2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include "internal/cryptlib.h"
14 #include <openssl/opensslconf.h>
16 /* This stuff appears to be completely unused, so is deprecated */
17 #if OPENSSL_API_COMPAT < 0x00908000L
19 * For a 32 bit machine
28 static int bn_limit_bits = 0;
29 static int bn_limit_num = 8; /* (1<<bn_limit_bits) */
30 static int bn_limit_bits_low = 0;
31 static int bn_limit_num_low = 8; /* (1<<bn_limit_bits_low) */
32 static int bn_limit_bits_high = 0;
33 static int bn_limit_num_high = 8; /* (1<<bn_limit_bits_high) */
34 static int bn_limit_bits_mont = 0;
35 static int bn_limit_num_mont = 8; /* (1<<bn_limit_bits_mont) */
37 void BN_set_params(int mult, int high, int low, int mont)
40 if (mult > (int)(sizeof(int) * 8) - 1)
41 mult = sizeof(int) * 8 - 1;
43 bn_limit_num = 1 << mult;
46 if (high > (int)(sizeof(int) * 8) - 1)
47 high = sizeof(int) * 8 - 1;
48 bn_limit_bits_high = high;
49 bn_limit_num_high = 1 << high;
52 if (low > (int)(sizeof(int) * 8) - 1)
53 low = sizeof(int) * 8 - 1;
54 bn_limit_bits_low = low;
55 bn_limit_num_low = 1 << low;
58 if (mont > (int)(sizeof(int) * 8) - 1)
59 mont = sizeof(int) * 8 - 1;
60 bn_limit_bits_mont = mont;
61 bn_limit_num_mont = 1 << mont;
65 int BN_get_params(int which)
70 return bn_limit_bits_high;
72 return bn_limit_bits_low;
74 return bn_limit_bits_mont;
80 const BIGNUM *BN_value_one(void)
82 static const BN_ULONG data_one = 1L;
83 static const BIGNUM const_one =
84 { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
89 int BN_num_bits_word(BN_ULONG l)
96 mask = (0 - x) & BN_MASK2;
97 mask = (0 - (mask >> (BN_BITS2 - 1)));
103 mask = (0 - x) & BN_MASK2;
104 mask = (0 - (mask >> (BN_BITS2 - 1)));
109 mask = (0 - x) & BN_MASK2;
110 mask = (0 - (mask >> (BN_BITS2 - 1)));
115 mask = (0 - x) & BN_MASK2;
116 mask = (0 - (mask >> (BN_BITS2 - 1)));
121 mask = (0 - x) & BN_MASK2;
122 mask = (0 - (mask >> (BN_BITS2 - 1)));
127 mask = (0 - x) & BN_MASK2;
128 mask = (0 - (mask >> (BN_BITS2 - 1)));
134 int BN_num_bits(const BIGNUM *a)
141 return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
144 static void bn_free_d(BIGNUM *a)
146 if (BN_get_flags(a, BN_FLG_SECURE))
147 OPENSSL_secure_free(a->d);
153 void BN_clear_free(BIGNUM *a)
157 if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA)) {
158 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
161 if (BN_get_flags(a, BN_FLG_MALLOCED)) {
162 OPENSSL_cleanse(a, sizeof(*a));
167 void BN_free(BIGNUM *a)
171 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
173 if (a->flags & BN_FLG_MALLOCED)
177 void bn_init(BIGNUM *a)
189 if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
190 BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
193 ret->flags = BN_FLG_MALLOCED;
198 BIGNUM *BN_secure_new(void)
200 BIGNUM *ret = BN_new();
202 ret->flags |= BN_FLG_SECURE;
206 /* This is used by bn_expand2() */
207 /* The caller MUST check that words > b->dmax before calling this */
208 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
212 if (words > (INT_MAX / (4 * BN_BITS2))) {
213 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
216 if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
217 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
220 if (BN_get_flags(b, BN_FLG_SECURE))
221 a = OPENSSL_secure_zalloc(words * sizeof(*a));
223 a = OPENSSL_zalloc(words * sizeof(*a));
225 BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
229 assert(b->top <= words);
231 memcpy(a, b->d, sizeof(*a) * b->top);
237 * This is an internal function that should not be used in applications. It
238 * ensures that 'b' has enough room for a 'words' word number and initialises
239 * any unused part of b->d with leading zeros. It is mostly used by the
240 * various BIGNUM routines. If there is an error, NULL is returned. If not,
244 BIGNUM *bn_expand2(BIGNUM *b, int words)
246 if (words > b->dmax) {
247 BN_ULONG *a = bn_expand_internal(b, words);
251 OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
261 BIGNUM *BN_dup(const BIGNUM *a)
269 t = BN_get_flags(a, BN_FLG_SECURE) ? BN_secure_new() : BN_new();
272 if (!BN_copy(t, a)) {
280 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
286 if (bn_wexpand(a, b->top) == NULL)
290 memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
294 a->flags |= b->flags & BN_FLG_FIXED_TOP;
299 #define FLAGS_DATA(flags) ((flags) & (BN_FLG_STATIC_DATA \
303 #define FLAGS_STRUCT(flags) ((flags) & (BN_FLG_MALLOCED))
305 void BN_swap(BIGNUM *a, BIGNUM *b)
307 int flags_old_a, flags_old_b;
309 int tmp_top, tmp_dmax, tmp_neg;
314 flags_old_a = a->flags;
315 flags_old_b = b->flags;
332 a->flags = FLAGS_STRUCT(flags_old_a) | FLAGS_DATA(flags_old_b);
333 b->flags = FLAGS_STRUCT(flags_old_b) | FLAGS_DATA(flags_old_a);
338 void BN_clear(BIGNUM *a)
342 OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax);
345 a->flags &= ~BN_FLG_FIXED_TOP;
348 BN_ULONG BN_get_word(const BIGNUM *a)
352 else if (a->top == 1)
358 int BN_set_word(BIGNUM *a, BN_ULONG w)
361 if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL)
365 a->top = (w ? 1 : 0);
366 a->flags &= ~BN_FLG_FIXED_TOP;
371 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
383 /* Skip leading zero's. */
384 for ( ; len > 0 && *s == 0; s++, len--)
391 i = ((n - 1) / BN_BYTES) + 1;
392 m = ((n - 1) % (BN_BYTES));
393 if (bn_wexpand(ret, (int)i) == NULL) {
401 l = (l << 8L) | *(s++);
409 * need to call this due to clear byte at top if avoiding having the top
410 * bit set (-ve number)
416 /* ignore negative */
417 static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
428 /* Add leading zeroes if necessary */
430 memset(to, 0, tolen - i);
434 l = a->d[i / BN_BYTES];
435 *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
440 int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
444 return bn2binpad(a, to, tolen);
447 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
449 return bn2binpad(a, to, -1);
452 BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
465 /* Skip trailing zeroes. */
466 for ( ; len > 0 && s[-1] == 0; s--, len--)
473 i = ((n - 1) / BN_BYTES) + 1;
474 m = ((n - 1) % (BN_BYTES));
475 if (bn_wexpand(ret, (int)i) == NULL) {
492 * need to call this due to clear byte at top if avoiding having the top
493 * bit set (-ve number)
499 int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
507 /* Add trailing zeroes if necessary */
509 memset(to + i, 0, tolen - i);
512 l = a->d[i / BN_BYTES];
514 *to = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
519 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
522 BN_ULONG t1, t2, *ap, *bp;
532 for (i = a->top - 1; i >= 0; i--) {
536 return ((t1 > t2) ? 1 : -1);
541 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
547 if ((a == NULL) || (b == NULL)) {
559 if (a->neg != b->neg) {
577 for (i = a->top - 1; i >= 0; i--) {
588 int BN_set_bit(BIGNUM *a, int n)
598 if (bn_wexpand(a, i + 1) == NULL)
600 for (k = a->top; k < i + 1; k++)
603 a->flags &= ~BN_FLG_FIXED_TOP;
606 a->d[i] |= (((BN_ULONG)1) << j);
611 int BN_clear_bit(BIGNUM *a, int n)
624 a->d[i] &= (~(((BN_ULONG)1) << j));
629 int BN_is_bit_set(const BIGNUM *a, int n)
640 return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
643 int BN_mask_bits(BIGNUM *a, int n)
659 a->d[w] &= ~(BN_MASK2 << b);
665 void BN_set_negative(BIGNUM *a, int b)
667 if (b && !BN_is_zero(a))
673 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
681 return ((aa > bb) ? 1 : -1);
682 for (i = n - 2; i >= 0; i--) {
686 return ((aa > bb) ? 1 : -1);
692 * Here follows a specialised variants of bn_cmp_words(). It has the
693 * capability of performing the operation on arrays of different sizes. The
694 * sizes of those arrays is expressed through cl, which is the common length
695 * ( basically, min(len(a),len(b)) ), and dl, which is the delta between the
696 * two lengths, calculated as len(a)-len(b). All lengths are the number of
700 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
706 for (i = dl; i < 0; i++) {
708 return -1; /* a < b */
712 for (i = dl; i > 0; i--) {
714 return 1; /* a > b */
717 return bn_cmp_words(a, b, cl);
721 * Constant-time conditional swap of a and b.
722 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
723 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
724 * and that no more than nwords are used by either a or b.
725 * a and b cannot be the same number
727 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
732 bn_wcheck_size(a, nwords);
733 bn_wcheck_size(b, nwords);
736 assert((condition & (condition - 1)) == 0);
737 assert(sizeof(BN_ULONG) >= sizeof(int));
739 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
741 t = (a->top ^ b->top) & condition;
745 t = (a->neg ^ b->neg) & condition;
750 * Idea behind BN_FLG_STATIC_DATA is actually to
751 * indicate that data may not be written to.
752 * Intention is actually to treat it as it's
753 * read-only data, and some (if not most) of it does
754 * reside in read-only segment. In other words
755 * observation of BN_FLG_STATIC_DATA in
756 * BN_consttime_swap should be treated as fatal
757 * condition. It would either cause SEGV or
758 * effectively cause data corruption.
759 * BN_FLG_MALLOCED refers to BN structure itself,
760 * and hence must be preserved. Remaining flags are
761 * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be
762 * preserved, because it determines how x->d was
763 * allocated and hence how to free it. This leaves
764 * BN_FLG_CONSTTIME that one can do something about.
765 * To summarize it's sufficient to mask and swap
766 * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should
767 * be treated as fatal.
769 t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition;
773 #define BN_CONSTTIME_SWAP(ind) \
775 t = (a->d[ind] ^ b->d[ind]) & condition; \
782 for (i = 10; i < nwords; i++)
783 BN_CONSTTIME_SWAP(i);
786 BN_CONSTTIME_SWAP(9); /* Fallthrough */
788 BN_CONSTTIME_SWAP(8); /* Fallthrough */
790 BN_CONSTTIME_SWAP(7); /* Fallthrough */
792 BN_CONSTTIME_SWAP(6); /* Fallthrough */
794 BN_CONSTTIME_SWAP(5); /* Fallthrough */
796 BN_CONSTTIME_SWAP(4); /* Fallthrough */
798 BN_CONSTTIME_SWAP(3); /* Fallthrough */
800 BN_CONSTTIME_SWAP(2); /* Fallthrough */
802 BN_CONSTTIME_SWAP(1); /* Fallthrough */
804 BN_CONSTTIME_SWAP(0);
806 #undef BN_CONSTTIME_SWAP
809 /* Bits of security, see SP800-57 */
811 int BN_security_bits(int L, int N)
831 return bits >= secbits ? secbits : bits;
834 void BN_zero_ex(BIGNUM *a)
838 a->flags &= ~BN_FLG_FIXED_TOP;
841 int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
843 return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
846 int BN_is_zero(const BIGNUM *a)
851 int BN_is_one(const BIGNUM *a)
853 return BN_abs_is_word(a, 1) && !a->neg;
856 int BN_is_word(const BIGNUM *a, const BN_ULONG w)
858 return BN_abs_is_word(a, w) && (!w || !a->neg);
861 int BN_is_odd(const BIGNUM *a)
863 return (a->top > 0) && (a->d[0] & 1);
866 int BN_is_negative(const BIGNUM *a)
868 return (a->neg != 0);
871 int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
874 return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx);
877 void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags)
881 dest->dmax = b->dmax;
883 dest->flags = ((dest->flags & BN_FLG_MALLOCED)
884 | (b->flags & ~BN_FLG_MALLOCED)
885 | BN_FLG_STATIC_DATA | flags);
888 BN_GENCB *BN_GENCB_new(void)
892 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
893 BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE);
900 void BN_GENCB_free(BN_GENCB *cb)
907 void BN_set_flags(BIGNUM *b, int n)
912 int BN_get_flags(const BIGNUM *b, int n)
917 /* Populate a BN_GENCB structure with an "old"-style callback */
918 void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback) (int, int, void *),
921 BN_GENCB *tmp_gencb = gencb;
923 tmp_gencb->arg = cb_arg;
924 tmp_gencb->cb.cb_1 = callback;
927 /* Populate a BN_GENCB structure with a "new"-style callback */
928 void BN_GENCB_set(BN_GENCB *gencb, int (*callback) (int, int, BN_GENCB *),
931 BN_GENCB *tmp_gencb = gencb;
933 tmp_gencb->arg = cb_arg;
934 tmp_gencb->cb.cb_2 = callback;
937 void *BN_GENCB_get_arg(BN_GENCB *cb)
942 BIGNUM *bn_wexpand(BIGNUM *a, int words)
944 return (words <= a->dmax) ? a : bn_expand2(a, words);
947 void bn_correct_top(BIGNUM *a)
950 int tmp_top = a->top;
953 for (ftl = &(a->d[tmp_top]); tmp_top > 0; tmp_top--) {
962 a->flags &= ~BN_FLG_FIXED_TOP;