2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include "internal/cryptlib.h"
14 #include <openssl/opensslconf.h>
16 /* This stuff appears to be completely unused, so is deprecated */
17 #if OPENSSL_API_COMPAT < 0x00908000L
19 * For a 32 bit machine
28 static int bn_limit_bits = 0;
29 static int bn_limit_num = 8; /* (1<<bn_limit_bits) */
30 static int bn_limit_bits_low = 0;
31 static int bn_limit_num_low = 8; /* (1<<bn_limit_bits_low) */
32 static int bn_limit_bits_high = 0;
33 static int bn_limit_num_high = 8; /* (1<<bn_limit_bits_high) */
34 static int bn_limit_bits_mont = 0;
35 static int bn_limit_num_mont = 8; /* (1<<bn_limit_bits_mont) */
37 void BN_set_params(int mult, int high, int low, int mont)
40 if (mult > (int)(sizeof(int) * 8) - 1)
41 mult = sizeof(int) * 8 - 1;
43 bn_limit_num = 1 << mult;
46 if (high > (int)(sizeof(int) * 8) - 1)
47 high = sizeof(int) * 8 - 1;
48 bn_limit_bits_high = high;
49 bn_limit_num_high = 1 << high;
52 if (low > (int)(sizeof(int) * 8) - 1)
53 low = sizeof(int) * 8 - 1;
54 bn_limit_bits_low = low;
55 bn_limit_num_low = 1 << low;
58 if (mont > (int)(sizeof(int) * 8) - 1)
59 mont = sizeof(int) * 8 - 1;
60 bn_limit_bits_mont = mont;
61 bn_limit_num_mont = 1 << mont;
65 int BN_get_params(int which)
70 return bn_limit_bits_high;
72 return bn_limit_bits_low;
74 return bn_limit_bits_mont;
80 const BIGNUM *BN_value_one(void)
82 static const BN_ULONG data_one = 1L;
83 static const BIGNUM const_one =
84 { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
89 int BN_num_bits_word(BN_ULONG l)
96 mask = (0 - x) & BN_MASK2;
97 mask = (0 - (mask >> (BN_BITS2 - 1)));
103 mask = (0 - x) & BN_MASK2;
104 mask = (0 - (mask >> (BN_BITS2 - 1)));
109 mask = (0 - x) & BN_MASK2;
110 mask = (0 - (mask >> (BN_BITS2 - 1)));
115 mask = (0 - x) & BN_MASK2;
116 mask = (0 - (mask >> (BN_BITS2 - 1)));
121 mask = (0 - x) & BN_MASK2;
122 mask = (0 - (mask >> (BN_BITS2 - 1)));
127 mask = (0 - x) & BN_MASK2;
128 mask = (0 - (mask >> (BN_BITS2 - 1)));
134 int BN_num_bits(const BIGNUM *a)
141 return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
144 static void bn_free_d(BIGNUM *a)
146 if (BN_get_flags(a, BN_FLG_SECURE))
147 OPENSSL_secure_free(a->d);
153 void BN_clear_free(BIGNUM *a)
157 if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA)) {
158 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
161 if (BN_get_flags(a, BN_FLG_MALLOCED)) {
162 OPENSSL_cleanse(a, sizeof(*a));
167 void BN_free(BIGNUM *a)
171 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
173 if (a->flags & BN_FLG_MALLOCED)
177 void bn_init(BIGNUM *a)
189 if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
190 BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
193 ret->flags = BN_FLG_MALLOCED;
198 BIGNUM *BN_secure_new(void)
200 BIGNUM *ret = BN_new();
202 ret->flags |= BN_FLG_SECURE;
206 /* This is used by bn_expand2() */
207 /* The caller MUST check that words > b->dmax before calling this */
208 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
214 if (words > (INT_MAX / (4 * BN_BITS2))) {
215 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
218 if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
219 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
222 if (BN_get_flags(b, BN_FLG_SECURE))
223 a = OPENSSL_secure_zalloc(words * sizeof(*a));
225 a = OPENSSL_zalloc(words * sizeof(*a));
227 BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
231 assert(b->top <= words);
233 memcpy(a, b->d, sizeof(*a) * b->top);
239 * This is an internal function that should not be used in applications. It
240 * ensures that 'b' has enough room for a 'words' word number and initialises
241 * any unused part of b->d with leading zeros. It is mostly used by the
242 * various BIGNUM routines. If there is an error, NULL is returned. If not,
246 BIGNUM *bn_expand2(BIGNUM *b, int words)
250 if (words > b->dmax) {
251 BN_ULONG *a = bn_expand_internal(b, words);
255 OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
266 BIGNUM *BN_dup(const BIGNUM *a)
274 t = BN_get_flags(a, BN_FLG_SECURE) ? BN_secure_new() : BN_new();
277 if (!BN_copy(t, a)) {
285 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
291 if (bn_wexpand(a, b->top) == NULL)
295 memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
303 void BN_swap(BIGNUM *a, BIGNUM *b)
305 int flags_old_a, flags_old_b;
307 int tmp_top, tmp_dmax, tmp_neg;
312 flags_old_a = a->flags;
313 flags_old_b = b->flags;
331 (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
333 (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
338 void BN_clear(BIGNUM *a)
342 OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax);
347 BN_ULONG BN_get_word(const BIGNUM *a)
351 else if (a->top == 1)
357 int BN_set_word(BIGNUM *a, BN_ULONG w)
360 if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL)
364 a->top = (w ? 1 : 0);
369 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
381 /* Skip leading zero's. */
382 for ( ; len > 0 && *s == 0; s++, len--)
389 i = ((n - 1) / BN_BYTES) + 1;
390 m = ((n - 1) % (BN_BYTES));
391 if (bn_wexpand(ret, (int)i) == NULL) {
399 l = (l << 8L) | *(s++);
407 * need to call this due to clear byte at top if avoiding having the top
408 * bit set (-ve number)
414 /* ignore negative */
415 static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
426 /* Add leading zeroes if necessary */
428 memset(to, 0, tolen - i);
432 l = a->d[i / BN_BYTES];
433 *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
438 int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
442 return bn2binpad(a, to, tolen);
445 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
447 return bn2binpad(a, to, -1);
450 BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
463 /* Skip trailing zeroes. */
464 for ( ; len > 0 && s[-1] == 0; s--, len--)
471 i = ((n - 1) / BN_BYTES) + 1;
472 m = ((n - 1) % (BN_BYTES));
473 if (bn_wexpand(ret, (int)i) == NULL) {
490 * need to call this due to clear byte at top if avoiding having the top
491 * bit set (-ve number)
497 int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
505 /* Add trailing zeroes if necessary */
507 memset(to + i, 0, tolen - i);
510 l = a->d[i / BN_BYTES];
512 *to = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
517 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
520 BN_ULONG t1, t2, *ap, *bp;
530 for (i = a->top - 1; i >= 0; i--) {
534 return ((t1 > t2) ? 1 : -1);
539 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
545 if ((a == NULL) || (b == NULL)) {
557 if (a->neg != b->neg) {
575 for (i = a->top - 1; i >= 0; i--) {
586 int BN_set_bit(BIGNUM *a, int n)
596 if (bn_wexpand(a, i + 1) == NULL)
598 for (k = a->top; k < i + 1; k++)
603 a->d[i] |= (((BN_ULONG)1) << j);
608 int BN_clear_bit(BIGNUM *a, int n)
621 a->d[i] &= (~(((BN_ULONG)1) << j));
626 int BN_is_bit_set(const BIGNUM *a, int n)
637 return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
640 int BN_mask_bits(BIGNUM *a, int n)
656 a->d[w] &= ~(BN_MASK2 << b);
662 void BN_set_negative(BIGNUM *a, int b)
664 if (b && !BN_is_zero(a))
670 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
678 return ((aa > bb) ? 1 : -1);
679 for (i = n - 2; i >= 0; i--) {
683 return ((aa > bb) ? 1 : -1);
689 * Here follows a specialised variants of bn_cmp_words(). It has the
690 * capability of performing the operation on arrays of different sizes. The
691 * sizes of those arrays is expressed through cl, which is the common length
692 * ( basically, min(len(a),len(b)) ), and dl, which is the delta between the
693 * two lengths, calculated as len(a)-len(b). All lengths are the number of
697 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
703 for (i = dl; i < 0; i++) {
705 return -1; /* a < b */
709 for (i = dl; i > 0; i--) {
711 return 1; /* a > b */
714 return bn_cmp_words(a, b, cl);
718 * Constant-time conditional swap of a and b.
719 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
720 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
721 * and that no more than nwords are used by either a or b.
722 * a and b cannot be the same number
724 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
729 bn_wcheck_size(a, nwords);
730 bn_wcheck_size(b, nwords);
733 assert((condition & (condition - 1)) == 0);
734 assert(sizeof(BN_ULONG) >= sizeof(int));
736 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
738 t = (a->top ^ b->top) & condition;
742 #define BN_CONSTTIME_SWAP(ind) \
744 t = (a->d[ind] ^ b->d[ind]) & condition; \
751 for (i = 10; i < nwords; i++)
752 BN_CONSTTIME_SWAP(i);
755 BN_CONSTTIME_SWAP(9); /* Fallthrough */
757 BN_CONSTTIME_SWAP(8); /* Fallthrough */
759 BN_CONSTTIME_SWAP(7); /* Fallthrough */
761 BN_CONSTTIME_SWAP(6); /* Fallthrough */
763 BN_CONSTTIME_SWAP(5); /* Fallthrough */
765 BN_CONSTTIME_SWAP(4); /* Fallthrough */
767 BN_CONSTTIME_SWAP(3); /* Fallthrough */
769 BN_CONSTTIME_SWAP(2); /* Fallthrough */
771 BN_CONSTTIME_SWAP(1); /* Fallthrough */
773 BN_CONSTTIME_SWAP(0);
775 #undef BN_CONSTTIME_SWAP
778 /* Bits of security, see SP800-57 */
780 int BN_security_bits(int L, int N)
800 return bits >= secbits ? secbits : bits;
803 void BN_zero_ex(BIGNUM *a)
809 int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
811 return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
814 int BN_is_zero(const BIGNUM *a)
819 int BN_is_one(const BIGNUM *a)
821 return BN_abs_is_word(a, 1) && !a->neg;
824 int BN_is_word(const BIGNUM *a, const BN_ULONG w)
826 return BN_abs_is_word(a, w) && (!w || !a->neg);
829 int BN_is_odd(const BIGNUM *a)
831 return (a->top > 0) && (a->d[0] & 1);
834 int BN_is_negative(const BIGNUM *a)
836 return (a->neg != 0);
839 int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
842 return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx);
845 void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags)
849 dest->dmax = b->dmax;
851 dest->flags = ((dest->flags & BN_FLG_MALLOCED)
852 | (b->flags & ~BN_FLG_MALLOCED)
853 | BN_FLG_STATIC_DATA | flags);
856 BN_GENCB *BN_GENCB_new(void)
860 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
861 BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE);
868 void BN_GENCB_free(BN_GENCB *cb)
875 void BN_set_flags(BIGNUM *b, int n)
880 int BN_get_flags(const BIGNUM *b, int n)
885 /* Populate a BN_GENCB structure with an "old"-style callback */
886 void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback) (int, int, void *),
889 BN_GENCB *tmp_gencb = gencb;
891 tmp_gencb->arg = cb_arg;
892 tmp_gencb->cb.cb_1 = callback;
895 /* Populate a BN_GENCB structure with a "new"-style callback */
896 void BN_GENCB_set(BN_GENCB *gencb, int (*callback) (int, int, BN_GENCB *),
899 BN_GENCB *tmp_gencb = gencb;
901 tmp_gencb->arg = cb_arg;
902 tmp_gencb->cb.cb_2 = callback;
905 void *BN_GENCB_get_arg(BN_GENCB *cb)
910 BIGNUM *bn_wexpand(BIGNUM *a, int words)
912 return (words <= a->dmax) ? a : bn_expand2(a, words);
915 void bn_correct_top(BIGNUM *a)
918 int tmp_top = a->top;
921 for (ftl = &(a->d[tmp_top]); tmp_top > 0; tmp_top--) {
projects / openssl.git / blob