/src/openssl35/include/internal/safe_math.h

Source
/*
 * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#ifndef OSSL_INTERNAL_SAFE_MATH_H
#define OSSL_INTERNAL_SAFE_MATH_H
#pragma once

#include <openssl/e_os2.h> /* For 'ossl_inline' */

#ifndef OPENSSL_NO_BUILTIN_OVERFLOW_CHECKING
#ifdef __has_builtin
#define has(func) __has_builtin(func)
#elif defined(__GNUC__)
#if __GNUC__ > 5
#define has(func) 1
#endif
#endif
#endif /* OPENSSL_NO_BUILTIN_OVERFLOW_CHECKING */

#ifndef has
#define has(func) 0
#endif

/*
 * Safe addition helpers
 */
#if has(__builtin_add_overflow)
#define OSSL_SAFE_MATH_ADDS(type_name, type, min, max)               \
    static ossl_inline ossl_unused type safe_add_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        type r;                                                      \
                                                                     \
        if (!__builtin_add_overflow(a, b, &r))                       \
            return r;                                                \
        *err |= 1;                                                   \
        return a < 0 ? min : max;                                    \
    }

#define OSSL_SAFE_MATH_ADDU(type_name, type, max)                    \
    static ossl_inline ossl_unused type safe_add_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        type r;                                                      \
                                                                     \
        if (!__builtin_add_overflow(a, b, &r))                       \
            return r;                                                \
        *err |= 1;                                                   \
        return a + b;                                                \
    }

#else /* has(__builtin_add_overflow) */
#define OSSL_SAFE_MATH_ADDS(type_name, type, min, max)               \
    static ossl_inline ossl_unused type safe_add_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        if ((a < 0) ^ (b < 0)                                        \
            || (a > 0 && b <= max - a)                               \
            || (a < 0 && b >= min - a)                               \
            || a == 0)                                               \
            return a + b;                                            \
        *err |= 1;                                                   \
        return a < 0 ? min : max;                                    \
    }

#define OSSL_SAFE_MATH_ADDU(type_name, type, max)                    \
    static ossl_inline ossl_unused type safe_add_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        if (b > max - a)                                             \
            *err |= 1;                                               \
        return a + b;                                                \
    }
#endif /* has(__builtin_add_overflow) */

/*
 * Safe subtraction helpers
 */
#if has(__builtin_sub_overflow)
#define OSSL_SAFE_MATH_SUBS(type_name, type, min, max)               \
    static ossl_inline ossl_unused type safe_sub_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        type r;                                                      \
                                                                     \
        if (!__builtin_sub_overflow(a, b, &r))                       \
            return r;                                                \
        *err |= 1;                                                   \
        return a < 0 ? min : max;                                    \
    }

#else /* has(__builtin_sub_overflow) */
#define OSSL_SAFE_MATH_SUBS(type_name, type, min, max)               \
    static ossl_inline ossl_unused type safe_sub_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        if (!((a < 0) ^ (b < 0))                                     \
            || (b > 0 && a >= min + b)                               \
            || (b < 0 && a <= max + b)                               \
            || b == 0)                                               \
            return a - b;                                            \
        *err |= 1;                                                   \
        return a < 0 ? min : max;                                    \
    }

#endif /* has(__builtin_sub_overflow) */

#define OSSL_SAFE_MATH_SUBU(type_name, type)                         \
    static ossl_inline ossl_unused type safe_sub_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        if (b > a)                                                   \
            *err |= 1;                                               \
        return a - b;                                                \
    }

/*
 * Safe multiplication helpers
 */
#if has(__builtin_mul_overflow)
#define OSSL_SAFE_MATH_MULS(type_name, type, min, max)               \
    static ossl_inline ossl_unused type safe_mul_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        type r;                                                      \
                                                                     \
        if (!__builtin_mul_overflow(a, b, &r))                       \
            return r;                                                \
        *err |= 1;                                                   \
        return (a < 0) ^ (b < 0) ? min : max;                        \
    }

#define OSSL_SAFE_MATH_MULU(type_name, type, max)                    \
    static ossl_inline ossl_unused type safe_mul_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        type r;                                                      \
                                                                     \
        if (!__builtin_mul_overflow(a, b, &r))                       \
            return r;                                                \
        *err |= 1;                                                   \
        return a * b;                                                \
    }

#else /* has(__builtin_mul_overflow) */
#define OSSL_SAFE_MATH_MULS(type_name, type, min, max)               \
    static ossl_inline ossl_unused type safe_mul_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        if (a == 0 || b == 0)                                        \
            return 0;                                                \
        if (a == 1)                                                  \
            return b;                                                \
        if (b == 1)                                                  \
            return a;                                                \
        if (a != min && b != min) {                                  \
            const type x = a < 0 ? -a : a;                           \
            const type y = b < 0 ? -b : b;                           \
                                                                     \
            if (x <= max / y)                                        \
                return a * b;                                        \
        }                                                            \
        *err |= 1;                                                   \
        return (a < 0) ^ (b < 0) ? min : max;                        \
    }

#define OSSL_SAFE_MATH_MULU(type_name, type, max)                    \
    static ossl_inline ossl_unused type safe_mul_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        if (b != 0 && a > max / b)                                   \
            *err |= 1;                                               \
        return a * b;                                                \
    }
#endif /* has(__builtin_mul_overflow) */

/*
 * Safe division helpers
 */
#define OSSL_SAFE_MATH_DIVS(type_name, type, min, max)               \
    static ossl_inline ossl_unused type safe_div_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        if (b == 0) {                                                \
            *err |= 1;                                               \
            return a < 0 ? min : max;                                \
        }                                                            \
        if (b == -1 && a == min) {                                   \
            *err |= 1;                                               \
            return max;                                              \
        }                                                            \
        return a / b;                                                \
    }

#define OSSL_SAFE_MATH_DIVU(type_name, type, max)                    \
    static ossl_inline ossl_unused type safe_div_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        if (b != 0)                                                  \
            return a / b;                                            \
        *err |= 1;                                                   \
        return max;                                                  \
    }

/*
 * Safe modulus helpers
 */
#define OSSL_SAFE_MATH_MODS(type_name, type, min, max)               \
    static ossl_inline ossl_unused type safe_mod_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        if (b == 0) {                                                \
            *err |= 1;                                               \
            return 0;                                                \
        }                                                            \
        if (b == -1 && a == min) {                                   \
            *err |= 1;                                               \
            return max;                                              \
        }                                                            \
        return a % b;                                                \
    }

#define OSSL_SAFE_MATH_MODU(type_name, type)                         \
    static ossl_inline ossl_unused type safe_mod_##type_name(type a, \
        type b,                                                      \
        int *err)                                                    \
    {                                                                \
        if (b != 0)                                                  \
            return a % b;                                            \
        *err |= 1;                                                   \
        return 0;                                                    \
    }

/*
 * Safe negation helpers
 */
#define OSSL_SAFE_MATH_NEGS(type_name, type, min)                    \
    static ossl_inline ossl_unused type safe_neg_##type_name(type a, \
        int *err)                                                    \
    {                                                                \
        if (a != min)                                                \
            return -a;                                               \
        *err |= 1;                                                   \
        return min;                                                  \
    }

#define OSSL_SAFE_MATH_NEGU(type_name, type)                         \
    static ossl_inline ossl_unused type safe_neg_##type_name(type a, \
        int *err)                                                    \
    {                                                                \
        if (a == 0)                                                  \
            return a;                                                \
        *err |= 1;                                                   \
        return 1 + ~a;                                               \
    }

/*
 * Safe absolute value helpers
 */
#define OSSL_SAFE_MATH_ABSS(type_name, type, min)                    \
    static ossl_inline ossl_unused type safe_abs_##type_name(type a, \
        int *err)                                                    \
    {                                                                \
        if (a != min)                                                \
            return a < 0 ? -a : a;                                   \
        *err |= 1;                                                   \
        return min;                                                  \
    }

#define OSSL_SAFE_MATH_ABSU(type_name, type)                         \
    static ossl_inline ossl_unused type safe_abs_##type_name(type a, \
        int *err)                                                    \
    {                                                                \
        return a;                                                    \
    }

/*
 * Safe fused multiply divide helpers
 *
 * These are a bit obscure:
 *    . They begin by checking the denominator for zero and getting rid of this
 *      corner case.
 *
 *    . Second is an attempt to do the multiplication directly, if it doesn't
 *      overflow, the quotient is returned (for signed values there is a
 *      potential problem here which isn't present for unsigned).
 *
 *    . Finally, the multiplication/division is transformed so that the larger
 *      of the numerators is divided first.  This requires a remainder
 *      correction:
 *
 *          a b / c = (a / c) b + (a mod c) b / c, where a > b
 *
 *      The individual operations need to be overflow checked (again signed
 *      being more problematic).
 *
 * The algorithm used is not perfect but it should be "good enough".
 */
#define OSSL_SAFE_MATH_MULDIVS(type_name, type, max)                    \
    static ossl_inline ossl_unused type safe_muldiv_##type_name(type a, \
        type b,                                                         \
        type c,                                                         \
        int *err)                                                       \
    {                                                                   \
        int e2 = 0;                                                     \
        type q, r, x, y;                                                \
                                                                        \
        if (c == 0) {                                                   \
            *err |= 1;                                                  \
            return a == 0 || b == 0 ? 0 : max;                          \
        }                                                               \
        x = safe_mul_##type_name(a, b, &e2);                            \
        if (!e2)                                                        \
            return safe_div_##type_name(x, c, err);                     \
        if (b > a) {                                                    \
            x = b;                                                      \
            b = a;                                                      \
            a = x;                                                      \
        }                                                               \
        q = safe_div_##type_name(a, c, err);                            \
        r = safe_mod_##type_name(a, c, err);                            \
        x = safe_mul_##type_name(r, b, err);                            \
        y = safe_mul_##type_name(q, b, err);                            \
        q = safe_div_##type_name(x, c, err);                            \
        return safe_add_##type_name(y, q, err);                         \
    }

#define OSSL_SAFE_MATH_MULDIVU(type_name, type, max)                    \
    static ossl_inline ossl_unused type safe_muldiv_##type_name(type a, \
        type b,                                                         \
        type c,                                                         \
        int *err)                                                       \
    {                                                                   \
        int e2 = 0;                                                     \
        type x, y;                                                      \
                                                                        \
        if (c == 0) {                                                   \
            *err |= 1;                                                  \
            return a == 0 || b == 0 ? 0 : max;                          \
        }                                                               \
        x = safe_mul_##type_name(a, b, &e2);                            \
        if (!e2)                                                        \
            return x / c;                                               \
        if (b > a) {                                                    \
            x = b;                                                      \
            b = a;                                                      \
            a = x;                                                      \
        }                                                               \
        x = safe_mul_##type_name(a % c, b, err);                        \
        y = safe_mul_##type_name(a / c, b, err);                        \
        return safe_add_##type_name(y, x / c, err);                     \
    }

/*
 * Calculate a / b rounding up:
 *     i.e. a / b + (a % b != 0)
 * Which is usually (less safely) converted to (a + b - 1) / b
 * If you *know* that b != 0, then it's safe to ignore err.
 */
#define OSSL_SAFE_MATH_DIV_ROUND_UP(type_name, type, max)                                        \
    static ossl_inline ossl_unused type safe_div_round_up_##type_name(type a, type b, int *errp) \
    {                                                                                            \
        type x;                                                                                  \
        int *err, err_local = 0;                                                                 \
                                                                                                 \
        /* Allow errors to be ignored by callers */                                              \
        err = errp != NULL ? errp : &err_local;                                                  \
        /* Fast path, both positive */                                                           \
        if (b > 0 && a > 0) {                                                                    \
            /* Faster path: no overflow concerns */                                              \
            if (a < max - b)                                                                     \
                return (a + b - 1) / b;                                                          \
            return a / b + (a % b != 0);                                                         \
        }                                                                                        \
        if (b == 0) {                                                                            \
            *err |= 1;                                                                           \
            return a == 0 ? 0 : max;                                                             \
        }                                                                                        \
        if (a == 0)                                                                              \
            return 0;                                                                            \
        /* Rather slow path because there are negatives involved */                              \
        x = safe_mod_##type_name(a, b, err);                                                     \
        return safe_add_##type_name(safe_div_##type_name(a, b, err),                             \
            x != 0, err);                                                                        \
    }

/* Calculate ranges of types */
#define OSSL_SAFE_MATH_MINS(type) ((type)1 << (sizeof(type) * 8 - 1))
#define OSSL_SAFE_MATH_MAXS(type) (~OSSL_SAFE_MATH_MINS(type))
#define OSSL_SAFE_MATH_MAXU(type) (~(type)0)

/*
 * Wrapper macros to create all the functions of a given type
 */
#define OSSL_SAFE_MATH_SIGNED(type_name, type)                         \
    OSSL_SAFE_MATH_ADDS(type_name, type, OSSL_SAFE_MATH_MINS(type),    \
        OSSL_SAFE_MATH_MAXS(type))                                     \
    OSSL_SAFE_MATH_SUBS(type_name, type, OSSL_SAFE_MATH_MINS(type),    \
        OSSL_SAFE_MATH_MAXS(type))                                     \
    OSSL_SAFE_MATH_MULS(type_name, type, OSSL_SAFE_MATH_MINS(type),    \
        OSSL_SAFE_MATH_MAXS(type))                                     \
    OSSL_SAFE_MATH_DIVS(type_name, type, OSSL_SAFE_MATH_MINS(type),    \
        OSSL_SAFE_MATH_MAXS(type))                                     \
    OSSL_SAFE_MATH_MODS(type_name, type, OSSL_SAFE_MATH_MINS(type),    \
        OSSL_SAFE_MATH_MAXS(type))                                     \
    OSSL_SAFE_MATH_DIV_ROUND_UP(type_name, type,                       \
        OSSL_SAFE_MATH_MAXS(type))                                     \
    OSSL_SAFE_MATH_MULDIVS(type_name, type, OSSL_SAFE_MATH_MAXS(type)) \
    OSSL_SAFE_MATH_NEGS(type_name, type, OSSL_SAFE_MATH_MINS(type))    \
    OSSL_SAFE_MATH_ABSS(type_name, type, OSSL_SAFE_MATH_MINS(type))

#define OSSL_SAFE_MATH_UNSIGNED(type_name, type)                       \
    OSSL_SAFE_MATH_ADDU(type_name, type, OSSL_SAFE_MATH_MAXU(type))    \
    OSSL_SAFE_MATH_SUBU(type_name, type)                               \
    OSSL_SAFE_MATH_MULU(type_name, type, OSSL_SAFE_MATH_MAXU(type))    \
    OSSL_SAFE_MATH_DIVU(type_name, type, OSSL_SAFE_MATH_MAXU(type))    \
    OSSL_SAFE_MATH_MODU(type_name, type)                               \
    OSSL_SAFE_MATH_DIV_ROUND_UP(type_name, type,                       \
        OSSL_SAFE_MATH_MAXU(type))                                     \
    OSSL_SAFE_MATH_MULDIVU(type_name, type, OSSL_SAFE_MATH_MAXU(type)) \
    OSSL_SAFE_MATH_NEGU(type_name, type)                               \
    OSSL_SAFE_MATH_ABSU(type_name, type)

#endif /* OSSL_INTERNAL_SAFE_MATH_H */

Coverage Report

Created: 2026-02-14 07:20