-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
*/
+#ifndef BN_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
#include <assert.h>
#include <limits.h>
-#include "internal/cryptlib.h"
+#include <stdio.h>
+#include "cryptlib.h"
#include "bn_lcl.h"
-#include <openssl/opensslconf.h>
+
+const char BN_version[] = "Big Number" OPENSSL_VERSION_PTEXT;
/* This stuff appears to be completely unused, so is deprecated */
-#if OPENSSL_API_COMPAT < 0x00908000L
+#ifndef OPENSSL_NO_DEPRECATED
/*-
* For a 32 bit machine
* 2 - 4 == 128
return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
}
-static void bn_free_d(BIGNUM *a)
-{
- if (BN_get_flags(a, BN_FLG_SECURE))
- OPENSSL_secure_free(a->d);
- else
- OPENSSL_free(a->d);
-}
-
-
void BN_clear_free(BIGNUM *a)
{
int i;
bn_check_top(a);
if (a->d != NULL) {
OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
- if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
- bn_free_d(a);
+ if (!(BN_get_flags(a, BN_FLG_STATIC_DATA)))
+ OPENSSL_free(a->d);
}
i = BN_get_flags(a, BN_FLG_MALLOCED);
- OPENSSL_cleanse(a, sizeof(*a));
+ OPENSSL_cleanse(a, sizeof(BIGNUM));
if (i)
OPENSSL_free(a);
}
if (a == NULL)
return;
bn_check_top(a);
- if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
- bn_free_d(a);
+ if ((a->d != NULL) && !(BN_get_flags(a, BN_FLG_STATIC_DATA)))
+ OPENSSL_free(a->d);
if (a->flags & BN_FLG_MALLOCED)
OPENSSL_free(a);
else {
-#if OPENSSL_API_COMPAT < 0x00908000L
+#ifndef OPENSSL_NO_DEPRECATED
a->flags |= BN_FLG_FREE;
#endif
a->d = NULL;
}
}
-void bn_init(BIGNUM *a)
+void BN_init(BIGNUM *a)
{
- static BIGNUM nilbn;
-
- *a = nilbn;
+ memset(a, 0, sizeof(BIGNUM));
bn_check_top(a);
}
{
BIGNUM *ret;
- if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
+ if ((ret = (BIGNUM *)OPENSSL_malloc(sizeof(BIGNUM))) == NULL) {
BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
return (NULL);
}
ret->flags = BN_FLG_MALLOCED;
+ ret->top = 0;
+ ret->neg = 0;
+ ret->dmax = 0;
+ ret->d = NULL;
bn_check_top(ret);
return (ret);
}
- BIGNUM *BN_secure_new(void)
- {
- BIGNUM *ret = BN_new();
- if (ret != NULL)
- ret->flags |= BN_FLG_SECURE;
- return (ret);
- }
-
-/* This is used by bn_expand2() */
+/* This is used both by bn_expand2() and bn_dup_expand() */
/* The caller MUST check that words > b->dmax before calling this */
static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
{
BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
return (NULL);
}
- if (BN_get_flags(b, BN_FLG_SECURE))
- a = A = OPENSSL_secure_zalloc(words * sizeof(*a));
- else
- a = A = OPENSSL_zalloc(words * sizeof(*a));
+ a = A = (BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG) * words);
if (A == NULL) {
BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
return (NULL);
}
+#ifdef PURIFY
+ /*
+ * Valgrind complains in BN_consttime_swap because we process the whole
+ * array even if it's not initialised yet. This doesn't matter in that
+ * function - what's important is constant time operation (we're not
+ * actually going to use the data)
+ */
+ memset(a, 0, sizeof(BN_ULONG) * words);
+#endif
#if 1
B = b->d;
* The fact that the loop is unrolled
* 4-wise is a tribute to Intel. It's
* the one that doesn't have enough
- * registers to accommodate more data.
+ * registers to accomodate more data.
* I'd unroll it 8-wise otherwise:-)
*
* <appro@fy.chalmers.se>
A[2] = a2;
A[3] = a3;
}
+ /*
+ * workaround for ultrix cc: without 'case 0', the optimizer does
+ * the switch table by doing a=top&3; a--; goto jump_table[a];
+ * which fails for top== 0
+ */
switch (b->top & 3) {
case 3:
A[2] = B[2];
case 1:
A[0] = B[0];
case 0:
- /* Without the "case 0" some old optimizers got this wrong. */
;
}
}
#else
- memset(A, 0, sizeof(*A) * words);
+ memset(A, 0, sizeof(BN_ULONG) * words);
memcpy(A, b->d, sizeof(b->d[0]) * b->top);
#endif
return (a);
}
+/*
+ * This is an internal function that can be used instead of bn_expand2() when
+ * there is a need to copy BIGNUMs instead of only expanding the data part,
+ * while still expanding them. Especially useful when needing to expand
+ * BIGNUMs that are declared 'const' and should therefore not be changed. The
+ * reason to use this instead of a BN_dup() followed by a bn_expand2() is
+ * memory allocation overhead. A BN_dup() followed by a bn_expand2() will
+ * allocate new memory for the BIGNUM data twice, and free it once, while
+ * bn_dup_expand() makes sure allocation is made only once.
+ */
+
+#ifndef OPENSSL_NO_DEPRECATED
+BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
+{
+ BIGNUM *r = NULL;
+
+ bn_check_top(b);
+
+ /*
+ * This function does not work if words <= b->dmax && top < words because
+ * BN_dup() does not preserve 'dmax'! (But bn_dup_expand() is not used
+ * anywhere yet.)
+ */
+
+ if (words > b->dmax) {
+ BN_ULONG *a = bn_expand_internal(b, words);
+
+ if (a) {
+ r = BN_new();
+ if (r) {
+ r->top = b->top;
+ r->dmax = words;
+ r->neg = b->neg;
+ r->d = a;
+ } else {
+ /* r == NULL, BN_new failure */
+ OPENSSL_free(a);
+ }
+ }
+ /*
+ * If a == NULL, there was an error in allocation in
+ * bn_expand_internal(), and NULL should be returned
+ */
+ } else {
+ r = BN_dup(b);
+ }
+
+ bn_check_top(r);
+ return r;
+}
+#endif
+
/*
* This is an internal function that should not be used in applications. It
* ensures that 'b' has enough room for a 'words' word number and initialises
BN_ULONG *a = bn_expand_internal(b, words);
if (!a)
return NULL;
- if (b->d) {
- OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
- bn_free_d(b);
- }
+ if (b->d)
+ OPENSSL_free(b->d);
b->d = a;
b->dmax = words;
}
+/* None of this should be necessary because of what b->top means! */
+#if 0
+ /*
+ * NB: bn_wexpand() calls this only if the BIGNUM really has to grow
+ */
+ if (b->top < b->dmax) {
+ int i;
+ BN_ULONG *A = &(b->d[b->top]);
+ for (i = (b->dmax - b->top) >> 3; i > 0; i--, A += 8) {
+ A[0] = 0;
+ A[1] = 0;
+ A[2] = 0;
+ A[3] = 0;
+ A[4] = 0;
+ A[5] = 0;
+ A[6] = 0;
+ A[7] = 0;
+ }
+ for (i = (b->dmax - b->top) & 7; i > 0; i--, A++)
+ A[0] = 0;
+ assert(A == &(b->d[b->dmax]));
+ }
+#endif
bn_check_top(b);
return b;
}
return NULL;
bn_check_top(a);
- t = BN_get_flags(a, BN_FLG_SECURE) ? BN_secure_new() : BN_new();
+ t = BN_new();
if (t == NULL)
return NULL;
if (!BN_copy(t, a)) {
if (bn_wexpand(a, b->top) == NULL)
return (NULL);
+ if (!a || !b || !a->d || !b->d)
+ return (NULL);
+
#if 1
A = a->d;
B = b->d;
{
bn_check_top(a);
if (a->d != NULL)
- OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax);
+ OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
a->top = 0;
a->neg = 0;
}
if (ret == NULL)
return (NULL);
bn_check_top(ret);
- /* Skip leading zero's. */
- for ( ; len > 0 && *s == 0; s++, len--)
- continue;
+ l = 0;
n = len;
if (n == 0) {
ret->top = 0;
i = ((n - 1) / BN_BYTES) + 1;
m = ((n - 1) % (BN_BYTES));
if (bn_wexpand(ret, (int)i) == NULL) {
- BN_free(bn);
+ if (bn)
+ BN_free(bn);
return NULL;
}
ret->top = i;
ret->neg = 0;
- l = 0;
while (n--) {
l = (l << 8L) | *(s++);
if (m-- == 0) {
}
/* ignore negative */
-static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
-{
- int i;
- BN_ULONG l;
-
- bn_check_top(a);
- i = BN_num_bytes(a);
- if (tolen == -1)
- tolen = i;
- else if (tolen < i)
- return -1;
- /* Add leading zeroes if necessary */
- if (tolen > i) {
- memset(to, 0, tolen - i);
- to += tolen - i;
- }
- while (i--) {
- l = a->d[i / BN_BYTES];
- *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
- }
- return tolen;
-}
-
-int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
-{
- if (tolen < 0)
- return -1;
- return bn2binpad(a, to, tolen);
-}
-
int BN_bn2bin(const BIGNUM *a, unsigned char *to)
{
- return bn2binpad(a, to, -1);
-}
-
-BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
-{
- unsigned int i, m;
- unsigned int n;
+ int n, i;
BN_ULONG l;
- BIGNUM *bn = NULL;
-
- if (ret == NULL)
- ret = bn = BN_new();
- if (ret == NULL)
- return (NULL);
- bn_check_top(ret);
- s += len;
- /* Skip trailing zeroes. */
- for ( ; len > 0 && s[-1] == 0; s--, len--)
- continue;
- n = len;
- if (n == 0) {
- ret->top = 0;
- return ret;
- }
- i = ((n - 1) / BN_BYTES) + 1;
- m = ((n - 1) % (BN_BYTES));
- if (bn_wexpand(ret, (int)i) == NULL) {
- BN_free(bn);
- return NULL;
- }
- ret->top = i;
- ret->neg = 0;
- l = 0;
- while (n--) {
- s--;
- l = (l << 8L) | *s;
- if (m-- == 0) {
- ret->d[--i] = l;
- l = 0;
- m = BN_BYTES - 1;
- }
- }
- /*
- * need to call this due to clear byte at top if avoiding having the top
- * bit set (-ve number)
- */
- bn_correct_top(ret);
- return ret;
-}
-int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
-{
- int i;
- BN_ULONG l;
bn_check_top(a);
- i = BN_num_bytes(a);
- if (tolen < i)
- return -1;
- /* Add trailing zeroes if necessary */
- if (tolen > i)
- memset(to + i, 0, tolen - i);
- to += i;
+ n = i = BN_num_bytes(a);
while (i--) {
l = a->d[i / BN_BYTES];
- to--;
- *to = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
+ *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
}
- return tolen;
+ return (n);
}
int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
/*
* Here follows a specialised variants of bn_cmp_words(). It has the
- * capability of performing the operation on arrays of different sizes. The
+ * property of performing the operation on arrays of different sizes. The
* sizes of those arrays is expressed through cl, which is the common length
- * ( basically, min(len(a),len(b)) ), and dl, which is the delta between the
+ * ( basicall, min(len(a),len(b)) ), and dl, which is the delta between the
* two lengths, calculated as len(a)-len(b). All lengths are the number of
* BN_ULONGs...
*/
}
#undef BN_CONSTTIME_SWAP
}
-
-/* Bits of security, see SP800-57 */
-
-int BN_security_bits(int L, int N)
-{
- int secbits, bits;
- if (L >= 15360)
- secbits = 256;
- else if (L >= 7690)
- secbits = 192;
- else if (L >= 3072)
- secbits = 128;
- else if (L >= 2048)
- secbits = 112;
- else if (L >= 1024)
- secbits = 80;
- else
- return 0;
- if (N == -1)
- return secbits;
- bits = N / 2;
- if (bits < 80)
- return 0;
- return bits >= secbits ? secbits : bits;
-}
-
-void BN_zero_ex(BIGNUM *a)
-{
- a->top = 0;
- a->neg = 0;
-}
-
-int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
-{
- return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
-}
-
-int BN_is_zero(const BIGNUM *a)
-{
- return a->top == 0;
-}
-
-int BN_is_one(const BIGNUM *a)
-{
- return BN_abs_is_word(a, 1) && !a->neg;
-}
-
-int BN_is_word(const BIGNUM *a, const BN_ULONG w)
-{
- return BN_abs_is_word(a, w) && (!w || !a->neg);
-}
-
-int BN_is_odd(const BIGNUM *a)
-{
- return (a->top > 0) && (a->d[0] & 1);
-}
-
-int BN_is_negative(const BIGNUM *a)
-{
- return (a->neg != 0);
-}
-
-int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
- BN_CTX *ctx)
-{
- return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx);
-}
-
-void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags)
-{
- dest->d = b->d;
- dest->top = b->top;
- dest->dmax = b->dmax;
- dest->neg = b->neg;
- dest->flags = ((dest->flags & BN_FLG_MALLOCED)
- | (b->flags & ~BN_FLG_MALLOCED)
- | BN_FLG_STATIC_DATA | flags);
-}
-
-BN_GENCB *BN_GENCB_new(void)
-{
- BN_GENCB *ret;
-
- if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
- BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE);
- return (NULL);
- }
-
- return ret;
-}
-
-void BN_GENCB_free(BN_GENCB *cb)
-{
- if (cb == NULL)
- return;
- OPENSSL_free(cb);
-}
-
-void BN_set_flags(BIGNUM *b, int n)
-{
- b->flags |= n;
-}
-
-int BN_get_flags(const BIGNUM *b, int n)
-{
- return b->flags & n;
-}
-
-/* Populate a BN_GENCB structure with an "old"-style callback */
-void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback) (int, int, void *),
- void *cb_arg)
-{
- BN_GENCB *tmp_gencb = gencb;
- tmp_gencb->ver = 1;
- tmp_gencb->arg = cb_arg;
- tmp_gencb->cb.cb_1 = callback;
-}
-
-/* Populate a BN_GENCB structure with a "new"-style callback */
-void BN_GENCB_set(BN_GENCB *gencb, int (*callback) (int, int, BN_GENCB *),
- void *cb_arg)
-{
- BN_GENCB *tmp_gencb = gencb;
- tmp_gencb->ver = 2;
- tmp_gencb->arg = cb_arg;
- tmp_gencb->cb.cb_2 = callback;
-}
-
-void *BN_GENCB_get_arg(BN_GENCB *cb)
-{
- return cb->arg;
-}
-
-BIGNUM *bn_wexpand(BIGNUM *a, int words)
-{
- return (words <= a->dmax) ? a : bn_expand2(a, words);
-}
-
-void bn_correct_top(BIGNUM *a)
-{
- BN_ULONG *ftl;
- int tmp_top = a->top;
-
- if (tmp_top > 0) {
- for (ftl = &(a->d[tmp_top]); tmp_top > 0; tmp_top--) {
- ftl--;
- if (*ftl != 0)
- break;
- }
- a->top = tmp_top;
- }
- if (a->top == 0)
- a->neg = 0;
- bn_pollute(a);
-}