/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include "internal.h" void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, size_t in_len) { // The caller should have sized |out| to fit |in| without truncating. This // condition ensures we do not overflow |out|, so use a runtime check. BSSL_CHECK(in_len <= out_len * sizeof(BN_ULONG)); // Load whole words. while (in_len >= sizeof(BN_ULONG)) { in_len -= sizeof(BN_ULONG); out[0] = CRYPTO_load_word_be(in + in_len); out++; out_len--; } // Load the last partial word. if (in_len != 0) { BN_ULONG word = 0; for (size_t i = 0; i < in_len; i++) { word = (word << 8) | in[i]; } out[0] = word; out++; out_len--; } // Fill the remainder with zeros. OPENSSL_memset(out, 0, out_len * sizeof(BN_ULONG)); } BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { BIGNUM *bn = NULL; if (ret == NULL) { bn = BN_new(); if (bn == NULL) { return NULL; } ret = bn; } if (len == 0) { ret->width = 0; return ret; } size_t num_words = ((len - 1) / BN_BYTES) + 1; if (!bn_wexpand(ret, num_words)) { BN_free(bn); return NULL; } // |bn_wexpand| must check bounds on |num_words| to write it into // |ret->dmax|. assert(num_words <= INT_MAX); ret->width = (int)num_words; ret->neg = 0; bn_big_endian_to_words(ret->d, ret->width, in, len); return ret; } BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) { BIGNUM *bn = NULL; if (ret == NULL) { bn = BN_new(); if (bn == NULL) { return NULL; } ret = bn; } if (len == 0) { ret->width = 0; ret->neg = 0; return ret; } // Reserve enough space in |ret|. size_t num_words = ((len - 1) / BN_BYTES) + 1; if (!bn_wexpand(ret, num_words)) { BN_free(bn); return NULL; } ret->width = (int)num_words; bn_little_endian_to_words(ret->d, ret->width, in, len); return ret; } void bn_little_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, const size_t in_len) { assert(out_len > 0); #ifdef OPENSSL_BIG_ENDIAN size_t in_index = 0; for (size_t i = 0; i < out_len; i++) { if ((in_len-in_index) < sizeof(BN_ULONG)) { // Load the last partial word. BN_ULONG word = 0; // size_t is unsigned, so j >= 0 is always true. for (size_t j = in_len-1; j >= in_index && j < in_len; j--) { word = (word << 8) | in[j]; } in_index = in_len; out[i] = word; // Fill the remainder with zeros. OPENSSL_memset(out + i + 1, 0, (out_len - i - 1) * sizeof(BN_ULONG)); break; } out[i] = CRYPTO_load_word_le(in + in_index); in_index += sizeof(BN_ULONG); } // The caller should have sized the output to avoid truncation. assert(in_index == in_len); #else OPENSSL_memcpy(out, in, in_len); // Fill the remainder with zeros. OPENSSL_memset( ((uint8_t*)out) + in_len, 0, sizeof(BN_ULONG)*out_len - in_len); #endif } // fits_in_bytes returns one if the |num_words| words in |words| can be // represented in |num_bytes| bytes. static int fits_in_bytes(const BN_ULONG *words, size_t num_words, size_t num_bytes) { uint8_t mask = 0; #ifdef OPENSSL_BIG_ENDIAN for (size_t i = num_bytes / BN_BYTES; i < num_words; i++) { BN_ULONG word = words[i]; for (size_t j = 0; j < BN_BYTES; j++) { if ((i * BN_BYTES) + j < num_bytes) { // For the first word we don't need to check any bytes shorter than len continue ; } else { mask |= (word >> (j * 8)) & 0xff; } } } #else const uint8_t *bytes = (const uint8_t *)words; size_t tot_bytes = num_words * sizeof(BN_ULONG); for (size_t i = num_bytes; i < tot_bytes; i++) { mask |= bytes[i]; } #endif return mask == 0; } // Asserts that the BIGNUM can be represented within |num| bytes. // The logic is consistent with `fits_in_bytes` but assertions will fail when false. void bn_assert_fits_in_bytes(const BIGNUM *bn, size_t num) { const uint8_t *bytes = (const uint8_t *)bn->d; size_t tot_bytes = bn->width * sizeof(BN_ULONG); if (tot_bytes > num) { CONSTTIME_DECLASSIFY(bytes + num, tot_bytes - num); // Avoids compiler error: unused variable 'byte' or 'word' // The assert statements below are only effective in DEBUG builds #ifndef NDEBUG #ifdef OPENSSL_BIG_ENDIAN for (int i = num / BN_BYTES; i < bn->width; i++) { BN_ULONG word = bn->d[i]; for (size_t j = 0; j < BN_BYTES; j++) { if ((i * BN_BYTES) + j < num) { // For the first word we don't need to check any bytes shorter than len continue; } else { uint8_t byte = (word >> (j * 8)) & 0xff; assert(byte == 0); } } } #else for (size_t i = num; i < tot_bytes; i++) { assert(bytes[i] == 0); } #endif #endif (void)bytes; } } void bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in, size_t in_len) { // The caller should have selected an output length without truncation. assert(fits_in_bytes(in, in_len, out_len)); size_t num_bytes = in_len * sizeof(BN_ULONG); if (out_len < num_bytes) { num_bytes = out_len; } #ifdef OPENSSL_BIG_ENDIAN for (size_t i = 0; i < num_bytes; i++) { BN_ULONG l = in[i / BN_BYTES]; out[out_len - i - 1] = (uint8_t)(l >> (8 * (i % BN_BYTES))) & 0xff; } #else const uint8_t *bytes = (const uint8_t *)in; for (size_t i = 0; i < num_bytes; i++) { out[out_len - i - 1] = bytes[i]; } #endif // Pad out the rest of the buffer with zeroes. OPENSSL_memset(out, 0, out_len - num_bytes); } size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) { size_t n = BN_num_bytes(in); bn_words_to_big_endian(out, n, in->d, in->width); return n; } void bn_words_to_little_endian(uint8_t *out, size_t out_len, const BN_ULONG *in, const size_t in_len) { // The caller should have selected an output length without truncation. assert(fits_in_bytes(in, in_len, out_len)); size_t num_bytes = in_len * sizeof(BN_ULONG); if (out_len < num_bytes) { num_bytes = out_len; } #ifdef OPENSSL_BIG_ENDIAN size_t byte_idx = 0; for (size_t word_idx = 0; word_idx < in_len; word_idx++) { BN_ULONG l = in[word_idx]; for(size_t j = 0; j < BN_BYTES && byte_idx < num_bytes; j++) { out[byte_idx] = (uint8_t)(l & 0xff); l >>= 8; byte_idx++; } } #else const uint8_t *bytes = (const uint8_t *)in; OPENSSL_memcpy(out, bytes, num_bytes); #endif // Fill the remainder with zeros. OPENSSL_memset(out + num_bytes, 0, out_len - num_bytes); } int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in) { if (!fits_in_bytes(in->d, in->width, len)) { return 0; } bn_words_to_little_endian(out, len, in->d, in->width); return 1; } int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) { if (!fits_in_bytes(in->d, in->width, len)) { return 0; } bn_words_to_big_endian(out, len, in->d, in->width); return 1; } BN_ULONG BN_get_word(const BIGNUM *bn) { switch (bn_minimal_width(bn)) { case 0: return 0; case 1: return bn->d[0]; default: return BN_MASK2; } } int BN_get_u64(const BIGNUM *bn, uint64_t *out) { switch (bn_minimal_width(bn)) { case 0: *out = 0; return 1; case 1: *out = bn->d[0]; return 1; #if defined(OPENSSL_32_BIT) case 2: *out = (uint64_t) bn->d[0] | (((uint64_t) bn->d[1]) << 32); return 1; #endif default: return 0; } }