1/* 2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <openssl/bn.h> 11 12#include <assert.h> 13#include <limits.h> 14 15#include "internal.h" 16 17void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, 18 size_t in_len) { 19 // The caller should have sized |out| to fit |in| without truncating. This 20 // condition ensures we do not overflow |out|, so use a runtime check. 21 BSSL_CHECK(in_len <= out_len * sizeof(BN_ULONG)); 22 23 // Load whole words. 24 while (in_len >= sizeof(BN_ULONG)) { 25 in_len -= sizeof(BN_ULONG); 26 out[0] = CRYPTO_load_word_be(in + in_len); 27 out++; 28 out_len--; 29 } 30 31 // Load the last partial word. 32 if (in_len != 0) { 33 BN_ULONG word = 0; 34 for (size_t i = 0; i < in_len; i++) { 35 word = (word << 8) | in[i]; 36 } 37 out[0] = word; 38 out++; 39 out_len--; 40 } 41 42 // Fill the remainder with zeros. 43 OPENSSL_memset(out, 0, out_len * sizeof(BN_ULONG)); 44} 45 46BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { 47 BIGNUM *bn = NULL; 48 if (ret == NULL) { 49 bn = BN_new(); 50 if (bn == NULL) { 51 return NULL; 52 } 53 ret = bn; 54 } 55 56 if (len == 0) { 57 ret->width = 0; 58 return ret; 59 } 60 61 size_t num_words = ((len - 1) / BN_BYTES) + 1; 62 if (!bn_wexpand(ret, num_words)) { 63 BN_free(bn); 64 return NULL; 65 } 66 67 // |bn_wexpand| must check bounds on |num_words| to write it into 68 // |ret->dmax|. 69 assert(num_words <= INT_MAX); 70 ret->width = (int)num_words; 71 ret->neg = 0; 72 73 bn_big_endian_to_words(ret->d, ret->width, in, len); 74 return ret; 75} 76 77BIGNUM *BN_lebin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { 78 BIGNUM *bn = NULL; 79 if (ret == NULL) { 80 bn = BN_new(); 81 if (bn == NULL) { 82 return NULL; 83 } 84 ret = bn; 85 } 86 87 if (len == 0) { 88 ret->width = 0; 89 ret->neg = 0; 90 return ret; 91 } 92 93 // Reserve enough space in |ret|. 94 size_t num_words = ((len - 1) / BN_BYTES) + 1; 95 if (!bn_wexpand(ret, num_words)) { 96 BN_free(bn); 97 return NULL; 98 } 99 ret->width = (int)num_words; 100 101 // Make sure the top bytes will be zeroed. 102 ret->d[num_words - 1] = 0; 103 104 // We only support little-endian platforms, so we can simply memcpy the 105 // internal representation. 106 OPENSSL_memcpy(ret->d, in, len); 107 return ret; 108} 109 110BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) { 111 return BN_lebin2bn(in, len, ret); 112} 113 114// fits_in_bytes returns one if the |num_words| words in |words| can be 115// represented in |num_bytes| bytes. 116static int fits_in_bytes(const BN_ULONG *words, size_t num_words, 117 size_t num_bytes) { 118 const uint8_t *bytes = (const uint8_t *)words; 119 size_t tot_bytes = num_words * sizeof(BN_ULONG); 120 uint8_t mask = 0; 121 for (size_t i = num_bytes; i < tot_bytes; i++) { 122 mask |= bytes[i]; 123 } 124 return mask == 0; 125} 126 127void bn_assert_fits_in_bytes(const BIGNUM *bn, size_t num) { 128 const uint8_t *bytes = (const uint8_t *)bn->d; 129 size_t tot_bytes = bn->width * sizeof(BN_ULONG); 130 if (tot_bytes > num) { 131 CONSTTIME_DECLASSIFY(bytes + num, tot_bytes - num); 132 for (size_t i = num; i < tot_bytes; i++) { 133 assert(bytes[i] == 0); 134 } 135 (void)bytes; 136 } 137} 138 139void bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in, 140 size_t in_len) { 141 // The caller should have selected an output length without truncation. 142 declassify_assert(fits_in_bytes(in, in_len, out_len)); 143 144 // We only support little-endian platforms, so the internal representation is 145 // also little-endian as bytes. We can simply copy it in reverse. 146 const uint8_t *bytes = (const uint8_t *)in; 147 size_t num_bytes = in_len * sizeof(BN_ULONG); 148 if (out_len < num_bytes) { 149 num_bytes = out_len; 150 } 151 152 for (size_t i = 0; i < num_bytes; i++) { 153 out[out_len - i - 1] = bytes[i]; 154 } 155 // Pad out the rest of the buffer with zeroes. 156 OPENSSL_memset(out, 0, out_len - num_bytes); 157} 158 159size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) { 160 size_t n = BN_num_bytes(in); 161 bn_words_to_big_endian(out, n, in->d, in->width); 162 return n; 163} 164 165int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in) { 166 if (!fits_in_bytes(in->d, in->width, len)) { 167 return 0; 168 } 169 170 // We only support little-endian platforms, so we can simply memcpy into the 171 // internal representation. 172 const uint8_t *bytes = (const uint8_t *)in->d; 173 size_t num_bytes = in->width * BN_BYTES; 174 if (len < num_bytes) { 175 num_bytes = len; 176 } 177 178 OPENSSL_memcpy(out, bytes, num_bytes); 179 // Pad out the rest of the buffer with zeroes. 180 OPENSSL_memset(out + num_bytes, 0, len - num_bytes); 181 return 1; 182} 183 184int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) { 185 if (!fits_in_bytes(in->d, in->width, len)) { 186 return 0; 187 } 188 189 bn_words_to_big_endian(out, len, in->d, in->width); 190 return 1; 191} 192 193BN_ULONG BN_get_word(const BIGNUM *bn) { 194 switch (bn_minimal_width(bn)) { 195 case 0: 196 return 0; 197 case 1: 198 return bn->d[0]; 199 default: 200 return BN_MASK2; 201 } 202} 203 204int BN_get_u64(const BIGNUM *bn, uint64_t *out) { 205 switch (bn_minimal_width(bn)) { 206 case 0: 207 *out = 0; 208 return 1; 209 case 1: 210 *out = bn->d[0]; 211 return 1; 212#if defined(OPENSSL_32_BIT) 213 case 2: 214 *out = (uint64_t) bn->d[0] | (((uint64_t) bn->d[1]) << 32); 215 return 1; 216#endif 217 default: 218 return 0; 219 } 220} 221