2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include "internal/cryptlib.h"
14 #include <openssl/opensslconf.h>
16 /* This stuff appears to be completely unused, so is deprecated */
17 #if OPENSSL_API_COMPAT < 0x00908000L
19 * For a 32 bit machine
28 static int bn_limit_bits = 0;
29 static int bn_limit_num = 8; /* (1<<bn_limit_bits) */
30 static int bn_limit_bits_low = 0;
31 static int bn_limit_num_low = 8; /* (1<<bn_limit_bits_low) */
32 static int bn_limit_bits_high = 0;
33 static int bn_limit_num_high = 8; /* (1<<bn_limit_bits_high) */
34 static int bn_limit_bits_mont = 0;
35 static int bn_limit_num_mont = 8; /* (1<<bn_limit_bits_mont) */
37 void BN_set_params(int mult, int high, int low, int mont)
40 if (mult > (int)(sizeof(int) * 8) - 1)
41 mult = sizeof(int) * 8 - 1;
43 bn_limit_num = 1 << mult;
46 if (high > (int)(sizeof(int) * 8) - 1)
47 high = sizeof(int) * 8 - 1;
48 bn_limit_bits_high = high;
49 bn_limit_num_high = 1 << high;
52 if (low > (int)(sizeof(int) * 8) - 1)
53 low = sizeof(int) * 8 - 1;
54 bn_limit_bits_low = low;
55 bn_limit_num_low = 1 << low;
58 if (mont > (int)(sizeof(int) * 8) - 1)
59 mont = sizeof(int) * 8 - 1;
60 bn_limit_bits_mont = mont;
61 bn_limit_num_mont = 1 << mont;
65 int BN_get_params(int which)
68 return (bn_limit_bits);
70 return (bn_limit_bits_high);
72 return (bn_limit_bits_low);
74 return (bn_limit_bits_mont);
80 const BIGNUM *BN_value_one(void)
82 static const BN_ULONG data_one = 1L;
83 static const BIGNUM const_one =
84 { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
89 int BN_num_bits_word(BN_ULONG l)
96 mask = (0 - x) & BN_MASK2;
97 mask = (0 - (mask >> (BN_BITS2 - 1)));
103 mask = (0 - x) & BN_MASK2;
104 mask = (0 - (mask >> (BN_BITS2 - 1)));
109 mask = (0 - x) & BN_MASK2;
110 mask = (0 - (mask >> (BN_BITS2 - 1)));
115 mask = (0 - x) & BN_MASK2;
116 mask = (0 - (mask >> (BN_BITS2 - 1)));
121 mask = (0 - x) & BN_MASK2;
122 mask = (0 - (mask >> (BN_BITS2 - 1)));
127 mask = (0 - x) & BN_MASK2;
128 mask = (0 - (mask >> (BN_BITS2 - 1)));
134 int BN_num_bits(const BIGNUM *a)
141 return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
144 static void bn_free_d(BIGNUM *a)
146 if (BN_get_flags(a, BN_FLG_SECURE))
147 OPENSSL_secure_free(a->d);
153 void BN_clear_free(BIGNUM *a)
161 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
162 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
165 i = BN_get_flags(a, BN_FLG_MALLOCED);
166 OPENSSL_cleanse(a, sizeof(*a));
171 void BN_free(BIGNUM *a)
176 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
178 if (a->flags & BN_FLG_MALLOCED)
181 #if OPENSSL_API_COMPAT < 0x00908000L
182 a->flags |= BN_FLG_FREE;
188 void bn_init(BIGNUM *a)
200 if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
201 BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
204 ret->flags = BN_FLG_MALLOCED;
209 BIGNUM *BN_secure_new(void)
211 BIGNUM *ret = BN_new();
213 ret->flags |= BN_FLG_SECURE;
217 /* This is used by bn_expand2() */
218 /* The caller MUST check that words > b->dmax before calling this */
219 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
221 BN_ULONG *A, *a = NULL;
227 if (words > (INT_MAX / (4 * BN_BITS2))) {
228 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
231 if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
232 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
235 if (BN_get_flags(b, BN_FLG_SECURE))
236 a = A = OPENSSL_secure_zalloc(words * sizeof(*a));
238 a = A = OPENSSL_zalloc(words * sizeof(*a));
240 BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
246 /* Check if the previous number needs to be copied */
248 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
250 * The fact that the loop is unrolled
251 * 4-wise is a tribute to Intel. It's
252 * the one that doesn't have enough
253 * registers to accommodate more data.
254 * I'd unroll it 8-wise otherwise:-)
256 * <appro@fy.chalmers.se>
258 BN_ULONG a0, a1, a2, a3;
268 switch (b->top & 3) {
279 /* Without the "case 0" some old optimizers got this wrong. */
284 memset(A, 0, sizeof(*A) * words);
285 memcpy(A, b->d, sizeof(b->d[0]) * b->top);
292 * This is an internal function that should not be used in applications. It
293 * ensures that 'b' has enough room for a 'words' word number and initialises
294 * any unused part of b->d with leading zeros. It is mostly used by the
295 * various BIGNUM routines. If there is an error, NULL is returned. If not,
299 BIGNUM *bn_expand2(BIGNUM *b, int words)
303 if (words > b->dmax) {
304 BN_ULONG *a = bn_expand_internal(b, words);
308 OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
319 BIGNUM *BN_dup(const BIGNUM *a)
327 t = BN_get_flags(a, BN_FLG_SECURE) ? BN_secure_new() : BN_new();
330 if (!BN_copy(t, a)) {
338 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
348 if (bn_wexpand(a, b->top) == NULL)
354 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
355 BN_ULONG a0, a1, a2, a3;
365 /* ultrix cc workaround, see comments in bn_expand_internal */
366 switch (b->top & 3) {
379 memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
388 void BN_swap(BIGNUM *a, BIGNUM *b)
390 int flags_old_a, flags_old_b;
392 int tmp_top, tmp_dmax, tmp_neg;
397 flags_old_a = a->flags;
398 flags_old_b = b->flags;
416 (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
418 (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
423 void BN_clear(BIGNUM *a)
427 OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax);
432 BN_ULONG BN_get_word(const BIGNUM *a)
436 else if (a->top == 1)
442 int BN_set_word(BIGNUM *a, BN_ULONG w)
445 if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL)
449 a->top = (w ? 1 : 0);
454 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
466 /* Skip leading zero's. */
467 for ( ; len > 0 && *s == 0; s++, len--)
474 i = ((n - 1) / BN_BYTES) + 1;
475 m = ((n - 1) % (BN_BYTES));
476 if (bn_wexpand(ret, (int)i) == NULL) {
484 l = (l << 8L) | *(s++);
492 * need to call this due to clear byte at top if avoiding having the top
493 * bit set (-ve number)
499 /* ignore negative */
500 static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
511 /* Add leading zeroes if necessary */
513 memset(to, 0, tolen - i);
517 l = a->d[i / BN_BYTES];
518 *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
523 int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
527 return bn2binpad(a, to, tolen);
530 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
532 return bn2binpad(a, to, -1);
535 BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
548 /* Skip trailing zeroes. */
549 for ( ; len > 0 && s[-1] == 0; s--, len--)
556 i = ((n - 1) / BN_BYTES) + 1;
557 m = ((n - 1) % (BN_BYTES));
558 if (bn_wexpand(ret, (int)i) == NULL) {
575 * need to call this due to clear byte at top if avoiding having the top
576 * bit set (-ve number)
582 int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
590 /* Add trailing zeroes if necessary */
592 memset(to + i, 0, tolen - i);
595 l = a->d[i / BN_BYTES];
597 *to = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
602 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
605 BN_ULONG t1, t2, *ap, *bp;
615 for (i = a->top - 1; i >= 0; i--) {
619 return ((t1 > t2) ? 1 : -1);
624 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
630 if ((a == NULL) || (b == NULL)) {
642 if (a->neg != b->neg) {
660 for (i = a->top - 1; i >= 0; i--) {
671 int BN_set_bit(BIGNUM *a, int n)
681 if (bn_wexpand(a, i + 1) == NULL)
683 for (k = a->top; k < i + 1; k++)
688 a->d[i] |= (((BN_ULONG)1) << j);
693 int BN_clear_bit(BIGNUM *a, int n)
706 a->d[i] &= (~(((BN_ULONG)1) << j));
711 int BN_is_bit_set(const BIGNUM *a, int n)
722 return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
725 int BN_mask_bits(BIGNUM *a, int n)
741 a->d[w] &= ~(BN_MASK2 << b);
747 void BN_set_negative(BIGNUM *a, int b)
749 if (b && !BN_is_zero(a))
755 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
763 return ((aa > bb) ? 1 : -1);
764 for (i = n - 2; i >= 0; i--) {
768 return ((aa > bb) ? 1 : -1);
774 * Here follows a specialised variants of bn_cmp_words(). It has the
775 * capability of performing the operation on arrays of different sizes. The
776 * sizes of those arrays is expressed through cl, which is the common length
777 * ( basically, min(len(a),len(b)) ), and dl, which is the delta between the
778 * two lengths, calculated as len(a)-len(b). All lengths are the number of
782 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
788 for (i = dl; i < 0; i++) {
790 return -1; /* a < b */
794 for (i = dl; i > 0; i--) {
796 return 1; /* a > b */
799 return bn_cmp_words(a, b, cl);
803 * Constant-time conditional swap of a and b.
804 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
805 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
806 * and that no more than nwords are used by either a or b.
807 * a and b cannot be the same number
809 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
814 bn_wcheck_size(a, nwords);
815 bn_wcheck_size(b, nwords);
818 assert((condition & (condition - 1)) == 0);
819 assert(sizeof(BN_ULONG) >= sizeof(int));
821 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
823 t = (a->top ^ b->top) & condition;
827 #define BN_CONSTTIME_SWAP(ind) \
829 t = (a->d[ind] ^ b->d[ind]) & condition; \
836 for (i = 10; i < nwords; i++)
837 BN_CONSTTIME_SWAP(i);
840 BN_CONSTTIME_SWAP(9); /* Fallthrough */
842 BN_CONSTTIME_SWAP(8); /* Fallthrough */
844 BN_CONSTTIME_SWAP(7); /* Fallthrough */
846 BN_CONSTTIME_SWAP(6); /* Fallthrough */
848 BN_CONSTTIME_SWAP(5); /* Fallthrough */
850 BN_CONSTTIME_SWAP(4); /* Fallthrough */
852 BN_CONSTTIME_SWAP(3); /* Fallthrough */
854 BN_CONSTTIME_SWAP(2); /* Fallthrough */
856 BN_CONSTTIME_SWAP(1); /* Fallthrough */
858 BN_CONSTTIME_SWAP(0);
860 #undef BN_CONSTTIME_SWAP
863 /* Bits of security, see SP800-57 */
865 int BN_security_bits(int L, int N)
885 return bits >= secbits ? secbits : bits;
888 void BN_zero_ex(BIGNUM *a)
894 int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
896 return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
899 int BN_is_zero(const BIGNUM *a)
904 int BN_is_one(const BIGNUM *a)
906 return BN_abs_is_word(a, 1) && !a->neg;
909 int BN_is_word(const BIGNUM *a, const BN_ULONG w)
911 return BN_abs_is_word(a, w) && (!w || !a->neg);
914 int BN_is_odd(const BIGNUM *a)
916 return (a->top > 0) && (a->d[0] & 1);
919 int BN_is_negative(const BIGNUM *a)
921 return (a->neg != 0);
924 int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
927 return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx);
930 void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags)
934 dest->dmax = b->dmax;
936 dest->flags = ((dest->flags & BN_FLG_MALLOCED)
937 | (b->flags & ~BN_FLG_MALLOCED)
938 | BN_FLG_STATIC_DATA | flags);
941 BN_GENCB *BN_GENCB_new(void)
945 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
946 BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE);
953 void BN_GENCB_free(BN_GENCB *cb)
960 void BN_set_flags(BIGNUM *b, int n)
965 int BN_get_flags(const BIGNUM *b, int n)
970 /* Populate a BN_GENCB structure with an "old"-style callback */
971 void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback) (int, int, void *),
974 BN_GENCB *tmp_gencb = gencb;
976 tmp_gencb->arg = cb_arg;
977 tmp_gencb->cb.cb_1 = callback;
980 /* Populate a BN_GENCB structure with a "new"-style callback */
981 void BN_GENCB_set(BN_GENCB *gencb, int (*callback) (int, int, BN_GENCB *),
984 BN_GENCB *tmp_gencb = gencb;
986 tmp_gencb->arg = cb_arg;
987 tmp_gencb->cb.cb_2 = callback;
990 void *BN_GENCB_get_arg(BN_GENCB *cb)
995 BIGNUM *bn_wexpand(BIGNUM *a, int words)
997 return (words <= a->dmax) ? a : bn_expand2(a, words);
1000 void bn_correct_top(BIGNUM *a)
1003 int tmp_top = a->top;
1006 for (ftl = &(a->d[tmp_top]); tmp_top > 0; tmp_top--) {