1 /* $OpenBSD: bn.h,v 1.55 2022/07/12 14:42:48 kn Exp $ */
2 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
117 * The Contribution is licensed pursuant to the Eric Young open source
118 * license provided above.
120 * The binary polynomial arithmetic software is originally written by
121 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
131 #include <openssl/opensslconf.h>
133 #include <openssl/ossl_typ.h>
134 #include <openssl/crypto.h>
135 #include <openssl/bio.h>
141 /* These preprocessor symbols control various aspects of the bignum headers and
142 * library code. They're not defined by any "normal" configuration, as they are
143 * intended for development and testing purposes. NB: defining all three can be
144 * useful for debugging application code as well as openssl itself.
146 * BN_DEBUG - turn on various debugging alterations to the bignum code
147 * BN_DEBUG_RAND - uses random poisoning of unused words to trip up
148 * mismanagement of bignum internals. You must also define BN_DEBUG.
150 /* #define BN_DEBUG */
151 /* #define BN_DEBUG_RAND */
153 #ifndef OPENSSL_SMALL_FOOTPRINT
159 /* This next option uses the C libraries (2 word)/(1 word) function.
160 * If it is not defined, I use my C version (which is slower).
161 * The reason for this flag is that when the particular C compiler
162 * library routine is used, and the library is linked with a different
163 * compiler, the library is missing. This mostly happens when the
164 * library is built with gcc and then linked using normal cc. This would
165 * be a common occurrence because gcc normally produces code that is
166 * 2 times faster than system compilers for the big number stuff.
167 * For machines with only one compiler (or shared libraries), this should
168 * be on. Again this in only really a problem on machines
169 * using "long long's", are 32bit, and are not using my assembler code. */
170 /* #define BN_DIV2W */
174 #define BN_ULONG unsigned long
180 #define BN_MASK2 (0xffffffffffffffffL)
181 #define BN_MASK2l (0xffffffffL)
182 #define BN_MASK2h (0xffffffff00000000L)
183 #define BN_MASK2h1 (0xffffffff80000000L)
184 #define BN_TBIT (0x8000000000000000L)
185 #define BN_DEC_CONV (10000000000000000000UL)
186 #define BN_DEC_FMT1 "%lu"
187 #define BN_DEC_FMT2 "%019lu"
188 #define BN_DEC_NUM 19
189 #define BN_HEX_FMT1 "%lX"
190 #define BN_HEX_FMT2 "%016lX"
192 #define BN_ULLONG unsigned long long
194 #define BN_ULONG unsigned int
200 #define BN_MASK (0xffffffffffffffffLL)
201 #define BN_MASK2 (0xffffffffL)
202 #define BN_MASK2l (0xffff)
203 #define BN_MASK2h1 (0xffff8000L)
204 #define BN_MASK2h (0xffff0000L)
205 #define BN_TBIT (0x80000000L)
206 #define BN_DEC_CONV (1000000000L)
207 #define BN_DEC_FMT1 "%u"
208 #define BN_DEC_FMT2 "%09u"
210 #define BN_HEX_FMT1 "%X"
211 #define BN_HEX_FMT2 "%08X"
214 #define BN_FLG_MALLOCED 0x01
215 #define BN_FLG_STATIC_DATA 0x02
216 #define BN_FLG_CONSTTIME 0x04 /* avoid leaking exponent information through timing,
217 * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime,
218 * BN_div() will call BN_div_no_branch,
219 * BN_mod_inverse() will call BN_mod_inverse_no_branch.
222 #ifndef OPENSSL_NO_DEPRECATED
223 #define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME /* deprecated name for the flag */
224 /* avoid leaking exponent information through timings
225 * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */
228 #ifndef OPENSSL_NO_DEPRECATED
229 #define BN_FLG_FREE 0x8000 /* used for debugging */
231 void BN_set_flags(BIGNUM *b, int n);
232 int BN_get_flags(const BIGNUM *b, int n);
233 void BN_with_flags(BIGNUM *dest, const BIGNUM *src, int flags);
235 /* Values for |top| in BN_rand() */
236 #define BN_RAND_TOP_ANY -1
237 #define BN_RAND_TOP_ONE 0
238 #define BN_RAND_TOP_TWO 1
240 /* Values for |bottom| in BN_rand() */
241 #define BN_RAND_BOTTOM_ANY 0
242 #define BN_RAND_BOTTOM_ODD 1
244 BN_GENCB *BN_GENCB_new(void);
245 void BN_GENCB_free(BN_GENCB *cb);
247 /* Wrapper function to make using BN_GENCB easier, */
248 int BN_GENCB_call(BN_GENCB *cb, int a, int b);
250 /* Populate a BN_GENCB structure with an "old"-style callback */
251 void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback)(int, int, void *),
254 /* Populate a BN_GENCB structure with a "new"-style callback */
255 void BN_GENCB_set(BN_GENCB *gencb, int (*callback)(int, int, BN_GENCB *),
258 void *BN_GENCB_get_arg(BN_GENCB *cb);
260 #define BN_prime_checks 0 /* default: select number of iterations
261 based on the size of the number */
264 * BN_prime_checks_for_size() returns the number of Miller-Rabin
265 * iterations that will be done for checking that a random number
266 * is probably prime. The error rate for accepting a composite
267 * number as prime depends on the size of the prime |b|. The error
268 * rates used are for calculating an RSA key with 2 primes, and so
269 * the level is what you would expect for a key of double the size
272 * This table is generated using the algorithm of FIPS PUB 186-4
273 * Digital Signature Standard (DSS), section F.1, page 117.
274 * (https://dx.doi.org/10.6028/NIST.FIPS.186-4)
276 * The following magma script was used to generate the output:
280 * for M:=3 to Floor(2*Sqrt(k-1)-1) do
287 * s+:=(RealField(32)!2)^-(j+(k-1)/j);
289 * S+:=2^(m-(m-1)*t)*s;
292 * B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S;
293 * pkt:=2.00743*Log(2)*k*2^-k*(A+B);
294 * seclevel:=Floor(-Log(2,pkt));
295 * if seclevel ge securitybits then
296 * printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M;
300 * if seclevel ge securitybits then break; end if;
303 * It can be run online at:
304 * http://magma.maths.usyd.edu.au/calc
307 * k: 1024, security: 129 bits (t: 6, M: 23)
309 * k is the number of bits of the prime, securitybits is the level
312 * prime length | RSA key size | # MR tests | security level
313 * -------------+--------------|------------+---------------
314 * (b) >= 6394 | >= 12788 | 3 | 256 bit
315 * (b) >= 3747 | >= 7494 | 3 | 192 bit
316 * (b) >= 1345 | >= 2690 | 4 | 128 bit
317 * (b) >= 1080 | >= 2160 | 5 | 128 bit
318 * (b) >= 852 | >= 1704 | 5 | 112 bit
319 * (b) >= 476 | >= 952 | 5 | 80 bit
320 * (b) >= 400 | >= 800 | 6 | 80 bit
321 * (b) >= 347 | >= 694 | 7 | 80 bit
322 * (b) >= 308 | >= 616 | 8 | 80 bit
323 * (b) >= 55 | >= 110 | 27 | 64 bit
324 * (b) >= 6 | >= 12 | 34 | 64 bit
327 #define BN_prime_checks_for_size(b) ((b) >= 3747 ? 3 : \
336 #define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
338 int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w);
339 int BN_is_zero(const BIGNUM *a);
340 int BN_is_one(const BIGNUM *a);
341 int BN_is_word(const BIGNUM *a, const BN_ULONG w);
342 int BN_is_odd(const BIGNUM *a);
344 #define BN_one(a) BN_set_word((a), 1)
346 void BN_zero_ex(BIGNUM *a);
348 #ifdef OPENSSL_NO_DEPRECATED
349 #define BN_zero(a) BN_zero_ex(a)
351 #define BN_zero(a) (BN_set_word((a),0))
354 const BIGNUM *BN_value_one(void);
355 char * BN_options(void);
356 BN_CTX *BN_CTX_new(void);
357 #ifndef OPENSSL_NO_DEPRECATED
358 void BN_CTX_init(BN_CTX *c);
360 void BN_CTX_free(BN_CTX *c);
361 void BN_CTX_start(BN_CTX *ctx);
362 BIGNUM *BN_CTX_get(BN_CTX *ctx);
363 void BN_CTX_end(BN_CTX *ctx);
364 int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
365 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
366 int BN_rand_range(BIGNUM *rnd, const BIGNUM *range);
367 int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
368 int BN_num_bits(const BIGNUM *a);
369 int BN_num_bits_word(BN_ULONG);
370 BIGNUM *BN_new(void);
371 void BN_init(BIGNUM *);
372 void BN_clear_free(BIGNUM *a);
373 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
374 void BN_swap(BIGNUM *a, BIGNUM *b);
375 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
376 int BN_bn2bin(const BIGNUM *a, unsigned char *to);
377 int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen);
378 BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret);
379 int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen);
380 BIGNUM *BN_mpi2bn(const unsigned char *s, int len, BIGNUM *ret);
381 int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
382 int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
383 int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
384 int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
385 int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
386 int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
387 int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
388 /** BN_set_negative sets sign of a BIGNUM
389 * \param b pointer to the BIGNUM object
390 * \param n 0 if the BIGNUM b should be positive and a value != 0 otherwise
392 void BN_set_negative(BIGNUM *b, int n);
394 int BN_is_negative(const BIGNUM *b);
396 #ifndef LIBRESSL_INTERNAL
397 int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
399 #define BN_mod(rem,m,d,ctx) BN_div(NULL,(rem),(m),(d),(ctx))
401 int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx);
402 int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
403 int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m);
404 int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
405 int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m);
406 int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
407 const BIGNUM *m, BN_CTX *ctx);
408 int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
409 int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
410 int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m);
411 int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx);
412 int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m);
414 BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
415 BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
416 int BN_mul_word(BIGNUM *a, BN_ULONG w);
417 int BN_add_word(BIGNUM *a, BN_ULONG w);
418 int BN_sub_word(BIGNUM *a, BN_ULONG w);
419 int BN_set_word(BIGNUM *a, BN_ULONG w);
420 BN_ULONG BN_get_word(const BIGNUM *a);
422 int BN_cmp(const BIGNUM *a, const BIGNUM *b);
423 void BN_free(BIGNUM *a);
424 int BN_is_bit_set(const BIGNUM *a, int n);
425 int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
426 int BN_lshift1(BIGNUM *r, const BIGNUM *a);
427 int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
429 #ifndef LIBRESSL_INTERNAL
430 int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
431 const BIGNUM *m, BN_CTX *ctx);
432 int BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
433 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
435 int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
436 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont);
437 int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
438 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
439 int BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1,
440 const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m,
441 BN_CTX *ctx, BN_MONT_CTX *m_ctx);
442 int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
443 const BIGNUM *m, BN_CTX *ctx);
445 int BN_mask_bits(BIGNUM *a, int n);
446 int BN_print_fp(FILE *fp, const BIGNUM *a);
447 int BN_print(BIO *fp, const BIGNUM *a);
448 int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx);
449 int BN_rshift(BIGNUM *r, const BIGNUM *a, int n);
450 int BN_rshift1(BIGNUM *r, const BIGNUM *a);
451 void BN_clear(BIGNUM *a);
452 BIGNUM *BN_dup(const BIGNUM *a);
453 int BN_ucmp(const BIGNUM *a, const BIGNUM *b);
454 int BN_set_bit(BIGNUM *a, int n);
455 int BN_clear_bit(BIGNUM *a, int n);
456 char * BN_bn2hex(const BIGNUM *a);
457 char * BN_bn2dec(const BIGNUM *a);
458 int BN_hex2bn(BIGNUM **a, const char *str);
459 int BN_dec2bn(BIGNUM **a, const char *str);
460 int BN_asc2bn(BIGNUM **a, const char *str);
461 #ifndef LIBRESSL_INTERNAL
462 int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
464 int BN_kronecker(const BIGNUM *a,const BIGNUM *b,BN_CTX *ctx); /* returns -2 for error */
465 #ifndef LIBRESSL_INTERNAL
466 BIGNUM *BN_mod_inverse(BIGNUM *ret,
467 const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
469 BIGNUM *BN_mod_sqrt(BIGNUM *ret,
470 const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
472 void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
474 int BN_security_bits(int L, int N);
476 /* Deprecated versions */
477 #ifndef OPENSSL_NO_DEPRECATED
478 BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
479 const BIGNUM *add, const BIGNUM *rem,
480 void (*callback)(int, int, void *), void *cb_arg);
481 int BN_is_prime(const BIGNUM *p, int nchecks,
482 void (*callback)(int, int, void *),
483 BN_CTX *ctx, void *cb_arg);
484 int BN_is_prime_fasttest(const BIGNUM *p, int nchecks,
485 void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg,
486 int do_trial_division);
487 #endif /* !defined(OPENSSL_NO_DEPRECATED) */
490 int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
491 const BIGNUM *rem, BN_GENCB *cb);
492 int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb);
493 int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx,
494 int do_trial_division, BN_GENCB *cb);
496 int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);
498 int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
499 const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
500 const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);
501 int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
502 BIGNUM *Xp1, BIGNUM *Xp2,
504 const BIGNUM *e, BN_CTX *ctx,
507 BN_MONT_CTX *BN_MONT_CTX_new(void );
508 void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
509 int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
510 BN_MONT_CTX *mont, BN_CTX *ctx);
511 int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
513 int BN_from_montgomery(BIGNUM *r, const BIGNUM *a,
514 BN_MONT_CTX *mont, BN_CTX *ctx);
515 void BN_MONT_CTX_free(BN_MONT_CTX *mont);
516 int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx);
517 BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from);
518 BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
519 const BIGNUM *mod, BN_CTX *ctx);
521 /* BN_BLINDING flags */
522 #define BN_BLINDING_NO_UPDATE 0x00000001
523 #define BN_BLINDING_NO_RECREATE 0x00000002
525 BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod);
526 void BN_BLINDING_free(BN_BLINDING *b);
527 int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx);
528 int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
529 int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
530 int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
531 int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *);
532 #ifndef OPENSSL_NO_DEPRECATED
533 unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
534 void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
536 CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
537 unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
538 void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
539 BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
540 const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
541 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
542 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
545 #ifndef OPENSSL_NO_DEPRECATED
546 void BN_set_params(int mul, int high, int low, int mont);
547 int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */
550 void BN_RECP_CTX_init(BN_RECP_CTX *recp);
551 BN_RECP_CTX *BN_RECP_CTX_new(void);
552 void BN_RECP_CTX_free(BN_RECP_CTX *recp);
553 int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *rdiv, BN_CTX *ctx);
554 int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
555 BN_RECP_CTX *recp, BN_CTX *ctx);
556 int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
557 const BIGNUM *m, BN_CTX *ctx);
558 int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
559 BN_RECP_CTX *recp, BN_CTX *ctx);
561 #ifndef OPENSSL_NO_EC2M
563 /* Functions for arithmetic over binary polynomials represented by BIGNUMs.
565 * The BIGNUM::neg property of BIGNUMs representing binary polynomials is
568 * Note that input arguments are not const so that their bit arrays can
569 * be expanded to the appropriate size if needed.
572 int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); /*r = a + b*/
573 #define BN_GF2m_sub(r, a, b) BN_GF2m_add(r, a, b)
574 int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p); /*r=a mod p*/
576 BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
577 const BIGNUM *p, BN_CTX *ctx); /* r = (a * b) mod p */
579 BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
580 BN_CTX *ctx); /* r = (a * a) mod p */
582 BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *b, const BIGNUM *p,
583 BN_CTX *ctx); /* r = (1 / b) mod p */
585 BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
586 const BIGNUM *p, BN_CTX *ctx); /* r = (a / b) mod p */
588 BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
589 const BIGNUM *p, BN_CTX *ctx); /* r = (a ^ b) mod p */
591 BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
592 BN_CTX *ctx); /* r = sqrt(a) mod p */
593 int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
594 BN_CTX *ctx); /* r^2 + r = a mod p */
595 #define BN_GF2m_cmp(a, b) BN_ucmp((a), (b))
596 /* Some functions allow for representation of the irreducible polynomials
597 * as an unsigned int[], say p. The irreducible f(t) is then of the form:
598 * t^p[0] + t^p[1] + ... + t^p[k]
599 * where m = p[0] > p[1] > ... > p[k] = 0.
601 int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[]);
603 int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
604 const int p[], BN_CTX *ctx); /* r = (a * b) mod p */
605 int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[],
606 BN_CTX *ctx); /* r = (a * a) mod p */
607 int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *b, const int p[],
608 BN_CTX *ctx); /* r = (1 / b) mod p */
609 int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
610 const int p[], BN_CTX *ctx); /* r = (a / b) mod p */
611 int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
612 const int p[], BN_CTX *ctx); /* r = (a ^ b) mod p */
613 int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a,
614 const int p[], BN_CTX *ctx); /* r = sqrt(a) mod p */
615 int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a,
616 const int p[], BN_CTX *ctx); /* r^2 + r = a mod p */
617 int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max);
618 int BN_GF2m_arr2poly(const int p[], BIGNUM *a);
622 /* faster mod functions for the 'NIST primes'
624 int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
625 int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
626 int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
627 int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
628 int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
630 const BIGNUM *BN_get0_nist_prime_192(void);
631 const BIGNUM *BN_get0_nist_prime_224(void);
632 const BIGNUM *BN_get0_nist_prime_256(void);
633 const BIGNUM *BN_get0_nist_prime_384(void);
634 const BIGNUM *BN_get0_nist_prime_521(void);
636 /* Primes from RFC 2409 */
637 BIGNUM *get_rfc2409_prime_768(BIGNUM *bn);
638 BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn);
639 BIGNUM *BN_get_rfc2409_prime_768(BIGNUM *bn);
640 BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM *bn);
642 /* Primes from RFC 3526 */
643 BIGNUM *get_rfc3526_prime_1536(BIGNUM *bn);
644 BIGNUM *get_rfc3526_prime_2048(BIGNUM *bn);
645 BIGNUM *get_rfc3526_prime_3072(BIGNUM *bn);
646 BIGNUM *get_rfc3526_prime_4096(BIGNUM *bn);
647 BIGNUM *get_rfc3526_prime_6144(BIGNUM *bn);
648 BIGNUM *get_rfc3526_prime_8192(BIGNUM *bn);
649 BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn);
650 BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn);
651 BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn);
652 BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn);
653 BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn);
654 BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn);
656 void ERR_load_BN_strings(void);
658 /* Error codes for the BN functions. */
660 /* Function codes. */
661 #define BN_F_BNRAND 127
662 #define BN_F_BN_BLINDING_CONVERT_EX 100
663 #define BN_F_BN_BLINDING_CREATE_PARAM 128
664 #define BN_F_BN_BLINDING_INVERT_EX 101
665 #define BN_F_BN_BLINDING_NEW 102
666 #define BN_F_BN_BLINDING_UPDATE 103
667 #define BN_F_BN_BN2DEC 104
668 #define BN_F_BN_BN2HEX 105
669 #define BN_F_BN_CTX_GET 116
670 #define BN_F_BN_CTX_NEW 106
671 #define BN_F_BN_CTX_START 129
672 #define BN_F_BN_DIV 107
673 #define BN_F_BN_DIV_NO_BRANCH 138
674 #define BN_F_BN_DIV_RECP 130
675 #define BN_F_BN_EXP 123
676 #define BN_F_BN_EXPAND2 108
677 #define BN_F_BN_GENERATE_PRIME_EX 140
678 #define BN_F_BN_EXPAND_INTERNAL 120
679 #define BN_F_BN_GF2M_MOD 131
680 #define BN_F_BN_GF2M_MOD_EXP 132
681 #define BN_F_BN_GF2M_MOD_MUL 133
682 #define BN_F_BN_GF2M_MOD_SOLVE_QUAD 134
683 #define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR 135
684 #define BN_F_BN_GF2M_MOD_SQR 136
685 #define BN_F_BN_GF2M_MOD_SQRT 137
686 #define BN_F_BN_MOD_EXP2_MONT 118
687 #define BN_F_BN_MOD_EXP_MONT 109
688 #define BN_F_BN_MOD_EXP_MONT_CONSTTIME 124
689 #define BN_F_BN_MOD_EXP_MONT_WORD 117
690 #define BN_F_BN_MOD_EXP_RECP 125
691 #define BN_F_BN_MOD_EXP_SIMPLE 126
692 #define BN_F_BN_MOD_INVERSE 110
693 #define BN_F_BN_MOD_INVERSE_NO_BRANCH 139
694 #define BN_F_BN_MOD_LSHIFT_QUICK 119
695 #define BN_F_BN_MOD_MUL_RECIPROCAL 111
696 #define BN_F_BN_MOD_SQRT 121
697 #define BN_F_BN_MPI2BN 112
698 #define BN_F_BN_NEW 113
699 #define BN_F_BN_RAND 114
700 #define BN_F_BN_RAND_RANGE 122
701 #define BN_F_BN_USUB 115
704 #define BN_R_ARG2_LT_ARG3 100
705 #define BN_R_BAD_RECIPROCAL 101
706 #define BN_R_BIGNUM_TOO_LONG 114
707 #define BN_R_BITS_TOO_SMALL 117
708 #define BN_R_CALLED_WITH_EVEN_MODULUS 102
709 #define BN_R_DIV_BY_ZERO 103
710 #define BN_R_ENCODING_ERROR 104
711 #define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105
712 #define BN_R_INPUT_NOT_REDUCED 110
713 #define BN_R_INVALID_LENGTH 106
714 #define BN_R_INVALID_RANGE 115
715 #define BN_R_NOT_A_SQUARE 111
716 #define BN_R_NOT_INITIALIZED 107
717 #define BN_R_NO_INVERSE 108
718 #define BN_R_NO_SOLUTION 116
719 #define BN_R_P_IS_NOT_PRIME 112
720 #define BN_R_TOO_MANY_ITERATIONS 113
721 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109