2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include "internal/cryptlib.h"
14 #include <openssl/opensslconf.h>
16 /* This stuff appears to be completely unused, so is deprecated */
17 #if OPENSSL_API_COMPAT < 0x00908000L
19 * For a 32 bit machine
28 static int bn_limit_bits = 0;
29 static int bn_limit_num = 8; /* (1<<bn_limit_bits) */
30 static int bn_limit_bits_low = 0;
31 static int bn_limit_num_low = 8; /* (1<<bn_limit_bits_low) */
32 static int bn_limit_bits_high = 0;
33 static int bn_limit_num_high = 8; /* (1<<bn_limit_bits_high) */
34 static int bn_limit_bits_mont = 0;
35 static int bn_limit_num_mont = 8; /* (1<<bn_limit_bits_mont) */
37 void BN_set_params(int mult, int high, int low, int mont)
40 if (mult > (int)(sizeof(int) * 8) - 1)
41 mult = sizeof(int) * 8 - 1;
43 bn_limit_num = 1 << mult;
46 if (high > (int)(sizeof(int) * 8) - 1)
47 high = sizeof(int) * 8 - 1;
48 bn_limit_bits_high = high;
49 bn_limit_num_high = 1 << high;
52 if (low > (int)(sizeof(int) * 8) - 1)
53 low = sizeof(int) * 8 - 1;
54 bn_limit_bits_low = low;
55 bn_limit_num_low = 1 << low;
58 if (mont > (int)(sizeof(int) * 8) - 1)
59 mont = sizeof(int) * 8 - 1;
60 bn_limit_bits_mont = mont;
61 bn_limit_num_mont = 1 << mont;
65 int BN_get_params(int which)
68 return (bn_limit_bits);
70 return (bn_limit_bits_high);
72 return (bn_limit_bits_low);
74 return (bn_limit_bits_mont);
80 const BIGNUM *BN_value_one(void)
82 static const BN_ULONG data_one = 1L;
83 static const BIGNUM const_one =
84 { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
89 int BN_num_bits_word(BN_ULONG l)
96 mask = (0 - x) & BN_MASK2;
97 mask = (0 - (mask >> (BN_BITS2 - 1)));
103 mask = (0 - x) & BN_MASK2;
104 mask = (0 - (mask >> (BN_BITS2 - 1)));
109 mask = (0 - x) & BN_MASK2;
110 mask = (0 - (mask >> (BN_BITS2 - 1)));
115 mask = (0 - x) & BN_MASK2;
116 mask = (0 - (mask >> (BN_BITS2 - 1)));
121 mask = (0 - x) & BN_MASK2;
122 mask = (0 - (mask >> (BN_BITS2 - 1)));
127 mask = (0 - x) & BN_MASK2;
128 mask = (0 - (mask >> (BN_BITS2 - 1)));
134 int BN_num_bits(const BIGNUM *a)
141 return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
144 static void bn_free_d(BIGNUM *a)
146 if (BN_get_flags(a, BN_FLG_SECURE))
147 OPENSSL_secure_free(a->d);
153 void BN_clear_free(BIGNUM *a)
161 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
162 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
165 i = BN_get_flags(a, BN_FLG_MALLOCED);
166 OPENSSL_cleanse(a, sizeof(*a));
171 void BN_free(BIGNUM *a)
176 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
178 if (a->flags & BN_FLG_MALLOCED)
181 #if OPENSSL_API_COMPAT < 0x00908000L
182 a->flags |= BN_FLG_FREE;
188 void bn_init(BIGNUM *a)
200 if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
201 BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
204 ret->flags = BN_FLG_MALLOCED;
209 BIGNUM *BN_secure_new(void)
211 BIGNUM *ret = BN_new();
213 ret->flags |= BN_FLG_SECURE;
217 /* This is used by bn_expand2() */
218 /* The caller MUST check that words > b->dmax before calling this */
219 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
221 BN_ULONG *A, *a = NULL;
227 if (words > (INT_MAX / (4 * BN_BITS2))) {
228 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
231 if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
232 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
235 if (BN_get_flags(b, BN_FLG_SECURE))
236 a = A = OPENSSL_secure_zalloc(words * sizeof(*a));
238 a = A = OPENSSL_zalloc(words * sizeof(*a));
240 BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
246 /* Check if the previous number needs to be copied */
248 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
250 * The fact that the loop is unrolled
251 * 4-wise is a tribute to Intel. It's
252 * the one that doesn't have enough
253 * registers to accommodate more data.
254 * I'd unroll it 8-wise otherwise:-)
256 * <appro@fy.chalmers.se>
258 BN_ULONG a0, a1, a2, a3;
268 switch (b->top & 3) {
279 /* Without the "case 0" some old optimizers got this wrong. */
284 memset(A, 0, sizeof(*A) * words);
285 memcpy(A, b->d, sizeof(b->d[0]) * b->top);
292 * This is an internal function that should not be used in applications. It
293 * ensures that 'b' has enough room for a 'words' word number and initialises
294 * any unused part of b->d with leading zeros. It is mostly used by the
295 * various BIGNUM routines. If there is an error, NULL is returned. If not,
299 BIGNUM *bn_expand2(BIGNUM *b, int words)
303 if (words > b->dmax) {
304 BN_ULONG *a = bn_expand_internal(b, words);
308 OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
319 BIGNUM *BN_dup(const BIGNUM *a)
327 t = BN_get_flags(a, BN_FLG_SECURE) ? BN_secure_new() : BN_new();
330 if (!BN_copy(t, a)) {
338 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
348 if (bn_wexpand(a, b->top) == NULL)
354 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
355 BN_ULONG a0, a1, a2, a3;
365 /* ultrix cc workaround, see comments in bn_expand_internal */
366 switch (b->top & 3) {
379 memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
388 #define FLAGS_DATA(flags) ((flags) & (BN_FLG_STATIC_DATA \
391 #define FLAGS_STRUCT(flags) ((flags) & (BN_FLG_MALLOCED))
393 void BN_swap(BIGNUM *a, BIGNUM *b)
395 int flags_old_a, flags_old_b;
397 int tmp_top, tmp_dmax, tmp_neg;
402 flags_old_a = a->flags;
403 flags_old_b = b->flags;
420 a->flags = FLAGS_STRUCT(flags_old_a) | FLAGS_DATA(flags_old_b);
421 b->flags = FLAGS_STRUCT(flags_old_b) | FLAGS_DATA(flags_old_a);
426 void BN_clear(BIGNUM *a)
430 OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax);
435 BN_ULONG BN_get_word(const BIGNUM *a)
439 else if (a->top == 1)
445 int BN_set_word(BIGNUM *a, BN_ULONG w)
448 if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL)
452 a->top = (w ? 1 : 0);
457 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
469 /* Skip leading zero's. */
470 for ( ; len > 0 && *s == 0; s++, len--)
477 i = ((n - 1) / BN_BYTES) + 1;
478 m = ((n - 1) % (BN_BYTES));
479 if (bn_wexpand(ret, (int)i) == NULL) {
487 l = (l << 8L) | *(s++);
495 * need to call this due to clear byte at top if avoiding having the top
496 * bit set (-ve number)
502 /* ignore negative */
503 static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
514 /* Add leading zeroes if necessary */
516 memset(to, 0, tolen - i);
520 l = a->d[i / BN_BYTES];
521 *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
526 int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
530 return bn2binpad(a, to, tolen);
533 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
535 return bn2binpad(a, to, -1);
538 BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
551 /* Skip trailing zeroes. */
552 for ( ; len > 0 && s[-1] == 0; s--, len--)
559 i = ((n - 1) / BN_BYTES) + 1;
560 m = ((n - 1) % (BN_BYTES));
561 if (bn_wexpand(ret, (int)i) == NULL) {
578 * need to call this due to clear byte at top if avoiding having the top
579 * bit set (-ve number)
585 int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
593 /* Add trailing zeroes if necessary */
595 memset(to + i, 0, tolen - i);
598 l = a->d[i / BN_BYTES];
600 *to = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
605 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
608 BN_ULONG t1, t2, *ap, *bp;
618 for (i = a->top - 1; i >= 0; i--) {
622 return ((t1 > t2) ? 1 : -1);
627 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
633 if ((a == NULL) || (b == NULL)) {
645 if (a->neg != b->neg) {
663 for (i = a->top - 1; i >= 0; i--) {
674 int BN_set_bit(BIGNUM *a, int n)
684 if (bn_wexpand(a, i + 1) == NULL)
686 for (k = a->top; k < i + 1; k++)
691 a->d[i] |= (((BN_ULONG)1) << j);
696 int BN_clear_bit(BIGNUM *a, int n)
709 a->d[i] &= (~(((BN_ULONG)1) << j));
714 int BN_is_bit_set(const BIGNUM *a, int n)
725 return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
728 int BN_mask_bits(BIGNUM *a, int n)
744 a->d[w] &= ~(BN_MASK2 << b);
750 void BN_set_negative(BIGNUM *a, int b)
752 if (b && !BN_is_zero(a))
758 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
766 return ((aa > bb) ? 1 : -1);
767 for (i = n - 2; i >= 0; i--) {
771 return ((aa > bb) ? 1 : -1);
777 * Here follows a specialised variants of bn_cmp_words(). It has the
778 * capability of performing the operation on arrays of different sizes. The
779 * sizes of those arrays is expressed through cl, which is the common length
780 * ( basically, min(len(a),len(b)) ), and dl, which is the delta between the
781 * two lengths, calculated as len(a)-len(b). All lengths are the number of
785 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
791 for (i = dl; i < 0; i++) {
793 return -1; /* a < b */
797 for (i = dl; i > 0; i--) {
799 return 1; /* a > b */
802 return bn_cmp_words(a, b, cl);
806 * Constant-time conditional swap of a and b.
807 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
808 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
809 * and that no more than nwords are used by either a or b.
810 * a and b cannot be the same number
812 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
817 bn_wcheck_size(a, nwords);
818 bn_wcheck_size(b, nwords);
821 assert((condition & (condition - 1)) == 0);
822 assert(sizeof(BN_ULONG) >= sizeof(int));
824 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
826 t = (a->top ^ b->top) & condition;
830 t = (a->neg ^ b->neg) & condition;
835 * Idea behind BN_FLG_STATIC_DATA is actually to
836 * indicate that data may not be written to.
837 * Intention is actually to treat it as it's
838 * read-only data, and some (if not most) of it does
839 * reside in read-only segment. In other words
840 * observation of BN_FLG_STATIC_DATA in
841 * BN_consttime_swap should be treated as fatal
842 * condition. It would either cause SEGV or
843 * effectively cause data corruption.
844 * BN_FLG_MALLOCED refers to BN structure itself,
845 * and hence must be preserved. Remaining flags are
846 * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be
847 * preserved, because it determines how x->d was
848 * allocated and hence how to free it. This leaves
849 * BN_FLG_CONSTTIME that one can do something about.
850 * To summarize it's sufficient to mask and swap
851 * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should
852 * be treated as fatal.
854 t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition;
858 #define BN_CONSTTIME_SWAP(ind) \
860 t = (a->d[ind] ^ b->d[ind]) & condition; \
867 for (i = 10; i < nwords; i++)
868 BN_CONSTTIME_SWAP(i);
871 BN_CONSTTIME_SWAP(9); /* Fallthrough */
873 BN_CONSTTIME_SWAP(8); /* Fallthrough */
875 BN_CONSTTIME_SWAP(7); /* Fallthrough */
877 BN_CONSTTIME_SWAP(6); /* Fallthrough */
879 BN_CONSTTIME_SWAP(5); /* Fallthrough */
881 BN_CONSTTIME_SWAP(4); /* Fallthrough */
883 BN_CONSTTIME_SWAP(3); /* Fallthrough */
885 BN_CONSTTIME_SWAP(2); /* Fallthrough */
887 BN_CONSTTIME_SWAP(1); /* Fallthrough */
889 BN_CONSTTIME_SWAP(0);
891 #undef BN_CONSTTIME_SWAP
894 /* Bits of security, see SP800-57 */
896 int BN_security_bits(int L, int N)
916 return bits >= secbits ? secbits : bits;
919 void BN_zero_ex(BIGNUM *a)
925 int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
927 return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
930 int BN_is_zero(const BIGNUM *a)
935 int BN_is_one(const BIGNUM *a)
937 return BN_abs_is_word(a, 1) && !a->neg;
940 int BN_is_word(const BIGNUM *a, const BN_ULONG w)
942 return BN_abs_is_word(a, w) && (!w || !a->neg);
945 int BN_is_odd(const BIGNUM *a)
947 return (a->top > 0) && (a->d[0] & 1);
950 int BN_is_negative(const BIGNUM *a)
952 return (a->neg != 0);
955 int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
958 return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx);
961 void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags)
965 dest->dmax = b->dmax;
967 dest->flags = ((dest->flags & BN_FLG_MALLOCED)
968 | (b->flags & ~BN_FLG_MALLOCED)
969 | BN_FLG_STATIC_DATA | flags);
972 BN_GENCB *BN_GENCB_new(void)
976 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
977 BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE);
984 void BN_GENCB_free(BN_GENCB *cb)
991 void BN_set_flags(BIGNUM *b, int n)
996 int BN_get_flags(const BIGNUM *b, int n)
1001 /* Populate a BN_GENCB structure with an "old"-style callback */
1002 void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback) (int, int, void *),
1005 BN_GENCB *tmp_gencb = gencb;
1007 tmp_gencb->arg = cb_arg;
1008 tmp_gencb->cb.cb_1 = callback;
1011 /* Populate a BN_GENCB structure with a "new"-style callback */
1012 void BN_GENCB_set(BN_GENCB *gencb, int (*callback) (int, int, BN_GENCB *),
1015 BN_GENCB *tmp_gencb = gencb;
1017 tmp_gencb->arg = cb_arg;
1018 tmp_gencb->cb.cb_2 = callback;
1021 void *BN_GENCB_get_arg(BN_GENCB *cb)
1026 BIGNUM *bn_wexpand(BIGNUM *a, int words)
1028 return (words <= a->dmax) ? a : bn_expand2(a, words);
1031 void bn_correct_top(BIGNUM *a)
1034 int tmp_top = a->top;
1037 for (ftl = &(a->d[tmp_top]); tmp_top > 0; tmp_top--) {