2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include "internal/cryptlib.h"
14 #include <openssl/opensslconf.h>
15 #include "internal/constant_time_locl.h"
17 /* This stuff appears to be completely unused, so is deprecated */
18 #if OPENSSL_API_COMPAT < 0x00908000L
20 * For a 32 bit machine
29 static int bn_limit_bits = 0;
30 static int bn_limit_num = 8; /* (1<<bn_limit_bits) */
31 static int bn_limit_bits_low = 0;
32 static int bn_limit_num_low = 8; /* (1<<bn_limit_bits_low) */
33 static int bn_limit_bits_high = 0;
34 static int bn_limit_num_high = 8; /* (1<<bn_limit_bits_high) */
35 static int bn_limit_bits_mont = 0;
36 static int bn_limit_num_mont = 8; /* (1<<bn_limit_bits_mont) */
38 void BN_set_params(int mult, int high, int low, int mont)
41 if (mult > (int)(sizeof(int) * 8) - 1)
42 mult = sizeof(int) * 8 - 1;
44 bn_limit_num = 1 << mult;
47 if (high > (int)(sizeof(int) * 8) - 1)
48 high = sizeof(int) * 8 - 1;
49 bn_limit_bits_high = high;
50 bn_limit_num_high = 1 << high;
53 if (low > (int)(sizeof(int) * 8) - 1)
54 low = sizeof(int) * 8 - 1;
55 bn_limit_bits_low = low;
56 bn_limit_num_low = 1 << low;
59 if (mont > (int)(sizeof(int) * 8) - 1)
60 mont = sizeof(int) * 8 - 1;
61 bn_limit_bits_mont = mont;
62 bn_limit_num_mont = 1 << mont;
66 int BN_get_params(int which)
69 return (bn_limit_bits);
71 return (bn_limit_bits_high);
73 return (bn_limit_bits_low);
75 return (bn_limit_bits_mont);
81 const BIGNUM *BN_value_one(void)
83 static const BN_ULONG data_one = 1L;
84 static const BIGNUM const_one =
85 { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
90 int BN_num_bits_word(BN_ULONG l)
97 mask = (0 - x) & BN_MASK2;
98 mask = (0 - (mask >> (BN_BITS2 - 1)));
104 mask = (0 - x) & BN_MASK2;
105 mask = (0 - (mask >> (BN_BITS2 - 1)));
110 mask = (0 - x) & BN_MASK2;
111 mask = (0 - (mask >> (BN_BITS2 - 1)));
116 mask = (0 - x) & BN_MASK2;
117 mask = (0 - (mask >> (BN_BITS2 - 1)));
122 mask = (0 - x) & BN_MASK2;
123 mask = (0 - (mask >> (BN_BITS2 - 1)));
128 mask = (0 - x) & BN_MASK2;
129 mask = (0 - (mask >> (BN_BITS2 - 1)));
136 * This function still leaks `a->dmax`: it's caller's responsibility to
137 * expand the input `a` in advance to a public length.
140 int bn_num_bits_consttime(const BIGNUM *a)
143 unsigned int mask, past_i;
147 for (j = 0, past_i = 0, ret = 0; j < a->dmax; j++) {
148 mask = constant_time_eq_int(i, j); /* 0xff..ff if i==j, 0x0 otherwise */
150 ret += BN_BITS2 & (~mask & ~past_i);
151 ret += BN_num_bits_word(a->d[j]) & mask;
153 past_i |= mask; /* past_i will become 0xff..ff after i==j */
157 * if BN_is_zero(a) => i is -1 and ret contains garbage, so we mask the
160 mask = ~(constant_time_eq_int(i, ((int)-1)));
165 int BN_num_bits(const BIGNUM *a)
170 if (a->flags & BN_FLG_CONSTTIME) {
172 * We assume that BIGNUMs flagged as CONSTTIME have also been expanded
173 * so that a->dmax is not leaking secret information.
175 * In other words, it's the caller's responsibility to ensure `a` has
176 * been preallocated in advance to a public length if we hit this
180 return bn_num_bits_consttime(a);
186 return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
189 static void bn_free_d(BIGNUM *a)
191 if (BN_get_flags(a, BN_FLG_SECURE))
192 OPENSSL_secure_free(a->d);
198 void BN_clear_free(BIGNUM *a)
206 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
207 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
210 i = BN_get_flags(a, BN_FLG_MALLOCED);
211 OPENSSL_cleanse(a, sizeof(*a));
216 void BN_free(BIGNUM *a)
221 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
223 if (a->flags & BN_FLG_MALLOCED)
226 #if OPENSSL_API_COMPAT < 0x00908000L
227 a->flags |= BN_FLG_FREE;
233 void bn_init(BIGNUM *a)
245 if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
246 BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
249 ret->flags = BN_FLG_MALLOCED;
254 BIGNUM *BN_secure_new(void)
256 BIGNUM *ret = BN_new();
258 ret->flags |= BN_FLG_SECURE;
262 /* This is used by bn_expand2() */
263 /* The caller MUST check that words > b->dmax before calling this */
264 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
266 BN_ULONG *A, *a = NULL;
270 if (words > (INT_MAX / (4 * BN_BITS2))) {
271 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
274 if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
275 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
278 if (BN_get_flags(b, BN_FLG_SECURE))
279 a = A = OPENSSL_secure_zalloc(words * sizeof(*a));
281 a = A = OPENSSL_zalloc(words * sizeof(*a));
283 BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
289 /* Check if the previous number needs to be copied */
291 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
293 * The fact that the loop is unrolled
294 * 4-wise is a tribute to Intel. It's
295 * the one that doesn't have enough
296 * registers to accommodate more data.
297 * I'd unroll it 8-wise otherwise:-)
299 * <appro@fy.chalmers.se>
301 BN_ULONG a0, a1, a2, a3;
311 switch (b->top & 3) {
322 /* Without the "case 0" some old optimizers got this wrong. */
327 memset(A, 0, sizeof(*A) * words);
328 memcpy(A, b->d, sizeof(b->d[0]) * b->top);
335 * This is an internal function that should not be used in applications. It
336 * ensures that 'b' has enough room for a 'words' word number and initialises
337 * any unused part of b->d with leading zeros. It is mostly used by the
338 * various BIGNUM routines. If there is an error, NULL is returned. If not,
342 BIGNUM *bn_expand2(BIGNUM *b, int words)
344 if (words > b->dmax) {
345 BN_ULONG *a = bn_expand_internal(b, words);
349 OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
359 BIGNUM *BN_dup(const BIGNUM *a)
367 t = BN_get_flags(a, BN_FLG_SECURE) ? BN_secure_new() : BN_new();
370 if (!BN_copy(t, a)) {
378 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
388 if (bn_wexpand(a, b->top) == NULL)
394 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
395 BN_ULONG a0, a1, a2, a3;
405 /* ultrix cc workaround, see comments in bn_expand_internal */
406 switch (b->top & 3) {
419 memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
424 a->flags |= b->flags & BN_FLG_FIXED_TOP;
429 #define FLAGS_DATA(flags) ((flags) & (BN_FLG_STATIC_DATA \
433 #define FLAGS_STRUCT(flags) ((flags) & (BN_FLG_MALLOCED))
435 void BN_swap(BIGNUM *a, BIGNUM *b)
437 int flags_old_a, flags_old_b;
439 int tmp_top, tmp_dmax, tmp_neg;
444 flags_old_a = a->flags;
445 flags_old_b = b->flags;
462 a->flags = FLAGS_STRUCT(flags_old_a) | FLAGS_DATA(flags_old_b);
463 b->flags = FLAGS_STRUCT(flags_old_b) | FLAGS_DATA(flags_old_a);
468 void BN_clear(BIGNUM *a)
472 OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax);
475 a->flags &= ~BN_FLG_FIXED_TOP;
478 BN_ULONG BN_get_word(const BIGNUM *a)
482 else if (a->top == 1)
488 int BN_set_word(BIGNUM *a, BN_ULONG w)
491 if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL)
495 a->top = (w ? 1 : 0);
496 a->flags &= ~BN_FLG_FIXED_TOP;
501 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
513 /* Skip leading zero's. */
514 for ( ; len > 0 && *s == 0; s++, len--)
521 i = ((n - 1) / BN_BYTES) + 1;
522 m = ((n - 1) % (BN_BYTES));
523 if (bn_wexpand(ret, (int)i) == NULL) {
531 l = (l << 8L) | *(s++);
539 * need to call this due to clear byte at top if avoiding having the top
540 * bit set (-ve number)
546 typedef enum {big, little} endianess_t;
548 /* ignore negative */
550 int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianess_t endianess)
553 size_t i, lasti, j, atop, mask;
557 * In case |a| is fixed-top, BN_num_bytes can return bogus length,
558 * but it's assumed that fixed-top inputs ought to be "nominated"
559 * even for padded output, so it works out...
564 } else if (tolen < n) { /* uncommon/unlike case */
567 bn_correct_top(&temp);
568 n = BN_num_bytes(&temp);
573 /* Swipe through whole available data and don't give away padded zero. */
574 atop = a->dmax * BN_BYTES;
576 OPENSSL_cleanse(to, tolen);
581 atop = a->top * BN_BYTES;
582 if (endianess == big)
583 to += tolen; /* start from the end of the buffer */
584 for (i = 0, j = 0; j < (size_t)tolen; j++) {
586 l = a->d[i / BN_BYTES];
587 mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1));
588 val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
589 if (endianess == big)
593 i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */
599 int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
603 return bn2binpad(a, to, tolen, big);
606 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
608 return bn2binpad(a, to, -1, big);
611 BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
624 /* Skip trailing zeroes. */
625 for ( ; len > 0 && s[-1] == 0; s--, len--)
632 i = ((n - 1) / BN_BYTES) + 1;
633 m = ((n - 1) % (BN_BYTES));
634 if (bn_wexpand(ret, (int)i) == NULL) {
651 * need to call this due to clear byte at top if avoiding having the top
652 * bit set (-ve number)
658 int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
662 return bn2binpad(a, to, tolen, little);
665 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
668 BN_ULONG t1, t2, *ap, *bp;
678 for (i = a->top - 1; i >= 0; i--) {
682 return ((t1 > t2) ? 1 : -1);
687 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
693 if ((a == NULL) || (b == NULL)) {
705 if (a->neg != b->neg) {
723 for (i = a->top - 1; i >= 0; i--) {
734 int BN_set_bit(BIGNUM *a, int n)
744 if (bn_wexpand(a, i + 1) == NULL)
746 for (k = a->top; k < i + 1; k++)
749 a->flags &= ~BN_FLG_FIXED_TOP;
752 a->d[i] |= (((BN_ULONG)1) << j);
757 int BN_clear_bit(BIGNUM *a, int n)
770 a->d[i] &= (~(((BN_ULONG)1) << j));
775 int BN_is_bit_set(const BIGNUM *a, int n)
786 return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
789 int BN_mask_bits(BIGNUM *a, int n)
805 a->d[w] &= ~(BN_MASK2 << b);
811 void BN_set_negative(BIGNUM *a, int b)
813 if (b && !BN_is_zero(a))
819 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
830 return ((aa > bb) ? 1 : -1);
831 for (i = n - 2; i >= 0; i--) {
835 return ((aa > bb) ? 1 : -1);
841 * Here follows a specialised variants of bn_cmp_words(). It has the
842 * capability of performing the operation on arrays of different sizes. The
843 * sizes of those arrays is expressed through cl, which is the common length
844 * ( basically, min(len(a),len(b)) ), and dl, which is the delta between the
845 * two lengths, calculated as len(a)-len(b). All lengths are the number of
849 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
855 for (i = dl; i < 0; i++) {
857 return -1; /* a < b */
861 for (i = dl; i > 0; i--) {
863 return 1; /* a > b */
866 return bn_cmp_words(a, b, cl);
870 * Constant-time conditional swap of a and b.
871 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
872 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
873 * and that no more than nwords are used by either a or b.
874 * a and b cannot be the same number
876 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
881 bn_wcheck_size(a, nwords);
882 bn_wcheck_size(b, nwords);
885 assert((condition & (condition - 1)) == 0);
886 assert(sizeof(BN_ULONG) >= sizeof(int));
888 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
890 t = (a->top ^ b->top) & condition;
894 t = (a->neg ^ b->neg) & condition;
899 * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention
900 * is actually to treat it as it's read-only data, and some (if not most)
901 * of it does reside in read-only segment. In other words observation of
902 * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal
903 * condition. It would either cause SEGV or effectively cause data
906 * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be
909 * BN_FLG_SECURE: must be preserved, because it determines how x->d was
910 * allocated and hence how to free it.
912 * BN_FLG_CONSTTIME: sufficient to mask and swap
914 * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on
915 * the data, so the d array may be padded with additional 0 values (i.e.
916 * top could be greater than the minimal value that it could be). We should
920 #define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP)
922 t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition;
926 #define BN_CONSTTIME_SWAP(ind) \
928 t = (a->d[ind] ^ b->d[ind]) & condition; \
935 for (i = 10; i < nwords; i++)
936 BN_CONSTTIME_SWAP(i);
939 BN_CONSTTIME_SWAP(9); /* Fallthrough */
941 BN_CONSTTIME_SWAP(8); /* Fallthrough */
943 BN_CONSTTIME_SWAP(7); /* Fallthrough */
945 BN_CONSTTIME_SWAP(6); /* Fallthrough */
947 BN_CONSTTIME_SWAP(5); /* Fallthrough */
949 BN_CONSTTIME_SWAP(4); /* Fallthrough */
951 BN_CONSTTIME_SWAP(3); /* Fallthrough */
953 BN_CONSTTIME_SWAP(2); /* Fallthrough */
955 BN_CONSTTIME_SWAP(1); /* Fallthrough */
957 BN_CONSTTIME_SWAP(0);
959 #undef BN_CONSTTIME_SWAP
962 /* Bits of security, see SP800-57 */
964 int BN_security_bits(int L, int N)
984 return bits >= secbits ? secbits : bits;
987 void BN_zero_ex(BIGNUM *a)
991 a->flags &= ~BN_FLG_FIXED_TOP;
994 int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
996 return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
999 int BN_is_zero(const BIGNUM *a)
1004 int BN_is_one(const BIGNUM *a)
1006 return BN_abs_is_word(a, 1) && !a->neg;
1009 int BN_is_word(const BIGNUM *a, const BN_ULONG w)
1011 return BN_abs_is_word(a, w) && (!w || !a->neg);
1014 int BN_is_odd(const BIGNUM *a)
1016 return (a->top > 0) && (a->d[0] & 1);
1019 int BN_is_negative(const BIGNUM *a)
1021 return (a->neg != 0);
1024 int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
1027 return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx);
1030 void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags)
1034 dest->dmax = b->dmax;
1036 dest->flags = ((dest->flags & BN_FLG_MALLOCED)
1037 | (b->flags & ~BN_FLG_MALLOCED)
1038 | BN_FLG_STATIC_DATA | flags);
1041 BN_GENCB *BN_GENCB_new(void)
1045 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
1046 BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE);
1053 void BN_GENCB_free(BN_GENCB *cb)
1060 void BN_set_flags(BIGNUM *b, int n)
1065 int BN_get_flags(const BIGNUM *b, int n)
1067 return b->flags & n;
1070 /* Populate a BN_GENCB structure with an "old"-style callback */
1071 void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback) (int, int, void *),
1074 BN_GENCB *tmp_gencb = gencb;
1076 tmp_gencb->arg = cb_arg;
1077 tmp_gencb->cb.cb_1 = callback;
1080 /* Populate a BN_GENCB structure with a "new"-style callback */
1081 void BN_GENCB_set(BN_GENCB *gencb, int (*callback) (int, int, BN_GENCB *),
1084 BN_GENCB *tmp_gencb = gencb;
1086 tmp_gencb->arg = cb_arg;
1087 tmp_gencb->cb.cb_2 = callback;
1090 void *BN_GENCB_get_arg(BN_GENCB *cb)
1095 BIGNUM *bn_wexpand(BIGNUM *a, int words)
1097 return (words <= a->dmax) ? a : bn_expand2(a, words);
1100 void bn_correct_top(BIGNUM *a)
1103 int tmp_top = a->top;
1106 for (ftl = &(a->d[tmp_top]); tmp_top > 0; tmp_top--) {
1115 a->flags &= ~BN_FLG_FIXED_TOP;