diff options
Diffstat (limited to 'src/crypto/bn')
| -rw-r--r-- | src/crypto/bn/add.c | 25 | ||||
| -rw-r--r-- | src/crypto/bn/asm/x86_64-mont5.pl | 22 | ||||
| -rw-r--r-- | src/crypto/bn/bn.c | 7 | ||||
| -rw-r--r-- | src/crypto/bn/bn_test.cc | 65 | ||||
| -rw-r--r-- | src/crypto/bn/convert.c | 6 | ||||
| -rw-r--r-- | src/crypto/bn/div.c | 12 | ||||
| -rw-r--r-- | src/crypto/bn/exponentiation.c | 33 | ||||
| -rw-r--r-- | src/crypto/bn/gcd.c | 2 | ||||
| -rw-r--r-- | src/crypto/bn/generic.c | 32 | ||||
| -rw-r--r-- | src/crypto/bn/internal.h | 43 | ||||
| -rw-r--r-- | src/crypto/bn/montgomery.c | 13 |
11 files changed, 144 insertions, 116 deletions
diff --git a/src/crypto/bn/add.c b/src/crypto/bn/add.c index a043d83..23f9f80 100644 --- a/src/crypto/bn/add.c +++ b/src/crypto/bn/add.c @@ -56,6 +56,8 @@ #include <openssl/bn.h> +#include <string.h> + #include <openssl/err.h> #include <openssl/mem.h> @@ -311,27 +313,8 @@ int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { } } - if (rp != ap) { - for (;;) { - if (!dif--) { - break; - } - rp[0] = ap[0]; - if (!dif--) { - break; - } - rp[1] = ap[1]; - if (!dif--) { - break; - } - rp[2] = ap[2]; - if (!dif--) { - break; - } - rp[3] = ap[3]; - rp += 4; - ap += 4; - } + if (dif > 0 && rp != ap) { + memcpy(rp, ap, sizeof(*rp) * dif); } r->top = max; diff --git a/src/crypto/bn/asm/x86_64-mont5.pl b/src/crypto/bn/asm/x86_64-mont5.pl index 38def07..3c5a8fc 100644 --- a/src/crypto/bn/asm/x86_64-mont5.pl +++ b/src/crypto/bn/asm/x86_64-mont5.pl @@ -1770,6 +1770,15 @@ sqr8x_reduction: .align 32 .L8x_tail_done: add (%rdx),%r8 # can this overflow? + adc \$0,%r9 + adc \$0,%r10 + adc \$0,%r11 + adc \$0,%r12 + adc \$0,%r13 + adc \$0,%r14 + adc \$0,%r15 # can't overflow, because we + # started with "overhung" part + # of multiplication xor %rax,%rax neg $carry @@ -3116,6 +3125,15 @@ sqrx8x_reduction: .align 32 .Lsqrx8x_tail_done: add 24+8(%rsp),%r8 # can this overflow? + adc \$0,%r9 + adc \$0,%r10 + adc \$0,%r11 + adc \$0,%r12 + adc \$0,%r13 + adc \$0,%r14 + adc \$0,%r15 # can't overflow, because we + # started with "overhung" part + # of multiplication mov $carry,%rax # xor %rax,%rax sub 16+8(%rsp),$carry # mov 16(%rsp),%cf @@ -3159,13 +3177,11 @@ my ($rptr,$nptr)=("%rdx","%rbp"); my @ri=map("%r$_",(10..13)); my @ni=map("%r$_",(14..15)); $code.=<<___; - xor %rbx,%rbx + xor %ebx,%ebx sub %r15,%rsi # compare top-most words adc %rbx,%rbx mov %rcx,%r10 # -$num - .byte 0x67 or %rbx,%rax - .byte 0x67 mov %rcx,%r9 # -$num xor \$1,%rax sar \$3+2,%rcx # cf=0 diff --git a/src/crypto/bn/bn.c b/src/crypto/bn/bn.c index b342749..543c148 100644 --- a/src/crypto/bn/bn.c +++ b/src/crypto/bn/bn.c @@ -166,11 +166,10 @@ void BN_clear(BIGNUM *bn) { } const BIGNUM *BN_value_one(void) { - static const BN_ULONG data_one = 1; - static const BIGNUM const_one = {(BN_ULONG *)&data_one, 1, 1, 0, - BN_FLG_STATIC_DATA}; + static const BN_ULONG kOneLimbs[1] = { 1 }; + static const BIGNUM kOne = STATIC_BIGNUM(kOneLimbs); - return &const_one; + return &kOne; } void BN_with_flags(BIGNUM *out, const BIGNUM *in, int flags) { diff --git a/src/crypto/bn/bn_test.cc b/src/crypto/bn/bn_test.cc index 47093a7..e7e04f1 100644 --- a/src/crypto/bn/bn_test.cc +++ b/src/crypto/bn/bn_test.cc @@ -76,6 +76,8 @@ #include <stdio.h> #include <string.h> +#include <utility> + #include <openssl/bn.h> #include <openssl/crypto.h> #include <openssl/err.h> @@ -211,7 +213,7 @@ int main(int argc, char *argv[]) { if (!sample) { return 1; } - if (!test_lshift(bc_file.get(), ctx.get(), bssl::move(sample))) { + if (!test_lshift(bc_file.get(), ctx.get(), std::move(sample))) { return 1; } flush_fp(bc_file.get()); @@ -328,6 +330,13 @@ int main(int argc, char *argv[]) { return 0; } +static int HexToBIGNUM(ScopedBIGNUM *out, const char *in) { + BIGNUM *raw = NULL; + int ret = BN_hex2bn(&raw, in); + out->reset(raw); + return ret; +} + static bool test_add(FILE *fp) { ScopedBIGNUM a(BN_new()); ScopedBIGNUM b(BN_new()); @@ -1105,6 +1114,27 @@ static bool test_mod_exp(FILE *fp, BN_CTX *ctx) { return false; } } + + // Regression test for carry propagation bug in sqr8x_reduction. + if (!HexToBIGNUM(&a, "050505050505") || + !HexToBIGNUM(&b, "02") || + !HexToBIGNUM( + &c, + "4141414141414141414141274141414141414141414141414141414141414141" + "4141414141414141414141414141414141414141414141414141414141414141" + "4141414141414141414141800000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000001") || + !BN_mod_exp(d.get(), a.get(), b.get(), c.get(), ctx) || + !BN_mul(e.get(), a.get(), a.get(), ctx)) { + return false; + } + if (BN_cmp(d.get(), e.get()) != 0) { + fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n"); + return false; + } + return true; } @@ -1286,23 +1316,23 @@ static bool test_exp(FILE *fp, BN_CTX *ctx) { // test_exp_mod_zero tests that 1**0 mod 1 == 0. static bool test_exp_mod_zero(void) { - ScopedBIGNUM zero(BN_new()); - if (!zero) { + ScopedBIGNUM zero(BN_new()), a(BN_new()), r(BN_new()); + if (!zero || !a || !r || !BN_rand(a.get(), 1024, 0, 0)) { return false; } BN_zero(zero.get()); - ScopedBN_CTX ctx(BN_CTX_new()); - ScopedBIGNUM r(BN_new()); - if (!ctx || !r || - !BN_mod_exp(r.get(), BN_value_one(), zero.get(), BN_value_one(), ctx.get())) { - return false; - } - - if (!BN_is_zero(r.get())) { - fprintf(stderr, "1**0 mod 1 = "); - BN_print_fp(stderr, r.get()); - fprintf(stderr, ", should be 0\n"); + if (!BN_mod_exp(r.get(), a.get(), zero.get(), BN_value_one(), nullptr) || + !BN_is_zero(r.get()) || + !BN_mod_exp_mont(r.get(), a.get(), zero.get(), BN_value_one(), nullptr, + nullptr) || + !BN_is_zero(r.get()) || + !BN_mod_exp_mont_consttime(r.get(), a.get(), zero.get(), BN_value_one(), + nullptr, nullptr) || + !BN_is_zero(r.get()) || + !BN_mod_exp_mont_word(r.get(), 42, zero.get(), BN_value_one(), nullptr, + nullptr) || + !BN_is_zero(r.get())) { return false; } @@ -1543,13 +1573,6 @@ static bool test_dec2bn(BN_CTX *ctx) { return true; } -static int HexToBIGNUM(ScopedBIGNUM *out, const char *in) { - BIGNUM *raw = NULL; - int ret = BN_hex2bn(&raw, in); - out->reset(raw); - return ret; -} - static bool test_hex2bn(BN_CTX *ctx) { ScopedBIGNUM bn; int ret = HexToBIGNUM(&bn, "0"); diff --git a/src/crypto/bn/convert.c b/src/crypto/bn/convert.c index 0122709..1f7af64 100644 --- a/src/crypto/bn/convert.c +++ b/src/crypto/bn/convert.c @@ -63,6 +63,7 @@ #include <string.h> #include <openssl/bio.h> +#include <openssl/bytestring.h> #include <openssl/err.h> #include <openssl/mem.h> @@ -195,6 +196,11 @@ int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) { return 1; } +int BN_bn2cbb_padded(CBB *out, size_t len, const BIGNUM *in) { + uint8_t *ptr; + return CBB_add_space(out, &ptr, len) && BN_bn2bin_padded(ptr, len, in); +} + static const char hextable[] = "0123456789abcdef"; char *BN_bn2hex(const BIGNUM *bn) { diff --git a/src/crypto/bn/div.c b/src/crypto/bn/div.c index 779dda2..f9e144a 100644 --- a/src/crypto/bn/div.c +++ b/src/crypto/bn/div.c @@ -260,10 +260,10 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, q = BN_MASK2; } else { /* n0 < d0 */ -#ifdef BN_LLONG +#ifdef BN_ULLONG BN_ULLONG t2; -#if defined(BN_LLONG) && !defined(div_asm) +#if defined(BN_ULLONG) && !defined(div_asm) q = (BN_ULONG)(((((BN_ULLONG)n0) << BN_BITS2) | n1) / d0); #else q = div_asm(n0, n1, d0); @@ -288,7 +288,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, } t2 -= d1; } -#else /* !BN_LLONG */ +#else /* !BN_ULLONG */ BN_ULONG t2l, t2h; #if defined(div_asm) @@ -331,7 +331,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, } t2l -= d1; } -#endif /* !BN_LLONG */ +#endif /* !BN_ULLONG */ } l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q); @@ -601,7 +601,7 @@ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w) { } BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w) { -#ifndef BN_LLONG +#ifndef BN_ULLONG BN_ULONG ret = 0; #else BN_ULLONG ret = 0; @@ -614,7 +614,7 @@ BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w) { w &= BN_MASK2; for (i = a->top - 1; i >= 0; i--) { -#ifndef BN_LLONG +#ifndef BN_ULLONG ret = ((ret << BN_BITS4) | ((a->d[i] >> BN_BITS4) & BN_MASK2l)) % w; ret = ((ret << BN_BITS4) | (a->d[i] & BN_MASK2l)) % w; #else diff --git a/src/crypto/bn/exponentiation.c b/src/crypto/bn/exponentiation.c index c580248..72a8db4 100644 --- a/src/crypto/bn/exponentiation.c +++ b/src/crypto/bn/exponentiation.c @@ -445,8 +445,12 @@ static int mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, bits = BN_num_bits(p); if (bits == 0) { - ret = BN_one(r); - return ret; + /* x**0 mod 1 is still zero. */ + if (BN_is_one(m)) { + BN_zero(r); + return 1; + } + return BN_one(r); } BN_CTX_start(ctx); @@ -632,8 +636,12 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } bits = BN_num_bits(p); if (bits == 0) { - ret = BN_one(rr); - return ret; + /* x**0 mod 1 is still zero. */ + if (BN_is_one(m)) { + BN_zero(rr); + return 1; + } + return BN_one(rr); } BN_CTX_start(ctx); @@ -875,8 +883,12 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, bits = BN_num_bits(p); if (bits == 0) { - ret = BN_one(rr); - return ret; + /* x**0 mod 1 is still zero. */ + if (BN_is_one(m)) { + BN_zero(rr); + return 1; + } + return BN_one(rr); } BN_CTX_start(ctx); @@ -1230,17 +1242,14 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, if (bits == 0) { /* x**0 mod 1 is still zero. */ if (BN_is_one(m)) { - ret = 1; BN_zero(rr); - } else { - ret = BN_one(rr); + return 1; } - return ret; + return BN_one(rr); } if (a == 0) { BN_zero(rr); - ret = 1; - return ret; + return 1; } BN_CTX_start(ctx); diff --git a/src/crypto/bn/gcd.c b/src/crypto/bn/gcd.c index e106149..41ca6d2 100644 --- a/src/crypto/bn/gcd.c +++ b/src/crypto/bn/gcd.c @@ -279,7 +279,7 @@ BIGNUM *BN_mod_inverse_ex(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, * sign*Y*a == A (mod |n|). */ - if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048))) { + if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS2 <= 32 ? 450 : 2048))) { /* Binary inversion algorithm; requires odd modulus. * This is faster than the general algorithm if the modulus * is sufficiently small (about 400 .. 500 bits on 32-bit diff --git a/src/crypto/bn/generic.c b/src/crypto/bn/generic.c index 7fd4819..7303ca5 100644 --- a/src/crypto/bn/generic.c +++ b/src/crypto/bn/generic.c @@ -69,13 +69,7 @@ (!defined(OPENSSL_X86_64) && !defined(OPENSSL_X86)) || \ (defined(OPENSSL_X86_64) && defined(OPENSSL_WINDOWS)) -#if defined(OPENSSL_WINDOWS) -#define alloca _alloca -#else -#include <alloca.h> -#endif - -#ifdef BN_LLONG +#ifdef BN_ULLONG #define mul_add(r, a, w, c) \ { \ BN_ULLONG t; \ @@ -222,9 +216,9 @@ (c) = h & BN_MASK2; \ (r) = l & BN_MASK2; \ } -#endif /* !BN_LLONG */ +#endif /* !BN_ULLONG */ -#if defined(BN_LLONG) || defined(BN_UMULT_HIGH) +#if defined(BN_ULLONG) || defined(BN_UMULT_HIGH) BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w) { @@ -304,7 +298,7 @@ void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n) { } } -#else /* !(defined(BN_LLONG) || defined(BN_UMULT_HIGH)) */ +#else /* !(defined(BN_ULLONG) || defined(BN_UMULT_HIGH)) */ BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w) { @@ -390,9 +384,9 @@ void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n) { } } -#endif /* !(defined(BN_LLONG) || defined(BN_UMULT_HIGH)) */ +#endif /* !(defined(BN_ULLONG) || defined(BN_UMULT_HIGH)) */ -#if defined(BN_LLONG) +#if defined(BN_ULLONG) BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) { return (BN_ULONG)(((((BN_ULLONG)h) << BN_BITS2) | l) / (BN_ULLONG)d); @@ -470,9 +464,9 @@ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) { return ret; } -#endif /* !defined(BN_LLONG) */ +#endif /* !defined(BN_ULLONG) */ -#ifdef BN_LLONG +#ifdef BN_ULLONG BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n) { BN_ULLONG ll = 0; @@ -512,7 +506,7 @@ BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, return (BN_ULONG)ll; } -#else /* !BN_LLONG */ +#else /* !BN_ULLONG */ BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n) { @@ -569,7 +563,7 @@ BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, return (BN_ULONG)c; } -#endif /* !BN_LLONG */ +#endif /* !BN_ULLONG */ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n) { @@ -631,7 +625,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, /* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */ /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */ -#ifdef BN_LLONG +#ifdef BN_ULLONG /* Keep in mind that additions to multiplication result can not overflow, * because its high half cannot be all-ones. */ @@ -722,7 +716,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, #define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2) -#else /* !BN_LLONG */ +#else /* !BN_ULLONG */ /* Keep in mind that additions to hi can not overflow, because * the high word of a multiplication result cannot be all-ones. */ @@ -774,7 +768,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, } while (0) #define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2) -#endif /* !BN_LLONG */ +#endif /* !BN_ULLONG */ void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) { BN_ULONG c1, c2, c3; diff --git a/src/crypto/bn/internal.h b/src/crypto/bn/internal.h index 0d0eb44..72ef4e9 100644 --- a/src/crypto/bn/internal.h +++ b/src/crypto/bn/internal.h @@ -144,44 +144,41 @@ BIGNUM *bn_expand(BIGNUM *bn, size_t bits); #if !defined(_MSC_VER) /* MSVC doesn't support two-word integers on 64-bit. */ -#define BN_LLONG __int128_t #define BN_ULLONG __uint128_t #endif -#define BN_BITS 128 #define BN_BITS2 64 #define BN_BYTES 8 #define BN_BITS4 32 -#define BN_MASK (0xffffffffffffffffffffffffffffffffLL) -#define BN_MASK2 (0xffffffffffffffffL) -#define BN_MASK2l (0xffffffffL) -#define BN_MASK2h (0xffffffff00000000L) -#define BN_MASK2h1 (0xffffffff80000000L) -#define BN_TBIT (0x8000000000000000L) +#define BN_MASK2 (0xffffffffffffffffUL) +#define BN_MASK2l (0xffffffffUL) +#define BN_MASK2h (0xffffffff00000000UL) +#define BN_MASK2h1 (0xffffffff80000000UL) +#define BN_TBIT (0x8000000000000000UL) #define BN_DEC_CONV (10000000000000000000UL) #define BN_DEC_NUM 19 +#define TOBN(hi, lo) ((BN_ULONG)hi << 32 | lo) #elif defined(OPENSSL_32_BIT) -#define BN_LLONG int64_t #define BN_ULLONG uint64_t -#define BN_MASK (0xffffffffffffffffLL) -#define BN_BITS 64 #define BN_BITS2 32 #define BN_BYTES 4 #define BN_BITS4 16 -#define BN_MASK2 (0xffffffffL) -#define BN_MASK2l (0xffff) -#define BN_MASK2h1 (0xffff8000L) -#define BN_MASK2h (0xffff0000L) -#define BN_TBIT (0x80000000L) -#define BN_DEC_CONV (1000000000L) +#define BN_MASK2 (0xffffffffUL) +#define BN_MASK2l (0xffffUL) +#define BN_MASK2h1 (0xffff8000UL) +#define BN_MASK2h (0xffff0000UL) +#define BN_TBIT (0x80000000UL) +#define BN_DEC_CONV (1000000000UL) #define BN_DEC_NUM 9 +#define TOBN(hi, lo) lo, hi #else #error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT" #endif + /* Pentium pro 16,16,16,32,64 */ /* Alpha 16,16,16,16.64 */ #define BN_MULL_SIZE_NORMAL (16) /* 32 */ @@ -190,7 +187,13 @@ BIGNUM *bn_expand(BIGNUM *bn, size_t bits); #define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32) /* 32 */ #define BN_MONT_CTX_SET_SIZE_WORD (64) /* 32 */ -#if defined(BN_LLONG) +#define STATIC_BIGNUM(x) \ + { \ + (BN_ULONG *)x, sizeof(x) / sizeof(BN_ULONG), \ + sizeof(x) / sizeof(BN_ULONG), 0, BN_FLG_STATIC_DATA \ + } + +#if defined(BN_ULLONG) #define Lw(t) (((BN_ULONG)(t))&BN_MASK2) #define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2) #endif @@ -220,7 +223,7 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl); int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num); -#if !defined(BN_LLONG) +#if !defined(BN_ULLONG) #define LBITS(a) ((a) & BN_MASK2l) #define HBITS(a) (((a) >> BN_BITS4) & BN_MASK2l) @@ -252,7 +255,7 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, (h) = ht; \ } -#endif /* !defined(BN_LLONG) */ +#endif /* !defined(BN_ULLONG) */ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) # if defined(__GNUC__) && __GNUC__ >= 2 diff --git a/src/crypto/bn/montgomery.c b/src/crypto/bn/montgomery.c index 11edcbf..18da0da 100644 --- a/src/crypto/bn/montgomery.c +++ b/src/crypto/bn/montgomery.c @@ -134,7 +134,6 @@ BN_MONT_CTX *BN_MONT_CTX_new(void) { memset(ret, 0, sizeof(BN_MONT_CTX)); BN_init(&ret->RR); BN_init(&ret->N); - BN_init(&ret->Ni); return ret; } @@ -146,7 +145,6 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont) { BN_free(&mont->RR); BN_free(&mont->N); - BN_free(&mont->Ni); OPENSSL_free(mont); } @@ -156,11 +154,9 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, const BN_MONT_CTX *from) { } if (!BN_copy(&to->RR, &from->RR) || - !BN_copy(&to->N, &from->N) || - !BN_copy(&to->Ni, &from->Ni)) { + !BN_copy(&to->N, &from->N)) { return NULL; } - to->ri = from->ri; to->n0[0] = from->n0[0]; to->n0[1] = from->n0[1]; return to; @@ -193,8 +189,6 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) { tmod.dmax = 2; tmod.neg = 0; - mont->ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2; - #if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2 <= 32) /* Only certain BN_BITS2<=32 platforms actually make use of * n0[1], and we could use the #else case (with a shorter R @@ -278,9 +272,10 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) { mont->n0[1] = 0; #endif - /* setup RR for conversions */ + /* RR = (2^ri)^2 == 2^(ri*2) == 1 << (ri*2), which has its (ri*2)th bit set. */ + int ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2; BN_zero(&(mont->RR)); - if (!BN_set_bit(&(mont->RR), mont->ri * 2)) { + if (!BN_set_bit(&(mont->RR), ri * 2)) { goto err; } if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx)) { |