← Back to branch summary

~ubuntu-branches/ubuntu/lucid/openssl/lucid-proposed

« back to all changes in this revision

Viewing changes to crypto/bn/bn_nist.c

  • Committer: Bazaar Package Importer
  • Author(s): Nicolas Valcárcel Scerpella (Canonical)
  • Date: 2009-12-06 20:16:24 UTC
  • mfrom: (11.1.9 sid)
  • Revision ID: james.westby@ubuntu.com-20091206201624-u126qjpqm2n2uuhu
Tags: 0.9.8k-7ubuntu1
https://launchpad.net/bugs/493392
* Merge from debian unstable, remaining changes (LP: #493392):
  - Link using -Bsymbolic-functions
  - Add support for lpia
  - Disable SSLv2 during compile
  - Ship documentation in openssl-doc, suggested by the package.
  - Use a different priority for libssl0.9.8/restart-services
    depending on whether a desktop, or server dist-upgrade is being
    performed.
  - Display a system restart required notification bubble on libssl0.9.8
    upgrade.
  - Replace duplicate files in the doc directory with symlinks.
  - Move runtime libraries to /lib, for the benefit of wpasupplicant
* Strip the patches out of the source into quilt patches
* Disable CVE-2009-3555.patch

Show diffs side-by-side

added added

removed removed

Lines of Context:
crypto/bn/bn_nist.c
59
59
#include "bn_lcl.h"
60
60
#include "cryptlib.h"
61
61
 
 
62
 
62
63
#define BN_NIST_192_TOP (192+BN_BITS2-1)/BN_BITS2
63
64
#define BN_NIST_224_TOP (224+BN_BITS2-1)/BN_BITS2
64
65
#define BN_NIST_256_TOP (256+BN_BITS2-1)/BN_BITS2
65
66
#define BN_NIST_384_TOP (384+BN_BITS2-1)/BN_BITS2
66
67
#define BN_NIST_521_TOP (521+BN_BITS2-1)/BN_BITS2
67
68
 
 
69
/* pre-computed tables are "carry-less" values of modulus*(i+1) */
68
70
#if BN_BITS2 == 64
69
 
static const BN_ULONG _nist_p_192[] =
70
 
        {0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFEULL,
71
 
        0xFFFFFFFFFFFFFFFFULL};
72
 
static const BN_ULONG _nist_p_224[] =
 
71
static const BN_ULONG _nist_p_192[][BN_NIST_192_TOP] = {
 
72
        {0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFFULL},
 
73
        {0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFDULL,0xFFFFFFFFFFFFFFFFULL},
 
74
        {0xFFFFFFFFFFFFFFFDULL,0xFFFFFFFFFFFFFFFCULL,0xFFFFFFFFFFFFFFFFULL}
 
75
        };
 
76
static const BN_ULONG _nist_p_192_sqr[] = {
 
77
        0x0000000000000001ULL,0x0000000000000002ULL,0x0000000000000001ULL,
 
78
        0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFDULL,0xFFFFFFFFFFFFFFFFULL
 
79
        };
 
80
static const BN_ULONG _nist_p_224[][BN_NIST_224_TOP] = {
73
81
        {0x0000000000000001ULL,0xFFFFFFFF00000000ULL,
74
 
        0xFFFFFFFFFFFFFFFFULL,0x00000000FFFFFFFFULL};
75
 
static const BN_ULONG _nist_p_256[] =
 
82
         0xFFFFFFFFFFFFFFFFULL,0x00000000FFFFFFFFULL},
 
83
        {0x0000000000000002ULL,0xFFFFFFFE00000000ULL,
 
84
         0xFFFFFFFFFFFFFFFFULL,0x00000001FFFFFFFFULL} /* this one is "carry-full" */
 
85
        };
 
86
static const BN_ULONG _nist_p_224_sqr[] = {
 
87
        0x0000000000000001ULL,0xFFFFFFFE00000000ULL,
 
88
        0xFFFFFFFFFFFFFFFFULL,0x0000000200000000ULL,
 
89
        0x0000000000000000ULL,0xFFFFFFFFFFFFFFFEULL,
 
90
        0xFFFFFFFFFFFFFFFFULL
 
91
        };
 
92
static const BN_ULONG _nist_p_256[][BN_NIST_256_TOP] = {
76
93
        {0xFFFFFFFFFFFFFFFFULL,0x00000000FFFFFFFFULL,
77
 
        0x0000000000000000ULL,0xFFFFFFFF00000001ULL};
78
 
static const BN_ULONG _nist_p_384[] =
79
 
        {0x00000000FFFFFFFFULL,0xFFFFFFFF00000000ULL,
80
 
        0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFFULL,
81
 
        0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL};
 
94
         0x0000000000000000ULL,0xFFFFFFFF00000001ULL},
 
95
        {0xFFFFFFFFFFFFFFFEULL,0x00000001FFFFFFFFULL,
 
96
         0x0000000000000000ULL,0xFFFFFFFE00000002ULL},
 
97
        {0xFFFFFFFFFFFFFFFDULL,0x00000002FFFFFFFFULL,
 
98
         0x0000000000000000ULL,0xFFFFFFFD00000003ULL},
 
99
        {0xFFFFFFFFFFFFFFFCULL,0x00000003FFFFFFFFULL,
 
100
         0x0000000000000000ULL,0xFFFFFFFC00000004ULL},
 
101
        {0xFFFFFFFFFFFFFFFBULL,0x00000004FFFFFFFFULL,
 
102
         0x0000000000000000ULL,0xFFFFFFFB00000005ULL},
 
103
        };
 
104
static const BN_ULONG _nist_p_256_sqr[] = {
 
105
        0x0000000000000001ULL,0xFFFFFFFE00000000ULL,
 
106
        0xFFFFFFFFFFFFFFFFULL,0x00000001FFFFFFFEULL,
 
107
        0x00000001FFFFFFFEULL,0x00000001FFFFFFFEULL,
 
108
        0xFFFFFFFE00000001ULL,0xFFFFFFFE00000002ULL
 
109
        };
 
110
static const BN_ULONG _nist_p_384[][BN_NIST_384_TOP] = {
 
111
        {0x00000000FFFFFFFFULL,0xFFFFFFFF00000000ULL,0xFFFFFFFFFFFFFFFEULL,
 
112
         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
 
113
        {0x00000001FFFFFFFEULL,0xFFFFFFFE00000000ULL,0xFFFFFFFFFFFFFFFDULL,
 
114
         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
 
115
        {0x00000002FFFFFFFDULL,0xFFFFFFFD00000000ULL,0xFFFFFFFFFFFFFFFCULL,
 
116
         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
 
117
        {0x00000003FFFFFFFCULL,0xFFFFFFFC00000000ULL,0xFFFFFFFFFFFFFFFBULL,
 
118
         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
 
119
        {0x00000004FFFFFFFBULL,0xFFFFFFFB00000000ULL,0xFFFFFFFFFFFFFFFAULL,
 
120
         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
 
121
        };
 
122
static const BN_ULONG _nist_p_384_sqr[] = {
 
123
        0xFFFFFFFE00000001ULL,0x0000000200000000ULL,0xFFFFFFFE00000000ULL,
 
124
        0x0000000200000000ULL,0x0000000000000001ULL,0x0000000000000000ULL,
 
125
        0x00000001FFFFFFFEULL,0xFFFFFFFE00000000ULL,0xFFFFFFFFFFFFFFFDULL,
 
126
        0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL
 
127
        };
82
128
static const BN_ULONG _nist_p_521[] =
83
129
        {0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
84
130
        0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
85
131
        0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
86
132
        0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
87
133
        0x00000000000001FFULL};
 
134
static const BN_ULONG _nist_p_521_sqr[] = {
 
135
        0x0000000000000001ULL,0x0000000000000000ULL,0x0000000000000000ULL,
 
136
        0x0000000000000000ULL,0x0000000000000000ULL,0x0000000000000000ULL,
 
137
        0x0000000000000000ULL,0x0000000000000000ULL,0xFFFFFFFFFFFFFC00ULL,
 
138
        0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
 
139
        0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
 
140
        0xFFFFFFFFFFFFFFFFULL,0x000000000003FFFFULL
 
141
        };
88
142
#elif BN_BITS2 == 32
89
 
static const BN_ULONG _nist_p_192[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFE,
90
 
        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF};
91
 
static const BN_ULONG _nist_p_224[] = {0x00000001,0x00000000,0x00000000,
92
 
        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF};
93
 
static const BN_ULONG _nist_p_256[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
94
 
        0x00000000,0x00000000,0x00000000,0x00000001,0xFFFFFFFF};
95
 
static const BN_ULONG _nist_p_384[] = {0xFFFFFFFF,0x00000000,0x00000000,
96
 
        0xFFFFFFFF,0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
97
 
        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF};
 
143
static const BN_ULONG _nist_p_192[][BN_NIST_192_TOP] = {
 
144
        {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
 
145
        {0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFD,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
 
146
        {0xFFFFFFFD,0xFFFFFFFF,0xFFFFFFFC,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF}
 
147
        };
 
148
static const BN_ULONG _nist_p_192_sqr[] = {
 
149
        0x00000001,0x00000000,0x00000002,0x00000000,0x00000001,0x00000000,
 
150
        0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFD,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF
 
151
        };
 
152
static const BN_ULONG _nist_p_224[][BN_NIST_224_TOP] = {
 
153
        {0x00000001,0x00000000,0x00000000,0xFFFFFFFF,
 
154
         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
 
155
        {0x00000002,0x00000000,0x00000000,0xFFFFFFFE,
 
156
         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF}
 
157
        };
 
158
static const BN_ULONG _nist_p_224_sqr[] = {
 
159
        0x00000001,0x00000000,0x00000000,0xFFFFFFFE,
 
160
        0xFFFFFFFF,0xFFFFFFFF,0x00000000,0x00000002,
 
161
        0x00000000,0x00000000,0xFFFFFFFE,0xFFFFFFFF,
 
162
        0xFFFFFFFF,0xFFFFFFFF
 
163
        };
 
164
static const BN_ULONG _nist_p_256[][BN_NIST_256_TOP] = {
 
165
        {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0x00000000,
 
166
         0x00000000,0x00000000,0x00000001,0xFFFFFFFF},
 
167
        {0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFF,0x00000001,
 
168
         0x00000000,0x00000000,0x00000002,0xFFFFFFFE},
 
169
        {0xFFFFFFFD,0xFFFFFFFF,0xFFFFFFFF,0x00000002,
 
170
         0x00000000,0x00000000,0x00000003,0xFFFFFFFD},
 
171
        {0xFFFFFFFC,0xFFFFFFFF,0xFFFFFFFF,0x00000003,
 
172
         0x00000000,0x00000000,0x00000004,0xFFFFFFFC},
 
173
        {0xFFFFFFFB,0xFFFFFFFF,0xFFFFFFFF,0x00000004,
 
174
         0x00000000,0x00000000,0x00000005,0xFFFFFFFB},
 
175
        };
 
176
static const BN_ULONG _nist_p_256_sqr[] = {
 
177
        0x00000001,0x00000000,0x00000000,0xFFFFFFFE,
 
178
        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFE,0x00000001,
 
179
        0xFFFFFFFE,0x00000001,0xFFFFFFFE,0x00000001,
 
180
        0x00000001,0xFFFFFFFE,0x00000002,0xFFFFFFFE
 
181
        };
 
182
static const BN_ULONG _nist_p_384[][BN_NIST_384_TOP] = {
 
183
        {0xFFFFFFFF,0x00000000,0x00000000,0xFFFFFFFF,0xFFFFFFFE,0xFFFFFFFF,
 
184
         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
 
185
        {0xFFFFFFFE,0x00000001,0x00000000,0xFFFFFFFE,0xFFFFFFFD,0xFFFFFFFF,
 
186
         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
 
187
        {0xFFFFFFFD,0x00000002,0x00000000,0xFFFFFFFD,0xFFFFFFFC,0xFFFFFFFF,
 
188
         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
 
189
        {0xFFFFFFFC,0x00000003,0x00000000,0xFFFFFFFC,0xFFFFFFFB,0xFFFFFFFF,
 
190
         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
 
191
        {0xFFFFFFFB,0x00000004,0x00000000,0xFFFFFFFB,0xFFFFFFFA,0xFFFFFFFF,
 
192
         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
 
193
        };
 
194
static const BN_ULONG _nist_p_384_sqr[] = {
 
195
        0x00000001,0xFFFFFFFE,0x00000000,0x00000002,0x00000000,0xFFFFFFFE,
 
196
        0x00000000,0x00000002,0x00000001,0x00000000,0x00000000,0x00000000,
 
197
        0xFFFFFFFE,0x00000001,0x00000000,0xFFFFFFFE,0xFFFFFFFD,0xFFFFFFFF,
 
198
        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF
 
199
        };
98
200
static const BN_ULONG _nist_p_521[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
99
201
        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
100
202
        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
101
203
        0xFFFFFFFF,0x000001FF};
102
 
#elif BN_BITS2 == 16
103
 
static const BN_ULONG _nist_p_192[] = {0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFE,
104
 
        0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF};
105
 
static const BN_ULONG _nist_p_224[] = {0x0001,0x0000,0x0000,0x0000,0x0000,
106
 
        0x0000,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF};
107
 
static const BN_ULONG _nist_p_256[] = {0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,
108
 
        0xFFFF,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0001,0x0000,0xFFFF,
109
 
        0xFFFF};
110
 
static const BN_ULONG _nist_p_384[] = {0xFFFF,0xFFFF,0x0000,0x0000,0x0000,
111
 
        0x0000,0xFFFF,0xFFFF,0xFFFE,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,
112
 
        0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF};
113
 
static const BN_ULONG _nist_p_521[] = {0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,
114
 
        0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,
115
 
        0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,
116
 
        0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0x01FF};
117
 
#elif BN_BITS2 == 8
118
 
static const BN_ULONG _nist_p_192[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
119
 
        0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
120
 
        0xFF,0xFF};
121
 
static const BN_ULONG _nist_p_224[] = {0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
122
 
        0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
123
 
        0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
124
 
static const BN_ULONG _nist_p_256[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
125
 
        0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
126
 
        0x00,0x00,0x01,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF};
127
 
static const BN_ULONG _nist_p_384[] = {0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
128
 
        0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,
129
 
        0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
130
 
        0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
131
 
static const BN_ULONG _nist_p_521[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
132
 
        0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
133
 
        0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
134
 
        0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
135
 
        0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
136
 
        0xFF,0x01};
 
204
static const BN_ULONG _nist_p_521_sqr[] = {
 
205
        0x00000001,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
 
206
        0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
 
207
        0x00000000,0x00000000,0x00000000,0x00000000,0xFFFFFC00,0xFFFFFFFF,
 
208
        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
 
209
        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
 
210
        0xFFFFFFFF,0xFFFFFFFF,0x0003FFFF
 
211
        };
 
212
#else
 
213
#error "unsupported BN_BITS2"
137
214
#endif
138
215
 
 
216
 
 
217
static const BIGNUM _bignum_nist_p_192 =
 
218
        {
 
219
        (BN_ULONG *)_nist_p_192[0],
 
220
        BN_NIST_192_TOP,
 
221
        BN_NIST_192_TOP,
 
222
        0,
 
223
        BN_FLG_STATIC_DATA
 
224
        };
 
225
 
 
226
static const BIGNUM _bignum_nist_p_224 =
 
227
        {
 
228
        (BN_ULONG *)_nist_p_224[0],
 
229
        BN_NIST_224_TOP,
 
230
        BN_NIST_224_TOP,
 
231
        0,
 
232
        BN_FLG_STATIC_DATA
 
233
        };
 
234
 
 
235
static const BIGNUM _bignum_nist_p_256 =
 
236
        {
 
237
        (BN_ULONG *)_nist_p_256[0],
 
238
        BN_NIST_256_TOP,
 
239
        BN_NIST_256_TOP,
 
240
        0,
 
241
        BN_FLG_STATIC_DATA
 
242
        };
 
243
 
 
244
static const BIGNUM _bignum_nist_p_384 =
 
245
        {
 
246
        (BN_ULONG *)_nist_p_384[0],
 
247
        BN_NIST_384_TOP,
 
248
        BN_NIST_384_TOP,
 
249
        0,
 
250
        BN_FLG_STATIC_DATA
 
251
        };
 
252
 
 
253
static const BIGNUM _bignum_nist_p_521 =
 
254
        {
 
255
        (BN_ULONG *)_nist_p_521,
 
256
        BN_NIST_521_TOP,
 
257
        BN_NIST_521_TOP,
 
258
        0,
 
259
        BN_FLG_STATIC_DATA
 
260
        };
 
261
 
 
262
 
139
263
const BIGNUM *BN_get0_nist_prime_192(void)
140
264
        {
141
 
        static BIGNUM const_nist_192 = { (BN_ULONG *)_nist_p_192,
142
 
                BN_NIST_192_TOP, BN_NIST_192_TOP, 0, BN_FLG_STATIC_DATA };
143
 
        return &const_nist_192;
 
265
        return &_bignum_nist_p_192;
144
266
        }
145
267
 
146
268
const BIGNUM *BN_get0_nist_prime_224(void)
147
269
        {
148
 
        static BIGNUM const_nist_224 = { (BN_ULONG *)_nist_p_224,
149
 
                BN_NIST_224_TOP, BN_NIST_224_TOP, 0, BN_FLG_STATIC_DATA };
150
 
        return &const_nist_224;
 
270
        return &_bignum_nist_p_224;
151
271
        }
152
272
 
153
273
const BIGNUM *BN_get0_nist_prime_256(void)
154
274
        {
155
 
        static BIGNUM const_nist_256 = { (BN_ULONG *)_nist_p_256,
156
 
                BN_NIST_256_TOP, BN_NIST_256_TOP, 0, BN_FLG_STATIC_DATA };
157
 
        return &const_nist_256;
 
275
        return &_bignum_nist_p_256;
158
276
        }
159
277
 
160
278
const BIGNUM *BN_get0_nist_prime_384(void)
161
279
        {
162
 
        static BIGNUM const_nist_384 = { (BN_ULONG *)_nist_p_384,
163
 
                BN_NIST_384_TOP, BN_NIST_384_TOP, 0, BN_FLG_STATIC_DATA };
164
 
        return &const_nist_384;
 
280
        return &_bignum_nist_p_384;
165
281
        }
166
282
 
167
283
const BIGNUM *BN_get0_nist_prime_521(void)
168
284
        {
169
 
        static BIGNUM const_nist_521 = { (BN_ULONG *)_nist_p_521,
170
 
                BN_NIST_521_TOP, BN_NIST_521_TOP, 0, BN_FLG_STATIC_DATA };
171
 
        return &const_nist_521;
 
285
        return &_bignum_nist_p_521;
172
286
        }
173
287
 
174
 
/* some misc internal functions */
175
 
#if BN_BITS2 != 64
176
 
static BN_ULONG _256_data[BN_NIST_256_TOP*6];
177
 
static int _is_set_256_data = 0;
178
 
static void _init_256_data(void);
179
 
 
180
 
static BN_ULONG _384_data[BN_NIST_384_TOP*8];
181
 
static int _is_set_384_data = 0;
182
 
static void _init_384_data(void);
183
 
#endif
184
 
 
185
 
#define BN_NIST_ADD_ONE(a)      while (!(++(*(a)))) ++(a);
186
288
 
187
289
static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max)
188
 
        {
 
290
        {
189
291
        int i;
190
 
        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
191
 
        for (i = (top); i != 0; i--)
192
 
                *_tmp1++ = *_tmp2++;
193
 
        for (i = (max) - (top); i != 0; i--)
194
 
                *_tmp1++ = (BN_ULONG) 0;
195
 
        }
 
292
        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
 
293
 
 
294
#ifdef BN_DEBUG
 
295
        OPENSSL_assert(top <= max);
 
296
#endif
 
297
        for (i = (top); i != 0; i--)
 
298
                *_tmp1++ = *_tmp2++;
 
299
        for (i = (max) - (top); i != 0; i--)
 
300
                *_tmp1++ = (BN_ULONG) 0;
 
301
        }
196
302
 
197
303
static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
198
 
        { 
 
304
        { 
199
305
        int i;
200
 
        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
201
 
        for (i = (top); i != 0; i--)
202
 
                *_tmp1++ = *_tmp2++;
203
 
        }
 
306
        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
 
307
        for (i = (top); i != 0; i--)
 
308
                *_tmp1++ = *_tmp2++;
 
309
        }
204
310
 
205
311
#if BN_BITS2 == 64
206
 
#define bn_cp_64(to, n, from, m)        (to)[n] = (from)[m];
 
312
#define bn_cp_64(to, n, from, m)        (to)[n] = (m>=0)?((from)[m]):0;
207
313
#define bn_64_set_0(to, n)              (to)[n] = (BN_ULONG)0;
208
 
/* TBD */
209
 
#define bn_cp_32(to, n, from, m)        (to)[n] = (from)[m];
210
 
#define bn_32_set_0(to, n)              (to)[n] = (BN_ULONG)0;
 
314
/*
 
315
 * two following macros are implemented under assumption that they
 
316
 * are called in a sequence with *ascending* n, i.e. as they are...
 
317
 */
 
318
#define bn_cp_32_naked(to, n, from, m)  (((n)&1)?(to[(n)/2]|=((m)&1)?(from[(m)/2]&BN_MASK2h):(from[(m)/2]<<32))\
 
319
                                                :(to[(n)/2] =((m)&1)?(from[(m)/2]>>32):(from[(m)/2]&BN_MASK2l)))
 
320
#define bn_32_set_0(to, n)              (((n)&1)?(to[(n)/2]&=BN_MASK2l):(to[(n)/2]=0));
 
321
#define bn_cp_32(to,n,from,m)           ((m)>=0)?bn_cp_32_naked(to,n,from,m):bn_32_set_0(to,n)
211
322
#else
212
323
#define bn_cp_64(to, n, from, m) \
213
324
        { \
220
331
        bn_32_set_0(to, (n)*2+1); \
221
332
        }
222
333
#if BN_BITS2 == 32
223
 
#define bn_cp_32(to, n, from, m)        (to)[n] = (from)[m];
 
334
#define bn_cp_32(to, n, from, m)        (to)[n] = (m>=0)?((from)[m]):0;
224
335
#define bn_32_set_0(to, n)              (to)[n] = (BN_ULONG)0;
225
 
#elif BN_BITS2 == 16
226
 
#define bn_cp_32(to, n, from, m) \
227
 
        { \
228
 
        (to)[(n)*2]   = (from)[(m)*2];  \
229
 
        (to)[(n)*2+1] = (from)[(m)*2+1];\
230
 
        }
231
 
#define bn_32_set_0(to, n) { (to)[(n)*2] = 0; (to)[(n)*2+1] = 0; }
232
 
#elif BN_BITS2 == 8
233
 
#define bn_cp_32(to, n, from, m) \
234
 
        { \
235
 
        (to)[(n)*4]   = (from)[(m)*4];  \
236
 
        (to)[(n)*4+1] = (from)[(m)*4+1];\
237
 
        (to)[(n)*4+2] = (from)[(m)*4+2];\
238
 
        (to)[(n)*4+3] = (from)[(m)*4+3];\
239
 
        }
240
 
#define bn_32_set_0(to, n) \
241
 
        { (to)[(n)*4]   = (BN_ULONG)0; (to)[(n)*4+1] = (BN_ULONG)0; \
242
 
          (to)[(n)*4+2] = (BN_ULONG)0; (to)[(n)*4+3] = (BN_ULONG)0; }
243
336
#endif
244
337
#endif /* BN_BITS2 != 64 */
245
338
 
246
339
 
247
340
#define nist_set_192(to, from, a1, a2, a3) \
248
341
        { \
249
 
        if (a3 != 0) bn_cp_64(to, 0, from, (a3) - 3) else bn_64_set_0(to, 0)\
 
342
        bn_cp_64(to, 0, from, (a3) - 3) \
250
343
        bn_cp_64(to, 1, from, (a2) - 3) \
251
 
        if (a1 != 0) bn_cp_64(to, 2, from, (a1) - 3) else bn_64_set_0(to, 2)\
 
344
        bn_cp_64(to, 2, from, (a1) - 3) \
252
345
        }
253
346
 
254
347
int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
255
348
        BN_CTX *ctx)
256
349
        {
257
350
        int      top = a->top, i;
258
 
        BN_ULONG carry = 0;
 
351
        int      carry;
259
352
        register BN_ULONG *r_d, *a_d = a->d;
260
353
        BN_ULONG t_d[BN_NIST_192_TOP],
261
 
                 buf[BN_NIST_192_TOP];
 
354
                 buf[BN_NIST_192_TOP],
 
355
                 c_d[BN_NIST_192_TOP],
 
356
                *res;
 
357
        size_t   mask;
 
358
        static const BIGNUM _bignum_nist_p_192_sqr = {
 
359
                (BN_ULONG *)_nist_p_192_sqr,
 
360
                sizeof(_nist_p_192_sqr)/sizeof(_nist_p_192_sqr[0]),
 
361
                sizeof(_nist_p_192_sqr)/sizeof(_nist_p_192_sqr[0]),
 
362
                0,BN_FLG_STATIC_DATA };
 
363
 
 
364
        field = &_bignum_nist_p_192; /* just to make sure */
 
365
 
 
366
        if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_192_sqr)>=0)
 
367
                return BN_nnmod(r, a, field, ctx);
262
368
 
263
369
        i = BN_ucmp(field, a);
264
370
        if (i == 0)
269
375
        else if (i > 0)
270
376
                return (r == a) ? 1 : (BN_copy(r ,a) != NULL);
271
377
 
272
 
        if (top == BN_NIST_192_TOP)
273
 
                return BN_usub(r, a, field);
274
 
 
275
378
        if (r != a)
276
379
                {
277
380
                if (!bn_wexpand(r, BN_NIST_192_TOP))
284
387
 
285
388
        nist_cp_bn_0(buf, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, BN_NIST_192_TOP);
286
389
 
287
 
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
288
 
# pragma message save
289
 
# pragma message disable BADSUBSCRIPT
290
 
#endif
291
 
 
292
390
        nist_set_192(t_d, buf, 0, 3, 3);
293
 
        if (bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP))
294
 
                ++carry;
295
 
 
 
391
        carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
296
392
        nist_set_192(t_d, buf, 4, 4, 0);
297
 
        if (bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP))
298
 
                ++carry;
299
 
 
300
 
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
301
 
# pragma message restore
302
 
#endif
303
 
 
 
393
        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
304
394
        nist_set_192(t_d, buf, 5, 5, 5)
305
 
        if (bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP))
306
 
                ++carry;
307
 
 
308
 
        while (carry)
309
 
                {
310
 
                if (bn_sub_words(r_d, r_d, _nist_p_192, BN_NIST_192_TOP))
311
 
                        --carry; 
312
 
                }
 
395
        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
 
396
 
 
397
        if (carry > 0)
 
398
                carry = (int)bn_sub_words(r_d,r_d,_nist_p_192[carry-1],BN_NIST_192_TOP);
 
399
        else
 
400
                carry = 1;
 
401
 
 
402
        /*
 
403
         * we need 'if (carry==0 || result>=modulus) result-=modulus;'
 
404
         * as comparison implies subtraction, we can write
 
405
         * 'tmp=result-modulus; if (!carry || !borrow) result=tmp;'
 
406
         * this is what happens below, but without explicit if:-) a.
 
407
         */
 
408
        mask  = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_192[0],BN_NIST_192_TOP);
 
409
        mask &= 0-(size_t)carry;
 
410
        res   = (BN_ULONG *)(((size_t)c_d&~mask) | ((size_t)r_d&mask));
 
411
        nist_cp_bn(r_d, res, BN_NIST_192_TOP);
313
412
        r->top = BN_NIST_192_TOP;
314
413
        bn_correct_top(r);
315
 
        if (BN_ucmp(r, field) >= 0)
316
 
                {
317
 
                bn_sub_words(r_d, r_d, _nist_p_192, BN_NIST_192_TOP);
318
 
                bn_correct_top(r);
319
 
                }
320
414
 
321
 
        bn_check_top(r);
322
415
        return 1;
323
416
        }
324
417
 
 
418
typedef BN_ULONG (*bn_addsub_f)(BN_ULONG *,const BN_ULONG *,const BN_ULONG *,int);
 
419
 
325
420
#define nist_set_224(to, from, a1, a2, a3, a4, a5, a6, a7) \
326
421
        { \
327
 
        if (a7 != 0) bn_cp_32(to, 0, from, (a7) - 7) else bn_32_set_0(to, 0)\
328
 
        if (a6 != 0) bn_cp_32(to, 1, from, (a6) - 7) else bn_32_set_0(to, 1)\
329
 
        if (a5 != 0) bn_cp_32(to, 2, from, (a5) - 7) else bn_32_set_0(to, 2)\
330
 
        if (a4 != 0) bn_cp_32(to, 3, from, (a4) - 7) else bn_32_set_0(to, 3)\
331
 
        if (a3 != 0) bn_cp_32(to, 4, from, (a3) - 7) else bn_32_set_0(to, 4)\
332
 
        if (a2 != 0) bn_cp_32(to, 5, from, (a2) - 7) else bn_32_set_0(to, 5)\
333
 
        if (a1 != 0) bn_cp_32(to, 6, from, (a1) - 7) else bn_32_set_0(to, 6)\
 
422
        bn_cp_32(to, 0, from, (a7) - 7) \
 
423
        bn_cp_32(to, 1, from, (a6) - 7) \
 
424
        bn_cp_32(to, 2, from, (a5) - 7) \
 
425
        bn_cp_32(to, 3, from, (a4) - 7) \
 
426
        bn_cp_32(to, 4, from, (a3) - 7) \
 
427
        bn_cp_32(to, 5, from, (a2) - 7) \
 
428
        bn_cp_32(to, 6, from, (a1) - 7) \
334
429
        }
335
430
 
336
431
int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
337
432
        BN_CTX *ctx)
338
433
        {
339
 
#if BN_BITS2 != 64
340
434
        int     top = a->top, i;
341
 
        int     carry = 0;
 
435
        int     carry;
342
436
        BN_ULONG *r_d, *a_d = a->d;
343
437
        BN_ULONG t_d[BN_NIST_224_TOP],
344
 
                 buf[BN_NIST_224_TOP];
 
438
                 buf[BN_NIST_224_TOP],
 
439
                 c_d[BN_NIST_224_TOP],
 
440
                *res;
 
441
        size_t   mask;
 
442
        union { bn_addsub_f f; size_t p; } u;
 
443
        static const BIGNUM _bignum_nist_p_224_sqr = {
 
444
                (BN_ULONG *)_nist_p_224_sqr,
 
445
                sizeof(_nist_p_224_sqr)/sizeof(_nist_p_224_sqr[0]),
 
446
                sizeof(_nist_p_224_sqr)/sizeof(_nist_p_224_sqr[0]),
 
447
                0,BN_FLG_STATIC_DATA };
 
448
 
 
449
 
 
450
        field = &_bignum_nist_p_224; /* just to make sure */
 
451
 
 
452
        if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_224_sqr)>=0)
 
453
                return BN_nnmod(r, a, field, ctx);
345
454
 
346
455
        i = BN_ucmp(field, a);
347
456
        if (i == 0)
352
461
        else if (i > 0)
353
462
                return (r == a)? 1 : (BN_copy(r ,a) != NULL);
354
463
 
355
 
        if (top == BN_NIST_224_TOP)
356
 
                return BN_usub(r, a, field);
357
 
 
358
464
        if (r != a)
359
465
                {
360
466
                if (!bn_wexpand(r, BN_NIST_224_TOP))
365
471
        else
366
472
                r_d = a_d;
367
473
 
 
474
#if BN_BITS2==64
 
475
        /* copy upper 256 bits of 448 bit number ... */
 
476
        nist_cp_bn_0(t_d, a_d + (BN_NIST_224_TOP-1), top - (BN_NIST_224_TOP-1), BN_NIST_224_TOP);
 
477
        /* ... and right shift by 32 to obtain upper 224 bits */
 
478
        nist_set_224(buf, t_d, 14, 13, 12, 11, 10, 9, 8);
 
479
        /* truncate lower part to 224 bits too */
 
480
        r_d[BN_NIST_224_TOP-1] &= BN_MASK2l;
 
481
#else
368
482
        nist_cp_bn_0(buf, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_224_TOP);
369
 
 
 
483
#endif
370
484
        nist_set_224(t_d, buf, 10, 9, 8, 7, 0, 0, 0);
371
 
        if (bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP))
372
 
                ++carry;
 
485
        carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
373
486
        nist_set_224(t_d, buf, 0, 13, 12, 11, 0, 0, 0);
374
 
        if (bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP))
375
 
                ++carry;
 
487
        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
376
488
        nist_set_224(t_d, buf, 13, 12, 11, 10, 9, 8, 7);
377
 
        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP))
378
 
                --carry;
 
489
        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
379
490
        nist_set_224(t_d, buf, 0, 0, 0, 0, 13, 12, 11);
380
 
        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP))
381
 
                --carry;
 
491
        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
382
492
 
 
493
#if BN_BITS2==64
 
494
        carry = (int)(r_d[BN_NIST_224_TOP-1]>>32);
 
495
#endif
 
496
        u.f = bn_sub_words;
383
497
        if (carry > 0)
384
 
                while (carry)
385
 
                        {
386
 
                        if (bn_sub_words(r_d,r_d,_nist_p_224,BN_NIST_224_TOP))
387
 
                                --carry;
388
 
                        }
 
498
                {
 
499
                carry = (int)bn_sub_words(r_d,r_d,_nist_p_224[carry-1],BN_NIST_224_TOP);
 
500
#if BN_BITS2==64
 
501
                carry=(int)(~(r_d[BN_NIST_224_TOP-1]>>32))&1;
 
502
#endif
 
503
                }
389
504
        else if (carry < 0)
390
 
                while (carry)
391
 
                        {
392
 
                        if (bn_add_words(r_d,r_d,_nist_p_224,BN_NIST_224_TOP))
393
 
                                ++carry;
394
 
                        }
 
505
                {
 
506
                /* it's a bit more comlicated logic in this case.
 
507
                 * if bn_add_words yields no carry, then result
 
508
                 * has to be adjusted by unconditionally *adding*
 
509
                 * the modulus. but if it does, then result has
 
510
                 * to be compared to the modulus and conditionally
 
511
                 * adjusted by *subtracting* the latter. */
 
512
                carry = (int)bn_add_words(r_d,r_d,_nist_p_224[-carry-1],BN_NIST_224_TOP);
 
513
                mask = 0-(size_t)carry;
 
514
                u.p = ((size_t)bn_sub_words&mask) | ((size_t)bn_add_words&~mask);
 
515
                }
 
516
        else
 
517
                carry = 1;
395
518
 
 
519
        /* otherwise it's effectively same as in BN_nist_mod_192... */
 
520
        mask  = 0-(size_t)(*u.f)(c_d,r_d,_nist_p_224[0],BN_NIST_224_TOP);
 
521
        mask &= 0-(size_t)carry;
 
522
        res   = (BN_ULONG *)(((size_t)c_d&~mask) | ((size_t)r_d&mask));
 
523
        nist_cp_bn(r_d, res, BN_NIST_224_TOP);
396
524
        r->top = BN_NIST_224_TOP;
397
525
        bn_correct_top(r);
398
 
        if (BN_ucmp(r, field) >= 0)
399
 
                {
400
 
                bn_sub_words(r_d, r_d, _nist_p_224, BN_NIST_224_TOP);
401
 
                bn_correct_top(r);
402
 
                }
403
 
        bn_check_top(r);
 
526
 
404
527
        return 1;
405
 
#else
406
 
        return 0;
407
 
#endif
408
 
        }
409
 
 
410
 
#if BN_BITS2 != 64
411
 
static void _init_256_data(void)
412
 
        {
413
 
        int     i;
414
 
        BN_ULONG *tmp1 = _256_data;
415
 
        const BN_ULONG *tmp2 = tmp1;
416
 
 
417
 
        memcpy(tmp1, _nist_p_256, BN_NIST_256_TOP * sizeof(BN_ULONG));
418
 
        tmp1 += BN_NIST_256_TOP;
419
 
 
420
 
        for (i=0; i<5; i++)
421
 
                {
422
 
                bn_add_words(tmp1, _nist_p_256, tmp2, BN_NIST_256_TOP);
423
 
                tmp2  = tmp1;
424
 
                tmp1 += BN_NIST_256_TOP;
425
 
                }
426
 
        _is_set_256_data = 1;
427
 
        }
428
 
#endif
 
528
        }
429
529
 
430
530
#define nist_set_256(to, from, a1, a2, a3, a4, a5, a6, a7, a8) \
431
531
        { \
432
 
        if (a8 != 0) bn_cp_32(to, 0, from, (a8) - 8) else bn_32_set_0(to, 0)\
433
 
        if (a7 != 0) bn_cp_32(to, 1, from, (a7) - 8) else bn_32_set_0(to, 1)\
434
 
        if (a6 != 0) bn_cp_32(to, 2, from, (a6) - 8) else bn_32_set_0(to, 2)\
435
 
        if (a5 != 0) bn_cp_32(to, 3, from, (a5) - 8) else bn_32_set_0(to, 3)\
436
 
        if (a4 != 0) bn_cp_32(to, 4, from, (a4) - 8) else bn_32_set_0(to, 4)\
437
 
        if (a3 != 0) bn_cp_32(to, 5, from, (a3) - 8) else bn_32_set_0(to, 5)\
438
 
        if (a2 != 0) bn_cp_32(to, 6, from, (a2) - 8) else bn_32_set_0(to, 6)\
439
 
        if (a1 != 0) bn_cp_32(to, 7, from, (a1) - 8) else bn_32_set_0(to, 7)\
 
532
        bn_cp_32(to, 0, from, (a8) - 8) \
 
533
        bn_cp_32(to, 1, from, (a7) - 8) \
 
534
        bn_cp_32(to, 2, from, (a6) - 8) \
 
535
        bn_cp_32(to, 3, from, (a5) - 8) \
 
536
        bn_cp_32(to, 4, from, (a4) - 8) \
 
537
        bn_cp_32(to, 5, from, (a3) - 8) \
 
538
        bn_cp_32(to, 6, from, (a2) - 8) \
 
539
        bn_cp_32(to, 7, from, (a1) - 8) \
440
540
        }
441
541
 
442
542
int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
443
543
        BN_CTX *ctx)
444
544
        {
445
 
#if BN_BITS2 != 64
446
545
        int     i, top = a->top;
447
546
        int     carry = 0;
448
547
        register BN_ULONG *a_d = a->d, *r_d;
449
548
        BN_ULONG t_d[BN_NIST_256_TOP],
450
 
                 t_d2[BN_NIST_256_TOP],
451
 
                 buf[BN_NIST_256_TOP];
452
 
 
453
 
        if (!_is_set_256_data)
454
 
                {
455
 
                CRYPTO_w_lock(CRYPTO_LOCK_BN);
456
 
                
457
 
                if (!_is_set_256_data)
458
 
                        _init_256_data();
459
 
                
460
 
                CRYPTO_w_unlock(CRYPTO_LOCK_BN);
461
 
                }
462
 
        
 
549
                 buf[BN_NIST_256_TOP],
 
550
                 c_d[BN_NIST_256_TOP],
 
551
                *res;
 
552
        size_t   mask;
 
553
        union { bn_addsub_f f; size_t p; } u;
 
554
        static const BIGNUM _bignum_nist_p_256_sqr = {
 
555
                (BN_ULONG *)_nist_p_256_sqr,
 
556
                sizeof(_nist_p_256_sqr)/sizeof(_nist_p_256_sqr[0]),
 
557
                sizeof(_nist_p_256_sqr)/sizeof(_nist_p_256_sqr[0]),
 
558
                0,BN_FLG_STATIC_DATA };
 
559
 
 
560
        field = &_bignum_nist_p_256; /* just to make sure */
 
561
 
 
562
        if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_256_sqr)>=0)
 
563
                return BN_nnmod(r, a, field, ctx);
 
564
 
463
565
        i = BN_ucmp(field, a);
464
566
        if (i == 0)
465
567
                {
469
571
        else if (i > 0)
470
572
                return (r == a)? 1 : (BN_copy(r ,a) != NULL);
471
573
 
472
 
        if (top == BN_NIST_256_TOP)
473
 
                return BN_usub(r, a, field);
474
 
 
475
574
        if (r != a)
476
575
                {
477
576
                if (!bn_wexpand(r, BN_NIST_256_TOP))
487
586
        /*S1*/
488
587
        nist_set_256(t_d, buf, 15, 14, 13, 12, 11, 0, 0, 0);
489
588
        /*S2*/
490
 
        nist_set_256(t_d2,buf, 0, 15, 14, 13, 12, 0, 0, 0);
491
 
        if (bn_add_words(t_d, t_d, t_d2, BN_NIST_256_TOP))
492
 
                carry = 2;
 
589
        nist_set_256(c_d, buf, 0, 15, 14, 13, 12, 0, 0, 0);
 
590
        carry = (int)bn_add_words(t_d, t_d, c_d, BN_NIST_256_TOP);
493
591
        /* left shift */
494
592
                {
495
593
                register BN_ULONG *ap,t,c;
501
599
                        *(ap++)=((t<<1)|c)&BN_MASK2;
502
600
                        c=(t & BN_TBIT)?1:0;
503
601
                        }
504
 
                if (c)
505
 
                        ++carry;
 
602
                carry <<= 1;
 
603
                carry  |= c;
506
604
                }
507
 
 
508
 
        if (bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP))
509
 
                ++carry;
 
605
        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
510
606
        /*S3*/
511
607
        nist_set_256(t_d, buf, 15, 14, 0, 0, 0, 10, 9, 8);
512
 
        if (bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP))
513
 
                ++carry;
 
608
        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
514
609
        /*S4*/
515
610
        nist_set_256(t_d, buf, 8, 13, 15, 14, 13, 11, 10, 9);
516
 
        if (bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP))
517
 
                ++carry;
 
611
        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
518
612
        /*D1*/
519
613
        nist_set_256(t_d, buf, 10, 8, 0, 0, 0, 13, 12, 11);
520
 
        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP))
521
 
                --carry;
 
614
        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
522
615
        /*D2*/
523
616
        nist_set_256(t_d, buf, 11, 9, 0, 0, 15, 14, 13, 12);
524
 
        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP))
525
 
                --carry;
 
617
        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
526
618
        /*D3*/
527
619
        nist_set_256(t_d, buf, 12, 0, 10, 9, 8, 15, 14, 13);
528
 
        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP))
529
 
                --carry;
 
620
        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
530
621
        /*D4*/
531
622
        nist_set_256(t_d, buf, 13, 0, 11, 10, 9, 0, 15, 14);
532
 
        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP))
533
 
                --carry;
534
 
        
535
 
        if (carry)
 
623
        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
 
624
 
 
625
        /* see BN_nist_mod_224 for explanation */
 
626
        u.f = bn_sub_words;
 
627
        if (carry > 0)
 
628
                carry = (int)bn_sub_words(r_d,r_d,_nist_p_256[carry-1],BN_NIST_256_TOP);
 
629
        else if (carry < 0)
536
630
                {
537
 
                if (carry > 0)
538
 
                        bn_sub_words(r_d, r_d, _256_data + BN_NIST_256_TOP *
539
 
                                --carry, BN_NIST_256_TOP);
540
 
                else
541
 
                        {
542
 
                        carry = -carry;
543
 
                        bn_add_words(r_d, r_d, _256_data + BN_NIST_256_TOP *
544
 
                                --carry, BN_NIST_256_TOP);
545
 
                        }
 
631
                carry = (int)bn_add_words(r_d,r_d,_nist_p_256[-carry-1],BN_NIST_256_TOP);
 
632
                mask = 0-(size_t)carry;
 
633
                u.p = ((size_t)bn_sub_words&mask) | ((size_t)bn_add_words&~mask);
546
634
                }
 
635
        else
 
636
                carry = 1;
547
637
 
 
638
        mask  = 0-(size_t)(*u.f)(c_d,r_d,_nist_p_256[0],BN_NIST_256_TOP);
 
639
        mask &= 0-(size_t)carry;
 
640
        res   = (BN_ULONG *)(((size_t)c_d&~mask) | ((size_t)r_d&mask));
 
641
        nist_cp_bn(r_d, res, BN_NIST_256_TOP);
548
642
        r->top = BN_NIST_256_TOP;
549
643
        bn_correct_top(r);
550
 
        if (BN_ucmp(r, field) >= 0)
551
 
                {
552
 
                bn_sub_words(r_d, r_d, _nist_p_256, BN_NIST_256_TOP);
553
 
                bn_correct_top(r);
554
 
                }
555
 
        bn_check_top(r);
 
644
 
556
645
        return 1;
557
 
#else
558
 
        return 0;
559
 
#endif
560
 
        }
561
 
 
562
 
#if BN_BITS2 != 64
563
 
static void _init_384_data(void)
564
 
        {
565
 
        int     i;
566
 
        BN_ULONG *tmp1 = _384_data;
567
 
        const BN_ULONG *tmp2 = tmp1;
568
 
 
569
 
        memcpy(tmp1, _nist_p_384, BN_NIST_384_TOP * sizeof(BN_ULONG));
570
 
        tmp1 += BN_NIST_384_TOP;
571
 
 
572
 
        for (i=0; i<7; i++)
573
 
                {
574
 
                bn_add_words(tmp1, _nist_p_384, tmp2, BN_NIST_384_TOP);
575
 
                tmp2  = tmp1;
576
 
                tmp1 += BN_NIST_384_TOP;
577
 
                }
578
 
        _is_set_384_data = 1;
579
 
        }
580
 
#endif
 
646
        }
581
647
 
582
648
#define nist_set_384(to,from,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12) \
583
649
        { \
584
 
        if (a12 != 0) bn_cp_32(to, 0, from,  (a12) - 12) else bn_32_set_0(to, 0)\
585
 
        if (a11 != 0) bn_cp_32(to, 1, from,  (a11) - 12) else bn_32_set_0(to, 1)\
586
 
        if (a10 != 0) bn_cp_32(to, 2, from,  (a10) - 12) else bn_32_set_0(to, 2)\
587
 
        if (a9 != 0)  bn_cp_32(to, 3, from,  (a9) - 12)  else bn_32_set_0(to, 3)\
588
 
        if (a8 != 0)  bn_cp_32(to, 4, from,  (a8) - 12)  else bn_32_set_0(to, 4)\
589
 
        if (a7 != 0)  bn_cp_32(to, 5, from,  (a7) - 12)  else bn_32_set_0(to, 5)\
590
 
        if (a6 != 0)  bn_cp_32(to, 6, from,  (a6) - 12)  else bn_32_set_0(to, 6)\
591
 
        if (a5 != 0)  bn_cp_32(to, 7, from,  (a5) - 12)  else bn_32_set_0(to, 7)\
592
 
        if (a4 != 0)  bn_cp_32(to, 8, from,  (a4) - 12)  else bn_32_set_0(to, 8)\
593
 
        if (a3 != 0)  bn_cp_32(to, 9, from,  (a3) - 12)  else bn_32_set_0(to, 9)\
594
 
        if (a2 != 0)  bn_cp_32(to, 10, from, (a2) - 12)  else bn_32_set_0(to, 10)\
595
 
        if (a1 != 0)  bn_cp_32(to, 11, from, (a1) - 12)  else bn_32_set_0(to, 11)\
 
650
        bn_cp_32(to, 0, from,  (a12) - 12) \
 
651
        bn_cp_32(to, 1, from,  (a11) - 12) \
 
652
        bn_cp_32(to, 2, from,  (a10) - 12) \
 
653
        bn_cp_32(to, 3, from,  (a9) - 12)  \
 
654
        bn_cp_32(to, 4, from,  (a8) - 12)  \
 
655
        bn_cp_32(to, 5, from,  (a7) - 12)  \
 
656
        bn_cp_32(to, 6, from,  (a6) - 12)  \
 
657
        bn_cp_32(to, 7, from,  (a5) - 12)  \
 
658
        bn_cp_32(to, 8, from,  (a4) - 12)  \
 
659
        bn_cp_32(to, 9, from,  (a3) - 12)  \
 
660
        bn_cp_32(to, 10, from, (a2) - 12)  \
 
661
        bn_cp_32(to, 11, from, (a1) - 12)  \
596
662
        }
597
663
 
598
664
int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
599
665
        BN_CTX *ctx)
600
666
        {
601
 
#if BN_BITS2 != 64
602
667
        int     i, top = a->top;
603
668
        int     carry = 0;
604
669
        register BN_ULONG *r_d, *a_d = a->d;
605
670
        BN_ULONG t_d[BN_NIST_384_TOP],
606
 
                 buf[BN_NIST_384_TOP];
607
 
 
608
 
        if (!_is_set_384_data)
609
 
                {
610
 
                CRYPTO_w_lock(CRYPTO_LOCK_BN);
611
 
                
612
 
                if (!_is_set_384_data)
613
 
                        _init_384_data();
614
 
 
615
 
                CRYPTO_w_unlock(CRYPTO_LOCK_BN);
616
 
                }
 
671
                 buf[BN_NIST_384_TOP],
 
672
                 c_d[BN_NIST_384_TOP],
 
673
                *res;
 
674
        size_t   mask;
 
675
        union { bn_addsub_f f; size_t p; } u;
 
676
        static const BIGNUM _bignum_nist_p_384_sqr = {
 
677
                (BN_ULONG *)_nist_p_384_sqr,
 
678
                sizeof(_nist_p_384_sqr)/sizeof(_nist_p_384_sqr[0]),
 
679
                sizeof(_nist_p_384_sqr)/sizeof(_nist_p_384_sqr[0]),
 
680
                0,BN_FLG_STATIC_DATA };
 
681
 
 
682
 
 
683
        field = &_bignum_nist_p_384; /* just to make sure */
 
684
 
 
685
        if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_384_sqr)>=0)
 
686
                return BN_nnmod(r, a, field, ctx);
617
687
 
618
688
        i = BN_ucmp(field, a);
619
689
        if (i == 0)
624
694
        else if (i > 0)
625
695
                return (r == a)? 1 : (BN_copy(r ,a) != NULL);
626
696
 
627
 
        if (top == BN_NIST_384_TOP)
628
 
                return BN_usub(r, a, field);
629
 
 
630
697
        if (r != a)
631
698
                {
632
699
                if (!bn_wexpand(r, BN_NIST_384_TOP))
646
713
                register BN_ULONG *ap,t,c;
647
714
                ap = t_d;
648
715
                c=0;
649
 
                for (i = BN_NIST_256_TOP; i != 0; --i)
 
716
                for (i = 3; i != 0; --i)
650
717
                        {
651
718
                        t= *ap;
652
719
                        *(ap++)=((t<<1)|c)&BN_MASK2;
653
720
                        c=(t & BN_TBIT)?1:0;
654
721
                        }
 
722
                *ap=c;
655
723
                }
656
 
        if (bn_add_words(r_d+(128/BN_BITS2), r_d+(128/BN_BITS2), 
657
 
                t_d, BN_NIST_256_TOP))
658
 
                ++carry;
 
724
        carry = (int)bn_add_words(r_d+(128/BN_BITS2), r_d+(128/BN_BITS2), 
 
725
                t_d, BN_NIST_256_TOP);
659
726
        /*S2 */
660
 
        if (bn_add_words(r_d, r_d, buf, BN_NIST_384_TOP))
661
 
                ++carry;
 
727
        carry += (int)bn_add_words(r_d, r_d, buf, BN_NIST_384_TOP);
662
728
        /*S3*/
663
729
        nist_set_384(t_d,buf,20,19,18,17,16,15,14,13,12,23,22,21);
664
 
        if (bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP))
665
 
                ++carry;
 
730
        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
666
731
        /*S4*/
667
732
        nist_set_384(t_d,buf,19,18,17,16,15,14,13,12,20,0,23,0);
668
 
        if (bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP))
669
 
                ++carry;
 
733
        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
670
734
        /*S5*/
671
 
        nist_set_256(t_d, buf, 0, 0, 0, 0, 23-4, 22-4, 21-4, 20-4);
672
 
        if (bn_add_words(r_d+(128/BN_BITS2), r_d+(128/BN_BITS2), 
673
 
                t_d, BN_NIST_256_TOP))
674
 
                ++carry;
 
735
        nist_set_384(t_d, buf,0,0,0,0,23,22,21,20,0,0,0,0);
 
736
        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
675
737
        /*S6*/
676
738
        nist_set_384(t_d,buf,0,0,0,0,0,0,23,22,21,0,0,20);
677
 
        if (bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP))
678
 
                ++carry;
 
739
        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
679
740
        /*D1*/
680
741
        nist_set_384(t_d,buf,22,21,20,19,18,17,16,15,14,13,12,23);
681
 
        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP))
682
 
                --carry;
 
742
        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
683
743
        /*D2*/
684
744
        nist_set_384(t_d,buf,0,0,0,0,0,0,0,23,22,21,20,0);
685
 
        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP))
686
 
                --carry;
 
745
        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
687
746
        /*D3*/
688
747
        nist_set_384(t_d,buf,0,0,0,0,0,0,0,23,23,0,0,0);
689
 
        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP))
690
 
                --carry;
691
 
        
692
 
        if (carry)
 
748
        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
 
749
 
 
750
        /* see BN_nist_mod_224 for explanation */
 
751
        u.f = bn_sub_words;
 
752
        if (carry > 0)
 
753
                carry = (int)bn_sub_words(r_d,r_d,_nist_p_384[carry-1],BN_NIST_384_TOP);
 
754
        else if (carry < 0)
693
755
                {
694
 
                if (carry > 0)
695
 
                        bn_sub_words(r_d, r_d, _384_data + BN_NIST_384_TOP *
696
 
                                --carry, BN_NIST_384_TOP);
697
 
                else
698
 
                        {
699
 
                        carry = -carry;
700
 
                        bn_add_words(r_d, r_d, _384_data + BN_NIST_384_TOP *
701
 
                                --carry, BN_NIST_384_TOP);
702
 
                        }
 
756
                carry = (int)bn_add_words(r_d,r_d,_nist_p_384[-carry-1],BN_NIST_384_TOP);
 
757
                mask = 0-(size_t)carry;
 
758
                u.p = ((size_t)bn_sub_words&mask) | ((size_t)bn_add_words&~mask);
703
759
                }
 
760
        else
 
761
                carry = 1;
704
762
 
 
763
        mask  = 0-(size_t)(*u.f)(c_d,r_d,_nist_p_384[0],BN_NIST_384_TOP);
 
764
        mask &= 0-(size_t)carry;
 
765
        res   = (BN_ULONG *)(((size_t)c_d&~mask) | ((size_t)r_d&mask));
 
766
        nist_cp_bn(r_d, res, BN_NIST_384_TOP);
705
767
        r->top = BN_NIST_384_TOP;
706
768
        bn_correct_top(r);
707
 
        if (BN_ucmp(r, field) >= 0)
708
 
                {
709
 
                bn_sub_words(r_d, r_d, _nist_p_384, BN_NIST_384_TOP);
710
 
                bn_correct_top(r);
711
 
                }
712
 
        bn_check_top(r);
 
769
 
713
770
        return 1;
714
 
#else
715
 
        return 0;
716
 
#endif
717
771
        }
718
772
 
 
773
#define BN_NIST_521_RSHIFT      (521%BN_BITS2)
 
774
#define BN_NIST_521_LSHIFT      (BN_BITS2-BN_NIST_521_RSHIFT)
 
775
#define BN_NIST_521_TOP_MASK    ((BN_ULONG)BN_MASK2>>BN_NIST_521_LSHIFT)
 
776
 
719
777
int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
720
778
        BN_CTX *ctx)
721
779
        {
722
 
#if BN_BITS2 == 64
723
 
#define BN_NIST_521_TOP_MASK    (BN_ULONG)0x1FF
724
 
#elif BN_BITS2 == 32
725
 
#define BN_NIST_521_TOP_MASK    (BN_ULONG)0x1FF
726
 
#elif BN_BITS2 == 16
727
 
#define BN_NIST_521_TOP_MASK    (BN_ULONG)0x1FF
728
 
#elif BN_BITS2 == 8
729
 
#define BN_NIST_521_TOP_MASK    (BN_ULONG)0x1
730
 
#endif
731
 
        int     top, ret = 0;
732
 
        BN_ULONG *r_d;
733
 
        BIGNUM  *tmp;
734
 
 
735
 
        /* check whether a reduction is necessary */
736
 
        top = a->top;
737
 
        if (top < BN_NIST_521_TOP  || ( top == BN_NIST_521_TOP &&
738
 
           (!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
 
780
        int     top = a->top, i;
 
781
        BN_ULONG *r_d, *a_d = a->d,
 
782
                 t_d[BN_NIST_521_TOP],
 
783
                 val,tmp,*res;
 
784
        size_t  mask;
 
785
        static const BIGNUM _bignum_nist_p_521_sqr = {
 
786
                (BN_ULONG *)_nist_p_521_sqr,
 
787
                sizeof(_nist_p_521_sqr)/sizeof(_nist_p_521_sqr[0]),
 
788
                sizeof(_nist_p_521_sqr)/sizeof(_nist_p_521_sqr[0]),
 
789
                0,BN_FLG_STATIC_DATA };
 
790
 
 
791
        field = &_bignum_nist_p_521; /* just to make sure */
 
792
 
 
793
        if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_521_sqr)>=0)
 
794
                return BN_nnmod(r, a, field, ctx);
 
795
 
 
796
        i = BN_ucmp(field, a);
 
797
        if (i == 0)
 
798
                {
 
799
                BN_zero(r);
 
800
                return 1;
 
801
                }
 
802
        else if (i > 0)
739
803
                return (r == a)? 1 : (BN_copy(r ,a) != NULL);
740
804
 
741
 
        BN_CTX_start(ctx);
742
 
        tmp = BN_CTX_get(ctx);
743
 
        if (!tmp)
744
 
                goto err;
745
 
 
746
 
        if (!bn_wexpand(tmp, BN_NIST_521_TOP))
747
 
                goto err;
748
 
        nist_cp_bn(tmp->d, a->d, BN_NIST_521_TOP);
749
 
 
750
 
        tmp->top = BN_NIST_521_TOP;
751
 
        tmp->d[BN_NIST_521_TOP-1]  &= BN_NIST_521_TOP_MASK;
752
 
        bn_correct_top(tmp);
753
 
 
754
 
        if (!BN_rshift(r, a, 521))
755
 
                goto err;
756
 
 
757
 
        if (!BN_uadd(r, tmp, r))
758
 
                goto err;
759
 
        top = r->top;
760
 
        r_d = r->d;
761
 
        if (top == BN_NIST_521_TOP  && 
762
 
           (r_d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))
763
 
                {
764
 
                BN_NIST_ADD_ONE(r_d)
765
 
                r_d[BN_NIST_521_TOP-1] &= BN_NIST_521_TOP_MASK; 
766
 
                }
 
805
        if (r != a)
 
806
                {
 
807
                if (!bn_wexpand(r,BN_NIST_521_TOP))
 
808
                        return 0;
 
809
                r_d = r->d;
 
810
                nist_cp_bn(r_d,a_d, BN_NIST_521_TOP);
 
811
                }
 
812
        else
 
813
                r_d = a_d;
 
814
 
 
815
        /* upper 521 bits, copy ... */
 
816
        nist_cp_bn_0(t_d,a_d + (BN_NIST_521_TOP-1), top - (BN_NIST_521_TOP-1),BN_NIST_521_TOP);
 
817
        /* ... and right shift */
 
818
        for (val=t_d[0],i=0; i<BN_NIST_521_TOP-1; i++)
 
819
                {
 
820
                tmp = val>>BN_NIST_521_RSHIFT;
 
821
                val = t_d[i+1];
 
822
                t_d[i] = (tmp | val<<BN_NIST_521_LSHIFT) & BN_MASK2;
 
823
                }
 
824
        t_d[i] = val>>BN_NIST_521_RSHIFT;
 
825
        /* lower 521 bits */
 
826
        r_d[i] &= BN_NIST_521_TOP_MASK;
 
827
 
 
828
        bn_add_words(r_d,r_d,t_d,BN_NIST_521_TOP);
 
829
        mask = 0-(size_t)bn_sub_words(t_d,r_d,_nist_p_521,BN_NIST_521_TOP);
 
830
        res  = (BN_ULONG *)(((size_t)t_d&~mask) | ((size_t)r_d&mask));
 
831
        nist_cp_bn(r_d,res,BN_NIST_521_TOP);
 
832
        r->top = BN_NIST_521_TOP;
767
833
        bn_correct_top(r);
768
834
 
769
 
        ret = 1;
770
 
err:
771
 
        BN_CTX_end(ctx);
772
 
 
773
 
        bn_check_top(r);
774
 
        return ret;
 
835
        return 1;
775
836
        }