86-mont.pl b/src/lib/libcrypto/bn/asm/x86-mont.pl deleted file mode 100755 index 6524651748..0000000000 --- a/src/lib/libcrypto/bn/asm/x86-mont.pl +++ /dev/null @@ -1,592 +0,0 @@ -#!/usr/bin/env perl - -# ==================================================================== -# Written by Andy Polyakov for the OpenSSL -# project. The module is, however, dual licensed under OpenSSL and -# CRYPTOGAMS licenses depending on where you obtain it. For further -# details see http://www.openssl.org/~appro/cryptogams/. -# ==================================================================== - -# October 2005 -# -# This is a "teaser" code, as it can be improved in several ways... -# First of all non-SSE2 path should be implemented (yes, for now it -# performs Montgomery multiplication/convolution only on SSE2-capable -# CPUs such as P4, others fall down to original code). Then inner loop -# can be unrolled and modulo-scheduled to improve ILP and possibly -# moved to 128-bit XMM register bank (though it would require input -# rearrangement and/or increase bus bandwidth utilization). Dedicated -# squaring procedure should give further performance improvement... -# Yet, for being draft, the code improves rsa512 *sign* benchmark by -# 110%(!), rsa1024 one - by 70% and rsa4096 - by 20%:-) - -# December 2006 -# -# Modulo-scheduling SSE2 loops results in further 15-20% improvement. -# Integer-only code [being equipped with dedicated squaring procedure] -# gives ~40% on rsa512 sign benchmark... - -$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -push(@INC,"${dir}","${dir}../../perlasm"); -require "x86asm.pl"; - -&asm_init($ARGV[0],$0); - -$sse2=0; -for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } - -&external_label("OPENSSL_ia32cap_P") if ($sse2); - -&function_begin("bn_mul_mont"); - -$i="edx"; -$j="ecx"; -$ap="esi"; $tp="esi"; # overlapping variables!!! -$rp="edi"; $bp="edi"; # overlapping variables!!! -$np="ebp"; -$num="ebx"; - -$_num=&DWP(4*0,"esp"); # stack top layout -$_rp=&DWP(4*1,"esp"); -$_ap=&DWP(4*2,"esp"); -$_bp=&DWP(4*3,"esp"); -$_np=&DWP(4*4,"esp"); -$_n0=&DWP(4*5,"esp"); $_n0q=&QWP(4*5,"esp"); -$_sp=&DWP(4*6,"esp"); -$_bpend=&DWP(4*7,"esp"); -$frame=32; # size of above frame rounded up to 16n - - &xor ("eax","eax"); - &mov ("edi",&wparam(5)); # int num - &cmp ("edi",4); - &jl (&label("just_leave")); - - &lea ("esi",&wparam(0)); # put aside pointer to argument block - &lea ("edx",&wparam(1)); # load ap - &mov ("ebp","esp"); # saved stack pointer! - &add ("edi",2); # extra two words on top of tp - &neg ("edi"); - &lea ("esp",&DWP(-$frame,"esp","edi",4)); # alloca($frame+4*(num+2)) - &neg ("edi"); - - # minimize cache contention by arranging 2K window between stack - # pointer and ap argument [np is also position sensitive vector, - # but it's assumed to be near ap, as it's allocated at ~same - # time]. - &mov ("eax","esp"); - &sub ("eax","edx"); - &and ("eax",2047); - &sub ("esp","eax"); # this aligns sp and ap modulo 2048 - - &xor ("edx","esp"); - &and ("edx",2048); - &xor ("edx",2048); - &sub ("esp","edx"); # this splits them apart modulo 4096 - - &and ("esp",-64); # align to cache line - - ################################# load argument block... - &mov ("eax",&DWP(0*4,"esi"));# BN_ULONG *rp - &mov ("ebx",&DWP(1*4,"esi"));# const BN_ULONG *ap - &mov ("ecx",&DWP(2*4,"esi"));# const BN_ULONG *bp - &mov ("edx",&DWP(3*4,"esi"));# const BN_ULONG *np - &mov ("esi",&DWP(4*4,"esi"));# const BN_ULONG *n0 - #&mov ("edi",&DWP(5*4,"esi"));# int num - - &mov ("esi",&DWP(0,"esi")); # pull n0[0] - &mov ($_rp,"eax"); # ... save a copy of argument block - &mov ($_ap,"ebx"); - &mov ($_bp,"ecx"); - &mov ($_np,"edx"); - &mov ($_n0,"esi"); - &lea ($num,&DWP(-3,"edi")); # num=num-1 to assist modulo-scheduling - #&mov ($_num,$num); # redundant as $num is not reused - &mov ($_sp,"ebp"); # saved stack pointer! - -if($sse2) { -$acc0="mm0"; # mmx register bank layout -$acc1="mm1"; -$car0="mm2"; -$car1="mm3"; -$mul0="mm4"; -$mul1="mm5"; -$temp="mm6"; -$mask="mm7"; - - &picsetup("eax"); - &picsymbol("eax", "OPENSSL_ia32cap_P", "eax"); - &bt (&DWP(0,"eax"),"\$IA32CAP_BIT0_SSE2"); - &jnc (&label("non_sse2")); - - &mov ("eax",-1); - &movd ($mask,"eax"); # mask 32 lower bits - - &mov ($ap,$_ap); # load input pointers - &mov ($bp,$_bp); - &mov ($np,$_np); - - &xor ($i,$i); # i=0 - &xor ($j,$j); # j=0 - - &movd ($mul0,&DWP(0,$bp)); # bp[0] - &movd ($mul1,&DWP(0,$ap)); # ap[0] - &movd ($car1,&DWP(0,$np)); # np[0] - - &pmuludq($mul1,$mul0); # ap[0]*bp[0] - &movq ($car0,$mul1); - &movq ($acc0,$mul1); # I wish movd worked for - &pand ($acc0,$mask); # inter-register transfers - - &pmuludq($mul1,$_n0q); # *=n0 - - &pmuludq($car1,$mul1); # "t[0]"*np[0]*n0 - &paddq ($car1,$acc0); - - &movd ($acc1,&DWP(4,$np)); # np[1] - &movd ($acc0,&DWP(4,$ap)); # ap[1] - - &psrlq ($car0,32); - &psrlq ($car1,32); - - &inc ($j); # j++ -&set_label("1st",16); - &pmuludq($acc0,$mul0); # ap[j]*bp[0] - &pmuludq($acc1,$mul1); # np[j]*m1 - &paddq ($car0,$acc0); # +=c0 - &paddq ($car1,$acc1); # +=c1 - - &movq ($acc0,$car0); - &pand ($acc0,$mask); - &movd ($acc1,&DWP(4,$np,$j,4)); # np[j+1] - &paddq ($car1,$acc0); # +=ap[j]*bp[0]; - &movd ($acc0,&DWP(4,$ap,$j,4)); # ap[j+1] - &psrlq ($car0,32); - &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[j-1]= - &psrlq ($car1,32); - - &lea ($j,&DWP(1,$j)); - &cmp ($j,$num); - &jl (&label("1st")); - - &pmuludq($acc0,$mul0); # ap[num-1]*bp[0] - &pmuludq($acc1,$mul1); # np[num-1]*m1 - &paddq ($car0,$acc0); # +=c0 - &paddq ($car1,$acc1); # +=c1 - - &movq ($acc0,$car0); - &pand ($acc0,$mask); - &paddq ($car1,$acc0); # +=ap[num-1]*bp[0]; - &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[num-2]= - - &psrlq ($car0,32); - &psrlq ($car1,32); - - &paddq ($car1,$car0); - &movq (&QWP($frame,"esp",$num,4),$car1); # tp[num].tp[num-1] - - &inc ($i); # i++ -&set_label("outer"); - &xor ($j,$j); # j=0 - - &movd ($mul0,&DWP(0,$bp,$i,4)); # bp[i] - &movd ($mul1,&DWP(0,$ap)); # ap[0] - &movd ($temp,&DWP($frame,"esp")); # tp[0] - &movd ($car1,&DWP(0,$np)); # np[0] - &pmuludq($mul1,$mul0); # ap[0]*bp[i] - - &paddq ($mul1,$temp); # +=tp[0] - &movq ($acc0,$mul1); - &movq ($car0,$mul1); - &pand ($acc0,$mask); - - &pmuludq($mul1,$_n0q); # *=n0 - - &pmuludq($car1,$mul1); - &paddq ($car1,$acc0); - - &movd ($temp,&DWP($frame+4,"esp")); # tp[1] - &movd ($acc1,&DWP(4,$np)); # np[1] - &movd ($acc0,&DWP(4,$ap)); # ap[1] - - &psrlq ($car0,32); - &psrlq ($car1,32); - &paddq ($car0,$temp); # +=tp[1] - - &inc ($j); # j++ - &dec ($num); -&set_label("inner"); - &pmuludq($acc0,$mul0); # ap[j]*bp[i] - &pmuludq($acc1,$mul1); # np[j]*m1 - &paddq ($car0,$acc0); # +=c0 - &paddq ($car1,$acc1); # +=c1 - - &movq ($acc0,$car0); - &movd ($temp,&DWP($frame+4,"esp",$j,4));# tp[j+1] - &pand ($acc0,$mask); - &movd ($acc1,&DWP(4,$np,$j,4)); # np[j+1] - &paddq ($car1,$acc0); # +=ap[j]*bp[i]+tp[j] - &movd ($acc0,&DWP(4,$ap,$j,4)); # ap[j+1] - &psrlq ($car0,32); - &movd (&DWP($frame-4,"esp",$j,4),$car1);# tp[j-1]= - &psrlq ($car1,32); - &paddq ($car0,$temp); # +=tp[j+1] - - &dec ($num); - &lea ($j,&DWP(1,$j)); # j++ - &jnz (&label("inner")); - - &mov ($num,$j); - &pmuludq($acc0,$mul0); # ap[num-1]*bp[i] - &pmuludq($acc1,$mul1); # np[num-1]*m1 - &paddq ($car0,$acc0); # +=c0 - &paddq ($car1,$acc1); # +=c1 - - &movq ($acc0,$car0); - &pand ($acc0,$mask); - &paddq ($car1,$acc0); # +=ap[num-1]*bp[i]+tp[num-1] - &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[num-2]= - &psrlq ($car0,32); - &psrlq ($car1,32); - - &movd ($temp,&DWP($frame+4,"esp",$num,4)); # += tp[num] - &paddq ($car1,$car0); - &paddq ($car1,$temp); - &movq (&QWP($frame,"esp",$num,4),$car1); # tp[num].tp[num-1] - - &lea ($i,&DWP(1,$i)); # i++ - &cmp ($i,$num); - &jle (&label("outer")); - - &emms (); # done with mmx bank - &jmp (&label("common_tail")); - -&set_label("non_sse2",16); -} - -if (0) { - &mov ("esp",$_sp); - &xor ("eax","eax"); # signal "not fast enough [yet]" - &jmp (&label("just_leave")); - # While the below code provides competitive performance for - # all key lengths on modern Intel cores, it's still more - # than 10% slower for 4096-bit key elsewhere:-( "Competitive" - # means compared to the original integer-only assembler. - # 512-bit RSA sign is better by ~40%, but that's about all - # one can say about all CPUs... -} else { -$inp="esi"; # integer path uses these registers differently -$word="edi"; -$carry="ebp"; - - &mov ($inp,$_ap); - &lea ($carry,&DWP(1,$num)); - &mov ($word,$_bp); - &xor ($j,$j); # j=0 - &mov ("edx",$inp); - &and ($carry,1); # see if num is even - &sub ("edx",$word); # see if ap==bp - &lea ("eax",&DWP(4,$word,$num,4)); # &bp[num] - &or ($carry,"edx"); - &mov ($word,&DWP(0,$word)); # bp[0] - &jz (&label("bn_sqr_mont")); - &mov ($_bpend,"eax"); - &mov ("eax",&DWP(0,$inp)); - &xor ("edx","edx"); - -&set_label("mull",16); - &mov ($carry,"edx"); - &mul ($word); # ap[j]*bp[0] - &add ($carry,"eax"); - &lea ($j,&DWP(1,$j)); - &adc ("edx",0); - &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j+1] - &cmp ($j,$num); - &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]= - &jl (&label("mull")); - - &mov ($carry,"edx"); - &mul ($word); # ap[num-1]*bp[0] - &mov ($word,$_n0); - &add ("eax",$carry); - &mov ($inp,$_np); - &adc ("edx",0); - &imul ($word,&DWP($frame,"esp")); # n0*tp[0] - - &mov (&DWP($frame,"esp",$num,4),"eax"); # tp[num-1]= - &xor ($j,$j); - &mov (&DWP($frame+4,"esp",$num,4),"edx"); # tp[num]= - &mov (&DWP($frame+8,"esp",$num,4),$j); # tp[num+1]= - - &mov ("eax",&DWP(0,$inp)); # np[0] - &mul ($word); # np[0]*m - &add ("eax",&DWP($frame,"esp")); # +=tp[0] - &mov ("eax",&DWP(4,$inp)); # np[1] - &adc ("edx",0); - &inc ($j); - - &jmp (&label("2ndmadd")); - -&set_label("1stmadd",16); - &mov ($carry,"edx"); - &mul ($word); # ap[j]*bp[i] - &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j] - &lea ($j,&DWP(1,$j)); - &adc ("edx",0); - &add ($carry,"eax"); - &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j+1] - &adc ("edx",0); - &cmp ($j,$num); - &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]= - &jl (&label("1stmadd")); - - &mov ($carry,"edx"); - &mul ($word); # ap[num-1]*bp[i] - &add ("eax",&DWP($frame,"esp",$num,4)); # +=tp[num-1] - &mov ($word,$_n0); - &adc ("edx",0); - &mov ($inp,$_np); - &add ($carry,"eax"); - &adc ("edx",0); - &imul ($word,&DWP($frame,"esp")); # n0*tp[0] - - &xor ($j,$j); - &add ("edx",&DWP($frame+4,"esp",$num,4)); # carry+=tp[num] - &mov (&DWP($frame,"esp",$num,4),$carry); # tp[num-1]= - &adc ($j,0); - &mov ("eax",&DWP(0,$inp)); # np[0] - &mov (&DWP($frame+4,"esp",$num,4),"edx"); # tp[num]= - &mov (&DWP($frame+8,"esp",$num,4),$j); # tp[num+1]= - - &mul ($word); # np[0]*m - &add ("eax",&DWP($frame,"esp")); # +=tp[0] - &mov ("eax",&DWP(4,$inp)); # np[1] - &adc ("edx",0); - &mov ($j,1); - -&set_label("2ndmadd",16); - &mov ($carry,"edx"); - &mul ($word); # np[j]*m - &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j] - &lea ($j,&DWP(1,$j)); - &adc ("edx",0); - &add ($carry,"eax"); - &mov ("eax",&DWP(0,$inp,$j,4)); # np[j+1] - &adc ("edx",0); - &cmp ($j,$num); - &mov (&DWP($frame-8,"esp",$j,4),$carry); # tp[j-1]= - &jl (&label("2ndmadd")); - - &mov ($carry,"edx"); - &mul ($word); # np[j]*m - &add ($carry,&DWP($frame,"esp",$num,4)); # +=tp[num-1] - &adc ("edx",0); - &add ($carry,"eax"); - &adc ("edx",0); - &mov (&DWP($frame-4,"esp",$num,4),$carry); # tp[num-2]= - - &xor ("eax","eax"); - &mov ($j,$_bp); # &bp[i] - &add ("edx",&DWP($frame+4,"esp",$num,4)); # carry+=tp[num] - &adc ("eax",&DWP($frame+8,"esp",$num,4)); # +=tp[num+1] - &lea ($j,&DWP(4,$j)); - &mov (&DWP($frame,"esp",$num,4),"edx"); # tp[num-1]= - &cmp ($j,$_bpend); - &mov (&DWP($frame+4,"esp",$num,4),"eax"); # tp[num]= - &je (&label("common_tail")); - - &mov ($word,&DWP(0,$j)); # bp[i+1] - &mov ($inp,$_ap); - &mov ($_bp,$j); # &bp[++i] - &xor ($j,$j); - &xor ("edx","edx"); - &mov ("eax",&DWP(0,$inp)); - &jmp (&label("1stmadd")); - -&set_label("bn_sqr_mont",16); -$sbit=$num; - &mov ($_num,$num); - &mov ($_bp,$j); # i=0 - - &mov ("eax",$word); # ap[0] - &mul ($word); # ap[0]*ap[0] - &mov (&DWP($frame,"esp"),"eax"); # tp[0]= - &mov ($sbit,"edx"); - &shr ("edx",1); - &and ($sbit,1); - &inc ($j); -&set_label("sqr",16); - &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j] - &mov ($carry,"edx"); - &mul ($word); # ap[j]*ap[0] - &add ("eax",$carry); - &lea ($j,&DWP(1,$j)); - &adc ("edx",0); - &lea ($carry,&DWP(0,$sbit,"eax",2)); - &shr ("eax",31); - &cmp ($j,$_num); - &mov ($sbit,"eax"); - &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]= - &jl (&label("sqr")); - - &mov ("eax",&DWP(0,$inp,$j,4)); # ap[num-1] - &mov ($carry,"edx"); - &mul ($word); # ap[num-1]*ap[0] - &add ("eax",$carry); - &mov ($word,$_n0); - &adc ("edx",0); - &mov ($inp,$_np); - &lea ($carry,&DWP(0,$sbit,"eax",2)); - &imul ($word,&DWP($frame,"esp")); # n0*tp[0] - &shr ("eax",31); - &mov (&DWP($frame,"esp",$j,4),$carry); # tp[num-1]= - - &lea ($carry,&DWP(0,"eax","edx",2)); - &mov ("eax",&DWP(0,$inp)); # np[0] - &shr ("edx",31); - &mov (&DWP($frame+4,"esp",$j,4),$carry); # tp[num]= - &mov (&DWP($frame+8,"esp",$j,4),"edx"); # tp[num+1]= - - &mul ($word); # np[0]*m - &add ("eax",&DWP($frame,"esp")); # +=tp[0] - &mov ($num,$j); - &adc ("edx",0); - &mov ("eax",&DWP(4,$inp)); # np[1] - &mov ($j,1); - -&set_label("3rdmadd",16); - &mov ($carry,"edx"); - &mul ($word); # np[j]*m - &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j] - &adc ("edx",0); - &add ($carry,"eax"); - &mov ("eax",&DWP(4,$inp,$j,4)); # np[j+1] - &adc ("edx",0); - &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j-1]= - - &mov ($carry,"edx"); - &mul ($word); # np[j+1]*m - &add ($carry,&DWP($frame+4,"esp",$j,4)); # +=tp[j+1] - &lea ($j,&DWP(2,$j)); - &adc ("edx",0); - &add ($carry,"eax"); - &mov ("eax",&DWP(0,$inp,$j,4)); # np[j+2] - &adc ("edx",0); - &cmp ($j,$num); - &mov (&DWP($frame-8,"esp",$j,4),$carry); # tp[j]= - &jl (&label("3rdmadd")); - - &mov ($carry,"edx"); - &mul ($word); # np[j]*m - &add ($carry,&DWP($frame,"esp",$num,4)); # +=tp[num-1] - &adc ("edx",0); - &add ($carry,"eax"); - &adc ("edx",0); - &mov (&DWP($frame-4,"esp",$num,4),$carry); # tp[num-2]= - - &mov ($j,$_bp); # i - &xor ("eax","eax"); - &mov ($inp,$_ap); - &add ("edx",&DWP($frame+4,"esp",$num,4)); # carry+=tp[num] - &adc ("eax",&DWP($frame+8,"esp",$num,4)); # +=tp[num+1] - &mov (&DWP($frame,"esp",$num,4),"edx"); # tp[num-1]= - &cmp ($j,$num); - &mov (&DWP($frame+4,"esp",$num,4),"eax"); # tp[num]= - &je (&label("common_tail")); - - &mov ($word,&DWP(4,$inp,$j,4)); # ap[i] - &lea ($j,&DWP(1,$j)); - &mov ("eax",$word); - &mov ($_bp,$j); # ++i - &mul ($word); # ap[i]*ap[i] - &add ("eax",&DWP($frame,"esp",$j,4)); # +=tp[i] - &adc ("edx",0); - &mov (&DWP($frame,"esp",$j,4),"eax"); # tp[i]= - &xor ($carry,$carry); - &cmp ($j,$num); - &lea ($j,&DWP(1,$j)); - &je (&label("sqrlast")); - - &mov ($sbit,"edx"); # zaps $num - &shr ("edx",1); - &and ($sbit,1); -&set_label("sqradd",16); - &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j] - &mov ($carry,"edx"); - &mul ($word); # ap[j]*ap[i] - &add ("eax",$carry); - &lea ($carry,&DWP(0,"eax","eax")); - &adc ("edx",0); - &shr ("eax",31); - &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j] - &lea ($j,&DWP(1,$j)); - &adc ("eax",0); - &add ($carry,$sbit); - &adc ("eax",0); - &cmp ($j,$_num); - &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]= - &mov ($sbit,"eax"); - &jle (&label("sqradd")); - - &mov ($carry,"edx"); - &add ("edx","edx"); - &shr ($carry,31); - &add ("edx",$sbit); - &adc ($carry,0); -&set_label("sqrlast"); - &mov ($word,$_n0); - &mov ($inp,$_np); - &imul ($word,&DWP($frame,"esp")); # n0*tp[0] - - &add ("edx",&DWP($frame,"esp",$j,4)); # +=tp[num] - &mov ("eax",&DWP(0,$inp)); # np[0] - &adc ($carry,0); - &mov (&DWP($frame,"esp",$j,4),"edx"); # tp[num]= - &mov (&DWP($frame+4,"esp",$j,4),$carry); # tp[num+1]= - - &mul ($word); # np[0]*m - &add ("eax",&DWP($frame,"esp")); # +=tp[0] - &lea ($num,&DWP(-1,$j)); - &adc ("edx",0); - &mov ($j,1); - &mov ("eax",&DWP(4,$inp)); # np[1] - - &jmp (&label("3rdmadd")); -} - -&set_label("common_tail",16); - &mov ($np,$_np); # load modulus pointer - &mov ($rp,$_rp); # load result pointer - &lea ($tp,&DWP($frame,"esp")); # [$ap and $bp are zapped] - - &mov ("eax",&DWP(0,$tp)); # tp[0] - &mov ($j,$num); # j=num-1 - &xor ($i,$i); # i=0 and clear CF! - -&set_label("sub",16); - &sbb ("eax",&DWP(0,$np,$i,4)); - &mov (&DWP(0,$rp,$i,4),"eax"); # rp[i]=tp[i]-np[i] - &dec ($j); # doesn't affect CF! - &mov ("eax",&DWP(4,$tp,$i,4)); # tp[i+1] - &lea ($i,&DWP(1,$i)); # i++ - &jge (&label("sub")); - - &sbb ("eax",0); # handle upmost overflow bit - &and ($tp,"eax"); - ¬ ("eax"); - &mov ($np,$rp); - &and ($np,"eax"); - &or ($tp,$np); # tp=carry?tp:rp - -&set_label("copy",16); # copy or in-place refresh - &mov ("eax",&DWP(0,$tp,$num,4)); - &mov (&DWP(0,$rp,$num,4),"eax"); # rp[i]=tp[i] - &mov (&DWP($frame,"esp",$num,4),$j); # zap temporary vector - &dec ($num); - &jge (&label("copy")); - - &mov ("esp",$_sp); # pull saved stack pointer - &mov ("eax",1); -&set_label("just_leave"); -&function_end("bn_mul_mont"); - -&asm_finish(); diff --git a/src/lib/libcrypto/bn/asm/x86_64-mont.pl b/src/lib/libcrypto/bn/asm/x86_64-mont.pl deleted file mode 100755 index 30cfab4fce..0000000000 --- a/src/lib/libcrypto/bn/asm/x86_64-mont.pl +++ /dev/null @@ -1,1503 +0,0 @@ -#!/usr/bin/env perl - -# ==================================================================== -# Written by Andy Polyakov for the OpenSSL -# project. The module is, however, dual licensed under OpenSSL and -# CRYPTOGAMS licenses depending on where you obtain it. For further -# details see http://www.openssl.org/~appro/cryptogams/. -# ==================================================================== - -# October 2005. -# -# Montgomery multiplication routine for x86_64. While it gives modest -# 9% improvement of rsa4096 sign on Opteron, rsa512 sign runs more -# than twice, >2x, as fast. Most common rsa1024 sign is improved by -# respectful 50%. It remains to be seen if loop unrolling and -# dedicated squaring routine can provide further improvement... - -# July 2011. -# -# Add dedicated squaring procedure. Performance improvement varies -# from platform to platform, but in average it's ~5%/15%/25%/33% -# for 512-/1024-/2048-/4096-bit RSA *sign* benchmarks respectively. - -# August 2011. -# -# Unroll and modulo-schedule inner loops in such manner that they -# are "fallen through" for input lengths of 8, which is critical for -# 1024-bit RSA *sign*. Average performance improvement in comparison -# to *initial* version of this module from 2005 is ~0%/30%/40%/45% -# for 512-/1024-/2048-/4096-bit RSA *sign* benchmarks respectively. - -$flavour = shift; -$output = shift; -if ($flavour =~ /\./) { $output = $flavour; undef $flavour; } - -$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or -( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or -die "can't locate x86_64-xlate.pl"; - -open OUT,"| \"$^X\" $xlate $flavour $output"; -*STDOUT=*OUT; - -# int bn_mul_mont( -$rp="%rdi"; # BN_ULONG *rp, -$ap="%rsi"; # const BN_ULONG *ap, -$bp="%rdx"; # const BN_ULONG *bp, -$np="%rcx"; # const BN_ULONG *np, -$n0="%r8"; # const BN_ULONG *n0, -$num="%r9"; # int num); -$lo0="%r10"; -$hi0="%r11"; -$hi1="%r13"; -$i="%r14"; -$j="%r15"; -$m0="%rbx"; -$m1="%rbp"; - -$code=<<___; -.text - -.globl bn_mul_mont -.type bn_mul_mont,\@function,6 -.align 16 -bn_mul_mont: - _CET_ENDBR - test \$3,${num}d - jnz .Lmul_enter - cmp \$8,${num}d - jb .Lmul_enter - cmp $ap,$bp - jne .Lmul4x_enter - jmp .Lsqr4x_enter - -.align 16 -.Lmul_enter: - push %rbx - push %rbp - push %r12 - push %r13 - push %r14 - push %r15 - - mov ${num}d,${num}d - lea 2($num),%r10 - mov %rsp,%r11 - neg %r10 - lea (%rsp,%r10,8),%rsp # tp=alloca(8*(num+2)) - and \$-1024,%rsp # minimize TLB usage - - mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp -.Lmul_body: - mov $bp,%r12 # reassign $bp -___ - $bp="%r12"; -$code.=<<___; - mov ($n0),$n0 # pull n0[0] value - mov ($bp),$m0 # m0=bp[0] - mov ($ap),%rax - - xor $i,$i # i=0 - xor $j,$j # j=0 - - mov $n0,$m1 - mulq $m0 # ap[0]*bp[0] - mov %rax,$lo0 - mov ($np),%rax - - imulq $lo0,$m1 # "tp[0]"*n0 - mov %rdx,$hi0 - - mulq $m1 # np[0]*m1 - add %rax,$lo0 # discarded - mov 8($ap),%rax - adc \$0,%rdx - mov %rdx,$hi1 - - lea 1($j),$j # j++ - jmp .L1st_enter - -.align 16 -.L1st: - add %rax,$hi1 - mov ($ap,$j,8),%rax - adc \$0,%rdx - add $hi0,$hi1 # np[j]*m1+ap[j]*bp[0] - mov $lo0,$hi0 - adc \$0,%rdx - mov $hi1,-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$hi1 - -.L1st_enter: - mulq $m0 # ap[j]*bp[0] - add %rax,$hi0 - mov ($np,$j,8),%rax - adc \$0,%rdx - lea 1($j),$j # j++ - mov %rdx,$lo0 - - mulq $m1 # np[j]*m1 - cmp $num,$j - jl .L1st - - add %rax,$hi1 - mov ($ap),%rax # ap[0] - adc \$0,%rdx - add $hi0,$hi1 # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $hi1,-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$hi1 - mov $lo0,$hi0 - - xor %rdx,%rdx - add $hi0,$hi1 - adc \$0,%rdx - mov $hi1,-8(%rsp,$num,8) - mov %rdx,(%rsp,$num,8) # store upmost overflow bit - - lea 1($i),$i # i++ - jmp .Louter -.align 16 -.Louter: - mov ($bp,$i,8),$m0 # m0=bp[i] - xor $j,$j # j=0 - mov $n0,$m1 - mov (%rsp),$lo0 - mulq $m0 # ap[0]*bp[i] - add %rax,$lo0 # ap[0]*bp[i]+tp[0] - mov ($np),%rax - adc \$0,%rdx - - imulq $lo0,$m1 # tp[0]*n0 - mov %rdx,$hi0 - - mulq $m1 # np[0]*m1 - add %rax,$lo0 # discarded - mov 8($ap),%rax - adc \$0,%rdx - mov 8(%rsp),$lo0 # tp[1] - mov %rdx,$hi1 - - lea 1($j),$j # j++ - jmp .Linner_enter - -.align 16 -.Linner: - add %rax,$hi1 - mov ($ap,$j,8),%rax - adc \$0,%rdx - add $lo0,$hi1 # np[j]*m1+ap[j]*bp[i]+tp[j] - mov (%rsp,$j,8),$lo0 - adc \$0,%rdx - mov $hi1,-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$hi1 - -.Linner_enter: - mulq $m0 # ap[j]*bp[i] - add %rax,$hi0 - mov ($np,$j,8),%rax - adc \$0,%rdx - add $hi0,$lo0 # ap[j]*bp[i]+tp[j] - mov %rdx,$hi0 - adc \$0,$hi0 - lea 1($j),$j # j++ - - mulq $m1 # np[j]*m1 - cmp $num,$j - jl .Linner - - add %rax,$hi1 - mov ($ap),%rax # ap[0] - adc \$0,%rdx - add $lo0,$hi1 # np[j]*m1+ap[j]*bp[i]+tp[j] - mov (%rsp,$j,8),$lo0 - adc \$0,%rdx - mov $hi1,-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$hi1 - - xor %rdx,%rdx - add $hi0,$hi1 - adc \$0,%rdx - add $lo0,$hi1 # pull upmost overflow bit - adc \$0,%rdx - mov $hi1,-8(%rsp,$num,8) - mov %rdx,(%rsp,$num,8) # store upmost overflow bit - - lea 1($i),$i # i++ - cmp $num,$i - jl .Louter - - xor $i,$i # i=0 and clear CF! - mov (%rsp),%rax # tp[0] - lea (%rsp),$ap # borrow ap for tp - mov $num,$j # j=num - jmp .Lsub -.align 16 -.Lsub: sbb ($np,$i,8),%rax - mov %rax,($rp,$i,8) # rp[i]=tp[i]-np[i] - mov 8($ap,$i,8),%rax # tp[i+1] - lea 1($i),$i # i++ - dec $j # doesnn't affect CF! - jnz .Lsub - - sbb \$0,%rax # handle upmost overflow bit - xor $i,$i - and %rax,$ap - not %rax - mov $rp,$np - and %rax,$np - mov $num,$j # j=num - or $np,$ap # ap=borrow?tp:rp -.align 16 -.Lcopy: # copy or in-place refresh - mov ($ap,$i,8),%rax - mov $i,(%rsp,$i,8) # zap temporary vector - mov %rax,($rp,$i,8) # rp[i]=tp[i] - lea 1($i),$i - sub \$1,$j - jnz .Lcopy - - mov 8(%rsp,$num,8),%rsi # restore %rsp - mov \$1,%rax - mov (%rsi),%r15 - mov 8(%rsi),%r14 - mov 16(%rsi),%r13 - mov 24(%rsi),%r12 - mov 32(%rsi),%rbp - mov 40(%rsi),%rbx - lea 48(%rsi),%rsp -.Lmul_epilogue: - ret -.size bn_mul_mont,.-bn_mul_mont -___ -{{{ -my @A=("%r10","%r11"); -my @N=("%r13","%rdi"); -$code.=<<___; -.type bn_mul4x_mont,\@function,6 -.align 16 -bn_mul4x_mont: -.Lmul4x_enter: - _CET_ENDBR - push %rbx - push %rbp - push %r12 - push %r13 - push %r14 - push %r15 - - mov ${num}d,${num}d - lea 4($num),%r10 - mov %rsp,%r11 - neg %r10 - lea (%rsp,%r10,8),%rsp # tp=alloca(8*(num+4)) - and \$-1024,%rsp # minimize TLB usage - - mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp -.Lmul4x_body: - mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp - mov %rdx,%r12 # reassign $bp -___ - $bp="%r12"; -$code.=<<___; - mov ($n0),$n0 # pull n0[0] value - mov ($bp),$m0 # m0=bp[0] - mov ($ap),%rax - - xor $i,$i # i=0 - xor $j,$j # j=0 - - mov $n0,$m1 - mulq $m0 # ap[0]*bp[0] - mov %rax,$A[0] - mov ($np),%rax - - imulq $A[0],$m1 # "tp[0]"*n0 - mov %rdx,$A[1] - - mulq $m1 # np[0]*m1 - add %rax,$A[0] # discarded - mov 8($ap),%rax - adc \$0,%rdx - mov %rdx,$N[1] - - mulq $m0 - add %rax,$A[1] - mov 8($np),%rax - adc \$0,%rdx - mov %rdx,$A[0] - - mulq $m1 - add %rax,$N[1] - mov 16($ap),%rax - adc \$0,%rdx - add $A[1],$N[1] - lea 4($j),$j # j++ - adc \$0,%rdx - mov $N[1],(%rsp) - mov %rdx,$N[0] - jmp .L1st4x -.align 16 -.L1st4x: - mulq $m0 # ap[j]*bp[0] - add %rax,$A[0] - mov -16($np,$j,8),%rax - adc \$0,%rdx - mov %rdx,$A[1] - - mulq $m1 # np[j]*m1 - add %rax,$N[0] - mov -8($ap,$j,8),%rax - adc \$0,%rdx - add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $N[0],-24(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[0] - add %rax,$A[1] - mov -8($np,$j,8),%rax - adc \$0,%rdx - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov ($ap,$j,8),%rax - adc \$0,%rdx - add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $N[1],-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[0] - - mulq $m0 # ap[j]*bp[0] - add %rax,$A[0] - mov ($np,$j,8),%rax - adc \$0,%rdx - mov %rdx,$A[1] - - mulq $m1 # np[j]*m1 - add %rax,$N[0] - mov 8($ap,$j,8),%rax - adc \$0,%rdx - add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $N[0],-8(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[0] - add %rax,$A[1] - mov 8($np,$j,8),%rax - adc \$0,%rdx - lea 4($j),$j # j++ - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov -16($ap,$j,8),%rax - adc \$0,%rdx - add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $N[1],-32(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[0] - cmp $num,$j - jl .L1st4x - - mulq $m0 # ap[j]*bp[0] - add %rax,$A[0] - mov -16($np,$j,8),%rax - adc \$0,%rdx - mov %rdx,$A[1] - - mulq $m1 # np[j]*m1 - add %rax,$N[0] - mov -8($ap,$j,8),%rax - adc \$0,%rdx - add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $N[0],-24(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[0] - add %rax,$A[1] - mov -8($np,$j,8),%rax - adc \$0,%rdx - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov ($ap),%rax # ap[0] - adc \$0,%rdx - add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $N[1],-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[0] - - xor $N[1],$N[1] - add $A[0],$N[0] - adc \$0,$N[1] - mov $N[0],-8(%rsp,$j,8) - mov $N[1],(%rsp,$j,8) # store upmost overflow bit - - lea 1($i),$i # i++ -.align 4 -.Louter4x: - mov ($bp,$i,8),$m0 # m0=bp[i] - xor $j,$j # j=0 - mov (%rsp),$A[0] - mov $n0,$m1 - mulq $m0 # ap[0]*bp[i] - add %rax,$A[0] # ap[0]*bp[i]+tp[0] - mov ($np),%rax - adc \$0,%rdx - - imulq $A[0],$m1 # tp[0]*n0 - mov %rdx,$A[1] - - mulq $m1 # np[0]*m1 - add %rax,$A[0] # "$N[0]", discarded - mov 8($ap),%rax - adc \$0,%rdx - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[i] - add %rax,$A[1] - mov 8($np),%rax - adc \$0,%rdx - add 8(%rsp),$A[1] # +tp[1] - adc \$0,%rdx - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov 16($ap),%rax - adc \$0,%rdx - add $A[1],$N[1] # np[j]*m1+ap[j]*bp[i]+tp[j] - lea 4($j),$j # j+=2 - adc \$0,%rdx - mov $N[1],(%rsp) # tp[j-1] - mov %rdx,$N[0] - jmp .Linner4x -.align 16 -.Linner4x: - mulq $m0 # ap[j]*bp[i] - add %rax,$A[0] - mov -16($np,$j,8),%rax - adc \$0,%rdx - add -16(%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j] - adc \$0,%rdx - mov %rdx,$A[1] - - mulq $m1 # np[j]*m1 - add %rax,$N[0] - mov -8($ap,$j,8),%rax - adc \$0,%rdx - add $A[0],$N[0] - adc \$0,%rdx - mov $N[0],-24(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[i] - add %rax,$A[1] - mov -8($np,$j,8),%rax - adc \$0,%rdx - add -8(%rsp,$j,8),$A[1] - adc \$0,%rdx - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov ($ap,$j,8),%rax - adc \$0,%rdx - add $A[1],$N[1] - adc \$0,%rdx - mov $N[1],-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[0] - - mulq $m0 # ap[j]*bp[i] - add %rax,$A[0] - mov ($np,$j,8),%rax - adc \$0,%rdx - add (%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j] - adc \$0,%rdx - mov %rdx,$A[1] - - mulq $m1 # np[j]*m1 - add %rax,$N[0] - mov 8($ap,$j,8),%rax - adc \$0,%rdx - add $A[0],$N[0] - adc \$0,%rdx - mov $N[0],-8(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[i] - add %rax,$A[1] - mov 8($np,$j,8),%rax - adc \$0,%rdx - add 8(%rsp,$j,8),$A[1] - adc \$0,%rdx - lea 4($j),$j # j++ - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov -16($ap,$j,8),%rax - adc \$0,%rdx - add $A[1],$N[1] - adc \$0,%rdx - mov $N[1],-32(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[0] - cmp $num,$j - jl .Linner4x - - mulq $m0 # ap[j]*bp[i] - add %rax,$A[0] - mov -16($np,$j,8),%rax - adc \$0,%rdx - add -16(%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j] - adc \$0,%rdx - mov %rdx,$A[1] - - mulq $m1 # np[j]*m1 - add %rax,$N[0] - mov -8($ap,$j,8),%rax - adc \$0,%rdx - add $A[0],$N[0] - adc \$0,%rdx - mov $N[0],-24(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[i] - add %rax,$A[1] - mov -8($np,$j,8),%rax - adc \$0,%rdx - add -8(%rsp,$j,8),$A[1] - adc \$0,%rdx - lea 1($i),$i # i++ - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov ($ap),%rax # ap[0] - adc \$0,%rdx - add $A[1],$N[1] - adc \$0,%rdx - mov $N[1],-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[0] - - xor $N[1],$N[1] - add $A[0],$N[0] - adc \$0,$N[1] - add (%rsp,$num,8),$N[0] # pull upmost overflow bit - adc \$0,$N[1] - mov $N[0],-8(%rsp,$j,8) - mov $N[1],(%rsp,$j,8) # store upmost overflow bit - - cmp $num,$i - jl .Louter4x -___ -{ -my @ri=("%rax","%rdx",$m0,$m1); -$code.=<<___; - mov 16(%rsp,$num,8),$rp # restore $rp - mov 0(%rsp),@ri[0] # tp[0] - pxor %xmm0,%xmm0 - mov 8(%rsp),@ri[1] # tp[1] - shr \$2,$num # num/=4 - lea (%rsp),$ap # borrow ap for tp - xor $i,$i # i=0 and clear CF! - - sub 0($np),@ri[0] - mov 16($ap),@ri[2] # tp[2] - mov 24($ap),@ri[3] # tp[3] - sbb 8($np),@ri[1] - lea -1($num),$j # j=num/4-1 - jmp .Lsub4x -.align 16 -.Lsub4x: - mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i] - mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i] - sbb 16($np,$i,8),@ri[2] - mov 32($ap,$i,8),@ri[0] # tp[i+1] - mov 40($ap,$i,8),@ri[1] - sbb 24($np,$i,8),@ri[3] - mov @ri[2],16($rp,$i,8) # rp[i]=tp[i]-np[i] - mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i] - sbb 32($np,$i,8),@ri[0] - mov 48($ap,$i,8),@ri[2] - mov 56($ap,$i,8),@ri[3] - sbb 40($np,$i,8),@ri[1] - lea 4($i),$i # i++ - dec $j # doesnn't affect CF! - jnz .Lsub4x - - mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i] - mov 32($ap,$i,8),@ri[0] # load overflow bit - sbb 16($np,$i,8),@ri[2] - mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i] - sbb 24($np,$i,8),@ri[3] - mov @ri[2],16($rp,$i,8) # rp[i]=tp[i]-np[i] - - sbb \$0,@ri[0] # handle upmost overflow bit - mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i] - xor $i,$i # i=0 - and @ri[0],$ap - not @ri[0] - mov $rp,$np - and @ri[0],$np - lea -1($num),$j - or $np,$ap # ap=borrow?tp:rp - - movdqu ($ap),%xmm1 - movdqa %xmm0,(%rsp) - movdqu %xmm1,($rp) - jmp .Lcopy4x -.align 16 -.Lcopy4x: # copy or in-place refresh - movdqu 16($ap,$i),%xmm2 - movdqu 32($ap,$i),%xmm1 - movdqa %xmm0,16(%rsp,$i) - movdqu %xmm2,16($rp,$i) - movdqa %xmm0,32(%rsp,$i) - movdqu %xmm1,32($rp,$i) - lea 32($i),$i - dec $j - jnz .Lcopy4x - - shl \$2,$num - movdqu 16($ap,$i),%xmm2 - movdqa %xmm0,16(%rsp,$i) - movdqu %xmm2,16($rp,$i) -___ -} -$code.=<<___; - mov 8(%rsp,$num,8),%rsi # restore %rsp - mov \$1,%rax - mov (%rsi),%r15 - mov 8(%rsi),%r14 - mov 16(%rsi),%r13 - mov 24(%rsi),%r12 - mov 32(%rsi),%rbp - mov 40(%rsi),%rbx - lea 48(%rsi),%rsp -.Lmul4x_epilogue: - ret -.size bn_mul4x_mont,.-bn_mul4x_mont -___ -}}} - {{{ -###################################################################### -# void bn_sqr4x_mont( -my $rptr="%rdi"; # const BN_ULONG *rptr, -my $aptr="%rsi"; # const BN_ULONG *aptr, -my $bptr="%rdx"; # not used -my $nptr="%rcx"; # const BN_ULONG *nptr, -my $n0 ="%r8"; # const BN_ULONG *n0); -my $num ="%r9"; # int num, has to be divisible by 4 and - # not less than 8 - -my ($i,$j,$tptr)=("%rbp","%rcx",$rptr); -my @A0=("%r10","%r11"); -my @A1=("%r12","%r13"); -my ($a0,$a1,$ai)=("%r14","%r15","%rbx"); - -$code.=<<___; -.type bn_sqr4x_mont,\@function,6 -.align 16 -bn_sqr4x_mont: -.Lsqr4x_enter: - _CET_ENDBR - push %rbx - push %rbp - push %r12 - push %r13 - push %r14 - push %r15 - - shl \$3,${num}d # convert $num to bytes - xor %r10,%r10 - mov %rsp,%r11 # put aside %rsp - sub $num,%r10 # -$num - mov ($n0),$n0 # *n0 - lea -72(%rsp,%r10,2),%rsp # alloca(frame+2*$num) - and \$-1024,%rsp # minimize TLB usage - ############################################################## - # Stack layout - # - # +0 saved $num, used in reduction section - # +8 &t[2*$num], used in reduction section - # +32 saved $rptr - # +40 saved $nptr - # +48 saved *n0 - # +56 saved %rsp - # +64 t[2*$num] - # - mov $rptr,32(%rsp) # save $rptr - mov $nptr,40(%rsp) - mov $n0, 48(%rsp) - mov %r11, 56(%rsp) # save original %rsp -.Lsqr4x_body: - ############################################################## - # Squaring part: - # - # a) multiply-n-add everything but a[i]*a[i]; - # b) shift result of a) by 1 to the left and accumulate - # a[i]*a[i] products; - # - lea 32(%r10),$i # $i=-($num-32) - lea ($aptr,$num),$aptr # end of a[] buffer, ($aptr,$i)=&ap[2] - - mov $num,$j # $j=$num - - # comments apply to $num==8 case - mov -32($aptr,$i),$a0 # a[0] - lea 64(%rsp,$num,2),$tptr # end of tp[] buffer, &tp[2*$num] - mov -24($aptr,$i),%rax # a[1] - lea -32($tptr,$i),$tptr # end of tp[] window, &tp[2*$num-"$i"] - mov -16($aptr,$i),$ai # a[2] - mov %rax,$a1 - - mul $a0 # a[1]*a[0] - mov %rax,$A0[0] # a[1]*a[0] - mov $ai,%rax # a[2] - mov %rdx,$A0[1] - mov $A0[0],-24($tptr,$i) # t[1] - - xor $A0[0],$A0[0] - mul $a0 # a[2]*a[0] - add %rax,$A0[1] - mov $ai,%rax - adc %rdx,$A0[0] - mov $A0[1],-16($tptr,$i) # t[2] - - lea -16($i),$j # j=-16 - - - mov 8($aptr,$j),$ai # a[3] - mul $a1 # a[2]*a[1] - mov %rax,$A1[0] # a[2]*a[1]+t[3] - mov $ai,%rax - mov %rdx,$A1[1] - - xor $A0[1],$A0[1] - add $A1[0],$A0[0] - lea 16($j),$j - adc \$0,$A0[1] - mul $a0 # a[3]*a[0] - add %rax,$A0[0] # a[3]*a[0]+a[2]*a[1]+t[3] - mov $ai,%rax - adc %rdx,$A0[1] - mov $A0[0],-8($tptr,$j) # t[3] - jmp .Lsqr4x_1st - -.align 16 -.Lsqr4x_1st: - mov ($aptr,$j),$ai # a[4] - xor $A1[0],$A1[0] - mul $a1 # a[3]*a[1] - add %rax,$A1[1] # a[3]*a[1]+t[4] - mov $ai,%rax - adc %rdx,$A1[0] - - xor $A0[0],$A0[0] - add $A1[1],$A0[1] - adc \$0,$A0[0] - mul $a0 # a[4]*a[0] - add %rax,$A0[1] # a[4]*a[0]+a[3]*a[1]+t[4] - mov $ai,%rax # a[3] - adc %rdx,$A0[0] - mov $A0[1],($tptr,$j) # t[4] - - - mov 8($aptr,$j),$ai # a[5] - xor $A1[1],$A1[1] - mul $a1 # a[4]*a[3] - add %rax,$A1[0] # a[4]*a[3]+t[5] - mov $ai,%rax - adc %rdx,$A1[1] - - xor $A0[1],$A0[1] - add $A1[0],$A0[0] - adc \$0,$A0[1] - mul $a0 # a[5]*a[2] - add %rax,$A0[0] # a[5]*a[2]+a[4]*a[3]+t[5] - mov $ai,%rax - adc %rdx,$A0[1] - mov $A0[0],8($tptr,$j) # t[5] - - mov 16($aptr,$j),$ai # a[6] - xor $A1[0],$A1[0] - mul $a1 # a[5]*a[3] - add %rax,$A1[1] # a[5]*a[3]+t[6] - mov $ai,%rax - adc %rdx,$A1[0] - - xor $A0[0],$A0[0] - add $A1[1],$A0[1] - adc \$0,$A0[0] - mul $a0 # a[6]*a[2] - add %rax,$A0[1] # a[6]*a[2]+a[5]*a[3]+t[6] - mov $ai,%rax # a[3] - adc %rdx,$A0[0] - mov $A0[1],16($tptr,$j) # t[6] - - - mov 24($aptr,$j),$ai # a[7] - xor $A1[1],$A1[1] - mul $a1 # a[6]*a[5] - add %rax,$A1[0] # a[6]*a[5]+t[7] - mov $ai,%rax - adc %rdx,$A1[1] - - xor $A0[1],$A0[1] - add $A1[0],$A0[0] - lea 32($j),$j - adc \$0,$A0[1] - mul $a0 # a[7]*a[4] - add %rax,$A0[0] # a[7]*a[4]+a[6]*a[5]+t[6] - mov $ai,%rax - adc %rdx,$A0[1] - mov $A0[0],-8($tptr,$j) # t[7] - - cmp \$0,$j - jne .Lsqr4x_1st - - xor $A1[0],$A1[0] - add $A0[1],$A1[1] - adc \$0,$A1[0] - mul $a1 # a[7]*a[5] - add %rax,$A1[1] - adc %rdx,$A1[0] - - mov $A1[1],($tptr) # t[8] - lea 16($i),$i - mov $A1[0],8($tptr) # t[9] - jmp .Lsqr4x_outer - -.align 16 -.Lsqr4x_outer: # comments apply to $num==6 case - mov -32($aptr,$i),$a0 # a[0] - lea 64(%rsp,$num,2),$tptr # end of tp[] buffer, &tp[2*$num] - mov -24($aptr,$i),%rax # a[1] - lea -32($tptr,$i),$tptr # end of tp[] window, &tp[2*$num-"$i"] - mov -16($aptr,$i),$ai # a[2] - mov %rax,$a1 - - mov -24($tptr,$i),$A0[0] # t[1] - xor $A0[1],$A0[1] - mul $a0 # a[1]*a[0] - add %rax,$A0[0] # a[1]*a[0]+t[1] - mov $ai,%rax # a[2] - adc %rdx,$A0[1] - mov $A0[0],-24($tptr,$i) # t[1] - - xor $A0[0],$A0[0] - add -16($tptr,$i),$A0[1] # a[2]*a[0]+t[2] - adc \$0,$A0[0] - mul $a0 # a[2]*a[0] - add %rax,$A0[1] - mov $ai,%rax - adc %rdx,$A0[0] - mov $A0[1],-16($tptr,$i) # t[2] - - lea -16($i),$j # j=-16 - xor $A1[0],$A1[0] - - - mov 8($aptr,$j),$ai # a[3] - xor $A1[1],$A1[1] - add 8($tptr,$j),$A1[0] - adc \$0,$A1[1] - mul $a1 # a[2]*a[1] - add %rax,$A1[0] # a[2]*a[1]+t[3] - mov $ai,%rax - adc %rdx,$A1[1] - - xor $A0[1],$A0[1] - add $A1[0],$A0[0] - adc \$0,$A0[1] - mul $a0 # a[3]*a[0] - add %rax,$A0[0] # a[3]*a[0]+a[2]*a[1]+t[3] - mov $ai,%rax - adc %rdx,$A0[1] - mov $A0[0],8($tptr,$j) # t[3] - - lea 16($j),$j - jmp .Lsqr4x_inner - -.align 16 -.Lsqr4x_inner: - mov ($aptr,$j),$ai # a[4] - xor $A1[0],$A1[0] - add ($tptr,$j),$A1[1] - adc \$0,$A1[0] - mul $a1 # a[3]*a[1] - add %rax,$A1[1] # a[3]*a[1]+t[4] - mov $ai,%rax - adc %rdx,$A1[0] - - xor $A0[0],$A0[0] - add $A1[1],$A0[1] - adc \$0,$A0[0] - mul $a0 # a[4]*a[0] - add %rax,$A0[1] # a[4]*a[0]+a[3]*a[1]+t[4] - mov $ai,%rax # a[3] - adc %rdx,$A0[0] - mov $A0[1],($tptr,$j) # t[4] - - mov 8($aptr,$j),$ai # a[5] - xor $A1[1],$A1[1] - add 8($tptr,$j),$A1[0] - adc \$0,$A1[1] - mul $a1 # a[4]*a[3] - add %rax,$A1[0] # a[4]*a[3]+t[5] - mov $ai,%rax - adc %rdx,$A1[1] - - xor $A0[1],$A0[1] - add $A1[0],$A0[0] - lea 16($j),$j # j++ - adc \$0,$A0[1] - mul $a0 # a[5]*a[2] - add %rax,$A0[0] # a[5]*a[2]+a[4]*a[3]+t[5] - mov $ai,%rax - adc %rdx,$A0[1] - mov $A0[0],-8($tptr,$j) # t[5], "preloaded t[1]" below - - cmp \$0,$j - jne .Lsqr4x_inner - - xor $A1[0],$A1[0] - add $A0[1],$A1[1] - adc \$0,$A1[0] - mul $a1 # a[5]*a[3] - add %rax,$A1[1] - adc %rdx,$A1[0] - - mov $A1[1],($tptr) # t[6], "preloaded t[2]" below - mov $A1[0],8($tptr) # t[7], "preloaded t[3]" below - - add \$16,$i - jnz .Lsqr4x_outer - - # comments apply to $num==4 case - mov -32($aptr),$a0 # a[0] - lea 64(%rsp,$num,2),$tptr # end of tp[] buffer, &tp[2*$num] - mov -24($aptr),%rax # a[1] - lea -32($tptr,$i),$tptr # end of tp[] window, &tp[2*$num-"$i"] - mov -16($aptr),$ai # a[2] - mov %rax,$a1 - - xor $A0[1],$A0[1] - mul $a0 # a[1]*a[0] - add %rax,$A0[0] # a[1]*a[0]+t[1], preloaded t[1] - mov $ai,%rax # a[2] - adc %rdx,$A0[1] - mov $A0[0],-24($tptr) # t[1] - - xor $A0[0],$A0[0] - add $A1[1],$A0[1] # a[2]*a[0]+t[2], preloaded t[2] - adc \$0,$A0[0] - mul $a0 # a[2]*a[0] - add %rax,$A0[1] - mov $ai,%rax - adc %rdx,$A0[0] - mov $A0[1],-16($tptr) # t[2] - - mov -8($aptr),$ai # a[3] - mul $a1 # a[2]*a[1] - add %rax,$A1[0] # a[2]*a[1]+t[3], preloaded t[3] - mov $ai,%rax - adc \$0,%rdx - - xor $A0[1],$A0[1] - add $A1[0],$A0[0] - mov %rdx,$A1[1] - adc \$0,$A0[1] - mul $a0 # a[3]*a[0] - add %rax,$A0[0] # a[3]*a[0]+a[2]*a[1]+t[3] - mov $ai,%rax - adc %rdx,$A0[1] - mov $A0[0],-8($tptr) # t[3] - - xor $A1[0],$A1[0] - add $A0[1],$A1[1] - adc \$0,$A1[0] - mul $a1 # a[3]*a[1] - add %rax,$A1[1] - mov -16($aptr),%rax # a[2] - adc %rdx,$A1[0] - - mov $A1[1],($tptr) # t[4] - mov $A1[0],8($tptr) # t[5] - - mul $ai # a[2]*a[3] -___ -{ -my ($shift,$carry)=($a0,$a1); -my @S=(@A1,$ai,$n0); -$code.=<<___; - add \$16,$i - xor $shift,$shift - sub $num,$i # $i=16-$num - xor $carry,$carry - - add $A1[0],%rax # t[5] - adc \$0,%rdx - mov %rax,8($tptr) # t[5] - mov %rdx,16($tptr) # t[6] - mov $carry,24($tptr) # t[7] - - mov -16($aptr,$i),%rax # a[0] - lea 64(%rsp,$num,2),$tptr - xor $A0[0],$A0[0] # t[0] - mov -24($tptr,$i,2),$A0[1] # t[1] - - lea ($shift,$A0[0],2),$S[0] # t[2*i]<<1 | shift - shr \$63,$A0[0] - lea ($j,$A0[1],2),$S[1] # t[2*i+1]<<1 | - shr \$63,$A0[1] - or $A0[0],$S[1] # | t[2*i]>>63 - mov -16($tptr,$i,2),$A0[0] # t[2*i+2] # prefetch - mov $A0[1],$shift # shift=t[2*i+1]>>63 - mul %rax # a[i]*a[i] - neg $carry # mov $carry,cf - mov -8($tptr,$i,2),$A0[1] # t[2*i+2+1] # prefetch - adc %rax,$S[0] - mov -8($aptr,$i),%rax # a[i+1] # prefetch - mov $S[0],-32($tptr,$i,2) - adc %rdx,$S[1] - - lea ($shift,$A0[0],2),$S[2] # t[2*i]<<1 | shift - mov $S[1],-24($tptr,$i,2) - sbb $carry,$carry # mov cf,$carry - shr \$63,$A0[0] - lea ($j,$A0[1],2),$S[3] # t[2*i+1]<<1 | - shr \$63,$A0[1] - or $A0[0],$S[3] # | t[2*i]>>63 - mov 0($tptr,$i,2),$A0[0] # t[2*i+2] # prefetch - mov $A0[1],$shift # shift=t[2*i+1]>>63 - mul %rax # a[i]*a[i] - neg $carry # mov $carry,cf - mov 8($tptr,$i,2),$A0[1] # t[2*i+2+1] # prefetch - adc %rax,$S[2] - mov 0($aptr,$i),%rax # a[i+1] # prefetch - mov $S[2],-16($tptr,$i,2) - adc %rdx,$S[3] - lea 16($i),$i - mov $S[3],-40($tptr,$i,2) - sbb $carry,$carry # mov cf,$carry - jmp .Lsqr4x_shift_n_add - -.align 16 -.Lsqr4x_shift_n_add: - lea ($shift,$A0[0],2),$S[0] # t[2*i]<<1 | shift - shr \$63,$A0[0] - lea ($j,$A0[1],2),$S[1] # t[2*i+1]<<1 | - shr \$63,$A0[1] - or $A0[0],$S[1] # | t[2*i]>>63 - mov -16($tptr,$i,2),$A0[0] # t[2*i+2] # prefetch - mov $A0[1],$shift # shift=t[2*i+1]>>63 - mul %rax # a[i]*a[i] - neg $carry # mov $carry,cf - mov -8($tptr,$i,2),$A0[1] # t[2*i+2+1] # prefetch - adc %rax,$S[0] - mov -8($aptr,$i),%rax # a[i+1] # prefetch - mov $S[0],-32($tptr,$i,2) - adc %rdx,$S[1] - - lea ($shift,$A0[0],2),$S[2] # t[2*i]<<1 | shift - mov $S[1],-24($tptr,$i,2) - sbb $carry,$carry # mov cf,$carry - shr \$63,$A0[0] - lea ($j,$A0[1],2),$S[3] # t[2*i+1]<<1 | - shr \$63,$A0[1] - or $A0[0],$S[3] # | t[2*i]>>63 - mov 0($tptr,$i,2),$A0[0] # t[2*i+2] # prefetch - mov $A0[1],$shift # shift=t[2*i+1]>>63 - mul %rax # a[i]*a[i] - neg $carry # mov $carry,cf - mov 8($tptr,$i,2),$A0[1] # t[2*i+2+1] # prefetch - adc %rax,$S[2] - mov 0($aptr,$i),%rax # a[i+1] # prefetch - mov $S[2],-16($tptr,$i,2) - adc %rdx,$S[3] - - lea ($shift,$A0[0],2),$S[0] # t[2*i]<<1 | shift - mov $S[3],-8($tptr,$i,2) - sbb $carry,$carry # mov cf,$carry - shr \$63,$A0[0] - lea ($j,$A0[1],2),$S[1] # t[2*i+1]<<1 | - shr \$63,$A0[1] - or $A0[0],$S[1] # | t[2*i]>>63 - mov 16($tptr,$i,2),$A0[0] # t[2*i+2] # prefetch - mov $A0[1],$shift # shift=t[2*i+1]>>63 - mul %rax # a[i]*a[i] - neg $carry # mov $carry,cf - mov 24($tptr,$i,2),$A0[1] # t[2*i+2+1] # prefetch - adc %rax,$S[0] - mov 8($aptr,$i),%rax # a[i+1] # prefetch - mov $S[0],0($tptr,$i,2) - adc %rdx,$S[1] - - lea ($shift,$A0[0],2),$S[2] # t[2*i]<<1 | shift - mov $S[1],8($tptr,$i,2) - sbb $carry,$carry # mov cf,$carry - shr \$63,$A0[0] - lea ($j,$A0[1],2),$S[3] # t[2*i+1]<<1 | - shr \$63,$A0[1] - or $A0[0],$S[3] # | t[2*i]>>63 - mov 32($tptr,$i,2),$A0[0] # t[2*i+2] # prefetch - mov $A0[1],$shift # shift=t[2*i+1]>>63 - mul %rax # a[i]*a[i] - neg $carry # mov $carry,cf - mov 40($tptr,$i,2),$A0[1] # t[2*i+2+1] # prefetch - adc %rax,$S[2] - mov 16($aptr,$i),%rax # a[i+1] # prefetch - mov $S[2],16($tptr,$i,2) - adc %rdx,$S[3] - mov $S[3],24($tptr,$i,2) - sbb $carry,$carry # mov cf,$carry - add \$32,$i - jnz .Lsqr4x_shift_n_add - - lea ($shift,$A0[0],2),$S[0] # t[2*i]<<1 | shift - shr \$63,$A0[0] - lea ($j,$A0[1],2),$S[1] # t[2*i+1]<<1 | - shr \$63,$A0[1] - or $A0[0],$S[1] # | t[2*i]>>63 - mov -16($tptr),$A0[0] # t[2*i+2] # prefetch - mov $A0[1],$shift # shift=t[2*i+1]>>63 - mul %rax # a[i]*a[i] - neg $carry # mov $carry,cf - mov -8($tptr),$A0[1] # t[2*i+2+1] # prefetch - adc %rax,$S[0] - mov -8($aptr),%rax # a[i+1] # prefetch - mov $S[0],-32($tptr) - adc %rdx,$S[1] - - lea ($shift,$A0[0],2),$S[2] # t[2*i]<<1|shift - mov $S[1],-24($tptr) - sbb $carry,$carry # mov cf,$carry - shr \$63,$A0[0] - lea ($j,$A0[1],2),$S[3] # t[2*i+1]<<1 | - shr \$63,$A0[1] - or $A0[0],$S[3] # | t[2*i]>>63 - mul %rax # a[i]*a[i] - neg $carry # mov $carry,cf - adc %rax,$S[2] - adc %rdx,$S[3] - mov $S[2],-16($tptr) - mov $S[3],-8($tptr) -___ -} -############################################################## -# Montgomery reduction part, "word-by-word" algorithm. -# -{ -my ($topbit,$nptr)=("%rbp",$aptr); -my ($m0,$m1)=($a0,$a1); -my @Ni=("%rbx","%r9"); -$code.=<<___; - mov 40(%rsp),$nptr # restore $nptr - mov 48(%rsp),$n0 # restore *n0 - xor $j,$j - mov $num,0(%rsp) # save $num - sub $num,$j # $j=-$num - mov 64(%rsp),$A0[0] # t[0] # modsched # - mov $n0,$m0 # # modsched # - lea 64(%rsp,$num,2),%rax # end of t[] buffer - lea 64(%rsp,$num),$tptr # end of t[] window - mov %rax,8(%rsp) # save end of t[] buffer - lea ($nptr,$num),$nptr # end of n[] buffer - xor $topbit,$topbit # $topbit=0 - - mov 0($nptr,$j),%rax # n[0] # modsched # - mov 8($nptr,$j),$Ni[1] # n[1] # modsched # - imulq $A0[0],$m0 # m0=t[0]*n0 # modsched # - mov %rax,$Ni[0] # # modsched # - jmp .Lsqr4x_mont_outer - -.align 16 -.Lsqr4x_mont_outer: - xor $A0[1],$A0[1] - mul $m0 # n[0]*m0 - add %rax,$A0[0] # n[0]*m0+t[0] - mov $Ni[1],%rax - adc %rdx,$A0[1] - mov $n0,$m1 - - xor $A0[0],$A0[0] - add 8($tptr,$j),$A0[1] - adc \$0,$A0[0] - mul $m0 # n[1]*m0 - add %rax,$A0[1] # n[1]*m0+t[1] - mov $Ni[0],%rax - adc %rdx,$A0[0] - - imulq $A0[1],$m1 - - mov 16($nptr,$j),$Ni[0] # n[2] - xor $A1[1],$A1[1] - add $A0[1],$A1[0] - adc \$0,$A1[1] - mul $m1 # n[0]*m1 - add %rax,$A1[0] # n[0]*m1+"t[1]" - mov $Ni[0],%rax - adc %rdx,$A1[1] - mov $A1[0],8($tptr,$j) # "t[1]" - - xor $A0[1],$A0[1] - add 16($tptr,$j),$A0[0] - adc \$0,$A0[1] - mul $m0 # n[2]*m0 - add %rax,$A0[0] # n[2]*m0+t[2] - mov $Ni[1],%rax - adc %rdx,$A0[1] - - mov 24($nptr,$j),$Ni[1] # n[3] - xor $A1[0],$A1[0] - add $A0[0],$A1[1] - adc \$0,$A1[0] - mul $m1 # n[1]*m1 - add %rax,$A1[1] # n[1]*m1+"t[2]" - mov $Ni[1],%rax - adc %rdx,$A1[0] - mov $A1[1],16($tptr,$j) # "t[2]" - - xor $A0[0],$A0[0] - add 24($tptr,$j),$A0[1] - lea 32($j),$j - adc \$0,$A0[0] - mul $m0 # n[3]*m0 - add %rax,$A0[1] # n[3]*m0+t[3] - mov $Ni[0],%rax - adc %rdx,$A0[0] - jmp .Lsqr4x_mont_inner - -.align 16 -.Lsqr4x_mont_inner: - mov ($nptr,$j),$Ni[0] # n[4] - xor $A1[1],$A1[1] - add $A0[1],$A1[0] - adc \$0,$A1[1] - mul $m1 # n[2]*m1 - add %rax,$A1[0] # n[2]*m1+"t[3]" - mov $Ni[0],%rax - adc %rdx,$A1[1] - mov $A1[0],-8($tptr,$j) # "t[3]" - - xor $A0[1],$A0[1] - add ($tptr,$j),$A0[0] - adc \$0,$A0[1] - mul $m0 # n[4]*m0 - add %rax,$A0[0] # n[4]*m0+t[4] - mov $Ni[1],%rax - adc %rdx,$A0[1] - - mov 8($nptr,$j),$Ni[1] # n[5] - xor $A1[0],$A1[0] - add $A0[0],$A1[1] - adc \$0,$A1[0] - mul $m1 # n[3]*m1 - add %rax,$A1[1] # n[3]*m1+"t[4]" - mov $Ni[1],%rax - adc %rdx,$A1[0] - mov $A1[1],($tptr,$j) # "t[4]" - - xor $A0[0],$A0[0] - add 8($tptr,$j),$A0[1] - adc \$0,$A0[0] - mul $m0 # n[5]*m0 - add %rax,$A0[1] # n[5]*m0+t[5] - mov $Ni[0],%rax - adc %rdx,$A0[0] - - - mov 16($nptr,$j),$Ni[0] # n[6] - xor $A1[1],$A1[1] - add $A0[1],$A1[0] - adc \$0,$A1[1] - mul $m1 # n[4]*m1 - add %rax,$A1[0] # n[4]*m1+"t[5]" - mov $Ni[0],%rax - adc %rdx,$A1[1] - mov $A1[0],8($tptr,$j) # "t[5]" - - xor $A0[1],$A0[1] - add 16($tptr,$j),$A0[0] - adc \$0,$A0[1] - mul $m0 # n[6]*m0 - add %rax,$A0[0] # n[6]*m0+t[6] - mov $Ni[1],%rax - adc %rdx,$A0[1] - - mov 24($nptr,$j),$Ni[1] # n[7] - xor $A1[0],$A1[0] - add $A0[0],$A1[1] - adc \$0,$A1[0] - mul $m1 # n[5]*m1 - add %rax,$A1[1] # n[5]*m1+"t[6]" - mov $Ni[1],%rax - adc %rdx,$A1[0] - mov $A1[1],16($tptr,$j) # "t[6]" - - xor $A0[0],$A0[0] - add 24($tptr,$j),$A0[1] - lea 32($j),$j - adc \$0,$A0[0] - mul $m0 # n[7]*m0 - add %rax,$A0[1] # n[7]*m0+t[7] - mov $Ni[0],%rax - adc %rdx,$A0[0] - cmp \$0,$j - jne .Lsqr4x_mont_inner - - sub 0(%rsp),$j # $j=-$num # modsched # - mov $n0,$m0 # # modsched # - - xor $A1[1],$A1[1] - add $A0[1],$A1[0] - adc \$0,$A1[1] - mul $m1 # n[6]*m1 - add %rax,$A1[0] # n[6]*m1+"t[7]" - mov $Ni[1],%rax - adc %rdx,$A1[1] - mov $A1[0],-8($tptr) # "t[7]" - - xor $A0[1],$A0[1] - add ($tptr),$A0[0] # +t[8] - adc \$0,$A0[1] - mov 0($nptr,$j),$Ni[0] # n[0] # modsched # - add $topbit,$A0[0] - adc \$0,$A0[1] - - imulq 16($tptr,$j),$m0 # m0=t[0]*n0 # modsched # - xor $A1[0],$A1[0] - mov 8($nptr,$j),$Ni[1] # n[1] # modsched # - add $A0[0],$A1[1] - mov 16($tptr,$j),$A0[0] # t[0] # modsched # - adc \$0,$A1[0] - mul $m1 # n[7]*m1 - add %rax,$A1[1] # n[7]*m1+"t[8]" - mov $Ni[0],%rax # # modsched # - adc %rdx,$A1[0] - mov $A1[1],($tptr) # "t[8]" - - xor $topbit,$topbit - add 8($tptr),$A1[0] # +t[9] - adc $topbit,$topbit - add $A0[1],$A1[0] - lea 16($tptr),$tptr # "t[$num]>>128" - adc \$0,$topbit - mov $A1[0],-8($tptr) # "t[9]" - cmp 8(%rsp),$tptr # are we done? - jb .Lsqr4x_mont_outer - - mov 0(%rsp),$num # restore $num - mov $topbit,($tptr) # save $topbit -___ -} -############################################################## -# Post-condition, 4x unrolled copy from bn_mul_mont -# -{ -my ($tptr,$nptr)=("%rbx",$aptr); -my @ri=("%rax","%rdx","%r10","%r11"); -$code.=<<___; - mov 64(%rsp,$num),@ri[0] # tp[0] - lea 64(%rsp,$num),$tptr # upper half of t[2*$num] holds result - mov 40(%rsp),$nptr # restore $nptr - shr \$5,$num # num/4 - mov 8($tptr),@ri[1] # t[1] - xor $i,$i # i=0 and clear CF! - - mov 32(%rsp),$rptr # restore $rptr - sub 0($nptr),@ri[0] - mov 16($tptr),@ri[2] # t[2] - mov 24($tptr),@ri[3] # t[3] - sbb 8($nptr),@ri[1] - lea -1($num),$j # j=num/4-1 - jmp .Lsqr4x_sub -.align 16 -.Lsqr4x_sub: - mov @ri[0],0($rptr,$i,8) # rp[i]=tp[i]-np[i] - mov @ri[1],8($rptr,$i,8) # rp[i]=tp[i]-np[i] - sbb 16($nptr,$i,8),@ri[2] - mov 32($tptr,$i,8),@ri[0] # tp[i+1] - mov 40($tptr,$i,8),@ri[1] - sbb 24($nptr,$i,8),@ri[3] - mov @ri[2],16($rptr,$i,8) # rp[i]=tp[i]-np[i] - mov @ri[3],24($rptr,$i,8) # rp[i]=tp[i]-np[i] - sbb 32($nptr,$i,8),@ri[0] - mov 48($tptr,$i,8),@ri[2] - mov 56($tptr,$i,8),@ri[3] - sbb 40($nptr,$i,8),@ri[1] - lea 4($i),$i # i++ - dec $j # doesn't affect CF! - jnz .Lsqr4x_sub - - mov @ri[0],0($rptr,$i,8) # rp[i]=tp[i]-np[i] - mov 32($tptr,$i,8),@ri[0] # load overflow bit - sbb 16($nptr,$i,8),@ri[2] - mov @ri[1],8($rptr,$i,8) # rp[i]=tp[i]-np[i] - sbb 24($nptr,$i,8),@ri[3] - mov @ri[2],16($rptr,$i,8) # rp[i]=tp[i]-np[i] - - sbb \$0,@ri[0] # handle upmost overflow bit - mov @ri[3],24($rptr,$i,8) # rp[i]=tp[i]-np[i] - xor $i,$i # i=0 - and @ri[0],$tptr - not @ri[0] - mov $rptr,$nptr - and @ri[0],$nptr - lea -1($num),$j - or $nptr,$tptr # tp=borrow?tp:rp - - pxor %xmm0,%xmm0 - lea 64(%rsp,$num,8),$nptr - movdqu ($tptr),%xmm1 - lea ($nptr,$num,8),$nptr - movdqa %xmm0,64(%rsp) # zap lower half of temporary vector - movdqa %xmm0,($nptr) # zap upper half of temporary vector - movdqu %xmm1,($rptr) - jmp .Lsqr4x_copy -.align 16 -.Lsqr4x_copy: # copy or in-place refresh - movdqu 16($tptr,$i),%xmm2 - movdqu 32($tptr,$i),%xmm1 - movdqa %xmm0,80(%rsp,$i) # zap lower half of temporary vector - movdqa %xmm0,96(%rsp,$i) # zap lower half of temporary vector - movdqa %xmm0,16($nptr,$i) # zap upper half of temporary vector - movdqa %xmm0,32($nptr,$i) # zap upper half of temporary vector - movdqu %xmm2,16($rptr,$i) - movdqu %xmm1,32($rptr,$i) - lea 32($i),$i - dec $j - jnz .Lsqr4x_copy - - movdqu 16($tptr,$i),%xmm2 - movdqa %xmm0,80(%rsp,$i) # zap lower half of temporary vector - movdqa %xmm0,16($nptr,$i) # zap upper half of temporary vector - movdqu %xmm2,16($rptr,$i) -___ -} -$code.=<<___; - mov 56(%rsp),%rsi # restore %rsp - mov \$1,%rax - mov 0(%rsi),%r15 - mov 8(%rsi),%r14 - mov 16(%rsi),%r13 - mov 24(%rsi),%r12 - mov 32(%rsi),%rbp - mov 40(%rsi),%rbx - lea 48(%rsi),%rsp -.Lsqr4x_epilogue: - ret -.size bn_sqr4x_mont,.-bn_sqr4x_mont -___ -}}} - -print $code; -close STDOUT; diff --git a/src/lib/libcrypto/bn/asm/x86_64-mont5.pl b/src/lib/libcrypto/bn/asm/x86_64-mont5.pl deleted file mode 100755 index 38751ec5de..0000000000 --- a/src/lib/libcrypto/bn/asm/x86_64-mont5.pl +++ /dev/null @@ -1,1192 +0,0 @@ -#!/usr/bin/env perl - -# ==================================================================== -# Written by Andy Polyakov for the OpenSSL -# project. The module is, however, dual licensed under OpenSSL and -# CRYPTOGAMS licenses depending on where you obtain it. For further -# details see http://www.openssl.org/~appro/cryptogams/. -# ==================================================================== - -# August 2011. -# -# Companion to x86_64-mont.pl that optimizes cache-timing attack -# countermeasures. The subroutines are produced by replacing bp[i] -# references in their x86_64-mont.pl counterparts with cache-neutral -# references to powers table computed in BN_mod_exp_mont_consttime. -# In addition subroutine that scatters elements of the powers table -# is implemented, so that scatter-/gathering can be tuned without -# bn_exp.c modifications. - -$flavour = shift; -$output = shift; -if ($flavour =~ /\./) { $output = $flavour; undef $flavour; } - -$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/); - -$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or -( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or -die "can't locate x86_64-xlate.pl"; - -open OUT,"| \"$^X\" $xlate $flavour $output"; -*STDOUT=*OUT; - -# int bn_mul_mont_gather5( -$rp="%rdi"; # BN_ULONG *rp, -$ap="%rsi"; # const BN_ULONG *ap, -$bp="%rdx"; # const BN_ULONG *bp, -$np="%rcx"; # const BN_ULONG *np, -$n0="%r8"; # const BN_ULONG *n0, -$num="%r9"; # int num, - # int idx); # 0 to 2^5-1, "index" in $bp holding - # pre-computed powers of a', interlaced - # in such manner that b[0] is $bp[idx], - # b[1] is [2^5+idx], etc. -$lo0="%r10"; -$hi0="%r11"; -$hi1="%r13"; -$i="%r14"; -$j="%r15"; -$m0="%rbx"; -$m1="%rbp"; - -$code=<<___; -.text - -.globl bn_mul_mont_gather5 -.type bn_mul_mont_gather5,\@function,6 -.align 64 -bn_mul_mont_gather5: - _CET_ENDBR - test \$3,${num}d - jnz .Lmul_enter - cmp \$8,${num}d - jb .Lmul_enter - jmp .Lmul4x_enter - -.align 16 -.Lmul_enter: - mov ${num}d,${num}d - movd `($win64?56:8)`(%rsp),%xmm5 # load 7th argument - lea .Linc(%rip),%r10 - push %rbx - push %rbp - push %r12 - push %r13 - push %r14 - push %r15 - -.Lmul_alloca: - mov %rsp,%rax - lea 2($num),%r11 - neg %r11 - lea -264(%rsp,%r11,8),%rsp # tp=alloca(8*(num+2)+256+8) - and \$-1024,%rsp # minimize TLB usage - - mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp -.Lmul_body: - lea 128($bp),%r12 # reassign $bp (+size optimization) -___ - $bp="%r12"; - $STRIDE=2**5*8; # 5 is "window size" - $N=$STRIDE/4; # should match cache line size -$code.=<<___; - movdqa 0(%r10),%xmm0 # 00000001000000010000000000000000 - movdqa 16(%r10),%xmm1 # 00000002000000020000000200000002 - lea 24-112(%rsp,$num,8),%r10# place the mask after tp[num+3] (+ICache optimization) - and \$-16,%r10 - - pshufd \$0,%xmm5,%xmm5 # broadcast index - movdqa %xmm1,%xmm4 - movdqa %xmm1,%xmm2 -___ -######################################################################## -# calculate mask by comparing 0..31 to index and save result to stack -# -$code.=<<___; - paddd %xmm0,%xmm1 - pcmpeqd %xmm5,%xmm0 # compare to 1,0 - .byte 0x67 - movdqa %xmm4,%xmm3 -___ -for($k=0;$k<$STRIDE/16-4;$k+=4) { -$code.=<<___; - paddd %xmm1,%xmm2 - pcmpeqd %xmm5,%xmm1 # compare to 3,2 - movdqa %xmm0,`16*($k+0)+112`(%r10) - movdqa %xmm4,%xmm0 - - paddd %xmm2,%xmm3 - pcmpeqd %xmm5,%xmm2 # compare to 5,4 - movdqa %xmm1,`16*($k+1)+112`(%r10) - movdqa %xmm4,%xmm1 - - paddd %xmm3,%xmm0 - pcmpeqd %xmm5,%xmm3 # compare to 7,6 - movdqa %xmm2,`16*($k+2)+112`(%r10) - movdqa %xmm4,%xmm2 - - paddd %xmm0,%xmm1 - pcmpeqd %xmm5,%xmm0 - movdqa %xmm3,`16*($k+3)+112`(%r10) - movdqa %xmm4,%xmm3 -___ -} -$code.=<<___; # last iteration can be optimized - paddd %xmm1,%xmm2 - pcmpeqd %xmm5,%xmm1 - movdqa %xmm0,`16*($k+0)+112`(%r10) - - paddd %xmm2,%xmm3 - .byte 0x67 - pcmpeqd %xmm5,%xmm2 - movdqa %xmm1,`16*($k+1)+112`(%r10) - - pcmpeqd %xmm5,%xmm3 - movdqa %xmm2,`16*($k+2)+112`(%r10) - pand `16*($k+0)-128`($bp),%xmm0 # while it's still in register - - pand `16*($k+1)-128`($bp),%xmm1 - pand `16*($k+2)-128`($bp),%xmm2 - movdqa %xmm3,`16*($k+3)+112`(%r10) - pand `16*($k+3)-128`($bp),%xmm3 - por %xmm2,%xmm0 - por %xmm3,%xmm1 -___ -for($k=0;$k<$STRIDE/16-4;$k+=4) { -$code.=<<___; - movdqa `16*($k+0)-128`($bp),%xmm4 - movdqa `16*($k+1)-128`($bp),%xmm5 - movdqa `16*($k+2)-128`($bp),%xmm2 - pand `16*($k+0)+112`(%r10),%xmm4 - movdqa `16*($k+3)-128`($bp),%xmm3 - pand `16*($k+1)+112`(%r10),%xmm5 - por %xmm4,%xmm0 - pand `16*($k+2)+112`(%r10),%xmm2 - por %xmm5,%xmm1 - pand `16*($k+3)+112`(%r10),%xmm3 - por %xmm2,%xmm0 - por %xmm3,%xmm1 -___ -} -$code.=<<___; - por %xmm1,%xmm0 - pshufd \$0x4e,%xmm0,%xmm1 - por %xmm1,%xmm0 - lea $STRIDE($bp),$bp - movd %xmm0,$m0 # m0=bp[0] - - mov ($n0),$n0 # pull n0[0] value - mov ($ap),%rax - - xor $i,$i # i=0 - xor $j,$j # j=0 - - mov $n0,$m1 - mulq $m0 # ap[0]*bp[0] - mov %rax,$lo0 - mov ($np),%rax - - imulq $lo0,$m1 # "tp[0]"*n0 - mov %rdx,$hi0 - - mulq $m1 # np[0]*m1 - add %rax,$lo0 # discarded - mov 8($ap),%rax - adc \$0,%rdx - mov %rdx,$hi1 - - lea 1($j),$j # j++ - jmp .L1st_enter - -.align 16 -.L1st: - add %rax,$hi1 - mov ($ap,$j,8),%rax - adc \$0,%rdx - add $hi0,$hi1 # np[j]*m1+ap[j]*bp[0] - mov $lo0,$hi0 - adc \$0,%rdx - mov $hi1,-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$hi1 - -.L1st_enter: - mulq $m0 # ap[j]*bp[0] - add %rax,$hi0 - mov ($np,$j,8),%rax - adc \$0,%rdx - lea 1($j),$j # j++ - mov %rdx,$lo0 - - mulq $m1 # np[j]*m1 - cmp $num,$j - jl .L1st - - add %rax,$hi1 - mov ($ap),%rax # ap[0] - adc \$0,%rdx - add $hi0,$hi1 # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $hi1,-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$hi1 - mov $lo0,$hi0 - - xor %rdx,%rdx - add $hi0,$hi1 - adc \$0,%rdx - mov $hi1,-8(%rsp,$num,8) - mov %rdx,(%rsp,$num,8) # store upmost overflow bit - - lea 1($i),$i # i++ - jmp .Louter -.align 16 -.Louter: - lea 24+128(%rsp,$num,8),%rdx # where 256-byte mask is (+size optimization) - and \$-16,%rdx - pxor %xmm4,%xmm4 - pxor %xmm5,%xmm5 -___ -for($k=0;$k<$STRIDE/16;$k+=4) { -$code.=<<___; - movdqa `16*($k+0)-128`($bp),%xmm0 - movdqa `16*($k+1)-128`($bp),%xmm1 - movdqa `16*($k+2)-128`($bp),%xmm2 - movdqa `16*($k+3)-128`($bp),%xmm3 - pand `16*($k+0)-128`(%rdx),%xmm0 - pand `16*($k+1)-128`(%rdx),%xmm1 - por %xmm0,%xmm4 - pand `16*($k+2)-128`(%rdx),%xmm2 - por %xmm1,%xmm5 - pand `16*($k+3)-128`(%rdx),%xmm3 - por %xmm2,%xmm4 - por %xmm3,%xmm5 -___ -} -$code.=<<___; - por %xmm5,%xmm4 - pshufd \$0x4e,%xmm4,%xmm0 - por %xmm4,%xmm0 - lea $STRIDE($bp),$bp - movd %xmm0,$m0 # m0=bp[i] - - xor $j,$j # j=0 - mov $n0,$m1 - mov (%rsp),$lo0 - - mulq $m0 # ap[0]*bp[i] - add %rax,$lo0 # ap[0]*bp[i]+tp[0] - mov ($np),%rax - adc \$0,%rdx - - imulq $lo0,$m1 # tp[0]*n0 - mov %rdx,$hi0 - - mulq $m1 # np[0]*m1 - add %rax,$lo0 # discarded - mov 8($ap),%rax - adc \$0,%rdx - mov 8(%rsp),$lo0 # tp[1] - mov %rdx,$hi1 - - lea 1($j),$j # j++ - jmp .Linner_enter - -.align 16 -.Linner: - add %rax,$hi1 - mov ($ap,$j,8),%rax - adc \$0,%rdx - add $lo0,$hi1 # np[j]*m1+ap[j]*bp[i]+tp[j] - mov (%rsp,$j,8),$lo0 - adc \$0,%rdx - mov $hi1,-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$hi1 - -.Linner_enter: - mulq $m0 # ap[j]*bp[i] - add %rax,$hi0 - mov ($np,$j,8),%rax - adc \$0,%rdx - add $hi0,$lo0 # ap[j]*bp[i]+tp[j] - mov %rdx,$hi0 - adc \$0,$hi0 - lea 1($j),$j # j++ - - mulq $m1 # np[j]*m1 - cmp $num,$j - jl .Linner - - add %rax,$hi1 - mov ($ap),%rax # ap[0] - adc \$0,%rdx - add $lo0,$hi1 # np[j]*m1+ap[j]*bp[i]+tp[j] - mov (%rsp,$j,8),$lo0 - adc \$0,%rdx - mov $hi1,-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$hi1 - - xor %rdx,%rdx - add $hi0,$hi1 - adc \$0,%rdx - add $lo0,$hi1 # pull upmost overflow bit - adc \$0,%rdx - mov $hi1,-8(%rsp,$num,8) - mov %rdx,(%rsp,$num,8) # store upmost overflow bit - - lea 1($i),$i # i++ - cmp $num,$i - jl .Louter - - xor $i,$i # i=0 and clear CF! - mov (%rsp),%rax # tp[0] - lea (%rsp),$ap # borrow ap for tp - mov $num,$j # j=num - jmp .Lsub -.align 16 -.Lsub: sbb ($np,$i,8),%rax - mov %rax,($rp,$i,8) # rp[i]=tp[i]-np[i] - mov 8($ap,$i,8),%rax # tp[i+1] - lea 1($i),$i # i++ - dec $j # doesnn't affect CF! - jnz .Lsub - - sbb \$0,%rax # handle upmost overflow bit - xor $i,$i - and %rax,$ap - not %rax - mov $rp,$np - and %rax,$np - mov $num,$j # j=num - or $np,$ap # ap=borrow?tp:rp -.align 16 -.Lcopy: # copy or in-place refresh - mov ($ap,$i,8),%rax - mov $i,(%rsp,$i,8) # zap temporary vector - mov %rax,($rp,$i,8) # rp[i]=tp[i] - lea 1($i),$i - sub \$1,$j - jnz .Lcopy - - mov 8(%rsp,$num,8),%rsi # restore %rsp - mov \$1,%rax - - mov (%rsi),%r15 - mov 8(%rsi),%r14 - mov 16(%rsi),%r13 - mov 24(%rsi),%r12 - mov 32(%rsi),%rbp - mov 40(%rsi),%rbx - lea 48(%rsi),%rsp -.Lmul_epilogue: - ret -.size bn_mul_mont_gather5,.-bn_mul_mont_gather5 -___ -{{{ -my @A=("%r10","%r11"); -my @N=("%r13","%rdi"); -$code.=<<___; -.type bn_mul4x_mont_gather5,\@function,6 -.align 16 -bn_mul4x_mont_gather5: - _CET_ENDBR -.Lmul4x_enter: - mov ${num}d,${num}d - movd `($win64?56:8)`(%rsp),%xmm5 # load 7th argument - lea .Linc(%rip),%r10 - push %rbx - push %rbp - push %r12 - push %r13 - push %r14 - push %r15 - -.Lmul4x_alloca: - mov %rsp,%rax - lea 4($num),%r11 - neg %r11 - lea -256(%rsp,%r11,8),%rsp # tp=alloca(8*(num+4)+256) - and \$-1024,%rsp # minimize TLB usage - - mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp -.Lmul4x_body: - mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp - lea 128(%rdx),%r12 # reassign $bp (+size optimization) -___ - $bp="%r12"; - $STRIDE=2**5*8; # 5 is "window size" - $N=$STRIDE/4; # should match cache line size -$code.=<<___; - movdqa 0(%r10),%xmm0 # 00000001000000010000000000000000 - movdqa 16(%r10),%xmm1 # 00000002000000020000000200000002 - lea 32-112(%rsp,$num,8),%r10# place the mask after tp[num+4] (+ICache optimization) - - pshufd \$0,%xmm5,%xmm5 # broadcast index - movdqa %xmm1,%xmm4 - .byte 0x67,0x67 - movdqa %xmm1,%xmm2 -___ -######################################################################## -# calculate mask by comparing 0..31 to index and save result to stack -# -$code.=<<___; - paddd %xmm0,%xmm1 - pcmpeqd %xmm5,%xmm0 # compare to 1,0 - .byte 0x67 - movdqa %xmm4,%xmm3 -___ -for($k=0;$k<$STRIDE/16-4;$k+=4) { -$code.=<<___; - paddd %xmm1,%xmm2 - pcmpeqd %xmm5,%xmm1 # compare to 3,2 - movdqa %xmm0,`16*($k+0)+112`(%r10) - movdqa %xmm4,%xmm0 - - paddd %xmm2,%xmm3 - pcmpeqd %xmm5,%xmm2 # compare to 5,4 - movdqa %xmm1,`16*($k+1)+112`(%r10) - movdqa %xmm4,%xmm1 - - paddd %xmm3,%xmm0 - pcmpeqd %xmm5,%xmm3 # compare to 7,6 - movdqa %xmm2,`16*($k+2)+112`(%r10) - movdqa %xmm4,%xmm2 - - paddd %xmm0,%xmm1 - pcmpeqd %xmm5,%xmm0 - movdqa %xmm3,`16*($k+3)+112`(%r10) - movdqa %xmm4,%xmm3 -___ -} -$code.=<<___; # last iteration can be optimized - paddd %xmm1,%xmm2 - pcmpeqd %xmm5,%xmm1 - movdqa %xmm0,`16*($k+0)+112`(%r10) - - paddd %xmm2,%xmm3 - .byte 0x67 - pcmpeqd %xmm5,%xmm2 - movdqa %xmm1,`16*($k+1)+112`(%r10) - - pcmpeqd %xmm5,%xmm3 - movdqa %xmm2,`16*($k+2)+112`(%r10) - pand `16*($k+0)-128`($bp),%xmm0 # while it's still in register - - pand `16*($k+1)-128`($bp),%xmm1 - pand `16*($k+2)-128`($bp),%xmm2 - movdqa %xmm3,`16*($k+3)+112`(%r10) - pand `16*($k+3)-128`($bp),%xmm3 - por %xmm2,%xmm0 - por %xmm3,%xmm1 -___ -for($k=0;$k<$STRIDE/16-4;$k+=4) { -$code.=<<___; - movdqa `16*($k+0)-128`($bp),%xmm4 - movdqa `16*($k+1)-128`($bp),%xmm5 - movdqa `16*($k+2)-128`($bp),%xmm2 - pand `16*($k+0)+112`(%r10),%xmm4 - movdqa `16*($k+3)-128`($bp),%xmm3 - pand `16*($k+1)+112`(%r10),%xmm5 - por %xmm4,%xmm0 - pand `16*($k+2)+112`(%r10),%xmm2 - por %xmm5,%xmm1 - pand `16*($k+3)+112`(%r10),%xmm3 - por %xmm2,%xmm0 - por %xmm3,%xmm1 -___ -} -$code.=<<___; - por %xmm1,%xmm0 - pshufd \$0x4e,%xmm0,%xmm1 - por %xmm1,%xmm0 - lea $STRIDE($bp),$bp - movd %xmm0,$m0 # m0=bp[0] - - mov ($n0),$n0 # pull n0[0] value - mov ($ap),%rax - - xor $i,$i # i=0 - xor $j,$j # j=0 - - mov $n0,$m1 - mulq $m0 # ap[0]*bp[0] - mov %rax,$A[0] - mov ($np),%rax - - imulq $A[0],$m1 # "tp[0]"*n0 - mov %rdx,$A[1] - - mulq $m1 # np[0]*m1 - add %rax,$A[0] # discarded - mov 8($ap),%rax - adc \$0,%rdx - mov %rdx,$N[1] - - mulq $m0 - add %rax,$A[1] - mov 8($np),%rax - adc \$0,%rdx - mov %rdx,$A[0] - - mulq $m1 - add %rax,$N[1] - mov 16($ap),%rax - adc \$0,%rdx - add $A[1],$N[1] - lea 4($j),$j # j++ - adc \$0,%rdx - mov $N[1],(%rsp) - mov %rdx,$N[0] - jmp .L1st4x -.align 16 -.L1st4x: - mulq $m0 # ap[j]*bp[0] - add %rax,$A[0] - mov -16($np,$j,8),%rax - adc \$0,%rdx - mov %rdx,$A[1] - - mulq $m1 # np[j]*m1 - add %rax,$N[0] - mov -8($ap,$j,8),%rax - adc \$0,%rdx - add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $N[0],-24(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[0] - add %rax,$A[1] - mov -8($np,$j,8),%rax - adc \$0,%rdx - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov ($ap,$j,8),%rax - adc \$0,%rdx - add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $N[1],-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[0] - - mulq $m0 # ap[j]*bp[0] - add %rax,$A[0] - mov ($np,$j,8),%rax - adc \$0,%rdx - mov %rdx,$A[1] - - mulq $m1 # np[j]*m1 - add %rax,$N[0] - mov 8($ap,$j,8),%rax - adc \$0,%rdx - add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $N[0],-8(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[0] - add %rax,$A[1] - mov 8($np,$j,8),%rax - adc \$0,%rdx - lea 4($j),$j # j++ - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov -16($ap,$j,8),%rax - adc \$0,%rdx - add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $N[1],-32(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[0] - cmp $num,$j - jl .L1st4x - - mulq $m0 # ap[j]*bp[0] - add %rax,$A[0] - mov -16($np,$j,8),%rax - adc \$0,%rdx - mov %rdx,$A[1] - - mulq $m1 # np[j]*m1 - add %rax,$N[0] - mov -8($ap,$j,8),%rax - adc \$0,%rdx - add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $N[0],-24(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[0] - add %rax,$A[1] - mov -8($np,$j,8),%rax - adc \$0,%rdx - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov ($ap),%rax # ap[0] - adc \$0,%rdx - add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0] - adc \$0,%rdx - mov $N[1],-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[0] - - xor $N[1],$N[1] - add $A[0],$N[0] - adc \$0,$N[1] - mov $N[0],-8(%rsp,$j,8) - mov $N[1],(%rsp,$j,8) # store upmost overflow bit - - lea 1($i),$i # i++ -.align 4 -.Louter4x: - lea 32+128(%rsp,$num,8),%rdx # where 256-byte mask is (+size optimization) - pxor %xmm4,%xmm4 - pxor %xmm5,%xmm5 -___ -for($k=0;$k<$STRIDE/16;$k+=4) { -$code.=<<___; - movdqa `16*($k+0)-128`($bp),%xmm0 - movdqa `16*($k+1)-128`($bp),%xmm1 - movdqa `16*($k+2)-128`($bp),%xmm2 - movdqa `16*($k+3)-128`($bp),%xmm3 - pand `16*($k+0)-128`(%rdx),%xmm0 - pand `16*($k+1)-128`(%rdx),%xmm1 - por %xmm0,%xmm4 - pand `16*($k+2)-128`(%rdx),%xmm2 - por %xmm1,%xmm5 - pand `16*($k+3)-128`(%rdx),%xmm3 - por %xmm2,%xmm4 - por %xmm3,%xmm5 -___ -} -$code.=<<___; - por %xmm5,%xmm4 - pshufd \$0x4e,%xmm4,%xmm0 - por %xmm4,%xmm0 - lea $STRIDE($bp),$bp - movd %xmm0,$m0 # m0=bp[i] - - xor $j,$j # j=0 - - mov (%rsp),$A[0] - mov $n0,$m1 - mulq $m0 # ap[0]*bp[i] - add %rax,$A[0] # ap[0]*bp[i]+tp[0] - mov ($np),%rax - adc \$0,%rdx - - imulq $A[0],$m1 # tp[0]*n0 - mov %rdx,$A[1] - - mulq $m1 # np[0]*m1 - add %rax,$A[0] # "$N[0]", discarded - mov 8($ap),%rax - adc \$0,%rdx - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[i] - add %rax,$A[1] - mov 8($np),%rax - adc \$0,%rdx - add 8(%rsp),$A[1] # +tp[1] - adc \$0,%rdx - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov 16($ap),%rax - adc \$0,%rdx - add $A[1],$N[1] # np[j]*m1+ap[j]*bp[i]+tp[j] - lea 4($j),$j # j+=2 - adc \$0,%rdx - mov %rdx,$N[0] - jmp .Linner4x -.align 16 -.Linner4x: - mulq $m0 # ap[j]*bp[i] - add %rax,$A[0] - mov -16($np,$j,8),%rax - adc \$0,%rdx - add -16(%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j] - adc \$0,%rdx - mov %rdx,$A[1] - - mulq $m1 # np[j]*m1 - add %rax,$N[0] - mov -8($ap,$j,8),%rax - adc \$0,%rdx - add $A[0],$N[0] - adc \$0,%rdx - mov $N[1],-32(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[i] - add %rax,$A[1] - mov -8($np,$j,8),%rax - adc \$0,%rdx - add -8(%rsp,$j,8),$A[1] - adc \$0,%rdx - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov ($ap,$j,8),%rax - adc \$0,%rdx - add $A[1],$N[1] - adc \$0,%rdx - mov $N[0],-24(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[0] - - mulq $m0 # ap[j]*bp[i] - add %rax,$A[0] - mov ($np,$j,8),%rax - adc \$0,%rdx - add (%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j] - adc \$0,%rdx - mov %rdx,$A[1] - - mulq $m1 # np[j]*m1 - add %rax,$N[0] - mov 8($ap,$j,8),%rax - adc \$0,%rdx - add $A[0],$N[0] - adc \$0,%rdx - mov $N[1],-16(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[i] - add %rax,$A[1] - mov 8($np,$j,8),%rax - adc \$0,%rdx - add 8(%rsp,$j,8),$A[1] - adc \$0,%rdx - lea 4($j),$j # j++ - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov -16($ap,$j,8),%rax - adc \$0,%rdx - add $A[1],$N[1] - adc \$0,%rdx - mov $N[0],-40(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[0] - cmp $num,$j - jl .Linner4x - - mulq $m0 # ap[j]*bp[i] - add %rax,$A[0] - mov -16($np,$j,8),%rax - adc \$0,%rdx - add -16(%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j] - adc \$0,%rdx - mov %rdx,$A[1] - - mulq $m1 # np[j]*m1 - add %rax,$N[0] - mov -8($ap,$j,8),%rax - adc \$0,%rdx - add $A[0],$N[0] - adc \$0,%rdx - mov $N[1],-32(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[1] - - mulq $m0 # ap[j]*bp[i] - add %rax,$A[1] - mov -8($np,$j,8),%rax - adc \$0,%rdx - add -8(%rsp,$j,8),$A[1] - adc \$0,%rdx - lea 1($i),$i # i++ - mov %rdx,$A[0] - - mulq $m1 # np[j]*m1 - add %rax,$N[1] - mov ($ap),%rax # ap[0] - adc \$0,%rdx - add $A[1],$N[1] - adc \$0,%rdx - mov $N[0],-24(%rsp,$j,8) # tp[j-1] - mov %rdx,$N[0] - - mov $N[1],-16(%rsp,$j,8) # tp[j-1] - - xor $N[1],$N[1] - add $A[0],$N[0] - adc \$0,$N[1] - add (%rsp,$num,8),$N[0] # pull upmost overflow bit - adc \$0,$N[1] - mov $N[0],-8(%rsp,$j,8) - mov $N[1],(%rsp,$j,8) # store upmost overflow bit - - cmp $num,$i - jl .Louter4x -___ -{ -my @ri=("%rax","%rdx",$m0,$m1); -$code.=<<___; - mov 16(%rsp,$num,8),$rp # restore $rp - mov 0(%rsp),@ri[0] # tp[0] - pxor %xmm0,%xmm0 - mov 8(%rsp),@ri[1] # tp[1] - shr \$2,$num # num/=4 - lea (%rsp),$ap # borrow ap for tp - xor $i,$i # i=0 and clear CF! - - sub 0($np),@ri[0] - mov 16($ap),@ri[2] # tp[2] - mov 24($ap),@ri[3] # tp[3] - sbb 8($np),@ri[1] - lea -1($num),$j # j=num/4-1 - jmp .Lsub4x -.align 16 -.Lsub4x: - mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i] - mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i] - sbb 16($np,$i,8),@ri[2] - mov 32($ap,$i,8),@ri[0] # tp[i+1] - mov 40($ap,$i,8),@ri[1] - sbb 24($np,$i,8),@ri[3] - mov @ri[2],16($rp,$i,8) # rp[i]=tp[i]-np[i] - mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i] - sbb 32($np,$i,8),@ri[0] - mov 48($ap,$i,8),@ri[2] - mov 56($ap,$i,8),@ri[3] - sbb 40($np,$i,8),@ri[1] - lea 4($i),$i # i++ - dec $j # doesnn't affect CF! - jnz .Lsub4x - - mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i] - mov 32($ap,$i,8),@ri[0] # load overflow bit - sbb 16($np,$i,8),@ri[2] - mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i] - sbb 24($np,$i,8),@ri[3] - mov @ri[2],16($rp,$i,8) # rp[i]=tp[i]-np[i] - - sbb \$0,@ri[0] # handle upmost overflow bit - mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i] - xor $i,$i # i=0 - and @ri[0],$ap - not @ri[0] - mov $rp,$np - and @ri[0],$np - lea -1($num),$j - or $np,$ap # ap=borrow?tp:rp - - movdqu ($ap),%xmm1 - movdqa %xmm0,(%rsp) - movdqu %xmm1,($rp) - jmp .Lcopy4x -.align 16 -.Lcopy4x: # copy or in-place refresh - movdqu 16($ap,$i),%xmm2 - movdqu 32($ap,$i),%xmm1 - movdqa %xmm0,16(%rsp,$i) - movdqu %xmm2,16($rp,$i) - movdqa %xmm0,32(%rsp,$i) - movdqu %xmm1,32($rp,$i) - lea 32($i),$i - dec $j - jnz .Lcopy4x - - shl \$2,$num - movdqu 16($ap,$i),%xmm2 - movdqa %xmm0,16(%rsp,$i) - movdqu %xmm2,16($rp,$i) -___ -} -$code.=<<___; - mov 8(%rsp,$num,8),%rsi # restore %rsp - mov \$1,%rax - - mov (%rsi),%r15 - mov 8(%rsi),%r14 - mov 16(%rsi),%r13 - mov 24(%rsi),%r12 - mov 32(%rsi),%rbp - mov 40(%rsi),%rbx - lea 48(%rsi),%rsp -.Lmul4x_epilogue: - ret -.size bn_mul4x_mont_gather5,.-bn_mul4x_mont_gather5 -___ -}}} - -{ -my ($inp,$num,$tbl,$idx)=$win64?("%rcx","%rdx","%r8", "%r9d") : # Win64 order - ("%rdi","%rsi","%rdx","%ecx"); # Unix order -my $out=$inp; -my $STRIDE=2**5*8; -my $N=$STRIDE/4; - -$code.=<<___; -.globl bn_scatter5 -.type bn_scatter5,\@abi-omnipotent -.align 16 -bn_scatter5: - _CET_ENDBR - cmp \$0, $num - jz .Lscatter_epilogue - lea ($tbl,$idx,8),$tbl -.Lscatter: - mov ($inp),%rax - lea 8($inp),$inp - mov %rax,($tbl) - lea 32*8($tbl),$tbl - sub \$1,$num - jnz .Lscatter -.Lscatter_epilogue: - ret -.size bn_scatter5,.-bn_scatter5 - -.globl bn_gather5 -.type bn_gather5,\@abi-omnipotent -.align 16 -bn_gather5: - _CET_ENDBR -.LSEH_begin_bn_gather5: # Win64 thing, but harmless in other cases - # I can't trust assembler to use specific encoding:-( - .byte 0x4c,0x8d,0x14,0x24 # lea (%rsp),%r10 - .byte 0x48,0x81,0xec,0x08,0x01,0x00,0x00 # sub $0x108,%rsp - lea .Linc(%rip),%rax - and \$-16,%rsp # shouldn't be formally required - - movd $idx,%xmm5 - movdqa 0(%rax),%xmm0 # 00000001000000010000000000000000 - movdqa 16(%rax),%xmm1 # 00000002000000020000000200000002 - lea 128($tbl),%r11 # size optimization - lea 128(%rsp),%rax # size optimization - - pshufd \$0,%xmm5,%xmm5 # broadcast $idx - movdqa %xmm1,%xmm4 - movdqa %xmm1,%xmm2 -___ -######################################################################## -# calculate mask by comparing 0..31 to $idx and save result to stack -# -for($i=0;$i<$STRIDE/16;$i+=4) { -$code.=<<___; - paddd %xmm0,%xmm1 - pcmpeqd %xmm5,%xmm0 # compare to 1,0 -___ -$code.=<<___ if ($i); - movdqa %xmm3,`16*($i-1)-128`(%rax) -___ -$code.=<<___; - movdqa %xmm4,%xmm3 - - paddd %xmm1,%xmm2 - pcmpeqd %xmm5,%xmm1 # compare to 3,2 - movdqa %xmm0,`16*($i+0)-128`(%rax) - movdqa %xmm4,%xmm0 - - paddd %xmm2,%xmm3 - pcmpeqd %xmm5,%xmm2 # compare to 5,4 - movdqa %xmm1,`16*($i+1)-128`(%rax) - movdqa %xmm4,%xmm1 - - paddd %xmm3,%xmm0 - pcmpeqd %xmm5,%xmm3 # compare to 7,6 - movdqa %xmm2,`16*($i+2)-128`(%rax) - movdqa %xmm4,%xmm2 -___ -} -$code.=<<___; - movdqa %xmm3,`16*($i-1)-128`(%rax) - jmp .Lgather - -.align 32 -.Lgather: - pxor %xmm4,%xmm4 - pxor %xmm5,%xmm5 -___ -for($i=0;$i<$STRIDE/16;$i+=4) { -$code.=<<___; - movdqa `16*($i+0)-128`(%r11),%xmm0 - movdqa `16*($i+1)-128`(%r11),%xmm1 - movdqa `16*($i+2)-128`(%r11),%xmm2 - pand `16*($i+0)-128`(%rax),%xmm0 - movdqa `16*($i+3)-128`(%r11),%xmm3 - pand `16*($i+1)-128`(%rax),%xmm1 - por %xmm0,%xmm4 - pand `16*($i+2)-128`(%rax),%xmm2 - por %xmm1,%xmm5 - pand `16*($i+3)-128`(%rax),%xmm3 - por %xmm2,%xmm4 - por %xmm3,%xmm5 -___ -} -$code.=<<___; - por %xmm5,%xmm4 - lea $STRIDE(%r11),%r11 - pshufd \$0x4e,%xmm4,%xmm0 - por %xmm4,%xmm0 - movq %xmm0,($out) # m0=bp[0] - lea 8($out),$out - sub \$1,$num - jnz .Lgather - - lea (%r10),%rsp - ret -.LSEH_end_bn_gather5: -.size bn_gather5,.-bn_gather5 -___ -} -$code.=<<___; -.section .rodata -.align 64 -.Linc: - .long 0,0, 1,1 - .long 2,2, 2,2 -.text -___ - -# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame, -# CONTEXT *context,DISPATCHER_CONTEXT *disp) -if ($win64) { -$rec="%rcx"; -$frame="%rdx"; -$context="%r8"; -$disp="%r9"; - -$code.=<<___; -.extern __imp_RtlVirtualUnwind -.type mul_handler,\@abi-omnipotent -.align 16 -mul_handler: - _CET_ENDBR - push %rsi - push %rdi - push %rbx - push %rbp - push %r12 - push %r13 - push %r14 - push %r15 - pushfq - sub \$64,%rsp - - mov 120($context),%rax # pull context->Rax - mov 248($context),%rbx # pull context->Rip - - mov 8($disp),%rsi # disp->ImageBase - mov 56($disp),%r11 # disp->HandlerData - - mov 0(%r11),%r10d # HandlerData[0] - lea (%rsi,%r10),%r10 # end of prologue label - cmp %r10,%rbx # context->RipRipRsp - - mov 8(%r11),%r10d # HandlerData[2] - lea (%rsi,%r10),%r10 # epilogue label - cmp %r10,%rbx # context->Rip>=epilogue label - jae .Lcommon_seh_tail - - mov 192($context),%r10 # pull $num - mov 8(%rax,%r10,8),%rax # pull saved stack pointer - - lea 48(%rax),%rax - - mov -8(%rax),%rbx - mov -16(%rax),%rbp - mov -24(%rax),%r12 - mov -32(%rax),%r13 - mov -40(%rax),%r14 - mov -48(%rax),%r15 - mov %rbx,144($context) # restore context->Rbx - mov %rbp,160($context) # restore context->Rbp - mov %r12,216($context) # restore context->R12 - mov %r13,224($context) # restore context->R13 - mov %r14,232($context) # restore context->R14 - mov %r15,240($context) # restore context->R15 - -.Lcommon_seh_tail: - mov 8(%rax),%rdi - mov 16(%rax),%rsi - mov %rax,152($context) # restore context->Rsp - mov %rsi,168($context) # restore context->Rsi - mov %rdi,176($context) # restore context->Rdi - - mov 40($disp),%rdi # disp->ContextRecord - mov $context,%rsi # context - mov \$154,%ecx # sizeof(CONTEXT) - .long 0xa548f3fc # cld; rep movsq - - mov $disp,%rsi - xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER - mov 8(%rsi),%rdx # arg2, disp->ImageBase - mov 0(%rsi),%r8 # arg3, disp->ControlPc - mov 16(%rsi),%r9 # arg4, disp->FunctionEntry - mov 40(%rsi),%r10 # disp->ContextRecord - lea 56(%rsi),%r11 # &disp->HandlerData - lea 24(%rsi),%r12 # &disp->EstablisherFrame - mov %r10,32(%rsp) # arg5 - mov %r11,40(%rsp) # arg6 - mov %r12,48(%rsp) # arg7 - mov %rcx,56(%rsp) # arg8, (NULL) - call *__imp_RtlVirtualUnwind(%rip) - - mov \$1,%eax # ExceptionContinueSearch - add \$64,%rsp - popfq - pop %r15 - pop %r14 - pop %r13 - pop %r12 - pop %rbp - pop %rbx - pop %rdi - pop %rsi - ret -.size mul_handler,.-mul_handler - -.section .pdata -.align 4 - .rva .LSEH_begin_bn_mul_mont_gather5 - .rva .LSEH_end_bn_mul_mont_gather5 - .rva .LSEH_info_bn_mul_mont_gather5 - - .rva .LSEH_begin_bn_mul4x_mont_gather5 - .rva .LSEH_end_bn_mul4x_mont_gather5 - .rva .LSEH_info_bn_mul4x_mont_gather5 - - .rva .LSEH_begin_bn_gather5 - .rva .LSEH_end_bn_gather5 - .rva .LSEH_info_bn_gather5 - -.section .xdata -.align 8 -.LSEH_info_bn_mul_mont_gather5: - .byte 9,0,0,0 - .rva mul_handler - .rva .Lmul_alloca,.Lmul_body,.Lmul_epilogue # HandlerData[] -.align 8 -.LSEH_info_bn_mul4x_mont_gather5: - .byte 9,0,0,0 - .rva mul_handler - .rva .Lmul4x_alloca,.Lmul4x_body,.Lmul4x_epilogue # HandlerData[] -.align 8 -.LSEH_info_bn_gather5: - .byte 0x01,0x0b,0x03,0x0a - .byte 0x0b,0x01,0x21,0x00 # sub rsp,0x108 - .byte 0x04,0xa3,0x00,0x00 # lea r10,(rsp), set_frame r10 -.align 8 -___ -} - -$code =~ s/\`([^\`]*)\`/eval($1)/gem; - -print $code; -close STDOUT; diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h deleted file mode 100644 index 7c3c0b142f..0000000000 --- a/src/lib/libcrypto/bn/bn.h +++ /dev/null @@ -1,520 +0,0 @@ -/* $OpenBSD: bn.h,v 1.80 2025/03/09 15:22:40 tb Exp $ */ -/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the Eric Young open source - * license provided above. - * - * The binary polynomial arithmetic software is originally written by - * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. - * - */ - -#ifndef HEADER_BN_H -#define HEADER_BN_H - -#include -#include - -#include - -#include -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/* This next option uses the C libraries (2 word)/(1 word) function. - * If it is not defined, I use my C version (which is slower). - * The reason for this flag is that when the particular C compiler - * library routine is used, and the library is linked with a different - * compiler, the library is missing. This mostly happens when the - * library is built with gcc and then linked using normal cc. This would - * be a common occurrence because gcc normally produces code that is - * 2 times faster than system compilers for the big number stuff. - * For machines with only one compiler (or shared libraries), this should - * be on. Again this in only really a problem on machines - * using "long long's", are 32bit, and are not using my assembler code. */ -/* #define BN_DIV2W */ - -#ifdef _LP64 -#undef BN_LLONG -#define BN_ULONG unsigned long -#define BN_LONG long -#define BN_BITS 128 -#define BN_BYTES 8 -#define BN_BITS2 64 -#define BN_BITS4 32 -#define BN_MASK2 (0xffffffffffffffffL) -#define BN_MASK2l (0xffffffffL) -#define BN_MASK2h (0xffffffff00000000L) -#define BN_MASK2h1 (0xffffffff80000000L) -#define BN_TBIT (0x8000000000000000L) -#define BN_DEC_CONV (10000000000000000000UL) -#define BN_DEC_FMT1 "%lu" -#define BN_DEC_FMT2 "%019lu" -#define BN_DEC_NUM 19 -#define BN_HEX_FMT1 "%lX" -#define BN_HEX_FMT2 "%016lX" -#else -#define BN_ULLONG unsigned long long -#define BN_LLONG -#define BN_ULONG unsigned int -#define BN_LONG int -#define BN_BITS 64 -#define BN_BYTES 4 -#define BN_BITS2 32 -#define BN_BITS4 16 -#define BN_MASK (0xffffffffffffffffLL) -#define BN_MASK2 (0xffffffffL) -#define BN_MASK2l (0xffff) -#define BN_MASK2h1 (0xffff8000L) -#define BN_MASK2h (0xffff0000L) -#define BN_TBIT (0x80000000L) -#define BN_DEC_CONV (1000000000L) -#define BN_DEC_FMT1 "%u" -#define BN_DEC_FMT2 "%09u" -#define BN_DEC_NUM 9 -#define BN_HEX_FMT1 "%X" -#define BN_HEX_FMT2 "%08X" -#endif - -#define BN_FLG_MALLOCED 0x01 -#define BN_FLG_STATIC_DATA 0x02 -#define BN_FLG_CONSTTIME 0x04 /* avoid leaking exponent information through timing, - * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime, - * BN_div() will call BN_div_no_branch, - * BN_mod_inverse() will call BN_mod_inverse_no_branch. - */ - -void BN_set_flags(BIGNUM *b, int n); -int BN_get_flags(const BIGNUM *b, int n); -void BN_with_flags(BIGNUM *dest, const BIGNUM *src, int flags); - -/* Values for |top| in BN_rand() */ -#define BN_RAND_TOP_ANY -1 -#define BN_RAND_TOP_ONE 0 -#define BN_RAND_TOP_TWO 1 - -/* Values for |bottom| in BN_rand() */ -#define BN_RAND_BOTTOM_ANY 0 -#define BN_RAND_BOTTOM_ODD 1 - -BN_GENCB *BN_GENCB_new(void); -void BN_GENCB_free(BN_GENCB *cb); - -/* Wrapper function to make using BN_GENCB easier, */ -int BN_GENCB_call(BN_GENCB *cb, int a, int b); - -/* Populate a BN_GENCB structure with an "old"-style callback */ -void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback)(int, int, void *), - void *cb_arg); - -/* Populate a BN_GENCB structure with a "new"-style callback */ -void BN_GENCB_set(BN_GENCB *gencb, int (*callback)(int, int, BN_GENCB *), - void *cb_arg); - -void *BN_GENCB_get_arg(BN_GENCB *cb); - -#define BN_prime_checks 0 /* default: select number of iterations - based on the size of the number */ - -/* - * BN_prime_checks_for_size() returns the number of Miller-Rabin - * iterations that will be done for checking that a random number - * is probably prime. The error rate for accepting a composite - * number as prime depends on the size of the prime |b|. The error - * rates used are for calculating an RSA key with 2 primes, and so - * the level is what you would expect for a key of double the size - * of the prime. - * - * This table is generated using the algorithm of FIPS PUB 186-4 - * Digital Signature Standard (DSS), section F.1, page 117. - * (https://dx.doi.org/10.6028/NIST.FIPS.186-4) - * - * The following magma script was used to generate the output: - * securitybits:=125; - * k:=1024; - * for t:=1 to 65 do - * for M:=3 to Floor(2*Sqrt(k-1)-1) do - * S:=0; - * // Sum over m - * for m:=3 to M do - * s:=0; - * // Sum over j - * for j:=2 to m do - * s+:=(RealField(32)!2)^-(j+(k-1)/j); - * end for; - * S+:=2^(m-(m-1)*t)*s; - * end for; - * A:=2^(k-2-M*t); - * B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S; - * pkt:=2.00743*Log(2)*k*2^-k*(A+B); - * seclevel:=Floor(-Log(2,pkt)); - * if seclevel ge securitybits then - * printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M; - * break; - * end if; - * end for; - * if seclevel ge securitybits then break; end if; - * end for; - * - * It can be run online at: - * http://magma.maths.usyd.edu.au/calc - * - * And will output: - * k: 1024, security: 129 bits (t: 6, M: 23) - * - * k is the number of bits of the prime, securitybits is the level - * we want to reach. - * - * prime length | RSA key size | # MR tests | security level - * -------------+--------------|------------+--------------- - * (b) >= 6394 | >= 12788 | 3 | 256 bit - * (b) >= 3747 | >= 7494 | 3 | 192 bit - * (b) >= 1345 | >= 2690 | 4 | 128 bit - * (b) >= 1080 | >= 2160 | 5 | 128 bit - * (b) >= 852 | >= 1704 | 5 | 112 bit - * (b) >= 476 | >= 952 | 5 | 80 bit - * (b) >= 400 | >= 800 | 6 | 80 bit - * (b) >= 347 | >= 694 | 7 | 80 bit - * (b) >= 308 | >= 616 | 8 | 80 bit - * (b) >= 55 | >= 110 | 27 | 64 bit - * (b) >= 6 | >= 12 | 34 | 64 bit - */ - -#define BN_prime_checks_for_size(b) ((b) >= 3747 ? 3 : \ - (b) >= 1345 ? 4 : \ - (b) >= 476 ? 5 : \ - (b) >= 400 ? 6 : \ - (b) >= 347 ? 7 : \ - (b) >= 308 ? 8 : \ - (b) >= 55 ? 27 : \ - /* b >= 6 */ 34) - -#define BN_num_bytes(a) ((BN_num_bits(a)+7)/8) - -int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w); -int BN_is_zero(const BIGNUM *a); -int BN_is_one(const BIGNUM *a); -int BN_is_word(const BIGNUM *a, const BN_ULONG w); -int BN_is_odd(const BIGNUM *a); - -void BN_zero(BIGNUM *a); -int BN_one(BIGNUM *a); - -const BIGNUM *BN_value_one(void); -BN_CTX *BN_CTX_new(void); -void BN_CTX_free(BN_CTX *c); -void BN_CTX_start(BN_CTX *ctx); -BIGNUM *BN_CTX_get(BN_CTX *ctx); -void BN_CTX_end(BN_CTX *ctx); -int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); -int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); -int BN_rand_range(BIGNUM *rnd, const BIGNUM *range); -int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range); -int BN_num_bits(const BIGNUM *a); -int BN_num_bits_word(BN_ULONG); -BIGNUM *BN_new(void); -void BN_clear_free(BIGNUM *a); -BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b); -void BN_swap(BIGNUM *a, BIGNUM *b); -BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret); -int BN_bn2bin(const BIGNUM *a, unsigned char *to); -int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen); -BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret); -int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen); -BIGNUM *BN_mpi2bn(const unsigned char *s, int len, BIGNUM *ret); -int BN_bn2mpi(const BIGNUM *a, unsigned char *to); -int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); -void BN_set_negative(BIGNUM *b, int n); - -int BN_is_negative(const BIGNUM *b); - -int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, - BN_CTX *ctx); -#define BN_mod(rem,m,d,ctx) BN_div(NULL,(rem),(m),(d),(ctx)) - -int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx); -int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); -int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m); -int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); -int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m); -int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - const BIGNUM *m, BN_CTX *ctx); -int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); -int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); -int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m); -int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx); -int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m); - -BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w); -BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w); -int BN_mul_word(BIGNUM *a, BN_ULONG w); -int BN_add_word(BIGNUM *a, BN_ULONG w); -int BN_sub_word(BIGNUM *a, BN_ULONG w); -int BN_set_word(BIGNUM *a, BN_ULONG w); -BN_ULONG BN_get_word(const BIGNUM *a); - -int BN_cmp(const BIGNUM *a, const BIGNUM *b); -void BN_free(BIGNUM *a); -int BN_is_bit_set(const BIGNUM *a, int n); -int BN_lshift(BIGNUM *r, const BIGNUM *a, int n); -int BN_lshift1(BIGNUM *r, const BIGNUM *a); -int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); - -int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx); -int BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont); - -int BN_mask_bits(BIGNUM *a, int n); -int BN_print_fp(FILE *fp, const BIGNUM *a); -int BN_print(BIO *fp, const BIGNUM *a); -int BN_rshift(BIGNUM *r, const BIGNUM *a, int n); -int BN_rshift1(BIGNUM *r, const BIGNUM *a); -void BN_clear(BIGNUM *a); -BIGNUM *BN_dup(const BIGNUM *a); -int BN_ucmp(const BIGNUM *a, const BIGNUM *b); -int BN_set_bit(BIGNUM *a, int n); -int BN_clear_bit(BIGNUM *a, int n); -char * BN_bn2hex(const BIGNUM *a); -char * BN_bn2dec(const BIGNUM *a); -int BN_hex2bn(BIGNUM **a, const char *str); -int BN_dec2bn(BIGNUM **a, const char *str); -int BN_asc2bn(BIGNUM **a, const char *str); -int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -int BN_kronecker(const BIGNUM *a,const BIGNUM *b,BN_CTX *ctx); /* returns -2 for error */ -BIGNUM *BN_mod_inverse(BIGNUM *ret, - const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); -BIGNUM *BN_mod_sqrt(BIGNUM *ret, - const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); - -void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords); - -int BN_security_bits(int L, int N); - -int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, - const BIGNUM *rem, BN_GENCB *cb); -int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb); -int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, - int do_trial_division, BN_GENCB *cb); - -BN_MONT_CTX *BN_MONT_CTX_new(void); -int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - BN_MONT_CTX *mont, BN_CTX *ctx); -int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, - BN_CTX *ctx); -int BN_from_montgomery(BIGNUM *r, const BIGNUM *a, - BN_MONT_CTX *mont, BN_CTX *ctx); -void BN_MONT_CTX_free(BN_MONT_CTX *mont); -int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx); -BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, const BN_MONT_CTX *from); -BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, - const BIGNUM *mod, BN_CTX *ctx); - -/* Primes from RFC 2409 */ -BIGNUM *BN_get_rfc2409_prime_768(BIGNUM *bn); -BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM *bn); - -/* Primes from RFC 3526 */ -BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn); -BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn); -BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn); -BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn); -BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn); -BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn); - -void ERR_load_BN_strings(void); - -/* Error codes for the BN functions. */ - -/* Function codes. */ -#define BN_F_BNRAND 127 -#define BN_F_BN_BLINDING_CONVERT_EX 100 -#define BN_F_BN_BLINDING_CREATE_PARAM 128 -#define BN_F_BN_BLINDING_INVERT_EX 101 -#define BN_F_BN_BLINDING_NEW 102 -#define BN_F_BN_BLINDING_UPDATE 103 -#define BN_F_BN_BN2DEC 104 -#define BN_F_BN_BN2HEX 105 -#define BN_F_BN_CTX_GET 116 -#define BN_F_BN_CTX_NEW 106 -#define BN_F_BN_CTX_START 129 -#define BN_F_BN_DIV 107 -#define BN_F_BN_DIV_NO_BRANCH 138 -#define BN_F_BN_DIV_RECP 130 -#define BN_F_BN_EXP 123 -#define BN_F_BN_EXPAND2 108 -#define BN_F_BN_GENERATE_PRIME_EX 140 -#define BN_F_BN_EXPAND_INTERNAL 120 -#define BN_F_BN_GF2M_MOD 131 -#define BN_F_BN_GF2M_MOD_EXP 132 -#define BN_F_BN_GF2M_MOD_MUL 133 -#define BN_F_BN_GF2M_MOD_SOLVE_QUAD 134 -#define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR 135 -#define BN_F_BN_GF2M_MOD_SQR 136 -#define BN_F_BN_GF2M_MOD_SQRT 137 -#define BN_F_BN_MOD_EXP2_MONT 118 -#define BN_F_BN_MOD_EXP_MONT 109 -#define BN_F_BN_MOD_EXP_MONT_CONSTTIME 124 -#define BN_F_BN_MOD_EXP_MONT_WORD 117 -#define BN_F_BN_MOD_EXP_RECP 125 -#define BN_F_BN_MOD_EXP_SIMPLE 126 -#define BN_F_BN_MOD_INVERSE 110 -#define BN_F_BN_MOD_INVERSE_NO_BRANCH 139 -#define BN_F_BN_MOD_LSHIFT_QUICK 119 -#define BN_F_BN_MOD_MUL_RECIPROCAL 111 -#define BN_F_BN_MOD_SQRT 121 -#define BN_F_BN_MPI2BN 112 -#define BN_F_BN_NEW 113 -#define BN_F_BN_RAND 114 -#define BN_F_BN_RAND_RANGE 122 -#define BN_F_BN_USUB 115 - -/* Reason codes. */ -#define BN_R_ARG2_LT_ARG3 100 -#define BN_R_BAD_RECIPROCAL 101 -#define BN_R_BIGNUM_TOO_LONG 114 -#define BN_R_BITS_TOO_SMALL 117 -#define BN_R_CALLED_WITH_EVEN_MODULUS 102 -#define BN_R_DIV_BY_ZERO 103 -#define BN_R_ENCODING_ERROR 104 -#define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105 -#define BN_R_INPUT_NOT_REDUCED 110 -#define BN_R_INVALID_ARGUMENT 118 -#define BN_R_INVALID_LENGTH 106 -#define BN_R_INVALID_RANGE 115 -#define BN_R_NOT_A_SQUARE 111 -#define BN_R_NOT_INITIALIZED 107 -#define BN_R_NO_INVERSE 108 -#define BN_R_NO_SOLUTION 116 -#define BN_R_P_IS_NOT_PRIME 112 -#define BN_R_TOO_MANY_ITERATIONS 113 -#define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109 - -#ifdef __cplusplus -} -#endif -#endif diff --git a/src/lib/libcrypto/bn/bn_add.c b/src/lib/libcrypto/bn/bn_add.c deleted file mode 100644 index 86768a312a..0000000000 --- a/src/lib/libcrypto/bn/bn_add.c +++ /dev/null @@ -1,341 +0,0 @@ -/* $OpenBSD: bn_add.c,v 1.26 2023/07/08 12:21:58 beck Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include -#include -#include - -#include - -#include "bn_arch.h" -#include "bn_local.h" -#include "bn_internal.h" - -/* - * bn_add_words() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b - * are both arrays of words. Any carry resulting from the addition is returned. - */ -#ifndef HAVE_BN_ADD_WORDS -BN_ULONG -bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n) -{ - BN_ULONG carry = 0; - - assert(n >= 0); - if (n <= 0) - return 0; - - while (n & ~3) { - bn_qwaddqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0], - carry, &carry, &r[3], &r[2], &r[1], &r[0]); - a += 4; - b += 4; - r += 4; - n -= 4; - } - while (n) { - bn_addw_addw(a[0], b[0], carry, &carry, &r[0]); - a++; - b++; - r++; - n--; - } - return carry; -} -#endif - -/* - * bn_add() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b are both - * arrays of words (r may be the same as a or b). The length of a and b may - * differ, while r must be at least max(a_len, b_len) in length. Any carry - * resulting from the addition is returned. - */ -#ifndef HAVE_BN_ADD -BN_ULONG -bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b, - int b_len) -{ - int min_len, diff_len; - BN_ULONG carry = 0; - - if ((min_len = a_len) > b_len) - min_len = b_len; - - diff_len = a_len - b_len; - - carry = bn_add_words(r, a, b, min_len); - - a += min_len; - b += min_len; - r += min_len; - - /* XXX - consider doing four at a time to match bn_add_words(). */ - while (diff_len < 0) { - /* Compute r[0] = 0 + b[0] + carry. */ - bn_addw(b[0], carry, &carry, &r[0]); - diff_len++; - b++; - r++; - } - - /* XXX - consider doing four at a time to match bn_add_words(). */ - while (diff_len > 0) { - /* Compute r[0] = a[0] + 0 + carry. */ - bn_addw(a[0], carry, &carry, &r[0]); - diff_len--; - a++; - r++; - } - - return carry; -} -#endif - -/* - * bn_sub_words() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b - * are both arrays of words. Any borrow resulting from the subtraction is - * returned. - */ -#ifndef HAVE_BN_SUB_WORDS -BN_ULONG -bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n) -{ - BN_ULONG borrow = 0; - - assert(n >= 0); - if (n <= 0) - return 0; - - while (n & ~3) { - bn_qwsubqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0], - borrow, &borrow, &r[3], &r[2], &r[1], &r[0]); - a += 4; - b += 4; - r += 4; - n -= 4; - } - while (n) { - bn_subw_subw(a[0], b[0], borrow, &borrow, &r[0]); - a++; - b++; - r++; - n--; - } - return borrow; -} -#endif - -/* - * bn_sub() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b are both - * arrays of words (r may be the same as a or b). The length of a and b may - * differ, while r must be at least max(a_len, b_len) in length. Any borrow - * resulting from the subtraction is returned. - */ -#ifndef HAVE_BN_SUB -BN_ULONG -bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b, - int b_len) -{ - int min_len, diff_len; - BN_ULONG borrow = 0; - - if ((min_len = a_len) > b_len) - min_len = b_len; - - diff_len = a_len - b_len; - - borrow = bn_sub_words(r, a, b, min_len); - - a += min_len; - b += min_len; - r += min_len; - - /* XXX - consider doing four at a time to match bn_sub_words. */ - while (diff_len < 0) { - /* Compute r[0] = 0 - b[0] - borrow. */ - bn_subw(0 - b[0], borrow, &borrow, &r[0]); - diff_len++; - b++; - r++; - } - - /* XXX - consider doing four at a time to match bn_sub_words. */ - while (diff_len > 0) { - /* Compute r[0] = a[0] - 0 - borrow. */ - bn_subw(a[0], borrow, &borrow, &r[0]); - diff_len--; - a++; - r++; - } - - return borrow; -} -#endif - -int -BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) -{ - BN_ULONG carry; - int rn; - - if ((rn = a->top) < b->top) - rn = b->top; - if (rn == INT_MAX) - return 0; - if (!bn_wexpand(r, rn + 1)) - return 0; - - carry = bn_add(r->d, rn, a->d, a->top, b->d, b->top); - r->d[rn] = carry; - - r->top = rn + (carry & 1); - r->neg = 0; - - return 1; -} -LCRYPTO_ALIAS(BN_uadd); - -int -BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) -{ - BN_ULONG borrow; - int rn; - - if (a->top < b->top) { - BNerror(BN_R_ARG2_LT_ARG3); - return 0; - } - rn = a->top; - - if (!bn_wexpand(r, rn)) - return 0; - - borrow = bn_sub(r->d, rn, a->d, a->top, b->d, b->top); - if (borrow > 0) { - BNerror(BN_R_ARG2_LT_ARG3); - return 0; - } - - r->top = rn; - r->neg = 0; - - bn_correct_top(r); - - return 1; -} -LCRYPTO_ALIAS(BN_usub); - -int -BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) -{ - int ret, r_neg; - - if (a->neg == b->neg) { - r_neg = a->neg; - ret = BN_uadd(r, a, b); - } else { - int cmp = BN_ucmp(a, b); - - if (cmp > 0) { - r_neg = a->neg; - ret = BN_usub(r, a, b); - } else if (cmp < 0) { - r_neg = b->neg; - ret = BN_usub(r, b, a); - } else { - r_neg = 0; - BN_zero(r); - ret = 1; - } - } - - BN_set_negative(r, r_neg); - - return ret; -} -LCRYPTO_ALIAS(BN_add); - -int -BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) -{ - int ret, r_neg; - - if (a->neg != b->neg) { - r_neg = a->neg; - ret = BN_uadd(r, a, b); - } else { - int cmp = BN_ucmp(a, b); - - if (cmp > 0) { - r_neg = a->neg; - ret = BN_usub(r, a, b); - } else if (cmp < 0) { - r_neg = !b->neg; - ret = BN_usub(r, b, a); - } else { - r_neg = 0; - BN_zero(r); - ret = 1; - } - } - - BN_set_negative(r, r_neg); - - return ret; -} -LCRYPTO_ALIAS(BN_sub); diff --git a/src/lib/libcrypto/bn/bn_bpsw.c b/src/lib/libcrypto/bn/bn_bpsw.c deleted file mode 100644 index 04db17b527..0000000000 --- a/src/lib/libcrypto/bn/bn_bpsw.c +++ /dev/null @@ -1,531 +0,0 @@ -/* $OpenBSD: bn_bpsw.c,v 1.12 2025/02/13 11:10:01 tb Exp $ */ -/* - * Copyright (c) 2022 Martin Grenouilloux - * Copyright (c) 2022 Theo Buehler - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include "bn_local.h" -#include "bn_prime.h" - -/* - * For an odd n compute a / 2 (mod n). If a is even, we can do a plain - * division, otherwise calculate (a + n) / 2. Then reduce (mod n). - */ - -static int -bn_div_by_two_mod_odd_n(BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) -{ - if (!BN_is_odd(n)) - return 0; - - if (BN_is_odd(a)) { - if (!BN_add(a, a, n)) - return 0; - } - if (!BN_rshift1(a, a)) - return 0; - if (!BN_mod_ct(a, a, n, ctx)) - return 0; - - return 1; -} - -/* - * Given the next binary digit of k and the current Lucas terms U and V, this - * helper computes the next terms in the Lucas sequence defined as follows: - * - * U' = U * V (mod n) - * V' = (V^2 + D * U^2) / 2 (mod n) - * - * If digit == 0, bn_lucas_step() returns U' and V'. If digit == 1, it returns - * - * U'' = (U' + V') / 2 (mod n) - * V'' = (V' + D * U') / 2 (mod n) - * - * Compare with FIPS 186-4, Appendix C.3.3, step 6. - */ - -static int -bn_lucas_step(BIGNUM *U, BIGNUM *V, int digit, const BIGNUM *D, - const BIGNUM *n, BN_CTX *ctx) -{ - BIGNUM *tmp; - int ret = 0; - - BN_CTX_start(ctx); - - if ((tmp = BN_CTX_get(ctx)) == NULL) - goto err; - - /* Calculate D * U^2 before computing U'. */ - if (!BN_sqr(tmp, U, ctx)) - goto err; - if (!BN_mul(tmp, D, tmp, ctx)) - goto err; - - /* U' = U * V (mod n). */ - if (!BN_mod_mul(U, U, V, n, ctx)) - goto err; - - /* V' = (V^2 + D * U^2) / 2 (mod n). */ - if (!BN_sqr(V, V, ctx)) - goto err; - if (!BN_add(V, V, tmp)) - goto err; - if (!bn_div_by_two_mod_odd_n(V, n, ctx)) - goto err; - - if (digit == 1) { - /* Calculate D * U' before computing U''. */ - if (!BN_mul(tmp, D, U, ctx)) - goto err; - - /* U'' = (U' + V') / 2 (mod n). */ - if (!BN_add(U, U, V)) - goto err; - if (!bn_div_by_two_mod_odd_n(U, n, ctx)) - goto err; - - /* V'' = (V' + D * U') / 2 (mod n). */ - if (!BN_add(V, V, tmp)) - goto err; - if (!bn_div_by_two_mod_odd_n(V, n, ctx)) - goto err; - } - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -/* - * Compute the Lucas terms U_k, V_k, see FIPS 186-4, Appendix C.3.3, steps 4-6. - */ - -static int -bn_lucas(BIGNUM *U, BIGNUM *V, const BIGNUM *k, const BIGNUM *D, - const BIGNUM *n, BN_CTX *ctx) -{ - int digit, i; - int ret = 0; - - if (!BN_one(U)) - goto err; - if (!BN_one(V)) - goto err; - - /* - * Iterate over the digits of k from MSB to LSB. Start at digit 2 - * since the first digit is dealt with by setting U = 1 and V = 1. - */ - - for (i = BN_num_bits(k) - 2; i >= 0; i--) { - digit = BN_is_bit_set(k, i); - - if (!bn_lucas_step(U, V, digit, D, n, ctx)) - goto err; - } - - ret = 1; - - err: - return ret; -} - -/* - * This is a stronger variant of the Lucas test in FIPS 186-4, Appendix C.3.3. - * Every strong Lucas pseudoprime n is also a Lucas pseudoprime since - * U_{n+1} == 0 follows from U_k == 0 or V_{k * 2^r} == 0 for 0 <= r < s. - */ - -static int -bn_strong_lucas_test(int *is_pseudoprime, const BIGNUM *n, const BIGNUM *D, - BN_CTX *ctx) -{ - BIGNUM *k, *U, *V; - int r, s; - int ret = 0; - - BN_CTX_start(ctx); - - if ((k = BN_CTX_get(ctx)) == NULL) - goto err; - if ((U = BN_CTX_get(ctx)) == NULL) - goto err; - if ((V = BN_CTX_get(ctx)) == NULL) - goto err; - - /* - * Factorize n + 1 = k * 2^s with odd k: shift away the s trailing ones - * of n and set the lowest bit of the resulting number k. - */ - - s = 0; - while (BN_is_bit_set(n, s)) - s++; - if (!BN_rshift(k, n, s)) - goto err; - if (!BN_set_bit(k, 0)) - goto err; - - /* - * Calculate the Lucas terms U_k and V_k. If either of them is zero, - * then n is a strong Lucas pseudoprime. - */ - - if (!bn_lucas(U, V, k, D, n, ctx)) - goto err; - - if (BN_is_zero(U) || BN_is_zero(V)) { - *is_pseudoprime = 1; - goto done; - } - - /* - * Calculate the Lucas terms U_{k * 2^r}, V_{k * 2^r} for 1 <= r < s. - * If any V_{k * 2^r} is zero then n is a strong Lucas pseudoprime. - */ - - for (r = 1; r < s; r++) { - if (!bn_lucas_step(U, V, 0, D, n, ctx)) - goto err; - - if (BN_is_zero(V)) { - *is_pseudoprime = 1; - goto done; - } - } - - /* - * If we got here, n is definitely composite. - */ - - *is_pseudoprime = 0; - - done: - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -/* - * Test n for primality using the strong Lucas test with Selfridge's Method A. - * Returns 1 if n is prime or a strong Lucas-Selfridge pseudoprime. - * If it returns 0 then n is definitely composite. - */ - -static int -bn_strong_lucas_selfridge(int *is_pseudoprime, const BIGNUM *n, BN_CTX *ctx) -{ - BIGNUM *D, *two; - int is_perfect_square, jacobi_symbol, sign; - int ret = 0; - - BN_CTX_start(ctx); - - /* If n is a perfect square, it is composite. */ - if (!bn_is_perfect_square(&is_perfect_square, n, ctx)) - goto err; - if (is_perfect_square) { - *is_pseudoprime = 0; - goto done; - } - - /* - * Find the first D in the Selfridge sequence 5, -7, 9, -11, 13, ... - * such that the Jacobi symbol (D/n) is -1. - */ - - if ((D = BN_CTX_get(ctx)) == NULL) - goto err; - if ((two = BN_CTX_get(ctx)) == NULL) - goto err; - - sign = 1; - if (!BN_set_word(D, 5)) - goto err; - if (!BN_set_word(two, 2)) - goto err; - - while (1) { - /* For odd n the Kronecker symbol computes the Jacobi symbol. */ - if ((jacobi_symbol = BN_kronecker(D, n, ctx)) == -2) - goto err; - - /* We found the value for D. */ - if (jacobi_symbol == -1) - break; - - /* n and D have prime factors in common. */ - if (jacobi_symbol == 0) { - *is_pseudoprime = 0; - goto done; - } - - sign = -sign; - if (!BN_uadd(D, D, two)) - goto err; - BN_set_negative(D, sign == -1); - } - - if (!bn_strong_lucas_test(is_pseudoprime, n, D, ctx)) - goto err; - - done: - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -/* - * Fermat criterion in Miller-Rabin test. - * - * Check whether 1 < base < n - 1 witnesses that n is composite. For prime n: - * - * * Fermat's little theorem: base^(n-1) = 1 (mod n). - * * The only square roots of 1 (mod n) are 1 and -1. - * - * Calculate base^((n-1)/2) by writing n - 1 = k * 2^s with odd k. Iteratively - * compute power = (base^k)^(2^(s-1)) by successive squaring of base^k. - * - * If power ever reaches -1, base^(n-1) is equal to 1 and n is a pseudoprime - * for base. If power reaches 1 before -1 during successive squaring, we have - * an unexpected square root of 1 and n is composite. Otherwise base^(n-1) != 1, - * and n is composite. - */ - -static int -bn_fermat(int *is_pseudoprime, const BIGNUM *n, const BIGNUM *n_minus_one, - const BIGNUM *k, int s, const BIGNUM *base, BN_CTX *ctx, BN_MONT_CTX *mctx) -{ - BIGNUM *power; - int ret = 0; - int i; - - BN_CTX_start(ctx); - - if ((power = BN_CTX_get(ctx)) == NULL) - goto err; - - /* Sanity check: ensure that 1 < base < n - 1. */ - if (BN_cmp(base, BN_value_one()) <= 0 || BN_cmp(base, n_minus_one) >= 0) - goto err; - - if (!BN_mod_exp_mont_ct(power, base, k, n, ctx, mctx)) - goto err; - - if (BN_is_one(power) || BN_cmp(power, n_minus_one) == 0) { - *is_pseudoprime = 1; - goto done; - } - - /* Loop invariant: power is neither 1 nor -1 (mod n). */ - for (i = 1; i < s; i++) { - if (!BN_mod_sqr(power, power, n, ctx)) - goto err; - - /* n is a pseudoprime for base. */ - if (BN_cmp(power, n_minus_one) == 0) { - *is_pseudoprime = 1; - goto done; - } - - /* n is composite: there's a square root of unity != 1 or -1. */ - if (BN_is_one(power)) { - *is_pseudoprime = 0; - goto done; - } - } - - /* - * If we get here, n is definitely composite: base^(n-1) != 1. - */ - - *is_pseudoprime = 0; - - done: - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -/* - * Miller-Rabin primality test for base 2 and for |rounds| of random bases. - * On success: is_pseudoprime == 0 implies that n is composite. - */ - -static int -bn_miller_rabin(int *is_pseudoprime, const BIGNUM *n, BN_CTX *ctx, - size_t rounds) -{ - BN_MONT_CTX *mctx = NULL; - BIGNUM *base, *k, *n_minus_one; - size_t i; - int s; - int ret = 0; - - BN_CTX_start(ctx); - - if ((base = BN_CTX_get(ctx)) == NULL) - goto err; - if ((k = BN_CTX_get(ctx)) == NULL) - goto err; - if ((n_minus_one = BN_CTX_get(ctx)) == NULL) - goto err; - - if (BN_is_word(n, 2) || BN_is_word(n, 3)) { - *is_pseudoprime = 1; - goto done; - } - - if (BN_cmp(n, BN_value_one()) <= 0 || !BN_is_odd(n)) { - *is_pseudoprime = 0; - goto done; - } - - if (!BN_sub(n_minus_one, n, BN_value_one())) - goto err; - - /* - * Factorize n - 1 = k * 2^s. - */ - - s = 0; - while (!BN_is_bit_set(n_minus_one, s)) - s++; - if (!BN_rshift(k, n_minus_one, s)) - goto err; - - /* - * Montgomery setup for n. - */ - - if ((mctx = BN_MONT_CTX_create(n, ctx)) == NULL) - goto err; - - /* - * Perform a Miller-Rabin test for base 2 as required by BPSW. - */ - - if (!BN_set_word(base, 2)) - goto err; - - if (!bn_fermat(is_pseudoprime, n, n_minus_one, k, s, base, ctx, mctx)) - goto err; - if (!*is_pseudoprime) - goto done; - - /* - * Perform Miller-Rabin tests with random 3 <= base < n - 1 to reduce - * risk of false positives in BPSW. - */ - - for (i = 0; i < rounds; i++) { - if (!bn_rand_interval(base, 3, n_minus_one)) - goto err; - - if (!bn_fermat(is_pseudoprime, n, n_minus_one, k, s, base, ctx, - mctx)) - goto err; - if (!*is_pseudoprime) - goto done; - } - - /* - * If we got here, we have a Miller-Rabin pseudoprime. - */ - - *is_pseudoprime = 1; - - done: - ret = 1; - - err: - BN_MONT_CTX_free(mctx); - BN_CTX_end(ctx); - - return ret; -} - -/* - * The Baillie-Pomerance-Selfridge-Wagstaff algorithm combines a Miller-Rabin - * test for base 2 with a Strong Lucas pseudoprime test. - */ - -int -bn_is_prime_bpsw(int *is_pseudoprime, const BIGNUM *n, BN_CTX *in_ctx, - size_t rounds) -{ - BN_CTX *ctx = NULL; - BN_ULONG mod; - int i; - int ret = 0; - - if (BN_is_word(n, 2)) { - *is_pseudoprime = 1; - goto done; - } - - if (BN_cmp(n, BN_value_one()) <= 0 || !BN_is_odd(n)) { - *is_pseudoprime = 0; - goto done; - } - - /* Trial divisions with the first 2048 primes. */ - for (i = 0; i < NUMPRIMES; i++) { - if ((mod = BN_mod_word(n, primes[i])) == (BN_ULONG)-1) - goto err; - if (mod == 0) { - *is_pseudoprime = BN_is_word(n, primes[i]); - goto done; - } - } - - if ((ctx = in_ctx) == NULL) - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; - - if (!bn_miller_rabin(is_pseudoprime, n, ctx, rounds)) - goto err; - if (!*is_pseudoprime) - goto done; - - if (!bn_strong_lucas_selfridge(is_pseudoprime, n, ctx)) - goto err; - - done: - ret = 1; - - err: - if (ctx != in_ctx) - BN_CTX_free(ctx); - - return ret; -} diff --git a/src/lib/libcrypto/bn/bn_const.c b/src/lib/libcrypto/bn/bn_const.c deleted file mode 100644 index bf684c8a46..0000000000 --- a/src/lib/libcrypto/bn/bn_const.c +++ /dev/null @@ -1,433 +0,0 @@ -/* $OpenBSD: bn_const.c,v 1.8 2023/07/28 10:07:30 tb Exp $ */ -/* Insert boilerplate */ - -#include - -/* - * "First Oakley Default Group" from RFC2409, section 6.1. - * - * The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 } - * - * RFC2409 specifies a generator of 2. - * RFC2412 specifies a generator of of 22. - */ - -static const unsigned char RFC2409_PRIME_768[] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, - 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, - 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, - 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, - 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, - 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, - 0xA6, 0x3A, 0x36, 0x20, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -}; - -BIGNUM * -BN_get_rfc2409_prime_768(BIGNUM *bn) -{ - return BN_bin2bn(RFC2409_PRIME_768, sizeof(RFC2409_PRIME_768), bn); -} -LCRYPTO_ALIAS(BN_get_rfc2409_prime_768); - -/* - * "Second Oakley Default Group" from RFC2409, section 6.2. - * - * The prime is: 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }. - * - * RFC2409 specifies a generator of 2. - * RFC2412 specifies a generator of 22. - */ - -static const unsigned char RFC2409_PRIME_1024[] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, - 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, - 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, - 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, - 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, - 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, - 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, - 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, - 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -}; - -BIGNUM * -BN_get_rfc2409_prime_1024(BIGNUM *bn) -{ - return BN_bin2bn(RFC2409_PRIME_1024, sizeof(RFC2409_PRIME_1024), bn); -} -LCRYPTO_ALIAS(BN_get_rfc2409_prime_1024); - -/* - * "1536-bit MODP Group" from RFC3526, Section 2. - * - * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } - * - * RFC3526 specifies a generator of 2. - * RFC2312 specifies a generator of 22. - */ - -static const unsigned char RFC3526_PRIME_1536[] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, - 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, - 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, - 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, - 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, - 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, - 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, - 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, - 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, - 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, - 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, - 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, - 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, - 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, - 0xCA, 0x23, 0x73, 0x27, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -}; - -BIGNUM * -BN_get_rfc3526_prime_1536(BIGNUM *bn) -{ - return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), bn); -} -LCRYPTO_ALIAS(BN_get_rfc3526_prime_1536); - -/* - * "2048-bit MODP Group" from RFC3526, Section 3. - * - * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } - * - * RFC3526 specifies a generator of 2. - */ - -static const unsigned char RFC3526_PRIME_2048[] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, - 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, - 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, - 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, - 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, - 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, - 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, - 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, - 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, - 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, - 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, - 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, - 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, - 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, - 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, - 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, - 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, - 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C, - 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, - 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, -}; - -BIGNUM * -BN_get_rfc3526_prime_2048(BIGNUM *bn) -{ - return BN_bin2bn(RFC3526_PRIME_2048, sizeof(RFC3526_PRIME_2048), bn); -} -LCRYPTO_ALIAS(BN_get_rfc3526_prime_2048); - -/* - * "3072-bit MODP Group" from RFC3526, Section 4. - * - * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } - * - * RFC3526 specifies a generator of 2. - */ - -static const unsigned char RFC3526_PRIME_3072[] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, - 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, - 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, - 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, - 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, - 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, - 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, - 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, - 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, - 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, - 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, - 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, - 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, - 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, - 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, - 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, - 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, - 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C, - 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, - 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, - 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, - 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57, - 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, - 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, - 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, - 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73, - 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, - 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0, - 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, - 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20, - 0xA9, 0x3A, 0xD2, 0xCA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -}; - -BIGNUM * -BN_get_rfc3526_prime_3072(BIGNUM *bn) -{ - return BN_bin2bn(RFC3526_PRIME_3072, sizeof(RFC3526_PRIME_3072), bn); -} -LCRYPTO_ALIAS(BN_get_rfc3526_prime_3072); - -/* - * "4096-bit MODP Group" from RFC3526, Section 5. - * - * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } - * - * RFC3526 specifies a generator of 2. - */ - -static const unsigned char RFC3526_PRIME_4096[] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, - 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, - 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, - 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, - 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, - 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, - 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, - 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, - 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, - 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, - 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, - 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, - 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, - 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, - 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, - 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, - 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, - 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C, - 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, - 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, - 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, - 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57, - 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, - 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, - 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, - 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73, - 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, - 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0, - 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, - 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20, - 0xA9, 0x21, 0x08, 0x01, 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, - 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, 0x99, 0xC3, 0x27, 0x18, - 0x6A, 0xF4, 0xE2, 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, - 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, 0xDB, 0xBB, 0xC2, 0xDB, - 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, - 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, 0xB2, 0x96, 0x4F, - 0xA0, 0x90, 0xC3, 0xA2, 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, - 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76, - 0x21, 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, - 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, 0xB7, 0xDC, - 0x90, 0xA6, 0xC0, 0x8F, 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -}; - -BIGNUM * -BN_get_rfc3526_prime_4096(BIGNUM *bn) -{ - return BN_bin2bn(RFC3526_PRIME_4096, sizeof(RFC3526_PRIME_4096), bn); -} -LCRYPTO_ALIAS(BN_get_rfc3526_prime_4096); - -/* - * "6144-bit MODP Group" from RFC3526, Section 6. - * - * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } - * - * RFC3526 specifies a generator of 2. - */ - -static const unsigned char RFC3526_PRIME_6144[] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, - 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, - 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, - 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, - 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, - 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, - 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, - 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, - 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, - 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, - 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, - 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, - 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, - 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, - 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, - 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, - 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, - 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C, - 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, - 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, - 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, - 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57, - 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, - 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, - 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, - 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73, - 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, - 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0, - 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, - 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20, - 0xA9, 0x21, 0x08, 0x01, 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, - 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, 0x99, 0xC3, 0x27, 0x18, - 0x6A, 0xF4, 0xE2, 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, - 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, 0xDB, 0xBB, 0xC2, 0xDB, - 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, - 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, 0xB2, 0x96, 0x4F, - 0xA0, 0x90, 0xC3, 0xA2, 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, - 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76, - 0x21, 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, - 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, 0xB7, 0xDC, - 0x90, 0xA6, 0xC0, 0x8F, 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, - 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, 0xC1, 0xD4, 0xDC, 0xB2, - 0x60, 0x26, 0x46, 0xDE, 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, - 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, 0xE5, 0xDB, 0x38, 0x2F, - 0x41, 0x30, 0x01, 0xAE, 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, - 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, 0xDA, 0x3E, 0xDB, 0xEB, - 0xCF, 0x9B, 0x14, 0xED, 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, - 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, 0x33, 0x20, 0x51, 0x51, - 0x2B, 0xD7, 0xAF, 0x42, 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, - 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, 0xF0, 0x32, 0xEA, 0x15, - 0xD1, 0x72, 0x1D, 0x03, 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, - 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, 0xB5, 0xA8, 0x40, 0x31, - 0x90, 0x0B, 0x1C, 0x9E, 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, - 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, 0x0F, 0x1D, 0x45, 0xB7, - 0xFF, 0x58, 0x5A, 0xC5, 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, - 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, 0x14, 0xCC, 0x5E, 0xD2, - 0x0F, 0x80, 0x37, 0xE0, 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, - 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, 0xF5, 0x50, 0xAA, 0x3D, - 0x8A, 0x1F, 0xBF, 0xF0, 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, - 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, 0x38, 0x7F, 0xE8, 0xD7, - 0x6E, 0x3C, 0x04, 0x68, 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, - 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, 0xE6, 0x94, 0xF9, 0x1E, - 0x6D, 0xCC, 0x40, 0x24, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -}; - -BIGNUM * -BN_get_rfc3526_prime_6144(BIGNUM *bn) -{ - return BN_bin2bn(RFC3526_PRIME_6144, sizeof(RFC3526_PRIME_6144), bn); -} -LCRYPTO_ALIAS(BN_get_rfc3526_prime_6144); - -/* - * "8192-bit MODP Group" from RFC3526, Section 7. - * - * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } - * - * RFC3526 specifies a generator of 2. - */ - -static const unsigned char RFC3526_PRIME_8192[] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, - 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, - 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, - 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, - 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, - 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, - 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, - 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, - 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, - 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, - 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, - 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, - 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, - 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, - 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, - 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, - 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, - 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C, - 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, - 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, - 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, - 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57, - 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, - 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, - 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, - 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73, - 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, - 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0, - 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, - 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20, - 0xA9, 0x21, 0x08, 0x01, 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, - 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, 0x99, 0xC3, 0x27, 0x18, - 0x6A, 0xF4, 0xE2, 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, - 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, 0xDB, 0xBB, 0xC2, 0xDB, - 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, - 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, 0xB2, 0x96, 0x4F, - 0xA0, 0x90, 0xC3, 0xA2, 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, - 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76, - 0x21, 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, - 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, 0xB7, 0xDC, - 0x90, 0xA6, 0xC0, 0x8F, 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, - 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, 0xC1, 0xD4, 0xDC, 0xB2, - 0x60, 0x26, 0x46, 0xDE, 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, - 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, 0xE5, 0xDB, 0x38, 0x2F, - 0x41, 0x30, 0x01, 0xAE, 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, - 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, 0xDA, 0x3E, 0xDB, 0xEB, - 0xCF, 0x9B, 0x14, 0xED, 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, - 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, 0x33, 0x20, 0x51, 0x51, - 0x2B, 0xD7, 0xAF, 0x42, 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, - 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, 0xF0, 0x32, 0xEA, 0x15, - 0xD1, 0x72, 0x1D, 0x03, 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, - 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, 0xB5, 0xA8, 0x40, 0x31, - 0x90, 0x0B, 0x1C, 0x9E, 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, - 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, 0x0F, 0x1D, 0x45, 0xB7, - 0xFF, 0x58, 0x5A, 0xC5, 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, - 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, 0x14, 0xCC, 0x5E, 0xD2, - 0x0F, 0x80, 0x37, 0xE0, 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, - 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, 0xF5, 0x50, 0xAA, 0x3D, - 0x8A, 0x1F, 0xBF, 0xF0, 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, - 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, 0x38, 0x7F, 0xE8, 0xD7, - 0x6E, 0x3C, 0x04, 0x68, 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, - 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, 0xE6, 0x94, 0xF9, 0x1E, - 0x6D, 0xBE, 0x11, 0x59, 0x74, 0xA3, 0x92, 0x6F, 0x12, 0xFE, 0xE5, 0xE4, - 0x38, 0x77, 0x7C, 0xB6, 0xA9, 0x32, 0xDF, 0x8C, 0xD8, 0xBE, 0xC4, 0xD0, - 0x73, 0xB9, 0x31, 0xBA, 0x3B, 0xC8, 0x32, 0xB6, 0x8D, 0x9D, 0xD3, 0x00, - 0x74, 0x1F, 0xA7, 0xBF, 0x8A, 0xFC, 0x47, 0xED, 0x25, 0x76, 0xF6, 0x93, - 0x6B, 0xA4, 0x24, 0x66, 0x3A, 0xAB, 0x63, 0x9C, 0x5A, 0xE4, 0xF5, 0x68, - 0x34, 0x23, 0xB4, 0x74, 0x2B, 0xF1, 0xC9, 0x78, 0x23, 0x8F, 0x16, 0xCB, - 0xE3, 0x9D, 0x65, 0x2D, 0xE3, 0xFD, 0xB8, 0xBE, 0xFC, 0x84, 0x8A, 0xD9, - 0x22, 0x22, 0x2E, 0x04, 0xA4, 0x03, 0x7C, 0x07, 0x13, 0xEB, 0x57, 0xA8, - 0x1A, 0x23, 0xF0, 0xC7, 0x34, 0x73, 0xFC, 0x64, 0x6C, 0xEA, 0x30, 0x6B, - 0x4B, 0xCB, 0xC8, 0x86, 0x2F, 0x83, 0x85, 0xDD, 0xFA, 0x9D, 0x4B, 0x7F, - 0xA2, 0xC0, 0x87, 0xE8, 0x79, 0x68, 0x33, 0x03, 0xED, 0x5B, 0xDD, 0x3A, - 0x06, 0x2B, 0x3C, 0xF5, 0xB3, 0xA2, 0x78, 0xA6, 0x6D, 0x2A, 0x13, 0xF8, - 0x3F, 0x44, 0xF8, 0x2D, 0xDF, 0x31, 0x0E, 0xE0, 0x74, 0xAB, 0x6A, 0x36, - 0x45, 0x97, 0xE8, 0x99, 0xA0, 0x25, 0x5D, 0xC1, 0x64, 0xF3, 0x1C, 0xC5, - 0x08, 0x46, 0x85, 0x1D, 0xF9, 0xAB, 0x48, 0x19, 0x5D, 0xED, 0x7E, 0xA1, - 0xB1, 0xD5, 0x10, 0xBD, 0x7E, 0xE7, 0x4D, 0x73, 0xFA, 0xF3, 0x6B, 0xC3, - 0x1E, 0xCF, 0xA2, 0x68, 0x35, 0x90, 0x46, 0xF4, 0xEB, 0x87, 0x9F, 0x92, - 0x40, 0x09, 0x43, 0x8B, 0x48, 0x1C, 0x6C, 0xD7, 0x88, 0x9A, 0x00, 0x2E, - 0xD5, 0xEE, 0x38, 0x2B, 0xC9, 0x19, 0x0D, 0xA6, 0xFC, 0x02, 0x6E, 0x47, - 0x95, 0x58, 0xE4, 0x47, 0x56, 0x77, 0xE9, 0xAA, 0x9E, 0x30, 0x50, 0xE2, - 0x76, 0x56, 0x94, 0xDF, 0xC8, 0x1F, 0x56, 0xE8, 0x80, 0xB9, 0x6E, 0x71, - 0x60, 0xC9, 0x80, 0xDD, 0x98, 0xED, 0xD3, 0xDF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, -}; - -BIGNUM * -BN_get_rfc3526_prime_8192(BIGNUM *bn) -{ - return BN_bin2bn(RFC3526_PRIME_8192, sizeof(RFC3526_PRIME_8192), bn); -} -LCRYPTO_ALIAS(BN_get_rfc3526_prime_8192); diff --git a/src/lib/libcrypto/bn/bn_convert.c b/src/lib/libcrypto/bn/bn_convert.c deleted file mode 100644 index 6a6354f44e..0000000000 --- a/src/lib/libcrypto/bn/bn_convert.c +++ /dev/null @@ -1,757 +0,0 @@ -/* $OpenBSD: bn_convert.c,v 1.23 2024/11/08 14:18:44 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include -#include -#include -#include - -#include - -#include -#include -#include - -#include "bn_local.h" -#include "bytestring.h" -#include "crypto_internal.h" - -static int bn_dec2bn_cbs(BIGNUM **bnp, CBS *cbs); -static int bn_hex2bn_cbs(BIGNUM **bnp, CBS *cbs); - -static const char hex_digits[] = "0123456789ABCDEF"; - -static int -bn_bn2binpad_internal(const BIGNUM *bn, uint8_t *out, int out_len, - int little_endian) -{ - uint8_t mask, v; - BN_ULONG w; - int i, j; - int b, n; - - n = BN_num_bytes(bn); - - if (out_len == -1) - out_len = n; - if (out_len < n) - return -1; - - if (bn->dmax == 0) { - explicit_bzero(out, out_len); - return out_len; - } - - mask = 0; - b = BN_BITS2; - j = 0; - - for (i = out_len - 1; i >= 0; i--) { - if (b == BN_BITS2) { - mask = crypto_ct_lt_mask(j, bn->top); - w = bn->d[j++ % bn->dmax]; - b = 0; - } - out[i] = (w >> b) & mask; - b += 8; - } - - if (little_endian) { - for (i = 0, j = out_len - 1; i < out_len / 2; i++, j--) { - v = out[i]; - out[i] = out[j]; - out[j] = v; - } - } - - return out_len; -} - -int -BN_bn2bin(const BIGNUM *bn, unsigned char *to) -{ - return bn_bn2binpad_internal(bn, to, -1, 0); -} -LCRYPTO_ALIAS(BN_bn2bin); - -int -BN_bn2binpad(const BIGNUM *bn, unsigned char *to, int to_len) -{ - if (to_len < 0) - return -1; - - return bn_bn2binpad_internal(bn, to, to_len, 0); -} -LCRYPTO_ALIAS(BN_bn2binpad); - -static int -bn_bin2bn_cbs(BIGNUM **bnp, CBS *cbs, int lebin) -{ - BIGNUM *bn = NULL; - BN_ULONG w; - uint8_t v; - int b, i; - - if ((bn = *bnp) == NULL) - bn = BN_new(); - if (bn == NULL) - goto err; - if (!bn_expand_bytes(bn, CBS_len(cbs))) - goto err; - - b = 0; - i = 0; - w = 0; - - while (CBS_len(cbs) > 0) { - if (lebin) { - if (!CBS_get_u8(cbs, &v)) - goto err; - } else { - if (!CBS_get_last_u8(cbs, &v)) - goto err; - } - - w |= (BN_ULONG)v << b; - b += 8; - - if (b == BN_BITS2 || CBS_len(cbs) == 0) { - b = 0; - bn->d[i++] = w; - w = 0; - } - } - - bn->neg = 0; - bn->top = i; - - bn_correct_top(bn); - - *bnp = bn; - - return 1; - - err: - if (*bnp == NULL) - BN_free(bn); - - return 0; -} - -BIGNUM * -BN_bin2bn(const unsigned char *d, int len, BIGNUM *bn) -{ - CBS cbs; - - if (len < 0) - return NULL; - - CBS_init(&cbs, d, len); - - if (!bn_bin2bn_cbs(&bn, &cbs, 0)) - return NULL; - - return bn; -} -LCRYPTO_ALIAS(BN_bin2bn); - -int -BN_bn2lebinpad(const BIGNUM *bn, unsigned char *to, int to_len) -{ - if (to_len < 0) - return -1; - - return bn_bn2binpad_internal(bn, to, to_len, 1); -} -LCRYPTO_ALIAS(BN_bn2lebinpad); - -BIGNUM * -BN_lebin2bn(const unsigned char *d, int len, BIGNUM *bn) -{ - CBS cbs; - - if (len < 0) - return NULL; - - CBS_init(&cbs, d, len); - - if (!bn_bin2bn_cbs(&bn, &cbs, 1)) - return NULL; - - return bn; -} -LCRYPTO_ALIAS(BN_lebin2bn); - -int -BN_asc2bn(BIGNUM **bnp, const char *s) -{ - CBS cbs, cbs_hex; - size_t s_len; - uint8_t v; - int neg; - - if (bnp != NULL && *bnp != NULL) - BN_zero(*bnp); - - if (s == NULL) - return 0; - if ((s_len = strlen(s)) == 0) - return 0; - - CBS_init(&cbs, s, s_len); - - /* Handle negative sign. */ - if (!CBS_peek_u8(&cbs, &v)) - return 0; - if ((neg = (v == '-'))) { - if (!CBS_skip(&cbs, 1)) - return 0; - } - - /* Try parsing as hexadecimal with a 0x prefix. */ - CBS_dup(&cbs, &cbs_hex); - if (!CBS_get_u8(&cbs_hex, &v)) - goto decimal; - if (v != '0') - goto decimal; - if (!CBS_get_u8(&cbs_hex, &v)) - goto decimal; - if (v != 'X' && v != 'x') - goto decimal; - if (bn_hex2bn_cbs(bnp, &cbs_hex) == 0) - return 0; - - goto done; - - decimal: - if (bn_dec2bn_cbs(bnp, &cbs) == 0) - return 0; - - done: - if (bnp != NULL && *bnp != NULL) - BN_set_negative(*bnp, neg); - - return 1; -} -LCRYPTO_ALIAS(BN_asc2bn); - -char * -BN_bn2dec(const BIGNUM *bn) -{ - int started = 0; - BIGNUM *tmp = NULL; - uint8_t *data = NULL; - size_t data_len = 0; - uint8_t *s = NULL; - size_t s_len; - BN_ULONG v, w; - uint8_t c; - CBB cbb; - CBS cbs; - int i; - - if (!CBB_init(&cbb, 0)) - goto err; - - if ((tmp = BN_dup(bn)) == NULL) - goto err; - - /* - * Divide the BIGNUM by a large multiple of 10, then break the remainder - * into decimal digits. This produces a reversed string of digits, - * potentially with leading zeroes. - */ - while (!BN_is_zero(tmp)) { - if ((w = BN_div_word(tmp, BN_DEC_CONV)) == -1) - goto err; - for (i = 0; i < BN_DEC_NUM; i++) { - v = w % 10; - if (!CBB_add_u8(&cbb, '0' + v)) - goto err; - w /= 10; - } - } - if (!CBB_finish(&cbb, &data, &data_len)) - goto err; - - if (data_len > SIZE_MAX - 3) - goto err; - if (!CBB_init(&cbb, data_len + 3)) - goto err; - - if (BN_is_negative(bn)) { - if (!CBB_add_u8(&cbb, '-')) - goto err; - } - - /* Reverse digits and trim leading zeroes. */ - CBS_init(&cbs, data, data_len); - while (CBS_len(&cbs) > 0) { - if (!CBS_get_last_u8(&cbs, &c)) - goto err; - if (!started && c == '0') - continue; - if (!CBB_add_u8(&cbb, c)) - goto err; - started = 1; - } - - if (!started) { - if (!CBB_add_u8(&cbb, '0')) - goto err; - } - if (!CBB_add_u8(&cbb, '\0')) - goto err; - if (!CBB_finish(&cbb, &s, &s_len)) - goto err; - - err: - BN_free(tmp); - CBB_cleanup(&cbb); - freezero(data, data_len); - - return s; -} -LCRYPTO_ALIAS(BN_bn2dec); - -static int -bn_dec2bn_cbs(BIGNUM **bnp, CBS *cbs) -{ - CBS cbs_digits; - BIGNUM *bn = NULL; - int d, neg, num; - size_t digits = 0; - BN_ULONG w; - uint8_t v; - - /* Handle negative sign. */ - if (!CBS_peek_u8(cbs, &v)) - goto err; - if ((neg = (v == '-'))) { - if (!CBS_skip(cbs, 1)) - goto err; - } - - /* Scan to find last decimal digit. */ - CBS_dup(cbs, &cbs_digits); - while (CBS_len(&cbs_digits) > 0) { - if (!CBS_get_u8(&cbs_digits, &v)) - goto err; - if (!isdigit(v)) - break; - digits++; - } - if (digits > INT_MAX / 4) - goto err; - - num = digits + neg; - - if (bnp == NULL) - return num; - - if ((bn = *bnp) == NULL) - bn = BN_new(); - if (bn == NULL) - goto err; - if (!bn_expand_bits(bn, digits * 4)) - goto err; - - if ((d = digits % BN_DEC_NUM) == 0) - d = BN_DEC_NUM; - - w = 0; - - /* Work forwards from most significant digit. */ - while (digits-- > 0) { - if (!CBS_get_u8(cbs, &v)) - goto err; - - if (v < '0' || v > '9') - goto err; - - v -= '0'; - w = w * 10 + v; - d--; - - if (d == 0) { - if (!BN_mul_word(bn, BN_DEC_CONV)) - goto err; - if (!BN_add_word(bn, w)) - goto err; - - d = BN_DEC_NUM; - w = 0; - } - } - - bn_correct_top(bn); - - BN_set_negative(bn, neg); - - *bnp = bn; - - return num; - - err: - if (bnp != NULL && *bnp == NULL) - BN_free(bn); - - return 0; -} - -int -BN_dec2bn(BIGNUM **bnp, const char *s) -{ - size_t s_len; - CBS cbs; - - if (bnp != NULL && *bnp != NULL) - BN_zero(*bnp); - - if (s == NULL) - return 0; - if ((s_len = strlen(s)) == 0) - return 0; - - CBS_init(&cbs, s, s_len); - - return bn_dec2bn_cbs(bnp, &cbs); -} -LCRYPTO_ALIAS(BN_dec2bn); - -static int -bn_bn2hex_internal(const BIGNUM *bn, int include_sign, int nibbles_only, - char **out, size_t *out_len) -{ - int started = 0; - uint8_t *s = NULL; - size_t s_len = 0; - BN_ULONG v, w; - int i, j; - CBB cbb; - CBS cbs; - uint8_t nul; - int ret = 0; - - *out = NULL; - *out_len = 0; - - if (!CBB_init(&cbb, 0)) - goto err; - - if (BN_is_negative(bn) && include_sign) { - if (!CBB_add_u8(&cbb, '-')) - goto err; - } - if (BN_is_zero(bn)) { - if (!CBB_add_u8(&cbb, '0')) - goto err; - } - for (i = bn->top - 1; i >= 0; i--) { - w = bn->d[i]; - for (j = BN_BITS2 - 8; j >= 0; j -= 8) { - v = (w >> j) & 0xff; - if (!started && v == 0) - continue; - if (started || !nibbles_only || (v >> 4) != 0) { - if (!CBB_add_u8(&cbb, hex_digits[v >> 4])) - goto err; - } - if (!CBB_add_u8(&cbb, hex_digits[v & 0xf])) - goto err; - started = 1; - } - } - if (!CBB_add_u8(&cbb, '\0')) - goto err; - if (!CBB_finish(&cbb, &s, &s_len)) - goto err; - - /* The length of a C string does not include the terminating NUL. */ - CBS_init(&cbs, s, s_len); - if (!CBS_get_last_u8(&cbs, &nul)) - goto err; - - *out = (char *)CBS_data(&cbs); - *out_len = CBS_len(&cbs); - s = NULL; - s_len = 0; - - ret = 1; - - err: - CBB_cleanup(&cbb); - freezero(s, s_len); - - return ret; -} - -int -bn_bn2hex_nosign(const BIGNUM *bn, char **out, size_t *out_len) -{ - return bn_bn2hex_internal(bn, 0, 0, out, out_len); -} - -int -bn_bn2hex_nibbles(const BIGNUM *bn, char **out, size_t *out_len) -{ - return bn_bn2hex_internal(bn, 1, 1, out, out_len); -} - -char * -BN_bn2hex(const BIGNUM *bn) -{ - char *s; - size_t s_len; - - if (!bn_bn2hex_internal(bn, 1, 0, &s, &s_len)) - return NULL; - - return s; -} -LCRYPTO_ALIAS(BN_bn2hex); - -static int -bn_hex2bn_cbs(BIGNUM **bnp, CBS *cbs) -{ - CBS cbs_digits; - BIGNUM *bn = NULL; - int b, i, neg, num; - size_t digits = 0; - BN_ULONG w; - uint8_t v; - - /* Handle negative sign. */ - if (!CBS_peek_u8(cbs, &v)) - goto err; - if ((neg = (v == '-'))) { - if (!CBS_skip(cbs, 1)) - goto err; - } - - /* Scan to find last hexadecimal digit. */ - CBS_dup(cbs, &cbs_digits); - while (CBS_len(&cbs_digits) > 0) { - if (!CBS_get_u8(&cbs_digits, &v)) - goto err; - if (!isxdigit(v)) - break; - digits++; - } - if (digits > INT_MAX / 4) - goto err; - - num = digits + neg; - - if (bnp == NULL) - return num; - - if ((bn = *bnp) == NULL) - bn = BN_new(); - if (bn == NULL) - goto err; - if (!bn_expand_bits(bn, digits * 4)) - goto err; - - if (!CBS_get_bytes(cbs, cbs, digits)) - goto err; - - b = 0; - i = 0; - w = 0; - - /* Work backwards from least significant digit. */ - while (digits-- > 0) { - if (!CBS_get_last_u8(cbs, &v)) - goto err; - - if (v >= '0' && v <= '9') - v -= '0'; - else if (v >= 'a' && v <= 'f') - v -= 'a' - 10; - else if (v >= 'A' && v <= 'F') - v -= 'A' - 10; - else - goto err; - - w |= (BN_ULONG)v << b; - b += 4; - - if (b == BN_BITS2 || digits == 0) { - b = 0; - bn->d[i++] = w; - w = 0; - } - } - - bn->top = i; - bn_correct_top(bn); - - BN_set_negative(bn, neg); - - *bnp = bn; - - return num; - - err: - if (bnp != NULL && *bnp == NULL) - BN_free(bn); - - return 0; -} - -int -BN_hex2bn(BIGNUM **bnp, const char *s) -{ - size_t s_len; - CBS cbs; - - if (bnp != NULL && *bnp != NULL) - BN_zero(*bnp); - - if (s == NULL) - return 0; - if ((s_len = strlen(s)) == 0) - return 0; - - CBS_init(&cbs, s, s_len); - - return bn_hex2bn_cbs(bnp, &cbs); -} -LCRYPTO_ALIAS(BN_hex2bn); - -int -BN_bn2mpi(const BIGNUM *bn, unsigned char *d) -{ - uint8_t *out_bin; - size_t out_len, out_bin_len; - int bits, bytes; - int extend; - CBB cbb, cbb_bin; - - bits = BN_num_bits(bn); - bytes = (bits + 7) / 8; - extend = (bits != 0) && (bits % 8 == 0); - out_bin_len = extend + bytes; - out_len = 4 + out_bin_len; - - if (d == NULL) - return out_len; - - if (!CBB_init_fixed(&cbb, d, out_len)) - goto err; - if (!CBB_add_u32_length_prefixed(&cbb, &cbb_bin)) - goto err; - if (!CBB_add_space(&cbb_bin, &out_bin, out_bin_len)) - goto err; - if (BN_bn2binpad(bn, out_bin, out_bin_len) != out_bin_len) - goto err; - if (!CBB_finish(&cbb, NULL, NULL)) - goto err; - - if (bn->neg) - d[4] |= 0x80; - - return out_len; - - err: - CBB_cleanup(&cbb); - - return -1; -} -LCRYPTO_ALIAS(BN_bn2mpi); - -BIGNUM * -BN_mpi2bn(const unsigned char *d, int n, BIGNUM *bn_in) -{ - BIGNUM *bn = bn_in; - uint32_t mpi_len; - uint8_t v; - int neg = 0; - CBS cbs; - - if (n < 0) - return NULL; - - CBS_init(&cbs, d, n); - - if (!CBS_get_u32(&cbs, &mpi_len)) { - BNerror(BN_R_INVALID_LENGTH); - return NULL; - } - if (CBS_len(&cbs) != mpi_len) { - BNerror(BN_R_ENCODING_ERROR); - return NULL; - } - if (CBS_len(&cbs) > 0) { - if (!CBS_peek_u8(&cbs, &v)) - return NULL; - neg = (v >> 7) & 1; - } - - if (!bn_bin2bn_cbs(&bn, &cbs, 0)) - return NULL; - - if (neg) - BN_clear_bit(bn, BN_num_bits(bn) - 1); - - BN_set_negative(bn, neg); - - return bn; -} -LCRYPTO_ALIAS(BN_mpi2bn); diff --git a/src/lib/libcrypto/bn/bn_ctx.c b/src/lib/libcrypto/bn/bn_ctx.c deleted file mode 100644 index 129b9c9781..0000000000 --- a/src/lib/libcrypto/bn/bn_ctx.c +++ /dev/null @@ -1,161 +0,0 @@ -/* $OpenBSD: bn_ctx.c,v 1.22 2023/07/08 12:21:58 beck Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include - -#include "bn_local.h" - -#define BN_CTX_INITIAL_LEN 8 - -struct bignum_ctx { - BIGNUM **bignums; - uint8_t *groups; - uint8_t group; - size_t index; - size_t len; - - int error; -}; - -static int -bn_ctx_grow(BN_CTX *bctx) -{ - BIGNUM **bignums = NULL; - uint8_t *groups = NULL; - size_t len; - - if ((len = bctx->len) == 0) { - len = BN_CTX_INITIAL_LEN; - } else { - if (SIZE_MAX - len < len) - return 0; - len *= 2; - } - - if ((bignums = recallocarray(bctx->bignums, bctx->len, len, - sizeof(bctx->bignums[0]))) == NULL) - return 0; - bctx->bignums = bignums; - - if ((groups = reallocarray(bctx->groups, len, - sizeof(bctx->groups[0]))) == NULL) - return 0; - bctx->groups = groups; - - bctx->len = len; - - return 1; -} - -BN_CTX * -BN_CTX_new(void) -{ - return calloc(1, sizeof(struct bignum_ctx)); -} -LCRYPTO_ALIAS(BN_CTX_new); - -void -BN_CTX_free(BN_CTX *bctx) -{ - size_t i; - - if (bctx == NULL) - return; - - for (i = 0; i < bctx->len; i++) { - BN_free(bctx->bignums[i]); - bctx->bignums[i] = NULL; - } - - free(bctx->bignums); - free(bctx->groups); - - freezero(bctx, sizeof(*bctx)); -} -LCRYPTO_ALIAS(BN_CTX_free); - -void -BN_CTX_start(BN_CTX *bctx) -{ - bctx->group++; - - if (bctx->group == 0) { - BNerror(BN_R_TOO_MANY_TEMPORARY_VARIABLES); - bctx->error = 1; - return; - } -} -LCRYPTO_ALIAS(BN_CTX_start); - -BIGNUM * -BN_CTX_get(BN_CTX *bctx) -{ - BIGNUM *bn = NULL; - - if (bctx->error) - return NULL; - - if (bctx->group == 0) { - BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - bctx->error = 1; - return NULL; - } - - if (bctx->index == bctx->len) { - if (!bn_ctx_grow(bctx)) { - BNerror(BN_R_TOO_MANY_TEMPORARY_VARIABLES); - bctx->error = 1; - return NULL; - } - } - - if ((bn = bctx->bignums[bctx->index]) == NULL) { - if ((bn = BN_new()) == NULL) { - BNerror(BN_R_TOO_MANY_TEMPORARY_VARIABLES); - bctx->error = 1; - return NULL; - } - bctx->bignums[bctx->index] = bn; - } - bctx->groups[bctx->index] = bctx->group; - bctx->index++; - - BN_zero(bn); - - return bn; -} -LCRYPTO_ALIAS(BN_CTX_get); - -void -BN_CTX_end(BN_CTX *bctx) -{ - if (bctx == NULL || bctx->error || bctx->group == 0) - return; - - while (bctx->index > 0 && bctx->groups[bctx->index - 1] == bctx->group) { - BN_zero(bctx->bignums[bctx->index - 1]); - bctx->groups[bctx->index - 1] = 0; - bctx->index--; - } - - bctx->group--; -} -LCRYPTO_ALIAS(BN_CTX_end); diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c deleted file mode 100644 index 09a8a364df..0000000000 --- a/src/lib/libcrypto/bn/bn_div.c +++ /dev/null @@ -1,458 +0,0 @@ -/* $OpenBSD: bn_div.c,v 1.41 2024/04/10 14:58:06 beck Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include -#include - -#include - -#include -#include - -#include "bn_arch.h" -#include "bn_local.h" -#include "bn_internal.h" - -BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0); - -#ifndef HAVE_BN_DIV_WORDS -#if defined(BN_LLONG) && defined(BN_DIV2W) - -BN_ULONG -bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) -{ - return ((BN_ULONG)(((((BN_ULLONG)h) << BN_BITS2)|l)/(BN_ULLONG)d)); -} - -#else - -/* Divide h,l by d and return the result. */ -/* I need to test this some more :-( */ -BN_ULONG -bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) -{ - BN_ULONG dh, dl, q,ret = 0, th, tl, t; - int i, count = 2; - - if (d == 0) - return (BN_MASK2); - - i = BN_num_bits_word(d); - assert((i == BN_BITS2) || (h <= (BN_ULONG)1 << i)); - - i = BN_BITS2 - i; - if (h >= d) - h -= d; - - if (i) { - d <<= i; - h = (h << i) | (l >> (BN_BITS2 - i)); - l <<= i; - } - dh = (d & BN_MASK2h) >> BN_BITS4; - dl = (d & BN_MASK2l); - for (;;) { - if ((h >> BN_BITS4) == dh) - q = BN_MASK2l; - else - q = h / dh; - - th = q * dh; - tl = dl * q; - for (;;) { - t = h - th; - if ((t & BN_MASK2h) || - ((tl) <= ( - (t << BN_BITS4) | - ((l & BN_MASK2h) >> BN_BITS4)))) - break; - q--; - th -= dh; - tl -= dl; - } - t = (tl >> BN_BITS4); - tl = (tl << BN_BITS4) & BN_MASK2h; - th += t; - - if (l < tl) - th++; - l -= tl; - if (h < th) { - h += d; - q--; - } - h -= th; - - if (--count == 0) - break; - - ret = q << BN_BITS4; - h = ((h << BN_BITS4) | (l >> BN_BITS4)) & BN_MASK2; - l = (l & BN_MASK2l) << BN_BITS4; - } - ret |= q; - return (ret); -} -#endif /* !defined(BN_LLONG) && defined(BN_DIV2W) */ -#endif - -/* - * Divide a double word (h:l) by d, returning the quotient q and the remainder - * r, such that q * d + r is equal to the numerator. - */ -#ifndef HAVE_BN_DIV_REM_WORDS -#ifndef HAVE_BN_DIV_REM_WORDS_INLINE -static inline void -bn_div_rem_words_inline(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q, - BN_ULONG *out_r) -{ - BN_ULONG q, r; - - q = bn_div_words(h, l, d); - r = (l - q * d) & BN_MASK2; - - *out_q = q; - *out_r = r; -} -#endif - -void -bn_div_rem_words(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q, - BN_ULONG *out_r) -{ - bn_div_rem_words_inline(h, l, d, out_q, out_r); -} -#endif - -#ifndef HAVE_BN_DIV_3_WORDS - -/* - * Interface is somewhat quirky, |m| is pointer to most significant limb, - * and less significant limb is referred at |m[-1]|. This means that caller - * is responsible for ensuring that |m[-1]| is valid. Second condition that - * has to be met is that |d0|'s most significant bit has to be set. Or in - * other words divisor has to be "bit-aligned to the left." The subroutine - * considers four limbs, two of which are "overlapping," hence the name... - */ -BN_ULONG -bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0) -{ - BN_ULONG n0, n1, q, t2h, t2l; - BN_ULONG rem = 0; - - n0 = m[0]; - n1 = m[-1]; - - if (n0 == d0) - return BN_MASK2; - - /* n0 < d0 */ - bn_div_rem_words(n0, n1, d0, &q, &rem); - - bn_mulw(d1, q, &t2h, &t2l); - - for (;;) { - if (t2h < rem || (t2h == rem && t2l <= m[-2])) - break; - q--; - rem += d0; - if (rem < d0) - break; /* don't let rem overflow */ - if (t2l < d1) - t2h--; - t2l -= d1; - } - - return q; -} -#endif /* !HAVE_BN_DIV_3_WORDS */ - -/* - * BN_div_internal computes quotient := numerator / divisor, rounding towards - * zero and setting remainder such that quotient * divisor + remainder equals - * the numerator. Thus: - * - * quotient->neg == numerator->neg ^ divisor->neg (unless result is zero) - * remainder->neg == numerator->neg (unless the remainder is zero) - * - * If either the quotient or remainder is NULL, the respective value is not - * returned. - */ -static int -BN_div_internal(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator, - const BIGNUM *divisor, BN_CTX *ctx, int ct) -{ - int norm_shift, i, loop, r_neg; - BIGNUM *tmp, wnum, *snum, *sdiv, *res; - BN_ULONG *resp, *wnump; - BN_ULONG d0, d1; - int num_n, div_n; - int no_branch = 0; - int ret = 0; - - BN_CTX_start(ctx); - - /* Invalid zero-padding would have particularly bad consequences. */ - if (numerator->top > 0 && numerator->d[numerator->top - 1] == 0) { - BNerror(BN_R_NOT_INITIALIZED); - goto err; - } - - if (ct) - no_branch = 1; - - if (BN_is_zero(divisor)) { - BNerror(BN_R_DIV_BY_ZERO); - goto err; - } - - if (!no_branch) { - if (BN_ucmp(numerator, divisor) < 0) { - if (remainder != NULL) { - if (!bn_copy(remainder, numerator)) - goto err; - } - if (quotient != NULL) - BN_zero(quotient); - - goto done; - } - } - - if ((tmp = BN_CTX_get(ctx)) == NULL) - goto err; - if ((snum = BN_CTX_get(ctx)) == NULL) - goto err; - if ((sdiv = BN_CTX_get(ctx)) == NULL) - goto err; - if ((res = quotient) == NULL) { - if ((res = BN_CTX_get(ctx)) == NULL) - goto err; - } - - /* First we normalise the numbers. */ - norm_shift = BN_BITS2 - BN_num_bits(divisor) % BN_BITS2; - if (!BN_lshift(sdiv, divisor, norm_shift)) - goto err; - sdiv->neg = 0; - norm_shift += BN_BITS2; - if (!BN_lshift(snum, numerator, norm_shift)) - goto err; - snum->neg = 0; - - if (no_branch) { - /* - * Since we don't know whether snum is larger than sdiv, we pad - * snum with enough zeroes without changing its value. - */ - if (snum->top <= sdiv->top + 1) { - if (!bn_wexpand(snum, sdiv->top + 2)) - goto err; - for (i = snum->top; i < sdiv->top + 2; i++) - snum->d[i] = 0; - snum->top = sdiv->top + 2; - } else { - if (!bn_wexpand(snum, snum->top + 1)) - goto err; - snum->d[snum->top] = 0; - snum->top++; - } - } - - div_n = sdiv->top; - num_n = snum->top; - loop = num_n - div_n; - - /* - * Setup a 'window' into snum - this is the part that corresponds to the - * current 'area' being divided. - */ - wnum.neg = 0; - wnum.d = &(snum->d[loop]); - wnum.top = div_n; - /* only needed when BN_ucmp messes up the values between top and max */ - wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */ - wnum.flags = snum->flags | BN_FLG_STATIC_DATA; - - /* Get the top 2 words of sdiv */ - /* div_n=sdiv->top; */ - d0 = sdiv->d[div_n - 1]; - d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2]; - - /* pointer to the 'top' of snum */ - wnump = &(snum->d[num_n - 1]); - - /* Setup to 'res' */ - if (!bn_wexpand(res, (loop + 1))) - goto err; - res->top = loop - no_branch; - r_neg = numerator->neg ^ divisor->neg; - resp = &(res->d[loop - 1]); - - /* space for temp */ - if (!bn_wexpand(tmp, (div_n + 1))) - goto err; - - if (!no_branch) { - if (BN_ucmp(&wnum, sdiv) >= 0) { - bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n); - *resp = 1; - } else - res->top--; - } - - /* - * If res->top == 0 then clear the neg value otherwise decrease the resp - * pointer. - */ - if (res->top == 0) - res->neg = 0; - else - resp--; - - for (i = 0; i < loop - 1; i++, wnump--, resp--) { - BN_ULONG q, l0; - - /* - * The first part of the loop uses the top two words of snum and - * sdiv to calculate a BN_ULONG q such that: - * - * | wnum - sdiv * q | < sdiv - */ - q = bn_div_3_words(wnump, d1, d0); - l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q); - tmp->d[div_n] = l0; - wnum.d--; - - /* - * Ignore top values of the bignums just sub the two BN_ULONG - * arrays with bn_sub_words. - */ - if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) { - /* - * Note: As we have considered only the leading two - * BN_ULONGs in the calculation of q, sdiv * q might be - * greater than wnum (but then (q-1) * sdiv is less or - * equal than wnum). - */ - q--; - if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n)) { - /* - * We can't have an overflow here (assuming - * that q != 0, but if q == 0 then tmp is - * zero anyway). - */ - (*wnump)++; - } - } - /* store part of the result */ - *resp = q; - } - - bn_correct_top(snum); - - if (remainder != NULL) { - /* - * Keep a copy of the neg flag in numerator because if - * remainder == numerator, BN_rshift() will overwrite it. - */ - int neg = numerator->neg; - - BN_rshift(remainder, snum, norm_shift); - BN_set_negative(remainder, neg); - } - - if (no_branch) - bn_correct_top(res); - - BN_set_negative(res, r_neg); - - done: - ret = 1; - err: - BN_CTX_end(ctx); - - return ret; -} - -int -BN_div(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator, - const BIGNUM *divisor, BN_CTX *ctx) -{ - int ct; - - ct = BN_get_flags(numerator, BN_FLG_CONSTTIME) != 0 || - BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0; - - return BN_div_internal(quotient, remainder, numerator, divisor, ctx, ct); -} -LCRYPTO_ALIAS(BN_div); - -int -BN_div_nonct(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator, - const BIGNUM *divisor, BN_CTX *ctx) -{ - return BN_div_internal(quotient, remainder, numerator, divisor, ctx, 0); -} - -int -BN_div_ct(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator, - const BIGNUM *divisor, BN_CTX *ctx) -{ - return BN_div_internal(quotient, remainder, numerator, divisor, ctx, 1); -} diff --git a/src/lib/libcrypto/bn/bn_err.c b/src/lib/libcrypto/bn/bn_err.c deleted file mode 100644 index 3ee6b4311f..0000000000 --- a/src/lib/libcrypto/bn/bn_err.c +++ /dev/null @@ -1,110 +0,0 @@ -/* $OpenBSD: bn_err.c,v 1.18 2024/06/24 06:43:22 tb Exp $ */ -/* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include - -#include - -#include -#include - -#include "err_local.h" - -#ifndef OPENSSL_NO_ERR - -#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BN,func,0) -#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BN,0,reason) - -static const ERR_STRING_DATA BN_str_functs[] = { - {ERR_FUNC(0xfff), "CRYPTO_internal"}, - {0, NULL} -}; - -static const ERR_STRING_DATA BN_str_reasons[] = { - {ERR_REASON(BN_R_ARG2_LT_ARG3) , "arg2 lt arg3"}, - {ERR_REASON(BN_R_BAD_RECIPROCAL) , "bad reciprocal"}, - {ERR_REASON(BN_R_BIGNUM_TOO_LONG) , "bignum too long"}, - {ERR_REASON(BN_R_BITS_TOO_SMALL) , "bits too small"}, - {ERR_REASON(BN_R_CALLED_WITH_EVEN_MODULUS), "called with even modulus"}, - {ERR_REASON(BN_R_DIV_BY_ZERO) , "div by zero"}, - {ERR_REASON(BN_R_ENCODING_ERROR) , "encoding error"}, - {ERR_REASON(BN_R_EXPAND_ON_STATIC_BIGNUM_DATA), "expand on static bignum data"}, - {ERR_REASON(BN_R_INPUT_NOT_REDUCED) , "input not reduced"}, - {ERR_REASON(BN_R_INVALID_ARGUMENT) , "invalid argument"}, - {ERR_REASON(BN_R_INVALID_LENGTH) , "invalid length"}, - {ERR_REASON(BN_R_INVALID_RANGE) , "invalid range"}, - {ERR_REASON(BN_R_NOT_A_SQUARE) , "not a square"}, - {ERR_REASON(BN_R_NOT_INITIALIZED) , "not initialized"}, - {ERR_REASON(BN_R_NO_INVERSE) , "no inverse"}, - {ERR_REASON(BN_R_NO_SOLUTION) , "no solution"}, - {ERR_REASON(BN_R_P_IS_NOT_PRIME) , "p is not prime"}, - {ERR_REASON(BN_R_TOO_MANY_ITERATIONS) , "too many iterations"}, - {ERR_REASON(BN_R_TOO_MANY_TEMPORARY_VARIABLES), "too many temporary variables"}, - {0, NULL} -}; - -#endif - -void -ERR_load_BN_strings(void) -{ -#ifndef OPENSSL_NO_ERR - if (ERR_func_error_string(BN_str_functs[0].error) == NULL) { - ERR_load_const_strings(BN_str_functs); - ERR_load_const_strings(BN_str_reasons); - } -#endif -} -LCRYPTO_ALIAS(ERR_load_BN_strings); diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c deleted file mode 100644 index e925d325d2..0000000000 --- a/src/lib/libcrypto/bn/bn_exp.c +++ /dev/null @@ -1,1330 +0,0 @@ -/* $OpenBSD: bn_exp.c,v 1.58 2025/02/13 11:15:09 tb Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include - -#include - -#include "bn_local.h" -#include "constant_time.h" - -/* maximum precomputation table size for *variable* sliding windows */ -#define TABLE_SIZE 32 - -/* Calculates r = a^p by successive squaring of a. Not constant time. */ -int -BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) -{ - BIGNUM *rr, *v; - int i; - int ret = 0; - - if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { - BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return -1; - } - - BN_CTX_start(ctx); - - if ((v = BN_CTX_get(ctx)) == NULL) - goto err; - - rr = r; - if (r == a || r == p) - rr = BN_CTX_get(ctx); - if (rr == NULL) - goto err; - - if (!BN_one(rr)) - goto err; - if (BN_is_odd(p)) { - if (!bn_copy(rr, a)) - goto err; - } - - if (!bn_copy(v, a)) - goto err; - - for (i = 1; i < BN_num_bits(p); i++) { - if (!BN_sqr(v, v, ctx)) - goto err; - if (!BN_is_bit_set(p, i)) - continue; - if (!BN_mul(rr, rr, v, ctx)) - goto err; - } - - if (!bn_copy(r, rr)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} -LCRYPTO_ALIAS(BN_exp); - -/* The old fallback, simple version :-) */ -int -BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx) -{ - int i, j, bits, wstart, wend, window, wvalue; - int start = 1; - BIGNUM *d, *q; - /* Table of variables obtained from 'ctx' */ - BIGNUM *val[TABLE_SIZE]; - int ret = 0; - - if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { - /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */ - BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return -1; - } - - if (r == m) { - BNerror(BN_R_INVALID_ARGUMENT); - return 0; - } - - bits = BN_num_bits(p); - if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_abs_is_word(m, 1)) { - ret = 1; - BN_zero(r); - } else - ret = BN_one(r); - return ret; - } - - BN_CTX_start(ctx); - if ((d = BN_CTX_get(ctx)) == NULL) - goto err; - if ((q = BN_CTX_get(ctx)) == NULL) - goto err; - if ((val[0] = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_nnmod(val[0], a, m, ctx)) - goto err; - if (BN_is_zero(val[0])) { - BN_zero(r); - goto done; - } - if (!bn_copy(q, p)) - goto err; - - window = BN_window_bits_for_exponent_size(bits); - if (window > 1) { - if (!BN_mod_mul(d, val[0], val[0], m, ctx)) - goto err; - j = 1 << (window - 1); - for (i = 1; i < j; i++) { - if (((val[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul(val[i], val[i - 1], d,m, ctx)) - goto err; - } - } - - start = 1; /* This is used to avoid multiplication etc - * when there is only the value '1' in the - * buffer. */ - wvalue = 0; /* The 'value' of the window */ - wstart = bits - 1; /* The top bit of the window */ - wend = 0; /* The bottom bit of the window */ - - if (!BN_one(r)) - goto err; - - for (;;) { - if (BN_is_bit_set(q, wstart) == 0) { - if (!start) - if (!BN_mod_mul(r, r, r, m, ctx)) - goto err; - if (wstart == 0) - break; - wstart--; - continue; - } - /* We now have wstart on a 'set' bit, we now need to work out - * how bit a window to do. To do this we need to scan - * forward until the last set bit before the end of the - * window */ - j = wstart; - wvalue = 1; - wend = 0; - for (i = 1; i < window; i++) { - if (wstart - i < 0) - break; - if (BN_is_bit_set(q, wstart - i)) { - wvalue <<= (i - wend); - wvalue |= 1; - wend = i; - } - } - - /* wend is the size of the current window */ - j = wend + 1; - /* add the 'bytes above' */ - if (!start) - for (i = 0; i < j; i++) { - if (!BN_mod_mul(r, r, r, m, ctx)) - goto err; - } - - /* wvalue will be an odd number < 2^window */ - if (!BN_mod_mul(r, r, val[wvalue >> 1], m, ctx)) - goto err; - - /* move the 'window' down further */ - wstart -= wend + 1; - wvalue = 0; - start = 0; - if (wstart < 0) - break; - } - - done: - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -/* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout - * so that accessing any of these table values shows the same access pattern as far - * as cache lines are concerned. The following functions are used to transfer a BIGNUM - * from/to that table. */ - -static int -MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top, unsigned char *buf, - int idx, int window) -{ - int i, j; - int width = 1 << window; - BN_ULONG *table = (BN_ULONG *)buf; - - if (top > b->top) - top = b->top; /* this works because 'buf' is explicitly zeroed */ - - for (i = 0, j = idx; i < top; i++, j += width) { - table[j] = b->d[i]; - } - - return 1; -} - -static int -MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, - int window) -{ - int i, j; - int width = 1 << window; - volatile BN_ULONG *table = (volatile BN_ULONG *)buf; - - if (!bn_wexpand(b, top)) - return 0; - - if (window <= 3) { - for (i = 0; i < top; i++, table += width) { - BN_ULONG acc = 0; - - for (j = 0; j < width; j++) { - acc |= table[j] & - ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1)); - } - - b->d[i] = acc; - } - } else { - int xstride = 1 << (window - 2); - BN_ULONG y0, y1, y2, y3; - - i = idx >> (window - 2); /* equivalent of idx / xstride */ - idx &= xstride - 1; /* equivalent of idx % xstride */ - - y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1); - y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1); - y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1); - y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1); - - for (i = 0; i < top; i++, table += width) { - BN_ULONG acc = 0; - - for (j = 0; j < xstride; j++) { - acc |= ( (table[j + 0 * xstride] & y0) | - (table[j + 1 * xstride] & y1) | - (table[j + 2 * xstride] & y2) | - (table[j + 3 * xstride] & y3) ) - & ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1)); - } - - b->d[i] = acc; - } - } - b->top = top; - bn_correct_top(b); - return 1; -} - -/* Given a pointer value, compute the next address that is a cache line multiple. */ -#define MOD_EXP_CTIME_ALIGN(x_) \ - ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((size_t)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK)))) - -/* This variant of BN_mod_exp_mont() uses fixed windows and the special - * precomputation memory layout to limit data-dependency to a minimum - * to protect secret exponents (cf. the hyper-threading timing attacks - * pointed out by Colin Percival, - * http://www.daemonology.net/hyperthreading-considered-harmful/) - */ -int -BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) -{ - int i, bits, ret = 0, window, wvalue; - int top; - BN_MONT_CTX *mont = NULL; - int numPowers; - unsigned char *powerbufFree = NULL; - int powerbufLen = 0; - unsigned char *powerbuf = NULL; - BIGNUM tmp, am; - - - if (!BN_is_odd(m)) { - BNerror(BN_R_CALLED_WITH_EVEN_MODULUS); - return (0); - } - - top = m->top; - - bits = BN_num_bits(p); - if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_abs_is_word(m, 1)) { - ret = 1; - BN_zero(rr); - } else - ret = BN_one(rr); - return ret; - } - - BN_CTX_start(ctx); - - if ((mont = in_mont) == NULL) - mont = BN_MONT_CTX_create(m, ctx); - if (mont == NULL) - goto err; - - /* Get the window size to use with size of p. */ - window = BN_window_bits_for_ctime_exponent_size(bits); -#if defined(OPENSSL_BN_ASM_MONT5) - if (window == 6 && bits <= 1024) - window = 5; /* ~5% improvement of 2048-bit RSA sign */ -#endif - - /* Allocate a buffer large enough to hold all of the pre-computed - * powers of am, am itself and tmp. - */ - numPowers = 1 << window; - powerbufLen = sizeof(m->d[0]) * (top * numPowers + - ((2*top) > numPowers ? (2*top) : numPowers)); - if ((powerbufFree = calloc(powerbufLen + - MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH, 1)) == NULL) - goto err; - powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree); - - /* lay down tmp and am right after powers table */ - tmp.d = (BN_ULONG *)(powerbuf + sizeof(m->d[0]) * top * numPowers); - am.d = tmp.d + top; - tmp.top = am.top = 0; - tmp.dmax = am.dmax = top; - tmp.neg = am.neg = 0; - tmp.flags = am.flags = BN_FLG_STATIC_DATA; - - /* prepare a^0 in Montgomery domain */ -#if 1 - if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx)) - goto err; -#else - tmp.d[0] = (0 - m - >d[0]) & BN_MASK2; /* 2^(top*BN_BITS2) - m */ - for (i = 1; i < top; i++) - tmp.d[i] = (~m->d[i]) & BN_MASK2; - tmp.top = top; -#endif - - /* prepare a^1 in Montgomery domain */ - if (!BN_nnmod(&am, a, m, ctx)) - goto err; - if (!BN_to_montgomery(&am, &am, mont, ctx)) - goto err; - -#if defined(OPENSSL_BN_ASM_MONT5) - /* This optimization uses ideas from http://eprint.iacr.org/2011/239, - * specifically optimization of cache-timing attack countermeasures - * and pre-computation optimization. */ - - /* Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as - * 512-bit RSA is hardly relevant, we omit it to spare size... */ - if (window == 5 && top > 1) { - void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap, - const void *table, const BN_ULONG *np, - const BN_ULONG *n0, int num, int power); - void bn_scatter5(const BN_ULONG *inp, size_t num, - void *table, size_t power); - void bn_gather5(BN_ULONG *out, size_t num, - void *table, size_t power); - - BN_ULONG *np = mont->N.d, *n0 = mont->n0; - - /* BN_to_montgomery can contaminate words above .top - * [in BN_DEBUG[_DEBUG] build]... */ - for (i = am.top; i < top; i++) - am.d[i] = 0; - for (i = tmp.top; i < top; i++) - tmp.d[i] = 0; - - bn_scatter5(tmp.d, top, powerbuf, 0); - bn_scatter5(am.d, am.top, powerbuf, 1); - bn_mul_mont(tmp.d, am.d, am.d, np, n0, top); - bn_scatter5(tmp.d, top, powerbuf, 2); - -#if 0 - for (i = 3; i < 32; i++) { - /* Calculate a^i = a^(i-1) * a */ - bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, - n0, top, i - 1); - bn_scatter5(tmp.d, top, powerbuf, i); - } -#else - /* same as above, but uses squaring for 1/2 of operations */ - for (i = 4; i < 32; i*=2) { - bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); - bn_scatter5(tmp.d, top, powerbuf, i); - } - for (i = 3; i < 8; i += 2) { - int j; - bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, - n0, top, i - 1); - bn_scatter5(tmp.d, top, powerbuf, i); - for (j = 2 * i; j < 32; j *= 2) { - bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); - bn_scatter5(tmp.d, top, powerbuf, j); - } - } - for (; i < 16; i += 2) { - bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, - n0, top, i - 1); - bn_scatter5(tmp.d, top, powerbuf, i); - bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); - bn_scatter5(tmp.d, top, powerbuf, 2*i); - } - for (; i < 32; i += 2) { - bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, - n0, top, i - 1); - bn_scatter5(tmp.d, top, powerbuf, i); - } -#endif - bits--; - for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--) - wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); - bn_gather5(tmp.d, top, powerbuf, wvalue); - - /* Scan the exponent one window at a time starting from the most - * significant bits. - */ - while (bits >= 0) { - for (wvalue = 0, i = 0; i < 5; i++, bits--) - wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); - - bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); - bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); - bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); - bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); - bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); - bn_mul_mont_gather5(tmp.d, tmp.d, powerbuf, np, n0, top, wvalue); - } - - tmp.top = top; - bn_correct_top(&tmp); - } else -#endif - { - if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, - window)) - goto err; - if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, - window)) - goto err; - - /* If the window size is greater than 1, then calculate - * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1) - * (even powers could instead be computed as (a^(i/2))^2 - * to use the slight performance advantage of sqr over mul). - */ - if (window > 1) { - if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx)) - goto err; - if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, - 2, window)) - goto err; - for (i = 3; i < numPowers; i++) { - /* Calculate a^i = a^(i-1) * a */ - if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, - mont, ctx)) - goto err; - if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, - powerbuf, i, window)) - goto err; - } - } - - bits--; - for (wvalue = 0, i = bits % window; i >= 0; i--, bits--) - wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); - if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp, top, powerbuf, - wvalue, window)) - goto err; - - /* Scan the exponent one window at a time starting from the most - * significant bits. - */ - while (bits >= 0) { - wvalue = 0; /* The 'value' of the window */ - - /* Scan the window, squaring the result as we go */ - for (i = 0; i < window; i++, bits--) { - if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, - mont, ctx)) - goto err; - wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); - } - - /* Fetch the appropriate pre-computed value from the pre-buf */ - if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am, top, powerbuf, - wvalue, window)) - goto err; - - /* Multiply the result into the intermediate result */ - if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx)) - goto err; - } - } - - /* Convert the final result from montgomery to standard format */ - if (!BN_from_montgomery(rr, &tmp, mont, ctx)) - goto err; - - ret = 1; - - err: - if (mont != in_mont) - BN_MONT_CTX_free(mont); - BN_CTX_end(ctx); - freezero(powerbufFree, powerbufLen + MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH); - - return ret; -} -LCRYPTO_ALIAS(BN_mod_exp_mont_consttime); - -static int -BN_mod_exp_mont_internal(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *in_mont, int ct) -{ - int i, j, bits, ret = 0, wstart, wend, window, wvalue; - int start = 1; - BIGNUM *d, *r; - const BIGNUM *aa; - /* Table of variables obtained from 'ctx' */ - BIGNUM *val[TABLE_SIZE]; - BN_MONT_CTX *mont = NULL; - - if (ct) { - return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); - } - - - if (!BN_is_odd(m)) { - BNerror(BN_R_CALLED_WITH_EVEN_MODULUS); - return (0); - } - - bits = BN_num_bits(p); - if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_abs_is_word(m, 1)) { - ret = 1; - BN_zero(rr); - } else - ret = BN_one(rr); - return ret; - } - - BN_CTX_start(ctx); - if ((d = BN_CTX_get(ctx)) == NULL) - goto err; - if ((r = BN_CTX_get(ctx)) == NULL) - goto err; - if ((val[0] = BN_CTX_get(ctx)) == NULL) - goto err; - - if ((mont = in_mont) == NULL) - mont = BN_MONT_CTX_create(m, ctx); - if (mont == NULL) - goto err; - - if (!BN_nnmod(val[0], a,m, ctx)) - goto err; - aa = val[0]; - if (BN_is_zero(aa)) { - BN_zero(rr); - ret = 1; - goto err; - } - if (!BN_to_montgomery(val[0], aa, mont, ctx)) - goto err; - - window = BN_window_bits_for_exponent_size(bits); - if (window > 1) { - if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) - goto err; - j = 1 << (window - 1); - for (i = 1; i < j; i++) { - if (((val[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul_montgomery(val[i], val[i - 1], - d, mont, ctx)) - goto err; - } - } - - start = 1; /* This is used to avoid multiplication etc - * when there is only the value '1' in the - * buffer. */ - wvalue = 0; /* The 'value' of the window */ - wstart = bits - 1; /* The top bit of the window */ - wend = 0; /* The bottom bit of the window */ - - if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) - goto err; - for (;;) { - if (BN_is_bit_set(p, wstart) == 0) { - if (!start) { - if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) - goto err; - } - if (wstart == 0) - break; - wstart--; - continue; - } - /* We now have wstart on a 'set' bit, we now need to work out - * how bit a window to do. To do this we need to scan - * forward until the last set bit before the end of the - * window */ - j = wstart; - wvalue = 1; - wend = 0; - for (i = 1; i < window; i++) { - if (wstart - i < 0) - break; - if (BN_is_bit_set(p, wstart - i)) { - wvalue <<= (i - wend); - wvalue |= 1; - wend = i; - } - } - - /* wend is the size of the current window */ - j = wend + 1; - /* add the 'bytes above' */ - if (!start) - for (i = 0; i < j; i++) { - if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) - goto err; - } - - /* wvalue will be an odd number < 2^window */ - if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx)) - goto err; - - /* move the 'window' down further */ - wstart -= wend + 1; - wvalue = 0; - start = 0; - if (wstart < 0) - break; - } - if (!BN_from_montgomery(rr, r,mont, ctx)) - goto err; - - ret = 1; - - err: - if (mont != in_mont) - BN_MONT_CTX_free(mont); - BN_CTX_end(ctx); - - return ret; -} - -int -BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *in_mont) -{ - return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, - (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)); -} -LCRYPTO_ALIAS(BN_mod_exp_mont); - -int -BN_mod_exp_mont_ct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *in_mont) -{ - return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 1); -} - -int -BN_mod_exp_mont_nonct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *in_mont) -{ - return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 0); -} - -int -BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *in_mont) -{ - BN_MONT_CTX *mont = NULL; - int b, bits, ret = 0; - int r_is_one; - BN_ULONG w, next_w; - BIGNUM *d, *r, *t; - BIGNUM *swap_tmp; - -#define BN_MOD_MUL_WORD(r, w, m) \ - (BN_mul_word(r, (w)) && \ - (/* BN_ucmp(r, (m)) < 0 ? 1 :*/ \ - (BN_mod_ct(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1)))) - /* BN_MOD_MUL_WORD is only used with 'w' large, - * so the BN_ucmp test is probably more overhead - * than always using BN_mod (which uses bn_copy if - * a similar test returns true). */ - /* We can use BN_mod and do not need BN_nnmod because our - * accumulator is never negative (the result of BN_mod does - * not depend on the sign of the modulus). - */ -#define BN_TO_MONTGOMERY_WORD(r, w, mont) \ - (BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx)) - - if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { - /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */ - BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return -1; - } - - - if (!BN_is_odd(m)) { - BNerror(BN_R_CALLED_WITH_EVEN_MODULUS); - return (0); - } - if (m->top == 1) - a %= m->d[0]; /* make sure that 'a' is reduced */ - - bits = BN_num_bits(p); - if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_abs_is_word(m, 1)) { - ret = 1; - BN_zero(rr); - } else - ret = BN_one(rr); - return ret; - } - if (a == 0) { - BN_zero(rr); - ret = 1; - return ret; - } - - BN_CTX_start(ctx); - if ((d = BN_CTX_get(ctx)) == NULL) - goto err; - if ((r = BN_CTX_get(ctx)) == NULL) - goto err; - if ((t = BN_CTX_get(ctx)) == NULL) - goto err; - - if ((mont = in_mont) == NULL) - mont = BN_MONT_CTX_create(m, ctx); - if (mont == NULL) - goto err; - - r_is_one = 1; /* except for Montgomery factor */ - - /* bits-1 >= 0 */ - - /* The result is accumulated in the product r*w. */ - w = a; /* bit 'bits-1' of 'p' is always set */ - for (b = bits - 2; b >= 0; b--) { - /* First, square r*w. */ - next_w = w * w; - if ((next_w / w) != w) /* overflow */ - { - if (r_is_one) { - if (!BN_TO_MONTGOMERY_WORD(r, w, mont)) - goto err; - r_is_one = 0; - } else { - if (!BN_MOD_MUL_WORD(r, w, m)) - goto err; - } - next_w = 1; - } - w = next_w; - if (!r_is_one) { - if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) - goto err; - } - - /* Second, multiply r*w by 'a' if exponent bit is set. */ - if (BN_is_bit_set(p, b)) { - next_w = w * a; - if ((next_w / a) != w) /* overflow */ - { - if (r_is_one) { - if (!BN_TO_MONTGOMERY_WORD(r, w, mont)) - goto err; - r_is_one = 0; - } else { - if (!BN_MOD_MUL_WORD(r, w, m)) - goto err; - } - next_w = a; - } - w = next_w; - } - } - - /* Finally, set r:=r*w. */ - if (w != 1) { - if (r_is_one) { - if (!BN_TO_MONTGOMERY_WORD(r, w, mont)) - goto err; - r_is_one = 0; - } else { - if (!BN_MOD_MUL_WORD(r, w, m)) - goto err; - } - } - - if (r_is_one) /* can happen only if a == 1*/ - { - if (!BN_one(rr)) - goto err; - } else { - if (!BN_from_montgomery(rr, r, mont, ctx)) - goto err; - } - - ret = 1; - - err: - if (mont != in_mont) - BN_MONT_CTX_free(mont); - BN_CTX_end(ctx); - - return ret; -} - -int -BN_mod_exp_reciprocal(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx) -{ - int i, j, bits, wstart, wend, window, wvalue; - int start = 1; - BIGNUM *aa, *q; - /* Table of variables obtained from 'ctx' */ - BIGNUM *val[TABLE_SIZE]; - BN_RECP_CTX *recp = NULL; - int ret = 0; - - if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { - /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */ - BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return -1; - } - - bits = BN_num_bits(p); - if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_abs_is_word(m, 1)) { - ret = 1; - BN_zero(r); - } else - ret = BN_one(r); - return ret; - } - - BN_CTX_start(ctx); - if ((aa = BN_CTX_get(ctx)) == NULL) - goto err; - if ((q = BN_CTX_get(ctx)) == NULL) - goto err; - if ((val[0] = BN_CTX_get(ctx)) == NULL) - goto err; - - if ((recp = BN_RECP_CTX_create(m)) == NULL) - goto err; - - if (!BN_nnmod(val[0], a, m, ctx)) - goto err; - if (BN_is_zero(val[0])) { - BN_zero(r); - goto done; - } - if (!bn_copy(q, p)) - goto err; - - window = BN_window_bits_for_exponent_size(bits); - if (window > 1) { - if (!BN_mod_sqr_reciprocal(aa, val[0], recp, ctx)) - goto err; - j = 1 << (window - 1); - for (i = 1; i < j; i++) { - if (((val[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul_reciprocal(val[i], val[i - 1], - aa, recp, ctx)) - goto err; - } - } - - start = 1; /* This is used to avoid multiplication etc - * when there is only the value '1' in the - * buffer. */ - wvalue = 0; /* The 'value' of the window */ - wstart = bits - 1; /* The top bit of the window */ - wend = 0; /* The bottom bit of the window */ - - if (!BN_one(r)) - goto err; - - for (;;) { - if (BN_is_bit_set(q, wstart) == 0) { - if (!start) - if (!BN_mod_sqr_reciprocal(r, r, recp, ctx)) - goto err; - if (wstart == 0) - break; - wstart--; - continue; - } - /* We now have wstart on a 'set' bit, we now need to work out - * how bit a window to do. To do this we need to scan - * forward until the last set bit before the end of the - * window */ - j = wstart; - wvalue = 1; - wend = 0; - for (i = 1; i < window; i++) { - if (wstart - i < 0) - break; - if (BN_is_bit_set(q, wstart - i)) { - wvalue <<= (i - wend); - wvalue |= 1; - wend = i; - } - } - - /* wend is the size of the current window */ - j = wend + 1; - /* add the 'bytes above' */ - if (!start) - for (i = 0; i < j; i++) { - if (!BN_mod_sqr_reciprocal(r, r, recp, ctx)) - goto err; - } - - /* wvalue will be an odd number < 2^window */ - if (!BN_mod_mul_reciprocal(r, r, val[wvalue >> 1], recp, ctx)) - goto err; - - /* move the 'window' down further */ - wstart -= wend + 1; - wvalue = 0; - start = 0; - if (wstart < 0) - break; - } - - done: - ret = 1; - - err: - BN_CTX_end(ctx); - BN_RECP_CTX_free(recp); - - return ret; -} - -static int -BN_mod_exp_internal(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, int ct) -{ - int ret; - - - /* For even modulus m = 2^k*m_odd, it might make sense to compute - * a^p mod m_odd and a^p mod 2^k separately (with Montgomery - * exponentiation for the odd part), using appropriate exponent - * reductions, and combine the results using the CRT. - * - * For now, we use Montgomery only if the modulus is odd; otherwise, - * exponentiation using the reciprocal-based quick remaindering - * algorithm is used. - * - * (Timing obtained with expspeed.c [computations a^p mod m - * where a, p, m are of the same length: 256, 512, 1024, 2048, - * 4096, 8192 bits], compared to the running time of the - * standard algorithm: - * - * BN_mod_exp_mont 33 .. 40 % [AMD K6-2, Linux, debug configuration] - * 55 .. 77 % [UltraSparc processor, but - * debug-solaris-sparcv8-gcc conf.] - * - * BN_mod_exp_recp 50 .. 70 % [AMD K6-2, Linux, debug configuration] - * 62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc] - * - * On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont - * at 2048 and more bits, but at 512 and 1024 bits, it was - * slower even than the standard algorithm! - * - * "Real" timings [linux-elf, solaris-sparcv9-gcc configurations] - * should be obtained when the new Montgomery reduction code - * has been integrated into OpenSSL.) - */ - - if (BN_is_odd(m)) { - if (a->top == 1 && !a->neg && !ct) { - BN_ULONG A = a->d[0]; - ret = BN_mod_exp_mont_word(r, A,p, m,ctx, NULL); - } else - ret = BN_mod_exp_mont_ct(r, a,p, m,ctx, NULL); - } else { - ret = BN_mod_exp_reciprocal(r, a,p, m, ctx); - } - - return (ret); -} - -int -BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx) -{ - return BN_mod_exp_internal(r, a, p, m, ctx, - (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)); -} -LCRYPTO_ALIAS(BN_mod_exp); - -int -BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx) -{ - return BN_mod_exp_internal(r, a, p, m, ctx, 1); -} - -int -BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx) -{ - return BN_mod_exp_internal(r, a, p, m, ctx, 0); -} - -int -BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, - const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *in_mont) -{ - int i, j, bits, b, bits1, bits2, ret = 0, wpos1, wpos2, window1, window2, wvalue1, wvalue2; - int r_is_one = 1; - BIGNUM *d, *r; - const BIGNUM *a_mod_m; - /* Tables of variables obtained from 'ctx' */ - BIGNUM *val1[TABLE_SIZE], *val2[TABLE_SIZE]; - BN_MONT_CTX *mont = NULL; - - - if (!BN_is_odd(m)) { - BNerror(BN_R_CALLED_WITH_EVEN_MODULUS); - return (0); - } - bits1 = BN_num_bits(p1); - bits2 = BN_num_bits(p2); - if ((bits1 == 0) && (bits2 == 0)) { - ret = BN_one(rr); - return ret; - } - - bits = (bits1 > bits2) ? bits1 : bits2; - - BN_CTX_start(ctx); - if ((d = BN_CTX_get(ctx)) == NULL) - goto err; - if ((r = BN_CTX_get(ctx)) == NULL) - goto err; - if ((val1[0] = BN_CTX_get(ctx)) == NULL) - goto err; - if ((val2[0] = BN_CTX_get(ctx)) == NULL) - goto err; - - if ((mont = in_mont) == NULL) - mont = BN_MONT_CTX_create(m, ctx); - if (mont == NULL) - goto err; - - window1 = BN_window_bits_for_exponent_size(bits1); - window2 = BN_window_bits_for_exponent_size(bits2); - - /* - * Build table for a1: val1[i] := a1^(2*i + 1) mod m for i = 0 .. 2^(window1-1) - */ - if (!BN_nnmod(val1[0], a1, m, ctx)) - goto err; - a_mod_m = val1[0]; - if (BN_is_zero(a_mod_m)) { - BN_zero(rr); - ret = 1; - goto err; - } - - if (!BN_to_montgomery(val1[0], a_mod_m, mont, ctx)) - goto err; - if (window1 > 1) { - if (!BN_mod_mul_montgomery(d, val1[0], val1[0], mont, ctx)) - goto err; - - j = 1 << (window1 - 1); - for (i = 1; i < j; i++) { - if (((val1[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul_montgomery(val1[i], val1[i - 1], - d, mont, ctx)) - goto err; - } - } - - - /* - * Build table for a2: val2[i] := a2^(2*i + 1) mod m for i = 0 .. 2^(window2-1) - */ - if (!BN_nnmod(val2[0], a2, m, ctx)) - goto err; - a_mod_m = val2[0]; - if (BN_is_zero(a_mod_m)) { - BN_zero(rr); - ret = 1; - goto err; - } - if (!BN_to_montgomery(val2[0], a_mod_m, mont, ctx)) - goto err; - if (window2 > 1) { - if (!BN_mod_mul_montgomery(d, val2[0], val2[0], mont, ctx)) - goto err; - - j = 1 << (window2 - 1); - for (i = 1; i < j; i++) { - if (((val2[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul_montgomery(val2[i], val2[i - 1], - d, mont, ctx)) - goto err; - } - } - - - /* Now compute the power product, using independent windows. */ - r_is_one = 1; - wvalue1 = 0; /* The 'value' of the first window */ - wvalue2 = 0; /* The 'value' of the second window */ - wpos1 = 0; /* If wvalue1 > 0, the bottom bit of the first window */ - wpos2 = 0; /* If wvalue2 > 0, the bottom bit of the second window */ - - if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) - goto err; - for (b = bits - 1; b >= 0; b--) { - if (!r_is_one) { - if (!BN_mod_mul_montgomery(r, r,r, mont, ctx)) - goto err; - } - - if (!wvalue1) - if (BN_is_bit_set(p1, b)) { - /* consider bits b-window1+1 .. b for this window */ - i = b - window1 + 1; - while (!BN_is_bit_set(p1, i)) /* works for i<0 */ - i++; - wpos1 = i; - wvalue1 = 1; - for (i = b - 1; i >= wpos1; i--) { - wvalue1 <<= 1; - if (BN_is_bit_set(p1, i)) - wvalue1++; - } - } - - if (!wvalue2) - if (BN_is_bit_set(p2, b)) { - /* consider bits b-window2+1 .. b for this window */ - i = b - window2 + 1; - while (!BN_is_bit_set(p2, i)) - i++; - wpos2 = i; - wvalue2 = 1; - for (i = b - 1; i >= wpos2; i--) { - wvalue2 <<= 1; - if (BN_is_bit_set(p2, i)) - wvalue2++; - } - } - - if (wvalue1 && b == wpos1) { - /* wvalue1 is odd and < 2^window1 */ - if (!BN_mod_mul_montgomery(r, r, val1[wvalue1 >> 1], - mont, ctx)) - goto err; - wvalue1 = 0; - r_is_one = 0; - } - - if (wvalue2 && b == wpos2) { - /* wvalue2 is odd and < 2^window2 */ - if (!BN_mod_mul_montgomery(r, r, val2[wvalue2 >> 1], - mont, ctx)) - goto err; - wvalue2 = 0; - r_is_one = 0; - } - } - if (!BN_from_montgomery(rr, r,mont, ctx)) - goto err; - - ret = 1; - - err: - if (mont != in_mont) - BN_MONT_CTX_free(mont); - BN_CTX_end(ctx); - - return ret; -} diff --git a/src/lib/libcrypto/bn/bn_gcd.c b/src/lib/libcrypto/bn/bn_gcd.c deleted file mode 100644 index fa5d71a7f3..0000000000 --- a/src/lib/libcrypto/bn/bn_gcd.c +++ /dev/null @@ -1,818 +0,0 @@ -/* $OpenBSD: bn_gcd.c,v 1.29 2024/04/10 14:58:06 beck Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include - -#include "bn_local.h" - -static BIGNUM * -euclid(BIGNUM *a, BIGNUM *b) -{ - BIGNUM *t; - int shifts = 0; - - /* Loop invariant: 0 <= b <= a. */ - while (!BN_is_zero(b)) { - if (BN_is_odd(a) && BN_is_odd(b)) { - if (!BN_sub(a, a, b)) - goto err; - if (!BN_rshift1(a, a)) - goto err; - } else if (BN_is_odd(a) && !BN_is_odd(b)) { - if (!BN_rshift1(b, b)) - goto err; - } else if (!BN_is_odd(a) && BN_is_odd(b)) { - if (!BN_rshift1(a, a)) - goto err; - } else { - if (!BN_rshift1(a, a)) - goto err; - if (!BN_rshift1(b, b)) - goto err; - shifts++; - continue; - } - - if (BN_cmp(a, b) < 0) { - t = a; - a = b; - b = t; - } - } - - if (shifts) { - if (!BN_lshift(a, a, shifts)) - goto err; - } - - return a; - - err: - return NULL; -} - -int -BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) -{ - BIGNUM *a, *b, *t; - int ret = 0; - - BN_CTX_start(ctx); - if ((a = BN_CTX_get(ctx)) == NULL) - goto err; - if ((b = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!bn_copy(a, in_a)) - goto err; - if (!bn_copy(b, in_b)) - goto err; - a->neg = 0; - b->neg = 0; - - if (BN_cmp(a, b) < 0) { - t = a; - a = b; - b = t; - } - t = euclid(a, b); - if (t == NULL) - goto err; - - if (!bn_copy(r, t)) - goto err; - ret = 1; - - err: - BN_CTX_end(ctx); - return (ret); -} -LCRYPTO_ALIAS(BN_gcd); - -/* - * BN_gcd_no_branch is a special version of BN_mod_inverse_no_branch. - * that returns the GCD. - */ -static BIGNUM * -BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, - BN_CTX *ctx) -{ - BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; - BIGNUM local_A, local_B; - BIGNUM *pA, *pB; - BIGNUM *ret = NULL; - int sign; - - if (in == NULL) - goto err; - R = in; - - BN_init(&local_A); - BN_init(&local_B); - - BN_CTX_start(ctx); - if ((A = BN_CTX_get(ctx)) == NULL) - goto err; - if ((B = BN_CTX_get(ctx)) == NULL) - goto err; - if ((X = BN_CTX_get(ctx)) == NULL) - goto err; - if ((D = BN_CTX_get(ctx)) == NULL) - goto err; - if ((M = BN_CTX_get(ctx)) == NULL) - goto err; - if ((Y = BN_CTX_get(ctx)) == NULL) - goto err; - if ((T = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_one(X)) - goto err; - BN_zero(Y); - if (!bn_copy(B, a)) - goto err; - if (!bn_copy(A, n)) - goto err; - A->neg = 0; - - if (B->neg || (BN_ucmp(B, A) >= 0)) { - /* - * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, - * BN_div_no_branch will be called eventually. - */ - pB = &local_B; - /* BN_init() done at the top of the function. */ - BN_with_flags(pB, B, BN_FLG_CONSTTIME); - if (!BN_nnmod(B, pB, A, ctx)) - goto err; - } - sign = -1; - /* From B = a mod |n|, A = |n| it follows that - * - * 0 <= B < A, - * -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|). - */ - - while (!BN_is_zero(B)) { - BIGNUM *tmp; - - /* - * 0 < B < A, - * (*) -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|) - */ - - /* - * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, - * BN_div_no_branch will be called eventually. - */ - pA = &local_A; - /* BN_init() done at the top of the function. */ - BN_with_flags(pA, A, BN_FLG_CONSTTIME); - - /* (D, M) := (A/B, A%B) ... */ - if (!BN_div_ct(D, M, pA, B, ctx)) - goto err; - - /* Now - * A = D*B + M; - * thus we have - * (**) sign*Y*a == D*B + M (mod |n|). - */ - tmp = A; /* keep the BIGNUM object, the value does not matter */ - - /* (A, B) := (B, A mod B) ... */ - A = B; - B = M; - /* ... so we have 0 <= B < A again */ - - /* Since the former M is now B and the former B is now A, - * (**) translates into - * sign*Y*a == D*A + B (mod |n|), - * i.e. - * sign*Y*a - D*A == B (mod |n|). - * Similarly, (*) translates into - * -sign*X*a == A (mod |n|). - * - * Thus, - * sign*Y*a + D*sign*X*a == B (mod |n|), - * i.e. - * sign*(Y + D*X)*a == B (mod |n|). - * - * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at - * -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|). - * Note that X and Y stay non-negative all the time. - */ - - if (!BN_mul(tmp, D, X, ctx)) - goto err; - if (!BN_add(tmp, tmp, Y)) - goto err; - - M = Y; /* keep the BIGNUM object, the value does not matter */ - Y = X; - X = tmp; - sign = -sign; - } - - /* - * The while loop (Euclid's algorithm) ends when - * A == gcd(a,n); - */ - - if (!bn_copy(R, A)) - goto err; - ret = R; - err: - if ((ret == NULL) && (in == NULL)) - BN_free(R); - BN_CTX_end(ctx); - return (ret); -} - -int -BN_gcd_ct(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) -{ - if (BN_gcd_no_branch(r, in_a, in_b, ctx) == NULL) - return 0; - return 1; -} - -/* BN_mod_inverse_no_branch is a special version of BN_mod_inverse. - * It does not contain branches that may leak sensitive information. - */ -static BIGNUM * -BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, - BN_CTX *ctx) -{ - BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; - BIGNUM local_A, local_B; - BIGNUM *pA, *pB; - BIGNUM *ret = NULL; - int sign; - - BN_init(&local_A); - BN_init(&local_B); - - BN_CTX_start(ctx); - if ((A = BN_CTX_get(ctx)) == NULL) - goto err; - if ((B = BN_CTX_get(ctx)) == NULL) - goto err; - if ((X = BN_CTX_get(ctx)) == NULL) - goto err; - if ((D = BN_CTX_get(ctx)) == NULL) - goto err; - if ((M = BN_CTX_get(ctx)) == NULL) - goto err; - if ((Y = BN_CTX_get(ctx)) == NULL) - goto err; - if ((T = BN_CTX_get(ctx)) == NULL) - goto err; - - if (in == NULL) - R = BN_new(); - else - R = in; - if (R == NULL) - goto err; - - if (!BN_one(X)) - goto err; - BN_zero(Y); - if (!bn_copy(B, a)) - goto err; - if (!bn_copy(A, n)) - goto err; - A->neg = 0; - - if (B->neg || (BN_ucmp(B, A) >= 0)) { - /* - * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, - * BN_div_no_branch will be called eventually. - */ - pB = &local_B; - /* BN_init() done at the top of the function. */ - BN_with_flags(pB, B, BN_FLG_CONSTTIME); - if (!BN_nnmod(B, pB, A, ctx)) - goto err; - } - sign = -1; - /* From B = a mod |n|, A = |n| it follows that - * - * 0 <= B < A, - * -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|). - */ - - while (!BN_is_zero(B)) { - BIGNUM *tmp; - - /* - * 0 < B < A, - * (*) -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|) - */ - - /* - * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, - * BN_div_no_branch will be called eventually. - */ - pA = &local_A; - /* BN_init() done at the top of the function. */ - BN_with_flags(pA, A, BN_FLG_CONSTTIME); - - /* (D, M) := (A/B, A%B) ... */ - if (!BN_div_ct(D, M, pA, B, ctx)) - goto err; - - /* Now - * A = D*B + M; - * thus we have - * (**) sign*Y*a == D*B + M (mod |n|). - */ - tmp = A; /* keep the BIGNUM object, the value does not matter */ - - /* (A, B) := (B, A mod B) ... */ - A = B; - B = M; - /* ... so we have 0 <= B < A again */ - - /* Since the former M is now B and the former B is now A, - * (**) translates into - * sign*Y*a == D*A + B (mod |n|), - * i.e. - * sign*Y*a - D*A == B (mod |n|). - * Similarly, (*) translates into - * -sign*X*a == A (mod |n|). - * - * Thus, - * sign*Y*a + D*sign*X*a == B (mod |n|), - * i.e. - * sign*(Y + D*X)*a == B (mod |n|). - * - * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at - * -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|). - * Note that X and Y stay non-negative all the time. - */ - - if (!BN_mul(tmp, D, X, ctx)) - goto err; - if (!BN_add(tmp, tmp, Y)) - goto err; - - M = Y; /* keep the BIGNUM object, the value does not matter */ - Y = X; - X = tmp; - sign = -sign; - } - - /* - * The while loop (Euclid's algorithm) ends when - * A == gcd(a,n); - * we have - * sign*Y*a == A (mod |n|), - * where Y is non-negative. - */ - - if (sign < 0) { - if (!BN_sub(Y, n, Y)) - goto err; - } - /* Now Y*a == A (mod |n|). */ - - if (!BN_is_one(A)) { - BNerror(BN_R_NO_INVERSE); - goto err; - } - - if (!BN_nnmod(Y, Y, n, ctx)) - goto err; - if (!bn_copy(R, Y)) - goto err; - - ret = R; - - err: - if ((ret == NULL) && (in == NULL)) - BN_free(R); - BN_CTX_end(ctx); - return (ret); -} - -/* solves ax == 1 (mod n) */ -static BIGNUM * -BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx, - int ct) -{ - BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; - BIGNUM *ret = NULL; - int sign; - - if (ct) - return BN_mod_inverse_no_branch(in, a, n, ctx); - - BN_CTX_start(ctx); - if ((A = BN_CTX_get(ctx)) == NULL) - goto err; - if ((B = BN_CTX_get(ctx)) == NULL) - goto err; - if ((X = BN_CTX_get(ctx)) == NULL) - goto err; - if ((D = BN_CTX_get(ctx)) == NULL) - goto err; - if ((M = BN_CTX_get(ctx)) == NULL) - goto err; - if ((Y = BN_CTX_get(ctx)) == NULL) - goto err; - if ((T = BN_CTX_get(ctx)) == NULL) - goto err; - - if (in == NULL) - R = BN_new(); - else - R = in; - if (R == NULL) - goto err; - - if (!BN_one(X)) - goto err; - BN_zero(Y); - if (!bn_copy(B, a)) - goto err; - if (!bn_copy(A, n)) - goto err; - A->neg = 0; - if (B->neg || (BN_ucmp(B, A) >= 0)) { - if (!BN_nnmod(B, B, A, ctx)) - goto err; - } - sign = -1; - /* From B = a mod |n|, A = |n| it follows that - * - * 0 <= B < A, - * -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|). - */ - - if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048))) { - /* Binary inversion algorithm; requires odd modulus. - * This is faster than the general algorithm if the modulus - * is sufficiently small (about 400 .. 500 bits on 32-bit - * systems, but much more on 64-bit systems) */ - int shift; - - while (!BN_is_zero(B)) { - /* - * 0 < B < |n|, - * 0 < A <= |n|, - * (1) -sign*X*a == B (mod |n|), - * (2) sign*Y*a == A (mod |n|) - */ - - /* Now divide B by the maximum possible power of two in the integers, - * and divide X by the same value mod |n|. - * When we're done, (1) still holds. */ - shift = 0; - while (!BN_is_bit_set(B, shift)) /* note that 0 < B */ - { - shift++; - - if (BN_is_odd(X)) { - if (!BN_uadd(X, X, n)) - goto err; - } - /* now X is even, so we can easily divide it by two */ - if (!BN_rshift1(X, X)) - goto err; - } - if (shift > 0) { - if (!BN_rshift(B, B, shift)) - goto err; - } - - /* Same for A and Y. Afterwards, (2) still holds. */ - shift = 0; - while (!BN_is_bit_set(A, shift)) /* note that 0 < A */ - { - shift++; - - if (BN_is_odd(Y)) { - if (!BN_uadd(Y, Y, n)) - goto err; - } - /* now Y is even */ - if (!BN_rshift1(Y, Y)) - goto err; - } - if (shift > 0) { - if (!BN_rshift(A, A, shift)) - goto err; - } - - /* We still have (1) and (2). - * Both A and B are odd. - * The following computations ensure that - * - * 0 <= B < |n|, - * 0 < A < |n|, - * (1) -sign*X*a == B (mod |n|), - * (2) sign*Y*a == A (mod |n|), - * - * and that either A or B is even in the next iteration. - */ - if (BN_ucmp(B, A) >= 0) { - /* -sign*(X + Y)*a == B - A (mod |n|) */ - if (!BN_uadd(X, X, Y)) - goto err; - /* NB: we could use BN_mod_add_quick(X, X, Y, n), but that - * actually makes the algorithm slower */ - if (!BN_usub(B, B, A)) - goto err; - } else { - /* sign*(X + Y)*a == A - B (mod |n|) */ - if (!BN_uadd(Y, Y, X)) - goto err; - /* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */ - if (!BN_usub(A, A, B)) - goto err; - } - } - } else { - /* general inversion algorithm */ - - while (!BN_is_zero(B)) { - BIGNUM *tmp; - - /* - * 0 < B < A, - * (*) -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|) - */ - - /* (D, M) := (A/B, A%B) ... */ - if (BN_num_bits(A) == BN_num_bits(B)) { - if (!BN_one(D)) - goto err; - if (!BN_sub(M, A, B)) - goto err; - } else if (BN_num_bits(A) == BN_num_bits(B) + 1) { - /* A/B is 1, 2, or 3 */ - if (!BN_lshift1(T, B)) - goto err; - if (BN_ucmp(A, T) < 0) { - /* A < 2*B, so D=1 */ - if (!BN_one(D)) - goto err; - if (!BN_sub(M, A, B)) - goto err; - } else { - /* A >= 2*B, so D=2 or D=3 */ - if (!BN_sub(M, A, T)) - goto err; - if (!BN_add(D,T,B)) goto err; /* use D (:= 3*B) as temp */ - if (BN_ucmp(A, D) < 0) { - /* A < 3*B, so D=2 */ - if (!BN_set_word(D, 2)) - goto err; - /* M (= A - 2*B) already has the correct value */ - } else { - /* only D=3 remains */ - if (!BN_set_word(D, 3)) - goto err; - /* currently M = A - 2*B, but we need M = A - 3*B */ - if (!BN_sub(M, M, B)) - goto err; - } - } - } else { - if (!BN_div_nonct(D, M, A, B, ctx)) - goto err; - } - - /* Now - * A = D*B + M; - * thus we have - * (**) sign*Y*a == D*B + M (mod |n|). - */ - tmp = A; /* keep the BIGNUM object, the value does not matter */ - - /* (A, B) := (B, A mod B) ... */ - A = B; - B = M; - /* ... so we have 0 <= B < A again */ - - /* Since the former M is now B and the former B is now A, - * (**) translates into - * sign*Y*a == D*A + B (mod |n|), - * i.e. - * sign*Y*a - D*A == B (mod |n|). - * Similarly, (*) translates into - * -sign*X*a == A (mod |n|). - * - * Thus, - * sign*Y*a + D*sign*X*a == B (mod |n|), - * i.e. - * sign*(Y + D*X)*a == B (mod |n|). - * - * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at - * -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|). - * Note that X and Y stay non-negative all the time. - */ - - /* most of the time D is very small, so we can optimize tmp := D*X+Y */ - if (BN_is_one(D)) { - if (!BN_add(tmp, X, Y)) - goto err; - } else { - if (BN_is_word(D, 2)) { - if (!BN_lshift1(tmp, X)) - goto err; - } else if (BN_is_word(D, 4)) { - if (!BN_lshift(tmp, X, 2)) - goto err; - } else if (D->top == 1) { - if (!bn_copy(tmp, X)) - goto err; - if (!BN_mul_word(tmp, D->d[0])) - goto err; - } else { - if (!BN_mul(tmp, D,X, ctx)) - goto err; - } - if (!BN_add(tmp, tmp, Y)) - goto err; - } - - M = Y; /* keep the BIGNUM object, the value does not matter */ - Y = X; - X = tmp; - sign = -sign; - } - } - - /* - * The while loop (Euclid's algorithm) ends when - * A == gcd(a,n); - * we have - * sign*Y*a == A (mod |n|), - * where Y is non-negative. - */ - - if (sign < 0) { - if (!BN_sub(Y, n, Y)) - goto err; - } - /* Now Y*a == A (mod |n|). */ - - if (!BN_is_one(A)) { - BNerror(BN_R_NO_INVERSE); - goto err; - } - - if (!BN_nnmod(Y, Y, n, ctx)) - goto err; - if (!bn_copy(R, Y)) - goto err; - - ret = R; - - err: - if ((ret == NULL) && (in == NULL)) - BN_free(R); - BN_CTX_end(ctx); - return (ret); -} - -BIGNUM * -BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) -{ - int ct = ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) || - (BN_get_flags(n, BN_FLG_CONSTTIME) != 0)); - return BN_mod_inverse_internal(in, a, n, ctx, ct); -} -LCRYPTO_ALIAS(BN_mod_inverse); - -BIGNUM * -BN_mod_inverse_nonct(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) -{ - return BN_mod_inverse_internal(in, a, n, ctx, 0); -} - -BIGNUM * -BN_mod_inverse_ct(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) -{ - return BN_mod_inverse_internal(in, a, n, ctx, 1); -} diff --git a/src/lib/libcrypto/bn/bn_internal.h b/src/lib/libcrypto/bn/bn_internal.h deleted file mode 100644 index fd04bc9f8a..0000000000 --- a/src/lib/libcrypto/bn/bn_internal.h +++ /dev/null @@ -1,568 +0,0 @@ -/* $OpenBSD: bn_internal.h,v 1.15 2023/06/25 11:42:26 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include "bn_arch.h" - -#ifndef HEADER_BN_INTERNAL_H -#define HEADER_BN_INTERNAL_H - -int bn_word_clz(BN_ULONG w); - -int bn_bitsize(const BIGNUM *bn); - -#ifndef HAVE_BN_CT_NE_ZERO -static inline int -bn_ct_ne_zero(BN_ULONG w) -{ - return (w | ~(w - 1)) >> (BN_BITS2 - 1); -} -#endif - -#ifndef HAVE_BN_CT_NE_ZERO_MASK -static inline BN_ULONG -bn_ct_ne_zero_mask(BN_ULONG w) -{ - return 0 - bn_ct_ne_zero(w); -} -#endif - -#ifndef HAVE_BN_CT_EQ_ZERO -static inline int -bn_ct_eq_zero(BN_ULONG w) -{ - return 1 - bn_ct_ne_zero(w); -} -#endif - -#ifndef HAVE_BN_CT_EQ_ZERO_MASK -static inline BN_ULONG -bn_ct_eq_zero_mask(BN_ULONG w) -{ - return 0 - bn_ct_eq_zero(w); -} -#endif - -#ifndef HAVE_BN_CLZW -static inline int -bn_clzw(BN_ULONG w) -{ - return bn_word_clz(w); -} -#endif - -/* - * Big number primitives are named as the operation followed by a suffix - * that indicates the number of words that it operates on, where 'w' means - * single word, 'dw' means double word, 'tw' means triple word and 'qw' means - * quadruple word. Unless otherwise noted, the size of the output is implied - * based on its inputs, for example bn_mulw() takes two single word inputs - * and is going to produce a double word result. - * - * Where a function implements multiple operations, these are listed in order. - * For example, a function that computes (r1:r0) = a * b + c is named - * bn_mulw_addw(), producing a double word result. - */ - -/* - * Default implementations for BN_ULLONG architectures. - * - * On these platforms the C compiler is generally better at optimising without - * the use of inline assembly primitives. However, it can be difficult for the - * compiler to see through primitives in order to combine operations, due to - * type changes/narrowing. For this reason compound primitives are usually - * explicitly provided. - */ -#ifdef BN_ULLONG - -#ifndef HAVE_BN_ADDW -#define HAVE_BN_ADDW -static inline void -bn_addw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULLONG r; - - r = (BN_ULLONG)a + (BN_ULLONG)b; - - *out_r1 = r >> BN_BITS2; - *out_r0 = r & BN_MASK2; -} -#endif - -#ifndef HAVE_BN_ADDW_ADDW -#define HAVE_BN_ADDW_ADDW -static inline void -bn_addw_addw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG *out_r1, - BN_ULONG *out_r0) -{ - BN_ULLONG r; - - r = (BN_ULLONG)a + (BN_ULLONG)b + (BN_ULLONG)c; - - *out_r1 = r >> BN_BITS2; - *out_r0 = r & BN_MASK2; -} -#endif - -#ifndef HAVE_BN_MULW -#define HAVE_BN_MULW -static inline void -bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULLONG r; - - r = (BN_ULLONG)a * (BN_ULLONG)b; - - *out_r1 = r >> BN_BITS2; - *out_r0 = r & BN_MASK2; -} -#endif - -#ifndef HAVE_BN_MULW_ADDW -#define HAVE_BN_MULW_ADDW -static inline void -bn_mulw_addw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG *out_r1, - BN_ULONG *out_r0) -{ - BN_ULLONG r; - - r = (BN_ULLONG)a * (BN_ULLONG)b + (BN_ULLONG)c; - - *out_r1 = r >> BN_BITS2; - *out_r0 = r & BN_MASK2; -} -#endif - -#ifndef HAVE_BN_MULW_ADDW_ADDW -#define HAVE_BN_MULW_ADDW_ADDW -static inline void -bn_mulw_addw_addw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG d, - BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULLONG r; - - r = (BN_ULLONG)a * (BN_ULLONG)b + (BN_ULLONG)c + (BN_ULLONG)d; - - *out_r1 = r >> BN_BITS2; - *out_r0 = r & BN_MASK2; -} -#endif - -#endif /* !BN_ULLONG */ - -/* - * bn_addw() computes (r1:r0) = a + b, where both inputs are single words, - * producing a double word result. The value of r1 is the carry from the - * addition. - */ -#ifndef HAVE_BN_ADDW -static inline void -bn_addw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r1, r0, c1, c2; - - c1 = a | b; - c2 = a & b; - r0 = a + b; - r1 = ((c1 & ~r0) | c2) >> (BN_BITS2 - 1); /* carry */ - - *out_r1 = r1; - *out_r0 = r0; -} -#endif - -/* - * bn_addw_addw() computes (r1:r0) = a + b + c, where all inputs are single - * words, producing a double word result. - */ -#ifndef HAVE_BN_ADDW_ADDW -static inline void -bn_addw_addw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG *out_r1, - BN_ULONG *out_r0) -{ - BN_ULONG carry, r1, r0; - - bn_addw(a, b, &r1, &r0); - bn_addw(r0, c, &carry, &r0); - r1 += carry; - - *out_r1 = r1; - *out_r0 = r0; -} -#endif - -/* - * bn_qwaddqw() computes - * (r4:r3:r2:r1:r0) = (a3:a2:a1:a0) + (b3:b2:b1:b0) + carry, where a is a quad word, - * b is a quad word, and carry is a single word with value 0 or 1, producing a four - * word result and carry. - */ -#ifndef HAVE_BN_QWADDQW -static inline void -bn_qwaddqw(BN_ULONG a3, BN_ULONG a2, BN_ULONG a1, BN_ULONG a0, BN_ULONG b3, - BN_ULONG b2, BN_ULONG b1, BN_ULONG b0, BN_ULONG carry, BN_ULONG *out_carry, - BN_ULONG *out_r3, BN_ULONG *out_r2, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r3, r2, r1, r0; - - bn_addw_addw(a0, b0, carry, &carry, &r0); - bn_addw_addw(a1, b1, carry, &carry, &r1); - bn_addw_addw(a2, b2, carry, &carry, &r2); - bn_addw_addw(a3, b3, carry, &carry, &r3); - - *out_carry = carry; - *out_r3 = r3; - *out_r2 = r2; - *out_r1 = r1; - *out_r0 = r0; -} -#endif - -/* - * bn_subw() computes r0 = a - b, where both inputs are single words, - * producing a single word result and borrow. - */ -#ifndef HAVE_BN_SUBW -static inline void -bn_subw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_borrow, BN_ULONG *out_r0) -{ - BN_ULONG borrow, r0; - - r0 = a - b; - borrow = ((r0 | (b & ~a)) & (b | ~a)) >> (BN_BITS2 - 1); - - *out_borrow = borrow; - *out_r0 = r0; -} -#endif - -/* - * bn_subw_subw() computes r0 = a - b - c, where all inputs are single words, - * producing a single word result and borrow. - */ -#ifndef HAVE_BN_SUBW_SUBW -static inline void -bn_subw_subw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG *out_borrow, - BN_ULONG *out_r0) -{ - BN_ULONG b1, b2, r0; - - bn_subw(a, b, &b1, &r0); - bn_subw(r0, c, &b2, &r0); - - *out_borrow = b1 + b2; - *out_r0 = r0; -} -#endif - -/* - * bn_qwsubqw() computes - * (r3:r2:r1:r0) = (a3:a2:a1:a0) - (b3:b2:b1:b0) - borrow, where a is a quad word, - * b is a quad word, and borrow is a single word with value 0 or 1, producing a - * four word result and borrow. - */ -#ifndef HAVE_BN_QWSUBQW -static inline void -bn_qwsubqw(BN_ULONG a3, BN_ULONG a2, BN_ULONG a1, BN_ULONG a0, BN_ULONG b3, - BN_ULONG b2, BN_ULONG b1, BN_ULONG b0, BN_ULONG borrow, BN_ULONG *out_borrow, - BN_ULONG *out_r3, BN_ULONG *out_r2, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r3, r2, r1, r0; - - bn_subw_subw(a0, b0, borrow, &borrow, &r0); - bn_subw_subw(a1, b1, borrow, &borrow, &r1); - bn_subw_subw(a2, b2, borrow, &borrow, &r2); - bn_subw_subw(a3, b3, borrow, &borrow, &r3); - - *out_borrow = borrow; - *out_r3 = r3; - *out_r2 = r2; - *out_r1 = r1; - *out_r0 = r0; -} -#endif - -/* - * bn_mulw() computes (r1:r0) = a * b, where both inputs are single words, - * producing a double word result. - */ -#ifndef HAVE_BN_MULW -/* - * Multiply two words (a * b) producing a double word result (h:l). - * - * This can be rewritten as: - * - * a * b = (hi32(a) * 2^32 + lo32(a)) * (hi32(b) * 2^32 + lo32(b)) - * = hi32(a) * hi32(b) * 2^64 + - * hi32(a) * lo32(b) * 2^32 + - * hi32(b) * lo32(a) * 2^32 + - * lo32(a) * lo32(b) - * - * The multiplication for each part of a and b can be calculated for each of - * these four terms without overflowing a BN_ULONG, as the maximum value of a - * 32 bit x 32 bit multiplication is 32 + 32 = 64 bits. Once these - * multiplications have been performed the result can be partitioned and summed - * into a double word (h:l). The same applies on a 32 bit system, substituting - * 16 for 32 and 32 for 64. - */ -#if 1 -static inline void -bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG a1, a0, b1, b0, r1, r0; - BN_ULONG carry, x; - - a1 = a >> BN_BITS4; - a0 = a & BN_MASK2l; - b1 = b >> BN_BITS4; - b0 = b & BN_MASK2l; - - r1 = a1 * b1; - r0 = a0 * b0; - - /* (a1 * b0) << BN_BITS4, partition the result across r1:r0 with carry. */ - x = a1 * b0; - r1 += x >> BN_BITS4; - bn_addw(r0, x << BN_BITS4, &carry, &r0); - r1 += carry; - - /* (b1 * a0) << BN_BITS4, partition the result across r1:r0 with carry. */ - x = b1 * a0; - r1 += x >> BN_BITS4; - bn_addw(r0, x << BN_BITS4, &carry, &r0); - r1 += carry; - - *out_r1 = r1; - *out_r0 = r0; -} -#else - -/* - * XXX - this accumulator based version uses fewer instructions, however - * requires more variables/registers. It seems to be slower on at least amd64 - * and i386, however may be faster on other architectures that have more - * registers available. Further testing is required and one of the two - * implementations should eventually be removed. - */ -static inline void -bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG a1, a0, b1, b0, r1, r0, x; - BN_ULONG acc0, acc1, acc2, acc3; - - a1 = a >> BN_BITS4; - b1 = b >> BN_BITS4; - a0 = a & BN_MASK2l; - b0 = b & BN_MASK2l; - - r1 = a1 * b1; - r0 = a0 * b0; - - acc0 = r0 & BN_MASK2l; - acc1 = r0 >> BN_BITS4; - acc2 = r1 & BN_MASK2l; - acc3 = r1 >> BN_BITS4; - - /* (a1 * b0) << BN_BITS4, partition the result across r1:r0. */ - x = a1 * b0; - acc1 += x & BN_MASK2l; - acc2 += (acc1 >> BN_BITS4) + (x >> BN_BITS4); - acc1 &= BN_MASK2l; - acc3 += acc2 >> BN_BITS4; - acc2 &= BN_MASK2l; - - /* (b1 * a0) << BN_BITS4, partition the result across r1:r0. */ - x = b1 * a0; - acc1 += x & BN_MASK2l; - acc2 += (acc1 >> BN_BITS4) + (x >> BN_BITS4); - acc1 &= BN_MASK2l; - acc3 += acc2 >> BN_BITS4; - acc2 &= BN_MASK2l; - - *out_r1 = (acc3 << BN_BITS4) | acc2; - *out_r0 = (acc1 << BN_BITS4) | acc0; -} -#endif -#endif - -#ifndef HAVE_BN_MULW_LO -static inline BN_ULONG -bn_mulw_lo(BN_ULONG a, BN_ULONG b) -{ - return a * b; -} -#endif - -#ifndef HAVE_BN_MULW_HI -static inline BN_ULONG -bn_mulw_hi(BN_ULONG a, BN_ULONG b) -{ - BN_ULONG h, l; - - bn_mulw(a, b, &h, &l); - - return h; -} -#endif - -/* - * bn_mulw_addw() computes (r1:r0) = a * b + c with all inputs being single - * words, producing a double word result. - */ -#ifndef HAVE_BN_MULW_ADDW -static inline void -bn_mulw_addw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG *out_r1, - BN_ULONG *out_r0) -{ - BN_ULONG carry, r1, r0; - - bn_mulw(a, b, &r1, &r0); - bn_addw(r0, c, &carry, &r0); - r1 += carry; - - *out_r1 = r1; - *out_r0 = r0; -} -#endif - -/* - * bn_mulw_addw_addw() computes (r1:r0) = a * b + c + d with all inputs being - * single words, producing a double word result. - */ -#ifndef HAVE_BN_MULW_ADDW_ADDW -static inline void -bn_mulw_addw_addw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG d, - BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG carry, r1, r0; - - bn_mulw_addw(a, b, c, &r1, &r0); - bn_addw(r0, d, &carry, &r0); - r1 += carry; - - *out_r1 = r1; - *out_r0 = r0; -} -#endif - -/* - * bn_mulw_addtw() computes (r2:r1:r0) = a * b + (c2:c1:c0), where a and b are - * single words and (c2:c1:c0) is a triple word, producing a triple word result. - * The caller must ensure that the inputs provided do not result in c2 - * overflowing. - */ -#ifndef HAVE_BN_MULW_ADDTW -static inline void -bn_mulw_addtw(BN_ULONG a, BN_ULONG b, BN_ULONG c2, BN_ULONG c1, BN_ULONG c0, - BN_ULONG *out_r2, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG carry, r2, r1, r0, x1; - - bn_mulw_addw(a, b, c0, &x1, &r0); - bn_addw(c1, x1, &carry, &r1); - r2 = c2 + carry; - - *out_r2 = r2; - *out_r1 = r1; - *out_r0 = r0; -} -#endif - -/* - * bn_mul2_mulw_addtw() computes (r2:r1:r0) = 2 * a * b + (c2:c1:c0), where a - * and b are single words and (c2:c1:c0) is a triple word, producing a triple - * word result. The caller must ensure that the inputs provided do not result - * in c2 overflowing. - */ -#ifndef HAVE_BN_MUL2_MULW_ADDTW -static inline void -bn_mul2_mulw_addtw(BN_ULONG a, BN_ULONG b, BN_ULONG c2, BN_ULONG c1, BN_ULONG c0, - BN_ULONG *out_r2, BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r2, r1, r0, x1, x0; - BN_ULONG carry; - - bn_mulw(a, b, &x1, &x0); - bn_addw(c0, x0, &carry, &r0); - bn_addw(c1, x1 + carry, &r2, &r1); - bn_addw(c2, r2, &carry, &r2); - bn_addw(r0, x0, &carry, &r0); - bn_addw(r1, x1 + carry, &carry, &r1); - r2 += carry; - - *out_r2 = r2; - *out_r1 = r1; - *out_r0 = r0; -} -#endif - -/* - * bn_qwmulw_addw() computes (r4:r3:r2:r1:r0) = (a3:a2:a1:a0) * b + c, where a - * is a quad word, b is a single word and c is a single word, producing a five - * word result. - */ -#ifndef HAVE_BN_QWMULW_ADDW -static inline void -bn_qwmulw_addw(BN_ULONG a3, BN_ULONG a2, BN_ULONG a1, BN_ULONG a0, BN_ULONG b, - BN_ULONG c, BN_ULONG *out_r4, BN_ULONG *out_r3, BN_ULONG *out_r2, - BN_ULONG *out_r1, BN_ULONG *out_r0) -{ - BN_ULONG r3, r2, r1, r0; - - bn_mulw_addw(a0, b, c, &c, &r0); - bn_mulw_addw(a1, b, c, &c, &r1); - bn_mulw_addw(a2, b, c, &c, &r2); - bn_mulw_addw(a3, b, c, &c, &r3); - - *out_r4 = c; - *out_r3 = r3; - *out_r2 = r2; - *out_r1 = r1; - *out_r0 = r0; -} -#endif - -/* - * bn_qwmulw_addqw_addw() computes - * (r4:r3:r2:r1:r0) = (a3:a2:a1:a0) * b + (c3:c2:c1:c0) + d, where a - * is a quad word, b is a single word, c is a quad word, and d is a single word, - * producing a five word result. - */ -#ifndef HAVE_BN_QWMULW_ADDQW_ADDW -static inline void -bn_qwmulw_addqw_addw(BN_ULONG a3, BN_ULONG a2, BN_ULONG a1, BN_ULONG a0, - BN_ULONG b, BN_ULONG c3, BN_ULONG c2, BN_ULONG c1, BN_ULONG c0, BN_ULONG d, - BN_ULONG *out_r4, BN_ULONG *out_r3, BN_ULONG *out_r2, BN_ULONG *out_r1, - BN_ULONG *out_r0) -{ - BN_ULONG r3, r2, r1, r0; - - bn_mulw_addw_addw(a0, b, c0, d, &d, &r0); - bn_mulw_addw_addw(a1, b, c1, d, &d, &r1); - bn_mulw_addw_addw(a2, b, c2, d, &d, &r2); - bn_mulw_addw_addw(a3, b, c3, d, &d, &r3); - - *out_r4 = d; - *out_r3 = r3; - *out_r2 = r2; - *out_r1 = r1; - *out_r0 = r0; -} -#endif - -#endif diff --git a/src/lib/libcrypto/bn/bn_isqrt.c b/src/lib/libcrypto/bn/bn_isqrt.c deleted file mode 100644 index 018d5f34bd..0000000000 --- a/src/lib/libcrypto/bn/bn_isqrt.c +++ /dev/null @@ -1,234 +0,0 @@ -/* $OpenBSD: bn_isqrt.c,v 1.10 2023/06/04 17:28:35 tb Exp $ */ -/* - * Copyright (c) 2022 Theo Buehler - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include - -#include "bn_local.h" -#include "crypto_internal.h" - -/* - * Calculate integer square root of |n| using a variant of Newton's method. - * - * Returns the integer square root of |n| in the caller-provided |out_sqrt|; - * |*out_perfect| is set to 1 if and only if |n| is a perfect square. - * One of |out_sqrt| and |out_perfect| can be NULL; |in_ctx| can be NULL. - * - * Returns 0 on error, 1 on success. - * - * Adapted from pure Python describing cpython's math.isqrt(), without bothering - * with any of the optimizations in the C code. A correctness proof is here: - * https://github.com/mdickinson/snippets/blob/master/proofs/isqrt/src/isqrt.lean - * The comments in the Python code also give a rather detailed proof. - */ - -int -bn_isqrt(BIGNUM *out_sqrt, int *out_perfect, const BIGNUM *n, BN_CTX *in_ctx) -{ - BN_CTX *ctx = NULL; - BIGNUM *a, *b; - int c, d, e, s; - int cmp, perfect; - int ret = 0; - - if (out_perfect == NULL && out_sqrt == NULL) { - BNerror(ERR_R_PASSED_NULL_PARAMETER); - goto err; - } - - if (BN_is_negative(n)) { - BNerror(BN_R_INVALID_RANGE); - goto err; - } - - if ((ctx = in_ctx) == NULL) - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; - - BN_CTX_start(ctx); - - if ((a = BN_CTX_get(ctx)) == NULL) - goto err; - if ((b = BN_CTX_get(ctx)) == NULL) - goto err; - - if (BN_is_zero(n)) { - perfect = 1; - BN_zero(a); - goto done; - } - - if (!BN_one(a)) - goto err; - - c = (BN_num_bits(n) - 1) / 2; - d = 0; - - /* Calculate s = floor(log(c)). */ - if (!BN_set_word(b, c)) - goto err; - s = BN_num_bits(b) - 1; - - /* - * By definition, the loop below is run <= floor(log(log(n))) times. - * Comments in the cpython code establish the loop invariant that - * - * (a - 1)^2 < n / 4^(c - d) < (a + 1)^2 - * - * holds true in every iteration. Once this is proved via induction, - * correctness of the algorithm is easy. - * - * Roughly speaking, A = (a << (d - e)) is used for one Newton step - * "a = (A >> 1) + (m >> 1) / A" approximating m = (n >> 2 * (c - d)). - */ - - for (; s >= 0; s--) { - e = d; - d = c >> s; - - if (!BN_rshift(b, n, 2 * c - d - e + 1)) - goto err; - - if (!BN_div_ct(b, NULL, b, a, ctx)) - goto err; - - if (!BN_lshift(a, a, d - e - 1)) - goto err; - - if (!BN_add(a, a, b)) - goto err; - } - - /* - * The loop invariant implies that either a or a - 1 is isqrt(n). - * Figure out which one it is. The invariant also implies that for - * a perfect square n, a must be the square root. - */ - - if (!BN_sqr(b, a, ctx)) - goto err; - - /* If a^2 > n, we must have isqrt(n) == a - 1. */ - if ((cmp = BN_cmp(b, n)) > 0) { - if (!BN_sub_word(a, 1)) - goto err; - } - - perfect = cmp == 0; - - done: - if (out_perfect != NULL) - *out_perfect = perfect; - - if (out_sqrt != NULL) { - if (!bn_copy(out_sqrt, a)) - goto err; - } - - ret = 1; - - err: - BN_CTX_end(ctx); - - if (ctx != in_ctx) - BN_CTX_free(ctx); - - return ret; -} - -/* - * is_square_mod_N[r % N] indicates whether r % N has a square root modulo N. - * The tables are generated in regress/lib/libcrypto/bn/bn_isqrt.c. - */ - -const uint8_t is_square_mod_11[] = { - 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, -}; -CTASSERT(sizeof(is_square_mod_11) == 11); - -const uint8_t is_square_mod_63[] = { - 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, - 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, - 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, - 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, -}; -CTASSERT(sizeof(is_square_mod_63) == 63); - -const uint8_t is_square_mod_64[] = { - 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, - 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, -}; -CTASSERT(sizeof(is_square_mod_64) == 64); - -const uint8_t is_square_mod_65[] = { - 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, - 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, - 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0, - 1, -}; -CTASSERT(sizeof(is_square_mod_65) == 65); - -/* - * Determine whether n is a perfect square or not. - * - * Returns 1 on success and 0 on error. In case of success, |*out_perfect| is - * set to 1 if and only if |n| is a perfect square. - */ - -int -bn_is_perfect_square(int *out_perfect, const BIGNUM *n, BN_CTX *ctx) -{ - BN_ULONG r; - - *out_perfect = 0; - - if (BN_is_negative(n)) - return 1; - - /* - * Before performing an expensive bn_isqrt() operation, weed out many - * obvious non-squares. See H. Cohen, "A course in computational - * algebraic number theory", Algorithm 1.7.3. - * - * The idea is that a square remains a square when reduced modulo any - * number. The moduli are chosen in such a way that a non-square has - * probability < 1% of passing the four table lookups. - */ - - /* n % 64 */ - r = BN_lsw(n) & 0x3f; - - if (!is_square_mod_64[r % 64]) - return 1; - - if ((r = BN_mod_word(n, 11 * 63 * 65)) == (BN_ULONG)-1) - return 0; - - if (!is_square_mod_63[r % 63] || - !is_square_mod_65[r % 65] || - !is_square_mod_11[r % 11]) - return 1; - - return bn_isqrt(NULL, out_perfect, n, ctx); -} diff --git a/src/lib/libcrypto/bn/bn_kron.c b/src/lib/libcrypto/bn/bn_kron.c deleted file mode 100644 index a170d688e9..0000000000 --- a/src/lib/libcrypto/bn/bn_kron.c +++ /dev/null @@ -1,195 +0,0 @@ -/* $OpenBSD: bn_kron.c,v 1.15 2023/07/08 12:21:58 beck Exp $ */ -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include "bn_local.h" - -/* - * Kronecker symbol, implemented according to Henri Cohen, "A Course in - * Computational Algebraic Number Theory", Algorithm 1.4.10. - * - * Returns -1, 0, or 1 on success and -2 on error. - */ - -int -BN_kronecker(const BIGNUM *A, const BIGNUM *B, BN_CTX *ctx) -{ - /* tab[BN_lsw(n) & 7] = (-1)^((n^2 - 1)) / 8) for odd values of n. */ - static const int tab[8] = {0, 1, 0, -1, 0, -1, 0, 1}; - BIGNUM *a, *b, *tmp; - int k, v; - int ret = -2; - - BN_CTX_start(ctx); - - if ((a = BN_CTX_get(ctx)) == NULL) - goto end; - if ((b = BN_CTX_get(ctx)) == NULL) - goto end; - - if (!bn_copy(a, A)) - goto end; - if (!bn_copy(b, B)) - goto end; - - /* - * Cohen's step 1: - */ - - /* If b is zero, output 1 if |a| is 1, otherwise output 0. */ - if (BN_is_zero(b)) { - ret = BN_abs_is_word(a, 1); - goto end; - } - - /* - * Cohen's step 2: - */ - - /* If both are even, they have a factor in common, so output 0. */ - if (!BN_is_odd(a) && !BN_is_odd(b)) { - ret = 0; - goto end; - } - - /* Factorize b = 2^v * u with odd u and replace b with u. */ - v = 0; - while (!BN_is_bit_set(b, v)) - v++; - if (!BN_rshift(b, b, v)) - goto end; - - /* If v is even set k = 1, otherwise set it to (-1)^((a^2 - 1) / 8). */ - k = 1; - if (v % 2 != 0) - k = tab[BN_lsw(a) & 7]; - - /* - * If b is negative, replace it with -b and if a is also negative - * replace k with -k. - */ - if (BN_is_negative(b)) { - BN_set_negative(b, 0); - - if (BN_is_negative(a)) - k = -k; - } - - /* - * Now b is positive and odd, so compute the Jacobi symbol (a/b) - * and multiply it by k. - */ - - while (1) { - /* - * Cohen's step 3: - */ - - /* b is positive and odd. */ - - /* If a is zero output k if b is one, otherwise output 0. */ - if (BN_is_zero(a)) { - ret = BN_is_one(b) ? k : 0; - goto end; - } - - /* Factorize a = 2^v * u with odd u and replace a with u. */ - v = 0; - while (!BN_is_bit_set(a, v)) - v++; - if (!BN_rshift(a, a, v)) - goto end; - - /* If v is odd, multiply k with (-1)^((b^2 - 1) / 8). */ - if (v % 2 != 0) - k *= tab[BN_lsw(b) & 7]; - - /* - * Cohen's step 4: - */ - - /* - * Apply the reciprocity law: multiply k by (-1)^((a-1)(b-1)/4). - * - * This expression is -1 if and only if a and b are 3 (mod 4). - * In turn, this is the case if and only if their two's - * complement representations have the second bit set. - * a could be negative in the first iteration, b is positive. - */ - if ((BN_is_negative(a) ? ~BN_lsw(a) : BN_lsw(a)) & BN_lsw(b) & 2) - k = -k; - - /* - * (a, b) := (b mod |a|, |a|) - * - * Once this is done, we know that 0 < a < b at the start of the - * loop. Since b is strictly decreasing, the loop terminates. - */ - - if (!BN_nnmod(b, b, a, ctx)) - goto end; - - tmp = a; - a = b; - b = tmp; - - BN_set_negative(b, 0); - } - - end: - BN_CTX_end(ctx); - - return ret; -} -LCRYPTO_ALIAS(BN_kronecker); diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c deleted file mode 100644 index 72b988650c..0000000000 --- a/src/lib/libcrypto/bn/bn_lib.c +++ /dev/null @@ -1,752 +0,0 @@ -/* $OpenBSD: bn_lib.c,v 1.93 2024/04/16 13:07:14 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include -#include -#include -#include - -#include - -#include - -#include "bn_local.h" -#include "bn_internal.h" - -BIGNUM * -BN_new(void) -{ - BIGNUM *bn; - - if ((bn = calloc(1, sizeof(BIGNUM))) == NULL) { - BNerror(ERR_R_MALLOC_FAILURE); - return NULL; - } - bn->flags = BN_FLG_MALLOCED; - - return bn; -} -LCRYPTO_ALIAS(BN_new); - -void -BN_init(BIGNUM *a) -{ - memset(a, 0, sizeof(BIGNUM)); -} - -void -BN_clear(BIGNUM *a) -{ - if (a->d != NULL) - explicit_bzero(a->d, a->dmax * sizeof(a->d[0])); - a->top = 0; - a->neg = 0; -} -LCRYPTO_ALIAS(BN_clear); - -void -BN_free(BIGNUM *bn) -{ - if (bn == NULL) - return; - - if (!BN_get_flags(bn, BN_FLG_STATIC_DATA)) - freezero(bn->d, bn->dmax * sizeof(bn->d[0])); - - if (!BN_get_flags(bn, BN_FLG_MALLOCED)) { - explicit_bzero(bn, sizeof(*bn)); - return; - } - - freezero(bn, sizeof(*bn)); -} -LCRYPTO_ALIAS(BN_free); - -void -BN_clear_free(BIGNUM *bn) -{ - BN_free(bn); -} -LCRYPTO_ALIAS(BN_clear_free); - -void -BN_set_flags(BIGNUM *b, int n) -{ - b->flags |= n; -} -LCRYPTO_ALIAS(BN_set_flags); - -int -BN_get_flags(const BIGNUM *b, int n) -{ - return b->flags & n; -} -LCRYPTO_ALIAS(BN_get_flags); - -void -BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags) -{ - int dest_flags; - - dest_flags = (dest->flags & BN_FLG_MALLOCED) | - (b->flags & ~BN_FLG_MALLOCED) | BN_FLG_STATIC_DATA | flags; - - *dest = *b; - dest->flags = dest_flags; -} -LCRYPTO_ALIAS(BN_with_flags); - -static const BN_ULONG bn_value_one_data = 1; -static const BIGNUM bn_value_one = { - .d = (BN_ULONG *)&bn_value_one_data, - .top = 1, - .dmax = 1, - .neg = 0, - .flags = BN_FLG_STATIC_DATA, -}; - -const BIGNUM * -BN_value_one(void) -{ - return &bn_value_one; -} -LCRYPTO_ALIAS(BN_value_one); - -int -BN_num_bits_word(BN_ULONG w) -{ - return BN_BITS2 - bn_clzw(w); -} -LCRYPTO_ALIAS(BN_num_bits_word); - -int -BN_num_bits(const BIGNUM *bn) -{ - return bn_bitsize(bn); -} -LCRYPTO_ALIAS(BN_num_bits); - -void -bn_correct_top(BIGNUM *a) -{ - while (a->top > 0 && a->d[a->top - 1] == 0) - a->top--; -} - -static int -bn_expand_internal(BIGNUM *bn, int words) -{ - BN_ULONG *d; - - if (words < 0) { - BNerror(BN_R_BIGNUM_TOO_LONG); // XXX - return 0; - } - - if (words > INT_MAX / (4 * BN_BITS2)) { - BNerror(BN_R_BIGNUM_TOO_LONG); - return 0; - } - if (BN_get_flags(bn, BN_FLG_STATIC_DATA)) { - BNerror(BN_R_EXPAND_ON_STATIC_BIGNUM_DATA); - return 0; - } - - d = recallocarray(bn->d, bn->dmax, words, sizeof(BN_ULONG)); - if (d == NULL) { - BNerror(ERR_R_MALLOC_FAILURE); - return 0; - } - bn->d = d; - bn->dmax = words; - - return 1; -} - -int -bn_expand_bits(BIGNUM *bn, size_t bits) -{ - int words; - - if (bits > (INT_MAX - BN_BITS2 + 1)) - return 0; - - words = (bits + BN_BITS2 - 1) / BN_BITS2; - - return bn_wexpand(bn, words); -} - -int -bn_expand_bytes(BIGNUM *bn, size_t bytes) -{ - int words; - - if (bytes > (INT_MAX - BN_BYTES + 1)) - return 0; - - words = (bytes + BN_BYTES - 1) / BN_BYTES; - - return bn_wexpand(bn, words); -} - -int -bn_wexpand(BIGNUM *bn, int words) -{ - if (words < 0) - return 0; - - if (words <= bn->dmax) - return 1; - - return bn_expand_internal(bn, words); -} - -BIGNUM * -BN_dup(const BIGNUM *a) -{ - BIGNUM *t; - - if (a == NULL) - return NULL; - - t = BN_new(); - if (t == NULL) - return NULL; - if (!bn_copy(t, a)) { - BN_free(t); - return NULL; - } - return t; -} -LCRYPTO_ALIAS(BN_dup); - -static inline void -bn_copy_words(BN_ULONG *ap, const BN_ULONG *bp, int n) -{ - while (n > 0) { - ap[0] = bp[0]; - ap++; - bp++; - n--; - } -} - -BIGNUM * -BN_copy(BIGNUM *a, const BIGNUM *b) -{ - if (a == b) - return (a); - - if (!bn_wexpand(a, b->top)) - return (NULL); - - bn_copy_words(a->d, b->d, b->top); - - /* Copy constant time flag from b, but make it sticky on a. */ - a->flags |= b->flags & BN_FLG_CONSTTIME; - - a->top = b->top; - a->neg = b->neg; - - return (a); -} -LCRYPTO_ALIAS(BN_copy); - -int -bn_copy(BIGNUM *dst, const BIGNUM *src) -{ - return BN_copy(dst, src) != NULL; -} - -void -BN_swap(BIGNUM *a, BIGNUM *b) -{ - int flags_old_a, flags_old_b; - BN_ULONG *tmp_d; - int tmp_top, tmp_dmax, tmp_neg; - - - flags_old_a = a->flags; - flags_old_b = b->flags; - - tmp_d = a->d; - tmp_top = a->top; - tmp_dmax = a->dmax; - tmp_neg = a->neg; - - a->d = b->d; - a->top = b->top; - a->dmax = b->dmax; - a->neg = b->neg; - - b->d = tmp_d; - b->top = tmp_top; - b->dmax = tmp_dmax; - b->neg = tmp_neg; - - a->flags = (flags_old_a & BN_FLG_MALLOCED) | - (flags_old_b & BN_FLG_STATIC_DATA); - b->flags = (flags_old_b & BN_FLG_MALLOCED) | - (flags_old_a & BN_FLG_STATIC_DATA); -} -LCRYPTO_ALIAS(BN_swap); - -BN_ULONG -BN_get_word(const BIGNUM *a) -{ - if (a->top > 1) - return BN_MASK2; - else if (a->top == 1) - return a->d[0]; - /* a->top == 0 */ - return 0; -} -LCRYPTO_ALIAS(BN_get_word); - -int -BN_set_word(BIGNUM *a, BN_ULONG w) -{ - if (!bn_wexpand(a, 1)) - return (0); - a->neg = 0; - a->d[0] = w; - a->top = (w ? 1 : 0); - return (1); -} -LCRYPTO_ALIAS(BN_set_word); - -int -BN_ucmp(const BIGNUM *a, const BIGNUM *b) -{ - int i; - - if (a->top < b->top) - return -1; - if (a->top > b->top) - return 1; - - for (i = a->top - 1; i >= 0; i--) { - if (a->d[i] != b->d[i]) - return (a->d[i] > b->d[i] ? 1 : -1); - } - - return 0; -} -LCRYPTO_ALIAS(BN_ucmp); - -int -BN_cmp(const BIGNUM *a, const BIGNUM *b) -{ - if (a == NULL || b == NULL) { - if (a != NULL) - return -1; - if (b != NULL) - return 1; - return 0; - } - - if (a->neg != b->neg) - return b->neg - a->neg; - - if (a->neg) - return BN_ucmp(b, a); - - return BN_ucmp(a, b); -} -LCRYPTO_ALIAS(BN_cmp); - -int -BN_set_bit(BIGNUM *a, int n) -{ - int i, j, k; - - if (n < 0) - return 0; - - i = n / BN_BITS2; - j = n % BN_BITS2; - if (a->top <= i) { - if (!bn_wexpand(a, i + 1)) - return (0); - for (k = a->top; k < i + 1; k++) - a->d[k] = 0; - a->top = i + 1; - } - - a->d[i] |= (((BN_ULONG)1) << j); - return (1); -} -LCRYPTO_ALIAS(BN_set_bit); - -int -BN_clear_bit(BIGNUM *a, int n) -{ - int i, j; - - if (n < 0) - return 0; - - i = n / BN_BITS2; - j = n % BN_BITS2; - if (a->top <= i) - return (0); - - a->d[i] &= (~(((BN_ULONG)1) << j)); - bn_correct_top(a); - - BN_set_negative(a, a->neg); - - return (1); -} -LCRYPTO_ALIAS(BN_clear_bit); - -int -BN_is_bit_set(const BIGNUM *a, int n) -{ - int i, j; - - if (n < 0) - return 0; - i = n / BN_BITS2; - j = n % BN_BITS2; - if (a->top <= i) - return 0; - return (int)(((a->d[i]) >> j) & ((BN_ULONG)1)); -} -LCRYPTO_ALIAS(BN_is_bit_set); - -int -BN_mask_bits(BIGNUM *a, int n) -{ - int b, w; - - if (n < 0) - return 0; - - w = n / BN_BITS2; - b = n % BN_BITS2; - if (w >= a->top) - return 0; - if (b == 0) - a->top = w; - else { - a->top = w + 1; - a->d[w] &= ~(BN_MASK2 << b); - } - bn_correct_top(a); - - BN_set_negative(a, a->neg); - - return (1); -} -LCRYPTO_ALIAS(BN_mask_bits); - -void -BN_set_negative(BIGNUM *bn, int neg) -{ - bn->neg = ~BN_is_zero(bn) & bn_ct_ne_zero(neg); -} -LCRYPTO_ALIAS(BN_set_negative); - -/* - * Constant-time conditional swap of a and b. - * a and b are swapped if condition is not 0. - * The code assumes that at most one bit of condition is set. - * nwords is the number of words to swap. - * The code assumes that at least nwords are allocated in both a and b, - * and that no more than nwords are used by either a or b. - * a and b cannot be the same number - */ -void -BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) -{ - BN_ULONG t; - int i; - - assert(a != b); - assert((condition & (condition - 1)) == 0); - assert(sizeof(BN_ULONG) >= sizeof(int)); - - condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1; - - t = (a->top^b->top) & condition; - a->top ^= t; - b->top ^= t; - -#define BN_CONSTTIME_SWAP(ind) \ - do { \ - t = (a->d[ind] ^ b->d[ind]) & condition; \ - a->d[ind] ^= t; \ - b->d[ind] ^= t; \ - } while (0) - - - switch (nwords) { - default: - for (i = 10; i < nwords; i++) - BN_CONSTTIME_SWAP(i); - /* Fallthrough */ - case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */ - case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */ - case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */ - case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */ - case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */ - case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */ - case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */ - case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */ - case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */ - case 1: - BN_CONSTTIME_SWAP(0); - } -#undef BN_CONSTTIME_SWAP -} -LCRYPTO_ALIAS(BN_consttime_swap); - -/* - * Constant-time conditional swap of a and b. - * a and b are swapped if condition is not 0. - * nwords is the number of words to swap. - */ -int -BN_swap_ct(BN_ULONG condition, BIGNUM *a, BIGNUM *b, size_t nwords) -{ - BN_ULONG t; - int i, words; - - if (a == b) - return 1; - if (nwords > INT_MAX) - return 0; - words = (int)nwords; - if (!bn_wexpand(a, words) || !bn_wexpand(b, words)) - return 0; - if (a->top > words || b->top > words) { - BNerror(BN_R_INVALID_LENGTH); - return 0; - } - - /* Set condition to 0 (if it was zero) or all 1s otherwise. */ - condition = ((~condition & (condition - 1)) >> (BN_BITS2 - 1)) - 1; - - /* swap top field */ - t = (a->top ^ b->top) & condition; - a->top ^= t; - b->top ^= t; - - /* swap neg field */ - t = (a->neg ^ b->neg) & condition; - a->neg ^= t; - b->neg ^= t; - - /* swap BN_FLG_CONSTTIME from flag field */ - t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; - a->flags ^= t; - b->flags ^= t; - - /* swap the data */ - for (i = 0; i < words; i++) { - t = (a->d[i] ^ b->d[i]) & condition; - a->d[i] ^= t; - b->d[i] ^= t; - } - - return 1; -} - -void -BN_zero(BIGNUM *a) -{ - a->neg = 0; - a->top = 0; -} -LCRYPTO_ALIAS(BN_zero); - -int -BN_one(BIGNUM *a) -{ - return BN_set_word(a, 1); -} -LCRYPTO_ALIAS(BN_one); - -int -BN_abs_is_word(const BIGNUM *a, const BN_ULONG w) -{ - return (a->top == 1 && a->d[0] == w) || (w == 0 && a->top == 0); -} -LCRYPTO_ALIAS(BN_abs_is_word); - -int -BN_is_zero(const BIGNUM *bn) -{ - BN_ULONG bits = 0; - int i; - - for (i = 0; i < bn->top; i++) - bits |= bn->d[i]; - - return bits == 0; -} -LCRYPTO_ALIAS(BN_is_zero); - -int -BN_is_one(const BIGNUM *a) -{ - return BN_abs_is_word(a, 1) && !a->neg; -} -LCRYPTO_ALIAS(BN_is_one); - -int -BN_is_word(const BIGNUM *a, const BN_ULONG w) -{ - return BN_abs_is_word(a, w) && (w == 0 || !a->neg); -} -LCRYPTO_ALIAS(BN_is_word); - -int -BN_is_odd(const BIGNUM *a) -{ - return a->top > 0 && (a->d[0] & 1); -} -LCRYPTO_ALIAS(BN_is_odd); - -int -BN_is_negative(const BIGNUM *a) -{ - return a->neg != 0; -} -LCRYPTO_ALIAS(BN_is_negative); - -/* - * Bits of security, see SP800-57, section 5.6.11, table 2. - */ -int -BN_security_bits(int L, int N) -{ - int secbits, bits; - - if (L >= 15360) - secbits = 256; - else if (L >= 7680) - secbits = 192; - else if (L >= 3072) - secbits = 128; - else if (L >= 2048) - secbits = 112; - else if (L >= 1024) - secbits = 80; - else - return 0; - - if (N == -1) - return secbits; - - bits = N / 2; - if (bits < 80) - return 0; - - return bits >= secbits ? secbits : bits; -} -LCRYPTO_ALIAS(BN_security_bits); - -BN_GENCB * -BN_GENCB_new(void) -{ - BN_GENCB *cb; - - if ((cb = calloc(1, sizeof(*cb))) == NULL) - return NULL; - - return cb; -} -LCRYPTO_ALIAS(BN_GENCB_new); - -void -BN_GENCB_free(BN_GENCB *cb) -{ - if (cb == NULL) - return; - free(cb); -} -LCRYPTO_ALIAS(BN_GENCB_free); - -/* Populate a BN_GENCB structure with an "old"-style callback */ -void -BN_GENCB_set_old(BN_GENCB *gencb, void (*cb)(int, int, void *), void *cb_arg) -{ - gencb->ver = 1; - gencb->cb.cb_1 = cb; - gencb->arg = cb_arg; -} -LCRYPTO_ALIAS(BN_GENCB_set_old); - -/* Populate a BN_GENCB structure with a "new"-style callback */ -void -BN_GENCB_set(BN_GENCB *gencb, int (*cb)(int, int, BN_GENCB *), void *cb_arg) -{ - gencb->ver = 2; - gencb->cb.cb_2 = cb; - gencb->arg = cb_arg; -} -LCRYPTO_ALIAS(BN_GENCB_set); - -void * -BN_GENCB_get_arg(BN_GENCB *cb) -{ - return cb->arg; -} -LCRYPTO_ALIAS(BN_GENCB_get_arg); diff --git a/src/lib/libcrypto/bn/bn_local.h b/src/lib/libcrypto/bn/bn_local.h deleted file mode 100644 index 067ffab3d9..0000000000 --- a/src/lib/libcrypto/bn/bn_local.h +++ /dev/null @@ -1,335 +0,0 @@ -/* $OpenBSD: bn_local.h,v 1.50 2025/02/13 11:04:20 tb Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#ifndef HEADER_BN_LOCAL_H -#define HEADER_BN_LOCAL_H - -#include - -#include - -__BEGIN_HIDDEN_DECLS - -struct bignum_st { - BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit chunks. */ - int top; /* Index of last used d +1. */ - /* The next are internal book keeping for bn_expand. */ - int dmax; /* Size of the d array. */ - int neg; /* one if the number is negative */ - int flags; -}; - -struct bn_mont_ctx_st { - int ri; /* Number of bits in R */ - BIGNUM RR; /* Used to convert to Montgomery form */ - BIGNUM N; /* Modulus */ - - /* Least significant word(s) of Ni; R*(1/R mod N) - N*Ni = 1 */ - BN_ULONG n0[2]; - - int flags; -}; - -typedef struct bn_recp_ctx_st BN_RECP_CTX; - -/* Used for slow "generation" functions. */ -struct bn_gencb_st { - unsigned int ver; /* To handle binary (in)compatibility */ - void *arg; /* callback-specific data */ - union { - /* if(ver==1) - handles old style callbacks */ - void (*cb_1)(int, int, void *); - /* if(ver==2) - new callback style */ - int (*cb_2)(int, int, BN_GENCB *); - } cb; -}; - -/* - * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions - * - * - * For window size 'w' (w >= 2) and a random 'b' bits exponent, - * the number of multiplications is a constant plus on average - * - * 2^(w-1) + (b-w)/(w+1); - * - * here 2^(w-1) is for precomputing the table (we actually need - * entries only for windows that have the lowest bit set), and - * (b-w)/(w+1) is an approximation for the expected number of - * w-bit windows, not counting the first one. - * - * Thus we should use - * - * w >= 6 if b > 671 - * w = 5 if 671 > b > 239 - * w = 4 if 239 > b > 79 - * w = 3 if 79 > b > 23 - * w <= 2 if 23 > b - * - * (with draws in between). Very small exponents are often selected - * with low Hamming weight, so we use w = 1 for b <= 23. - */ -#define BN_window_bits_for_exponent_size(b) \ - ((b) > 671 ? 6 : \ - (b) > 239 ? 5 : \ - (b) > 79 ? 4 : \ - (b) > 23 ? 3 : 1) - - -/* BN_mod_exp_mont_consttime is based on the assumption that the - * L1 data cache line width of the target processor is at least - * the following value. - */ -#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 ) -#define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1) - -/* Window sizes optimized for fixed window size modular exponentiation - * algorithm (BN_mod_exp_mont_consttime). - * - * To achieve the security goals of BN_mode_exp_mont_consttime, the - * maximum size of the window must not exceed - * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH). - * - * Window size thresholds are defined for cache line sizes of 32 and 64, - * cache line sizes where log_2(32)=5 and log_2(64)=6 respectively. A - * window size of 7 should only be used on processors that have a 128 - * byte or greater cache line size. - */ -#if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64 - -# define BN_window_bits_for_ctime_exponent_size(b) \ - ((b) > 937 ? 6 : \ - (b) > 306 ? 5 : \ - (b) > 89 ? 4 : \ - (b) > 22 ? 3 : 1) -# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (6) - -#elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32 - -# define BN_window_bits_for_ctime_exponent_size(b) \ - ((b) > 306 ? 5 : \ - (b) > 89 ? 4 : \ - (b) > 22 ? 3 : 1) -# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (5) - -#endif - - -/* Pentium pro 16,16,16,32,64 */ -/* Alpha 16,16,16,16.64 */ -#define BN_MULL_SIZE_NORMAL (16) /* 32 */ -#define BN_MUL_RECURSIVE_SIZE_NORMAL (16) /* 32 less than */ -#define BN_SQR_RECURSIVE_SIZE_NORMAL (16) /* 32 */ -#define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32) /* 32 */ -#define BN_MONT_CTX_SET_SIZE_WORD (64) /* 32 */ - -/* The least significant word of a BIGNUM. */ -#define BN_lsw(n) (((n)->top == 0) ? (BN_ULONG) 0 : (n)->d[0]) - -BN_ULONG bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, - const BN_ULONG *b, int b_len); -BN_ULONG bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, - const BN_ULONG *b, int b_len); - -void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb); -void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b); -void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b); - -void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a); -void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a); - -int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num); - -void bn_correct_top(BIGNUM *a); -int bn_expand_bits(BIGNUM *a, size_t bits); -int bn_expand_bytes(BIGNUM *a, size_t bytes); -int bn_wexpand(BIGNUM *a, int words); - -BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - int num); -BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - int num); -BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w); -BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w); -void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num); -BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d); -void bn_div_rem_words(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q, - BN_ULONG *out_r); - -int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom); -int bn_rand_in_range(BIGNUM *rnd, const BIGNUM *lower_inc, const BIGNUM *upper_exc); -int bn_rand_interval(BIGNUM *rnd, BN_ULONG lower_word, const BIGNUM *upper_exc); - -void BN_init(BIGNUM *); - -BN_MONT_CTX *BN_MONT_CTX_create(const BIGNUM *bn, BN_CTX *ctx); - -BN_RECP_CTX *BN_RECP_CTX_create(const BIGNUM *N); -void BN_RECP_CTX_free(BN_RECP_CTX *recp); -int BN_div_reciprocal(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, - BN_RECP_CTX *recp, BN_CTX *ctx); -int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y, - BN_RECP_CTX *recp, BN_CTX *ctx); -int BN_mod_sqr_reciprocal(BIGNUM *r, const BIGNUM *x, BN_RECP_CTX *recp, - BN_CTX *ctx); -int BN_mod_exp_reciprocal(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx); - -/* Explicitly const time / non-const time versions for internal use */ -int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx); -int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx); -int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -int BN_div_nonct(BIGNUM *q, BIGNUM *r, const BIGNUM *n, const BIGNUM *d, - BN_CTX *ctx); -int BN_div_ct(BIGNUM *q, BIGNUM *r, const BIGNUM *n, const BIGNUM *d, - BN_CTX *ctx); -int BN_mod_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); -int BN_mod_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); - -int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -int BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1, - const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *m_ctx); - -int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx); - -BIGNUM *BN_mod_inverse_ct(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n, - BN_CTX *ctx); -BIGNUM *BN_mod_inverse_nonct(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n, - BN_CTX *ctx); -int BN_gcd_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); - -int BN_swap_ct(BN_ULONG swap, BIGNUM *a, BIGNUM *b, size_t nwords); - -int bn_copy(BIGNUM *dst, const BIGNUM *src); - -int bn_isqrt(BIGNUM *out_sqrt, int *out_perfect, const BIGNUM *n, BN_CTX *ctx); -int bn_is_perfect_square(int *out_perfect, const BIGNUM *n, BN_CTX *ctx); - -int bn_is_prime_bpsw(int *is_prime, const BIGNUM *n, BN_CTX *ctx, size_t rounds); - -int bn_printf(BIO *bio, const BIGNUM *bn, int indent, const char *fmt, ...) - __attribute__((__format__ (printf, 4, 5))) - __attribute__((__nonnull__ (4))); - -int bn_bn2hex_nosign(const BIGNUM *bn, char **out, size_t *out_len); -int bn_bn2hex_nibbles(const BIGNUM *bn, char **out, size_t *out_len); - -__END_HIDDEN_DECLS -#endif /* !HEADER_BN_LOCAL_H */ diff --git a/src/lib/libcrypto/bn/bn_mod.c b/src/lib/libcrypto/bn/bn_mod.c deleted file mode 100644 index 365f6fcf03..0000000000 --- a/src/lib/libcrypto/bn/bn_mod.c +++ /dev/null @@ -1,369 +0,0 @@ -/* $OpenBSD: bn_mod.c,v 1.22 2023/07/08 12:21:58 beck Exp $ */ -/* Includes code written by Lenka Fibikova - * for the OpenSSL project. */ -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include - -#include "bn_local.h" - -int -BN_mod_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) -{ - return BN_div_ct(NULL, r, a, m, ctx); -} - -int -BN_mod_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) -{ - return BN_div_nonct(NULL, r, a, m, ctx); -} - -/* - * BN_nnmod() is like BN_mod(), but always returns a non-negative remainder - * (that is 0 <= r < |m| always holds). If both a and m have the same sign then - * the result is already non-negative. Otherwise, -|m| < r < 0, which needs to - * be adjusted as r := r + |m|. This equates to r := |m| - |r|. - */ -int -BN_nnmod(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) -{ - if (r == m) { - BNerror(BN_R_INVALID_ARGUMENT); - return 0; - } - if (!BN_mod_ct(r, a, m, ctx)) - return 0; - if (BN_is_negative(r)) - return BN_usub(r, m, r); - return 1; -} -LCRYPTO_ALIAS(BN_nnmod); - -int -BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, - BN_CTX *ctx) -{ - if (r == m) { - BNerror(BN_R_INVALID_ARGUMENT); - return 0; - } - if (!BN_add(r, a, b)) - return 0; - return BN_nnmod(r, r, m, ctx); -} -LCRYPTO_ALIAS(BN_mod_add); - -/* - * BN_mod_add() variant that may only be used if both a and b are non-negative - * and have already been reduced (less than m). - */ -int -BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m) -{ - if (r == m) { - BNerror(BN_R_INVALID_ARGUMENT); - return 0; - } - if (!BN_uadd(r, a, b)) - return 0; - if (BN_ucmp(r, m) >= 0) - return BN_usub(r, r, m); - return 1; -} -LCRYPTO_ALIAS(BN_mod_add_quick); - -int -BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, - BN_CTX *ctx) -{ - if (r == m) { - BNerror(BN_R_INVALID_ARGUMENT); - return 0; - } - if (!BN_sub(r, a, b)) - return 0; - return BN_nnmod(r, r, m, ctx); -} -LCRYPTO_ALIAS(BN_mod_sub); - -/* - * BN_mod_sub() variant that may only be used if both a and b are non-negative - * and have already been reduced (less than m). - */ -int -BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m) -{ - if (r == m) { - BNerror(BN_R_INVALID_ARGUMENT); - return 0; - } - if (BN_ucmp(a, b) >= 0) - return BN_usub(r, a, b); - if (!BN_usub(r, b, a)) - return 0; - return BN_usub(r, m, r); -} -LCRYPTO_ALIAS(BN_mod_sub_quick); - -int -BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, - BN_CTX *ctx) -{ - BIGNUM *rr; - int ret = 0; - - BN_CTX_start(ctx); - - if (r == m) { - BNerror(BN_R_INVALID_ARGUMENT); - goto err; - } - - rr = r; - if (rr == a || rr == b) - rr = BN_CTX_get(ctx); - if (rr == NULL) - goto err; - - if (a == b) { - if (!BN_sqr(rr, a, ctx)) - goto err; - } else { - if (!BN_mul(rr, a, b, ctx)) - goto err; - } - if (!BN_nnmod(r, rr, m, ctx)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} -LCRYPTO_ALIAS(BN_mod_mul); - -int -BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) -{ - return BN_mod_mul(r, a, a, m, ctx); -} -LCRYPTO_ALIAS(BN_mod_sqr); - -int -BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) -{ - if (r == m) { - BNerror(BN_R_INVALID_ARGUMENT); - return 0; - } - if (!BN_lshift1(r, a)) - return 0; - return BN_nnmod(r, r, m, ctx); -} -LCRYPTO_ALIAS(BN_mod_lshift1); - -/* - * BN_mod_lshift1() variant that may be used if a is non-negative - * and has already been reduced (less than m). - */ -int -BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m) -{ - if (r == m) { - BNerror(BN_R_INVALID_ARGUMENT); - return 0; - } - if (!BN_lshift1(r, a)) - return 0; - if (BN_ucmp(r, m) >= 0) - return BN_usub(r, r, m); - return 1; -} -LCRYPTO_ALIAS(BN_mod_lshift1_quick); - -int -BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx) -{ - BIGNUM *abs_m; - int ret = 0; - - BN_CTX_start(ctx); - - if (r == m) { - BNerror(BN_R_INVALID_ARGUMENT); - goto err; - } - - if (!BN_nnmod(r, a, m, ctx)) - goto err; - - if (BN_is_negative(m)) { - if ((abs_m = BN_CTX_get(ctx)) == NULL) - goto err; - if (!bn_copy(abs_m, m)) - goto err; - BN_set_negative(abs_m, 0); - m = abs_m; - } - if (!BN_mod_lshift_quick(r, r, n, m)) - goto err; - - ret = 1; - err: - BN_CTX_end(ctx); - - return ret; -} -LCRYPTO_ALIAS(BN_mod_lshift); - -/* - * BN_mod_lshift() variant that may be used if a is non-negative - * and has already been reduced (less than m). - */ -int -BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m) -{ - int max_shift; - - if (r == m) { - BNerror(BN_R_INVALID_ARGUMENT); - return 0; - } - - if (!bn_copy(r, a)) - return 0; - - while (n > 0) { - if ((max_shift = BN_num_bits(m) - BN_num_bits(r)) < 0) { - BNerror(BN_R_INPUT_NOT_REDUCED); - return 0; - } - if (max_shift == 0) - max_shift = 1; - if (max_shift > n) - max_shift = n; - - if (!BN_lshift(r, r, max_shift)) - return 0; - n -= max_shift; - - if (BN_ucmp(r, m) >= 0) { - if (!BN_usub(r, r, m)) - return 0; - } - } - - return 1; -} -LCRYPTO_ALIAS(BN_mod_lshift_quick); diff --git a/src/lib/libcrypto/bn/bn_mod_sqrt.c b/src/lib/libcrypto/bn/bn_mod_sqrt.c deleted file mode 100644 index 280002cc48..0000000000 --- a/src/lib/libcrypto/bn/bn_mod_sqrt.c +++ /dev/null @@ -1,723 +0,0 @@ -/* $OpenBSD: bn_mod_sqrt.c,v 1.3 2023/08/03 18:53:55 tb Exp $ */ - -/* - * Copyright (c) 2022 Theo Buehler - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include "bn_local.h" - -/* - * Tonelli-Shanks according to H. Cohen "A Course in Computational Algebraic - * Number Theory", Section 1.5.1, Springer GTM volume 138, Berlin, 1996. - * - * Under the assumption that p is prime and a is a quadratic residue, we know: - * - * a^[(p-1)/2] = 1 (mod p). (*) - * - * To find a square root of a (mod p), we handle three cases of increasing - * complexity. In the first two cases, we can compute a square root using an - * explicit formula, thus avoiding the probabilistic nature of Tonelli-Shanks. - * - * 1. p = 3 (mod 4). - * - * Set n = (p+1)/4. Then 2n = 1 + (p-1)/2 and (*) shows that x = a^n (mod p) - * is a square root of a: x^2 = a^(2n) = a * a^[(p-1)/2] = a (mod p). - * - * 2. p = 5 (mod 8). - * - * This uses a simplification due to Atkin. By Theorem 1.4.7 and 1.4.9, the - * Kronecker symbol (2/p) evaluates to (-1)^[(p^2-1)/8]. From p = 5 (mod 8) - * we get (p^2-1)/8 = 1 (mod 2), so (2/p) = -1, and thus - * - * 2^[(p-1)/2] = -1 (mod p). (**) - * - * Set b = (2a)^[(p-5)/8]. With (p-1)/2 = 2 + (p-5)/2, (*) and (**) show - * - * i = 2 a b^2 is a square root of -1 (mod p). - * - * Indeed, i^2 = 2^2 a^2 b^4 = 2^[(p-1)/2] a^[(p-1)/2] = -1 (mod p). Because - * of (i-1)^2 = -2i (mod p) and i (-i) = 1 (mod p), a square root of a is - * - * x = a b (i-1) - * - * as x^2 = a^2 b^2 (-2i) = a (2 a b^2) (-i) = a (mod p). - * - * 3. p = 1 (mod 8). - * - * This is the Tonelli-Shanks algorithm. For a prime p, the multiplicative - * group of GF(p) is cyclic of order p - 1 = 2^s q, with odd q. Denote its - * 2-Sylow subgroup by S. It is cyclic of order 2^s. The squares in S have - * order dividing 2^(s-1). They are the even powers of any generator z of S. - * If a is a quadratic residue, 1 = a^[(p-1)/2] = (a^q)^[2^(s-1)], so b = a^q - * is a square in S. Therefore there is an integer k such that b z^(2k) = 1. - * Set x = a^[(q+1)/2] z^k, and find x^2 = a (mod p). - * - * The problem is thus reduced to finding a generator z of the 2-Sylow - * subgroup S of GF(p)* and finding k. An iterative constructions avoids - * the need for an explicit k, a generator is found by a randomized search. - * - * While we do not actually know that p is a prime number, we can still apply - * the formulas in cases 1 and 2 and verify that we have indeed found a square - * root of p. Similarly, in case 3, we can try to find a quadratic non-residue, - * which will fail for example if p is a square. The iterative construction - * may or may not find a candidate square root which we can then validate. - */ - -/* - * Handle the cases where p is 2, p isn't odd or p is one. Since BN_mod_sqrt() - * can run on untrusted data, a primality check is too expensive. Also treat - * the obvious cases where a is 0 or 1. - */ - -static int -bn_mod_sqrt_trivial_cases(int *done, BIGNUM *out_sqrt, const BIGNUM *a, - const BIGNUM *p, BN_CTX *ctx) -{ - *done = 1; - - if (BN_abs_is_word(p, 2)) - return BN_set_word(out_sqrt, BN_is_odd(a)); - - if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) { - BNerror(BN_R_P_IS_NOT_PRIME); - return 0; - } - - if (BN_is_zero(a) || BN_is_one(a)) - return BN_set_word(out_sqrt, BN_is_one(a)); - - *done = 0; - - return 1; -} - -/* - * Case 1. We know that (a/p) = 1 and that p = 3 (mod 4). - */ - -static int -bn_mod_sqrt_p_is_3_mod_4(BIGNUM *out_sqrt, const BIGNUM *a, const BIGNUM *p, - BN_CTX *ctx) -{ - BIGNUM *n; - int ret = 0; - - BN_CTX_start(ctx); - - if ((n = BN_CTX_get(ctx)) == NULL) - goto err; - - /* Calculate n = (|p| + 1) / 4. */ - if (!BN_uadd(n, p, BN_value_one())) - goto err; - if (!BN_rshift(n, n, 2)) - goto err; - - /* By case 1 above, out_sqrt = a^n is a square root of a (mod p). */ - if (!BN_mod_exp_ct(out_sqrt, a, n, p, ctx)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -/* - * Case 2. We know that (a/p) = 1 and that p = 5 (mod 8). - */ - -static int -bn_mod_sqrt_p_is_5_mod_8(BIGNUM *out_sqrt, const BIGNUM *a, const BIGNUM *p, - BN_CTX *ctx) -{ - BIGNUM *b, *i, *n, *tmp; - int ret = 0; - - BN_CTX_start(ctx); - - if ((b = BN_CTX_get(ctx)) == NULL) - goto err; - if ((i = BN_CTX_get(ctx)) == NULL) - goto err; - if ((n = BN_CTX_get(ctx)) == NULL) - goto err; - if ((tmp = BN_CTX_get(ctx)) == NULL) - goto err; - - /* Calculate n = (|p| - 5) / 8. Since p = 5 (mod 8), simply shift. */ - if (!BN_rshift(n, p, 3)) - goto err; - BN_set_negative(n, 0); - - /* Compute tmp = 2a (mod p) for later use. */ - if (!BN_mod_lshift1(tmp, a, p, ctx)) - goto err; - - /* Calculate b = (2a)^n (mod p). */ - if (!BN_mod_exp_ct(b, tmp, n, p, ctx)) - goto err; - - /* Calculate i = 2 a b^2 (mod p). */ - if (!BN_mod_sqr(i, b, p, ctx)) - goto err; - if (!BN_mod_mul(i, tmp, i, p, ctx)) - goto err; - - /* A square root is out_sqrt = a b (i-1) (mod p). */ - if (!BN_sub_word(i, 1)) - goto err; - if (!BN_mod_mul(out_sqrt, a, b, p, ctx)) - goto err; - if (!BN_mod_mul(out_sqrt, out_sqrt, i, p, ctx)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -/* - * Case 3. We know that (a/p) = 1 and that p = 1 (mod 8). - */ - -/* - * Simple helper. To find a generator of the 2-Sylow subgroup of GF(p)*, we - * need to find a quadratic non-residue of p, i.e., n such that (n/p) = -1. - */ - -static int -bn_mod_sqrt_n_is_non_residue(int *is_non_residue, const BIGNUM *n, - const BIGNUM *p, BN_CTX *ctx) -{ - switch (BN_kronecker(n, p, ctx)) { - case -1: - *is_non_residue = 1; - return 1; - case 1: - *is_non_residue = 0; - return 1; - case 0: - /* n divides p, so ... */ - BNerror(BN_R_P_IS_NOT_PRIME); - return 0; - default: - return 0; - } -} - -/* - * The following is the only non-deterministic part preparing Tonelli-Shanks. - * - * If we find n such that (n/p) = -1, then n^q (mod p) is a generator of the - * 2-Sylow subgroup of GF(p)*. To find such n, first try some small numbers, - * then random ones. - */ - -static int -bn_mod_sqrt_find_sylow_generator(BIGNUM *out_generator, const BIGNUM *p, - const BIGNUM *q, BN_CTX *ctx) -{ - BIGNUM *n, *p_abs; - int i, is_non_residue; - int ret = 0; - - BN_CTX_start(ctx); - - if ((n = BN_CTX_get(ctx)) == NULL) - goto err; - if ((p_abs = BN_CTX_get(ctx)) == NULL) - goto err; - - for (i = 2; i < 32; i++) { - if (!BN_set_word(n, i)) - goto err; - if (!bn_mod_sqrt_n_is_non_residue(&is_non_residue, n, p, ctx)) - goto err; - if (is_non_residue) - goto found; - } - - if (!bn_copy(p_abs, p)) - goto err; - BN_set_negative(p_abs, 0); - - for (i = 0; i < 128; i++) { - if (!bn_rand_interval(n, 32, p_abs)) - goto err; - if (!bn_mod_sqrt_n_is_non_residue(&is_non_residue, n, p, ctx)) - goto err; - if (is_non_residue) - goto found; - } - - /* - * The probability to get here is < 2^(-128) for prime p. For squares - * it is easy: for p = 1369 = 37^2 this happens in ~3% of runs. - */ - - BNerror(BN_R_TOO_MANY_ITERATIONS); - goto err; - - found: - /* - * If p is prime, n^q generates the 2-Sylow subgroup S of GF(p)*. - */ - - if (!BN_mod_exp_ct(out_generator, n, q, p, ctx)) - goto err; - - /* Sanity: p is not necessarily prime, so we could have found 0 or 1. */ - if (BN_is_zero(out_generator) || BN_is_one(out_generator)) { - BNerror(BN_R_P_IS_NOT_PRIME); - goto err; - } - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -/* - * Initialization step for Tonelli-Shanks. - * - * In the end, b = a^q (mod p) and x = a^[(q+1)/2] (mod p). Cohen optimizes this - * to minimize taking powers of a. This is a bit confusing and distracting, so - * factor this into a separate function. - */ - -static int -bn_mod_sqrt_tonelli_shanks_initialize(BIGNUM *b, BIGNUM *x, const BIGNUM *a, - const BIGNUM *p, const BIGNUM *q, BN_CTX *ctx) -{ - BIGNUM *k; - int ret = 0; - - BN_CTX_start(ctx); - - if ((k = BN_CTX_get(ctx)) == NULL) - goto err; - - /* k = (q-1)/2. Since q is odd, we can shift. */ - if (!BN_rshift1(k, q)) - goto err; - - /* x = a^[(q-1)/2] (mod p). */ - if (!BN_mod_exp_ct(x, a, k, p, ctx)) - goto err; - - /* b = ax^2 = a^q (mod p). */ - if (!BN_mod_sqr(b, x, p, ctx)) - goto err; - if (!BN_mod_mul(b, a, b, p, ctx)) - goto err; - - /* x = ax = a^[(q+1)/2] (mod p). */ - if (!BN_mod_mul(x, a, x, p, ctx)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -/* - * Find smallest exponent m such that b^(2^m) = 1 (mod p). Assuming that a - * is a quadratic residue and p is a prime, we know that 1 <= m < r. - */ - -static int -bn_mod_sqrt_tonelli_shanks_find_exponent(int *out_exponent, const BIGNUM *b, - const BIGNUM *p, int r, BN_CTX *ctx) -{ - BIGNUM *x; - int m; - int ret = 0; - - BN_CTX_start(ctx); - - if ((x = BN_CTX_get(ctx)) == NULL) - goto err; - - /* - * If r <= 1, the Tonelli-Shanks iteration should have terminated as - * r == 1 implies b == 1. - */ - if (r <= 1) { - BNerror(BN_R_P_IS_NOT_PRIME); - goto err; - } - - /* - * Sanity check to ensure taking squares actually does something: - * If b is 1, the Tonelli-Shanks iteration should have terminated. - * If b is 0, something's very wrong, in particular p can't be prime. - */ - if (BN_is_zero(b) || BN_is_one(b)) { - BNerror(BN_R_P_IS_NOT_PRIME); - goto err; - } - - if (!bn_copy(x, b)) - goto err; - - for (m = 1; m < r; m++) { - if (!BN_mod_sqr(x, x, p, ctx)) - goto err; - if (BN_is_one(x)) - break; - } - - if (m >= r) { - /* This means a is not a quadratic residue. As (a/p) = 1, ... */ - BNerror(BN_R_P_IS_NOT_PRIME); - goto err; - } - - *out_exponent = m; - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -/* - * The update step. With the minimal m such that b^(2^m) = 1 (mod m), - * set t = y^[2^(r-m-1)] (mod p) and update x = xt, y = t^2, b = by. - * This preserves the loop invariants a b = x^2, y^[2^(r-1)] = -1 and - * b^[2^(r-1)] = 1. - */ - -static int -bn_mod_sqrt_tonelli_shanks_update(BIGNUM *b, BIGNUM *x, BIGNUM *y, - const BIGNUM *p, int m, int r, BN_CTX *ctx) -{ - BIGNUM *t; - int ret = 0; - - BN_CTX_start(ctx); - - if ((t = BN_CTX_get(ctx)) == NULL) - goto err; - - /* t = y^[2^(r-m-1)] (mod p). */ - if (!BN_set_bit(t, r - m - 1)) - goto err; - if (!BN_mod_exp_ct(t, y, t, p, ctx)) - goto err; - - /* x = xt (mod p). */ - if (!BN_mod_mul(x, x, t, p, ctx)) - goto err; - - /* y = t^2 = y^[2^(r-m)] (mod p). */ - if (!BN_mod_sqr(y, t, p, ctx)) - goto err; - - /* b = by (mod p). */ - if (!BN_mod_mul(b, b, y, p, ctx)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -static int -bn_mod_sqrt_p_is_1_mod_8(BIGNUM *out_sqrt, const BIGNUM *a, const BIGNUM *p, - BN_CTX *ctx) -{ - BIGNUM *b, *q, *x, *y; - int e, m, r; - int ret = 0; - - BN_CTX_start(ctx); - - if ((b = BN_CTX_get(ctx)) == NULL) - goto err; - if ((q = BN_CTX_get(ctx)) == NULL) - goto err; - if ((x = BN_CTX_get(ctx)) == NULL) - goto err; - if ((y = BN_CTX_get(ctx)) == NULL) - goto err; - - /* - * Factor p - 1 = 2^e q with odd q. Since p = 1 (mod 8), we know e >= 3. - */ - - e = 1; - while (!BN_is_bit_set(p, e)) - e++; - if (!BN_rshift(q, p, e)) - goto err; - - if (!bn_mod_sqrt_find_sylow_generator(y, p, q, ctx)) - goto err; - - /* - * Set b = a^q (mod p) and x = a^[(q+1)/2] (mod p). - */ - if (!bn_mod_sqrt_tonelli_shanks_initialize(b, x, a, p, q, ctx)) - goto err; - - /* - * The Tonelli-Shanks iteration. Starting with r = e, the following loop - * invariants hold at the start of the loop. - * - * a b = x^2 (mod p) - * y^[2^(r-1)] = -1 (mod p) - * b^[2^(r-1)] = 1 (mod p) - * - * In particular, if b = 1 (mod p), x is a square root of a. - * - * Since p - 1 = 2^e q, we have 2^(e-1) q = (p - 1) / 2, so in the first - * iteration this follows from (a/p) = 1, (n/p) = -1, y = n^q, b = a^q. - * - * In subsequent iterations, t = y^[2^(r-m-1)], where m is the smallest - * m such that b^(2^m) = 1. With x = xt (mod p) and b = bt^2 (mod p) the - * first invariant is preserved, the second and third follow from - * y = t^2 (mod p) and r = m as well as the choice of m. - * - * Finally, r is strictly decreasing in each iteration. If p is prime, - * let S be the 2-Sylow subgroup of GF(p)*. We can prove the algorithm - * stops: Let S_r be the subgroup of S consisting of elements of order - * dividing 2^r. Then S_r = and b is in S_(r-1). The S_r form a - * descending filtration of S and when r = 1, then b = 1. - */ - - for (r = e; r >= 1; r = m) { - /* - * Termination condition. If b == 1 then x is a square root. - */ - if (BN_is_one(b)) - goto done; - - /* Find smallest exponent 1 <= m < r such that b^(2^m) == 1. */ - if (!bn_mod_sqrt_tonelli_shanks_find_exponent(&m, b, p, r, ctx)) - goto err; - - /* - * With t = y^[2^(r-m-1)], update x = xt, y = t^2, b = by. - */ - if (!bn_mod_sqrt_tonelli_shanks_update(b, x, y, p, m, r, ctx)) - goto err; - - /* - * Sanity check to make sure we don't loop indefinitely. - * bn_mod_sqrt_tonelli_shanks_find_exponent() ensures m < r. - */ - if (r <= m) - goto err; - } - - /* - * If p is prime, we should not get here. - */ - - BNerror(BN_R_NOT_A_SQUARE); - goto err; - - done: - if (!bn_copy(out_sqrt, x)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -/* - * Choose the smaller of sqrt and |p| - sqrt. - */ - -static int -bn_mod_sqrt_normalize(BIGNUM *sqrt, const BIGNUM *p, BN_CTX *ctx) -{ - BIGNUM *x; - int ret = 0; - - BN_CTX_start(ctx); - - if ((x = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_lshift1(x, sqrt)) - goto err; - - if (BN_ucmp(x, p) > 0) { - if (!BN_usub(sqrt, p, sqrt)) - goto err; - } - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -/* - * Verify that a = (sqrt_a)^2 (mod p). Requires that a is reduced (mod p). - */ - -static int -bn_mod_sqrt_verify(const BIGNUM *a, const BIGNUM *sqrt_a, const BIGNUM *p, - BN_CTX *ctx) -{ - BIGNUM *x; - int ret = 0; - - BN_CTX_start(ctx); - - if ((x = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_mod_sqr(x, sqrt_a, p, ctx)) - goto err; - - if (BN_cmp(x, a) != 0) { - BNerror(BN_R_NOT_A_SQUARE); - goto err; - } - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -static int -bn_mod_sqrt_internal(BIGNUM *out_sqrt, const BIGNUM *a, const BIGNUM *p, - BN_CTX *ctx) -{ - BIGNUM *a_mod_p, *sqrt; - BN_ULONG lsw; - int done; - int kronecker; - int ret = 0; - - BN_CTX_start(ctx); - - if ((a_mod_p = BN_CTX_get(ctx)) == NULL) - goto err; - if ((sqrt = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_nnmod(a_mod_p, a, p, ctx)) - goto err; - - if (!bn_mod_sqrt_trivial_cases(&done, sqrt, a_mod_p, p, ctx)) - goto err; - if (done) - goto verify; - - /* - * Make sure that the Kronecker symbol (a/p) == 1. In case p is prime - * this is equivalent to a having a square root (mod p). The cost of - * BN_kronecker() is O(log^2(n)). This is small compared to the cost - * O(log^4(n)) of Tonelli-Shanks. - */ - - if ((kronecker = BN_kronecker(a_mod_p, p, ctx)) == -2) - goto err; - if (kronecker <= 0) { - /* This error is only accurate if p is known to be a prime. */ - BNerror(BN_R_NOT_A_SQUARE); - goto err; - } - - lsw = BN_lsw(p); - - if (lsw % 4 == 3) { - if (!bn_mod_sqrt_p_is_3_mod_4(sqrt, a_mod_p, p, ctx)) - goto err; - } else if (lsw % 8 == 5) { - if (!bn_mod_sqrt_p_is_5_mod_8(sqrt, a_mod_p, p, ctx)) - goto err; - } else if (lsw % 8 == 1) { - if (!bn_mod_sqrt_p_is_1_mod_8(sqrt, a_mod_p, p, ctx)) - goto err; - } else { - /* Impossible to hit since the trivial cases ensure p is odd. */ - BNerror(BN_R_P_IS_NOT_PRIME); - goto err; - } - - if (!bn_mod_sqrt_normalize(sqrt, p, ctx)) - goto err; - - verify: - if (!bn_mod_sqrt_verify(a_mod_p, sqrt, p, ctx)) - goto err; - - if (!bn_copy(out_sqrt, sqrt)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - - return ret; -} - -BIGNUM * -BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) -{ - BIGNUM *out_sqrt; - - if ((out_sqrt = in) == NULL) - out_sqrt = BN_new(); - if (out_sqrt == NULL) - goto err; - - if (!bn_mod_sqrt_internal(out_sqrt, a, p, ctx)) - goto err; - - return out_sqrt; - - err: - if (out_sqrt != in) - BN_free(out_sqrt); - - return NULL; -} -LCRYPTO_ALIAS(BN_mod_sqrt); diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c deleted file mode 100644 index edd7bcd0c8..0000000000 --- a/src/lib/libcrypto/bn/bn_mont.c +++ /dev/null @@ -1,621 +0,0 @@ -/* $OpenBSD: bn_mont.c,v 1.66 2025/03/09 15:22:40 tb Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* - * Details about Montgomery multiplication algorithms can be found at - * http://security.ece.orst.edu/publications.html, e.g. - * http://security.ece.orst.edu/koc/papers/j37acmon.pdf and - * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf - */ - -#include -#include -#include - -#include "bn_internal.h" -#include "bn_local.h" - -BN_MONT_CTX * -BN_MONT_CTX_new(void) -{ - BN_MONT_CTX *mctx; - - if ((mctx = calloc(1, sizeof(BN_MONT_CTX))) == NULL) - return NULL; - mctx->flags = BN_FLG_MALLOCED; - - BN_init(&mctx->RR); - BN_init(&mctx->N); - - return mctx; -} -LCRYPTO_ALIAS(BN_MONT_CTX_new); - -void -BN_MONT_CTX_free(BN_MONT_CTX *mctx) -{ - if (mctx == NULL) - return; - - BN_free(&mctx->RR); - BN_free(&mctx->N); - - if (mctx->flags & BN_FLG_MALLOCED) - free(mctx); -} -LCRYPTO_ALIAS(BN_MONT_CTX_free); - -BN_MONT_CTX * -BN_MONT_CTX_create(const BIGNUM *bn, BN_CTX *bn_ctx) -{ - BN_MONT_CTX *mctx; - - if ((mctx = BN_MONT_CTX_new()) == NULL) - goto err; - if (!BN_MONT_CTX_set(mctx, bn, bn_ctx)) - goto err; - - return mctx; - - err: - BN_MONT_CTX_free(mctx); - - return NULL; -} - -BN_MONT_CTX * -BN_MONT_CTX_copy(BN_MONT_CTX *dst, const BN_MONT_CTX *src) -{ - if (dst == src) - return dst; - - if (!bn_copy(&dst->RR, &src->RR)) - return NULL; - if (!bn_copy(&dst->N, &src->N)) - return NULL; - - dst->ri = src->ri; - dst->n0[0] = src->n0[0]; - dst->n0[1] = src->n0[1]; - - return dst; -} -LCRYPTO_ALIAS(BN_MONT_CTX_copy); - -int -BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) -{ - BIGNUM *N, *Ninv, *Rinv, *R; - int ret = 0; - - BN_CTX_start(ctx); - - if ((N = BN_CTX_get(ctx)) == NULL) - goto err; - if ((Ninv = BN_CTX_get(ctx)) == NULL) - goto err; - if ((R = BN_CTX_get(ctx)) == NULL) - goto err; - if ((Rinv = BN_CTX_get(ctx)) == NULL) - goto err; - - /* Save modulus and determine length of R. */ - if (BN_is_zero(mod)) - goto err; - if (!bn_copy(&mont->N, mod)) - goto err; - mont->N.neg = 0; - mont->ri = ((BN_num_bits(mod) + BN_BITS2 - 1) / BN_BITS2) * BN_BITS2; - if (mont->ri * 2 < mont->ri) - goto err; - - /* - * Compute Ninv = (R * Rinv - 1)/N mod R, for R = 2^64. This provides - * a single or double word result (dependent on BN word size), that is - * later used to implement Montgomery reduction. - */ - BN_zero(R); - if (!BN_set_bit(R, 64)) - goto err; - - /* N = N mod R. */ - if (!bn_wexpand(N, 2)) - goto err; - if (!BN_set_word(N, mod->d[0])) - goto err; -#if BN_BITS2 == 32 - if (mod->top > 1) { - N->d[1] = mod->d[1]; - N->top += bn_ct_ne_zero(N->d[1]); - } -#endif - - /* Rinv = R^-1 mod N */ - if ((BN_mod_inverse_ct(Rinv, R, N, ctx)) == NULL) - goto err; - - /* Ninv = (R * Rinv - 1) / N */ - if (!BN_lshift(Ninv, Rinv, 64)) - goto err; - if (BN_is_zero(Ninv)) { - /* R * Rinv == 0, set to R so that R * Rinv - 1 is mod R. */ - if (!BN_set_bit(Ninv, 64)) - goto err; - } - if (!BN_sub_word(Ninv, 1)) - goto err; - if (!BN_div_ct(Ninv, NULL, Ninv, N, ctx)) - goto err; - - /* Store least significant word(s) of Ninv. */ - mont->n0[0] = mont->n0[1] = 0; - if (Ninv->top > 0) - mont->n0[0] = Ninv->d[0]; -#if BN_BITS2 == 32 - /* Some BN_BITS2 == 32 platforms (namely parisc) use two words of Ninv. */ - if (Ninv->top > 1) - mont->n0[1] = Ninv->d[1]; -#endif - - /* Compute RR = R * R mod N, for use when converting to Montgomery form. */ - BN_zero(&mont->RR); - if (!BN_set_bit(&mont->RR, mont->ri * 2)) - goto err; - if (!BN_mod_ct(&mont->RR, &mont->RR, &mont->N, ctx)) - goto err; - - ret = 1; - err: - BN_CTX_end(ctx); - - return ret; -} -LCRYPTO_ALIAS(BN_MONT_CTX_set); - -BN_MONT_CTX * -BN_MONT_CTX_set_locked(BN_MONT_CTX **pmctx, int lock, const BIGNUM *mod, - BN_CTX *ctx) -{ - BN_MONT_CTX *mctx = NULL; - - CRYPTO_r_lock(lock); - mctx = *pmctx; - CRYPTO_r_unlock(lock); - - if (mctx != NULL) - goto done; - - if ((mctx = BN_MONT_CTX_create(mod, ctx)) == NULL) - goto err; - - CRYPTO_w_lock(lock); - if (*pmctx != NULL) { - /* Someone else raced us... */ - BN_MONT_CTX_free(mctx); - mctx = *pmctx; - } else { - *pmctx = mctx; - } - CRYPTO_w_unlock(lock); - - goto done; - err: - BN_MONT_CTX_free(mctx); - mctx = NULL; - done: - return mctx; -} -LCRYPTO_ALIAS(BN_MONT_CTX_set_locked); - -/* - * bn_montgomery_reduce() performs Montgomery reduction, reducing the input - * from its Montgomery form aR to a, returning the result in r. Note that the - * input is mutated in the process of performing the reduction, destroying its - * original value. - */ -static int -bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx) -{ - BIGNUM *n; - BN_ULONG *ap, *rp, n0, v, carry, mask; - int i, max, n_len; - - n = &mctx->N; - n_len = mctx->N.top; - - if (n_len == 0) { - BN_zero(r); - return 1; - } - - if (!bn_wexpand(r, n_len)) - return 0; - - /* - * Expand a to twice the length of the modulus, zero if necessary. - * XXX - make this a requirement of the caller. - */ - if ((max = 2 * n_len) < n_len) - return 0; - if (!bn_wexpand(a, max)) - return 0; - for (i = a->top; i < max; i++) - a->d[i] = 0; - - carry = 0; - n0 = mctx->n0[0]; - - /* Add multiples of the modulus, so that it becomes divisible by R. */ - for (i = 0; i < n_len; i++) { - v = bn_mul_add_words(&a->d[i], n->d, n_len, a->d[i] * n0); - bn_addw_addw(v, a->d[i + n_len], carry, &carry, - &a->d[i + n_len]); - } - - /* Divide by R (this is the equivalent of right shifting by n_len). */ - ap = &a->d[n_len]; - - /* - * The output is now in the range of [0, 2N). Attempt to reduce once by - * subtracting the modulus. If the reduction was necessary then the - * result is already in r, otherwise copy the value prior to reduction - * from the top half of a. - */ - mask = carry - bn_sub_words(r->d, ap, n->d, n_len); - - rp = r->d; - for (i = 0; i < n_len; i++) { - *rp = (*rp & ~mask) | (*ap & mask); - rp++; - ap++; - } - r->top = n_len; - - bn_correct_top(r); - - BN_set_negative(r, a->neg ^ n->neg); - - return 1; -} - -static int -bn_mod_mul_montgomery_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - BN_MONT_CTX *mctx, BN_CTX *ctx) -{ - BIGNUM *tmp; - int ret = 0; - - BN_CTX_start(ctx); - - if ((tmp = BN_CTX_get(ctx)) == NULL) - goto err; - - if (a == b) { - if (!BN_sqr(tmp, a, ctx)) - goto err; - } else { - if (!BN_mul(tmp, a, b, ctx)) - goto err; - } - - /* Reduce from aRR to aR. */ - if (!bn_montgomery_reduce(r, tmp, mctx)) - goto err; - - ret = 1; - err: - BN_CTX_end(ctx); - - return ret; -} - -static void -bn_montgomery_multiply_word(const BN_ULONG *ap, BN_ULONG b, const BN_ULONG *np, - BN_ULONG *tp, BN_ULONG w, BN_ULONG *carry_a, BN_ULONG *carry_n, int n_len) -{ - BN_ULONG x3, x2, x1, x0; - - *carry_a = *carry_n = 0; - - while (n_len & ~3) { - bn_qwmulw_addqw_addw(ap[3], ap[2], ap[1], ap[0], b, - tp[3], tp[2], tp[1], tp[0], *carry_a, carry_a, - &x3, &x2, &x1, &x0); - bn_qwmulw_addqw_addw(np[3], np[2], np[1], np[0], w, - x3, x2, x1, x0, *carry_n, carry_n, - &tp[3], &tp[2], &tp[1], &tp[0]); - ap += 4; - np += 4; - tp += 4; - n_len -= 4; - } - while (n_len > 0) { - bn_mulw_addw_addw(ap[0], b, tp[0], *carry_a, carry_a, &x0); - bn_mulw_addw_addw(np[0], w, x0, *carry_n, carry_n, &tp[0]); - ap++; - np++; - tp++; - n_len--; - } -} - -/* - * bn_montgomery_multiply_words() computes r = aR * bR * R^-1 = abR for the - * given word arrays. The caller must ensure that rp, ap, bp and np are all - * n_len words in length, while tp must be n_len * 2 + 2 words in length. - */ -static void -bn_montgomery_multiply_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, BN_ULONG *tp, BN_ULONG n0, int n_len) -{ - BN_ULONG a0, b, carry_a, carry_n, carry, mask, w; - int i; - - carry = 0; - - for (i = 0; i < n_len; i++) - tp[i] = 0; - - a0 = ap[0]; - - for (i = 0; i < n_len; i++) { - b = bp[i]; - - /* Compute new t[0] * n0, as we need it for this iteration. */ - w = (a0 * b + tp[0]) * n0; - - bn_montgomery_multiply_word(ap, b, np, tp, w, &carry_a, - &carry_n, n_len); - bn_addw_addw(carry_a, carry_n, carry, &carry, &tp[n_len]); - - tp++; - } - tp[n_len] = carry; - - /* - * The output is now in the range of [0, 2N). Attempt to reduce once by - * subtracting the modulus. If the reduction was necessary then the - * result is already in r, otherwise copy the value prior to reduction - * from tp. - */ - mask = bn_ct_ne_zero(tp[n_len]) - bn_sub_words(rp, tp, np, n_len); - - for (i = 0; i < n_len; i++) { - *rp = (*rp & ~mask) | (*tp & mask); - rp++; - tp++; - } -} - -/* - * bn_montgomery_multiply() computes r = aR * bR * R^-1 = abR for the given - * BIGNUMs. The caller must ensure that the modulus is two or more words in - * length and that a and b have the same number of words as the modulus. - */ -static int -bn_montgomery_multiply(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - BN_MONT_CTX *mctx, BN_CTX *ctx) -{ - BIGNUM *t; - int ret = 0; - - BN_CTX_start(ctx); - - if (mctx->N.top <= 1 || a->top != mctx->N.top || b->top != mctx->N.top) - goto err; - if (!bn_wexpand(r, mctx->N.top)) - goto err; - - if ((t = BN_CTX_get(ctx)) == NULL) - goto err; - if (!bn_wexpand(t, mctx->N.top * 2 + 2)) - goto err; - - bn_montgomery_multiply_words(r->d, a->d, b->d, mctx->N.d, t->d, - mctx->n0[0], mctx->N.top); - - r->top = mctx->N.top; - bn_correct_top(r); - - BN_set_negative(r, a->neg ^ b->neg); - - ret = 1; - err: - BN_CTX_end(ctx); - - return ret; -} - -#ifndef OPENSSL_BN_ASM_MONT -static int -bn_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - BN_MONT_CTX *mctx, BN_CTX *ctx) -{ - if (mctx->N.top <= 1 || a->top != mctx->N.top || b->top != mctx->N.top) - return bn_mod_mul_montgomery_simple(r, a, b, mctx, ctx); - - return bn_montgomery_multiply(r, a, b, mctx, ctx); -} -#else - -static int -bn_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - BN_MONT_CTX *mctx, BN_CTX *ctx) -{ - if (mctx->N.top <= 1 || a->top != mctx->N.top || b->top != mctx->N.top) - return bn_mod_mul_montgomery_simple(r, a, b, mctx, ctx); - - /* - * Legacy bn_mul_mont() performs stack based allocation, without - * size limitation. Allowing a large size results in the stack - * being blown. - */ - if (mctx->N.top > (8 * 1024 / sizeof(BN_ULONG))) - return bn_montgomery_multiply(r, a, b, mctx, ctx); - - if (!bn_wexpand(r, mctx->N.top)) - return 0; - - /* - * Legacy bn_mul_mont() can indicate that we should "fallback" to - * another implementation. - */ - if (!bn_mul_mont(r->d, a->d, b->d, mctx->N.d, mctx->n0, mctx->N.top)) - return bn_montgomery_multiply(r, a, b, mctx, ctx); - - r->top = mctx->N.top; - bn_correct_top(r); - - BN_set_negative(r, a->neg ^ b->neg); - - return (1); -} -#endif - -int -BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - BN_MONT_CTX *mctx, BN_CTX *ctx) -{ - /* Compute r = aR * bR * R^-1 mod N = abR mod N */ - return bn_mod_mul_montgomery(r, a, b, mctx, ctx); -} -LCRYPTO_ALIAS(BN_mod_mul_montgomery); - -int -BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mctx, BN_CTX *ctx) -{ - /* Compute r = a * R * R * R^-1 mod N = aR mod N */ - return bn_mod_mul_montgomery(r, a, &mctx->RR, mctx, ctx); -} -LCRYPTO_ALIAS(BN_to_montgomery); - -int -BN_from_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mctx, BN_CTX *ctx) -{ - BIGNUM *tmp; - int ret = 0; - - BN_CTX_start(ctx); - - if ((tmp = BN_CTX_get(ctx)) == NULL) - goto err; - if (!bn_copy(tmp, a)) - goto err; - if (!bn_montgomery_reduce(r, tmp, mctx)) - goto err; - - ret = 1; - err: - BN_CTX_end(ctx); - - return ret; -} -LCRYPTO_ALIAS(BN_from_montgomery); diff --git a/src/lib/libcrypto/bn/bn_mul.c b/src/lib/libcrypto/bn/bn_mul.c deleted file mode 100644 index bdeb9b0fe8..0000000000 --- a/src/lib/libcrypto/bn/bn_mul.c +++ /dev/null @@ -1,370 +0,0 @@ -/* $OpenBSD: bn_mul.c,v 1.39 2023/07/08 12:21:58 beck Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include -#include -#include - -#include - -#include "bn_arch.h" -#include "bn_internal.h" -#include "bn_local.h" - -/* - * bn_mul_comba4() computes r[] = a[] * b[] using Comba multiplication - * (https://everything2.com/title/Comba+multiplication), where a and b are both - * four word arrays, producing an eight word array result. - */ -#ifndef HAVE_BN_MUL_COMBA4 -void -bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) -{ - BN_ULONG c0, c1, c2; - - bn_mulw_addtw(a[0], b[0], 0, 0, 0, &c2, &c1, &r[0]); - - bn_mulw_addtw(a[0], b[1], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[1], b[0], c2, c1, c0, &c2, &c1, &r[1]); - - bn_mulw_addtw(a[2], b[0], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[1], b[1], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[0], b[2], c2, c1, c0, &c2, &c1, &r[2]); - - bn_mulw_addtw(a[0], b[3], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[1], b[2], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[2], b[1], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[3], b[0], c2, c1, c0, &c2, &c1, &r[3]); - - bn_mulw_addtw(a[3], b[1], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[2], b[2], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[1], b[3], c2, c1, c0, &c2, &c1, &r[4]); - - bn_mulw_addtw(a[2], b[3], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[3], b[2], c2, c1, c0, &c2, &c1, &r[5]); - - bn_mulw_addtw(a[3], b[3], 0, c2, c1, &c2, &r[7], &r[6]); -} -#endif - -/* - * bn_mul_comba8() computes r[] = a[] * b[] using Comba multiplication - * (https://everything2.com/title/Comba+multiplication), where a and b are both - * eight word arrays, producing a 16 word array result. - */ -#ifndef HAVE_BN_MUL_COMBA8 -void -bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) -{ - BN_ULONG c0, c1, c2; - - bn_mulw_addtw(a[0], b[0], 0, 0, 0, &c2, &c1, &r[0]); - - bn_mulw_addtw(a[0], b[1], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[1], b[0], c2, c1, c0, &c2, &c1, &r[1]); - - bn_mulw_addtw(a[2], b[0], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[1], b[1], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[0], b[2], c2, c1, c0, &c2, &c1, &r[2]); - - bn_mulw_addtw(a[0], b[3], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[1], b[2], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[2], b[1], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[3], b[0], c2, c1, c0, &c2, &c1, &r[3]); - - bn_mulw_addtw(a[4], b[0], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[3], b[1], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[2], b[2], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[1], b[3], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[0], b[4], c2, c1, c0, &c2, &c1, &r[4]); - - bn_mulw_addtw(a[0], b[5], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[1], b[4], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[2], b[3], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[3], b[2], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[4], b[1], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[5], b[0], c2, c1, c0, &c2, &c1, &r[5]); - - bn_mulw_addtw(a[6], b[0], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[5], b[1], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[4], b[2], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[3], b[3], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[2], b[4], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[1], b[5], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[0], b[6], c2, c1, c0, &c2, &c1, &r[6]); - - bn_mulw_addtw(a[0], b[7], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[1], b[6], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[2], b[5], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[3], b[4], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[4], b[3], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[5], b[2], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[6], b[1], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[7], b[0], c2, c1, c0, &c2, &c1, &r[7]); - - bn_mulw_addtw(a[7], b[1], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[6], b[2], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[5], b[3], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[4], b[4], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[3], b[5], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[2], b[6], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[1], b[7], c2, c1, c0, &c2, &c1, &r[8]); - - bn_mulw_addtw(a[2], b[7], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[3], b[6], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[4], b[5], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[5], b[4], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[6], b[3], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[7], b[2], c2, c1, c0, &c2, &c1, &r[9]); - - bn_mulw_addtw(a[7], b[3], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[6], b[4], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[5], b[5], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[4], b[6], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[3], b[7], c2, c1, c0, &c2, &c1, &r[10]); - - bn_mulw_addtw(a[4], b[7], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[5], b[6], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[6], b[5], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[7], b[4], c2, c1, c0, &c2, &c1, &r[11]); - - bn_mulw_addtw(a[7], b[5], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[6], b[6], c2, c1, c0, &c2, &c1, &c0); - bn_mulw_addtw(a[5], b[7], c2, c1, c0, &c2, &c1, &r[12]); - - bn_mulw_addtw(a[6], b[7], 0, c2, c1, &c2, &c1, &c0); - bn_mulw_addtw(a[7], b[6], c2, c1, c0, &c2, &c1, &r[13]); - - bn_mulw_addtw(a[7], b[7], 0, c2, c1, &c2, &r[15], &r[14]); -} -#endif - -/* - * bn_mul_words() computes (carry:r[i]) = a[i] * w + carry, where a is an array - * of words and w is a single word. This should really be called bn_mulw_words() - * since only one input is an array. This is used as a step in the multiplication - * of word arrays. - */ -#ifndef HAVE_BN_MUL_WORDS -BN_ULONG -bn_mul_words(BN_ULONG *r, const BN_ULONG *a, int num, BN_ULONG w) -{ - BN_ULONG carry = 0; - - assert(num >= 0); - if (num <= 0) - return 0; - - while (num & ~3) { - bn_qwmulw_addw(a[3], a[2], a[1], a[0], w, carry, &carry, - &r[3], &r[2], &r[1], &r[0]); - a += 4; - r += 4; - num -= 4; - } - while (num) { - bn_mulw_addw(a[0], w, carry, &carry, &r[0]); - a++; - r++; - num--; - } - return carry; -} -#endif - -/* - * bn_mul_add_words() computes (carry:r[i]) = a[i] * w + r[i] + carry, where - * a is an array of words and w is a single word. This should really be called - * bn_mulw_add_words() since only one input is an array. This is used as a step - * in the multiplication of word arrays. - */ -#ifndef HAVE_BN_MUL_ADD_WORDS -BN_ULONG -bn_mul_add_words(BN_ULONG *r, const BN_ULONG *a, int num, BN_ULONG w) -{ - BN_ULONG carry = 0; - - assert(num >= 0); - if (num <= 0) - return 0; - - while (num & ~3) { - bn_qwmulw_addqw_addw(a[3], a[2], a[1], a[0], w, - r[3], r[2], r[1], r[0], carry, &carry, - &r[3], &r[2], &r[1], &r[0]); - a += 4; - r += 4; - num -= 4; - } - while (num) { - bn_mulw_addw_addw(a[0], w, r[0], carry, &carry, &r[0]); - a++; - r++; - num--; - } - - return carry; -} -#endif - -void -bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb) -{ - BN_ULONG *rr; - - - if (na < nb) { - int itmp; - BN_ULONG *ltmp; - - itmp = na; - na = nb; - nb = itmp; - ltmp = a; - a = b; - b = ltmp; - - } - rr = &(r[na]); - if (nb <= 0) { - (void)bn_mul_words(r, a, na, 0); - return; - } else - rr[0] = bn_mul_words(r, a, na, b[0]); - - for (;;) { - if (--nb <= 0) - return; - rr[1] = bn_mul_add_words(&(r[1]), a, na, b[1]); - if (--nb <= 0) - return; - rr[2] = bn_mul_add_words(&(r[2]), a, na, b[2]); - if (--nb <= 0) - return; - rr[3] = bn_mul_add_words(&(r[3]), a, na, b[3]); - if (--nb <= 0) - return; - rr[4] = bn_mul_add_words(&(r[4]), a, na, b[4]); - rr += 4; - r += 4; - b += 4; - } -} - - -#ifndef HAVE_BN_MUL -int -bn_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, int rn, BN_CTX *ctx) -{ - bn_mul_normal(r->d, a->d, a->top, b->d, b->top); - - return 1; -} - -#endif /* HAVE_BN_MUL */ - -int -BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) -{ - BIGNUM *rr; - int rn; - int ret = 0; - - BN_CTX_start(ctx); - - if (BN_is_zero(a) || BN_is_zero(b)) { - BN_zero(r); - goto done; - } - - rr = r; - if (rr == a || rr == b) - rr = BN_CTX_get(ctx); - if (rr == NULL) - goto err; - - rn = a->top + b->top; - if (rn < a->top) - goto err; - if (!bn_wexpand(rr, rn)) - goto err; - - if (a->top == 4 && b->top == 4) { - bn_mul_comba4(rr->d, a->d, b->d); - } else if (a->top == 8 && b->top == 8) { - bn_mul_comba8(rr->d, a->d, b->d); - } else { - if (!bn_mul(rr, a, b, rn, ctx)) - goto err; - } - - rr->top = rn; - bn_correct_top(rr); - - BN_set_negative(rr, a->neg ^ b->neg); - - if (!bn_copy(r, rr)) - goto err; - done: - ret = 1; - err: - BN_CTX_end(ctx); - - return ret; -} -LCRYPTO_ALIAS(BN_mul); diff --git a/src/lib/libcrypto/bn/bn_prime.c b/src/lib/libcrypto/bn/bn_prime.c deleted file mode 100644 index 5a4aa50bf1..0000000000 --- a/src/lib/libcrypto/bn/bn_prime.c +++ /dev/null @@ -1,423 +0,0 @@ -/* $OpenBSD: bn_prime.c,v 1.34 2023/07/20 06:26:27 tb Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include - -#include - -#include "bn_local.h" - -/* The quick sieve algorithm approach to weeding out primes is - * Philip Zimmermann's, as implemented in PGP. I have had a read of - * his comments and implemented my own version. - */ -#include "bn_prime.h" - -static int probable_prime(BIGNUM *rnd, int bits); -static int probable_prime_dh(BIGNUM *rnd, int bits, - const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx); -static int probable_prime_dh_safe(BIGNUM *rnd, int bits, - const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx); - -int -BN_GENCB_call(BN_GENCB *cb, int a, int b) -{ - /* No callback means continue */ - if (!cb) - return 1; - switch (cb->ver) { - case 1: - /* Deprecated-style callbacks */ - if (!cb->cb.cb_1) - return 1; - cb->cb.cb_1(a, b, cb->arg); - return 1; - case 2: - /* New-style callbacks */ - return cb->cb.cb_2(a, b, cb); - default: - break; - } - /* Unrecognised callback type */ - return 0; -} -LCRYPTO_ALIAS(BN_GENCB_call); - -int -BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, - const BIGNUM *rem, BN_GENCB *cb) -{ - BN_CTX *ctx; - BIGNUM *p; - int is_prime; - int loops = 0; - int found = 0; - - if (bits < 2 || (bits == 2 && safe)) { - /* - * There are no prime numbers smaller than 2, and the smallest - * safe prime (7) spans three bits. - */ - BNerror(BN_R_BITS_TOO_SMALL); - return 0; - } - - if ((ctx = BN_CTX_new()) == NULL) - goto err; - BN_CTX_start(ctx); - if ((p = BN_CTX_get(ctx)) == NULL) - goto err; - - loop: - /* Make a random number and set the top and bottom bits. */ - if (add == NULL) { - if (!probable_prime(ret, bits)) - goto err; - } else { - if (safe) { - if (!probable_prime_dh_safe(ret, bits, add, rem, ctx)) - goto err; - } else { - if (!probable_prime_dh(ret, bits, add, rem, ctx)) - goto err; - } - } - - if (!BN_GENCB_call(cb, 0, loops++)) - goto err; - - if (!safe) { - if (!bn_is_prime_bpsw(&is_prime, ret, ctx, 1)) - goto err; - if (!is_prime) - goto loop; - } else { - if (!bn_is_prime_bpsw(&is_prime, ret, ctx, 1)) - goto err; - if (!is_prime) - goto loop; - - /* - * For safe prime generation, check that p = (ret-1)/2 is prime. - * Since this prime has >= 3 bits, it is odd, and we can simply - * divide by 2. - */ - if (!BN_rshift1(p, ret)) - goto err; - - if (!bn_is_prime_bpsw(&is_prime, p, ctx, 1)) - goto err; - if (!is_prime) - goto loop; - - if (!BN_GENCB_call(cb, 2, loops - 1)) - goto err; - } - - found = 1; - - err: - BN_CTX_end(ctx); - BN_CTX_free(ctx); - - return found; -} -LCRYPTO_ALIAS(BN_generate_prime_ex); - -int -BN_is_prime_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed, BN_GENCB *cb) -{ - return BN_is_prime_fasttest_ex(a, checks, ctx_passed, 0, cb); -} -LCRYPTO_ALIAS(BN_is_prime_ex); - -#define BN_PRIME_MAXIMUM_BITS (32 * 1024) - -int -BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed, - int do_trial_division, BN_GENCB *cb) -{ - int is_prime; - - if (checks < 0) - return -1; - - /* - * Prime numbers this large do not appear in everyday cryptography - * and checking such numbers for primality is very expensive. - */ - if (BN_num_bits(a) > BN_PRIME_MAXIMUM_BITS) { - BNerror(BN_R_BIGNUM_TOO_LONG); - return -1; - } - - if (checks == BN_prime_checks) - checks = BN_prime_checks_for_size(BN_num_bits(a)); - - /* XXX - tickle BN_GENCB in bn_is_prime_bpsw(). */ - if (!bn_is_prime_bpsw(&is_prime, a, ctx_passed, checks)) - return -1; - - return is_prime; -} -LCRYPTO_ALIAS(BN_is_prime_fasttest_ex); - -static int -probable_prime(BIGNUM *rnd, int bits) -{ - int i; - BN_ULONG mods[NUMPRIMES]; - BN_ULONG delta, maxdelta; - -again: - if (!BN_rand(rnd, bits, 1, 1)) - return (0); - /* we now have a random number 'rand' to test. */ - for (i = 1; i < NUMPRIMES; i++) { - BN_ULONG mod = BN_mod_word(rnd, primes[i]); - if (mod == (BN_ULONG)-1) - return (0); - mods[i] = mod; - } - maxdelta = BN_MASK2 - primes[NUMPRIMES - 1]; - delta = 0; -loop: - for (i = 1; i < NUMPRIMES; i++) { - /* check that rnd is not a prime and also - * that gcd(rnd-1,primes) == 1 (except for 2) */ - if (((mods[i] + delta) % primes[i]) <= 1) { - delta += 2; - if (delta > maxdelta) - goto again; - goto loop; - } - } - if (!BN_add_word(rnd, delta)) - return (0); - return (1); -} - -static int -probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add, const BIGNUM *rem, - BN_CTX *ctx) -{ - int i, ret = 0; - BIGNUM *t1; - - BN_CTX_start(ctx); - if ((t1 = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_rand(rnd, bits, 0, 1)) - goto err; - - /* we need ((rnd-rem) % add) == 0 */ - - if (!BN_mod_ct(t1, rnd, add, ctx)) - goto err; - if (!BN_sub(rnd, rnd, t1)) - goto err; - if (rem == NULL) { - if (!BN_add_word(rnd, 1)) - goto err; - } else { - if (!BN_add(rnd, rnd, rem)) - goto err; - } - - /* we now have a random number 'rand' to test. */ - -loop: - for (i = 1; i < NUMPRIMES; i++) { - /* check that rnd is a prime */ - BN_LONG mod = BN_mod_word(rnd, primes[i]); - if (mod == (BN_ULONG)-1) - goto err; - if (mod <= 1) { - if (!BN_add(rnd, rnd, add)) - goto err; - goto loop; - } - } - ret = 1; - -err: - BN_CTX_end(ctx); - return (ret); -} - -static int -probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd, - const BIGNUM *rem, BN_CTX *ctx) -{ - int i, ret = 0; - BIGNUM *t1, *qadd, *q; - - bits--; - BN_CTX_start(ctx); - if ((t1 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((q = BN_CTX_get(ctx)) == NULL) - goto err; - if ((qadd = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_rshift1(qadd, padd)) - goto err; - - if (!BN_rand(q, bits, 0, 1)) - goto err; - - /* we need ((rnd-rem) % add) == 0 */ - if (!BN_mod_ct(t1, q,qadd, ctx)) - goto err; - if (!BN_sub(q, q, t1)) - goto err; - if (rem == NULL) { - if (!BN_add_word(q, 1)) - goto err; - } else { - if (!BN_rshift1(t1, rem)) - goto err; - if (!BN_add(q, q, t1)) - goto err; - } - - /* we now have a random number 'rand' to test. */ - if (!BN_lshift1(p, q)) - goto err; - if (!BN_add_word(p, 1)) - goto err; - -loop: - for (i = 1; i < NUMPRIMES; i++) { - /* check that p and q are prime */ - /* check that for p and q - * gcd(p-1,primes) == 1 (except for 2) */ - BN_ULONG pmod = BN_mod_word(p, primes[i]); - BN_ULONG qmod = BN_mod_word(q, primes[i]); - if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1) - goto err; - if (pmod == 0 || qmod == 0) { - if (!BN_add(p, p, padd)) - goto err; - if (!BN_add(q, q, qadd)) - goto err; - goto loop; - } - } - ret = 1; - -err: - BN_CTX_end(ctx); - return (ret); -} diff --git a/src/lib/libcrypto/bn/bn_prime.h b/src/lib/libcrypto/bn/bn_prime.h deleted file mode 100644 index 4ea2d47948..0000000000 --- a/src/lib/libcrypto/bn/bn_prime.h +++ /dev/null @@ -1,14 +0,0 @@ -/* $OpenBSD: bn_prime.h,v 1.9 2022/11/10 10:24:50 tb Exp $ */ -/* - * Public domain. - */ - -#include - -__BEGIN_HIDDEN_DECLS - -#define NUMPRIMES 2048 - -extern const uint16_t primes[NUMPRIMES]; - -__END_HIDDEN_DECLS diff --git a/src/lib/libcrypto/bn/bn_prime.pl b/src/lib/libcrypto/bn/bn_prime.pl deleted file mode 100644 index f638e4a9a4..0000000000 --- a/src/lib/libcrypto/bn/bn_prime.pl +++ /dev/null @@ -1,100 +0,0 @@ -#!/usr/bin/perl -# $OpenBSD: bn_prime.pl,v 1.12 2023/03/26 08:04:57 tb Exp $ -# -# Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) -# All rights reserved. -# -# This package is an SSL implementation written -# by Eric Young (eay@cryptsoft.com). -# The implementation was written so as to conform with Netscapes SSL. -# -# This library is free for commercial and non-commercial use as long as -# the following conditions are aheared to. The following conditions -# apply to all code found in this distribution, be it the RC4, RSA, -# lhash, DES, etc., code; not just the SSL code. The SSL documentation -# included with this distribution is covered by the same copyright terms -# except that the holder is Tim Hudson (tjh@cryptsoft.com). -# -# Copyright remains Eric Young's, and as such any Copyright notices in -# the code are not to be removed. -# If this package is used in a product, Eric Young should be given attribution -# as the author of the parts of the library used. -# This can be in the form of a textual message at program startup or -# in documentation (online or textual) provided with the package. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# 3. All advertising materials mentioning features or use of this software -# must display the following acknowledgement: -# "This product includes cryptographic software written by -# Eric Young (eay@cryptsoft.com)" -# The word 'cryptographic' can be left out if the rouines from the library -# being used are not cryptographic related :-). -# 4. If you include any Windows specific code (or a derivative thereof) from -# the apps directory (application code) you must include an acknowledgement: -# "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -# -# THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# The licence and distribution terms for any publically available version or -# derivative of this code cannot be changed. i.e. this code cannot simply be -# copied and put under another distribution licence -# [including the GNU Public Licence.] - -use strict; -use warnings; - -my ($i, $num, $p, $s, @primes); - -$num = 2048; -$num = $ARGV[0] if $#ARGV >= 0; - -# The 6543rd prime is 2^16 + 1. -die "$num must be smaller than 6543" if $num >= 6543; - -push(@primes, 2); -$p = 1; - -loop: -while ($#primes < $num - 1) { - $p += 2; - $s = int(sqrt($p)); - - for ($i = 0; defined($primes[$i]) && $primes[$i] <= $s; $i++) { - next loop if $p % $primes[$i] == 0; - } - - die "\$primes[$i] is too large: $primes[$i]" if $primes[$i] > 65535; - push(@primes, $p); -} - -printf("/*\t\$" . "OpenBSD" . "\$ */\n"); -print <<\EOF; -/* - * Public domain, generated by bn_prime.pl. - */ - -EOF - -print "#include \"bn_prime.h\"\n\n"; -print "const uint16_t primes[NUMPRIMES] = {"; -for ($i = 0; $i <= $#primes; $i++) { - printf("%s%5d,", $i % 8 == 0 ? "\n\t" : " ", $primes[$i]); -} -print "\n};\n"; diff --git a/src/lib/libcrypto/bn/bn_primitives.c b/src/lib/libcrypto/bn/bn_primitives.c deleted file mode 100644 index 66427a9046..0000000000 --- a/src/lib/libcrypto/bn/bn_primitives.c +++ /dev/null @@ -1,65 +0,0 @@ -/* $OpenBSD: bn_primitives.c,v 1.2 2023/06/21 07:48:41 jsing Exp $ */ -/* - * Copyright (c) 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include "bn_arch.h" -#include "bn_internal.h" -#include "bn_local.h" - -#ifndef HAVE_BN_CLZW -#ifndef HAVE_BN_WORD_CLZ -int -bn_word_clz(BN_ULONG w) -{ - BN_ULONG bits, mask, shift; - - bits = shift = BN_BITS2; - mask = 0; - - while ((shift >>= 1) != 0) { - bits += (shift & mask) - (shift & ~mask); - mask = bn_ct_ne_zero_mask(w >> bits); - } - bits += 1 & mask; - - bits -= bn_ct_eq_zero(w); - - return BN_BITS2 - bits; -} -#endif -#endif - -#ifndef HAVE_BN_BITSIZE -int -bn_bitsize(const BIGNUM *bn) -{ - BN_ULONG n = 0, x = 0; - BN_ULONG mask, w; - int i = 0; - - while (i < bn->top) { - w = bn->d[i]; - mask = bn_ct_ne_zero_mask(w); - n = ((BN_ULONG)i & mask) | (n & ~mask); - x = (w & mask) | (x & ~mask); - i++; - } - - return (n + 1) * BN_BITS2 - bn_clzw(x); -} -#endif diff --git a/src/lib/libcrypto/bn/bn_print.c b/src/lib/libcrypto/bn/bn_print.c deleted file mode 100644 index cd8b663602..0000000000 --- a/src/lib/libcrypto/bn/bn_print.c +++ /dev/null @@ -1,191 +0,0 @@ -/* $OpenBSD: bn_print.c,v 1.47 2024/03/02 09:18:28 tb Exp $ */ - -/* - * Copyright (c) 2023 Theo Buehler - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include -#include -#include -#include - -#include -#include - -#include "bio_local.h" -#include "bn_local.h" -#include "bytestring.h" - -static int -bn_print_zero(BIO *bio, const BIGNUM *bn) -{ - if (!BN_is_zero(bn)) - return 0; - if (BIO_printf(bio, " 0\n") <= 0) - return 0; - return 1; -} - -static int -bn_print_word(BIO *bio, const BIGNUM *bn) -{ - unsigned long long word; - const char *neg = ""; - - if (BN_is_zero(bn) || BN_num_bytes(bn) > BN_BYTES) - return 0; - - if (BN_is_negative(bn)) - neg = "-"; - - word = BN_get_word(bn); - if (BIO_printf(bio, " %s%llu (%s0x%llx)\n", neg, word, neg, word) <= 0) - return 0; - - return 1; -} - -static int -bn_print_bignum(BIO *bio, const BIGNUM *bn, int indent) -{ - CBS cbs; - char *hex = NULL; - size_t hex_len = 0; - size_t octets = 0; - uint8_t hi, lo; - const char *sep = ":"; - int ret = 0; - - if (BN_num_bytes(bn) <= BN_BYTES) - goto err; - - /* Secondary indent is 4 spaces, capped at 128. */ - if (indent > 124) - indent = 124; - indent += 4; - if (indent < 0) - indent = 0; - - if (!bn_bn2hex_nosign(bn, &hex, &hex_len)) - goto err; - - CBS_init(&cbs, hex, hex_len); - - if (BN_is_negative(bn)) { - if (BIO_printf(bio, " (Negative)") <= 0) - goto err; - } - - while (CBS_len(&cbs) > 0) { - if (!CBS_get_u8(&cbs, &hi)) - goto err; - if (!CBS_get_u8(&cbs, &lo)) - goto err; - if (octets++ % 15 == 0) { - if (BIO_printf(bio, "\n%*s", indent, "") <= 0) - goto err; - } - /* First nibble has the high bit set. Insert leading 0 octet. */ - if (octets == 1 && hi >= '8') { - if (BIO_printf(bio, "00:") <= 0) - goto err; - octets++; - } - if (CBS_len(&cbs) == 0) - sep = ""; - if (BIO_printf(bio, "%c%c%s", tolower(hi), tolower(lo), sep) <= 0) - goto err; - } - - if (BIO_printf(bio, "\n") <= 0) - goto err; - - ret = 1; - - err: - freezero(hex, hex_len); - - return ret; -} - -int -bn_printf(BIO *bio, const BIGNUM *bn, int indent, const char *fmt, ...) -{ - va_list ap; - int rv; - - if (bn == NULL) - return 1; - - if (!BIO_indent(bio, indent, 128)) - return 0; - - va_start(ap, fmt); - rv = BIO_vprintf(bio, fmt, ap); - va_end(ap); - if (rv < 0) - return 0; - - if (BN_is_zero(bn)) - return bn_print_zero(bio, bn); - - if (BN_num_bytes(bn) <= BN_BYTES) - return bn_print_word(bio, bn); - - return bn_print_bignum(bio, bn, indent); -} - -int -BN_print(BIO *bio, const BIGNUM *bn) -{ - char *hex = NULL; - size_t hex_len = 0; - int ret = 0; - - if (!bn_bn2hex_nibbles(bn, &hex, &hex_len)) - goto err; - if (BIO_printf(bio, "%s", hex) <= 0) - goto err; - - ret = 1; - - err: - freezero(hex, hex_len); - - return ret; -} -LCRYPTO_ALIAS(BN_print); - -int -BN_print_fp(FILE *fp, const BIGNUM *bn) -{ - char *hex = NULL; - size_t hex_len = 0; - int ret = 0; - - if (!bn_bn2hex_nibbles(bn, &hex, &hex_len)) - goto err; - if (fprintf(fp, "%s", hex) < 0) - goto err; - - ret = 1; - - err: - freezero(hex, hex_len); - - return ret; -} -LCRYPTO_ALIAS(BN_print_fp); diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c deleted file mode 100644 index 9cfcd8e2c0..0000000000 --- a/src/lib/libcrypto/bn/bn_rand.c +++ /dev/null @@ -1,340 +0,0 @@ -/* $OpenBSD: bn_rand.c,v 1.30 2024/03/16 20:42:33 tb Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include -#include -#include -#include - -#include - -#include "bn_local.h" - -static int -bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) -{ - unsigned char *buf = NULL; - int ret = 0, bit, bytes, mask; - - if (rnd == NULL) { - BNerror(ERR_R_PASSED_NULL_PARAMETER); - return (0); - } - - if (bits < 0 || (bits == 1 && top > 0)) { - BNerror(BN_R_BITS_TOO_SMALL); - return (0); - } - if (bits > INT_MAX - 7) { - BNerror(BN_R_BIGNUM_TOO_LONG); - return (0); - } - - if (bits == 0) { - BN_zero(rnd); - return (1); - } - - bytes = (bits + 7) / 8; - bit = (bits - 1) % 8; - mask = 0xff << (bit + 1); - - buf = malloc(bytes); - if (buf == NULL) { - BNerror(ERR_R_MALLOC_FAILURE); - goto err; - } - - /* make a random number and set the top and bottom bits */ - arc4random_buf(buf, bytes); - -#if 1 - if (pseudorand == 2) { - /* generate patterns that are more likely to trigger BN - library bugs */ - int i; - unsigned char c; - - for (i = 0; i < bytes; i++) { - arc4random_buf(&c, 1); - if (c >= 128 && i > 0) - buf[i] = buf[i - 1]; - else if (c < 42) - buf[i] = 0; - else if (c < 84) - buf[i] = 255; - } - } -#endif - - if (top > 0) { - if (bit == 0) { - buf[0] = 1; - buf[1] |= 0x80; - } else { - buf[0] |= (3 << (bit - 1)); - } - } - if (top == 0) - buf[0] |= (1 << bit); - buf[0] &= ~mask; - if (bottom) /* set bottom bit if requested */ - buf[bytes - 1] |= 1; - if (BN_bin2bn(buf, bytes, rnd) == NULL) - goto err; - ret = 1; - -err: - freezero(buf, bytes); - return (ret); -} - -int -BN_rand(BIGNUM *rnd, int bits, int top, int bottom) -{ - return bnrand(0, rnd, bits, top, bottom); -} -LCRYPTO_ALIAS(BN_rand); - -int -BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) -{ - return bnrand(1, rnd, bits, top, bottom); -} -LCRYPTO_ALIAS(BN_pseudo_rand); - -#if 1 -int -BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom) -{ - return bnrand(2, rnd, bits, top, bottom); -} -#endif - - -/* random number r: 0 <= r < range */ -static int -bn_rand_range(int pseudo, BIGNUM *r, const BIGNUM *range) -{ - int (*bn_rand)(BIGNUM *, int, int, int) = pseudo ? BN_pseudo_rand : BN_rand; - int n; - int count = 100; - - if (range->neg || BN_is_zero(range)) { - BNerror(BN_R_INVALID_RANGE); - return 0; - } - - n = BN_num_bits(range); /* n > 0 */ - - /* BN_is_bit_set(range, n - 1) always holds */ - - if (n == 1) - BN_zero(r); - else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) { - /* range = 100..._2, - * so 3*range (= 11..._2) is exactly one bit longer than range */ - do { - if (!bn_rand(r, n + 1, -1, 0)) - return 0; - /* If r < 3*range, use r := r MOD range - * (which is either r, r - range, or r - 2*range). - * Otherwise, iterate once more. - * Since 3*range = 11..._2, each iteration succeeds with - * probability >= .75. */ - if (BN_cmp(r, range) >= 0) { - if (!BN_sub(r, r, range)) - return 0; - if (BN_cmp(r, range) >= 0) - if (!BN_sub(r, r, range)) - return 0; - } - - if (!--count) { - BNerror(BN_R_TOO_MANY_ITERATIONS); - return 0; - } - - } while (BN_cmp(r, range) >= 0); - } else { - do { - /* range = 11..._2 or range = 101..._2 */ - if (!bn_rand(r, n, -1, 0)) - return 0; - - if (!--count) { - BNerror(BN_R_TOO_MANY_ITERATIONS); - return 0; - } - } while (BN_cmp(r, range) >= 0); - } - - return 1; -} - -int -BN_rand_range(BIGNUM *r, const BIGNUM *range) -{ - return bn_rand_range(0, r, range); -} -LCRYPTO_ALIAS(BN_rand_range); - -int -bn_rand_in_range(BIGNUM *rnd, const BIGNUM *lower_inc, const BIGNUM *upper_exc) -{ - BIGNUM *len; - int ret = 0; - - if ((len = BN_new()) == NULL) - goto err; - if (!BN_sub(len, upper_exc, lower_inc)) - goto err; - if (!BN_rand_range(rnd, len)) - goto err; - if (!BN_add(rnd, rnd, lower_inc)) - goto err; - - ret = 1; - - err: - BN_free(len); - - return ret; -} - -int -bn_rand_interval(BIGNUM *rnd, BN_ULONG lower_word, const BIGNUM *upper_exc) -{ - BIGNUM *lower_inc = NULL; - int ret = 0; - - if ((lower_inc = BN_new()) == NULL) - goto err; - if (!BN_set_word(lower_inc, lower_word)) - goto err; - if (!bn_rand_in_range(rnd, lower_inc, upper_exc)) - goto err; - - ret = 1; - - err: - BN_free(lower_inc); - - return ret; -} - -int -BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) -{ - return bn_rand_range(1, r, range); -} -LCRYPTO_ALIAS(BN_pseudo_rand_range); diff --git a/src/lib/libcrypto/bn/bn_recp.c b/src/lib/libcrypto/bn/bn_recp.c deleted file mode 100644 index e3f22c52a9..0000000000 --- a/src/lib/libcrypto/bn/bn_recp.c +++ /dev/null @@ -1,222 +0,0 @@ -/* $OpenBSD: bn_recp.c,v 1.33 2025/02/04 20:22:20 tb Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include - -#include - -#include "bn_local.h" - -struct bn_recp_ctx_st { - BIGNUM *N; /* the divisor */ - BIGNUM *Nr; /* the reciprocal 2^shift / N */ - int num_bits; /* number of bits in N */ - int shift; -} /* BN_RECP_CTX */; - -BN_RECP_CTX * -BN_RECP_CTX_create(const BIGNUM *N) -{ - BN_RECP_CTX *recp; - - if ((recp = calloc(1, sizeof(*recp))) == NULL) - goto err; - - if ((recp->N = BN_dup(N)) == NULL) - goto err; - BN_set_negative(recp->N, 0); - recp->num_bits = BN_num_bits(recp->N); - - if ((recp->Nr = BN_new()) == NULL) - goto err; - - return recp; - - err: - BN_RECP_CTX_free(recp); - - return NULL; -} - -void -BN_RECP_CTX_free(BN_RECP_CTX *recp) -{ - if (recp == NULL) - return; - - BN_free(recp->N); - BN_free(recp->Nr); - freezero(recp, sizeof(*recp)); -} - -int -BN_div_reciprocal(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, BN_RECP_CTX *recp, - BN_CTX *ctx) -{ - int i, j, ret = 0; - BIGNUM *a, *b, *d, *r; - - if (BN_ucmp(m, recp->N) < 0) { - if (dv != NULL) - BN_zero(dv); - if (rem != NULL) - return bn_copy(rem, m); - return 1; - } - - BN_CTX_start(ctx); - if ((a = BN_CTX_get(ctx)) == NULL) - goto err; - if ((b = BN_CTX_get(ctx)) == NULL) - goto err; - - if ((d = dv) == NULL) - d = BN_CTX_get(ctx); - if (d == NULL) - goto err; - - if ((r = rem) == NULL) - r = BN_CTX_get(ctx); - if (r == NULL) - goto err; - - /* - * We want the remainder. Given input of ABCDEF / ab we need to - * multiply ABCDEF by 3 digits of the reciprocal of ab. - */ - - /* i := max(BN_num_bits(m), 2*BN_num_bits(N)) */ - i = BN_num_bits(m); - j = recp->num_bits << 1; - if (j > i) - i = j; - - /* Compute Nr := (1 << i) / N if necessary. */ - if (i != recp->shift) { - BN_zero(recp->Nr); - if (!BN_set_bit(recp->Nr, i)) - goto err; - if (!BN_div_ct(recp->Nr, NULL, recp->Nr, recp->N, ctx)) - goto err; - recp->shift = i; - } - - /* - * d := |((m >> BN_num_bits(N)) * recp->Nr) >> (i - BN_num_bits(N))| - * = |((m >> BN_num_bits(N)) * (1 << i) / N) >> (i - BN_num_bits(N))| - * <= |(m / 2^BN_num_bits(N)) * (2^i / N) * 2^BN_num_bits(N) / 2^i | - * = |m / N| - */ - if (!BN_rshift(a, m, recp->num_bits)) - goto err; - if (!BN_mul(b, a, recp->Nr, ctx)) - goto err; - if (!BN_rshift(d, b, i - recp->num_bits)) - goto err; - d->neg = 0; - - if (!BN_mul(b, recp->N, d, ctx)) - goto err; - if (!BN_usub(r, m, b)) - goto err; - r->neg = 0; - -#if 1 - j = 0; - while (BN_ucmp(r, recp->N) >= 0) { - if (j++ > 2) { - BNerror(BN_R_BAD_RECIPROCAL); - goto err; - } - if (!BN_usub(r, r, recp->N)) - goto err; - if (!BN_add_word(d, 1)) - goto err; - } -#endif - - BN_set_negative(r, m->neg); - BN_set_negative(d, m->neg ^ recp->N->neg); - - ret = 1; - -err: - BN_CTX_end(ctx); - return ret; -} - -/* Compute r = (x * y) % m. */ -int -BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y, - BN_RECP_CTX *recp, BN_CTX *ctx) -{ - if (!BN_mul(r, x, y, ctx)) - return 0; - - return BN_div_reciprocal(NULL, r, r, recp, ctx); -} - -/* Compute r = x^2 % m. */ -int -BN_mod_sqr_reciprocal(BIGNUM *r, const BIGNUM *x, BN_RECP_CTX *recp, BN_CTX *ctx) -{ - if (!BN_sqr(r, x, ctx)) - return 0; - - return BN_div_reciprocal(NULL, r, r, recp, ctx); -} diff --git a/src/lib/libcrypto/bn/bn_shift.c b/src/lib/libcrypto/bn/bn_shift.c deleted file mode 100644 index 12edc7c0a0..0000000000 --- a/src/lib/libcrypto/bn/bn_shift.c +++ /dev/null @@ -1,175 +0,0 @@ -/* $OpenBSD: bn_shift.c,v 1.22 2023/07/08 12:21:58 beck Exp $ */ -/* - * Copyright (c) 2022, 2023 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include "bn_local.h" - -static inline int -bn_lshift(BIGNUM *r, const BIGNUM *a, int n) -{ - size_t count, shift_bits, shift_words; - size_t lshift, rshift; - ssize_t rstride; - BN_ULONG *dst, *src; - - if (n < 0) { - BNerror(BN_R_INVALID_LENGTH); - return 0; - } - shift_bits = n; - - /* - * Left bit shift, potentially across word boundaries. - * - * When shift is not an exact multiple of BN_BITS2, the bottom bits of - * the previous word need to be right shifted and combined with the left - * shifted bits using bitwise OR. If shift is an exact multiple of - * BN_BITS2, the source for the left and right shifts are the same - * and the shifts become zero bits (which is effectively a memmove). - */ - shift_words = shift_bits / BN_BITS2; - lshift = shift_bits % BN_BITS2; - rshift = (BN_BITS2 - lshift) % BN_BITS2; - rstride = 0 - (lshift + rshift) / BN_BITS2; - - if (a->top < 1) { - BN_zero(r); - return 1; - } - - count = a->top + shift_words + 1; - - if (count < shift_words) - return 0; - - if (!bn_wexpand(r, count)) - return 0; - - src = a->d + a->top - 1; - dst = r->d + a->top + shift_words; - - /* Handle right shift for top most word. */ - *dst = (*src >> rshift) & rstride; - dst--; - - /* Handle left shift and right shift for remaining words. */ - while (src > a->d) { - *dst = *src << lshift | src[rstride] >> rshift; - src--; - dst--; - } - *dst = *src << lshift; - - /* Zero any additional words resulting from the left shift. */ - while (dst > r->d) { - dst--; - *dst = 0; - } - - r->top = count; - bn_correct_top(r); - - BN_set_negative(r, a->neg); - - return 1; -} - -static inline int -bn_rshift(BIGNUM *r, const BIGNUM *a, int n) -{ - size_t count, shift_bits, shift_words; - size_t lshift, rshift; - ssize_t lstride; - BN_ULONG *dst, *src; - size_t i; - - if (n < 0) { - BNerror(BN_R_INVALID_LENGTH); - return 0; - } - shift_bits = n; - - /* - * Right bit shift, potentially across word boundaries. - * - * When shift is not an exact multiple of BN_BITS2, the top bits of - * the next word need to be left shifted and combined with the right - * shifted bits using bitwise OR. If shift is an exact multiple of - * BN_BITS2, the source for the left and right shifts are the same - * and the shifts become zero (which is effectively a memmove). - */ - shift_words = shift_bits / BN_BITS2; - rshift = shift_bits % BN_BITS2; - lshift = (BN_BITS2 - rshift) % BN_BITS2; - lstride = (lshift + rshift) / BN_BITS2; - - if (a->top <= shift_words) { - BN_zero(r); - return 1; - } - count = a->top - shift_words; - - if (!bn_wexpand(r, count)) - return 0; - - src = a->d + shift_words; - dst = r->d; - - for (i = 1; i < count; i++) { - *dst = src[lstride] << lshift | *src >> rshift; - src++; - dst++; - } - *dst = *src >> rshift; - - r->top = count; - bn_correct_top(r); - - BN_set_negative(r, a->neg); - - return 1; -} - -int -BN_lshift1(BIGNUM *r, const BIGNUM *a) -{ - return bn_lshift(r, a, 1); -} -LCRYPTO_ALIAS(BN_lshift1); - -int -BN_lshift(BIGNUM *r, const BIGNUM *a, int n) -{ - return bn_lshift(r, a, n); -} -LCRYPTO_ALIAS(BN_lshift); - -int -BN_rshift1(BIGNUM *r, const BIGNUM *a) -{ - return bn_rshift(r, a, 1); -} -LCRYPTO_ALIAS(BN_rshift1); - -int -BN_rshift(BIGNUM *r, const BIGNUM *a, int n) -{ - return bn_rshift(r, a, n); -} -LCRYPTO_ALIAS(BN_rshift); diff --git a/src/lib/libcrypto/bn/bn_small_primes.c b/src/lib/libcrypto/bn/bn_small_primes.c deleted file mode 100644 index bfb7903a54..0000000000 --- a/src/lib/libcrypto/bn/bn_small_primes.c +++ /dev/null @@ -1,265 +0,0 @@ -/* $OpenBSD: bn_small_primes.c,v 1.1 2022/11/09 22:52:51 tb Exp $ */ -/* - * Public domain, generated by bn_prime.pl. - */ - -#include "bn_prime.h" - -const uint16_t primes[NUMPRIMES] = { - 2, 3, 5, 7, 11, 13, 17, 19, - 23, 29, 31, 37, 41, 43, 47, 53, - 59, 61, 67, 71, 73, 79, 83, 89, - 97, 101, 103, 107, 109, 113, 127, 131, - 137, 139, 149, 151, 157, 163, 167, 173, - 179, 181, 191, 193, 197, 199, 211, 223, - 227, 229, 233, 239, 241, 251, 257, 263, - 269, 271, 277, 281, 283, 293, 307, 311, - 313, 317, 331, 337, 347, 349, 353, 359, - 367, 373, 379, 383, 389, 397, 401, 409, - 419, 421, 431, 433, 439, 443, 449, 457, - 461, 463, 467, 479, 487, 491, 499, 503, - 509, 521, 523, 541, 547, 557, 563, 569, - 571, 577, 587, 593, 599, 601, 607, 613, - 617, 619, 631, 641, 643, 647, 653, 659, - 661, 673, 677, 683, 691, 701, 709, 719, - 727, 733, 739, 743, 751, 757, 761, 769, - 773, 787, 797, 809, 811, 821, 823, 827, - 829, 839, 853, 857, 859, 863, 877, 881, - 883, 887, 907, 911, 919, 929, 937, 941, - 947, 953, 967, 971, 977, 983, 991, 997, - 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, - 1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097, - 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163, - 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223, - 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, - 1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321, - 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, - 1427, 1429, 1433, 1439, 1447, 1451, 1453, 1459, - 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, - 1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571, - 1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619, - 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693, - 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, - 1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811, - 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, - 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, - 1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003, - 2011, 2017, 2027, 2029, 2039, 2053, 2063, 2069, - 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, - 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, - 2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267, - 2269, 2273, 2281, 2287, 2293, 2297, 2309, 2311, - 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377, - 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423, - 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, - 2521, 2531, 2539, 2543, 2549, 2551, 2557, 2579, - 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, - 2659, 2663, 2671, 2677, 2683, 2687, 2689, 2693, - 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, - 2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801, - 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, - 2879, 2887, 2897, 2903, 2909, 2917, 2927, 2939, - 2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011, - 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079, - 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, - 3169, 3181, 3187, 3191, 3203, 3209, 3217, 3221, - 3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301, - 3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347, - 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413, - 3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491, - 3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541, - 3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607, - 3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671, - 3673, 3677, 3691, 3697, 3701, 3709, 3719, 3727, - 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797, - 3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863, - 3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923, - 3929, 3931, 3943, 3947, 3967, 3989, 4001, 4003, - 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, - 4073, 4079, 4091, 4093, 4099, 4111, 4127, 4129, - 4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211, - 4217, 4219, 4229, 4231, 4241, 4243, 4253, 4259, - 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, - 4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409, - 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, - 4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547, - 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, - 4637, 4639, 4643, 4649, 4651, 4657, 4663, 4673, - 4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751, - 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813, - 4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909, - 4919, 4931, 4933, 4937, 4943, 4951, 4957, 4967, - 4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011, - 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, - 5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167, - 5171, 5179, 5189, 5197, 5209, 5227, 5231, 5233, - 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309, - 5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399, - 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443, - 5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507, - 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, - 5581, 5591, 5623, 5639, 5641, 5647, 5651, 5653, - 5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711, - 5717, 5737, 5741, 5743, 5749, 5779, 5783, 5791, - 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, - 5851, 5857, 5861, 5867, 5869, 5879, 5881, 5897, - 5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007, - 6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073, - 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, - 6143, 6151, 6163, 6173, 6197, 6199, 6203, 6211, - 6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271, - 6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329, - 6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379, - 6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473, - 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, - 6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637, - 6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701, - 6703, 6709, 6719, 6733, 6737, 6761, 6763, 6779, - 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833, - 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907, - 6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971, - 6977, 6983, 6991, 6997, 7001, 7013, 7019, 7027, - 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, - 7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207, - 7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253, - 7283, 7297, 7307, 7309, 7321, 7331, 7333, 7349, - 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, - 7459, 7477, 7481, 7487, 7489, 7499, 7507, 7517, - 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561, - 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621, - 7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, - 7699, 7703, 7717, 7723, 7727, 7741, 7753, 7757, - 7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853, - 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919, - 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009, - 8011, 8017, 8039, 8053, 8059, 8069, 8081, 8087, - 8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161, - 8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231, - 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291, - 8293, 8297, 8311, 8317, 8329, 8353, 8363, 8369, - 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443, - 8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537, - 8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609, - 8623, 8627, 8629, 8641, 8647, 8663, 8669, 8677, - 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, - 8737, 8741, 8747, 8753, 8761, 8779, 8783, 8803, - 8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861, - 8863, 8867, 8887, 8893, 8923, 8929, 8933, 8941, - 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, - 9013, 9029, 9041, 9043, 9049, 9059, 9067, 9091, - 9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161, - 9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227, - 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, - 9319, 9323, 9337, 9341, 9343, 9349, 9371, 9377, - 9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433, - 9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491, - 9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587, - 9601, 9613, 9619, 9623, 9629, 9631, 9643, 9649, - 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733, - 9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791, - 9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857, - 9859, 9871, 9883, 9887, 9901, 9907, 9923, 9929, - 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037, - 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099, - 10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163, - 10169, 10177, 10181, 10193, 10211, 10223, 10243, 10247, - 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, - 10313, 10321, 10331, 10333, 10337, 10343, 10357, 10369, - 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459, - 10463, 10477, 10487, 10499, 10501, 10513, 10529, 10531, - 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, - 10631, 10639, 10651, 10657, 10663, 10667, 10687, 10691, - 10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771, - 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859, - 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, - 10939, 10949, 10957, 10973, 10979, 10987, 10993, 11003, - 11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087, - 11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161, - 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251, - 11257, 11261, 11273, 11279, 11287, 11299, 11311, 11317, - 11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399, - 11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483, - 11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551, - 11579, 11587, 11593, 11597, 11617, 11621, 11633, 11657, - 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731, - 11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813, - 11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887, - 11897, 11903, 11909, 11923, 11927, 11933, 11939, 11941, - 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, - 12037, 12041, 12043, 12049, 12071, 12073, 12097, 12101, - 12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161, - 12163, 12197, 12203, 12211, 12227, 12239, 12241, 12251, - 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, - 12329, 12343, 12347, 12373, 12377, 12379, 12391, 12401, - 12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473, - 12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527, - 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, - 12601, 12611, 12613, 12619, 12637, 12641, 12647, 12653, - 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739, - 12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821, - 12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907, - 12911, 12917, 12919, 12923, 12941, 12953, 12959, 12967, - 12973, 12979, 12983, 13001, 13003, 13007, 13009, 13033, - 13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109, - 13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177, - 13183, 13187, 13217, 13219, 13229, 13241, 13249, 13259, - 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337, - 13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421, - 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499, - 13513, 13523, 13537, 13553, 13567, 13577, 13591, 13597, - 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, - 13687, 13691, 13693, 13697, 13709, 13711, 13721, 13723, - 13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799, - 13807, 13829, 13831, 13841, 13859, 13873, 13877, 13879, - 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, - 13963, 13967, 13997, 13999, 14009, 14011, 14029, 14033, - 14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143, - 14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221, - 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, - 14327, 14341, 14347, 14369, 14387, 14389, 14401, 14407, - 14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461, - 14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549, - 14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627, - 14629, 14633, 14639, 14653, 14657, 14669, 14683, 14699, - 14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753, - 14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821, - 14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887, - 14891, 14897, 14923, 14929, 14939, 14947, 14951, 14957, - 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073, - 15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137, - 15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217, - 15227, 15233, 15241, 15259, 15263, 15269, 15271, 15277, - 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, - 15349, 15359, 15361, 15373, 15377, 15383, 15391, 15401, - 15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473, - 15493, 15497, 15511, 15527, 15541, 15551, 15559, 15569, - 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, - 15647, 15649, 15661, 15667, 15671, 15679, 15683, 15727, - 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773, - 15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859, - 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, - 15923, 15937, 15959, 15971, 15973, 15991, 16001, 16007, - 16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087, - 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183, - 16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249, - 16253, 16267, 16273, 16301, 16319, 16333, 16339, 16349, - 16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427, - 16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493, - 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603, - 16607, 16619, 16631, 16633, 16649, 16651, 16657, 16661, - 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747, - 16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843, - 16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927, - 16931, 16937, 16943, 16963, 16979, 16981, 16987, 16993, - 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, - 17077, 17093, 17099, 17107, 17117, 17123, 17137, 17159, - 17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231, - 17239, 17257, 17291, 17293, 17299, 17317, 17321, 17327, - 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, - 17393, 17401, 17417, 17419, 17431, 17443, 17449, 17467, - 17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519, - 17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599, - 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, - 17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783, - 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, -}; diff --git a/src/lib/libcrypto/bn/bn_sqr.c b/src/lib/libcrypto/bn/bn_sqr.c deleted file mode 100644 index 0dbccbf85d..0000000000 --- a/src/lib/libcrypto/bn/bn_sqr.c +++ /dev/null @@ -1,305 +0,0 @@ -/* $OpenBSD: bn_sqr.c,v 1.36 2023/07/08 12:21:58 beck Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include -#include -#include - -#include "bn_arch.h" -#include "bn_local.h" -#include "bn_internal.h" - -int bn_sqr(BIGNUM *r, const BIGNUM *a, int max, BN_CTX *ctx); - -/* - * bn_sqr_comba4() computes r[] = a[] * a[] using Comba multiplication - * (https://everything2.com/title/Comba+multiplication), where a is a - * four word array, producing an eight word array result. - */ -#ifndef HAVE_BN_SQR_COMBA4 -void -bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a) -{ - BN_ULONG c2, c1, c0; - - bn_mulw_addtw(a[0], a[0], 0, 0, 0, &c2, &c1, &r[0]); - - bn_mul2_mulw_addtw(a[1], a[0], 0, c2, c1, &c2, &c1, &r[1]); - - bn_mulw_addtw(a[1], a[1], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[2], a[0], c2, c1, c0, &c2, &c1, &r[2]); - - bn_mul2_mulw_addtw(a[3], a[0], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[2], a[1], c2, c1, c0, &c2, &c1, &r[3]); - - bn_mulw_addtw(a[2], a[2], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[3], a[1], c2, c1, c0, &c2, &c1, &r[4]); - - bn_mul2_mulw_addtw(a[3], a[2], 0, c2, c1, &c2, &c1, &r[5]); - - bn_mulw_addtw(a[3], a[3], 0, c2, c1, &c2, &r[7], &r[6]); -} -#endif - -/* - * bn_sqr_comba8() computes r[] = a[] * a[] using Comba multiplication - * (https://everything2.com/title/Comba+multiplication), where a is an - * eight word array, producing an 16 word array result. - */ -#ifndef HAVE_BN_SQR_COMBA8 -void -bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a) -{ - BN_ULONG c2, c1, c0; - - bn_mulw_addtw(a[0], a[0], 0, 0, 0, &c2, &c1, &r[0]); - - bn_mul2_mulw_addtw(a[1], a[0], 0, c2, c1, &c2, &c1, &r[1]); - - bn_mulw_addtw(a[1], a[1], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[2], a[0], c2, c1, c0, &c2, &c1, &r[2]); - - bn_mul2_mulw_addtw(a[3], a[0], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[2], a[1], c2, c1, c0, &c2, &c1, &r[3]); - - bn_mulw_addtw(a[2], a[2], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[3], a[1], c2, c1, c0, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[4], a[0], c2, c1, c0, &c2, &c1, &r[4]); - - bn_mul2_mulw_addtw(a[5], a[0], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[4], a[1], c2, c1, c0, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[3], a[2], c2, c1, c0, &c2, &c1, &r[5]); - - bn_mulw_addtw(a[3], a[3], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[4], a[2], c2, c1, c0, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[5], a[1], c2, c1, c0, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[6], a[0], c2, c1, c0, &c2, &c1, &r[6]); - - bn_mul2_mulw_addtw(a[7], a[0], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[6], a[1], c2, c1, c0, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[5], a[2], c2, c1, c0, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[4], a[3], c2, c1, c0, &c2, &c1, &r[7]); - - bn_mulw_addtw(a[4], a[4], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[5], a[3], c2, c1, c0, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[6], a[2], c2, c1, c0, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[7], a[1], c2, c1, c0, &c2, &c1, &r[8]); - - bn_mul2_mulw_addtw(a[7], a[2], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[6], a[3], c2, c1, c0, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[5], a[4], c2, c1, c0, &c2, &c1, &r[9]); - - bn_mulw_addtw(a[5], a[5], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[6], a[4], c2, c1, c0, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[7], a[3], c2, c1, c0, &c2, &c1, &r[10]); - - bn_mul2_mulw_addtw(a[7], a[4], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[6], a[5], c2, c1, c0, &c2, &c1, &r[11]); - - bn_mulw_addtw(a[6], a[6], 0, c2, c1, &c2, &c1, &c0); - bn_mul2_mulw_addtw(a[7], a[5], c2, c1, c0, &c2, &c1, &r[12]); - - bn_mul2_mulw_addtw(a[7], a[6], 0, c2, c1, &c2, &c1, &r[13]); - - bn_mulw_addtw(a[7], a[7], 0, c2, c1, &c2, &r[15], &r[14]); -} -#endif - -#ifndef HAVE_BN_SQR -/* - * bn_sqr_add_words() computes (r[i*2+1]:r[i*2]) = (r[i*2+1]:r[i*2]) + a[i] * a[i]. - */ -static void -bn_sqr_add_words(BN_ULONG *r, const BN_ULONG *a, int n) -{ - BN_ULONG x3, x2, x1, x0; - BN_ULONG carry = 0; - - assert(n >= 0); - if (n <= 0) - return; - - while (n & ~3) { - bn_mulw(a[0], a[0], &x1, &x0); - bn_mulw(a[1], a[1], &x3, &x2); - bn_qwaddqw(x3, x2, x1, x0, r[3], r[2], r[1], r[0], carry, - &carry, &r[3], &r[2], &r[1], &r[0]); - bn_mulw(a[2], a[2], &x1, &x0); - bn_mulw(a[3], a[3], &x3, &x2); - bn_qwaddqw(x3, x2, x1, x0, r[7], r[6], r[5], r[4], carry, - &carry, &r[7], &r[6], &r[5], &r[4]); - - a += 4; - r += 8; - n -= 4; - } - while (n) { - bn_mulw_addw_addw(a[0], a[0], r[0], carry, &carry, &r[0]); - bn_addw(r[1], carry, &carry, &r[1]); - a++; - r += 2; - n--; - } -} - -static void -bn_sqr_normal(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len) -{ - const BN_ULONG *ap; - BN_ULONG *rp; - BN_ULONG w; - int n; - - if (a_len <= 0) - return; - - ap = a; - w = ap[0]; - ap++; - - rp = r; - rp[0] = rp[r_len - 1] = 0; - rp++; - - /* Compute initial product - r[n:1] = a[n:1] * a[0] */ - n = a_len - 1; - if (n > 0) { - rp[n] = bn_mul_words(rp, ap, n, w); - } - rp += 2; - n--; - - /* Compute and sum remaining products. */ - while (n > 0) { - w = ap[0]; - ap++; - - rp[n] = bn_mul_add_words(rp, ap, n, w); - rp += 2; - n--; - } - - /* Double the sum of products. */ - bn_add_words(r, r, r, r_len); - - /* Add squares. */ - bn_sqr_add_words(r, a, a_len); -} - -/* - * bn_sqr() computes a * a, storing the result in r. The caller must ensure that - * r is not the same BIGNUM as a and that r has been expanded to rn = a->top * 2 - * words. - */ -int -bn_sqr(BIGNUM *r, const BIGNUM *a, int r_len, BN_CTX *ctx) -{ - bn_sqr_normal(r->d, r_len, a->d, a->top); - - return 1; -} -#endif - -int -BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) -{ - BIGNUM *rr; - int r_len; - int ret = 1; - - BN_CTX_start(ctx); - - if (a->top < 1) { - BN_zero(r); - goto done; - } - - if ((rr = r) == a) - rr = BN_CTX_get(ctx); - if (rr == NULL) - goto err; - - if ((r_len = a->top * 2) < a->top) - goto err; - if (!bn_wexpand(rr, r_len)) - goto err; - - if (a->top == 4) { - bn_sqr_comba4(rr->d, a->d); - } else if (a->top == 8) { - bn_sqr_comba8(rr->d, a->d); - } else { - if (!bn_sqr(rr, a, r_len, ctx)) - goto err; - } - - rr->top = r_len; - bn_correct_top(rr); - - rr->neg = 0; - - if (!bn_copy(r, rr)) - goto err; - done: - ret = 1; - err: - BN_CTX_end(ctx); - - return ret; -} -LCRYPTO_ALIAS(BN_sqr); diff --git a/src/lib/libcrypto/bn/bn_word.c b/src/lib/libcrypto/bn/bn_word.c deleted file mode 100644 index a82b911e67..0000000000 --- a/src/lib/libcrypto/bn/bn_word.c +++ /dev/null @@ -1,245 +0,0 @@ -/* $OpenBSD: bn_word.c,v 1.21 2023/07/08 12:21:58 beck Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include - -#include "bn_local.h" - -BN_ULONG -BN_mod_word(const BIGNUM *a, BN_ULONG w) -{ -#ifndef BN_LLONG - BN_ULONG ret = 0; -#else - BN_ULLONG ret = 0; -#endif - int i; - - if (w == 0) - return (BN_ULONG) - 1; - -#ifndef BN_ULLONG - /* If |w| is too long and we don't have |BN_ULLONG| then we need to fall back - * to using |BN_div_word|. */ - if (w > ((BN_ULONG)1 << BN_BITS4)) { - BIGNUM *tmp = BN_dup(a); - if (tmp == NULL) { - return (BN_ULONG)-1; - } - ret = BN_div_word(tmp, w); - BN_free(tmp); - return ret; - } -#endif - - w &= BN_MASK2; - for (i = a->top - 1; i >= 0; i--) { -#ifndef BN_LLONG - ret = ((ret << BN_BITS4) | ((a->d[i] >> BN_BITS4) & - BN_MASK2l)) % w; - ret = ((ret << BN_BITS4) | (a->d[i] & BN_MASK2l)) % w; -#else - ret = (BN_ULLONG)(((ret << (BN_ULLONG)BN_BITS2) | - a->d[i]) % (BN_ULLONG)w); -#endif - } - return ((BN_ULONG)ret); -} -LCRYPTO_ALIAS(BN_mod_word); - -BN_ULONG -BN_div_word(BIGNUM *a, BN_ULONG w) -{ - BN_ULONG ret = 0; - int i, j; - - w &= BN_MASK2; - - if (!w) - /* actually this an error (division by zero) */ - return (BN_ULONG) - 1; - if (a->top == 0) - return 0; - - /* normalize input (so bn_div_words doesn't complain) */ - j = BN_BITS2 - BN_num_bits_word(w); - w <<= j; - if (!BN_lshift(a, a, j)) - return (BN_ULONG) - 1; - - for (i = a->top - 1; i >= 0; i--) { - BN_ULONG l, d; - - l = a->d[i]; - bn_div_rem_words(ret, l, w, &d, &ret); - a->d[i] = d; - } - if ((a->top > 0) && (a->d[a->top - 1] == 0)) - a->top--; - ret >>= j; - - /* Set negative again, to handle -0 case. */ - BN_set_negative(a, a->neg); - - return (ret); -} -LCRYPTO_ALIAS(BN_div_word); - -int -BN_add_word(BIGNUM *a, BN_ULONG w) -{ - BN_ULONG l; - int i; - - w &= BN_MASK2; - - /* degenerate case: w is zero */ - if (!w) - return 1; - /* degenerate case: a is zero */ - if (BN_is_zero(a)) - return BN_set_word(a, w); - /* handle 'a' when negative */ - if (a->neg) { - a->neg = 0; - i = BN_sub_word(a, w); - BN_set_negative(a, !a->neg); - return (i); - } - for (i = 0; w != 0 && i < a->top; i++) { - a->d[i] = l = (a->d[i] + w) & BN_MASK2; - w = (w > l) ? 1 : 0; - } - if (w && i == a->top) { - if (!bn_wexpand(a, a->top + 1)) - return 0; - a->top++; - a->d[i] = w; - } - return (1); -} -LCRYPTO_ALIAS(BN_add_word); - -int -BN_sub_word(BIGNUM *a, BN_ULONG w) -{ - int i; - - w &= BN_MASK2; - - /* degenerate case: w is zero */ - if (!w) - return 1; - /* degenerate case: a is zero */ - if (BN_is_zero(a)) { - i = BN_set_word(a, w); - if (i != 0) - BN_set_negative(a, 1); - return i; - } - /* handle 'a' when negative */ - if (a->neg) { - a->neg = 0; - i = BN_add_word(a, w); - BN_set_negative(a, !a->neg); - return (i); - } - - if ((a->top == 1) && (a->d[0] < w)) { - a->d[0] = w - a->d[0]; - BN_set_negative(a, 1); - return (1); - } - i = 0; - for (;;) { - if (a->d[i] >= w) { - a->d[i] -= w; - break; - } else { - a->d[i] = (a->d[i] - w) & BN_MASK2; - i++; - w = 1; - } - } - if ((a->d[i] == 0) && (i == (a->top - 1))) - a->top--; - return (1); -} -LCRYPTO_ALIAS(BN_sub_word); - -int -BN_mul_word(BIGNUM *a, BN_ULONG w) -{ - BN_ULONG ll; - - w &= BN_MASK2; - if (a->top) { - if (w == 0) - BN_zero(a); - else { - ll = bn_mul_words(a->d, a->d, a->top, w); - if (ll) { - if (!bn_wexpand(a, a->top + 1)) - return (0); - a->d[a->top++] = ll; - } - } - } - return (1); -} -LCRYPTO_ALIAS(BN_mul_word); diff --git a/src/lib/libcrypto/bn/s2n_bignum.h b/src/lib/libcrypto/bn/s2n_bignum.h deleted file mode 100644 index ce6e8cdc94..0000000000 --- a/src/lib/libcrypto/bn/s2n_bignum.h +++ /dev/null @@ -1,856 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -// ---------------------------------------------------------------------------- -// C prototypes for s2n-bignum functions, so you can use them in C programs via -// -// #include "s2n-bignum.h" -// -// The functions are listed in alphabetical order with a brief description -// in comments for each one. For more detailed documentation see the comment -// banner at the top of the corresponding assembly (.S) file, and -// for the last word in what properties it satisfies see the spec in the -// formal proof (the .ml file in the architecture-specific directory). -// -// For some functions there are additional variants with names ending in -// "_alt". These have the same core mathematical functionality as their -// non-"alt" versions, but can be better suited to some microarchitectures: -// -// - On x86, the "_alt" forms avoid BMI and ADX instruction set -// extensions, so will run on any x86_64 machine, even older ones -// -// - On ARM, the "_alt" forms target machines with higher multiplier -// throughput, generally offering higher performance there. -// ---------------------------------------------------------------------------- - -// Add, z := x + y -// Inputs x[m], y[n]; outputs function return (carry-out) and z[p] -extern uint64_t bignum_add (uint64_t p, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); - -// Add modulo p_25519, z := (x + y) mod p_25519, assuming x and y reduced -// Inputs x[4], y[4]; output z[4] -extern void bignum_add_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); - -// Add modulo p_256, z := (x + y) mod p_256, assuming x and y reduced -// Inputs x[4], y[4]; output z[4] -extern void bignum_add_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); - -// Add modulo p_256k1, z := (x + y) mod p_256k1, assuming x and y reduced -// Inputs x[4], y[4]; output z[4] -extern void bignum_add_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); - -// Add modulo p_384, z := (x + y) mod p_384, assuming x and y reduced -// Inputs x[6], y[6]; output z[6] -extern void bignum_add_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]); - -// Add modulo p_521, z := (x + y) mod p_521, assuming x and y reduced -// Inputs x[9], y[9]; output z[9] -extern void bignum_add_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]); - -// Compute "amontification" constant z :== 2^{128k} (congruent mod m) -// Input m[k]; output z[k]; temporary buffer t[>=k] -extern void bignum_amontifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t); - -// Almost-Montgomery multiply, z :== (x * y / 2^{64k}) (congruent mod m) -// Inputs x[k], y[k], m[k]; output z[k] -extern void bignum_amontmul (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m); - -// Almost-Montgomery reduce, z :== (x' / 2^{64p}) (congruent mod m) -// Inputs x[n], m[k], p; output z[k] -extern void bignum_amontredc (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t *m, uint64_t p); - -// Almost-Montgomery square, z :== (x^2 / 2^{64k}) (congruent mod m) -// Inputs x[k], m[k]; output z[k] -extern void bignum_amontsqr (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m); - -// Convert 4-digit (256-bit) bignum to/from big-endian form -// Input x[4]; output z[4] -extern void bignum_bigendian_4 (uint64_t z[static 4], uint64_t x[static 4]); - -// Convert 6-digit (384-bit) bignum to/from big-endian form -// Input x[6]; output z[6] -extern void bignum_bigendian_6 (uint64_t z[static 6], uint64_t x[static 6]); - -// Select bitfield starting at bit n with length l <= 64 -// Inputs x[k], n, l; output function return -extern uint64_t bignum_bitfield (uint64_t k, uint64_t *x, uint64_t n, uint64_t l); - -// Return size of bignum in bits -// Input x[k]; output function return -extern uint64_t bignum_bitsize (uint64_t k, uint64_t *x); - -// Divide by a single (nonzero) word, z := x / m and return x mod m -// Inputs x[n], m; outputs function return (remainder) and z[k] -extern uint64_t bignum_cdiv (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t m); - -// Divide by a single word, z := x / m when known to be exact -// Inputs x[n], m; output z[k] -extern void bignum_cdiv_exact (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t m); - -// Count leading zero digits (64-bit words) -// Input x[k]; output function return -extern uint64_t bignum_cld (uint64_t k, uint64_t *x); - -// Count leading zero bits -// Input x[k]; output function return -extern uint64_t bignum_clz (uint64_t k, uint64_t *x); - -// Multiply-add with single-word multiplier, z := z + c * y -// Inputs c, y[n]; outputs function return (carry-out) and z[k] -extern uint64_t bignum_cmadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y); - -// Negated multiply-add with single-word multiplier, z := z - c * y -// Inputs c, y[n]; outputs function return (negative carry-out) and z[k] -extern uint64_t bignum_cmnegadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y); - -// Find modulus of bignum w.r.t. single nonzero word m, returning x mod m -// Input x[k], m; output function return -extern uint64_t bignum_cmod (uint64_t k, uint64_t *x, uint64_t m); - -// Multiply by a single word, z := c * y -// Inputs c, y[n]; outputs function return (carry-out) and z[k] -extern uint64_t bignum_cmul (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y); - -// Multiply by a single word modulo p_25519, z := (c * x) mod p_25519, assuming x reduced -// Inputs c, x[4]; output z[4] -extern void bignum_cmul_p25519 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]); -extern void bignum_cmul_p25519_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]); - -// Multiply by a single word modulo p_256, z := (c * x) mod p_256, assuming x reduced -// Inputs c, x[4]; output z[4] -extern void bignum_cmul_p256 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]); -extern void bignum_cmul_p256_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]); - -// Multiply by a single word modulo p_256k1, z := (c * x) mod p_256k1, assuming x reduced -// Inputs c, x[4]; output z[4] -extern void bignum_cmul_p256k1 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]); -extern void bignum_cmul_p256k1_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]); - -// Multiply by a single word modulo p_384, z := (c * x) mod p_384, assuming x reduced -// Inputs c, x[6]; output z[6] -extern void bignum_cmul_p384 (uint64_t z[static 6], uint64_t c, uint64_t x[static 6]); -extern void bignum_cmul_p384_alt (uint64_t z[static 6], uint64_t c, uint64_t x[static 6]); - -// Multiply by a single word modulo p_521, z := (c * x) mod p_521, assuming x reduced -// Inputs c, x[9]; output z[9] -extern void bignum_cmul_p521 (uint64_t z[static 9], uint64_t c, uint64_t x[static 9]); -extern void bignum_cmul_p521_alt (uint64_t z[static 9], uint64_t c, uint64_t x[static 9]); - -// Test bignums for coprimality, gcd(x,y) = 1 -// Inputs x[m], y[n]; output function return; temporary buffer t[>=2*max(m,n)] -extern uint64_t bignum_coprime (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y, uint64_t *t); - -// Copy bignum with zero-extension or truncation, z := x -// Input x[n]; output z[k] -extern void bignum_copy (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x); - -// Count trailing zero digits (64-bit words) -// Input x[k]; output function return -extern uint64_t bignum_ctd (uint64_t k, uint64_t *x); - -// Count trailing zero bits -// Input x[k]; output function return -extern uint64_t bignum_ctz (uint64_t k, uint64_t *x); - -// Convert from almost-Montgomery form, z := (x / 2^256) mod p_256 -// Input x[4]; output z[4] -extern void bignum_deamont_p256 (uint64_t z[static 4], uint64_t x[static 4]); -extern void bignum_deamont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]); - -// Convert from almost-Montgomery form, z := (x / 2^256) mod p_256k1 -// Input x[4]; output z[4] -extern void bignum_deamont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]); - -// Convert from almost-Montgomery form, z := (x / 2^384) mod p_384 -// Input x[6]; output z[6] -extern void bignum_deamont_p384 (uint64_t z[static 6], uint64_t x[static 6]); -extern void bignum_deamont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]); - -// Convert from almost-Montgomery form z := (x / 2^576) mod p_521 -// Input x[9]; output z[9] -extern void bignum_deamont_p521 (uint64_t z[static 9], uint64_t x[static 9]); - -// Convert from (almost-)Montgomery form z := (x / 2^{64k}) mod m -// Inputs x[k], m[k]; output z[k] -extern void bignum_demont (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m); - -// Convert from Montgomery form z := (x / 2^256) mod p_256, assuming x reduced -// Input x[4]; output z[4] -extern void bignum_demont_p256 (uint64_t z[static 4], uint64_t x[static 4]); -extern void bignum_demont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]); - -// Convert from Montgomery form z := (x / 2^256) mod p_256k1, assuming x reduced -// Input x[4]; output z[4] -extern void bignum_demont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]); - -// Convert from Montgomery form z := (x / 2^384) mod p_384, assuming x reduced -// Input x[6]; output z[6] -extern void bignum_demont_p384 (uint64_t z[static 6], uint64_t x[static 6]); -extern void bignum_demont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]); - -// Convert from Montgomery form z := (x / 2^576) mod p_521, assuming x reduced -// Input x[9]; output z[9] -extern void bignum_demont_p521 (uint64_t z[static 9], uint64_t x[static 9]); - -// Select digit x[n] -// Inputs x[k], n; output function return -extern uint64_t bignum_digit (uint64_t k, uint64_t *x, uint64_t n); - -// Return size of bignum in digits (64-bit word) -// Input x[k]; output function return -extern uint64_t bignum_digitsize (uint64_t k, uint64_t *x); - -// Divide bignum by 10: z' := z div 10, returning remainder z mod 10 -// Inputs z[k]; outputs function return (remainder) and z[k] -extern uint64_t bignum_divmod10 (uint64_t k, uint64_t *z); - -// Double modulo p_25519, z := (2 * x) mod p_25519, assuming x reduced -// Input x[4]; output z[4] -extern void bignum_double_p25519 (uint64_t z[static 4], uint64_t x[static 4]); - -// Double modulo p_256, z := (2 * x) mod p_256, assuming x reduced -// Input x[4]; output z[4] -extern void bignum_double_p256 (uint64_t z[static 4], uint64_t x[static 4]); - -// Double modulo p_256k1, z := (2 * x) mod p_256k1, assuming x reduced -// Input x[4]; output z[4] -extern void bignum_double_p256k1 (uint64_t z[static 4], uint64_t x[static 4]); - -// Double modulo p_384, z := (2 * x) mod p_384, assuming x reduced -// Input x[6]; output z[6] -extern void bignum_double_p384 (uint64_t z[static 6], uint64_t x[static 6]); - -// Double modulo p_521, z := (2 * x) mod p_521, assuming x reduced -// Input x[9]; output z[9] -extern void bignum_double_p521 (uint64_t z[static 9], uint64_t x[static 9]); - -// Extended Montgomery reduce, returning results in input-output buffer -// Inputs z[2*k], m[k], w; outputs function return (extra result bit) and z[2*k] -extern uint64_t bignum_emontredc (uint64_t k, uint64_t *z, uint64_t *m, uint64_t w); - -// Extended Montgomery reduce in 8-digit blocks, results in input-output buffer -// Inputs z[2*k], m[k], w; outputs function return (extra result bit) and z[2*k] -extern uint64_t bignum_emontredc_8n (uint64_t k, uint64_t *z, uint64_t *m, uint64_t w); - -// Test bignums for equality, x = y -// Inputs x[m], y[n]; output function return -extern uint64_t bignum_eq (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); - -// Test bignum for even-ness -// Input x[k]; output function return -extern uint64_t bignum_even (uint64_t k, uint64_t *x); - -// Convert 4-digit (256-bit) bignum from big-endian bytes -// Input x[32] (bytes); output z[4] -extern void bignum_frombebytes_4 (uint64_t z[static 4], uint8_t x[static 32]); - -// Convert 6-digit (384-bit) bignum from big-endian bytes -// Input x[48] (bytes); output z[6] -extern void bignum_frombebytes_6 (uint64_t z[static 6], uint8_t x[static 48]); - -// Convert 4-digit (256-bit) bignum from little-endian bytes -// Input x[32] (bytes); output z[4] -extern void bignum_fromlebytes_4 (uint64_t z[static 4], uint8_t x[static 32]); - -// Convert 6-digit (384-bit) bignum from little-endian bytes -// Input x[48] (bytes); output z[6] -extern void bignum_fromlebytes_6 (uint64_t z[static 6], uint8_t x[static 48]); - -// Convert little-endian bytes to 9-digit 528-bit bignum -// Input x[66] (bytes); output z[9] -extern void bignum_fromlebytes_p521 (uint64_t z[static 9],uint8_t x[static 66]); - -// Compare bignums, x >= y -// Inputs x[m], y[n]; output function return -extern uint64_t bignum_ge (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); - -// Compare bignums, x > y -// Inputs x[m], y[n]; output function return -extern uint64_t bignum_gt (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); - -// Halve modulo p_256, z := (x / 2) mod p_256, assuming x reduced -// Input x[4]; output z[4] -extern void bignum_half_p256 (uint64_t z[static 4], uint64_t x[static 4]); - -// Halve modulo p_256k1, z := (x / 2) mod p_256k1, assuming x reduced -// Input x[4]; output z[4] -extern void bignum_half_p256k1 (uint64_t z[static 4], uint64_t x[static 4]); - -// Halve modulo p_384, z := (x / 2) mod p_384, assuming x reduced -// Input x[6]; output z[6] -extern void bignum_half_p384 (uint64_t z[static 6], uint64_t x[static 6]); - -// Halve modulo p_521, z := (x / 2) mod p_521, assuming x reduced -// Input x[9]; output z[9] -extern void bignum_half_p521 (uint64_t z[static 9], uint64_t x[static 9]); - -// Test bignum for zero-ness, x = 0 -// Input x[k]; output function return -extern uint64_t bignum_iszero (uint64_t k, uint64_t *x); - -// Multiply z := x * y -// Inputs x[16], y[16]; output z[32]; temporary buffer t[>=32] -extern void bignum_kmul_16_32 (uint64_t z[static 32], uint64_t x[static 16], uint64_t y[static 16], uint64_t t[static 32]); - -// Multiply z := x * y -// Inputs x[32], y[32]; output z[64]; temporary buffer t[>=96] -extern void bignum_kmul_32_64 (uint64_t z[static 64], uint64_t x[static 32], uint64_t y[static 32], uint64_t t[static 96]); - -// Square, z := x^2 -// Input x[16]; output z[32]; temporary buffer t[>=24] -extern void bignum_ksqr_16_32 (uint64_t z[static 32], uint64_t x[static 16], uint64_t t[static 24]); - -// Square, z := x^2 -// Input x[32]; output z[64]; temporary buffer t[>=72] -extern void bignum_ksqr_32_64 (uint64_t z[static 64], uint64_t x[static 32], uint64_t t[static 72]); - -// Compare bignums, x <= y -// Inputs x[m], y[n]; output function return -extern uint64_t bignum_le (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); - -// Convert 4-digit (256-bit) bignum to/from little-endian form -// Input x[4]; output z[4] -extern void bignum_littleendian_4 (uint64_t z[static 4], uint64_t x[static 4]); - -// Convert 6-digit (384-bit) bignum to/from little-endian form -// Input x[6]; output z[6] -extern void bignum_littleendian_6 (uint64_t z[static 6], uint64_t x[static 6]); - -// Compare bignums, x < y -// Inputs x[m], y[n]; output function return -extern uint64_t bignum_lt (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); - -// Multiply-add, z := z + x * y -// Inputs x[m], y[n]; outputs function return (carry-out) and z[k] -extern uint64_t bignum_madd (uint64_t k, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); - -// Reduce modulo group order, z := x mod n_256 -// Input x[k]; output z[4] -extern void bignum_mod_n256 (uint64_t z[static 4], uint64_t k, uint64_t *x); -extern void bignum_mod_n256_alt (uint64_t z[static 4], uint64_t k, uint64_t *x); - -// Reduce modulo group order, z := x mod n_256 -// Input x[4]; output z[4] -extern void bignum_mod_n256_4 (uint64_t z[static 4], uint64_t x[static 4]); - -// Reduce modulo group order, z := x mod n_256k1 -// Input x[4]; output z[4] -extern void bignum_mod_n256k1_4 (uint64_t z[static 4], uint64_t x[static 4]); - -// Reduce modulo group order, z := x mod n_384 -// Input x[k]; output z[6] -extern void bignum_mod_n384 (uint64_t z[static 6], uint64_t k, uint64_t *x); -extern void bignum_mod_n384_alt (uint64_t z[static 6], uint64_t k, uint64_t *x); - -// Reduce modulo group order, z := x mod n_384 -// Input x[6]; output z[6] -extern void bignum_mod_n384_6 (uint64_t z[static 6], uint64_t x[static 6]); - -// Reduce modulo group order, z := x mod n_521 -// Input x[9]; output z[9] -extern void bignum_mod_n521_9 (uint64_t z[static 9], uint64_t x[static 9]); -extern void bignum_mod_n521_9_alt (uint64_t z[static 9], uint64_t x[static 9]); - -// Reduce modulo field characteristic, z := x mod p_25519 -// Input x[4]; output z[4] -extern void bignum_mod_p25519_4 (uint64_t z[static 4], uint64_t x[static 4]); - -// Reduce modulo field characteristic, z := x mod p_256 -// Input x[k]; output z[4] -extern void bignum_mod_p256 (uint64_t z[static 4], uint64_t k, uint64_t *x); -extern void bignum_mod_p256_alt (uint64_t z[static 4], uint64_t k, uint64_t *x); - -// Reduce modulo field characteristic, z := x mod p_256 -// Input x[4]; output z[4] -extern void bignum_mod_p256_4 (uint64_t z[static 4], uint64_t x[static 4]); - -// Reduce modulo field characteristic, z := x mod p_256k1 -// Input x[4]; output z[4] -extern void bignum_mod_p256k1_4 (uint64_t z[static 4], uint64_t x[static 4]); - -// Reduce modulo field characteristic, z := x mod p_384 -// Input x[k]; output z[6] -extern void bignum_mod_p384 (uint64_t z[static 6], uint64_t k, uint64_t *x); -extern void bignum_mod_p384_alt (uint64_t z[static 6], uint64_t k, uint64_t *x); - -// Reduce modulo field characteristic, z := x mod p_384 -// Input x[6]; output z[6] -extern void bignum_mod_p384_6 (uint64_t z[static 6], uint64_t x[static 6]); - -// Reduce modulo field characteristic, z := x mod p_521 -// Input x[9]; output z[9] -extern void bignum_mod_p521_9 (uint64_t z[static 9], uint64_t x[static 9]); - -// Add modulo m, z := (x + y) mod m, assuming x and y reduced -// Inputs x[k], y[k], m[k]; output z[k] -extern void bignum_modadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m); - -// Double modulo m, z := (2 * x) mod m, assuming x reduced -// Inputs x[k], m[k]; output z[k] -extern void bignum_moddouble (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m); - -// Compute "modification" constant z := 2^{64k} mod m -// Input m[k]; output z[k]; temporary buffer t[>=k] -extern void bignum_modifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t); - -// Invert modulo m, z = (1/a) mod b, assuming b is an odd number > 1, a coprime to b -// Inputs a[k], b[k]; output z[k]; temporary buffer t[>=3*k] -extern void bignum_modinv (uint64_t k, uint64_t *z, uint64_t *a, uint64_t *b, uint64_t *t); - -// Optionally negate modulo m, z := (-x) mod m (if p nonzero) or z := x (if p zero), assuming x reduced -// Inputs p, x[k], m[k]; output z[k] -extern void bignum_modoptneg (uint64_t k, uint64_t *z, uint64_t p, uint64_t *x, uint64_t *m); - -// Subtract modulo m, z := (x - y) mod m, assuming x and y reduced -// Inputs x[k], y[k], m[k]; output z[k] -extern void bignum_modsub (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m); - -// Compute "montification" constant z := 2^{128k} mod m -// Input m[k]; output z[k]; temporary buffer t[>=k] -extern void bignum_montifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t); - -// Montgomery multiply, z := (x * y / 2^{64k}) mod m -// Inputs x[k], y[k], m[k]; output z[k] -extern void bignum_montmul (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m); - -// Montgomery multiply, z := (x * y / 2^256) mod p_256 -// Inputs x[4], y[4]; output z[4] -extern void bignum_montmul_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); -extern void bignum_montmul_p256_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); - -// Montgomery multiply, z := (x * y / 2^256) mod p_256k1 -// Inputs x[4], y[4]; output z[4] -extern void bignum_montmul_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); -extern void bignum_montmul_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); - -// Montgomery multiply, z := (x * y / 2^384) mod p_384 -// Inputs x[6], y[6]; output z[6] -extern void bignum_montmul_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]); -extern void bignum_montmul_p384_alt (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]); - -// Montgomery multiply, z := (x * y / 2^576) mod p_521 -// Inputs x[9], y[9]; output z[9] -extern void bignum_montmul_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]); -extern void bignum_montmul_p521_alt (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]); - -// Montgomery reduce, z := (x' / 2^{64p}) MOD m -// Inputs x[n], m[k], p; output z[k] -extern void bignum_montredc (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t *m, uint64_t p); - -// Montgomery square, z := (x^2 / 2^{64k}) mod m -// Inputs x[k], m[k]; output z[k] -extern void bignum_montsqr (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m); - -// Montgomery square, z := (x^2 / 2^256) mod p_256 -// Input x[4]; output z[4] -extern void bignum_montsqr_p256 (uint64_t z[static 4], uint64_t x[static 4]); -extern void bignum_montsqr_p256_alt (uint64_t z[static 4], uint64_t x[static 4]); - -// Montgomery square, z := (x^2 / 2^256) mod p_256k1 -// Input x[4]; output z[4] -extern void bignum_montsqr_p256k1 (uint64_t z[static 4], uint64_t x[static 4]); -extern void bignum_montsqr_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]); - -// Montgomery square, z := (x^2 / 2^384) mod p_384 -// Input x[6]; output z[6] -extern void bignum_montsqr_p384 (uint64_t z[static 6], uint64_t x[static 6]); -extern void bignum_montsqr_p384_alt (uint64_t z[static 6], uint64_t x[static 6]); - -// Montgomery square, z := (x^2 / 2^576) mod p_521 -// Input x[9]; output z[9] -extern void bignum_montsqr_p521 (uint64_t z[static 9], uint64_t x[static 9]); -extern void bignum_montsqr_p521_alt (uint64_t z[static 9], uint64_t x[static 9]); - -// Multiply z := x * y -// Inputs x[m], y[n]; output z[k] -extern void bignum_mul (uint64_t k, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); - -// Multiply z := x * y -// Inputs x[4], y[4]; output z[8] -extern void bignum_mul_4_8 (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]); -extern void bignum_mul_4_8_alt (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]); - -// Multiply z := x * y -// Inputs x[6], y[6]; output z[12] -extern void bignum_mul_6_12 (uint64_t z[static 12], uint64_t x[static 6], uint64_t y[static 6]); -extern void bignum_mul_6_12_alt (uint64_t z[static 12], uint64_t x[static 6], uint64_t y[static 6]); - -// Multiply z := x * y -// Inputs x[8], y[8]; output z[16] -extern void bignum_mul_8_16 (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]); -extern void bignum_mul_8_16_alt (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]); - -// Multiply modulo p_25519, z := (x * y) mod p_25519 -// Inputs x[4], y[4]; output z[4] -extern void bignum_mul_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); -extern void bignum_mul_p25519_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); - -// Multiply modulo p_256k1, z := (x * y) mod p_256k1 -// Inputs x[4], y[4]; output z[4] -extern void bignum_mul_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); -extern void bignum_mul_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); - -// Multiply modulo p_521, z := (x * y) mod p_521, assuming x and y reduced -// Inputs x[9], y[9]; output z[9] -extern void bignum_mul_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]); -extern void bignum_mul_p521_alt (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]); - -// Multiply bignum by 10 and add word: z := 10 * z + d -// Inputs z[k], d; outputs function return (carry) and z[k] -extern uint64_t bignum_muladd10 (uint64_t k, uint64_t *z, uint64_t d); - -// Multiplex/select z := x (if p nonzero) or z := y (if p zero) -// Inputs p, x[k], y[k]; output z[k] -extern void bignum_mux (uint64_t p, uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y); - -// 256-bit multiplex/select z := x (if p nonzero) or z := y (if p zero) -// Inputs p, x[4], y[4]; output z[4] -extern void bignum_mux_4 (uint64_t p, uint64_t z[static 4],uint64_t x[static 4], uint64_t y[static 4]); - -// 384-bit multiplex/select z := x (if p nonzero) or z := y (if p zero) -// Inputs p, x[6], y[6]; output z[6] -extern void bignum_mux_6 (uint64_t p, uint64_t z[static 6],uint64_t x[static 6], uint64_t y[static 6]); - -// Select element from 16-element table, z := xs[k*i] -// Inputs xs[16*k], i; output z[k] -extern void bignum_mux16 (uint64_t k, uint64_t *z, uint64_t *xs, uint64_t i); - -// Negate modulo p_25519, z := (-x) mod p_25519, assuming x reduced -// Input x[4]; output z[4] -extern void bignum_neg_p25519 (uint64_t z[static 4], uint64_t x[static 4]); - -// Negate modulo p_256, z := (-x) mod p_256, assuming x reduced -// Input x[4]; output z[4] -extern void bignum_neg_p256 (uint64_t z[static 4], uint64_t x[static 4]); - -// Negate modulo p_256k1, z := (-x) mod p_256k1, assuming x reduced -// Input x[4]; output z[4] -extern void bignum_neg_p256k1 (uint64_t z[static 4], uint64_t x[static 4]); - -// Negate modulo p_384, z := (-x) mod p_384, assuming x reduced -// Input x[6]; output z[6] -extern void bignum_neg_p384 (uint64_t z[static 6], uint64_t x[static 6]); - -// Negate modulo p_521, z := (-x) mod p_521, assuming x reduced -// Input x[9]; output z[9] -extern void bignum_neg_p521 (uint64_t z[static 9], uint64_t x[static 9]); - -// Negated modular inverse, z := (-1/x) mod 2^{64k} -// Input x[k]; output z[k] -extern void bignum_negmodinv (uint64_t k, uint64_t *z, uint64_t *x); - -// Test bignum for nonzero-ness x =/= 0 -// Input x[k]; output function return -extern uint64_t bignum_nonzero (uint64_t k, uint64_t *x); - -// Test 256-bit bignum for nonzero-ness x =/= 0 -// Input x[4]; output function return -extern uint64_t bignum_nonzero_4(uint64_t x[static 4]); - -// Test 384-bit bignum for nonzero-ness x =/= 0 -// Input x[6]; output function return -extern uint64_t bignum_nonzero_6(uint64_t x[static 6]); - -// Normalize bignum in-place by shifting left till top bit is 1 -// Input z[k]; outputs function return (bits shifted left) and z[k] -extern uint64_t bignum_normalize (uint64_t k, uint64_t *z); - -// Test bignum for odd-ness -// Input x[k]; output function return -extern uint64_t bignum_odd (uint64_t k, uint64_t *x); - -// Convert single digit to bignum, z := n -// Input n; output z[k] -extern void bignum_of_word (uint64_t k, uint64_t *z, uint64_t n); - -// Optionally add, z := x + y (if p nonzero) or z := x (if p zero) -// Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k] -extern uint64_t bignum_optadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y); - -// Optionally negate, z := -x (if p nonzero) or z := x (if p zero) -// Inputs p, x[k]; outputs function return (nonzero input) and z[k] -extern uint64_t bignum_optneg (uint64_t k, uint64_t *z, uint64_t p, uint64_t *x); - -// Optionally negate modulo p_25519, z := (-x) mod p_25519 (if p nonzero) or z := x (if p zero), assuming x reduced -// Inputs p, x[4]; output z[4] -extern void bignum_optneg_p25519 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]); - -// Optionally negate modulo p_256, z := (-x) mod p_256 (if p nonzero) or z := x (if p zero), assuming x reduced -// Inputs p, x[4]; output z[4] -extern void bignum_optneg_p256 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]); - -// Optionally negate modulo p_256k1, z := (-x) mod p_256k1 (if p nonzero) or z := x (if p zero), assuming x reduced -// Inputs p, x[4]; output z[4] -extern void bignum_optneg_p256k1 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]); - -// Optionally negate modulo p_384, z := (-x) mod p_384 (if p nonzero) or z := x (if p zero), assuming x reduced -// Inputs p, x[6]; output z[6] -extern void bignum_optneg_p384 (uint64_t z[static 6], uint64_t p, uint64_t x[static 6]); - -// Optionally negate modulo p_521, z := (-x) mod p_521 (if p nonzero) or z := x (if p zero), assuming x reduced -// Inputs p, x[9]; output z[9] -extern void bignum_optneg_p521 (uint64_t z[static 9], uint64_t p, uint64_t x[static 9]); - -// Optionally subtract, z := x - y (if p nonzero) or z := x (if p zero) -// Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k] -extern uint64_t bignum_optsub (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y); - -// Optionally subtract or add, z := x + sgn(p) * y interpreting p as signed -// Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k] -extern uint64_t bignum_optsubadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y); - -// Return bignum of power of 2, z := 2^n -// Input n; output z[k] -extern void bignum_pow2 (uint64_t k, uint64_t *z, uint64_t n); - -// Shift bignum left by c < 64 bits z := x * 2^c -// Inputs x[n], c; outputs function return (carry-out) and z[k] -extern uint64_t bignum_shl_small (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t c); - -// Shift bignum right by c < 64 bits z := floor(x / 2^c) -// Inputs x[n], c; outputs function return (bits shifted out) and z[k] -extern uint64_t bignum_shr_small (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t c); - -// Square, z := x^2 -// Input x[n]; output z[k] -extern void bignum_sqr (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x); - -// Square, z := x^2 -// Input x[4]; output z[8] -extern void bignum_sqr_4_8 (uint64_t z[static 8], uint64_t x[static 4]); -extern void bignum_sqr_4_8_alt (uint64_t z[static 8], uint64_t x[static 4]); - -// Square, z := x^2 -// Input x[6]; output z[12] -extern void bignum_sqr_6_12 (uint64_t z[static 12], uint64_t x[static 6]); -extern void bignum_sqr_6_12_alt (uint64_t z[static 12], uint64_t x[static 6]); - -// Square, z := x^2 -// Input x[8]; output z[16] -extern void bignum_sqr_8_16 (uint64_t z[static 16], uint64_t x[static 8]); -extern void bignum_sqr_8_16_alt (uint64_t z[static 16], uint64_t x[static 8]); - -// Square modulo p_25519, z := (x^2) mod p_25519 -// Input x[4]; output z[4] -extern void bignum_sqr_p25519 (uint64_t z[static 4], uint64_t x[static 4]); -extern void bignum_sqr_p25519_alt (uint64_t z[static 4], uint64_t x[static 4]); - -// Square modulo p_256k1, z := (x^2) mod p_256k1 -// Input x[4]; output z[4] -extern void bignum_sqr_p256k1 (uint64_t z[static 4], uint64_t x[static 4]); -extern void bignum_sqr_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]); - -// Square modulo p_521, z := (x^2) mod p_521, assuming x reduced -// Input x[9]; output z[9] -extern void bignum_sqr_p521 (uint64_t z[static 9], uint64_t x[static 9]); -extern void bignum_sqr_p521_alt (uint64_t z[static 9], uint64_t x[static 9]); - -// Subtract, z := x - y -// Inputs x[m], y[n]; outputs function return (carry-out) and z[p] -extern uint64_t bignum_sub (uint64_t p, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); - -// Subtract modulo p_25519, z := (x - y) mod p_25519, assuming x and y reduced -// Inputs x[4], y[4]; output z[4] -extern void bignum_sub_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); - -// Subtract modulo p_256, z := (x - y) mod p_256, assuming x and y reduced -// Inputs x[4], y[4]; output z[4] -extern void bignum_sub_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); - -// Subtract modulo p_256k1, z := (x - y) mod p_256k1, assuming x and y reduced -// Inputs x[4], y[4]; output z[4] -extern void bignum_sub_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); - -// Subtract modulo p_384, z := (x - y) mod p_384, assuming x and y reduced -// Inputs x[6], y[6]; output z[6] -extern void bignum_sub_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]); - -// Subtract modulo p_521, z := (x - y) mod p_521, assuming x and y reduced -// Inputs x[9], y[9]; output z[9] -extern void bignum_sub_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]); - -// Convert 4-digit (256-bit) bignum to big-endian bytes -// Input x[4]; output z[32] (bytes) -extern void bignum_tobebytes_4 (uint8_t z[static 32], uint64_t x[static 4]); - -// Convert 6-digit (384-bit) bignum to big-endian bytes -// Input x[6]; output z[48] (bytes) -extern void bignum_tobebytes_6 (uint8_t z[static 48], uint64_t x[static 6]); - -// Convert 4-digit (256-bit) bignum to little-endian bytes -// Input x[4]; output z[32] (bytes) -extern void bignum_tolebytes_4 (uint8_t z[static 32], uint64_t x[static 4]); - -// Convert 6-digit (384-bit) bignum to little-endian bytes -// Input x[6]; output z[48] (bytes) -extern void bignum_tolebytes_6 (uint8_t z[static 48], uint64_t x[static 6]); - -// Convert 9-digit 528-bit bignum to little-endian bytes -// Input x[6]; output z[66] (bytes) -extern void bignum_tolebytes_p521 (uint8_t z[static 66], uint64_t x[static 9]); - -// Convert to Montgomery form z := (2^256 * x) mod p_256 -// Input x[4]; output z[4] -extern void bignum_tomont_p256 (uint64_t z[static 4], uint64_t x[static 4]); -extern void bignum_tomont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]); - -// Convert to Montgomery form z := (2^256 * x) mod p_256k1 -// Input x[4]; output z[4] -extern void bignum_tomont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]); -extern void bignum_tomont_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]); - -// Convert to Montgomery form z := (2^384 * x) mod p_384 -// Input x[6]; output z[6] -extern void bignum_tomont_p384 (uint64_t z[static 6], uint64_t x[static 6]); -extern void bignum_tomont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]); - -// Convert to Montgomery form z := (2^576 * x) mod p_521 -// Input x[9]; output z[9] -extern void bignum_tomont_p521 (uint64_t z[static 9], uint64_t x[static 9]); - -// Triple modulo p_256, z := (3 * x) mod p_256 -// Input x[4]; output z[4] -extern void bignum_triple_p256 (uint64_t z[static 4], uint64_t x[static 4]); -extern void bignum_triple_p256_alt (uint64_t z[static 4], uint64_t x[static 4]); - -// Triple modulo p_256k1, z := (3 * x) mod p_256k1 -// Input x[4]; output z[4] -extern void bignum_triple_p256k1 (uint64_t z[static 4], uint64_t x[static 4]); -extern void bignum_triple_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]); - -// Triple modulo p_384, z := (3 * x) mod p_384 -// Input x[6]; output z[6] -extern void bignum_triple_p384 (uint64_t z[static 6], uint64_t x[static 6]); -extern void bignum_triple_p384_alt (uint64_t z[static 6], uint64_t x[static 6]); - -// Triple modulo p_521, z := (3 * x) mod p_521, assuming x reduced -// Input x[9]; output z[9] -extern void bignum_triple_p521 (uint64_t z[static 9], uint64_t x[static 9]); -extern void bignum_triple_p521_alt (uint64_t z[static 9], uint64_t x[static 9]); - -// Montgomery ladder step for curve25519 -// Inputs point[8], pp[16], b; output rr[16] -extern void curve25519_ladderstep(uint64_t rr[16],uint64_t point[8],uint64_t pp[16],uint64_t b); -extern void curve25519_ladderstep_alt(uint64_t rr[16],uint64_t point[8],uint64_t pp[16],uint64_t b); - -// Projective scalar multiplication, x coordinate only, for curve25519 -// Inputs scalar[4], point[4]; output res[8] -extern void curve25519_pxscalarmul(uint64_t res[static 8],uint64_t scalar[static 4],uint64_t point[static 4]); -extern void curve25519_pxscalarmul_alt(uint64_t res[static 8],uint64_t scalar[static 4],uint64_t point[static 4]); - -// x25519 function for curve25519 -// Inputs scalar[4], point[4]; output res[4] -extern void curve25519_x25519(uint64_t res[static 4],uint64_t scalar[static 4],uint64_t point[static 4]); -extern void curve25519_x25519_alt(uint64_t res[static 4],uint64_t scalar[static 4],uint64_t point[static 4]); - -// x25519 function for curve25519 on base element 9 -// Input scalar[4]; output res[4] -extern void curve25519_x25519base(uint64_t res[static 4],uint64_t scalar[static 4]); -extern void curve25519_x25519base_alt(uint64_t res[static 4],uint64_t scalar[static 4]); - -// Extended projective addition for edwards25519 -// Inputs p1[16], p2[16]; output p3[16] -extern void edwards25519_epadd(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 16]); -extern void edwards25519_epadd_alt(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 16]); - -// Extended projective doubling for edwards25519 -// Inputs p1[12]; output p3[16] -extern void edwards25519_epdouble(uint64_t p3[static 16],uint64_t p1[static 12]); -extern void edwards25519_epdouble_alt(uint64_t p3[static 16],uint64_t p1[static 12]); - -// Projective doubling for edwards25519 -// Inputs p1[12]; output p3[12] -extern void edwards25519_pdouble(uint64_t p3[static 12],uint64_t p1[static 12]); -extern void edwards25519_pdouble_alt(uint64_t p3[static 12],uint64_t p1[static 12]); - -// Extended projective + precomputed mixed addition for edwards25519 -// Inputs p1[16], p2[12]; output p3[16] -extern void edwards25519_pepadd(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 12]); -extern void edwards25519_pepadd_alt(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 12]); - -// Point addition on NIST curve P-256 in Montgomery-Jacobian coordinates -// Inputs p1[12], p2[12]; output p3[12] -extern void p256_montjadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 12]); - -// Point doubling on NIST curve P-256 in Montgomery-Jacobian coordinates -// Inputs p1[12]; output p3[12] -extern void p256_montjdouble(uint64_t p3[static 12],uint64_t p1[static 12]); - -// Point mixed addition on NIST curve P-256 in Montgomery-Jacobian coordinates -// Inputs p1[12], p2[8]; output p3[12] -extern void p256_montjmixadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 8]); - -// Point addition on NIST curve P-384 in Montgomery-Jacobian coordinates -// Inputs p1[18], p2[18]; output p3[18] -extern void p384_montjadd(uint64_t p3[static 18],uint64_t p1[static 18],uint64_t p2[static 18]); - -// Point doubling on NIST curve P-384 in Montgomery-Jacobian coordinates -// Inputs p1[18]; output p3[18] -extern void p384_montjdouble(uint64_t p3[static 18],uint64_t p1[static 18]); - -// Point mixed addition on NIST curve P-384 in Montgomery-Jacobian coordinates -// Inputs p1[18], p2[12]; output p3[18] -extern void p384_montjmixadd(uint64_t p3[static 18],uint64_t p1[static 18],uint64_t p2[static 12]); - -// Point addition on NIST curve P-521 in Jacobian coordinates -// Inputs p1[27], p2[27]; output p3[27] -extern void p521_jadd(uint64_t p3[static 27],uint64_t p1[static 27],uint64_t p2[static 27]); - -// Point doubling on NIST curve P-521 in Jacobian coordinates -// Input p1[27]; output p3[27] -extern void p521_jdouble(uint64_t p3[static 27],uint64_t p1[static 27]); - -// Point mixed addition on NIST curve P-521 in Jacobian coordinates -// Inputs p1[27], p2[18]; output p3[27] -extern void p521_jmixadd(uint64_t p3[static 27],uint64_t p1[static 27],uint64_t p2[static 18]); - -// Point addition on SECG curve secp256k1 in Jacobian coordinates -// Inputs p1[12], p2[12]; output p3[12] -extern void secp256k1_jadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 12]); - -// Point doubling on SECG curve secp256k1 in Jacobian coordinates -// Input p1[12]; output p3[12] -extern void secp256k1_jdouble(uint64_t p3[static 12],uint64_t p1[static 12]); - -// Point mixed addition on SECG curve secp256k1 in Jacobian coordinates -// Inputs p1[12], p2[8]; output p3[12] -extern void secp256k1_jmixadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 8]); - -// Reverse the bytes in a single word -// Input a; output function return -extern uint64_t word_bytereverse (uint64_t a); - -// Count leading zero bits in a single word -// Input a; output function return -extern uint64_t word_clz (uint64_t a); - -// Count trailing zero bits in a single word -// Input a; output function return -extern uint64_t word_ctz (uint64_t a); - -// Return maximum of two unsigned 64-bit words -// Inputs a, b; output function return -extern uint64_t word_max (uint64_t a, uint64_t b); - -// Return minimum of two unsigned 64-bit words -// Inputs a, b; output function return -extern uint64_t word_min (uint64_t a, uint64_t b); - -// Single-word negated modular inverse (-1/a) mod 2^64 -// Input a; output function return -extern uint64_t word_negmodinv (uint64_t a); - -// Single-word reciprocal, 2^64 + ret = ceil(2^128/a) - 1 if MSB of "a" is set -// Input a; output function return -extern uint64_t word_recip (uint64_t a); diff --git a/src/lib/libcrypto/bn/s2n_bignum_internal.h b/src/lib/libcrypto/bn/s2n_bignum_internal.h deleted file mode 100644 index b82db7d019..0000000000 --- a/src/lib/libcrypto/bn/s2n_bignum_internal.h +++ /dev/null @@ -1,36 +0,0 @@ -// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// -// Permission to use, copy, modify, and/or distribute this software for any -// purpose with or without fee is hereby granted, provided that the above -// copyright notice and this permission notice appear in all copies. -// -// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -#ifdef __APPLE__ -# define S2N_BN_SYMBOL(NAME) _##NAME -#else -# define S2N_BN_SYMBOL(name) name -#endif - -#ifdef __CET__ -# include -#else -# define _CET_ENDBR -#endif - -#define S2N_BN_SYM_VISIBILITY_DIRECTIVE(name) .globl S2N_BN_SYMBOL(name) -#ifdef S2N_BN_HIDE_SYMBOLS -# ifdef __APPLE__ -# define S2N_BN_SYM_PRIVACY_DIRECTIVE(name) .private_extern S2N_BN_SYMBOL(name) -# else -# define S2N_BN_SYM_PRIVACY_DIRECTIVE(name) .hidden S2N_BN_SYMBOL(name) -# endif -#else -# define S2N_BN_SYM_PRIVACY_DIRECTIVE(name) /* NO-OP: S2N_BN_SYM_PRIVACY_DIRECTIVE */ -#endif -- cgit v1.2.3-55-g6feb