summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/bn
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/bn')
-rw-r--r--src/lib/libcrypto/bn/bn.h116
-rw-r--r--src/lib/libcrypto/bn/bn_lcl.h121
-rw-r--r--src/lib/libcrypto/bn/bn_prime.h6
3 files changed, 119 insertions, 124 deletions
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 4ae6a8195d..5f8278faa8 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: bn.h,v 1.31 2016/03/04 16:23:30 deraadt Exp $ */ 1/* $OpenBSD: bn.h,v 1.32 2016/12/21 15:49:29 jsing Exp $ */
2/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -617,118 +617,6 @@ const BIGNUM *BN_get0_nist_prime_256(void);
617const BIGNUM *BN_get0_nist_prime_384(void); 617const BIGNUM *BN_get0_nist_prime_384(void);
618const BIGNUM *BN_get0_nist_prime_521(void); 618const BIGNUM *BN_get0_nist_prime_521(void);
619 619
620/* library internal functions */
621
622#define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
623BIGNUM *bn_expand2(BIGNUM *a, int words);
624BIGNUM *bn_expand(BIGNUM *a, int bits);
625
626#ifndef OPENSSL_NO_DEPRECATED
627BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */
628#endif
629
630/* Bignum consistency macros
631 * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
632 * bignum data after direct manipulations on the data. There is also an
633 * "internal" macro, bn_check_top(), for verifying that there are no leading
634 * zeroes. Unfortunately, some auditing is required due to the fact that
635 * bn_fix_top() has become an overabused duct-tape because bignum data is
636 * occasionally passed around in an inconsistent state. So the following
637 * changes have been made to sort this out;
638 * - bn_fix_top()s implementation has been moved to bn_correct_top()
639 * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and
640 * bn_check_top() is as before.
641 * - if BN_DEBUG *is* defined;
642 * - bn_check_top() tries to pollute unused words even if the bignum 'top' is
643 * consistent. (ed: only if BN_DEBUG_RAND is defined)
644 * - bn_fix_top() maps to bn_check_top() rather than "fixing" anything.
645 * The idea is to have debug builds flag up inconsistent bignums when they
646 * occur. If that occurs in a bn_fix_top(), we examine the code in question; if
647 * the use of bn_fix_top() was appropriate (ie. it follows directly after code
648 * that manipulates the bignum) it is converted to bn_correct_top(), and if it
649 * was not appropriate, we convert it permanently to bn_check_top() and track
650 * down the cause of the bug. Eventually, no internal code should be using the
651 * bn_fix_top() macro. External applications and libraries should try this with
652 * their own code too, both in terms of building against the openssl headers
653 * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it
654 * defined. This not only improves external code, it provides more test
655 * coverage for openssl's own code.
656 */
657
658#ifdef BN_DEBUG
659
660/* We only need assert() when debugging */
661#include <assert.h>
662
663#ifdef BN_DEBUG_RAND
664#define bn_pollute(a) \
665 do { \
666 const BIGNUM *_bnum1 = (a); \
667 if(_bnum1->top < _bnum1->dmax) { \
668 unsigned char _tmp_char; \
669 /* We cast away const without the compiler knowing, any \
670 * *genuinely* constant variables that aren't mutable \
671 * wouldn't be constructed with top!=dmax. */ \
672 BN_ULONG *_not_const; \
673 memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \
674 arc4random_buf(&_tmp_char, 1); \
675 memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \
676 (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \
677 } \
678 } while(0)
679#else
680#define bn_pollute(a)
681#endif
682
683#define bn_check_top(a) \
684 do { \
685 const BIGNUM *_bnum2 = (a); \
686 if (_bnum2 != NULL) { \
687 assert((_bnum2->top == 0) || \
688 (_bnum2->d[_bnum2->top - 1] != 0)); \
689 bn_pollute(_bnum2); \
690 } \
691 } while(0)
692
693#define bn_fix_top(a) bn_check_top(a)
694
695#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
696#define bn_wcheck_size(bn, words) \
697 do { \
698 const BIGNUM *_bnum2 = (bn); \
699 assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
700 } while(0)
701
702#else /* !BN_DEBUG */
703
704#define bn_pollute(a)
705#define bn_check_top(a)
706#define bn_fix_top(a) bn_correct_top(a)
707#define bn_check_size(bn, bits)
708#define bn_wcheck_size(bn, words)
709
710#endif
711
712#define bn_correct_top(a) \
713 { \
714 BN_ULONG *ftl; \
715 int tmp_top = (a)->top; \
716 if (tmp_top > 0) \
717 { \
718 for (ftl= &((a)->d[tmp_top-1]); tmp_top > 0; tmp_top--) \
719 if (*(ftl--)) break; \
720 (a)->top = tmp_top; \
721 } \
722 bn_pollute(a); \
723 }
724
725 BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
726BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
727void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
728BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
729BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int num);
730BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int num);
731
732/* Primes from RFC 2409 */ 620/* Primes from RFC 2409 */
733BIGNUM *get_rfc2409_prime_768(BIGNUM *bn); 621BIGNUM *get_rfc2409_prime_768(BIGNUM *bn);
734BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn); 622BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn);
@@ -741,8 +629,6 @@ BIGNUM *get_rfc3526_prime_4096(BIGNUM *bn);
741BIGNUM *get_rfc3526_prime_6144(BIGNUM *bn); 629BIGNUM *get_rfc3526_prime_6144(BIGNUM *bn);
742BIGNUM *get_rfc3526_prime_8192(BIGNUM *bn); 630BIGNUM *get_rfc3526_prime_8192(BIGNUM *bn);
743 631
744int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
745
746/* BEGIN ERROR CODES */ 632/* BEGIN ERROR CODES */
747/* The following lines are auto generated by the script mkerr.pl. Any changes 633/* The following lines are auto generated by the script mkerr.pl. Any changes
748 * made after this point may be overwritten when the script is next run. 634 * made after this point may be overwritten when the script is next run.
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index eb4af1b75b..ca130a63cb 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: bn_lcl.h,v 1.22 2015/11/06 21:42:32 miod Exp $ */ 1/* $OpenBSD: bn_lcl.h,v 1.23 2016/12/21 15:49:29 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -116,10 +116,7 @@
116 116
117#include <openssl/bn.h> 117#include <openssl/bn.h>
118 118
119#ifdef __cplusplus 119__BEGIN_HIDDEN_DECLS
120extern "C" {
121#endif
122
123 120
124/* 121/*
125 * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions 122 * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
@@ -452,7 +449,7 @@ extern "C" {
452 } 449 }
453#endif /* !BN_LLONG */ 450#endif /* !BN_LLONG */
454 451
455 void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb); 452void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb);
456void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b); 453void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
457void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b); 454void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
458void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp); 455void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp);
@@ -477,8 +474,116 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
477 int cl, int dl); 474 int cl, int dl);
478int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num); 475int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num);
479 476
480#ifdef __cplusplus 477#define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
481} 478BIGNUM *bn_expand2(BIGNUM *a, int words);
479BIGNUM *bn_expand(BIGNUM *a, int bits);
480
481BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */
482
483/* Bignum consistency macros
484 * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
485 * bignum data after direct manipulations on the data. There is also an
486 * "internal" macro, bn_check_top(), for verifying that there are no leading
487 * zeroes. Unfortunately, some auditing is required due to the fact that
488 * bn_fix_top() has become an overabused duct-tape because bignum data is
489 * occasionally passed around in an inconsistent state. So the following
490 * changes have been made to sort this out;
491 * - bn_fix_top()s implementation has been moved to bn_correct_top()
492 * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and
493 * bn_check_top() is as before.
494 * - if BN_DEBUG *is* defined;
495 * - bn_check_top() tries to pollute unused words even if the bignum 'top' is
496 * consistent. (ed: only if BN_DEBUG_RAND is defined)
497 * - bn_fix_top() maps to bn_check_top() rather than "fixing" anything.
498 * The idea is to have debug builds flag up inconsistent bignums when they
499 * occur. If that occurs in a bn_fix_top(), we examine the code in question; if
500 * the use of bn_fix_top() was appropriate (ie. it follows directly after code
501 * that manipulates the bignum) it is converted to bn_correct_top(), and if it
502 * was not appropriate, we convert it permanently to bn_check_top() and track
503 * down the cause of the bug. Eventually, no internal code should be using the
504 * bn_fix_top() macro. External applications and libraries should try this with
505 * their own code too, both in terms of building against the openssl headers
506 * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it
507 * defined. This not only improves external code, it provides more test
508 * coverage for openssl's own code.
509 */
510
511#ifdef BN_DEBUG
512
513/* We only need assert() when debugging */
514#include <assert.h>
515
516#ifdef BN_DEBUG_RAND
517#define bn_pollute(a) \
518 do { \
519 const BIGNUM *_bnum1 = (a); \
520 if(_bnum1->top < _bnum1->dmax) { \
521 unsigned char _tmp_char; \
522 /* We cast away const without the compiler knowing, any \
523 * *genuinely* constant variables that aren't mutable \
524 * wouldn't be constructed with top!=dmax. */ \
525 BN_ULONG *_not_const; \
526 memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \
527 arc4random_buf(&_tmp_char, 1); \
528 memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \
529 (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \
530 } \
531 } while(0)
532#else
533#define bn_pollute(a)
534#endif
535
536#define bn_check_top(a) \
537 do { \
538 const BIGNUM *_bnum2 = (a); \
539 if (_bnum2 != NULL) { \
540 assert((_bnum2->top == 0) || \
541 (_bnum2->d[_bnum2->top - 1] != 0)); \
542 bn_pollute(_bnum2); \
543 } \
544 } while(0)
545
546#define bn_fix_top(a) bn_check_top(a)
547
548#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
549#define bn_wcheck_size(bn, words) \
550 do { \
551 const BIGNUM *_bnum2 = (bn); \
552 assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
553 } while(0)
554
555#else /* !BN_DEBUG */
556
557#define bn_pollute(a)
558#define bn_check_top(a)
559#define bn_fix_top(a) bn_correct_top(a)
560#define bn_check_size(bn, bits)
561#define bn_wcheck_size(bn, words)
562
482#endif 563#endif
483 564
565#define bn_correct_top(a) \
566 { \
567 BN_ULONG *ftl; \
568 int tmp_top = (a)->top; \
569 if (tmp_top > 0) \
570 { \
571 for (ftl= &((a)->d[tmp_top-1]); tmp_top > 0; tmp_top--) \
572 if (*(ftl--)) break; \
573 (a)->top = tmp_top; \
574 } \
575 bn_pollute(a); \
576 }
577
578BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
579BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
580void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
581BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
582BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int num);
583BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int num);
584
585int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
586
587__END_HIDDEN_DECLS
588
484#endif 589#endif
diff --git a/src/lib/libcrypto/bn/bn_prime.h b/src/lib/libcrypto/bn/bn_prime.h
index 3102d8eb41..d5199008f9 100644
--- a/src/lib/libcrypto/bn/bn_prime.h
+++ b/src/lib/libcrypto/bn/bn_prime.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: bn_prime.h,v 1.6 2014/06/12 15:49:28 deraadt Exp $ */ 1/* $OpenBSD: bn_prime.h,v 1.7 2016/12/21 15:49:29 jsing Exp $ */
2/* Auto generated by bn_prime.pl */ 2/* Auto generated by bn_prime.pl */
3/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * All rights reserved. 4 * All rights reserved.
@@ -57,6 +57,8 @@
57 * [including the GNU Public Licence.] 57 * [including the GNU Public Licence.]
58 */ 58 */
59 59
60__BEGIN_HIDDEN_DECLS
61
60#define NUMPRIMES 2048 62#define NUMPRIMES 2048
61typedef unsigned short prime_t; 63typedef unsigned short prime_t;
62static const prime_t primes[NUMPRIMES] = { 64static const prime_t primes[NUMPRIMES] = {
@@ -317,3 +319,5 @@ static const prime_t primes[NUMPRIMES] = {
317 17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783, 319 17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783,
318 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, 320 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863,
319}; 321};
322
323__END_HIDDEN_DECLS
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-09-01 12:27:41 +0000