update libressl to 2.8.2

[unleashed.git] / lib / libcrypto / man / BN_add.3

.\"     $OpenBSD: BN_add.3,v 1.13 2018/04/29 15:58:21 schwarze Exp $
.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
.\" This file was written by Ulf Moeller <ulf@openssl.org>
.\" and Bodo Moeller <bodo@openssl.org>.
.\" Copyright (c) 2000, 2001, 2015 The OpenSSL Project.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in
.\"    the documentation and/or other materials provided with the
.\"    distribution.
.\"
.\" 3. All advertising materials mentioning features or use of this
.\"    software must display the following acknowledgment:
.\"    "This product includes software developed by the OpenSSL Project
.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
.\"
.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
.\"    endorse or promote products derived from this software without
.\"    prior written permission. For written permission, please contact
.\"    openssl-core@openssl.org.
.\"
.\" 5. Products derived from this software may not be called "OpenSSL"
.\"    nor may "OpenSSL" appear in their names without prior written
.\"    permission of the OpenSSL Project.
.\"
.\" 6. Redistributions of any form whatsoever must retain the following
.\"    acknowledgment:
.\"    "This product includes software developed by the OpenSSL Project
.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: April 29 2018 $
.Dt BN_ADD 3
.Os
.Sh NAME
.Nm BN_add ,
.Nm BN_sub ,
.Nm BN_mul ,
.Nm BN_sqr ,
.Nm BN_div ,
.Nm BN_mod ,
.Nm BN_nnmod ,
.Nm BN_mod_add ,
.Nm BN_mod_sub ,
.Nm BN_mod_mul ,
.Nm BN_mod_sqr ,
.Nm BN_exp ,
.Nm BN_mod_exp ,
.\" The following are public, but intentionally undocumented for now:
.\" .Nm BN_mod_exp_mont_consttime ,
.\" .Nm BN_mod_exp_mont ,
.\" .Nm BN_mod_exp_mont_word ,
.\" .Nm BN_mod_exp_recp ,
.\" .Nm BN_mod_exp_simple ,
.\" Maybe they should be deleted from <openssl/bn.h>.
.Nm BN_gcd
.Nd arithmetic operations on BIGNUMs
.Sh SYNOPSIS
.In openssl/bn.h
.Ft int
.Fo BN_add
.Fa "BIGNUM *r"
.Fa "const BIGNUM *a"
.Fa "const BIGNUM *b"
.Fc
.Ft int
.Fo BN_sub
.Fa "BIGNUM *r"
.Fa "const BIGNUM *a"
.Fa "const BIGNUM *b"
.Fc
.Ft int
.Fo BN_mul
.Fa "BIGNUM *r"
.Fa "BIGNUM *a"
.Fa "BIGNUM *b"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo BN_sqr
.Fa "BIGNUM *r"
.Fa "BIGNUM *a"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo BN_div
.Fa "BIGNUM *dv"
.Fa "BIGNUM *rem"
.Fa "const BIGNUM *a"
.Fa "const BIGNUM *d"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo BN_mod
.Fa "BIGNUM *rem"
.Fa "const BIGNUM *a"
.Fa "const BIGNUM *m"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo BN_nnmod
.Fa "BIGNUM *r"
.Fa "const BIGNUM *a"
.Fa "const BIGNUM *m"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo BN_mod_add
.Fa "BIGNUM *r"
.Fa "BIGNUM *a"
.Fa "BIGNUM *b"
.Fa "const BIGNUM *m"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo BN_mod_sub
.Fa "BIGNUM *r"
.Fa "BIGNUM *a"
.Fa "BIGNUM *b"
.Fa "const BIGNUM *m"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo BN_mod_mul
.Fa "BIGNUM *r"
.Fa "BIGNUM *a"
.Fa "BIGNUM *b"
.Fa "const BIGNUM *m"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo BN_mod_sqr
.Fa "BIGNUM *r"
.Fa "BIGNUM *a"
.Fa "const BIGNUM *m"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo BN_exp
.Fa "BIGNUM *r"
.Fa "BIGNUM *a"
.Fa "BIGNUM *p"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo BN_mod_exp
.Fa "BIGNUM *r"
.Fa "BIGNUM *a"
.Fa "const BIGNUM *p"
.Fa "const BIGNUM *m"
.Fa "BN_CTX *ctx"
.Fc
.Ft int
.Fo BN_gcd
.Fa "BIGNUM *r"
.Fa "BIGNUM *a"
.Fa "BIGNUM *b"
.Fa "BN_CTX *ctx"
.Fc
.Sh DESCRIPTION
.Fn BN_add
adds
.Fa a
and
.Fa b
and places the result in
.Fa r
.Pq Li r=a+b .
.Fa r
may be the same
.Vt BIGNUM
as
.Fa a
or
.Fa b .
.Pp
.Fn BN_sub
subtracts
.Fa b
from
.Fa a
and places the result in
.Fa r
.Pq Li r=a-b .
.Fa r
may be the same
.Vt BIGNUM
as
.Fa a
or
.Fa b .
.Pp
.Fn BN_mul
multiplies
.Fa a
and
.Fa b
and places the result in
.Fa r
.Pq Li r=a*b .
.Fa r
may be the same
.Vt BIGNUM
as
.Fa a
or
.Fa b .
For multiplication by powers of 2, use
.Xr BN_lshift 3 .
.Pp
.Fn BN_sqr
takes the square of
.Fa a
and places the result in
.Fa r
.Pq Li r=a^2 .
.Fa r
and
.Fa a
may be the same
.Vt BIGNUM .
This function is faster than
.Fn BN_mul r a a .
.Pp
.Fn BN_div
divides
.Fa a
by
.Fa d
and places the result in
.Fa dv
and the remainder in
.Fa rem
.Pq Li dv=a/d , rem=a%d .
If the flag
.Dv BN_FLG_CONSTTIME
is set on
.Fa a
or
.Fa d ,
it operates in constant time.
Either of
.Fa dv
and
.Fa rem
may be
.Dv NULL ,
in which case the respective value is not returned.
The result is rounded towards zero; thus if
.Fa a
is negative, the remainder will be zero or negative.
For division by powers of 2, use
.Fn BN_rshift 3 .
.Pp
.Fn BN_mod
corresponds to
.Fn BN_div
with
.Fa dv
set to
.Dv NULL .
It is implemented as a macro.
.Pp
.Fn BN_nnmod
reduces
.Fa a
modulo
.Fa m
and places the non-negative remainder in
.Fa r .
.Pp
.Fn BN_mod_add
adds
.Fa a
to
.Fa b
modulo
.Fa m
and places the non-negative result in
.Fa r .
.Pp
.Fn BN_mod_sub
subtracts
.Fa b
from
.Fa a
modulo
.Fa m
and places the non-negative result in
.Fa r .
.Pp
.Fn BN_mod_mul
multiplies
.Fa a
by
.Fa b
and finds the non-negative remainder respective to modulus
.Fa m
.Pq Li r=(a*b)%m .
.Fa r
may be the same
.Vt BIGNUM
as
.Fa a
or
.Fa b .
For more efficient algorithms for repeated computations using the same
modulus, see
.Xr BN_mod_mul_montgomery 3
and
.Xr BN_mod_mul_reciprocal 3 .
.Pp
.Fn BN_mod_sqr
takes the square of
.Fa a
modulo
.Fa m
and places the result in
.Fa r .
.Pp
.Fn BN_exp
raises
.Fa a
to the
.Fa p Ns -th
power and places the result in
.Fa r
.Pq Li r=a^p .
This function is faster than repeated applications of
.Fn BN_mul .
.Pp
.Fn BN_mod_exp
computes
.Fa a
to the
.Fa p Ns -th
power modulo
.Fa m
.Pq Li r=(a^p)%m .
If the flag
.Dv BN_FLG_CONSTTIME
is set on
.Fa p ,
it operates in constant time.
This function uses less time and space than
.Fn BN_exp .
.Pp
.Fn BN_gcd
computes the greatest common divisor of
.Fa a
and
.Fa b
and places the result in
.Fa r .
.Fa r
may be the same
.Vt BIGNUM
as
.Fa a
or
.Fa b .
.Pp
For all functions,
.Fa ctx
is a previously allocated
.Vt BN_CTX
used for temporary variables; see
.Xr BN_CTX_new 3 .
.Pp
Unless noted otherwise, the result
.Vt BIGNUM
must be different from the arguments.
.Sh RETURN VALUES
For all functions, 1 is returned for success, 0 on error.
The return value should always be checked, for example:
.Pp
.Dl if (!BN_add(r,a,b)) goto err;
.Pp
The error codes can be obtained by
.Xr ERR_get_error 3 .
.Sh SEE ALSO
.Xr BN_add_word 3 ,
.Xr BN_CTX_new 3 ,
.Xr BN_new 3 ,
.Xr BN_set_bit 3 ,
.Xr BN_set_flags 3 ,
.Xr BN_set_negative 3
.Sh HISTORY
.Fn BN_add ,
.Fn BN_sub ,
.Fn BN_mul ,
.Fn BN_sqr ,
.Fn BN_div ,
.Fn BN_mod ,
.Fn BN_mod_mul ,
.Fn BN_mod_exp ,
and
.Fn BN_gcd
first appeared in SSLeay 0.5.1.
.Fn BN_exp
first appeared in SSLeay 0.9.0.
All these functions have been available since
.Ox 2.4 .
.Pp
The
.Fa ctx
argument to
.Fn BN_mul
was added in SSLeay 0.9.1 and
.Ox 2.6 .
.Pp
.Fn BN_nnmod ,
.Fn BN_mod_add ,
.Fn BN_mod_sub ,
and
.Fn BN_mod_sqr
first appeared in OpenSSL 0.9.7 and have been available since
.Ox 3.2 .
.Sh BUGS
Even if the
.Dv BN_FLG_CONSTTIME
flag is set on
.Fa a
or
.Fa b ,
.Fn BN_gcd
neither fails nor operates in constant time, potentially allowing
timing side-channel attacks.
.Pp
Even if the
.Dv BN_FLG_CONSTTIME
flag is set on
.Fa p ,
if the modulus
.Fa m
is even,
.Fn BN_mod_exp
does not operate in constant time, potentially allowing
timing side-channel attacks.
.Pp
If
.Dv BN_FLG_CONSTTIME
is set on
.Fa p ,
.Fn BN_exp
fails instead of operating in constant time.