From 02a62d1a4ab711e935defb6e61c2564130ff8627 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Sun, 2 Nov 2014 20:16:59 +0000 Subject: [PATCH] Move bn internal functions into bn_int.h and bn_lcl.h Reviewed-by: Tim Hudson --- crypto/bn/bn.h | 108 ------------------------------- crypto/bn/bn_lcl.h | 97 +++++++++++++++++++++++++++ crypto/bn/bn_lib.c | 57 ---------------- crypto/include/internal/bn_int.h | 7 ++ util/libeay.num | 21 +++--- 5 files changed, 114 insertions(+), 176 deletions(-) diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index 55d5b9e4bd..6bccbfe45a 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h @@ -620,114 +620,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv, const unsigned char *message, size_t message_len, BN_CTX *ctx); -/* library internal functions */ - -#define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\ - (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2)) -BIGNUM *bn_wexpand(BIGNUM *a, int words); -BIGNUM *bn_expand2(BIGNUM *a, int words); -#ifndef OPENSSL_NO_DEPRECATED -BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */ -#endif - -/* Bignum consistency macros - * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from - * bignum data after direct manipulations on the data. There is also an - * "internal" macro, bn_check_top(), for verifying that there are no leading - * zeroes. Unfortunately, some auditing is required due to the fact that - * bn_fix_top() has become an overabused duct-tape because bignum data is - * occasionally passed around in an inconsistent state. So the following - * changes have been made to sort this out; - * - bn_fix_top()s implementation has been moved to bn_correct_top() - * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and - * bn_check_top() is as before. - * - if BN_DEBUG *is* defined; - * - bn_check_top() tries to pollute unused words even if the bignum 'top' is - * consistent. (ed: only if BN_DEBUG_RAND is defined) - * - bn_fix_top() maps to bn_check_top() rather than "fixing" anything. - * The idea is to have debug builds flag up inconsistent bignums when they - * occur. If that occurs in a bn_fix_top(), we examine the code in question; if - * the use of bn_fix_top() was appropriate (ie. it follows directly after code - * that manipulates the bignum) it is converted to bn_correct_top(), and if it - * was not appropriate, we convert it permanently to bn_check_top() and track - * down the cause of the bug. Eventually, no internal code should be using the - * bn_fix_top() macro. External applications and libraries should try this with - * their own code too, both in terms of building against the openssl headers - * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it - * defined. This not only improves external code, it provides more test - * coverage for openssl's own code. - */ - -#ifdef BN_DEBUG - -/* We only need assert() when debugging */ -#include - -#ifdef BN_DEBUG_RAND -/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */ -#ifndef RAND_pseudo_bytes -int RAND_pseudo_bytes(unsigned char *buf,int num); -#define BN_DEBUG_TRIX -#endif -#define bn_pollute(a) \ - do { \ - const BIGNUM *_bnum1 = (a); \ - if(_bnum1->top < _bnum1->dmax) { \ - unsigned char _tmp_char; \ - /* We cast away const without the compiler knowing, any \ - * *genuinely* constant variables that aren't mutable \ - * wouldn't be constructed with top!=dmax. */ \ - BN_ULONG *_not_const; \ - memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \ - RAND_pseudo_bytes(&_tmp_char, 1); \ - memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \ - (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \ - } \ - } while(0) -#ifdef BN_DEBUG_TRIX -#undef RAND_pseudo_bytes -#endif -#else -#define bn_pollute(a) -#endif -#define bn_check_top(a) \ - do { \ - const BIGNUM *_bnum2 = (a); \ - if (_bnum2 != NULL) { \ - assert((_bnum2->top == 0) || \ - (_bnum2->d[_bnum2->top - 1] != 0)); \ - bn_pollute(_bnum2); \ - } \ - } while(0) - -#define bn_fix_top(a) bn_check_top(a) - -#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2) -#define bn_wcheck_size(bn, words) \ - do { \ - const BIGNUM *_bnum2 = (bn); \ - assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \ - } while(0) - -#else /* !BN_DEBUG */ - -#define bn_pollute(a) -#define bn_check_top(a) -#define bn_fix_top(a) bn_correct_top(a) -#define bn_check_size(bn, bits) -#define bn_wcheck_size(bn, words) - -#endif - -void bn_correct_top(BIGNUM *a); - - -BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w); -BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w); -void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num); -BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d); -BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num); -BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num); /* Primes from RFC 2409 */ BIGNUM *get_rfc2409_prime_768(BIGNUM *bn); diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h index 5ca1b9c911..c072ee750d 100644 --- a/crypto/bn/bn_lcl.h +++ b/crypto/bn/bn_lcl.h @@ -118,6 +118,103 @@ extern "C" { #endif +/* Bignum consistency macros + * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from + * bignum data after direct manipulations on the data. There is also an + * "internal" macro, bn_check_top(), for verifying that there are no leading + * zeroes. Unfortunately, some auditing is required due to the fact that + * bn_fix_top() has become an overabused duct-tape because bignum data is + * occasionally passed around in an inconsistent state. So the following + * changes have been made to sort this out; + * - bn_fix_top()s implementation has been moved to bn_correct_top() + * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and + * bn_check_top() is as before. + * - if BN_DEBUG *is* defined; + * - bn_check_top() tries to pollute unused words even if the bignum 'top' is + * consistent. (ed: only if BN_DEBUG_RAND is defined) + * - bn_fix_top() maps to bn_check_top() rather than "fixing" anything. + * The idea is to have debug builds flag up inconsistent bignums when they + * occur. If that occurs in a bn_fix_top(), we examine the code in question; if + * the use of bn_fix_top() was appropriate (ie. it follows directly after code + * that manipulates the bignum) it is converted to bn_correct_top(), and if it + * was not appropriate, we convert it permanently to bn_check_top() and track + * down the cause of the bug. Eventually, no internal code should be using the + * bn_fix_top() macro. External applications and libraries should try this with + * their own code too, both in terms of building against the openssl headers + * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it + * defined. This not only improves external code, it provides more test + * coverage for openssl's own code. + */ + +#ifdef BN_DEBUG + +/* We only need assert() when debugging */ +#include + +#ifdef BN_DEBUG_RAND +/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */ +#ifndef RAND_pseudo_bytes +int RAND_pseudo_bytes(unsigned char *buf,int num); +#define BN_DEBUG_TRIX +#endif +#define bn_pollute(a) \ + do { \ + const BIGNUM *_bnum1 = (a); \ + if(_bnum1->top < _bnum1->dmax) { \ + unsigned char _tmp_char; \ + /* We cast away const without the compiler knowing, any \ + * *genuinely* constant variables that aren't mutable \ + * wouldn't be constructed with top!=dmax. */ \ + BN_ULONG *_not_const; \ + memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \ + RAND_pseudo_bytes(&_tmp_char, 1); \ + memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \ + (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \ + } \ + } while(0) +#ifdef BN_DEBUG_TRIX +#undef RAND_pseudo_bytes +#endif +#else +#define bn_pollute(a) +#endif +#define bn_check_top(a) \ + do { \ + const BIGNUM *_bnum2 = (a); \ + if (_bnum2 != NULL) { \ + assert((_bnum2->top == 0) || \ + (_bnum2->d[_bnum2->top - 1] != 0)); \ + bn_pollute(_bnum2); \ + } \ + } while(0) + +#define bn_fix_top(a) bn_check_top(a) + +#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2) +#define bn_wcheck_size(bn, words) \ + do { \ + const BIGNUM *_bnum2 = (bn); \ + assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \ + } while(0) + +#else /* !BN_DEBUG */ + +#define bn_pollute(a) +#define bn_check_top(a) +#define bn_fix_top(a) bn_correct_top(a) +#define bn_check_size(bn, bits) +#define bn_wcheck_size(bn, words) + +#endif + + +BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w); +BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w); +void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num); +BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d); +BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num); +BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num); + struct bignum_st { diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index cbac3c1391..f0b449dc66 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -370,63 +370,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) return(a); } -/* This is an internal function that can be used instead of bn_expand2() - * when there is a need to copy BIGNUMs instead of only expanding the - * data part, while still expanding them. - * Especially useful when needing to expand BIGNUMs that are declared - * 'const' and should therefore not be changed. - * The reason to use this instead of a BN_dup() followed by a bn_expand2() - * is memory allocation overhead. A BN_dup() followed by a bn_expand2() - * will allocate new memory for the BIGNUM data twice, and free it once, - * while bn_dup_expand() makes sure allocation is made only once. - */ - -#ifndef OPENSSL_NO_DEPRECATED -BIGNUM *bn_dup_expand(const BIGNUM *b, int words) - { - BIGNUM *r = NULL; - - bn_check_top(b); - - /* This function does not work if - * words <= b->dmax && top < words - * because BN_dup() does not preserve 'dmax'! - * (But bn_dup_expand() is not used anywhere yet.) - */ - - if (words > b->dmax) - { - BN_ULONG *a = bn_expand_internal(b, words); - - if (a) - { - r = BN_new(); - if (r) - { - r->top = b->top; - r->dmax = words; - r->neg = b->neg; - r->d = a; - } - else - { - /* r == NULL, BN_new failure */ - OPENSSL_free(a); - } - } - /* If a == NULL, there was an error in allocation in - bn_expand_internal(), and NULL should be returned */ - } - else - { - r = BN_dup(b); - } - - bn_check_top(r); - return r; - } -#endif - /* This is an internal function that should not be used in applications. * It ensures that 'b' has enough room for a 'words' word number * and initialises any unused part of b->d with leading zeros. diff --git a/crypto/include/internal/bn_int.h b/crypto/include/internal/bn_int.h index 811990b773..d3e9defdc5 100644 --- a/crypto/include/internal/bn_int.h +++ b/crypto/include/internal/bn_int.h @@ -62,6 +62,13 @@ extern "C" { #endif +#define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\ + (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2)) +BIGNUM *bn_wexpand(BIGNUM *a, int words); +BIGNUM *bn_expand2(BIGNUM *a, int words); + +void bn_correct_top(BIGNUM *a); + /* Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'. * This is an array r[] of values that are either zero or odd with an * absolute value less than 2^w satisfying diff --git a/util/libeay.num b/util/libeay.num index 3f4396f0bd..f29a327806 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -694,13 +694,13 @@ a2i_ASN1_INTEGER 700 EXIST::FUNCTION:BIO a2i_ASN1_STRING 701 EXIST::FUNCTION:BIO asn1_Finish 702 EXIST::FUNCTION: asn1_GetSequence 703 EXIST::FUNCTION: -bn_div_words 704 EXIST::FUNCTION: -bn_expand2 705 EXIST::FUNCTION: -bn_mul_add_words 706 EXIST::FUNCTION: -bn_mul_words 707 EXIST::FUNCTION: +bn_div_words 704 NOEXIST::FUNCTION: +bn_expand2 705 NOEXIST::FUNCTION: +bn_mul_add_words 706 NOEXIST::FUNCTION: +bn_mul_words 707 NOEXIST::FUNCTION: BN_uadd 708 EXIST::FUNCTION: BN_usub 709 EXIST::FUNCTION: -bn_sqr_words 710 EXIST::FUNCTION: +bn_sqr_words 710 NOEXIST::FUNCTION: _ossl_old_crypt 711 EXIST:!NeXT,!PERL5:FUNCTION:DES d2i_ASN1_BIT_STRING 712 EXIST::FUNCTION: d2i_ASN1_BOOLEAN 713 EXIST::FUNCTION: @@ -1013,7 +1013,7 @@ RSA_padding_check_PKCS1_type_1 1035 EXIST::FUNCTION:RSA RSA_padding_check_PKCS1_type_2 1036 EXIST::FUNCTION:RSA RSA_padding_check_SSLv23 1037 EXIST::FUNCTION:RSA RSA_padding_check_none 1038 EXIST::FUNCTION:RSA -bn_add_words 1039 EXIST::FUNCTION: +bn_add_words 1039 NOEXIST::FUNCTION: d2i_Netscape_RSA_2 1040 NOEXIST::FUNCTION: CRYPTO_get_ex_new_index 1041 EXIST::FUNCTION: RIPEMD160_Init 1042 EXIST::FUNCTION:RIPEMD @@ -1085,7 +1085,7 @@ PROXY_set_connect_mode 1112 NOEXIST::FUNCTION: RAND_SSLeay 1113 EXIST::FUNCTION: RAND_set_rand_method 1114 EXIST::FUNCTION: RSA_memory_lock 1115 EXIST::FUNCTION:RSA -bn_sub_words 1116 EXIST::FUNCTION: +bn_sub_words 1116 NOEXIST::FUNCTION: bn_mul_normal 1117 NOEXIST::FUNCTION: bn_mul_comba8 1118 NOEXIST::FUNCTION: bn_mul_comba4 1119 NOEXIST::FUNCTION: @@ -2419,7 +2419,7 @@ UI_get_string_type 2916 EXIST::FUNCTION: ENGINE_unregister_DH 2917 EXIST::FUNCTION:ENGINE ENGINE_register_all_DSA 2918 EXIST::FUNCTION:ENGINE OCSP_ONEREQ_get_ext_by_critical 2919 EXIST::FUNCTION: -bn_dup_expand 2920 EXIST::FUNCTION:DEPRECATED +bn_dup_expand 2920 NOEXIST::FUNCTION: OCSP_cert_id_new 2921 EXIST::FUNCTION: BASIC_CONSTRAINTS_it 2922 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: BASIC_CONSTRAINTS_it 2922 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -4513,7 +4513,6 @@ RSA_check_key_ex 4872 EXIST::FUNCTION:RSA i2s_ASN1_IA5STRING 4874 EXIST::FUNCTION: s2i_ASN1_IA5STRING 4875 EXIST::FUNCTION: FIPS_dsa_sign_ctx 4876 EXIST:OPENSSL_FIPS:FUNCTION:DSA -FIPS_ecdsa_sign 4877 EXIST:OPENSSL_FIPS:FUNCTION:ECDSA CRYPTO_ocb128_release 4878 EXIST::FUNCTION: CRYPTO_ocb128_new 4879 EXIST::FUNCTION: CRYPTO_ocb128_finish 4880 EXIST::FUNCTION: @@ -4526,12 +4525,12 @@ EVP_aes_192_ocb 4886 EXIST::FUNCTION:AES EVP_aes_128_ocb 4887 EXIST::FUNCTION:AES CRYPTO_ocb128_init 4888 EXIST::FUNCTION: CRYPTO_ocb128_encrypt 4889 EXIST::FUNCTION: -bn_wexpand 4878 EXIST::FUNCTION: +bn_wexpand 4878 NOEXIST::FUNCTION: BN_zero_ex 4879 EXIST::FUNCTION: BN_is_zero 4880 EXIST::FUNCTION: BN_with_flags 4881 EXIST::FUNCTION: BN_abs_is_word 4882 EXIST::FUNCTION: -bn_correct_top 4883 EXIST::FUNCTION: +bn_correct_top 4883 NOEXIST::FUNCTION: BN_to_montgomery 4884 EXIST::FUNCTION: BN_GENCB_new 4885 EXIST::FUNCTION: BN_is_odd 4886 EXIST::FUNCTION: