kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2230 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: acb2451807
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'acb2451807'
${ noResults }
boringssl/crypto/bn/convert.c

604 lines
15 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.] */

  56. 

  57. #include <openssl/bn.h>

  58. 

  59. #include <assert.h>

  60. #include <ctype.h>

  61. #include <limits.h>

  62. #include <stdio.h>

  63. #include <string.h>

  64. 

  65. #include <openssl/bio.h>

  66. #include <openssl/bytestring.h>

  67. #include <openssl/err.h>

  68. #include <openssl/mem.h>

  69. 

  70. #include "internal.h"

  71. 

  72. BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) {

  73.   size_t num_words;

  74.   unsigned m;

  75.   BN_ULONG word = 0;

  76.   BIGNUM *bn = NULL;

  77. 

  78.   if (ret == NULL) {

  79.     ret = bn = BN_new();

  80.   }

  81. 

  82.   if (ret == NULL) {

  83.     return NULL;

  84.   }

  85. 

  86.   if (len == 0) {

  87.     ret->top = 0;

  88.     return ret;

  89.   }

  90. 

  91.   num_words = ((len - 1) / BN_BYTES) + 1;

  92.   m = (len - 1) % BN_BYTES;

  93.   if (bn_wexpand(ret, num_words) == NULL) {

  94.     if (bn) {

  95.       BN_free(bn);

  96.     }

  97.     return NULL;

  98.   }

  99. 

  100.   /* |bn_wexpand| must check bounds on |num_words| to write it into

  101.    * |ret->dmax|. */

  102.   assert(num_words <= INT_MAX);

  103.   ret->top = (int)num_words;

  104.   ret->neg = 0;

  105. 

  106.   while (len--) {

  107.     word = (word << 8) | *(in++);

  108.     if (m-- == 0) {

  109.       ret->d[--num_words] = word;

  110.       word = 0;

  111.       m = BN_BYTES - 1;

  112.     }

  113.   }

  114. 

  115.   /* need to call this due to clear byte at top if avoiding having the top bit

  116.    * set (-ve number) */

  117.   bn_correct_top(ret);

  118.   return ret;

  119. }

  120. 

  121. size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) {

  122.   size_t n, i;

  123.   BN_ULONG l;

  124. 

  125.   n = i = BN_num_bytes(in);

  126.   while (i--) {

  127.     l = in->d[i / BN_BYTES];

  128.     *(out++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;

  129.   }

  130.   return n;

  131. }

  132. 

  133. /* constant_time_select_ulong returns |x| if |v| is 1 and |y| if |v| is 0. Its

  134.  * behavior is undefined if |v| takes any other value. */

  135. static BN_ULONG constant_time_select_ulong(int v, BN_ULONG x, BN_ULONG y) {

  136.   BN_ULONG mask = v;

  137.   mask--;

  138. 

  139.   return (~mask & x) | (mask & y);

  140. }

  141. 

  142. /* constant_time_le_size_t returns 1 if |x| <= |y| and 0 otherwise. |x| and |y|

  143.  * must not have their MSBs set. */

  144. static int constant_time_le_size_t(size_t x, size_t y) {

  145.   return ((x - y - 1) >> (sizeof(size_t) * 8 - 1)) & 1;

  146. }

  147. 

  148. /* read_word_padded returns the |i|'th word of |in|, if it is not out of

  149.  * bounds. Otherwise, it returns 0. It does so without branches on the size of

  150.  * |in|, however it necessarily does not have the same memory access pattern. If

  151.  * the access would be out of bounds, it reads the last word of |in|. |in| must

  152.  * not be zero. */

  153. static BN_ULONG read_word_padded(const BIGNUM *in, size_t i) {

  154.   /* Read |in->d[i]| if valid. Otherwise, read the last word. */

  155.   BN_ULONG l = in->d[constant_time_select_ulong(

  156.       constant_time_le_size_t(in->dmax, i), in->dmax - 1, i)];

  157. 

  158.   /* Clamp to zero if above |d->top|. */

  159.   return constant_time_select_ulong(constant_time_le_size_t(in->top, i), 0, l);

  160. }

  161. 

  162. int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) {

  163.   size_t i;

  164.   BN_ULONG l;

  165. 

  166.   /* Special case for |in| = 0. Just branch as the probability is negligible. */

  167.   if (BN_is_zero(in)) {

  168.     memset(out, 0, len);

  169.     return 1;

  170.   }

  171. 

  172.   /* Check if the integer is too big. This case can exit early in non-constant

  173.    * time. */

  174.   if ((size_t)in->top > (len + (BN_BYTES - 1)) / BN_BYTES) {

  175.     return 0;

  176.   }

  177.   if ((len % BN_BYTES) != 0) {

  178.     l = read_word_padded(in, len / BN_BYTES);

  179.     if (l >> (8 * (len % BN_BYTES)) != 0) {

  180.       return 0;

  181.     }

  182.   }

  183. 

  184.   /* Write the bytes out one by one. Serialization is done without branching on

  185.    * the bits of |in| or on |in->top|, but if the routine would otherwise read

  186.    * out of bounds, the memory access pattern can't be fixed. However, for an

  187.    * RSA key of size a multiple of the word size, the probability of BN_BYTES

  188.    * leading zero octets is low.

  189.    *

  190.    * See Falko Stenzke, "Manger's Attack revisited", ICICS 2010. */

  191.   i = len;

  192.   while (i--) {

  193.     l = read_word_padded(in, i / BN_BYTES);

  194.     *(out++) = (uint8_t)(l >> (8 * (i % BN_BYTES))) & 0xff;

  195.   }

  196.   return 1;

  197. }

  198. 

  199. int BN_bn2cbb_padded(CBB *out, size_t len, const BIGNUM *in) {

  200.   uint8_t *ptr;

  201.   return CBB_add_space(out, &ptr, len) && BN_bn2bin_padded(ptr, len, in);

  202. }

  203. 

  204. static const char hextable[] = "0123456789abcdef";

  205. 

  206. char *BN_bn2hex(const BIGNUM *bn) {

  207.   int i, j, v, z = 0;

  208.   char *buf;

  209.   char *p;

  210. 

  211.   buf = (char *)OPENSSL_malloc(bn->top * BN_BYTES * 2 + 2);

  212.   if (buf == NULL) {

  213.     OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);

  214.     return NULL;

  215.   }

  216. 

  217.   p = buf;

  218.   if (bn->neg) {

  219.     *(p++) = '-';

  220.   }

  221. 

  222.   if (BN_is_zero(bn)) {

  223.     *(p++) = '0';

  224.   }

  225. 

  226.   for (i = bn->top - 1; i >= 0; i--) {

  227.     for (j = BN_BITS2 - 8; j >= 0; j -= 8) {

  228.       /* strip leading zeros */

  229.       v = ((int)(bn->d[i] >> (long)j)) & 0xff;

  230.       if (z || v != 0) {

  231.         *(p++) = hextable[v >> 4];

  232.         *(p++) = hextable[v & 0x0f];

  233.         z = 1;

  234.       }

  235.     }

  236.   }

  237.   *p = '\0';

  238. 

  239.   return buf;

  240. }

  241. 

  242. /* decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|. */

  243. static int decode_hex(BIGNUM *bn, const char *in, int in_len) {

  244.   if (in_len > INT_MAX/4) {

  245.     OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);

  246.     return 0;

  247.   }

  248.   /* |in_len| is the number of hex digits. */

  249.   if (bn_expand(bn, in_len * 4) == NULL) {

  250.     return 0;

  251.   }

  252. 

  253.   int i = 0;

  254.   while (in_len > 0) {

  255.     /* Decode one |BN_ULONG| at a time. */

  256.     int todo = BN_BYTES * 2;

  257.     if (todo > in_len) {

  258.       todo = in_len;

  259.     }

  260. 

  261.     BN_ULONG word = 0;

  262.     int j;

  263.     for (j = todo; j > 0; j--) {

  264.       char c = in[in_len - j];

  265. 

  266.       BN_ULONG hex;

  267.       if (c >= '0' && c <= '9') {

  268.         hex = c - '0';

  269.       } else if (c >= 'a' && c <= 'f') {

  270.         hex = c - 'a' + 10;

  271.       } else if (c >= 'A' && c <= 'F') {

  272.         hex = c - 'A' + 10;

  273.       } else {

  274.         hex = 0;

  275.         /* This shouldn't happen. The caller checks |isxdigit|. */

  276.         assert(0);

  277.       }

  278.       word = (word << 4) | hex;

  279.     }

  280. 

  281.     bn->d[i++] = word;

  282.     in_len -= todo;

  283.   }

  284.   assert(i <= bn->dmax);

  285.   bn->top = i;

  286.   return 1;

  287. }

  288. 

  289. /* decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|. */

  290. static int decode_dec(BIGNUM *bn, const char *in, int in_len) {

  291.   int i, j;

  292.   BN_ULONG l = 0;

  293. 

  294.   /* Decode |BN_DEC_NUM| digits at a time. */

  295.   j = BN_DEC_NUM - (in_len % BN_DEC_NUM);

  296.   if (j == BN_DEC_NUM) {

  297.     j = 0;

  298.   }

  299.   l = 0;

  300.   for (i = 0; i < in_len; i++) {

  301.     l *= 10;

  302.     l += in[i] - '0';

  303.     if (++j == BN_DEC_NUM) {

  304.       if (!BN_mul_word(bn, BN_DEC_CONV) ||

  305.           !BN_add_word(bn, l)) {

  306.         return 0;

  307.       }

  308.       l = 0;

  309.       j = 0;

  310.     }

  311.   }

  312.   return 1;

  313. }

  314. 

  315. typedef int (*decode_func) (BIGNUM *bn, const char *in, int in_len);

  316. typedef int (*char_test_func) (int c);

  317. 

  318. static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, char_test_func want_char) {

  319.   BIGNUM *ret = NULL;

  320.   int neg = 0, i;

  321.   int num;

  322. 

  323.   if (in == NULL || *in == 0) {

  324.     return 0;

  325.   }

  326. 

  327.   if (*in == '-') {

  328.     neg = 1;

  329.     in++;

  330.   }

  331. 

  332.   for (i = 0; want_char((unsigned char)in[i]) && i + neg < INT_MAX; i++) {}

  333. 

  334.   num = i + neg;

  335.   if (outp == NULL) {

  336.     return num;

  337.   }

  338. 

  339.   /* in is the start of the hex digits, and it is 'i' long */

  340.   if (*outp == NULL) {

  341.     ret = BN_new();

  342.     if (ret == NULL) {

  343.       return 0;

  344.     }

  345.   } else {

  346.     ret = *outp;

  347.     BN_zero(ret);

  348.   }

  349. 

  350.   if (!decode(ret, in, i)) {

  351.     goto err;

  352.   }

  353. 

  354.   bn_correct_top(ret);

  355.   if (!BN_is_zero(ret)) {

  356.     ret->neg = neg;

  357.   }

  358. 

  359.   *outp = ret;

  360.   return num;

  361. 

  362. err:

  363.   if (*outp == NULL) {

  364.     BN_free(ret);

  365.   }

  366. 

  367.   return 0;

  368. }

  369. 

  370. int BN_hex2bn(BIGNUM **outp, const char *in) {

  371.   return bn_x2bn(outp, in, decode_hex, isxdigit);

  372. }

  373. 

  374. char *BN_bn2dec(const BIGNUM *a) {

  375.   int i = 0, num, ok = 0;

  376.   char *buf = NULL;

  377.   char *p;

  378.   BIGNUM *t = NULL;

  379.   BN_ULONG *bn_data = NULL, *lp;

  380. 

  381.   /* get an upper bound for the length of the decimal integer

  382.    * num <= (BN_num_bits(a) + 1) * log(2)

  383.    *     <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1     (rounding error)

  384.    *     <= BN_num_bits(a)/10 + BN_num_bits/1000 + 1 + 1

  385.    */

  386.   i = BN_num_bits(a) * 3;

  387.   num = i / 10 + i / 1000 + 1 + 1;

  388.   bn_data =

  389.       (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));

  390.   buf = (char *)OPENSSL_malloc(num + 3);

  391.   if ((buf == NULL) || (bn_data == NULL)) {

  392.     OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);

  393.     goto err;

  394.   }

  395.   t = BN_dup(a);

  396.   if (t == NULL) {

  397.     goto err;

  398.   }

  399. 

  400. #define BUF_REMAIN (num + 3 - (size_t)(p - buf))

  401.   p = buf;

  402.   lp = bn_data;

  403.   if (BN_is_zero(t)) {

  404.     *(p++) = '0';

  405.     *(p++) = '\0';

  406.   } else {

  407.     if (BN_is_negative(t)) {

  408.       *p++ = '-';

  409.     }

  410. 

  411.     while (!BN_is_zero(t)) {

  412.       *lp = BN_div_word(t, BN_DEC_CONV);

  413.       lp++;

  414.     }

  415.     lp--;

  416.     /* We now have a series of blocks, BN_DEC_NUM chars

  417.      * in length, where the last one needs truncation.

  418.      * The blocks need to be reversed in order. */

  419.     BIO_snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp);

  420.     while (*p) {

  421.       p++;

  422.     }

  423.     while (lp != bn_data) {

  424.       lp--;

  425.       BIO_snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp);

  426.       while (*p) {

  427.         p++;

  428.       }

  429.     }

  430.   }

  431.   ok = 1;

  432. 

  433. err:

  434.   OPENSSL_free(bn_data);

  435.   BN_free(t);

  436.   if (!ok) {

  437.     OPENSSL_free(buf);

  438.     buf = NULL;

  439.   }

  440. 

  441.   return buf;

  442. }

  443. 

  444. int BN_dec2bn(BIGNUM **outp, const char *in) {

  445.   return bn_x2bn(outp, in, decode_dec, isdigit);

  446. }

  447. 

  448. int BN_asc2bn(BIGNUM **outp, const char *in) {

  449.   const char *const orig_in = in;

  450.   if (*in == '-') {

  451.     in++;

  452.   }

  453. 

  454.   if (in[0] == '0' && (in[1] == 'X' || in[1] == 'x')) {

  455.     if (!BN_hex2bn(outp, in+2)) {

  456.       return 0;

  457.     }

  458.   } else {

  459.     if (!BN_dec2bn(outp, in)) {

  460.       return 0;

  461.     }

  462.   }

  463. 

  464.   if (*orig_in == '-' && !BN_is_zero(*outp)) {

  465.     (*outp)->neg = 1;

  466.   }

  467. 

  468.   return 1;

  469. }

  470. 

  471. int BN_print(BIO *bp, const BIGNUM *a) {

  472.   int i, j, v, z = 0;

  473.   int ret = 0;

  474. 

  475.   if (a->neg && BIO_write(bp, "-", 1) != 1) {

  476.     goto end;

  477.   }

  478. 

  479.   if (BN_is_zero(a) && BIO_write(bp, "0", 1) != 1) {

  480.     goto end;

  481.   }

  482. 

  483.   for (i = a->top - 1; i >= 0; i--) {

  484.     for (j = BN_BITS2 - 4; j >= 0; j -= 4) {

  485.       /* strip leading zeros */

  486.       v = ((int)(a->d[i] >> (long)j)) & 0x0f;

  487.       if (z || v != 0) {

  488.         if (BIO_write(bp, &hextable[v], 1) != 1) {

  489.           goto end;

  490.         }

  491.         z = 1;

  492.       }

  493.     }

  494.   }

  495.   ret = 1;

  496. 

  497. end:

  498.   return ret;

  499. }

  500. 

  501. int BN_print_fp(FILE *fp, const BIGNUM *a) {

  502.   BIO *b;

  503.   int ret;

  504. 

  505.   b = BIO_new(BIO_s_file());

  506.   if (b == NULL) {

  507.     return 0;

  508.   }

  509.   BIO_set_fp(b, fp, BIO_NOCLOSE);

  510.   ret = BN_print(b, a);

  511.   BIO_free(b);

  512. 

  513.   return ret;

  514. }

  515. 

  516. BN_ULONG BN_get_word(const BIGNUM *bn) {

  517.   switch (bn->top) {

  518.     case 0:

  519.       return 0;

  520.     case 1:

  521.       return bn->d[0];

  522.     default:

  523.       return BN_MASK2;

  524.   }

  525. }

  526. 

  527. size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {

  528.   const size_t bits = BN_num_bits(in);

  529.   const size_t bytes = (bits + 7) / 8;

  530.   /* If the number of bits is a multiple of 8, i.e. if the MSB is set,

  531.    * prefix with a zero byte. */

  532.   int extend = 0;

  533.   if (bytes != 0 && (bits & 0x07) == 0) {

  534.     extend = 1;

  535.   }

  536. 

  537.   const size_t len = bytes + extend;

  538.   if (len < bytes ||

  539.       4 + len < len ||

  540.       (len & 0xffffffff) != len) {

  541.     /* If we cannot represent the number then we emit zero as the interface

  542.      * doesn't allow an error to be signalled. */

  543.     if (out) {

  544.       memset(out, 0, 4);

  545.     }

  546.     return 4;

  547.   }

  548. 

  549.   if (out == NULL) {

  550.     return 4 + len;

  551.   }

  552. 

  553.   out[0] = len >> 24;

  554.   out[1] = len >> 16;

  555.   out[2] = len >> 8;

  556.   out[3] = len;

  557.   if (extend) {

  558.     out[4] = 0;

  559.   }

  560.   BN_bn2bin(in, out + 4 + extend);

  561.   if (in->neg && len > 0) {

  562.     out[4] |= 0x80;

  563.   }

  564.   return len + 4;

  565. }

  566. 

  567. BIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out) {

  568.   if (len < 4) {

  569.     OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);

  570.     return NULL;

  571.   }

  572.   const size_t in_len = ((size_t)in[0] << 24) |

  573.                         ((size_t)in[1] << 16) |

  574.                         ((size_t)in[2] << 8) |

  575.                         ((size_t)in[3]);

  576.   if (in_len != len - 4) {

  577.     OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);

  578.     return NULL;

  579.   }

  580. 

  581.   if (out == NULL) {

  582.     out = BN_new();

  583.   }

  584.   if (out == NULL) {

  585.     OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);

  586.     return NULL;

  587.   }

  588. 

  589.   if (in_len == 0) {

  590.     BN_zero(out);

  591.     return out;

  592.   }

  593. 

  594.   in += 4;

  595.   if (BN_bin2bn(in, in_len, out) == NULL) {

  596.     return NULL;

  597.   }

  598.   out->neg = ((*in) & 0x80) != 0;

  599.   if (out->neg) {

  600.     BN_clear_bit(out, BN_num_bits(out) - 1);

  601.   }

  602.   return out;

  603. }