diff options
Diffstat (limited to 'src/lib/libcrypto/bn/bn_lcl.h')
| -rw-r--r-- | src/lib/libcrypto/bn/bn_lcl.h | 121 |
1 files changed, 113 insertions, 8 deletions
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h index eb4af1b75b..ca130a63cb 100644 --- a/src/lib/libcrypto/bn/bn_lcl.h +++ b/src/lib/libcrypto/bn/bn_lcl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: bn_lcl.h,v 1.22 2015/11/06 21:42:32 miod Exp $ */ | 1 | /* $OpenBSD: bn_lcl.h,v 1.23 2016/12/21 15:49:29 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -116,10 +116,7 @@ | |||
| 116 | 116 | ||
| 117 | #include <openssl/bn.h> | 117 | #include <openssl/bn.h> |
| 118 | 118 | ||
| 119 | #ifdef __cplusplus | 119 | __BEGIN_HIDDEN_DECLS |
| 120 | extern "C" { | ||
| 121 | #endif | ||
| 122 | |||
| 123 | 120 | ||
| 124 | /* | 121 | /* |
| 125 | * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions | 122 | * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions |
| @@ -452,7 +449,7 @@ extern "C" { | |||
| 452 | } | 449 | } |
| 453 | #endif /* !BN_LLONG */ | 450 | #endif /* !BN_LLONG */ |
| 454 | 451 | ||
| 455 | void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb); | 452 | void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb); |
| 456 | void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b); | 453 | void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b); |
| 457 | void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b); | 454 | void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b); |
| 458 | void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp); | 455 | void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp); |
| @@ -477,8 +474,116 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, | |||
| 477 | int cl, int dl); | 474 | int cl, int dl); |
| 478 | int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num); | 475 | int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num); |
| 479 | 476 | ||
| 480 | #ifdef __cplusplus | 477 | #define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words))) |
| 481 | } | 478 | BIGNUM *bn_expand2(BIGNUM *a, int words); |
| 479 | BIGNUM *bn_expand(BIGNUM *a, int bits); | ||
| 480 | |||
| 481 | BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */ | ||
| 482 | |||
| 483 | /* Bignum consistency macros | ||
| 484 | * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from | ||
| 485 | * bignum data after direct manipulations on the data. There is also an | ||
| 486 | * "internal" macro, bn_check_top(), for verifying that there are no leading | ||
| 487 | * zeroes. Unfortunately, some auditing is required due to the fact that | ||
| 488 | * bn_fix_top() has become an overabused duct-tape because bignum data is | ||
| 489 | * occasionally passed around in an inconsistent state. So the following | ||
| 490 | * changes have been made to sort this out; | ||
| 491 | * - bn_fix_top()s implementation has been moved to bn_correct_top() | ||
| 492 | * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and | ||
| 493 | * bn_check_top() is as before. | ||
| 494 | * - if BN_DEBUG *is* defined; | ||
| 495 | * - bn_check_top() tries to pollute unused words even if the bignum 'top' is | ||
| 496 | * consistent. (ed: only if BN_DEBUG_RAND is defined) | ||
| 497 | * - bn_fix_top() maps to bn_check_top() rather than "fixing" anything. | ||
| 498 | * The idea is to have debug builds flag up inconsistent bignums when they | ||
| 499 | * occur. If that occurs in a bn_fix_top(), we examine the code in question; if | ||
| 500 | * the use of bn_fix_top() was appropriate (ie. it follows directly after code | ||
| 501 | * that manipulates the bignum) it is converted to bn_correct_top(), and if it | ||
| 502 | * was not appropriate, we convert it permanently to bn_check_top() and track | ||
| 503 | * down the cause of the bug. Eventually, no internal code should be using the | ||
| 504 | * bn_fix_top() macro. External applications and libraries should try this with | ||
| 505 | * their own code too, both in terms of building against the openssl headers | ||
| 506 | * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it | ||
| 507 | * defined. This not only improves external code, it provides more test | ||
| 508 | * coverage for openssl's own code. | ||
| 509 | */ | ||
| 510 | |||
| 511 | #ifdef BN_DEBUG | ||
| 512 | |||
| 513 | /* We only need assert() when debugging */ | ||
| 514 | #include <assert.h> | ||
| 515 | |||
| 516 | #ifdef BN_DEBUG_RAND | ||
| 517 | #define bn_pollute(a) \ | ||
| 518 | do { \ | ||
| 519 | const BIGNUM *_bnum1 = (a); \ | ||
| 520 | if(_bnum1->top < _bnum1->dmax) { \ | ||
| 521 | unsigned char _tmp_char; \ | ||
| 522 | /* We cast away const without the compiler knowing, any \ | ||
| 523 | * *genuinely* constant variables that aren't mutable \ | ||
| 524 | * wouldn't be constructed with top!=dmax. */ \ | ||
| 525 | BN_ULONG *_not_const; \ | ||
| 526 | memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \ | ||
| 527 | arc4random_buf(&_tmp_char, 1); \ | ||
| 528 | memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \ | ||
| 529 | (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \ | ||
| 530 | } \ | ||
| 531 | } while(0) | ||
| 532 | #else | ||
| 533 | #define bn_pollute(a) | ||
| 534 | #endif | ||
| 535 | |||
| 536 | #define bn_check_top(a) \ | ||
| 537 | do { \ | ||
| 538 | const BIGNUM *_bnum2 = (a); \ | ||
| 539 | if (_bnum2 != NULL) { \ | ||
| 540 | assert((_bnum2->top == 0) || \ | ||
| 541 | (_bnum2->d[_bnum2->top - 1] != 0)); \ | ||
| 542 | bn_pollute(_bnum2); \ | ||
| 543 | } \ | ||
| 544 | } while(0) | ||
| 545 | |||
| 546 | #define bn_fix_top(a) bn_check_top(a) | ||
| 547 | |||
| 548 | #define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2) | ||
| 549 | #define bn_wcheck_size(bn, words) \ | ||
| 550 | do { \ | ||
| 551 | const BIGNUM *_bnum2 = (bn); \ | ||
| 552 | assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \ | ||
| 553 | } while(0) | ||
| 554 | |||
| 555 | #else /* !BN_DEBUG */ | ||
| 556 | |||
| 557 | #define bn_pollute(a) | ||
| 558 | #define bn_check_top(a) | ||
| 559 | #define bn_fix_top(a) bn_correct_top(a) | ||
| 560 | #define bn_check_size(bn, bits) | ||
| 561 | #define bn_wcheck_size(bn, words) | ||
| 562 | |||
| 482 | #endif | 563 | #endif |
| 483 | 564 | ||
| 565 | #define bn_correct_top(a) \ | ||
| 566 | { \ | ||
| 567 | BN_ULONG *ftl; \ | ||
| 568 | int tmp_top = (a)->top; \ | ||
| 569 | if (tmp_top > 0) \ | ||
| 570 | { \ | ||
| 571 | for (ftl= &((a)->d[tmp_top-1]); tmp_top > 0; tmp_top--) \ | ||
| 572 | if (*(ftl--)) break; \ | ||
| 573 | (a)->top = tmp_top; \ | ||
| 574 | } \ | ||
| 575 | bn_pollute(a); \ | ||
| 576 | } | ||
| 577 | |||
| 578 | BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w); | ||
| 579 | BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w); | ||
| 580 | void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num); | ||
| 581 | BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d); | ||
| 582 | BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int num); | ||
| 583 | BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int num); | ||
| 584 | |||
| 585 | int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom); | ||
| 586 | |||
| 587 | __END_HIDDEN_DECLS | ||
| 588 | |||
| 484 | #endif | 589 | #endif |