• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* crypto/bn/bn_mont.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 /*
113  * Details about Montgomery multiplication algorithms can be found at
114  * http://security.ece.orst.edu/publications.html, e.g.
115  * http://security.ece.orst.edu/koc/papers/j37acmon.pdf and
116  * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf
117  */
118 
119 #include <stdio.h>
120 #include "cryptlib.h"
121 #include "bn_lcl.h"
122 
123 #define MONT_WORD /* use the faster word-based algorithm */
124 
125 #ifdef MONT_WORD
126 static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
127 #endif
128 
BN_mod_mul_montgomery(BIGNUM * r,const BIGNUM * a,const BIGNUM * b,BN_MONT_CTX * mont,BN_CTX * ctx)129 int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
130 			  BN_MONT_CTX *mont, BN_CTX *ctx)
131 	{
132 	BIGNUM *tmp;
133 	int ret=0;
134 #if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD)
135 	int num = mont->N.top;
136 
137 	if (num>1 && a->top==num && b->top==num)
138 		{
139 		if (bn_wexpand(r,num) == NULL) return(0);
140 		if (bn_mul_mont(r->d,a->d,b->d,mont->N.d,mont->n0,num))
141 			{
142 			r->neg = a->neg^b->neg;
143 			r->top = num;
144 			bn_correct_top(r);
145 			return(1);
146 			}
147 		}
148 #endif
149 
150 	BN_CTX_start(ctx);
151 	tmp = BN_CTX_get(ctx);
152 	if (tmp == NULL) goto err;
153 
154 	bn_check_top(tmp);
155 	if (a == b)
156 		{
157 		if (!BN_sqr(tmp,a,ctx)) goto err;
158 		}
159 	else
160 		{
161 		if (!BN_mul(tmp,a,b,ctx)) goto err;
162 		}
163 	/* reduce from aRR to aR */
164 #ifdef MONT_WORD
165 	if (!BN_from_montgomery_word(r,tmp,mont)) goto err;
166 #else
167 	if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;
168 #endif
169 	bn_check_top(r);
170 	ret=1;
171 err:
172 	BN_CTX_end(ctx);
173 	return(ret);
174 	}
175 
176 #ifdef MONT_WORD
BN_from_montgomery_word(BIGNUM * ret,BIGNUM * r,BN_MONT_CTX * mont)177 static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
178 	{
179 	BIGNUM *n;
180 	BN_ULONG *ap,*np,*rp,n0,v,*nrp;
181 	int al,nl,max,i,x,ri;
182 
183 	n= &(mont->N);
184 	/* mont->ri is the size of mont->N in bits (rounded up
185 	   to the word size) */
186 	al=ri=mont->ri/BN_BITS2;
187 
188 	nl=n->top;
189 	if ((al == 0) || (nl == 0)) { ret->top=0; return(1); }
190 
191 	max=(nl+al+1); /* allow for overflow (no?) XXX */
192 	if (bn_wexpand(r,max) == NULL) return(0);
193 
194 	r->neg^=n->neg;
195 	np=n->d;
196 	rp=r->d;
197 	nrp= &(r->d[nl]);
198 
199 	/* clear the top words of T */
200 #if 1
201 	for (i=r->top; i<max; i++) /* memset? XXX */
202 		r->d[i]=0;
203 #else
204 	memset(&(r->d[r->top]),0,(max-r->top)*sizeof(BN_ULONG));
205 #endif
206 
207 	r->top=max;
208 	n0=mont->n0[0];
209 
210 #ifdef BN_COUNT
211 	fprintf(stderr,"word BN_from_montgomery_word %d * %d\n",nl,nl);
212 #endif
213 	for (i=0; i<nl; i++)
214 		{
215 #ifdef __TANDEM
216                 {
217                    long long t1;
218                    long long t2;
219                    long long t3;
220                    t1 = rp[0] * (n0 & 0177777);
221                    t2 = 037777600000l;
222                    t2 = n0 & t2;
223                    t3 = rp[0] & 0177777;
224                    t2 = (t3 * t2) & BN_MASK2;
225                    t1 = t1 + t2;
226                    v=bn_mul_add_words(rp,np,nl,(BN_ULONG) t1);
227                 }
228 #else
229 		v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);
230 #endif
231 		nrp++;
232 		rp++;
233 		if (((nrp[-1]+=v)&BN_MASK2) >= v)
234 			continue;
235 		else
236 			{
237 			if (((++nrp[0])&BN_MASK2) != 0) continue;
238 			if (((++nrp[1])&BN_MASK2) != 0) continue;
239 			for (x=2; (((++nrp[x])&BN_MASK2) == 0); x++) ;
240 			}
241 		}
242 	bn_correct_top(r);
243 
244 	/* mont->ri will be a multiple of the word size and below code
245 	 * is kind of BN_rshift(ret,r,mont->ri) equivalent */
246 	if (r->top <= ri)
247 		{
248 		ret->top=0;
249 		return(1);
250 		}
251 	al=r->top-ri;
252 
253 #define BRANCH_FREE 1
254 #if BRANCH_FREE
255 	if (bn_wexpand(ret,ri) == NULL) return(0);
256 	x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
257 	ret->top=x=(ri&~x)|(al&x);	/* min(ri,al) */
258 	ret->neg=r->neg;
259 
260 	rp=ret->d;
261 	ap=&(r->d[ri]);
262 
263 	{
264 	size_t m1,m2;
265 
266 	v=bn_sub_words(rp,ap,np,ri);
267 	/* this ----------------^^ works even in al<ri case
268 	 * thanks to zealous zeroing of top of the vector in the
269 	 * beginning. */
270 
271 	/* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */
272 	/* in other words if subtraction result is real, then
273 	 * trick unconditional memcpy below to perform in-place
274 	 * "refresh" instead of actual copy. */
275 	m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1);	/* al<ri */
276 	m2=0-(size_t)(((ri-al)>>(sizeof(al)*8-1))&1);	/* al>ri */
277 	m1|=m2;			/* (al!=ri) */
278 	m1|=(0-(size_t)v);	/* (al!=ri || v) */
279 	m1&=~m2;		/* (al!=ri || v) && !al>ri */
280 	nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1));
281 	}
282 
283 	/* 'i<ri' is chosen to eliminate dependency on input data, even
284 	 * though it results in redundant copy in al<ri case. */
285 	for (i=0,ri-=4; i<ri; i+=4)
286 		{
287 		BN_ULONG t1,t2,t3,t4;
288 
289 		t1=nrp[i+0];
290 		t2=nrp[i+1];
291 		t3=nrp[i+2];	ap[i+0]=0;
292 		t4=nrp[i+3];	ap[i+1]=0;
293 		rp[i+0]=t1;	ap[i+2]=0;
294 		rp[i+1]=t2;	ap[i+3]=0;
295 		rp[i+2]=t3;
296 		rp[i+3]=t4;
297 		}
298 	for (ri+=4; i<ri; i++)
299 		rp[i]=nrp[i], ap[i]=0;
300 	bn_correct_top(r);
301 	bn_correct_top(ret);
302 #else
303 	if (bn_wexpand(ret,al) == NULL) return(0);
304 	ret->top=al;
305 	ret->neg=r->neg;
306 
307 	rp=ret->d;
308 	ap=&(r->d[ri]);
309 	al-=4;
310 	for (i=0; i<al; i+=4)
311 		{
312 		BN_ULONG t1,t2,t3,t4;
313 
314 		t1=ap[i+0];
315 		t2=ap[i+1];
316 		t3=ap[i+2];
317 		t4=ap[i+3];
318 		rp[i+0]=t1;
319 		rp[i+1]=t2;
320 		rp[i+2]=t3;
321 		rp[i+3]=t4;
322 		}
323 	al+=4;
324 	for (; i<al; i++)
325 		rp[i]=ap[i];
326 
327 	if (BN_ucmp(ret, &(mont->N)) >= 0)
328 		{
329 		if (!BN_usub(ret,ret,&(mont->N))) return(0);
330 		}
331 #endif
332 	bn_check_top(ret);
333 
334 	return(1);
335 	}
336 #endif	/* MONT_WORD */
337 
BN_from_montgomery(BIGNUM * ret,const BIGNUM * a,BN_MONT_CTX * mont,BN_CTX * ctx)338 int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
339 	     BN_CTX *ctx)
340 	{
341 	int retn=0;
342 #ifdef MONT_WORD
343 	BIGNUM *t;
344 
345 	BN_CTX_start(ctx);
346 	if ((t = BN_CTX_get(ctx)) && BN_copy(t,a))
347 		retn = BN_from_montgomery_word(ret,t,mont);
348 	BN_CTX_end(ctx);
349 #else /* !MONT_WORD */
350 	BIGNUM *t1,*t2;
351 
352 	BN_CTX_start(ctx);
353 	t1 = BN_CTX_get(ctx);
354 	t2 = BN_CTX_get(ctx);
355 	if (t1 == NULL || t2 == NULL) goto err;
356 
357 	if (!BN_copy(t1,a)) goto err;
358 	BN_mask_bits(t1,mont->ri);
359 
360 	if (!BN_mul(t2,t1,&mont->Ni,ctx)) goto err;
361 	BN_mask_bits(t2,mont->ri);
362 
363 	if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;
364 	if (!BN_add(t2,a,t1)) goto err;
365 	if (!BN_rshift(ret,t2,mont->ri)) goto err;
366 
367 	if (BN_ucmp(ret, &(mont->N)) >= 0)
368 		{
369 		if (!BN_usub(ret,ret,&(mont->N))) goto err;
370 		}
371 	retn=1;
372 	bn_check_top(ret);
373  err:
374 	BN_CTX_end(ctx);
375 #endif /* MONT_WORD */
376 	return(retn);
377 	}
378 
BN_MONT_CTX_new(void)379 BN_MONT_CTX *BN_MONT_CTX_new(void)
380 	{
381 	BN_MONT_CTX *ret;
382 
383 	if ((ret=(BN_MONT_CTX *)OPENSSL_malloc(sizeof(BN_MONT_CTX))) == NULL)
384 		return(NULL);
385 
386 	BN_MONT_CTX_init(ret);
387 	ret->flags=BN_FLG_MALLOCED;
388 	return(ret);
389 	}
390 
BN_MONT_CTX_init(BN_MONT_CTX * ctx)391 void BN_MONT_CTX_init(BN_MONT_CTX *ctx)
392 	{
393 	ctx->ri=0;
394 	BN_init(&(ctx->RR));
395 	BN_init(&(ctx->N));
396 	BN_init(&(ctx->Ni));
397 	ctx->n0[0] = ctx->n0[1] = 0;
398 	ctx->flags=0;
399 	}
400 
BN_MONT_CTX_free(BN_MONT_CTX * mont)401 void BN_MONT_CTX_free(BN_MONT_CTX *mont)
402 	{
403 	if(mont == NULL)
404 	    return;
405 
406 	BN_free(&(mont->RR));
407 	BN_free(&(mont->N));
408 	BN_free(&(mont->Ni));
409 	if (mont->flags & BN_FLG_MALLOCED)
410 		OPENSSL_free(mont);
411 	}
412 
BN_MONT_CTX_set(BN_MONT_CTX * mont,const BIGNUM * mod,BN_CTX * ctx)413 int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
414 	{
415 	int ret = 0;
416 	BIGNUM *Ri,*R;
417 
418 	BN_CTX_start(ctx);
419 	if((Ri = BN_CTX_get(ctx)) == NULL) goto err;
420 	R= &(mont->RR);					/* grab RR as a temp */
421 	if (!BN_copy(&(mont->N),mod)) goto err;		/* Set N */
422 	mont->N.neg = 0;
423 
424 #ifdef MONT_WORD
425 		{
426 		BIGNUM tmod;
427 		BN_ULONG buf[2];
428 
429 		BN_init(&tmod);
430 		tmod.d=buf;
431 		tmod.dmax=2;
432 		tmod.neg=0;
433 
434 		mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
435 
436 #if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
437 		/* Only certain BN_BITS2<=32 platforms actually make use of
438 		 * n0[1], and we could use the #else case (with a shorter R
439 		 * value) for the others.  However, currently only the assembler
440 		 * files do know which is which. */
441 
442 		BN_zero(R);
443 		if (!(BN_set_bit(R,2*BN_BITS2))) goto err;
444 
445 								tmod.top=0;
446 		if ((buf[0] = mod->d[0]))			tmod.top=1;
447 		if ((buf[1] = mod->top>1 ? mod->d[1] : 0))	tmod.top=2;
448 
449 		if ((BN_mod_inverse(Ri,R,&tmod,ctx)) == NULL)
450 			goto err;
451 		if (!BN_lshift(Ri,Ri,2*BN_BITS2)) goto err; /* R*Ri */
452 		if (!BN_is_zero(Ri))
453 			{
454 			if (!BN_sub_word(Ri,1)) goto err;
455 			}
456 		else /* if N mod word size == 1 */
457 			{
458 			if (bn_expand(Ri,(int)sizeof(BN_ULONG)*2) == NULL)
459 				goto err;
460 			/* Ri-- (mod double word size) */
461 			Ri->neg=0;
462 			Ri->d[0]=BN_MASK2;
463 			Ri->d[1]=BN_MASK2;
464 			Ri->top=2;
465 			}
466 		if (!BN_div(Ri,NULL,Ri,&tmod,ctx)) goto err;
467 		/* Ni = (R*Ri-1)/N,
468 		 * keep only couple of least significant words: */
469 		mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
470 		mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0;
471 #else
472 		BN_zero(R);
473 		if (!(BN_set_bit(R,BN_BITS2))) goto err;	/* R */
474 
475 		buf[0]=mod->d[0]; /* tmod = N mod word size */
476 		buf[1]=0;
477 		tmod.top = buf[0] != 0 ? 1 : 0;
478 							/* Ri = R^-1 mod N*/
479 		if ((BN_mod_inverse(Ri,R,&tmod,ctx)) == NULL)
480 			goto err;
481 		if (!BN_lshift(Ri,Ri,BN_BITS2)) goto err; /* R*Ri */
482 		if (!BN_is_zero(Ri))
483 			{
484 			if (!BN_sub_word(Ri,1)) goto err;
485 			}
486 		else /* if N mod word size == 1 */
487 			{
488 			if (!BN_set_word(Ri,BN_MASK2)) goto err;  /* Ri-- (mod word size) */
489 			}
490 		if (!BN_div(Ri,NULL,Ri,&tmod,ctx)) goto err;
491 		/* Ni = (R*Ri-1)/N,
492 		 * keep only least significant word: */
493 		mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
494 		mont->n0[1] = 0;
495 #endif
496 		}
497 #else /* !MONT_WORD */
498 		{ /* bignum version */
499 		mont->ri=BN_num_bits(&mont->N);
500 		BN_zero(R);
501 		if (!BN_set_bit(R,mont->ri)) goto err;  /* R = 2^ri */
502 		                                        /* Ri = R^-1 mod N*/
503 		if ((BN_mod_inverse(Ri,R,&mont->N,ctx)) == NULL)
504 			goto err;
505 		if (!BN_lshift(Ri,Ri,mont->ri)) goto err; /* R*Ri */
506 		if (!BN_sub_word(Ri,1)) goto err;
507 							/* Ni = (R*Ri-1) / N */
508 		if (!BN_div(&(mont->Ni),NULL,Ri,&mont->N,ctx)) goto err;
509 		}
510 #endif
511 
512 	/* setup RR for conversions */
513 	BN_zero(&(mont->RR));
514 	if (!BN_set_bit(&(mont->RR),mont->ri*2)) goto err;
515 	if (!BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx)) goto err;
516 
517 	ret = 1;
518 err:
519 	BN_CTX_end(ctx);
520 	return ret;
521 	}
522 
BN_MONT_CTX_copy(BN_MONT_CTX * to,BN_MONT_CTX * from)523 BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
524 	{
525 	if (to == from) return(to);
526 
527 	if (!BN_copy(&(to->RR),&(from->RR))) return NULL;
528 	if (!BN_copy(&(to->N),&(from->N))) return NULL;
529 	if (!BN_copy(&(to->Ni),&(from->Ni))) return NULL;
530 	to->ri=from->ri;
531 	to->n0[0]=from->n0[0];
532 	to->n0[1]=from->n0[1];
533 	return(to);
534 	}
535 
BN_MONT_CTX_set_locked(BN_MONT_CTX ** pmont,int lock,const BIGNUM * mod,BN_CTX * ctx)536 BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
537 					const BIGNUM *mod, BN_CTX *ctx)
538 	{
539 	int got_write_lock = 0;
540 	BN_MONT_CTX *ret;
541 
542 	CRYPTO_r_lock(lock);
543 	if (!*pmont)
544 		{
545 		CRYPTO_r_unlock(lock);
546 		CRYPTO_w_lock(lock);
547 		got_write_lock = 1;
548 
549 		if (!*pmont)
550 			{
551 			ret = BN_MONT_CTX_new();
552 			if (ret && !BN_MONT_CTX_set(ret, mod, ctx))
553 				BN_MONT_CTX_free(ret);
554 			else
555 				*pmont = ret;
556 			}
557 		}
558 
559 	ret = *pmont;
560 
561 	if (got_write_lock)
562 		CRYPTO_w_unlock(lock);
563 	else
564 		CRYPTO_r_unlock(lock);
565 
566 	return ret;
567 	}
568