GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libcrypto/bn/bn_lib.c Lines: 255 354 72.0 %
Date: 2017-11-13 Branches: 156 229 68.1 %

Line Branch Exec Source
1
/* $OpenBSD: bn_lib.c,v 1.38 2017/05/02 03:59:44 deraadt Exp $ */
2
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3
 * All rights reserved.
4
 *
5
 * This package is an SSL implementation written
6
 * by Eric Young (eay@cryptsoft.com).
7
 * The implementation was written so as to conform with Netscapes SSL.
8
 *
9
 * This library is free for commercial and non-commercial use as long as
10
 * the following conditions are aheared to.  The following conditions
11
 * apply to all code found in this distribution, be it the RC4, RSA,
12
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13
 * included with this distribution is covered by the same copyright terms
14
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15
 *
16
 * Copyright remains Eric Young's, and as such any Copyright notices in
17
 * the code are not to be removed.
18
 * If this package is used in a product, Eric Young should be given attribution
19
 * as the author of the parts of the library used.
20
 * This can be in the form of a textual message at program startup or
21
 * in documentation (online or textual) provided with the package.
22
 *
23
 * Redistribution and use in source and binary forms, with or without
24
 * modification, are permitted provided that the following conditions
25
 * are met:
26
 * 1. Redistributions of source code must retain the copyright
27
 *    notice, this list of conditions and the following disclaimer.
28
 * 2. Redistributions in binary form must reproduce the above copyright
29
 *    notice, this list of conditions and the following disclaimer in the
30
 *    documentation and/or other materials provided with the distribution.
31
 * 3. All advertising materials mentioning features or use of this software
32
 *    must display the following acknowledgement:
33
 *    "This product includes cryptographic software written by
34
 *     Eric Young (eay@cryptsoft.com)"
35
 *    The word 'cryptographic' can be left out if the rouines from the library
36
 *    being used are not cryptographic related :-).
37
 * 4. If you include any Windows specific code (or a derivative thereof) from
38
 *    the apps directory (application code) you must include an acknowledgement:
39
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40
 *
41
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51
 * SUCH DAMAGE.
52
 *
53
 * The licence and distribution terms for any publically available version or
54
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55
 * copied and put under another distribution licence
56
 * [including the GNU Public Licence.]
57
 */
58
59
#ifndef BN_DEBUG
60
# undef NDEBUG /* avoid conflicting definitions */
61
# define NDEBUG
62
#endif
63
64
#include <assert.h>
65
#include <limits.h>
66
#include <stdio.h>
67
#include <string.h>
68
69
#include <openssl/opensslconf.h>
70
71
#include <openssl/err.h>
72
73
#include "bn_lcl.h"
74
75
/* This stuff appears to be completely unused, so is deprecated */
76
#ifndef OPENSSL_NO_DEPRECATED
77
/* For a 32 bit machine
78
 * 2 -   4 ==  128
79
 * 3 -   8 ==  256
80
 * 4 -  16 ==  512
81
 * 5 -  32 == 1024
82
 * 6 -  64 == 2048
83
 * 7 - 128 == 4096
84
 * 8 - 256 == 8192
85
 */
86
static int bn_limit_bits = 0;
87
static int bn_limit_num = 8;        /* (1<<bn_limit_bits) */
88
static int bn_limit_bits_low = 0;
89
static int bn_limit_num_low = 8;    /* (1<<bn_limit_bits_low) */
90
static int bn_limit_bits_high = 0;
91
static int bn_limit_num_high = 8;   /* (1<<bn_limit_bits_high) */
92
static int bn_limit_bits_mont = 0;
93
static int bn_limit_num_mont = 8;   /* (1<<bn_limit_bits_mont) */
94
95
void
96
BN_set_params(int mult, int high, int low, int mont)
97
{
98
	if (mult >= 0) {
99
		if (mult > (int)(sizeof(int) * 8) - 1)
100
			mult = sizeof(int) * 8 - 1;
101
		bn_limit_bits = mult;
102
		bn_limit_num = 1 << mult;
103
	}
104
	if (high >= 0) {
105
		if (high > (int)(sizeof(int) * 8) - 1)
106
			high = sizeof(int) * 8 - 1;
107
		bn_limit_bits_high = high;
108
		bn_limit_num_high = 1 << high;
109
	}
110
	if (low >= 0) {
111
		if (low > (int)(sizeof(int) * 8) - 1)
112
			low = sizeof(int) * 8 - 1;
113
		bn_limit_bits_low = low;
114
		bn_limit_num_low = 1 << low;
115
	}
116
	if (mont >= 0) {
117
		if (mont > (int)(sizeof(int) * 8) - 1)
118
			mont = sizeof(int) * 8 - 1;
119
		bn_limit_bits_mont = mont;
120
		bn_limit_num_mont = 1 << mont;
121
	}
122
}
123
124
int
125
BN_get_params(int which)
126
{
127
	if (which == 0)
128
		return (bn_limit_bits);
129
	else if (which == 1)
130
		return (bn_limit_bits_high);
131
	else if (which == 2)
132
		return (bn_limit_bits_low);
133
	else if (which == 3)
134
		return (bn_limit_bits_mont);
135
	else
136
		return (0);
137
}
138
#endif
139
140
const BIGNUM *
141
BN_value_one(void)
142
{
143
	static const BN_ULONG data_one = 1L;
144
	static const BIGNUM const_one = {
145
		(BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA
146
	};
147
148
1025932
	return (&const_one);
149
}
150
151
int
152
BN_num_bits_word(BN_ULONG l)
153
{
154
	static const unsigned char bits[256] = {
155
		0, 1, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4,
156
		5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
157
		6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
158
		6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
159
		7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
160
		7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
161
		7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
162
		7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
163
		8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,  8, 8, 8, 8,
164
		8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
165
		8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
166
		8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
167
		8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
168
		8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
169
		8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
170
		8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
171
	};
172
173
#ifdef _LP64
174
50485920
	if (l & 0xffffffff00000000L) {
175
19318700
		if (l & 0xffff000000000000L) {
176
17226231
			if (l & 0xff00000000000000L) {
177
15903507
				return (bits[(int)(l >> 56)] + 56);
178
			} else
179
1322724
				return (bits[(int)(l >> 48)] + 48);
180
		} else {
181
2092469
			if (l & 0x0000ff0000000000L) {
182
1151448
				return (bits[(int)(l >> 40)] + 40);
183
			} else
184
941021
				return (bits[(int)(l >> 32)] + 32);
185
		}
186
	} else
187
#endif
188
	{
189
5924260
		if (l & 0xffff0000L) {
190
3193895
			if (l & 0xff000000L)
191
1871461
				return (bits[(int)(l >> 24L)] + 24);
192
			else
193
1322434
				return (bits[(int)(l >> 16L)] + 16);
194
		} else {
195
2730365
			if (l & 0xff00L)
196
1339559
				return (bits[(int)(l >> 8)] + 8);
197
			else
198
1390806
				return (bits[(int)(l)]);
199
		}
200
	}
201
25242960
}
202
203
int
204
BN_num_bits(const BIGNUM *a)
205
{
206
44946162
	int i = a->top - 1;
207
208
	bn_check_top(a);
209
210
22473081
	if (BN_is_zero(a))
211
495
		return 0;
212
22472586
	return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
213
22473081
}
214
215
void
216
BN_clear_free(BIGNUM *a)
217
{
218
	int i;
219
220
5791490
	if (a == NULL)
221
29841
		return;
222
	bn_check_top(a);
223

5686920
	if (a->d != NULL && !(BN_get_flags(a, BN_FLG_STATIC_DATA)))
224
2821016
		freezero(a->d, a->dmax * sizeof(a->d[0]));
225
2865904
	i = BN_get_flags(a, BN_FLG_MALLOCED);
226
2865904
	explicit_bzero(a, sizeof(BIGNUM));
227
2865904
	if (i)
228
		free(a);
229
5761649
}
230
231
void
232
BN_free(BIGNUM *a)
233
{
234
1701840
	BN_clear_free(a);
235
850920
}
236
237
void
238
BN_init(BIGNUM *a)
239
{
240
16952864
	memset(a, 0, sizeof(BIGNUM));
241
	bn_check_top(a);
242
8476432
}
243
244
BIGNUM *
245
BN_new(void)
246
{
247
	BIGNUM *ret;
248
249
1454448
	if ((ret = malloc(sizeof(BIGNUM))) == NULL) {
250
		BNerror(ERR_R_MALLOC_FAILURE);
251
		return (NULL);
252
	}
253
727224
	ret->flags = BN_FLG_MALLOCED;
254
727224
	ret->top = 0;
255
727224
	ret->neg = 0;
256
727224
	ret->dmax = 0;
257
727224
	ret->d = NULL;
258
	bn_check_top(ret);
259
727224
	return (ret);
260
727224
}
261
262
/* This is used both by bn_expand2() and bn_dup_expand() */
263
/* The caller MUST check that words > b->dmax before calling this */
264
static BN_ULONG *
265
bn_expand_internal(const BIGNUM *b, int words)
266
{
267
	BN_ULONG *A, *a = NULL;
268
	const BN_ULONG *B;
269
	int i;
270
271
	bn_check_top(b);
272
273
10768672
	if (words > (INT_MAX/(4*BN_BITS2))) {
274
18
		BNerror(BN_R_BIGNUM_TOO_LONG);
275
18
		return NULL;
276
	}
277
5384318
	if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
278
		BNerror(BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
279
		return (NULL);
280
	}
281
5384318
	a = A = reallocarray(NULL, words, sizeof(BN_ULONG));
282
5384318
	if (A == NULL) {
283
		BNerror(ERR_R_MALLOC_FAILURE);
284
		return (NULL);
285
	}
286
#if 1
287
5384318
	B = b->d;
288
	/* Check if the previous number needs to be copied */
289
5384318
	if (B != NULL) {
290
11059982
		for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
291
			/*
292
			 * The fact that the loop is unrolled
293
			 * 4-wise is a tribute to Intel. It's
294
			 * the one that doesn't have enough
295
			 * registers to accommodate more data.
296
			 * I'd unroll it 8-wise otherwise:-)
297
			 *
298
			 *		<appro@fy.chalmers.se>
299
			 */
300
			BN_ULONG a0, a1, a2, a3;
301
2971013
			a0 = B[0];
302
2971013
			a1 = B[1];
303
2971013
			a2 = B[2];
304
2971013
			a3 = B[3];
305
2971013
			A[0] = a0;
306
2971013
			A[1] = a1;
307
2971013
			A[2] = a2;
308
2971013
			A[3] = a3;
309
		}
310

5692256
		switch (b->top & 3) {
311
		case 3:
312
29044
			A[2] = B[2];
313
		case 2:
314
62774
			A[1] = B[1];
315
		case 1:
316
255527
			A[0] = B[0];
317
255527
		}
318
	}
319
320
#else
321
	memset(A, 0, sizeof(BN_ULONG) * words);
322
	memcpy(A, b->d, sizeof(b->d[0]) * b->top);
323
#endif
324
325
5384318
	return (a);
326
5384336
}
327
328
/* This is an internal function that can be used instead of bn_expand2()
329
 * when there is a need to copy BIGNUMs instead of only expanding the
330
 * data part, while still expanding them.
331
 * Especially useful when needing to expand BIGNUMs that are declared
332
 * 'const' and should therefore not be changed.
333
 * The reason to use this instead of a BN_dup() followed by a bn_expand2()
334
 * is memory allocation overhead.  A BN_dup() followed by a bn_expand2()
335
 * will allocate new memory for the BIGNUM data twice, and free it once,
336
 * while bn_dup_expand() makes sure allocation is made only once.
337
 */
338
339
#ifndef OPENSSL_NO_DEPRECATED
340
BIGNUM *
341
bn_dup_expand(const BIGNUM *b, int words)
342
{
343
	BIGNUM *r = NULL;
344
345
	bn_check_top(b);
346
347
	/* This function does not work if
348
	 *      words <= b->dmax && top < words
349
	 * because BN_dup() does not preserve 'dmax'!
350
	 * (But bn_dup_expand() is not used anywhere yet.)
351
	 */
352
353
	if (words > b->dmax) {
354
		BN_ULONG *a = bn_expand_internal(b, words);
355
356
		if (a) {
357
			r = BN_new();
358
			if (r) {
359
				r->top = b->top;
360
				r->dmax = words;
361
				r->neg = b->neg;
362
				r->d = a;
363
			} else {
364
				/* r == NULL, BN_new failure */
365
				free(a);
366
			}
367
		}
368
		/* If a == NULL, there was an error in allocation in
369
		   bn_expand_internal(), and NULL should be returned */
370
	} else {
371
		r = BN_dup(b);
372
	}
373
374
	bn_check_top(r);
375
	return r;
376
}
377
#endif
378
379
/* This is an internal function that should not be used in applications.
380
 * It ensures that 'b' has enough room for a 'words' word number
381
 * and initialises any unused part of b->d with leading zeros.
382
 * It is mostly used by the various BIGNUM routines. If there is an error,
383
 * NULL is returned. If not, 'b' is returned. */
384
385
BIGNUM *
386
bn_expand2(BIGNUM *b, int words)
387
{
388
	bn_check_top(b);
389
390
10768672
	if (words > b->dmax) {
391
5384336
		BN_ULONG *a = bn_expand_internal(b, words);
392
5384336
		if (!a)
393
18
			return NULL;
394
5384318
		if (b->d)
395
2558978
			freezero(b->d, b->dmax * sizeof(b->d[0]));
396
5384318
		b->d = a;
397
5384318
		b->dmax = words;
398
5384318
	}
399
400
/* None of this should be necessary because of what b->top means! */
401
#if 0
402
	/* NB: bn_wexpand() calls this only if the BIGNUM really has to grow */
403
	if (b->top < b->dmax) {
404
		int i;
405
		BN_ULONG *A = &(b->d[b->top]);
406
		for (i = (b->dmax - b->top) >> 3; i > 0; i--, A += 8) {
407
			A[0] = 0;
408
			A[1] = 0;
409
			A[2] = 0;
410
			A[3] = 0;
411
			A[4] = 0;
412
			A[5] = 0;
413
			A[6] = 0;
414
			A[7] = 0;
415
		}
416
		for (i = (b->dmax - b->top)&7; i > 0; i--, A++)
417
			A[0] = 0;
418
		assert(A == &(b->d[b->dmax]));
419
	}
420
#endif
421
	bn_check_top(b);
422
5384318
	return b;
423
5384336
}
424
425
BIGNUM *
426
BN_dup(const BIGNUM *a)
427
{
428
	BIGNUM *t;
429
430
434378
	if (a == NULL)
431
		return NULL;
432
	bn_check_top(a);
433
434
217189
	t = BN_new();
435
217189
	if (t == NULL)
436
		return NULL;
437
217189
	if (!BN_copy(t, a)) {
438
		BN_free(t);
439
		return NULL;
440
	}
441
	bn_check_top(t);
442
217189
	return t;
443
217189
}
444
445
BIGNUM *
446
BN_copy(BIGNUM *a, const BIGNUM *b)
447
{
448
	int i;
449
	BN_ULONG *A;
450
	const BN_ULONG *B;
451
452
	bn_check_top(b);
453
454
9271474
	if (a == b)
455
608
		return (a);
456

9857825
	if (bn_wexpand(a, b->top) == NULL)
457
		return (NULL);
458
459
#if 1
460
4635129
	A = a->d;
461
4635129
	B = b->d;
462
23188130
	for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
463
		BN_ULONG a0, a1, a2, a3;
464
6958936
		a0 = B[0];
465
6958936
		a1 = B[1];
466
6958936
		a2 = B[2];
467
6958936
		a3 = B[3];
468
6958936
		A[0] = a0;
469
6958936
		A[1] = a1;
470
6958936
		A[2] = a2;
471
6958936
		A[3] = a3;
472
	}
473

8344889
	switch (b->top & 3) {
474
	case 3:
475
530624
		A[2] = B[2];
476
	case 2:
477
935821
		A[1] = B[1];
478
	case 1:
479
2243315
		A[0] = B[0];
480
2243315
	}
481
#else
482
	memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
483
#endif
484
485
4635129
	a->top = b->top;
486
4635129
	a->neg = b->neg;
487
	bn_check_top(a);
488
4635129
	return (a);
489
4635737
}
490
491
void
492
BN_swap(BIGNUM *a, BIGNUM *b)
493
{
494
	int flags_old_a, flags_old_b;
495
	BN_ULONG *tmp_d;
496
	int tmp_top, tmp_dmax, tmp_neg;
497
498
	bn_check_top(a);
499
	bn_check_top(b);
500
501
	flags_old_a = a->flags;
502
	flags_old_b = b->flags;
503
504
	tmp_d = a->d;
505
	tmp_top = a->top;
506
	tmp_dmax = a->dmax;
507
	tmp_neg = a->neg;
508
509
	a->d = b->d;
510
	a->top = b->top;
511
	a->dmax = b->dmax;
512
	a->neg = b->neg;
513
514
	b->d = tmp_d;
515
	b->top = tmp_top;
516
	b->dmax = tmp_dmax;
517
	b->neg = tmp_neg;
518
519
	a->flags = (flags_old_a & BN_FLG_MALLOCED) |
520
	    (flags_old_b & BN_FLG_STATIC_DATA);
521
	b->flags = (flags_old_b & BN_FLG_MALLOCED) |
522
	    (flags_old_a & BN_FLG_STATIC_DATA);
523
	bn_check_top(a);
524
	bn_check_top(b);
525
}
526
527
void
528
BN_clear(BIGNUM *a)
529
{
530
	bn_check_top(a);
531
1056
	if (a->d != NULL)
532
528
		memset(a->d, 0, a->dmax * sizeof(a->d[0]));
533
528
	a->top = 0;
534
528
	a->neg = 0;
535
528
}
536
537
BN_ULONG
538
BN_get_word(const BIGNUM *a)
539
{
540
74072
	if (a->top > 1)
541
		return BN_MASK2;
542
37036
	else if (a->top == 1)
543
31954
		return a->d[0];
544
	/* a->top == 0 */
545
5082
	return 0;
546
37036
}
547
548
BIGNUM *
549
bn_expand(BIGNUM *a, int bits)
550
{
551
75488764
	if (bits > (INT_MAX - BN_BITS2 + 1))
552
		return (NULL);
553
554
37744382
	if (((bits + BN_BITS2 - 1) / BN_BITS2) <= a->dmax)
555
35612552
		return (a);
556
557
2131830
	return bn_expand2(a, (bits + BN_BITS2 - 1) / BN_BITS2);
558
37744382
}
559
560
int
561
BN_set_word(BIGNUM *a, BN_ULONG w)
562
{
563
	bn_check_top(a);
564
75487758
	if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL)
565
		return (0);
566
37743879
	a->neg = 0;
567
37743879
	a->d[0] = w;
568
37743879
	a->top = (w ? 1 : 0);
569
	bn_check_top(a);
570
37743879
	return (1);
571
37743879
}
572
573
BIGNUM *
574
BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
575
{
576
	unsigned int i, m;
577
	unsigned int n;
578
	BN_ULONG l;
579
	BIGNUM *bn = NULL;
580
581
960208
	if (ret == NULL)
582
17802
		ret = bn = BN_new();
583
480104
	if (ret == NULL)
584
		return (NULL);
585
	bn_check_top(ret);
586
	l = 0;
587
	n = len;
588
480104
	if (n == 0) {
589
18
		ret->top = 0;
590
18
		return (ret);
591
	}
592
480086
	i = ((n - 1) / BN_BYTES) + 1;
593
480086
	m = ((n - 1) % (BN_BYTES));
594

1364823
	if (bn_wexpand(ret, (int)i) == NULL) {
595
18
		BN_free(bn);
596
18
		return NULL;
597
	}
598
480068
	ret->top = i;
599
480068
	ret->neg = 0;
600
210022078
	while (n--) {
601
104530971
		l = (l << 8L) | *(s++);
602
104530971
		if (m-- == 0) {
603
13095922
			ret->d[--i] = l;
604
			l = 0;
605
			m = BN_BYTES - 1;
606
13095922
		}
607
	}
608
	/* need to call this due to clear byte at top if avoiding
609
	 * having the top bit set (-ve number) */
610

2436261
	bn_correct_top(ret);
611
480068
	return (ret);
612
480104
}
613
614
/* ignore negative */
615
int
616
BN_bn2bin(const BIGNUM *a, unsigned char *to)
617
{
618
	int n, i;
619
	BN_ULONG l;
620
621
	bn_check_top(a);
622
775108
	n = i=BN_num_bytes(a);
623
188019310
	while (i--) {
624
93622101
		l = a->d[i / BN_BYTES];
625
93622101
		*(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
626
	}
627
387554
	return (n);
628
}
629
630
int
631
BN_ucmp(const BIGNUM *a, const BIGNUM *b)
632
{
633
	int i;
634
	BN_ULONG t1, t2, *ap, *bp;
635
636
	bn_check_top(a);
637
	bn_check_top(b);
638
639
39374510
	i = a->top - b->top;
640
19687255
	if (i != 0)
641
5598254
		return (i);
642
14089001
	ap = a->d;
643
14089001
	bp = b->d;
644
30330134
	for (i = a->top - 1; i >= 0; i--) {
645
15072202
		t1 = ap[i];
646
15072202
		t2 = bp[i];
647
15072202
		if (t1 != t2)
648
13996136
			return ((t1 > t2) ? 1 : -1);
649
	}
650
92865
	return (0);
651
19687255
}
652
653
int
654
BN_cmp(const BIGNUM *a, const BIGNUM *b)
655
{
656
	int i;
657
	int gt, lt;
658
	BN_ULONG t1, t2;
659
660
18101842
	if ((a == NULL) || (b == NULL)) {
661
		if (a != NULL)
662
			return (-1);
663
		else if (b != NULL)
664
			return (1);
665
		else
666
			return (0);
667
	}
668
669
	bn_check_top(a);
670
	bn_check_top(b);
671
672
9050921
	if (a->neg != b->neg) {
673
2224
		if (a->neg)
674
86
			return (-1);
675
		else
676
2138
			return (1);
677
	}
678
9048697
	if (a->neg == 0) {
679
		gt = 1;
680
		lt = -1;
681
9048473
	} else {
682
		gt = -1;
683
		lt = 1;
684
	}
685
686
9048697
	if (a->top > b->top)
687
3626403
		return (gt);
688
5422294
	if (a->top < b->top)
689
16050
		return (lt);
690
10998286
	for (i = a->top - 1; i >= 0; i--) {
691
5467993
		t1 = a->d[i];
692
5467993
		t2 = b->d[i];
693
5467993
		if (t1 > t2)
694
1359482
			return (gt);
695
4108511
		if (t1 < t2)
696
4015612
			return (lt);
697
	}
698
31150
	return (0);
699
9050921
}
700
701
int
702
BN_set_bit(BIGNUM *a, int n)
703
{
704
	int i, j, k;
705
706
133344
	if (n < 0)
707
		return 0;
708
709
66672
	i = n / BN_BITS2;
710
66672
	j = n % BN_BITS2;
711
66672
	if (a->top <= i) {
712

196426
		if (bn_wexpand(a, i + 1) == NULL)
713
			return (0);
714
2593976
		for (k = a->top; k < i + 1; k++)
715
1230854
			a->d[k] = 0;
716
66134
		a->top = i + 1;
717
66134
	}
718
719
66672
	a->d[i] |= (((BN_ULONG)1) << j);
720
	bn_check_top(a);
721
66672
	return (1);
722
66672
}
723
724
int
725
BN_clear_bit(BIGNUM *a, int n)
726
{
727
	int i, j;
728
729
	bn_check_top(a);
730
	if (n < 0)
731
		return 0;
732
733
	i = n / BN_BITS2;
734
	j = n % BN_BITS2;
735
	if (a->top <= i)
736
		return (0);
737
738
	a->d[i] &= (~(((BN_ULONG)1) << j));
739
	bn_correct_top(a);
740
	return (1);
741
}
742
743
int
744
BN_is_bit_set(const BIGNUM *a, int n)
745
{
746
	int i, j;
747
748
	bn_check_top(a);
749
167723870
	if (n < 0)
750
17
		return 0;
751
83861918
	i = n / BN_BITS2;
752
83861918
	j = n % BN_BITS2;
753
83861918
	if (a->top <= i)
754
11358
		return 0;
755
83850560
	return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
756
83861935
}
757
758
int
759
BN_mask_bits(BIGNUM *a, int n)
760
{
761
	int b, w;
762
763
	bn_check_top(a);
764
3846
	if (n < 0)
765
		return 0;
766
767
1923
	w = n / BN_BITS2;
768
1923
	b = n % BN_BITS2;
769
1923
	if (w >= a->top)
770
		return 0;
771
1923
	if (b == 0)
772
		a->top = w;
773
	else {
774
1923
		a->top = w + 1;
775
1923
		a->d[w] &= ~(BN_MASK2 << b);
776
	}
777

9615
	bn_correct_top(a);
778
1923
	return (1);
779
1923
}
780
781
void
782
BN_set_negative(BIGNUM *a, int b)
783
{
784

232400
	if (b && !BN_is_zero(a))
785
88
		a->neg = 1;
786
	else
787
		a->neg = 0;
788
116156
}
789
790
int
791
bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
792
{
793
	int i;
794
	BN_ULONG aa, bb;
795
796
1547028
	aa = a[n - 1];
797
773514
	bb = b[n - 1];
798
773514
	if (aa != bb)
799
752982
		return ((aa > bb) ? 1 : -1);
800
128320
	for (i = n - 2; i >= 0; i--) {
801
63944
		aa = a[i];
802
63944
		bb = b[i];
803
63944
		if (aa != bb)
804
20316
			return ((aa > bb) ? 1 : -1);
805
	}
806
216
	return (0);
807
773514
}
808
809
/* Here follows a specialised variants of bn_cmp_words().  It has the
810
   property of performing the operation on arrays of different sizes.
811
   The sizes of those arrays is expressed through cl, which is the
812
   common length ( basicall, min(len(a),len(b)) ), and dl, which is the
813
   delta between the two lengths, calculated as len(a)-len(b).
814
   All lengths are the number of BN_ULONGs...  */
815
816
int
817
bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
818
{
819
	int n, i;
820
821
1249900
	n = cl - 1;
822
823
624950
	if (dl < 0) {
824
19370
		for (i = dl; i < 0; i++) {
825
9673
			if (b[n - i] != 0)
826
9227
				return -1; /* a < b */
827
		}
828
	}
829
615723
	if (dl > 0) {
830
21144
		for (i = dl; i > 0; i--) {
831
10560
			if (a[n + i] != 0)
832
10128
				return 1; /* a > b */
833
		}
834
	}
835
605595
	return bn_cmp_words(a, b, cl);
836
624950
}
837
838
/*
839
 * Constant-time conditional swap of a and b.
840
 * a and b are swapped if condition is not 0.  The code assumes that at most one bit of condition is set.
841
 * nwords is the number of words to swap.  The code assumes that at least nwords are allocated in both a and b,
842
 * and that no more than nwords are used by either a or b.
843
 * a and b cannot be the same number
844
 */
845
void
846
BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
847
{
848
	BN_ULONG t;
849
	int i;
850
851
	bn_wcheck_size(a, nwords);
852
	bn_wcheck_size(b, nwords);
853
854
	assert(a != b);
855
	assert((condition & (condition - 1)) == 0);
856
	assert(sizeof(BN_ULONG) >= sizeof(int));
857
858
12292840
	condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
859
860
10318948
	t = (a->top^b->top) & condition;
861
10318948
	a->top ^= t;
862
10318948
	b->top ^= t;
863
864
#define BN_CONSTTIME_SWAP(ind) \
865
	do { \
866
		t = (a->d[ind] ^ b->d[ind]) & condition; \
867
		a->d[ind] ^= t; \
868
		b->d[ind] ^= t; \
869
	} while (0)
870
871
872


10318948
	switch (nwords) {
873
	default:
874
		for (i = 10; i < nwords; i++)
875
			BN_CONSTTIME_SWAP(i);
876
		/* Fallthrough */
877
	case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
878
308828
	case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
879
308828
	case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
880
593488
	case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
881
733832
	case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
882
978288
	case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
883
1482884
	case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
884
1965016
	case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
885
1973892
	case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
886
	case 1:
887
1973892
		BN_CONSTTIME_SWAP(0);
888
	}
889
#undef BN_CONSTTIME_SWAP
890
1973892
}