]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/bn/bn_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
More secure storage of key material.
[thirdparty/openssl.git] / crypto / bn / bn_lib.c
CommitLineData
d02b48c6 1/* crypto/bn/bn_lib.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 8 *
d02b48c6
RE		 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 15 *
d02b48c6
RE		 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
0f113f3e 22 *
d02b48c6
RE		 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
0f113f3e 37 * 4. If you include any Windows specific code (or a derivative thereof) from
d02b48c6
RE		 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 40 *
d02b48c6
RE		 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
0f113f3e 52 *
d02b48c6
RE		 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
bbb8de09 59#ifndef BN_DEBUG
0f113f3e 60# undef NDEBUG /* avoid conflicting definitions */
bbb8de09
BM		 61# define NDEBUG
62#endif
63
64#include <assert.h>
addb309a 65#include <limits.h>
b39fc560 66#include "internal/cryptlib.h"
d02b48c6
RE		 67#include "bn_lcl.h"
68
0f113f3e 69const char BN_version[] = "Big Number" OPENSSL_VERSION_PTEXT;
dfeab068 70
df11e1e9
GT		 71/* This stuff appears to be completely unused, so is deprecated */
72#ifndef OPENSSL_NO_DEPRECATED
1d97c843
TH		 73/*-
74 * For a 32 bit machine
dfeab068
RE		 75 * 2 - 4 == 128
76 * 3 - 8 == 256
77 * 4 - 16 == 512
78 * 5 - 32 == 1024
79 * 6 - 64 == 2048
80 * 7 - 128 == 4096
81 * 8 - 256 == 8192
82 */
0f113f3e
MC		 83static int bn_limit_bits = 0;
84static int bn_limit_num = 8; /* (1<<bn_limit_bits) */
85static int bn_limit_bits_low = 0;
86static int bn_limit_num_low = 8; /* (1<<bn_limit_bits_low) */
87static int bn_limit_bits_high = 0;
88static int bn_limit_num_high = 8; /* (1<<bn_limit_bits_high) */
89static int bn_limit_bits_mont = 0;
90static int bn_limit_num_mont = 8; /* (1<<bn_limit_bits_mont) */
dfeab068 91
6b691a5c 92void BN_set_params(int mult, int high, int low, int mont)
0f113f3e
MC		 93{
94 if (mult >= 0) {
95 if (mult > (int)(sizeof(int) * 8) - 1)
96 mult = sizeof(int) * 8 - 1;
97 bn_limit_bits = mult;
98 bn_limit_num = 1 << mult;
99 }
100 if (high >= 0) {
101 if (high > (int)(sizeof(int) * 8) - 1)
102 high = sizeof(int) * 8 - 1;
103 bn_limit_bits_high = high;
104 bn_limit_num_high = 1 << high;
105 }
106 if (low >= 0) {
107 if (low > (int)(sizeof(int) * 8) - 1)
108 low = sizeof(int) * 8 - 1;
109 bn_limit_bits_low = low;
110 bn_limit_num_low = 1 << low;
111 }
112 if (mont >= 0) {
113 if (mont > (int)(sizeof(int) * 8) - 1)
114 mont = sizeof(int) * 8 - 1;
115 bn_limit_bits_mont = mont;
116 bn_limit_num_mont = 1 << mont;
117 }
118}
dfeab068 119
6b691a5c 120int BN_get_params(int which)
0f113f3e
MC		 121{
122 if (which == 0)
123 return (bn_limit_bits);
124 else if (which == 1)
125 return (bn_limit_bits_high);
126 else if (which == 2)
127 return (bn_limit_bits_low);
128 else if (which == 3)
129 return (bn_limit_bits_mont);
130 else
131 return (0);
132}
df11e1e9 133#endif
d02b48c6 134
98499135 135const BIGNUM *BN_value_one(void)
0f113f3e
MC		 136{
137 static const BN_ULONG data_one = 1L;
138 static const BIGNUM const_one =
139 { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
d02b48c6 140
0f113f3e
MC		 141 return (&const_one);
142}
d02b48c6 143
6b691a5c 144int BN_num_bits_word(BN_ULONG l)
0f113f3e
MC		 145{
146 static const unsigned char bits[256] = {
147 0, 1, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4,
148 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
149 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
150 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
151 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
152 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
153 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
154 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
155 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
156 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
157 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
158 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
159 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
160 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
161 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
162 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
163 };
d02b48c6 164
dfeab068 165#if defined(SIXTY_FOUR_BIT_LONG)
0f113f3e
MC		 166 if (l & 0xffffffff00000000L) {
167 if (l & 0xffff000000000000L) {
168 if (l & 0xff00000000000000L) {
169 return (bits[(int)(l >> 56)] + 56);
170 } else
171 return (bits[(int)(l >> 48)] + 48);
172 } else {
173 if (l & 0x0000ff0000000000L) {
174 return (bits[(int)(l >> 40)] + 40);
175 } else
176 return (bits[(int)(l >> 32)] + 32);
177 }
178 } else
d02b48c6 179#else
0f113f3e
MC		 180# ifdef SIXTY_FOUR_BIT
181 if (l & 0xffffffff00000000LL) {
182 if (l & 0xffff000000000000LL) {
183 if (l & 0xff00000000000000LL) {
184 return (bits[(int)(l >> 56)] + 56);
185 } else
186 return (bits[(int)(l >> 48)] + 48);
187 } else {
188 if (l & 0x0000ff0000000000LL) {
189 return (bits[(int)(l >> 40)] + 40);
190 } else
191 return (bits[(int)(l >> 32)] + 32);
192 }
193 } else
194# endif
d02b48c6 195#endif
0f113f3e 196 {
d02b48c6 197#if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
0f113f3e
MC		 198 if (l & 0xffff0000L) {
199 if (l & 0xff000000L)
200 return (bits[(int)(l >> 24L)] + 24);
201 else
202 return (bits[(int)(l >> 16L)] + 16);
203 } else
d02b48c6 204#endif
0f113f3e 205 {
4a47f556 206#if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
0f113f3e
MC		 207 if (l & 0xff00L)
208 return (bits[(int)(l >> 8)] + 8);
209 else
d02b48c6 210#endif
0f113f3e
MC		 211 return (bits[(int)(l)]);
212 }
213 }
214}
d02b48c6 215
84c15db5 216int BN_num_bits(const BIGNUM *a)
0f113f3e
MC		 217{
218 int i = a->top - 1;
219 bn_check_top(a);
dfeab068 220
0f113f3e
MC		 221 if (BN_is_zero(a))
222 return 0;
223 return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
224}
d02b48c6 225
6b691a5c 226void BN_clear_free(BIGNUM *a)
0f113f3e
MC		 227{
228 int i;
229
230 if (a == NULL)
231 return;
232 bn_check_top(a);
233 if (a->d != NULL) {
234 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
74924dcb
RS		 235 if (!(BN_get_flags(a, BN_FLG_STATIC_DATA))) {
236 if (BN_get_flags(a,BN_FLG_SECURE))
237 OPENSSL_secure_free(a->d);
238 else
239 OPENSSL_free(a->d);
240 }
0f113f3e
MC		 241 }
242 i = BN_get_flags(a, BN_FLG_MALLOCED);
243 OPENSSL_cleanse(a, sizeof(BIGNUM));
244 if (i)
245 OPENSSL_free(a);
246}
d02b48c6 247
6b691a5c 248void BN_free(BIGNUM *a)
0f113f3e
MC		 249{
250 if (a == NULL)
251 return;
252 bn_check_top(a);
b548a1f1 253 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
74924dcb
RS		 254 if ((a->d != NULL) && !(BN_get_flags(a, BN_FLG_STATIC_DATA))) {
255 if (BN_get_flags(a, BN_FLG_SECURE))
256 OPENSSL_secure_free(a->d);
257 else
258 OPENSSL_free(a->d);
259 }
0f113f3e
MC		 260 if (a->flags & BN_FLG_MALLOCED)
261 OPENSSL_free(a);
262 else {
21933811 263#ifndef OPENSSL_NO_DEPRECATED
0f113f3e 264 a->flags |= BN_FLG_FREE;
2ae1ea37 265#endif
0f113f3e
MC		 266 a->d = NULL;
267 }
268}
dfeab068 269
6b691a5c 270void BN_init(BIGNUM *a)
0f113f3e 271{
16f8d4eb 272 memset(a, 0, sizeof(*a));
0f113f3e
MC		 273 bn_check_top(a);
274}
d02b48c6 275
6b691a5c 276BIGNUM *BN_new(void)
0f113f3e
MC		 277{
278 BIGNUM *ret;
279
b4faea50 280 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
0f113f3e
MC		 281 BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
282 return (NULL);
283 }
284 ret->flags = BN_FLG_MALLOCED;
285 ret->top = 0;
286 ret->neg = 0;
287 ret->dmax = 0;
288 ret->d = NULL;
289 bn_check_top(ret);
290 return (ret);
291}
d02b48c6 292
74924dcb
RS		 293 BIGNUM *BN_secure_new(void)
294 {
295 BIGNUM *ret = BN_new();
296 if (ret)
297 ret->flags |= BN_FLG_SECURE;
298 return (ret);
299 }
300
020fc820
RL		 301/* This is used both by bn_expand2() and bn_dup_expand() */
302/* The caller MUST check that words > b->dmax before calling this */
6343829a 303static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
0f113f3e
MC		 304{
305 BN_ULONG *A, *a = NULL;
306 const BN_ULONG *B;
307 int i;
308
309 bn_check_top(b);
310
311 if (words > (INT_MAX / (4 * BN_BITS2))) {
312 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
313 return NULL;
314 }
315 if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
316 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
317 return (NULL);
318 }
74924dcb
RS		 319 if (BN_get_flags(b,BN_FLG_SECURE))
320 a = A = OPENSSL_secure_malloc(words * sizeof(*a));
321 else
322 a = A = OPENSSL_malloc(words * sizeof(*a));
0f113f3e
MC		 323 if (A == NULL) {
324 BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
325 return (NULL);
326 }
f8571ce8 327#ifdef PURIFY
0f113f3e
MC		 328 /*
329 * Valgrind complains in BN_consttime_swap because we process the whole
330 * array even if it's not initialised yet. This doesn't matter in that
331 * function - what's important is constant time operation (we're not
332 * actually going to use the data)
333 */
16f8d4eb 334 memset(a, 0, sizeof(*a) * words);
f8571ce8
MC		 335#endif
336
dfeab068 337#if 1
0f113f3e
MC		 338 B = b->d;
339 /* Check if the previous number needs to be copied */
340 if (B != NULL) {
341 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
342 /*
343 * The fact that the loop is unrolled
344 * 4-wise is a tribute to Intel. It's
345 * the one that doesn't have enough
346 * registers to accomodate more data.
347 * I'd unroll it 8-wise otherwise:-)
348 *
349 * <appro@fy.chalmers.se>
350 */
351 BN_ULONG a0, a1, a2, a3;
352 a0 = B[0];
353 a1 = B[1];
354 a2 = B[2];
355 a3 = B[3];
356 A[0] = a0;
357 A[1] = a1;
358 A[2] = a2;
359 A[3] = a3;
360 }
361 /*
362 * workaround for ultrix cc: without 'case 0', the optimizer does
363 * the switch table by doing a=top&3; a--; goto jump_table[a];
364 * which fails for top== 0
365 */
366 switch (b->top & 3) {
367 case 3:
368 A[2] = B[2];
369 case 2:
370 A[1] = B[1];
371 case 1:
372 A[0] = B[0];
373 case 0:
374 ;
375 }
376 }
dfeab068 377#else
16f8d4eb 378 memset(A, 0, sizeof(*A) * words);
0f113f3e 379 memcpy(A, b->d, sizeof(b->d[0]) * b->top);
dfeab068 380#endif
dfeab068 381
0f113f3e
MC		 382 return (a);
383}
384
385/*
386 * This is an internal function that should not be used in applications. It
387 * ensures that 'b' has enough room for a 'words' word number and initialises
388 * any unused part of b->d with leading zeros. It is mostly used by the
389 * various BIGNUM routines. If there is an error, NULL is returned. If not,
390 * 'b' is returned.
391 */
020fc820 392
6343829a 393BIGNUM *bn_expand2(BIGNUM *b, int words)
0f113f3e
MC		 394{
395 bn_check_top(b);
396
397 if (words > b->dmax) {
398 BN_ULONG *a = bn_expand_internal(b, words);
399 if (!a)
400 return NULL;
74924dcb
RS		 401 if (b->d) {
402 if (BN_get_flags(b,BN_FLG_SECURE))
403 OPENSSL_secure_free(b->d);
404 else
405 OPENSSL_free(b->d);
406 }
0f113f3e
MC		 407 b->d = a;
408 b->dmax = words;
409 }
2bfd2c74 410
0f113f3e
MC		 411 bn_check_top(b);
412 return b;
413}
d02b48c6 414
84c15db5 415BIGNUM *BN_dup(const BIGNUM *a)
0f113f3e
MC		 416{
417 BIGNUM *t;
418
419 if (a == NULL)
420 return NULL;
421 bn_check_top(a);
422
74924dcb 423 t = BN_get_flags(a, BN_FLG_SECURE) ? BN_secure_new() : BN_new();
0f113f3e
MC		 424 if (t == NULL)
425 return NULL;
426 if (!BN_copy(t, a)) {
427 BN_free(t);
428 return NULL;
429 }
430 bn_check_top(t);
431 return t;
432}
d02b48c6 433
84c15db5 434BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
0f113f3e
MC		 435{
436 int i;
437 BN_ULONG *A;
438 const BN_ULONG *B;
58964a49 439
0f113f3e 440 bn_check_top(b);
dfeab068 441
0f113f3e
MC		 442 if (a == b)
443 return (a);
444 if (bn_wexpand(a, b->top) == NULL)
445 return (NULL);
58964a49
RE		 446
447#if 1
0f113f3e
MC		 448 A = a->d;
449 B = b->d;
450 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
451 BN_ULONG a0, a1, a2, a3;
452 a0 = B[0];
453 a1 = B[1];
454 a2 = B[2];
455 a3 = B[3];
456 A[0] = a0;
457 A[1] = a1;
458 A[2] = a2;
459 A[3] = a3;
460 }
461 /* ultrix cc workaround, see comments in bn_expand_internal */
462 switch (b->top & 3) {
463 case 3:
464 A[2] = B[2];
465 case 2:
466 A[1] = B[1];
467 case 1:
468 A[0] = B[0];
469 case 0:;
470 }
58964a49 471#else
0f113f3e 472 memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
58964a49
RE		 473#endif
474
0f113f3e
MC		 475 a->top = b->top;
476 a->neg = b->neg;
477 bn_check_top(a);
478 return (a);
479}
d02b48c6 480
78a0c1f1 481void BN_swap(BIGNUM *a, BIGNUM *b)
0f113f3e
MC		 482{
483 int flags_old_a, flags_old_b;
484 BN_ULONG *tmp_d;
485 int tmp_top, tmp_dmax, tmp_neg;
486
487 bn_check_top(a);
488 bn_check_top(b);
489
490 flags_old_a = a->flags;
491 flags_old_b = b->flags;
492
493 tmp_d = a->d;
494 tmp_top = a->top;
495 tmp_dmax = a->dmax;
496 tmp_neg = a->neg;
497
498 a->d = b->d;
499 a->top = b->top;
500 a->dmax = b->dmax;
501 a->neg = b->neg;
502
503 b->d = tmp_d;
504 b->top = tmp_top;
505 b->dmax = tmp_dmax;
506 b->neg = tmp_neg;
507
508 a->flags =
509 (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
510 b->flags =
511 (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
512 bn_check_top(a);
513 bn_check_top(b);
514}
78a0c1f1 515
6b691a5c 516void BN_clear(BIGNUM *a)
0f113f3e
MC		 517{
518 bn_check_top(a);
519 if (a->d != NULL)
16f8d4eb 520 memset(a->d, 0, sizeof(*a->d) * a->dmax);
0f113f3e
MC		 521 a->top = 0;
522 a->neg = 0;
523}
d02b48c6 524
020fc820 525BN_ULONG BN_get_word(const BIGNUM *a)
0f113f3e
MC		 526{
527 if (a->top > 1)
528 return BN_MASK2;
529 else if (a->top == 1)
530 return a->d[0];
531 /* a->top == 0 */
532 return 0;
533}
d02b48c6 534
e042540f 535int BN_set_word(BIGNUM *a, BN_ULONG w)
0f113f3e
MC		 536{
537 bn_check_top(a);
538 if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL)
539 return (0);
540 a->neg = 0;
541 a->d[0] = w;
542 a->top = (w ? 1 : 0);
543 bn_check_top(a);
544 return (1);
545}
d02b48c6 546
6343829a 547BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
0f113f3e
MC		 548{
549 unsigned int i, m;
550 unsigned int n;
551 BN_ULONG l;
552 BIGNUM *bn = NULL;
553
554 if (ret == NULL)
555 ret = bn = BN_new();
556 if (ret == NULL)
557 return (NULL);
558 bn_check_top(ret);
559 l = 0;
560 n = len;
561 if (n == 0) {
562 ret->top = 0;
563 return (ret);
564 }
565 i = ((n - 1) / BN_BYTES) + 1;
566 m = ((n - 1) % (BN_BYTES));
567 if (bn_wexpand(ret, (int)i) == NULL) {
23a1d5e9 568 BN_free(bn);
0f113f3e
MC		 569 return NULL;
570 }
571 ret->top = i;
572 ret->neg = 0;
573 while (n--) {
574 l = (l << 8L) | *(s++);
575 if (m-- == 0) {
576 ret->d[--i] = l;
577 l = 0;
578 m = BN_BYTES - 1;
579 }
580 }
581 /*
582 * need to call this due to clear byte at top if avoiding having the top
583 * bit set (-ve number)
584 */
585 bn_correct_top(ret);
586 return (ret);
587}
d02b48c6
RE		 588
589/* ignore negative */
8623f693 590int BN_bn2bin(const BIGNUM *a, unsigned char *to)
0f113f3e
MC		 591{
592 int n, i;
593 BN_ULONG l;
594
595 bn_check_top(a);
596 n = i = BN_num_bytes(a);
597 while (i--) {
598 l = a->d[i / BN_BYTES];
599 *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
600 }
601 return (n);
602}
d02b48c6 603
84c15db5 604int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
0f113f3e
MC		 605{
606 int i;
607 BN_ULONG t1, t2, *ap, *bp;
608
609 bn_check_top(a);
610 bn_check_top(b);
611
612 i = a->top - b->top;
613 if (i != 0)
614 return (i);
615 ap = a->d;
616 bp = b->d;
617 for (i = a->top - 1; i >= 0; i--) {
618 t1 = ap[i];
619 t2 = bp[i];
620 if (t1 != t2)
621 return ((t1 > t2) ? 1 : -1);
622 }
623 return (0);
624}
d02b48c6 625
84c15db5 626int BN_cmp(const BIGNUM *a, const BIGNUM *b)
0f113f3e
MC		 627{
628 int i;
629 int gt, lt;
630 BN_ULONG t1, t2;
631
632 if ((a == NULL) || (b == NULL)) {
633 if (a != NULL)
634 return (-1);
635 else if (b != NULL)
636 return (1);
637 else
638 return (0);
639 }
640
641 bn_check_top(a);
642 bn_check_top(b);
643
644 if (a->neg != b->neg) {
645 if (a->neg)
646 return (-1);
647 else
648 return (1);
649 }
650 if (a->neg == 0) {
651 gt = 1;
652 lt = -1;
653 } else {
654 gt = -1;
655 lt = 1;
656 }
657
658 if (a->top > b->top)
659 return (gt);
660 if (a->top < b->top)
661 return (lt);
662 for (i = a->top - 1; i >= 0; i--) {
663 t1 = a->d[i];
664 t2 = b->d[i];
665 if (t1 > t2)
666 return (gt);
667 if (t1 < t2)
668 return (lt);
669 }
670 return (0);
671}
d02b48c6 672
6b691a5c 673int BN_set_bit(BIGNUM *a, int n)
0f113f3e
MC		 674{
675 int i, j, k;
676
677 if (n < 0)
678 return 0;
679
680 i = n / BN_BITS2;
681 j = n % BN_BITS2;
682 if (a->top <= i) {
683 if (bn_wexpand(a, i + 1) == NULL)
684 return (0);
685 for (k = a->top; k < i + 1; k++)
686 a->d[k] = 0;
687 a->top = i + 1;
688 }
689
690 a->d[i] |= (((BN_ULONG)1) << j);
691 bn_check_top(a);
692 return (1);
693}
d02b48c6 694
6b691a5c 695int BN_clear_bit(BIGNUM *a, int n)
0f113f3e
MC		 696{
697 int i, j;
d02b48c6 698
0f113f3e
MC		 699 bn_check_top(a);
700 if (n < 0)
701 return 0;
1a017330 702
0f113f3e
MC		 703 i = n / BN_BITS2;
704 j = n % BN_BITS2;
705 if (a->top <= i)
706 return (0);
d02b48c6 707
0f113f3e
MC		 708 a->d[i] &= (~(((BN_ULONG)1) << j));
709 bn_correct_top(a);
710 return (1);
711}
d02b48c6 712
84c15db5 713int BN_is_bit_set(const BIGNUM *a, int n)
0f113f3e
MC		 714{
715 int i, j;
716
717 bn_check_top(a);
718 if (n < 0)
719 return 0;
720 i = n / BN_BITS2;
721 j = n % BN_BITS2;
722 if (a->top <= i)
723 return 0;
724 return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
725}
d02b48c6 726
6b691a5c 727int BN_mask_bits(BIGNUM *a, int n)
0f113f3e
MC		 728{
729 int b, w;
730
731 bn_check_top(a);
732 if (n < 0)
733 return 0;
734
735 w = n / BN_BITS2;
736 b = n % BN_BITS2;
737 if (w >= a->top)
738 return 0;
739 if (b == 0)
740 a->top = w;
741 else {
742 a->top = w + 1;
743 a->d[w] &= ~(BN_MASK2 << b);
744 }
745 bn_correct_top(a);
746 return (1);
747}
dfeab068 748
ff22e913 749void BN_set_negative(BIGNUM *a, int b)
0f113f3e
MC		 750{
751 if (b && !BN_is_zero(a))
752 a->neg = 1;
753 else
754 a->neg = 0;
755}
ff22e913 756
cbd48ba6 757int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
0f113f3e
MC		 758{
759 int i;
760 BN_ULONG aa, bb;
761
762 aa = a[n - 1];
763 bb = b[n - 1];
764 if (aa != bb)
765 return ((aa > bb) ? 1 : -1);
766 for (i = n - 2; i >= 0; i--) {
767 aa = a[i];
768 bb = b[i];
769 if (aa != bb)
770 return ((aa > bb) ? 1 : -1);
771 }
772 return (0);
773}
774
775/*
776 * Here follows a specialised variants of bn_cmp_words(). It has the
777 * property of performing the operation on arrays of different sizes. The
778 * sizes of those arrays is expressed through cl, which is the common length
779 * ( basicall, min(len(a),len(b)) ), and dl, which is the delta between the
780 * two lengths, calculated as len(a)-len(b). All lengths are the number of
781 * BN_ULONGs...
782 */
783
784int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
785{
786 int n, i;
787 n = cl - 1;
788
789 if (dl < 0) {
790 for (i = dl; i < 0; i++) {
791 if (b[n - i] != 0)
792 return -1; /* a < b */
793 }
794 }
795 if (dl > 0) {
796 for (i = dl; i > 0; i--) {
797 if (a[n + i] != 0)
798 return 1; /* a > b */
799 }
800 }
801 return bn_cmp_words(a, b, cl);
802}
803
804/*
805 * Constant-time conditional swap of a and b.
f9b6c0ba
DSH		 806 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
807 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
808 * and that no more than nwords are used by either a or b.
809 * a and b cannot be the same number
810 */
811void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
0f113f3e
MC		 812{
813 BN_ULONG t;
814 int i;
f9b6c0ba 815
0f113f3e
MC		 816 bn_wcheck_size(a, nwords);
817 bn_wcheck_size(b, nwords);
f9b6c0ba 818
0f113f3e
MC		 819 assert(a != b);
820 assert((condition & (condition - 1)) == 0);
821 assert(sizeof(BN_ULONG) >= sizeof(int));
f9b6c0ba 822
0f113f3e 823 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
f9b6c0ba 824
0f113f3e
MC		 825 t = (a->top ^ b->top) & condition;
826 a->top ^= t;
827 b->top ^= t;
f9b6c0ba
DSH		 828
829#define BN_CONSTTIME_SWAP(ind) \
0f113f3e
MC		 830 do { \
831 t = (a->d[ind] ^ b->d[ind]) & condition; \
832 a->d[ind] ^= t; \
833 b->d[ind] ^= t; \
834 } while (0)
835
836 switch (nwords) {
837 default:
838 for (i = 10; i < nwords; i++)
839 BN_CONSTTIME_SWAP(i);
840 /* Fallthrough */
841 case 10:
842 BN_CONSTTIME_SWAP(9); /* Fallthrough */
843 case 9:
844 BN_CONSTTIME_SWAP(8); /* Fallthrough */
845 case 8:
846 BN_CONSTTIME_SWAP(7); /* Fallthrough */
847 case 7:
848 BN_CONSTTIME_SWAP(6); /* Fallthrough */
849 case 6:
850 BN_CONSTTIME_SWAP(5); /* Fallthrough */
851 case 5:
852 BN_CONSTTIME_SWAP(4); /* Fallthrough */
853 case 4:
854 BN_CONSTTIME_SWAP(3); /* Fallthrough */
855 case 3:
856 BN_CONSTTIME_SWAP(2); /* Fallthrough */
857 case 2:
858 BN_CONSTTIME_SWAP(1); /* Fallthrough */
859 case 1:
860 BN_CONSTTIME_SWAP(0);
861 }
f9b6c0ba
DSH		 862#undef BN_CONSTTIME_SWAP
863}
2514fa79
DSH		 864
865/* Bits of security, see SP800-57 */
866
867int BN_security_bits(int L, int N)
0f113f3e
MC		 868{
869 int secbits, bits;
870 if (L >= 15360)
871 secbits = 256;
872 else if (L >= 7690)
873 secbits = 192;
874 else if (L >= 3072)
875 secbits = 128;
876 else if (L >= 2048)
877 secbits = 112;
878 else if (L >= 1024)
879 secbits = 80;
880 else
881 return 0;
882 if (N == -1)
883 return secbits;
884 bits = N / 2;
885 if (bits < 80)
886 return 0;
887 return bits >= secbits ? secbits : bits;
888}
85bcf27c
MC		 889
890void BN_zero_ex(BIGNUM *a)
0f113f3e
MC		 891{
892 a->top = 0;
893 a->neg = 0;
894}
85bcf27c
MC		 895
896int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
0f113f3e
MC		 897{
898 return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
899}
85bcf27c
MC		 900
901int BN_is_zero(const BIGNUM *a)
0f113f3e
MC		 902{
903 return a->top == 0;
904}
85bcf27c
MC		 905
906int BN_is_one(const BIGNUM *a)
0f113f3e
MC		 907{
908 return BN_abs_is_word(a, 1) && !a->neg;
909}
85bcf27c
MC		 910
911int BN_is_word(const BIGNUM *a, const BN_ULONG w)
0f113f3e
MC		 912{
913 return BN_abs_is_word(a, w) && (!w || !a->neg);
914}
85bcf27c
MC		 915
916int BN_is_odd(const BIGNUM *a)
0f113f3e
MC		 917{
918 return (a->top > 0) && (a->d[0] & 1);
919}
85bcf27c
MC		 920
921int BN_is_negative(const BIGNUM *a)
0f113f3e
MC		 922{
923 return (a->neg != 0);
924}
85bcf27c 925
0f113f3e
MC		 926int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
927 BN_CTX *ctx)
928{
929 return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx);
930}
85bcf27c
MC		 931
932void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int n)
0f113f3e
MC		 933{
934 dest->d = b->d;
935 dest->top = b->top;
936 dest->dmax = b->dmax;
937 dest->neg = b->neg;
938 dest->flags = ((dest->flags & BN_FLG_MALLOCED)
939 | (b->flags & ~BN_FLG_MALLOCED)
940 | BN_FLG_STATIC_DATA | n);
941}
85bcf27c
MC		 942
943BN_GENCB *BN_GENCB_new(void)
0f113f3e
MC		 944{
945 BN_GENCB *ret;
85bcf27c 946
b4faea50 947 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
0f113f3e
MC		 948 BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE);
949 return (NULL);
950 }
85bcf27c 951
0f113f3e
MC		 952 return ret;
953}
85bcf27c
MC		 954
955void BN_GENCB_free(BN_GENCB *cb)
0f113f3e
MC		 956{
957 if (cb == NULL)
958 return;
959 OPENSSL_free(cb);
960}
85bcf27c
MC		 961
962void BN_set_flags(BIGNUM *b, int n)
0f113f3e
MC		 963{
964 b->flags |= n;
965}
85bcf27c
MC		 966
967int BN_get_flags(const BIGNUM *b, int n)
0f113f3e
MC		 968{
969 return b->flags & n;
970}
85bcf27c
MC		 971
972/* Populate a BN_GENCB structure with an "old"-style callback */
0f113f3e
MC		 973void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback) (int, int, void *),
974 void *cb_arg)
975{
976 BN_GENCB *tmp_gencb = gencb;
977 tmp_gencb->ver = 1;
978 tmp_gencb->arg = cb_arg;
979 tmp_gencb->cb.cb_1 = callback;
980}
85bcf27c
MC		 981
982/* Populate a BN_GENCB structure with a "new"-style callback */
0f113f3e
MC		 983void BN_GENCB_set(BN_GENCB *gencb, int (*callback) (int, int, BN_GENCB *),
984 void *cb_arg)
985{
986 BN_GENCB *tmp_gencb = gencb;
987 tmp_gencb->ver = 2;
988 tmp_gencb->arg = cb_arg;
989 tmp_gencb->cb.cb_2 = callback;
990}
85bcf27c
MC		 991
992void *BN_GENCB_get_arg(BN_GENCB *cb)
0f113f3e
MC		 993{
994 return cb->arg;
995}
85bcf27c
MC		 996
997BIGNUM *bn_wexpand(BIGNUM *a, int words)
0f113f3e
MC		 998{
999 return (words <= a->dmax) ? a : bn_expand2(a, words);
1000}
85bcf27c
MC		 1001
1002void bn_correct_top(BIGNUM *a)
0f113f3e
MC		 1003{
1004 BN_ULONG *ftl;
1005 int tmp_top = a->top;
1006
1007 if (tmp_top > 0) {
1008 for (ftl = &(a->d[tmp_top - 1]); tmp_top > 0; tmp_top--)
1009 if (*(ftl--))
1010 break;
1011 a->top = tmp_top;
1012 }
1013 bn_pollute(a);
1014}
A mirror of the official openssl repository