Diffstat (limited to 'src/lib/libcrypto/bn/bn_lcl.h')
-rw-r--r--src/lib/libcrypto/bn/bn_lcl.h97
1 files changed, 1 insertions, 96 deletions
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index d5f1250cfd..64855115f2 100644
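--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lcl.h,v 1.38 2022/11/24 01:30:01 jsing Exp $ */
+/* $OpenBSD: bn_lcl.h,v 1.39 2022/11/26 13:56:33 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -327,18 +327,6 @@ struct bn_gencb_st {
 #define Lw(t) (((BN_ULONG)(t))&BN_MASK2)
 #define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
 
-#ifdef BN_DEBUG_RAND
-#define bn_clear_top2max(a) \
- { \
- int ind = (a)->dmax - (a)->top; \
- BN_ULONG *ftl = &(a)->d[(a)->top-1]; \
- for (; ind != 0; ind--) \
- *(++ftl) = 0x0; \
- }
-#else
-#define bn_clear_top2max(a)
-#endif
-
 #ifdef BN_LLONG
 #define mul_add(r,a,w,c) { \
  BN_ULLONG t; \
@@ -524,88 +512,6 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_U
 int bn_expand(BIGNUM *a, int bits);
 int bn_wexpand(BIGNUM *a, int words);
 
-/* Bignum consistency macros
- * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
- * bignum data after direct manipulations on the data. There is also an
- * "internal" macro, bn_check_top(), for verifying that there are no leading
- * zeroes. Unfortunately, some auditing is required due to the fact that
- * bn_fix_top() has become an overabused duct-tape because bignum data is
- * occasionally passed around in an inconsistent state. So the following
- * changes have been made to sort this out;
- * - bn_fix_top()s implementation has been moved to bn_correct_top()
- * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and
- * bn_check_top() is as before.
- * - if BN_DEBUG *is* defined;
- * - bn_check_top() tries to pollute unused words even if the bignum 'top' is
- * consistent. (ed: only if BN_DEBUG_RAND is defined)
- * - bn_fix_top() maps to bn_check_top() rather than "fixing" anything.
- * The idea is to have debug builds flag up inconsistent bignums when they
- * occur. If that occurs in a bn_fix_top(), we examine the code in question; if
- * the use of bn_fix_top() was appropriate (ie. it follows directly after code
- * that manipulates the bignum) it is converted to bn_correct_top(), and if it
- * was not appropriate, we convert it permanently to bn_check_top() and track
- * down the cause of the bug. Eventually, no internal code should be using the
- * bn_fix_top() macro. External applications and libraries should try this with
- * their own code too, both in terms of building against the openssl headers
- * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it
- * defined. This not only improves external code, it provides more test
- * coverage for openssl's own code.
- */
-
-#ifdef BN_DEBUG
-
-/* We only need assert() when debugging */
-#include <assert.h>
-
-#ifdef BN_DEBUG_RAND
-#define bn_pollute(a) \
- do { \
- const BIGNUM *_bnum1 = (a); \
- if(_bnum1->top < _bnum1->dmax) { \
- unsigned char _tmp_char; \
- /* We cast away const without the compiler knowing, any \
- * *genuinely* constant variables that aren't mutable \
- * wouldn't be constructed with top!=dmax. */ \
- BN_ULONG *_not_const; \
- memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \
- arc4random_buf(&_tmp_char, 1); \
- memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \
- (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \
- } \
- } while(0)
-#else
-#define bn_pollute(a)
-#endif
-
-#define bn_check_top(a) \
- do { \
- const BIGNUM *_bnum2 = (a); \
- if (_bnum2 != NULL) { \
- assert((_bnum2->top == 0) || \
- (_bnum2->d[_bnum2->top - 1] != 0)); \
- bn_pollute(_bnum2); \
- } \
- } while(0)
-
-#define bn_fix_top(a) bn_check_top(a)
-
-#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
-#define bn_wcheck_size(bn, words) \
- do { \
- const BIGNUM *_bnum2 = (bn); \
- assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
- } while(0)
-
-#else /* !BN_DEBUG */
-
-#define bn_pollute(a)
-#define bn_check_top(a)
-#define bn_fix_top(a) bn_correct_top(a)
-#define bn_check_size(bn, bits)
-#define bn_wcheck_size(bn, words)
-
-#endif
-
 #define bn_correct_top(a) \
  { \
  BN_ULONG *ftl; \
@@ -616,7 +522,6 @@ int bn_wexpand(BIGNUM *a, int words);
  if (*(ftl--)) break; \
  (a)->top = tmp_top; \
  } \
- bn_pollute(a); \
  }
 
 BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);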