/src/openssl/crypto/bn/bn_lib.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <assert.h> |
11 | | #include <limits.h> |
12 | | #include "internal/cryptlib.h" |
13 | | #include "bn_lcl.h" |
14 | | #include <openssl/opensslconf.h> |
15 | | #include "internal/constant_time_locl.h" |
16 | | |
17 | | /* This stuff appears to be completely unused, so is deprecated */ |
18 | | #if OPENSSL_API_COMPAT < 0x00908000L |
19 | | /*- |
20 | | * For a 32 bit machine |
21 | | * 2 - 4 == 128 |
22 | | * 3 - 8 == 256 |
23 | | * 4 - 16 == 512 |
24 | | * 5 - 32 == 1024 |
25 | | * 6 - 64 == 2048 |
26 | | * 7 - 128 == 4096 |
27 | | * 8 - 256 == 8192 |
28 | | */ |
29 | | static int bn_limit_bits = 0; |
30 | | static int bn_limit_num = 8; /* (1<<bn_limit_bits) */ |
31 | | static int bn_limit_bits_low = 0; |
32 | | static int bn_limit_num_low = 8; /* (1<<bn_limit_bits_low) */ |
33 | | static int bn_limit_bits_high = 0; |
34 | | static int bn_limit_num_high = 8; /* (1<<bn_limit_bits_high) */ |
35 | | static int bn_limit_bits_mont = 0; |
36 | | static int bn_limit_num_mont = 8; /* (1<<bn_limit_bits_mont) */ |
37 | | |
38 | | void BN_set_params(int mult, int high, int low, int mont) |
39 | 0 | { |
40 | 0 | if (mult >= 0) { |
41 | 0 | if (mult > (int)(sizeof(int) * 8) - 1) |
42 | 0 | mult = sizeof(int) * 8 - 1; |
43 | 0 | bn_limit_bits = mult; |
44 | 0 | bn_limit_num = 1 << mult; |
45 | 0 | } |
46 | 0 | if (high >= 0) { |
47 | 0 | if (high > (int)(sizeof(int) * 8) - 1) |
48 | 0 | high = sizeof(int) * 8 - 1; |
49 | 0 | bn_limit_bits_high = high; |
50 | 0 | bn_limit_num_high = 1 << high; |
51 | 0 | } |
52 | 0 | if (low >= 0) { |
53 | 0 | if (low > (int)(sizeof(int) * 8) - 1) |
54 | 0 | low = sizeof(int) * 8 - 1; |
55 | 0 | bn_limit_bits_low = low; |
56 | 0 | bn_limit_num_low = 1 << low; |
57 | 0 | } |
58 | 0 | if (mont >= 0) { |
59 | 0 | if (mont > (int)(sizeof(int) * 8) - 1) |
60 | 0 | mont = sizeof(int) * 8 - 1; |
61 | 0 | bn_limit_bits_mont = mont; |
62 | 0 | bn_limit_num_mont = 1 << mont; |
63 | 0 | } |
64 | 0 | } |
65 | | |
66 | | int BN_get_params(int which) |
67 | 0 | { |
68 | 0 | if (which == 0) |
69 | 0 | return bn_limit_bits; |
70 | 0 | else if (which == 1) |
71 | 0 | return bn_limit_bits_high; |
72 | 0 | else if (which == 2) |
73 | 0 | return bn_limit_bits_low; |
74 | 0 | else if (which == 3) |
75 | 0 | return bn_limit_bits_mont; |
76 | 0 | else |
77 | 0 | return 0; |
78 | 0 | } |
79 | | #endif |
80 | | |
81 | | const BIGNUM *BN_value_one(void) |
82 | 0 | { |
83 | 0 | static const BN_ULONG data_one = 1L; |
84 | 0 | static const BIGNUM const_one = |
85 | 0 | { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA }; |
86 | 0 |
|
87 | 0 | return &const_one; |
88 | 0 | } |
89 | | |
90 | | int BN_num_bits_word(BN_ULONG l) |
91 | 376k | { |
92 | 376k | BN_ULONG x, mask; |
93 | 376k | int bits = (l != 0); |
94 | 376k | |
95 | 376k | #if BN_BITS2 > 32 |
96 | 376k | x = l >> 32; |
97 | 376k | mask = (0 - x) & BN_MASK2; |
98 | 376k | mask = (0 - (mask >> (BN_BITS2 - 1))); |
99 | 376k | bits += 32 & mask; |
100 | 376k | l ^= (x ^ l) & mask; |
101 | 376k | #endif |
102 | 376k | |
103 | 376k | x = l >> 16; |
104 | 376k | mask = (0 - x) & BN_MASK2; |
105 | 376k | mask = (0 - (mask >> (BN_BITS2 - 1))); |
106 | 376k | bits += 16 & mask; |
107 | 376k | l ^= (x ^ l) & mask; |
108 | 376k | |
109 | 376k | x = l >> 8; |
110 | 376k | mask = (0 - x) & BN_MASK2; |
111 | 376k | mask = (0 - (mask >> (BN_BITS2 - 1))); |
112 | 376k | bits += 8 & mask; |
113 | 376k | l ^= (x ^ l) & mask; |
114 | 376k | |
115 | 376k | x = l >> 4; |
116 | 376k | mask = (0 - x) & BN_MASK2; |
117 | 376k | mask = (0 - (mask >> (BN_BITS2 - 1))); |
118 | 376k | bits += 4 & mask; |
119 | 376k | l ^= (x ^ l) & mask; |
120 | 376k | |
121 | 376k | x = l >> 2; |
122 | 376k | mask = (0 - x) & BN_MASK2; |
123 | 376k | mask = (0 - (mask >> (BN_BITS2 - 1))); |
124 | 376k | bits += 2 & mask; |
125 | 376k | l ^= (x ^ l) & mask; |
126 | 376k | |
127 | 376k | x = l >> 1; |
128 | 376k | mask = (0 - x) & BN_MASK2; |
129 | 376k | mask = (0 - (mask >> (BN_BITS2 - 1))); |
130 | 376k | bits += 1 & mask; |
131 | 376k | |
132 | 376k | return bits; |
133 | 376k | } |
134 | | |
135 | | int BN_num_bits(const BIGNUM *a) |
136 | 151k | { |
137 | 151k | int i = a->top - 1; |
138 | 151k | bn_check_top(a); |
139 | 151k | |
140 | 151k | if (BN_is_zero(a)) |
141 | 1.73k | return 0; |
142 | 149k | return ((i * BN_BITS2) + BN_num_bits_word(a->d[i])); |
143 | 149k | } |
144 | | |
145 | | static void bn_free_d(BIGNUM *a) |
146 | 1.23M | { |
147 | 1.23M | if (BN_get_flags(a, BN_FLG_SECURE)) |
148 | 1.23M | OPENSSL_secure_free(a->d); |
149 | 1.23M | else |
150 | 1.23M | OPENSSL_free(a->d); |
151 | 1.23M | } |
152 | | |
153 | | |
154 | | void BN_clear_free(BIGNUM *a) |
155 | 4.96M | { |
156 | 4.96M | if (a == NULL) |
157 | 4.96M | return; |
158 | 1.79M | if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA)) { |
159 | 1.02M | OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0])); |
160 | 1.02M | bn_free_d(a); |
161 | 1.02M | } |
162 | 1.79M | if (BN_get_flags(a, BN_FLG_MALLOCED)) { |
163 | 1.73M | OPENSSL_cleanse(a, sizeof(*a)); |
164 | 1.73M | OPENSSL_free(a); |
165 | 1.73M | } |
166 | 1.79M | } |
167 | | |
168 | | void BN_free(BIGNUM *a) |
169 | 42.4k | { |
170 | 42.4k | if (a == NULL) |
171 | 42.4k | return; |
172 | 38.4k | if (!BN_get_flags(a, BN_FLG_STATIC_DATA)) |
173 | 38.4k | bn_free_d(a); |
174 | 38.4k | if (a->flags & BN_FLG_MALLOCED) |
175 | 38.4k | OPENSSL_free(a); |
176 | 38.4k | } |
177 | | |
178 | | void bn_init(BIGNUM *a) |
179 | 963k | { |
180 | 963k | static BIGNUM nilbn; |
181 | 963k | |
182 | 963k | *a = nilbn; |
183 | 963k | bn_check_top(a); |
184 | 963k | } |
185 | | |
186 | | BIGNUM *BN_new(void) |
187 | 1.77M | { |
188 | 1.77M | BIGNUM *ret; |
189 | 1.77M | |
190 | 1.77M | if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) { |
191 | 0 | BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE); |
192 | 0 | return NULL; |
193 | 0 | } |
194 | 1.77M | ret->flags = BN_FLG_MALLOCED; |
195 | 1.77M | bn_check_top(ret); |
196 | 1.77M | return ret; |
197 | 1.77M | } |
198 | | |
199 | | BIGNUM *BN_secure_new(void) |
200 | 1.34M | { |
201 | 1.34M | BIGNUM *ret = BN_new(); |
202 | 1.34M | if (ret != NULL) |
203 | 1.34M | ret->flags |= BN_FLG_SECURE; |
204 | 1.34M | return ret; |
205 | 1.34M | } |
206 | | |
207 | | /* This is used by bn_expand2() */ |
208 | | /* The caller MUST check that words > b->dmax before calling this */ |
209 | | static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) |
210 | 1.23M | { |
211 | 1.23M | BN_ULONG *a = NULL; |
212 | 1.23M | |
213 | 1.23M | if (words > (INT_MAX / (4 * BN_BITS2))) { |
214 | 0 | BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG); |
215 | 0 | return NULL; |
216 | 0 | } |
217 | 1.23M | if (BN_get_flags(b, BN_FLG_STATIC_DATA)) { |
218 | 0 | BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA); |
219 | 0 | return NULL; |
220 | 0 | } |
221 | 1.23M | if (BN_get_flags(b, BN_FLG_SECURE)) |
222 | 726k | a = OPENSSL_secure_zalloc(words * sizeof(*a)); |
223 | 1.23M | else |
224 | 1.23M | a = OPENSSL_zalloc(words * sizeof(*a)); |
225 | 1.23M | if (a == NULL) { |
226 | 0 | BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE); |
227 | 0 | return NULL; |
228 | 0 | } |
229 | 1.23M | |
230 | 1.23M | assert(b->top <= words); |
231 | 1.23M | if (b->top > 0) |
232 | 112k | memcpy(a, b->d, sizeof(*a) * b->top); |
233 | 1.23M | |
234 | 1.23M | return a; |
235 | 1.23M | } |
236 | | |
237 | | /* |
238 | | * This is an internal function that should not be used in applications. It |
239 | | * ensures that 'b' has enough room for a 'words' word number and initialises |
240 | | * any unused part of b->d with leading zeros. It is mostly used by the |
241 | | * various BIGNUM routines. If there is an error, NULL is returned. If not, |
242 | | * 'b' is returned. |
243 | | */ |
244 | | |
245 | | BIGNUM *bn_expand2(BIGNUM *b, int words) |
246 | 1.23M | { |
247 | 1.23M | if (words > b->dmax) { |
248 | 1.23M | BN_ULONG *a = bn_expand_internal(b, words); |
249 | 1.23M | if (!a) |
250 | 0 | return NULL; |
251 | 1.23M | if (b->d) { |
252 | 172k | OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0])); |
253 | 172k | bn_free_d(b); |
254 | 172k | } |
255 | 1.23M | b->d = a; |
256 | 1.23M | b->dmax = words; |
257 | 1.23M | } |
258 | 1.23M | |
259 | 1.23M | return b; |
260 | 1.23M | } |
261 | | |
262 | | BIGNUM *BN_dup(const BIGNUM *a) |
263 | 30.3k | { |
264 | 30.3k | BIGNUM *t; |
265 | 30.3k | |
266 | 30.3k | if (a == NULL) |
267 | 30.3k | return NULL; |
268 | 30.3k | bn_check_top(a); |
269 | 30.3k | |
270 | 30.3k | t = BN_get_flags(a, BN_FLG_SECURE) ? BN_secure_new() : BN_new(); |
271 | 30.3k | if (t == NULL) |
272 | 30.3k | return NULL; |
273 | 30.3k | if (!BN_copy(t, a)) { |
274 | 0 | BN_free(t); |
275 | 0 | return NULL; |
276 | 0 | } |
277 | 30.3k | bn_check_top(t); |
278 | 30.3k | return t; |
279 | 30.3k | } |
280 | | |
281 | | BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b) |
282 | 30.3k | { |
283 | 30.3k | bn_check_top(b); |
284 | 30.3k | |
285 | 30.3k | if (a == b) |
286 | 0 | return a; |
287 | 30.3k | if (bn_wexpand(a, b->top) == NULL) |
288 | 30.3k | return NULL; |
289 | 30.3k | |
290 | 30.3k | if (b->top > 0) |
291 | 30.3k | memcpy(a->d, b->d, sizeof(b->d[0]) * b->top); |
292 | 30.3k | |
293 | 30.3k | a->neg = b->neg; |
294 | 30.3k | a->top = b->top; |
295 | 30.3k | a->flags |= b->flags & BN_FLG_FIXED_TOP; |
296 | 30.3k | bn_check_top(a); |
297 | 30.3k | return a; |
298 | 30.3k | } |
299 | | |
300 | 0 | #define FLAGS_DATA(flags) ((flags) & (BN_FLG_STATIC_DATA \ |
301 | 0 | | BN_FLG_CONSTTIME \ |
302 | 0 | | BN_FLG_SECURE \ |
303 | 0 | | BN_FLG_FIXED_TOP)) |
304 | 0 | #define FLAGS_STRUCT(flags) ((flags) & (BN_FLG_MALLOCED)) |
305 | | |
306 | | void BN_swap(BIGNUM *a, BIGNUM *b) |
307 | 0 | { |
308 | 0 | int flags_old_a, flags_old_b; |
309 | 0 | BN_ULONG *tmp_d; |
310 | 0 | int tmp_top, tmp_dmax, tmp_neg; |
311 | 0 |
|
312 | 0 | bn_check_top(a); |
313 | 0 | bn_check_top(b); |
314 | 0 |
|
315 | 0 | flags_old_a = a->flags; |
316 | 0 | flags_old_b = b->flags; |
317 | 0 |
|
318 | 0 | tmp_d = a->d; |
319 | 0 | tmp_top = a->top; |
320 | 0 | tmp_dmax = a->dmax; |
321 | 0 | tmp_neg = a->neg; |
322 | 0 |
|
323 | 0 | a->d = b->d; |
324 | 0 | a->top = b->top; |
325 | 0 | a->dmax = b->dmax; |
326 | 0 | a->neg = b->neg; |
327 | 0 |
|
328 | 0 | b->d = tmp_d; |
329 | 0 | b->top = tmp_top; |
330 | 0 | b->dmax = tmp_dmax; |
331 | 0 | b->neg = tmp_neg; |
332 | 0 |
|
333 | 0 | a->flags = FLAGS_STRUCT(flags_old_a) | FLAGS_DATA(flags_old_b); |
334 | 0 | b->flags = FLAGS_STRUCT(flags_old_b) | FLAGS_DATA(flags_old_a); |
335 | 0 | bn_check_top(a); |
336 | 0 | bn_check_top(b); |
337 | 0 | } |
338 | | |
339 | | void BN_clear(BIGNUM *a) |
340 | 0 | { |
341 | 0 | bn_check_top(a); |
342 | 0 | if (a->d != NULL) |
343 | 0 | OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax); |
344 | 0 | a->neg = 0; |
345 | 0 | a->top = 0; |
346 | 0 | a->flags &= ~BN_FLG_FIXED_TOP; |
347 | 0 | } |
348 | | |
349 | | BN_ULONG BN_get_word(const BIGNUM *a) |
350 | 0 | { |
351 | 0 | if (a->top > 1) |
352 | 0 | return BN_MASK2; |
353 | 0 | else if (a->top == 1) |
354 | 0 | return a->d[0]; |
355 | 0 | /* a->top == 0 */ |
356 | 0 | return 0; |
357 | 0 | } |
358 | | |
359 | | int BN_set_word(BIGNUM *a, BN_ULONG w) |
360 | 103k | { |
361 | 103k | bn_check_top(a); |
362 | 103k | if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL) |
363 | 103k | return 0; |
364 | 103k | a->neg = 0; |
365 | 103k | a->d[0] = w; |
366 | 103k | a->top = (w ? 1 : 0); |
367 | 103k | a->flags &= ~BN_FLG_FIXED_TOP; |
368 | 103k | bn_check_top(a); |
369 | 103k | return 1; |
370 | 103k | } |
371 | | |
372 | | BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) |
373 | 1.59M | { |
374 | 1.59M | unsigned int i, m; |
375 | 1.59M | unsigned int n; |
376 | 1.59M | BN_ULONG l; |
377 | 1.59M | BIGNUM *bn = NULL; |
378 | 1.59M | |
379 | 1.59M | if (ret == NULL) |
380 | 1.59M | ret = bn = BN_new(); |
381 | 1.59M | if (ret == NULL) |
382 | 1.59M | return NULL; |
383 | 1.59M | bn_check_top(ret); |
384 | 1.59M | /* Skip leading zero's. */ |
385 | 3.53M | for ( ; len > 0 && *s == 0; s++, len--) |
386 | 1.94M | continue; |
387 | 1.59M | n = len; |
388 | 1.59M | if (n == 0) { |
389 | 766k | ret->top = 0; |
390 | 766k | return ret; |
391 | 766k | } |
392 | 827k | i = ((n - 1) / BN_BYTES) + 1; |
393 | 827k | m = ((n - 1) % (BN_BYTES)); |
394 | 827k | if (bn_wexpand(ret, (int)i) == NULL) { |
395 | 0 | BN_free(bn); |
396 | 0 | return NULL; |
397 | 0 | } |
398 | 827k | ret->top = i; |
399 | 827k | ret->neg = 0; |
400 | 827k | l = 0; |
401 | 35.0M | while (n--) { |
402 | 34.2M | l = (l << 8L) | *(s++); |
403 | 34.2M | if (m-- == 0) { |
404 | 4.79M | ret->d[--i] = l; |
405 | 4.79M | l = 0; |
406 | 4.79M | m = BN_BYTES - 1; |
407 | 4.79M | } |
408 | 34.2M | } |
409 | 827k | /* |
410 | 827k | * need to call this due to clear byte at top if avoiding having the top |
411 | 827k | * bit set (-ve number) |
412 | 827k | */ |
413 | 827k | bn_correct_top(ret); |
414 | 827k | return ret; |
415 | 827k | } |
416 | | |
417 | | /* ignore negative */ |
418 | | static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) |
419 | 8.51k | { |
420 | 8.51k | int n; |
421 | 8.51k | size_t i, lasti, j, atop, mask; |
422 | 8.51k | BN_ULONG l; |
423 | 8.51k | |
424 | 8.51k | /* |
425 | 8.51k | * In case |a| is fixed-top, BN_num_bytes can return bogus length, |
426 | 8.51k | * but it's assumed that fixed-top inputs ought to be "nominated" |
427 | 8.51k | * even for padded output, so it works out... |
428 | 8.51k | */ |
429 | 8.51k | n = BN_num_bytes(a); |
430 | 8.51k | if (tolen == -1) { |
431 | 8.51k | tolen = n; |
432 | 8.51k | } else if (tolen < n) { /* uncommon/unlike case */ |
433 | 0 | BIGNUM temp = *a; |
434 | 0 |
|
435 | 0 | bn_correct_top(&temp); |
436 | 0 | n = BN_num_bytes(&temp); |
437 | 0 | if (tolen < n) |
438 | 0 | return -1; |
439 | 8.51k | } |
440 | 8.51k | |
441 | 8.51k | /* Swipe through whole available data and don't give away padded zero. */ |
442 | 8.51k | atop = a->dmax * BN_BYTES; |
443 | 8.51k | if (atop == 0) { |
444 | 18 | OPENSSL_cleanse(to, tolen); |
445 | 18 | return tolen; |
446 | 18 | } |
447 | 8.49k | |
448 | 8.49k | lasti = atop - 1; |
449 | 8.49k | atop = a->top * BN_BYTES; |
450 | 804k | for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) { |
451 | 795k | l = a->d[i / BN_BYTES]; |
452 | 795k | mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1)); |
453 | 795k | *--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); |
454 | 795k | i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */ |
455 | 795k | } |
456 | 8.49k | |
457 | 8.49k | return tolen; |
458 | 8.49k | } |
459 | | |
460 | | int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) |
461 | 0 | { |
462 | 0 | if (tolen < 0) |
463 | 0 | return -1; |
464 | 0 | return bn2binpad(a, to, tolen); |
465 | 0 | } |
466 | | |
467 | | int BN_bn2bin(const BIGNUM *a, unsigned char *to) |
468 | 8.51k | { |
469 | 8.51k | return bn2binpad(a, to, -1); |
470 | 8.51k | } |
471 | | |
472 | | BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret) |
473 | 0 | { |
474 | 0 | unsigned int i, m; |
475 | 0 | unsigned int n; |
476 | 0 | BN_ULONG l; |
477 | 0 | BIGNUM *bn = NULL; |
478 | 0 |
|
479 | 0 | if (ret == NULL) |
480 | 0 | ret = bn = BN_new(); |
481 | 0 | if (ret == NULL) |
482 | 0 | return NULL; |
483 | 0 | bn_check_top(ret); |
484 | 0 | s += len; |
485 | 0 | /* Skip trailing zeroes. */ |
486 | 0 | for ( ; len > 0 && s[-1] == 0; s--, len--) |
487 | 0 | continue; |
488 | 0 | n = len; |
489 | 0 | if (n == 0) { |
490 | 0 | ret->top = 0; |
491 | 0 | return ret; |
492 | 0 | } |
493 | 0 | i = ((n - 1) / BN_BYTES) + 1; |
494 | 0 | m = ((n - 1) % (BN_BYTES)); |
495 | 0 | if (bn_wexpand(ret, (int)i) == NULL) { |
496 | 0 | BN_free(bn); |
497 | 0 | return NULL; |
498 | 0 | } |
499 | 0 | ret->top = i; |
500 | 0 | ret->neg = 0; |
501 | 0 | l = 0; |
502 | 0 | while (n--) { |
503 | 0 | s--; |
504 | 0 | l = (l << 8L) | *s; |
505 | 0 | if (m-- == 0) { |
506 | 0 | ret->d[--i] = l; |
507 | 0 | l = 0; |
508 | 0 | m = BN_BYTES - 1; |
509 | 0 | } |
510 | 0 | } |
511 | 0 | /* |
512 | 0 | * need to call this due to clear byte at top if avoiding having the top |
513 | 0 | * bit set (-ve number) |
514 | 0 | */ |
515 | 0 | bn_correct_top(ret); |
516 | 0 | return ret; |
517 | 0 | } |
518 | | |
519 | | int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen) |
520 | 0 | { |
521 | 0 | int i; |
522 | 0 | BN_ULONG l; |
523 | 0 | bn_check_top(a); |
524 | 0 | i = BN_num_bytes(a); |
525 | 0 | if (tolen < i) |
526 | 0 | return -1; |
527 | 0 | /* Add trailing zeroes if necessary */ |
528 | 0 | if (tolen > i) |
529 | 0 | memset(to + i, 0, tolen - i); |
530 | 0 | to += i; |
531 | 0 | while (i--) { |
532 | 0 | l = a->d[i / BN_BYTES]; |
533 | 0 | to--; |
534 | 0 | *to = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; |
535 | 0 | } |
536 | 0 | return tolen; |
537 | 0 | } |
538 | | |
539 | | int BN_ucmp(const BIGNUM *a, const BIGNUM *b) |
540 | 0 | { |
541 | 0 | int i; |
542 | 0 | BN_ULONG t1, t2, *ap, *bp; |
543 | 0 |
|
544 | 0 | bn_check_top(a); |
545 | 0 | bn_check_top(b); |
546 | 0 |
|
547 | 0 | i = a->top - b->top; |
548 | 0 | if (i != 0) |
549 | 0 | return i; |
550 | 0 | ap = a->d; |
551 | 0 | bp = b->d; |
552 | 0 | for (i = a->top - 1; i >= 0; i--) { |
553 | 0 | t1 = ap[i]; |
554 | 0 | t2 = bp[i]; |
555 | 0 | if (t1 != t2) |
556 | 0 | return ((t1 > t2) ? 1 : -1); |
557 | 0 | } |
558 | 0 | return 0; |
559 | 0 | } |
560 | | |
561 | | int BN_cmp(const BIGNUM *a, const BIGNUM *b) |
562 | 0 | { |
563 | 0 | int i; |
564 | 0 | int gt, lt; |
565 | 0 | BN_ULONG t1, t2; |
566 | 0 |
|
567 | 0 | if ((a == NULL) || (b == NULL)) { |
568 | 0 | if (a != NULL) |
569 | 0 | return -1; |
570 | 0 | else if (b != NULL) |
571 | 0 | return 1; |
572 | 0 | else |
573 | 0 | return 0; |
574 | 0 | } |
575 | 0 | |
576 | 0 | bn_check_top(a); |
577 | 0 | bn_check_top(b); |
578 | 0 |
|
579 | 0 | if (a->neg != b->neg) { |
580 | 0 | if (a->neg) |
581 | 0 | return -1; |
582 | 0 | else |
583 | 0 | return 1; |
584 | 0 | } |
585 | 0 | if (a->neg == 0) { |
586 | 0 | gt = 1; |
587 | 0 | lt = -1; |
588 | 0 | } else { |
589 | 0 | gt = -1; |
590 | 0 | lt = 1; |
591 | 0 | } |
592 | 0 |
|
593 | 0 | if (a->top > b->top) |
594 | 0 | return gt; |
595 | 0 | if (a->top < b->top) |
596 | 0 | return lt; |
597 | 0 | for (i = a->top - 1; i >= 0; i--) { |
598 | 0 | t1 = a->d[i]; |
599 | 0 | t2 = b->d[i]; |
600 | 0 | if (t1 > t2) |
601 | 0 | return gt; |
602 | 0 | if (t1 < t2) |
603 | 0 | return lt; |
604 | 0 | } |
605 | 0 | return 0; |
606 | 0 | } |
607 | | |
608 | | int BN_set_bit(BIGNUM *a, int n) |
609 | 0 | { |
610 | 0 | int i, j, k; |
611 | 0 |
|
612 | 0 | if (n < 0) |
613 | 0 | return 0; |
614 | 0 | |
615 | 0 | i = n / BN_BITS2; |
616 | 0 | j = n % BN_BITS2; |
617 | 0 | if (a->top <= i) { |
618 | 0 | if (bn_wexpand(a, i + 1) == NULL) |
619 | 0 | return 0; |
620 | 0 | for (k = a->top; k < i + 1; k++) |
621 | 0 | a->d[k] = 0; |
622 | 0 | a->top = i + 1; |
623 | 0 | a->flags &= ~BN_FLG_FIXED_TOP; |
624 | 0 | } |
625 | 0 |
|
626 | 0 | a->d[i] |= (((BN_ULONG)1) << j); |
627 | 0 | bn_check_top(a); |
628 | 0 | return 1; |
629 | 0 | } |
630 | | |
631 | | int BN_clear_bit(BIGNUM *a, int n) |
632 | 0 | { |
633 | 0 | int i, j; |
634 | 0 |
|
635 | 0 | bn_check_top(a); |
636 | 0 | if (n < 0) |
637 | 0 | return 0; |
638 | 0 | |
639 | 0 | i = n / BN_BITS2; |
640 | 0 | j = n % BN_BITS2; |
641 | 0 | if (a->top <= i) |
642 | 0 | return 0; |
643 | 0 | |
644 | 0 | a->d[i] &= (~(((BN_ULONG)1) << j)); |
645 | 0 | bn_correct_top(a); |
646 | 0 | return 1; |
647 | 0 | } |
648 | | |
649 | | int BN_is_bit_set(const BIGNUM *a, int n) |
650 | 0 | { |
651 | 0 | int i, j; |
652 | 0 |
|
653 | 0 | bn_check_top(a); |
654 | 0 | if (n < 0) |
655 | 0 | return 0; |
656 | 0 | i = n / BN_BITS2; |
657 | 0 | j = n % BN_BITS2; |
658 | 0 | if (a->top <= i) |
659 | 0 | return 0; |
660 | 0 | return (int)(((a->d[i]) >> j) & ((BN_ULONG)1)); |
661 | 0 | } |
662 | | |
663 | | int BN_mask_bits(BIGNUM *a, int n) |
664 | 0 | { |
665 | 0 | int b, w; |
666 | 0 |
|
667 | 0 | bn_check_top(a); |
668 | 0 | if (n < 0) |
669 | 0 | return 0; |
670 | 0 | |
671 | 0 | w = n / BN_BITS2; |
672 | 0 | b = n % BN_BITS2; |
673 | 0 | if (w >= a->top) |
674 | 0 | return 0; |
675 | 0 | if (b == 0) |
676 | 0 | a->top = w; |
677 | 0 | else { |
678 | 0 | a->top = w + 1; |
679 | 0 | a->d[w] &= ~(BN_MASK2 << b); |
680 | 0 | } |
681 | 0 | bn_correct_top(a); |
682 | 0 | return 1; |
683 | 0 | } |
684 | | |
685 | | void BN_set_negative(BIGNUM *a, int b) |
686 | 0 | { |
687 | 0 | if (b && !BN_is_zero(a)) |
688 | 0 | a->neg = 1; |
689 | 0 | else |
690 | 0 | a->neg = 0; |
691 | 0 | } |
692 | | |
693 | | int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n) |
694 | 382k | { |
695 | 382k | int i; |
696 | 382k | BN_ULONG aa, bb; |
697 | 382k | |
698 | 382k | aa = a[n - 1]; |
699 | 382k | bb = b[n - 1]; |
700 | 382k | if (aa != bb) |
701 | 250k | return ((aa > bb) ? 1 : -1); |
702 | 643k | for (i = n - 2; i >= 0; i--) { |
703 | 603k | aa = a[i]; |
704 | 603k | bb = b[i]; |
705 | 603k | if (aa != bb) |
706 | 91.3k | return ((aa > bb) ? 1 : -1); |
707 | 603k | } |
708 | 131k | return 0; |
709 | 131k | } |
710 | | |
711 | | /* |
712 | | * Here follows a specialised variants of bn_cmp_words(). It has the |
713 | | * capability of performing the operation on arrays of different sizes. The |
714 | | * sizes of those arrays is expressed through cl, which is the common length |
715 | | * ( basically, min(len(a),len(b)) ), and dl, which is the delta between the |
716 | | * two lengths, calculated as len(a)-len(b). All lengths are the number of |
717 | | * BN_ULONGs... |
718 | | */ |
719 | | |
720 | | int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl) |
721 | 465k | { |
722 | 465k | int n, i; |
723 | 465k | n = cl - 1; |
724 | 465k | |
725 | 465k | if (dl < 0) { |
726 | 201k | for (i = dl; i < 0; i++) { |
727 | 186k | if (b[n - i] != 0) |
728 | 41.2k | return -1; /* a < b */ |
729 | 186k | } |
730 | 56.5k | } |
731 | 465k | if (dl > 0) { |
732 | 145k | for (i = dl; i > 0; i--) { |
733 | 133k | if (a[n + i] != 0) |
734 | 41.8k | return 1; /* a > b */ |
735 | 133k | } |
736 | 54.0k | } |
737 | 423k | return bn_cmp_words(a, b, cl); |
738 | 423k | } |
739 | | |
740 | | /* |
741 | | * Constant-time conditional swap of a and b. |
742 | | * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set. |
743 | | * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b, |
744 | | * and that no more than nwords are used by either a or b. |
745 | | * a and b cannot be the same number |
746 | | */ |
747 | | void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) |
748 | 0 | { |
749 | 0 | BN_ULONG t; |
750 | 0 | int i; |
751 | 0 |
|
752 | 0 | bn_wcheck_size(a, nwords); |
753 | 0 | bn_wcheck_size(b, nwords); |
754 | 0 |
|
755 | 0 | assert(a != b); |
756 | 0 | assert((condition & (condition - 1)) == 0); |
757 | 0 | assert(sizeof(BN_ULONG) >= sizeof(int)); |
758 | 0 |
|
759 | 0 | condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1; |
760 | 0 |
|
761 | 0 | t = (a->top ^ b->top) & condition; |
762 | 0 | a->top ^= t; |
763 | 0 | b->top ^= t; |
764 | 0 |
|
765 | 0 | t = (a->neg ^ b->neg) & condition; |
766 | 0 | a->neg ^= t; |
767 | 0 | b->neg ^= t; |
768 | 0 |
|
769 | 0 | /*- |
770 | 0 | * Idea behind BN_FLG_STATIC_DATA is actually to |
771 | 0 | * indicate that data may not be written to. |
772 | 0 | * Intention is actually to treat it as it's |
773 | 0 | * read-only data, and some (if not most) of it does |
774 | 0 | * reside in read-only segment. In other words |
775 | 0 | * observation of BN_FLG_STATIC_DATA in |
776 | 0 | * BN_consttime_swap should be treated as fatal |
777 | 0 | * condition. It would either cause SEGV or |
778 | 0 | * effectively cause data corruption. |
779 | 0 | * BN_FLG_MALLOCED refers to BN structure itself, |
780 | 0 | * and hence must be preserved. Remaining flags are |
781 | 0 | * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be |
782 | 0 | * preserved, because it determines how x->d was |
783 | 0 | * allocated and hence how to free it. This leaves |
784 | 0 | * BN_FLG_CONSTTIME that one can do something about. |
785 | 0 | * To summarize it's sufficient to mask and swap |
786 | 0 | * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should |
787 | 0 | * be treated as fatal. |
788 | 0 | */ |
789 | 0 | t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; |
790 | 0 | a->flags ^= t; |
791 | 0 | b->flags ^= t; |
792 | 0 |
|
793 | 0 | #define BN_CONSTTIME_SWAP(ind) \ |
794 | 0 | do { \ |
795 | 0 | t = (a->d[ind] ^ b->d[ind]) & condition; \ |
796 | 0 | a->d[ind] ^= t; \ |
797 | 0 | b->d[ind] ^= t; \ |
798 | 0 | } while (0) |
799 | 0 |
|
800 | 0 | switch (nwords) { |
801 | 0 | default: |
802 | 0 | for (i = 10; i < nwords; i++) |
803 | 0 | BN_CONSTTIME_SWAP(i); |
804 | 0 | /* Fallthrough */ |
805 | 0 | case 10: |
806 | 0 | BN_CONSTTIME_SWAP(9); /* Fallthrough */ |
807 | 0 | case 9: |
808 | 0 | BN_CONSTTIME_SWAP(8); /* Fallthrough */ |
809 | 0 | case 8: |
810 | 0 | BN_CONSTTIME_SWAP(7); /* Fallthrough */ |
811 | 0 | case 7: |
812 | 0 | BN_CONSTTIME_SWAP(6); /* Fallthrough */ |
813 | 0 | case 6: |
814 | 0 | BN_CONSTTIME_SWAP(5); /* Fallthrough */ |
815 | 0 | case 5: |
816 | 0 | BN_CONSTTIME_SWAP(4); /* Fallthrough */ |
817 | 0 | case 4: |
818 | 0 | BN_CONSTTIME_SWAP(3); /* Fallthrough */ |
819 | 0 | case 3: |
820 | 0 | BN_CONSTTIME_SWAP(2); /* Fallthrough */ |
821 | 0 | case 2: |
822 | 0 | BN_CONSTTIME_SWAP(1); /* Fallthrough */ |
823 | 0 | case 1: |
824 | 0 | BN_CONSTTIME_SWAP(0); |
825 | 0 | } |
826 | 0 | #undef BN_CONSTTIME_SWAP |
827 | 0 | } |
828 | | |
829 | | /* Bits of security, see SP800-57 */ |
830 | | |
831 | | int BN_security_bits(int L, int N) |
832 | 0 | { |
833 | 0 | int secbits, bits; |
834 | 0 | if (L >= 15360) |
835 | 0 | secbits = 256; |
836 | 0 | else if (L >= 7680) |
837 | 0 | secbits = 192; |
838 | 0 | else if (L >= 3072) |
839 | 0 | secbits = 128; |
840 | 0 | else if (L >= 2048) |
841 | 0 | secbits = 112; |
842 | 0 | else if (L >= 1024) |
843 | 0 | secbits = 80; |
844 | 0 | else |
845 | 0 | return 0; |
846 | 0 | if (N == -1) |
847 | 0 | return secbits; |
848 | 0 | bits = N / 2; |
849 | 0 | if (bits < 80) |
850 | 0 | return 0; |
851 | 0 | return bits >= secbits ? secbits : bits; |
852 | 0 | } |
853 | | |
854 | | void BN_zero_ex(BIGNUM *a) |
855 | 0 | { |
856 | 0 | a->neg = 0; |
857 | 0 | a->top = 0; |
858 | 0 | a->flags &= ~BN_FLG_FIXED_TOP; |
859 | 0 | } |
860 | | |
861 | | int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w) |
862 | 23.8k | { |
863 | 23.8k | return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0)); |
864 | 23.8k | } |
865 | | |
866 | | int BN_is_zero(const BIGNUM *a) |
867 | 1.40M | { |
868 | 1.40M | return a->top == 0; |
869 | 1.40M | } |
870 | | |
871 | | int BN_is_one(const BIGNUM *a) |
872 | 0 | { |
873 | 0 | return BN_abs_is_word(a, 1) && !a->neg; |
874 | 0 | } |
875 | | |
876 | | int BN_is_word(const BIGNUM *a, const BN_ULONG w) |
877 | 23.8k | { |
878 | 23.8k | return BN_abs_is_word(a, w) && (!w || !a->neg); |
879 | 23.8k | } |
880 | | |
881 | | int BN_is_odd(const BIGNUM *a) |
882 | 0 | { |
883 | 0 | return (a->top > 0) && (a->d[0] & 1); |
884 | 0 | } |
885 | | |
886 | | int BN_is_negative(const BIGNUM *a) |
887 | 30.3k | { |
888 | 30.3k | return (a->neg != 0); |
889 | 30.3k | } |
890 | | |
891 | | int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, |
892 | | BN_CTX *ctx) |
893 | 0 | { |
894 | 0 | return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx); |
895 | 0 | } |
896 | | |
897 | | void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags) |
898 | 0 | { |
899 | 0 | dest->d = b->d; |
900 | 0 | dest->top = b->top; |
901 | 0 | dest->dmax = b->dmax; |
902 | 0 | dest->neg = b->neg; |
903 | 0 | dest->flags = ((dest->flags & BN_FLG_MALLOCED) |
904 | 0 | | (b->flags & ~BN_FLG_MALLOCED) |
905 | 0 | | BN_FLG_STATIC_DATA | flags); |
906 | 0 | } |
907 | | |
908 | | BN_GENCB *BN_GENCB_new(void) |
909 | 0 | { |
910 | 0 | BN_GENCB *ret; |
911 | 0 |
|
912 | 0 | if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) { |
913 | 0 | BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE); |
914 | 0 | return NULL; |
915 | 0 | } |
916 | 0 |
|
917 | 0 | return ret; |
918 | 0 | } |
919 | | |
920 | | void BN_GENCB_free(BN_GENCB *cb) |
921 | 0 | { |
922 | 0 | if (cb == NULL) |
923 | 0 | return; |
924 | 0 | OPENSSL_free(cb); |
925 | 0 | } |
926 | | |
927 | | void BN_set_flags(BIGNUM *b, int n) |
928 | 0 | { |
929 | 0 | b->flags |= n; |
930 | 0 | } |
931 | | |
932 | | int BN_get_flags(const BIGNUM *b, int n) |
933 | 6.58M | { |
934 | 6.58M | return b->flags & n; |
935 | 6.58M | } |
936 | | |
937 | | /* Populate a BN_GENCB structure with an "old"-style callback */ |
938 | | void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback) (int, int, void *), |
939 | | void *cb_arg) |
940 | 0 | { |
941 | 0 | BN_GENCB *tmp_gencb = gencb; |
942 | 0 | tmp_gencb->ver = 1; |
943 | 0 | tmp_gencb->arg = cb_arg; |
944 | 0 | tmp_gencb->cb.cb_1 = callback; |
945 | 0 | } |
946 | | |
947 | | /* Populate a BN_GENCB structure with a "new"-style callback */ |
948 | | void BN_GENCB_set(BN_GENCB *gencb, int (*callback) (int, int, BN_GENCB *), |
949 | | void *cb_arg) |
950 | 0 | { |
951 | 0 | BN_GENCB *tmp_gencb = gencb; |
952 | 0 | tmp_gencb->ver = 2; |
953 | 0 | tmp_gencb->arg = cb_arg; |
954 | 0 | tmp_gencb->cb.cb_2 = callback; |
955 | 0 | } |
956 | | |
957 | | void *BN_GENCB_get_arg(BN_GENCB *cb) |
958 | 0 | { |
959 | 0 | return cb->arg; |
960 | 0 | } |
961 | | |
962 | | BIGNUM *bn_wexpand(BIGNUM *a, int words) |
963 | 2.26M | { |
964 | 2.26M | return (words <= a->dmax) ? a : bn_expand2(a, words); |
965 | 2.26M | } |
966 | | |
967 | | void bn_correct_top(BIGNUM *a) |
968 | 2.18M | { |
969 | 2.18M | BN_ULONG *ftl; |
970 | 2.18M | int tmp_top = a->top; |
971 | 2.18M | |
972 | 2.18M | if (tmp_top > 0) { |
973 | 3.33M | for (ftl = &(a->d[tmp_top]); tmp_top > 0; tmp_top--) { |
974 | 3.33M | ftl--; |
975 | 3.33M | if (*ftl != 0) |
976 | 2.17M | break; |
977 | 3.33M | } |
978 | 2.17M | a->top = tmp_top; |
979 | 2.17M | } |
980 | 2.18M | if (a->top == 0) |
981 | 13.3k | a->neg = 0; |
982 | 2.18M | a->flags &= ~BN_FLG_FIXED_TOP; |
983 | 2.18M | bn_pollute(a); |
984 | 2.18M | } |