2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include "internal/cryptlib.h"
13 #include "internal/endian.h"
15 #include <openssl/opensslconf.h>
16 #include "internal/constant_time.h"
18 /* This stuff appears to be completely unused, so is deprecated */
19 #ifndef OPENSSL_NO_DEPRECATED_0_9_8
21 * For a 32 bit machine
30 static int bn_limit_bits
= 0;
31 static int bn_limit_num
= 8; /* (1<<bn_limit_bits) */
32 static int bn_limit_bits_low
= 0;
33 static int bn_limit_num_low
= 8; /* (1<<bn_limit_bits_low) */
34 static int bn_limit_bits_high
= 0;
35 static int bn_limit_num_high
= 8; /* (1<<bn_limit_bits_high) */
36 static int bn_limit_bits_mont
= 0;
37 static int bn_limit_num_mont
= 8; /* (1<<bn_limit_bits_mont) */
39 void BN_set_params(int mult
, int high
, int low
, int mont
)
42 if (mult
> (int)(sizeof(int) * 8) - 1)
43 mult
= sizeof(int) * 8 - 1;
45 bn_limit_num
= 1 << mult
;
48 if (high
> (int)(sizeof(int) * 8) - 1)
49 high
= sizeof(int) * 8 - 1;
50 bn_limit_bits_high
= high
;
51 bn_limit_num_high
= 1 << high
;
54 if (low
> (int)(sizeof(int) * 8) - 1)
55 low
= sizeof(int) * 8 - 1;
56 bn_limit_bits_low
= low
;
57 bn_limit_num_low
= 1 << low
;
60 if (mont
> (int)(sizeof(int) * 8) - 1)
61 mont
= sizeof(int) * 8 - 1;
62 bn_limit_bits_mont
= mont
;
63 bn_limit_num_mont
= 1 << mont
;
67 int BN_get_params(int which
)
72 return bn_limit_bits_high
;
74 return bn_limit_bits_low
;
76 return bn_limit_bits_mont
;
82 const BIGNUM
*BN_value_one(void)
84 static const BN_ULONG data_one
= 1L;
85 static const BIGNUM const_one
=
86 { (BN_ULONG
*)&data_one
, 1, 1, 0, BN_FLG_STATIC_DATA
};
92 * Old Visual Studio ARM compiler miscompiles BN_num_bits_word()
93 * https://mta.openssl.org/pipermail/openssl-users/2018-August/008465.html
95 #if defined(_MSC_VER) && defined(_ARM_) && defined(_WIN32_WCE) \
96 && _MSC_VER>=1400 && _MSC_VER<1501
97 # define MS_BROKEN_BN_num_bits_word
98 # pragma optimize("", off)
100 int BN_num_bits_word(BN_ULONG l
)
107 mask
= (0 - x
) & BN_MASK2
;
108 mask
= (0 - (mask
>> (BN_BITS2
- 1)));
114 mask
= (0 - x
) & BN_MASK2
;
115 mask
= (0 - (mask
>> (BN_BITS2
- 1)));
120 mask
= (0 - x
) & BN_MASK2
;
121 mask
= (0 - (mask
>> (BN_BITS2
- 1)));
126 mask
= (0 - x
) & BN_MASK2
;
127 mask
= (0 - (mask
>> (BN_BITS2
- 1)));
132 mask
= (0 - x
) & BN_MASK2
;
133 mask
= (0 - (mask
>> (BN_BITS2
- 1)));
138 mask
= (0 - x
) & BN_MASK2
;
139 mask
= (0 - (mask
>> (BN_BITS2
- 1)));
144 #ifdef MS_BROKEN_BN_num_bits_word
145 # pragma optimize("", on)
149 * This function still leaks `a->dmax`: it's caller's responsibility to
150 * expand the input `a` in advance to a public length.
153 int bn_num_bits_consttime(const BIGNUM
*a
)
156 unsigned int mask
, past_i
;
160 for (j
= 0, past_i
= 0, ret
= 0; j
< a
->dmax
; j
++) {
161 mask
= constant_time_eq_int(i
, j
); /* 0xff..ff if i==j, 0x0 otherwise */
163 ret
+= BN_BITS2
& (~mask
& ~past_i
);
164 ret
+= BN_num_bits_word(a
->d
[j
]) & mask
;
166 past_i
|= mask
; /* past_i will become 0xff..ff after i==j */
170 * if BN_is_zero(a) => i is -1 and ret contains garbage, so we mask the
173 mask
= ~(constant_time_eq_int(i
, ((int)-1)));
178 int BN_num_bits(const BIGNUM
*a
)
183 if (a
->flags
& BN_FLG_CONSTTIME
) {
185 * We assume that BIGNUMs flagged as CONSTTIME have also been expanded
186 * so that a->dmax is not leaking secret information.
188 * In other words, it's the caller's responsibility to ensure `a` has
189 * been preallocated in advance to a public length if we hit this
193 return bn_num_bits_consttime(a
);
199 return ((i
* BN_BITS2
) + BN_num_bits_word(a
->d
[i
]));
202 static void bn_free_d(BIGNUM
*a
, int clear
)
204 if (BN_get_flags(a
, BN_FLG_SECURE
))
205 OPENSSL_secure_clear_free(a
->d
, a
->dmax
* sizeof(a
->d
[0]));
207 OPENSSL_clear_free(a
->d
, a
->dmax
* sizeof(a
->d
[0]));
213 void BN_clear_free(BIGNUM
*a
)
217 if (a
->d
!= NULL
&& !BN_get_flags(a
, BN_FLG_STATIC_DATA
))
219 if (BN_get_flags(a
, BN_FLG_MALLOCED
)) {
220 OPENSSL_cleanse(a
, sizeof(*a
));
225 void BN_free(BIGNUM
*a
)
229 if (!BN_get_flags(a
, BN_FLG_STATIC_DATA
))
231 if (a
->flags
& BN_FLG_MALLOCED
)
235 void bn_init(BIGNUM
*a
)
247 if ((ret
= OPENSSL_zalloc(sizeof(*ret
))) == NULL
)
249 ret
->flags
= BN_FLG_MALLOCED
;
254 BIGNUM
*BN_secure_new(void)
256 BIGNUM
*ret
= BN_new();
258 ret
->flags
|= BN_FLG_SECURE
;
262 /* This is used by bn_expand2() */
263 /* The caller MUST check that words > b->dmax before calling this */
264 static BN_ULONG
*bn_expand_internal(const BIGNUM
*b
, int words
)
268 if (words
> (INT_MAX
/ (4 * BN_BITS2
))) {
269 ERR_raise(ERR_LIB_BN
, BN_R_BIGNUM_TOO_LONG
);
272 if (BN_get_flags(b
, BN_FLG_STATIC_DATA
)) {
273 ERR_raise(ERR_LIB_BN
, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA
);
276 if (BN_get_flags(b
, BN_FLG_SECURE
))
277 a
= OPENSSL_secure_zalloc(words
* sizeof(*a
));
279 a
= OPENSSL_zalloc(words
* sizeof(*a
));
283 assert(b
->top
<= words
);
285 memcpy(a
, b
->d
, sizeof(*a
) * b
->top
);
291 * This is an internal function that should not be used in applications. It
292 * ensures that 'b' has enough room for a 'words' word number and initialises
293 * any unused part of b->d with leading zeros. It is mostly used by the
294 * various BIGNUM routines. If there is an error, NULL is returned. If not,
298 BIGNUM
*bn_expand2(BIGNUM
*b
, int words
)
300 if (words
> b
->dmax
) {
301 BN_ULONG
*a
= bn_expand_internal(b
, words
);
313 BIGNUM
*BN_dup(const BIGNUM
*a
)
321 t
= BN_get_flags(a
, BN_FLG_SECURE
) ? BN_secure_new() : BN_new();
324 if (!BN_copy(t
, a
)) {
332 BIGNUM
*BN_copy(BIGNUM
*a
, const BIGNUM
*b
)
338 bn_words
= BN_get_flags(b
, BN_FLG_CONSTTIME
) ? b
->dmax
: b
->top
;
342 if (bn_wexpand(a
, bn_words
) == NULL
)
346 memcpy(a
->d
, b
->d
, sizeof(b
->d
[0]) * bn_words
);
350 a
->flags
|= b
->flags
& BN_FLG_FIXED_TOP
;
355 #define FLAGS_DATA(flags) ((flags) & (BN_FLG_STATIC_DATA \
359 #define FLAGS_STRUCT(flags) ((flags) & (BN_FLG_MALLOCED))
361 void BN_swap(BIGNUM
*a
, BIGNUM
*b
)
363 int flags_old_a
, flags_old_b
;
365 int tmp_top
, tmp_dmax
, tmp_neg
;
370 flags_old_a
= a
->flags
;
371 flags_old_b
= b
->flags
;
388 a
->flags
= FLAGS_STRUCT(flags_old_a
) | FLAGS_DATA(flags_old_b
);
389 b
->flags
= FLAGS_STRUCT(flags_old_b
) | FLAGS_DATA(flags_old_a
);
394 void BN_clear(BIGNUM
*a
)
400 OPENSSL_cleanse(a
->d
, sizeof(*a
->d
) * a
->dmax
);
403 a
->flags
&= ~BN_FLG_FIXED_TOP
;
406 BN_ULONG
BN_get_word(const BIGNUM
*a
)
410 else if (a
->top
== 1)
416 int BN_set_word(BIGNUM
*a
, BN_ULONG w
)
419 if (bn_expand(a
, (int)sizeof(BN_ULONG
) * 8) == NULL
)
423 a
->top
= (w
? 1 : 0);
424 a
->flags
&= ~BN_FLG_FIXED_TOP
;
429 typedef enum {BIG
, LITTLE
} endianess_t
;
430 typedef enum {SIGNED
, UNSIGNED
} signedness_t
;
432 static BIGNUM
*bin2bn(const unsigned char *s
, int len
, BIGNUM
*ret
,
433 endianess_t endianess
, signedness_t signedness
)
436 const unsigned char *s2
;
438 int neg
= 0, xor = 0, carry
= 0;
443 /* Negative length is not acceptable */
454 * If the input has no bits, the number is considered zero.
455 * This makes calls with s==NULL and len==0 safe.
463 * The loop that does the work iterates from least to most
464 * significant BIGNUM chunk, so we adapt parameters to transfer
465 * input bytes accordingly.
467 if (endianess
== LITTLE
) {
478 /* Take note of the signedness of the input bytes*/
479 if (signedness
== SIGNED
) {
480 neg
= !!(*s2
& 0x80);
481 xor = neg
? 0xff : 0x00;
486 * Skip leading sign extensions (the value of |xor|).
487 * This is the only spot where |s2| and |inc2| are used.
489 for ( ; len
> 0 && *s2
== xor; s2
+= inc2
, len
--)
493 * If there was a set of 0xff, we backtrack one byte unless the next
494 * one has a sign bit, as the last 0xff is then part of the actual
495 * number, rather then a mere sign extension.
498 if (len
== 0 || !(*s2
& 0x80))
501 /* If it was all zeros, we're done */
506 n
= ((len
- 1) / BN_BYTES
) + 1; /* Number of resulting bignum chunks */
507 if (!ossl_assert(bn_wexpand(ret
, (int)n
) != NULL
)) {
513 for (i
= 0; n
-- > 0; i
++) {
514 BN_ULONG l
= 0; /* Accumulator */
515 unsigned int m
= 0; /* Offset in a bignum chunk, in bits */
517 for (; len
> 0 && m
< BN_BYTES
* 8; len
--, s
+= inc
, m
+= 8) {
518 BN_ULONG byte_xored
= *s
^ xor;
519 BN_ULONG byte
= (byte_xored
+ carry
) & 0xff;
521 carry
= byte_xored
> byte
; /* Implicit 1 or 0 */
527 * need to call this due to clear byte at top if avoiding having the top
528 * bit set (-ve number)
534 BIGNUM
*BN_bin2bn(const unsigned char *s
, int len
, BIGNUM
*ret
)
536 return bin2bn(s
, len
, ret
, BIG
, UNSIGNED
);
539 BIGNUM
*BN_signed_bin2bn(const unsigned char *s
, int len
, BIGNUM
*ret
)
541 return bin2bn(s
, len
, ret
, BIG
, SIGNED
);
544 static int bn2binpad(const BIGNUM
*a
, unsigned char *to
, int tolen
,
545 endianess_t endianess
, signedness_t signedness
)
549 int xor = 0, carry
= 0, ext
= 0;
550 size_t i
, lasti
, j
, atop
, mask
;
554 * In case |a| is fixed-top, BN_num_bits can return bogus length,
555 * but it's assumed that fixed-top inputs ought to be "nominated"
556 * even for padded output, so it works out...
559 n
= (n8
+ 7) / 8; /* This is what BN_num_bytes() does */
561 /* Take note of the signedness of the bignum */
562 if (signedness
== SIGNED
) {
563 xor = a
->neg
? 0xff : 0x00;
567 * if |n * 8 == n|, then the MSbit is set, otherwise unset.
568 * We must compensate with one extra byte if that doesn't
569 * correspond to the signedness of the bignum with regards
573 ? !a
->neg
/* MSbit set on nonnegative bignum */
574 : a
->neg
; /* MSbit unset on negative bignum */
579 } else if (tolen
< n
+ ext
) { /* uncommon/unlike case */
582 bn_correct_top(&temp
);
583 n8
= BN_num_bits(&temp
);
584 n
= (n8
+ 7) / 8; /* This is what BN_num_bytes() does */
589 /* Swipe through whole available data and don't give away padded zero. */
590 atop
= a
->dmax
* BN_BYTES
;
593 memset(to
, '\0', tolen
);
598 * The loop that does the work iterates from least significant
599 * to most significant BIGNUM limb, so we adapt parameters to
600 * transfer output bytes accordingly.
602 if (endianess
== LITTLE
) {
606 to
+= tolen
- 1; /* Move to the last byte, not beyond */
610 atop
= a
->top
* BN_BYTES
;
611 for (i
= 0, j
= 0; j
< (size_t)tolen
; j
++) {
612 unsigned char byte
, byte_xored
;
614 l
= a
->d
[i
/ BN_BYTES
];
615 mask
= 0 - ((j
- atop
) >> (8 * sizeof(i
) - 1));
616 byte
= (unsigned char)(l
>> (8 * (i
% BN_BYTES
)) & mask
);
617 byte_xored
= byte
^ xor;
618 *to
= (unsigned char)(byte_xored
+ carry
);
619 carry
= byte_xored
> *to
; /* Implicit 1 or 0 */
621 i
+= (i
- lasti
) >> (8 * sizeof(i
) - 1); /* stay on last limb */
627 int BN_bn2binpad(const BIGNUM
*a
, unsigned char *to
, int tolen
)
631 return bn2binpad(a
, to
, tolen
, BIG
, UNSIGNED
);
634 int BN_signed_bn2bin(const BIGNUM
*a
, unsigned char *to
, int tolen
)
638 return bn2binpad(a
, to
, tolen
, BIG
, SIGNED
);
641 int BN_bn2bin(const BIGNUM
*a
, unsigned char *to
)
643 return bn2binpad(a
, to
, -1, BIG
, UNSIGNED
);
646 BIGNUM
*BN_lebin2bn(const unsigned char *s
, int len
, BIGNUM
*ret
)
648 return bin2bn(s
, len
, ret
, LITTLE
, UNSIGNED
);
651 BIGNUM
*BN_signed_lebin2bn(const unsigned char *s
, int len
, BIGNUM
*ret
)
653 return bin2bn(s
, len
, ret
, LITTLE
, SIGNED
);
656 int BN_bn2lebinpad(const BIGNUM
*a
, unsigned char *to
, int tolen
)
660 return bn2binpad(a
, to
, tolen
, LITTLE
, UNSIGNED
);
663 int BN_signed_bn2lebin(const BIGNUM
*a
, unsigned char *to
, int tolen
)
667 return bn2binpad(a
, to
, tolen
, LITTLE
, SIGNED
);
670 BIGNUM
*BN_native2bn(const unsigned char *s
, int len
, BIGNUM
*ret
)
674 if (IS_LITTLE_ENDIAN
)
675 return BN_lebin2bn(s
, len
, ret
);
676 return BN_bin2bn(s
, len
, ret
);
679 BIGNUM
*BN_signed_native2bn(const unsigned char *s
, int len
, BIGNUM
*ret
)
683 if (IS_LITTLE_ENDIAN
)
684 return BN_signed_lebin2bn(s
, len
, ret
);
685 return BN_signed_bin2bn(s
, len
, ret
);
688 int BN_bn2nativepad(const BIGNUM
*a
, unsigned char *to
, int tolen
)
692 if (IS_LITTLE_ENDIAN
)
693 return BN_bn2lebinpad(a
, to
, tolen
);
694 return BN_bn2binpad(a
, to
, tolen
);
697 int BN_signed_bn2native(const BIGNUM
*a
, unsigned char *to
, int tolen
)
701 if (IS_LITTLE_ENDIAN
)
702 return BN_signed_bn2lebin(a
, to
, tolen
);
703 return BN_signed_bn2bin(a
, to
, tolen
);
706 int BN_ucmp(const BIGNUM
*a
, const BIGNUM
*b
)
709 BN_ULONG t1
, t2
, *ap
, *bp
;
719 for (i
= a
->top
- 1; i
>= 0; i
--) {
723 return ((t1
> t2
) ? 1 : -1);
728 int BN_cmp(const BIGNUM
*a
, const BIGNUM
*b
)
734 if ((a
== NULL
) || (b
== NULL
)) {
746 if (a
->neg
!= b
->neg
) {
764 for (i
= a
->top
- 1; i
>= 0; i
--) {
775 int BN_set_bit(BIGNUM
*a
, int n
)
785 if (bn_wexpand(a
, i
+ 1) == NULL
)
787 for (k
= a
->top
; k
< i
+ 1; k
++)
790 a
->flags
&= ~BN_FLG_FIXED_TOP
;
793 a
->d
[i
] |= (((BN_ULONG
)1) << j
);
798 int BN_clear_bit(BIGNUM
*a
, int n
)
811 a
->d
[i
] &= (~(((BN_ULONG
)1) << j
));
816 int BN_is_bit_set(const BIGNUM
*a
, int n
)
827 return (int)(((a
->d
[i
]) >> j
) & ((BN_ULONG
)1));
830 int BN_mask_bits(BIGNUM
*a
, int n
)
846 a
->d
[w
] &= ~(BN_MASK2
<< b
);
852 void BN_set_negative(BIGNUM
*a
, int b
)
854 if (b
&& !BN_is_zero(a
))
860 int bn_cmp_words(const BN_ULONG
*a
, const BN_ULONG
*b
, int n
)
871 return ((aa
> bb
) ? 1 : -1);
872 for (i
= n
- 2; i
>= 0; i
--) {
876 return ((aa
> bb
) ? 1 : -1);
882 * Here follows a specialised variants of bn_cmp_words(). It has the
883 * capability of performing the operation on arrays of different sizes. The
884 * sizes of those arrays is expressed through cl, which is the common length
885 * ( basically, min(len(a),len(b)) ), and dl, which is the delta between the
886 * two lengths, calculated as len(a)-len(b). All lengths are the number of
890 int bn_cmp_part_words(const BN_ULONG
*a
, const BN_ULONG
*b
, int cl
, int dl
)
896 for (i
= dl
; i
< 0; i
++) {
898 return -1; /* a < b */
902 for (i
= dl
; i
> 0; i
--) {
904 return 1; /* a > b */
907 return bn_cmp_words(a
, b
, cl
);
911 * Constant-time conditional swap of a and b.
912 * a and b are swapped if condition is not 0.
913 * nwords is the number of words to swap.
914 * Assumes that at least nwords are allocated in both a and b.
915 * Assumes that no more than nwords are used by either a or b.
917 void BN_consttime_swap(BN_ULONG condition
, BIGNUM
*a
, BIGNUM
*b
, int nwords
)
922 bn_wcheck_size(a
, nwords
);
923 bn_wcheck_size(b
, nwords
);
925 condition
= ((~condition
& ((condition
- 1))) >> (BN_BITS2
- 1)) - 1;
927 t
= (a
->top
^ b
->top
) & condition
;
931 t
= (a
->neg
^ b
->neg
) & condition
;
936 * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention
937 * is actually to treat it as it's read-only data, and some (if not most)
938 * of it does reside in read-only segment. In other words observation of
939 * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal
940 * condition. It would either cause SEGV or effectively cause data
943 * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be
946 * BN_FLG_SECURE: must be preserved, because it determines how x->d was
947 * allocated and hence how to free it.
949 * BN_FLG_CONSTTIME: sufficient to mask and swap
951 * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on
952 * the data, so the d array may be padded with additional 0 values (i.e.
953 * top could be greater than the minimal value that it could be). We should
957 #define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP)
959 t
= ((a
->flags
^ b
->flags
) & BN_CONSTTIME_SWAP_FLAGS
) & condition
;
963 /* conditionally swap the data */
964 for (i
= 0; i
< nwords
; i
++) {
965 t
= (a
->d
[i
] ^ b
->d
[i
]) & condition
;
971 #undef BN_CONSTTIME_SWAP_FLAGS
973 /* Bits of security, see SP800-57 */
975 int BN_security_bits(int L
, int N
)
995 return bits
>= secbits
? secbits
: bits
;
998 void BN_zero_ex(BIGNUM
*a
)
1002 a
->flags
&= ~BN_FLG_FIXED_TOP
;
1005 int BN_abs_is_word(const BIGNUM
*a
, const BN_ULONG w
)
1007 return ((a
->top
== 1) && (a
->d
[0] == w
)) || ((w
== 0) && (a
->top
== 0));
1010 int BN_is_zero(const BIGNUM
*a
)
1015 int BN_is_one(const BIGNUM
*a
)
1017 return BN_abs_is_word(a
, 1) && !a
->neg
;
1020 int BN_is_word(const BIGNUM
*a
, const BN_ULONG w
)
1022 return BN_abs_is_word(a
, w
) && (!w
|| !a
->neg
);
1025 int BN_is_odd(const BIGNUM
*a
)
1027 return (a
->top
> 0) && (a
->d
[0] & 1);
1030 int BN_is_negative(const BIGNUM
*a
)
1032 return (a
->neg
!= 0);
1035 int BN_to_montgomery(BIGNUM
*r
, const BIGNUM
*a
, BN_MONT_CTX
*mont
,
1038 return BN_mod_mul_montgomery(r
, a
, &(mont
->RR
), mont
, ctx
);
1041 void BN_with_flags(BIGNUM
*dest
, const BIGNUM
*b
, int flags
)
1045 dest
->dmax
= b
->dmax
;
1047 dest
->flags
= ((dest
->flags
& BN_FLG_MALLOCED
)
1048 | (b
->flags
& ~BN_FLG_MALLOCED
)
1049 | BN_FLG_STATIC_DATA
| flags
);
1052 BN_GENCB
*BN_GENCB_new(void)
1056 if ((ret
= OPENSSL_malloc(sizeof(*ret
))) == NULL
)
1062 void BN_GENCB_free(BN_GENCB
*cb
)
1069 void BN_set_flags(BIGNUM
*b
, int n
)
1074 int BN_get_flags(const BIGNUM
*b
, int n
)
1076 return b
->flags
& n
;
1079 /* Populate a BN_GENCB structure with an "old"-style callback */
1080 void BN_GENCB_set_old(BN_GENCB
*gencb
, void (*callback
) (int, int, void *),
1083 BN_GENCB
*tmp_gencb
= gencb
;
1085 tmp_gencb
->arg
= cb_arg
;
1086 tmp_gencb
->cb
.cb_1
= callback
;
1089 /* Populate a BN_GENCB structure with a "new"-style callback */
1090 void BN_GENCB_set(BN_GENCB
*gencb
, int (*callback
) (int, int, BN_GENCB
*),
1093 BN_GENCB
*tmp_gencb
= gencb
;
1095 tmp_gencb
->arg
= cb_arg
;
1096 tmp_gencb
->cb
.cb_2
= callback
;
1099 void *BN_GENCB_get_arg(BN_GENCB
*cb
)
1104 BIGNUM
*bn_wexpand(BIGNUM
*a
, int words
)
1106 return (words
<= a
->dmax
) ? a
: bn_expand2(a
, words
);
1109 void bn_correct_top(BIGNUM
*a
)
1112 int tmp_top
= a
->top
;
1115 for (ftl
= &(a
->d
[tmp_top
]); tmp_top
> 0; tmp_top
--) {
1124 a
->flags
&= ~BN_FLG_FIXED_TOP
;