# define NDEBUG
#endif
-#define OPENSSL_FIPSAPI
+
#include <assert.h>
#include <limits.h>
-#include <stdio.h>
#include "cryptlib.h"
#include "bn_lcl.h"
/* This stuff appears to be completely unused, so is deprecated */
#ifndef OPENSSL_NO_DEPRECATED
-/* For a 32 bit machine
+/*-
+ * For a 32 bit machine
* 2 - 4 == 128
* 3 - 8 == 256
* 4 - 16 == 512
BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE);
return(NULL);
}
+#ifdef PURIFY
+ /* Valgrind complains in BN_consttime_swap because we process the whole
+ * array even if it's not initialised yet. This doesn't matter in that
+ * function - what's important is constant time operation (we're not
+ * actually going to use the data)
+ */
+ memset(a, 0, sizeof(BN_ULONG)*words);
+#endif
+
#if 1
B=b->d;
/* Check if the previous number needs to be copied */
case 3: A[2]=B[2];
case 2: A[1]=B[1];
case 1: A[0]=B[0];
- case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does
- * the switch table by doing a=top&3; a--; goto jump_table[a];
- * which fails for top== 0 */
+ case 0:
;
+ /*
+ * workaround for ultrix cc: without 'case 0', the optimizer does
+ * the switch table by doing a=top&3; a--; goto jump_table[a];
+ * which fails for top== 0
+ */
}
}
return(a);
}
-/* This is an internal function that can be used instead of bn_expand2()
- * when there is a need to copy BIGNUMs instead of only expanding the
- * data part, while still expanding them.
- * Especially useful when needing to expand BIGNUMs that are declared
- * 'const' and should therefore not be changed.
- * The reason to use this instead of a BN_dup() followed by a bn_expand2()
- * is memory allocation overhead. A BN_dup() followed by a bn_expand2()
- * will allocate new memory for the BIGNUM data twice, and free it once,
- * while bn_dup_expand() makes sure allocation is made only once.
- */
-
-#ifndef OPENSSL_NO_DEPRECATED
-BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
- {
- BIGNUM *r = NULL;
-
- bn_check_top(b);
-
- /* This function does not work if
- * words <= b->dmax && top < words
- * because BN_dup() does not preserve 'dmax'!
- * (But bn_dup_expand() is not used anywhere yet.)
- */
-
- if (words > b->dmax)
- {
- BN_ULONG *a = bn_expand_internal(b, words);
-
- if (a)
- {
- r = BN_new();
- if (r)
- {
- r->top = b->top;
- r->dmax = words;
- r->neg = b->neg;
- r->d = a;
- }
- else
- {
- /* r == NULL, BN_new failure */
- OPENSSL_free(a);
- }
- }
- /* If a == NULL, there was an error in allocation in
- bn_expand_internal(), and NULL should be returned */
- }
- else
- {
- r = BN_dup(b);
- }
-
- bn_check_top(r);
- return r;
- }
-#endif
-
/* This is an internal function that should not be used in applications.
* It ensures that 'b' has enough room for a 'words' word number
* and initialises any unused part of b->d with leading zeros.
}
return bn_cmp_words(a,b,cl);
}
+
+/*
+ * Constant-time conditional swap of a and b.
+ * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
+ * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
+ * and that no more than nwords are used by either a or b.
+ * a and b cannot be the same number
+ */
+void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
+ {
+ BN_ULONG t;
+ int i;
+
+ bn_wcheck_size(a, nwords);
+ bn_wcheck_size(b, nwords);
+
+ assert(a != b);
+ assert((condition & (condition - 1)) == 0);
+ assert(sizeof(BN_ULONG) >= sizeof(int));
+
+ condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
+
+ t = (a->top^b->top) & condition;
+ a->top ^= t;
+ b->top ^= t;
+
+#define BN_CONSTTIME_SWAP(ind) \
+ do { \
+ t = (a->d[ind] ^ b->d[ind]) & condition; \
+ a->d[ind] ^= t; \
+ b->d[ind] ^= t; \
+ } while (0)
+
+
+ switch (nwords) {
+ default:
+ for (i = 10; i < nwords; i++)
+ BN_CONSTTIME_SWAP(i);
+ /* Fallthrough */
+ case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
+ case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
+ case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
+ case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
+ case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
+ case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
+ case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
+ case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
+ case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
+ case 1: BN_CONSTTIME_SWAP(0);
+ }
+#undef BN_CONSTTIME_SWAP
+}
+
+/* Bits of security, see SP800-57 */
+
+int BN_security_bits(int L, int N)
+ {
+ int secbits, bits;
+ if (L >= 15360)
+ secbits = 256;
+ else if (L >= 7690)
+ secbits = 192;
+ else if (L >= 3072)
+ secbits = 128;
+ else if (L >= 2048)
+ secbits = 112;
+ else if (L >= 1024)
+ secbits = 80;
+ else
+ return 0;
+ if (N == -1)
+ return secbits;
+ bits = N / 2;
+ if (bits < 80)
+ return 0;
+ return bits >= secbits ? secbits : bits;
+ }
+
+
+void BN_zero_ex(BIGNUM *a)
+ {
+ a->top = 0;
+ a->neg = 0;
+ }
+
+int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
+ {
+ return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
+ }
+
+int BN_is_zero(const BIGNUM *a)
+ {
+ return a->top == 0;
+ }
+
+int BN_is_one(const BIGNUM *a)
+ {
+ return BN_abs_is_word(a, 1) && !a->neg;
+ }
+
+int BN_is_word(const BIGNUM *a, const BN_ULONG w)
+ {
+ return BN_abs_is_word(a, w) && (!w || !a->neg);
+ }
+
+int BN_is_odd(const BIGNUM *a)
+ {
+ return (a->top > 0) && (a->d[0] & 1);
+ }
+
+int BN_is_negative(const BIGNUM *a)
+ {
+ return (a->neg != 0);
+ }
+
+int BN_to_montgomery(BIGNUM *r,const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx)
+ {
+ return BN_mod_mul_montgomery(r,a,&(mont->RR),mont,ctx);
+ }
+
+void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int n)
+ {
+ dest->d=b->d;
+ dest->top=b->top;
+ dest->dmax=b->dmax;
+ dest->neg=b->neg;
+ dest->flags=((dest->flags & BN_FLG_MALLOCED)
+ | (b->flags & ~BN_FLG_MALLOCED)
+ | BN_FLG_STATIC_DATA
+ | n);
+ }
+
+BN_GENCB *BN_GENCB_new(void)
+ {
+ BN_GENCB *ret;
+
+ if ((ret=(BN_GENCB *)OPENSSL_malloc(sizeof(BN_GENCB))) == NULL)
+ {
+ BNerr(BN_F_BN_GENCB_NEW,ERR_R_MALLOC_FAILURE);
+ return(NULL);
+ }
+
+ return ret;
+ }
+
+void BN_GENCB_free(BN_GENCB *cb)
+ {
+ if (cb == NULL) return;
+ OPENSSL_free(cb);
+ }
+
+void BN_set_flags(BIGNUM *b, int n)
+ {
+ b->flags|=n;
+ }
+
+int BN_get_flags(const BIGNUM *b, int n)
+ {
+ return b->flags&n;
+ }
+
+/* Populate a BN_GENCB structure with an "old"-style callback */
+void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback)(int, int, void *), void *cb_arg)
+ {
+ BN_GENCB *tmp_gencb = gencb;
+ tmp_gencb->ver = 1;
+ tmp_gencb->arg = cb_arg;
+ tmp_gencb->cb.cb_1 = callback;
+ }
+
+/* Populate a BN_GENCB structure with a "new"-style callback */
+void BN_GENCB_set(BN_GENCB *gencb, int (*callback)(int, int, BN_GENCB *), void *cb_arg)
+ {
+ BN_GENCB *tmp_gencb = gencb;
+ tmp_gencb->ver = 2;
+ tmp_gencb->arg = cb_arg;
+ tmp_gencb->cb.cb_2 = callback;
+ }
+
+void *BN_GENCB_get_arg(BN_GENCB *cb)
+ {
+ return cb->arg;
+ }
+
+
+BIGNUM *bn_wexpand(BIGNUM *a, int words)
+ {
+ return (words <= a->dmax)?a:bn_expand2(a,words);
+ }
+
+void bn_correct_top(BIGNUM *a)
+ {
+ BN_ULONG *ftl;
+ int tmp_top = a->top;
+
+ if (tmp_top > 0)
+ {
+ for (ftl= &(a->d[tmp_top-1]); tmp_top > 0; tmp_top--)
+ if (*(ftl--)) break;
+ a->top = tmp_top;
+ }
+ bn_pollute(a);
+ }