1
/*
2
 * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9

10
#ifndef OSSL_CRYPTO_BN_LOCAL_H
11
#define OSSL_CRYPTO_BN_LOCAL_H
12

13
/*
14
 * The EDK2 build doesn't use bn_conf.h; it sets THIRTY_TWO_BIT or
15
 * SIXTY_FOUR_BIT in its own environment since it doesn't re-run our
16
 * Configure script and needs to support both 32-bit and 64-bit.
17
 */
18
#include <openssl/opensslconf.h>
19

20
#if !defined(OPENSSL_SYS_UEFI)
21
#include "crypto/bn_conf.h"
22
#endif
23

24
#include "crypto/bn.h"
25
#include "internal/cryptlib.h"
26
#include "internal/numbers.h"
27

28
/*
29
 * These preprocessor symbols control various aspects of the bignum headers
30
 * and library code. They're not defined by any "normal" configuration, as
31
 * they are intended for development and testing purposes. NB: defining
32
 * them can be useful for debugging application code as well as openssl
33
 * itself. BN_DEBUG - turn on various debugging alterations to the bignum
34
 * code BN_RAND_DEBUG - uses random poisoning of unused words to trip up
35
 * mismanagement of bignum internals. Enable BN_RAND_DEBUG is known to
36
 * break some of the OpenSSL tests.
37
 */
38
#if defined(BN_RAND_DEBUG) && !defined(BN_DEBUG)
39
#define BN_DEBUG
40
#endif
41
#if defined(BN_RAND_DEBUG)
42
#include <openssl/rand.h>
43
#endif
44

45
/*
46
 * This should limit the stack usage due to alloca to about 4K.
47
 * BN_SOFT_LIMIT is a soft limit equivalent to 2*OPENSSL_RSA_MAX_MODULUS_BITS.
48
 * Beyond that size bn_mul_mont is no longer used, and the constant time
49
 * assembler code is disabled, due to the blatant alloca and bn_mul_mont usage.
50
 * Note that bn_mul_mont does an alloca that is hidden away in assembly.
51
 * It is not recommended to do computations with numbers exceeding this limit,
52
 * since the result will be highly version dependent:
53
 * While the current OpenSSL version will use non-optimized, but safe code,
54
 * previous versions will use optimized code, that may crash due to unexpected
55
 * stack overflow, and future versions may very well turn this into a hard
56
 * limit.
57
 * Note however, that it is possible to override the size limit using
58
 * "./config -DBN_SOFT_LIMIT=<limit>" if necessary, and the O/S specific
59
 * stack limit is known and taken into consideration.
60
 */
61
#ifndef BN_SOFT_LIMIT
62
#define BN_SOFT_LIMIT (4096 / BN_BYTES)
63
#endif
64

65
#ifndef OPENSSL_SMALL_FOOTPRINT
66
#define BN_MUL_COMBA
67
#define BN_SQR_COMBA
68
#define BN_RECURSION
69
#endif
70

71
/*
72
 * This next option uses the C libraries (2 word)/(1 word) function. If it is
73
 * not defined, I use my C version (which is slower). The reason for this
74
 * flag is that when the particular C compiler library routine is used, and
75
 * the library is linked with a different compiler, the library is missing.
76
 * This mostly happens when the library is built with gcc and then linked
77
 * using normal cc.  This would be a common occurrence because gcc normally
78
 * produces code that is 2 times faster than system compilers for the big
79
 * number stuff. For machines with only one compiler (or shared libraries),
80
 * this should be on.  Again this in only really a problem on machines using
81
 * "long long's", are 32bit, and are not using my assembler code.
82
 */
83
#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(linux)
84
#define BN_DIV2W
85
#endif
86

87
/*
88
 * 64-bit processor with LP64 ABI
89
 */
90
#ifdef SIXTY_FOUR_BIT_LONG
91
#define BN_ULLONG unsigned long long
92
#define BN_BITS4 32
93
#define BN_MASK2 (0xffffffffffffffffL)
94
#define BN_MASK2l (0xffffffffL)
95
#define BN_MASK2h (0xffffffff00000000L)
96
#define BN_MASK2h1 (0xffffffff80000000L)
97
#define BN_DEC_CONV (10000000000000000000UL)
98
#define BN_DEC_NUM 19
99
#define BN_DEC_FMT1 "%lu"
100
#define BN_DEC_FMT2 "%019lu"
101
#endif
102

103
/*
104
 * 64-bit processor other than LP64 ABI
105
 */
106
#ifdef SIXTY_FOUR_BIT
107
#undef BN_LLONG
108
#undef BN_ULLONG
109
#define BN_BITS4 32
110
#define BN_MASK2 (0xffffffffffffffffLL)
111
#define BN_MASK2l (0xffffffffL)
112
#define BN_MASK2h (0xffffffff00000000LL)
113
#define BN_MASK2h1 (0xffffffff80000000LL)
114
#define BN_DEC_CONV (10000000000000000000ULL)
115
#define BN_DEC_NUM 19
116
#define BN_DEC_FMT1 "%llu"
117
#define BN_DEC_FMT2 "%019llu"
118
#endif
119

120
#ifdef THIRTY_TWO_BIT
121
#ifdef BN_LLONG
122
#if defined(_WIN32) && !defined(__GNUC__)
123
#define BN_ULLONG unsigned __int64
124
#else
125
#define BN_ULLONG unsigned long long
126
#endif
127
#endif
128
#define BN_BITS4 16
129
#define BN_MASK2 (0xffffffffL)
130
#define BN_MASK2l (0xffff)
131
#define BN_MASK2h1 (0xffff8000L)
132
#define BN_MASK2h (0xffff0000L)
133
#define BN_DEC_CONV (1000000000L)
134
#define BN_DEC_NUM 9
135
#define BN_DEC_FMT1 "%u"
136
#define BN_DEC_FMT2 "%09u"
137
#endif
138

139
/*-
140
 * Bignum consistency macros
141
 * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
142
 * bignum data after direct manipulations on the data. There is also an
143
 * "internal" macro, bn_check_top(), for verifying that there are no leading
144
 * zeroes. Unfortunately, some auditing is required due to the fact that
145
 * bn_fix_top() has become an overabused duct-tape because bignum data is
146
 * occasionally passed around in an inconsistent state. So the following
147
 * changes have been made to sort this out;
148
 * - bn_fix_top()s implementation has been moved to bn_correct_top()
149
 * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and
150
 *   bn_check_top() is as before.
151
 * - if BN_DEBUG *is* defined;
152
 *   - bn_check_top() tries to pollute unused words even if the bignum 'top' is
153
 *     consistent. (ed: only if BN_RAND_DEBUG is defined)
154
 *   - bn_fix_top() maps to bn_check_top() rather than "fixing" anything.
155
 * The idea is to have debug builds flag up inconsistent bignums when they
156
 * occur. If that occurs in a bn_fix_top(), we examine the code in question; if
157
 * the use of bn_fix_top() was appropriate (ie. it follows directly after code
158
 * that manipulates the bignum) it is converted to bn_correct_top(), and if it
159
 * was not appropriate, we convert it permanently to bn_check_top() and track
160
 * down the cause of the bug. Eventually, no internal code should be using the
161
 * bn_fix_top() macro. External applications and libraries should try this with
162
 * their own code too, both in terms of building against the openssl headers
163
 * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it
164
 * defined. This not only improves external code, it provides more test
165
 * coverage for openssl's own code.
166
 */
167

168
#ifdef BN_DEBUG
169
/*
170
 * The new BN_FLG_FIXED_TOP flag marks vectors that were not treated with
171
 * bn_correct_top, in other words such vectors are permitted to have zeros
172
 * in most significant limbs. Such vectors are used internally to achieve
173
 * execution time invariance for critical operations with private keys.
174
 * It's BN_DEBUG-only flag, because user application is not supposed to
175
 * observe it anyway. Moreover, optimizing compiler would actually remove
176
 * all operations manipulating the bit in question in non-BN_DEBUG build.
177
 */
178
#define BN_FLG_FIXED_TOP 0x10000
179
#ifdef BN_RAND_DEBUG
180
#define bn_pollute(a)                                                                       \
181
    do {                                                                                    \
182
        const BIGNUM *_bnum1 = (a);                                                         \
183
        if (_bnum1->top < _bnum1->dmax) {                                                   \
184
            unsigned char _tmp_char;                                                        \
185
            /* We cast away const without the compiler knowing, any                         \
186
             * *genuinely* constant variables that aren't mutable                           \
187
             * wouldn't be constructed with top!=dmax. */                                   \
188
            BN_ULONG *_not_const;                                                           \
189
            memcpy(&_not_const, &_bnum1->d, sizeof(_not_const));                            \
190
            (void)RAND_bytes(&_tmp_char, 1); /* Debug only - safe to ignore error return */ \
191
            memset(_not_const + _bnum1->top, _tmp_char,                                     \
192
                sizeof(*_not_const) * (_bnum1->dmax - _bnum1->top));                        \
193
        }                                                                                   \
194
    } while (0)
195
#else
196
#define bn_pollute(a)
197
#endif
198
#define bn_check_top(a)                                                                                                                   \
199
    do {                                                                                                                                  \
200
        const BIGNUM *_bnum2 = (a);                                                                                                       \
201
        if (_bnum2 != NULL) {                                                                                                             \
202
            int _top = _bnum2->top;                                                                                                       \
203
            (void)ossl_assert((_top == 0 && !_bnum2->neg) || (_top && ((_bnum2->flags & BN_FLG_FIXED_TOP) || _bnum2->d[_top - 1] != 0))); \
204
            bn_pollute(_bnum2);                                                                                                           \
205
        }                                                                                                                                 \
206
    } while (0)
207

208
#define bn_fix_top(a) bn_check_top(a)
209

210
#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits + BN_BITS2 - 1)) / BN_BITS2)
211
#define bn_wcheck_size(bn, words)                                      \
212
    do {                                                               \
213
        const BIGNUM *_bnum2 = (bn);                                   \
214
        assert((words) <= (_bnum2)->dmax && (words) >= (_bnum2)->top); \
215
        /* avoid unused variable warning with NDEBUG */                \
216
        (void)(_bnum2);                                                \
217
    } while (0)
218

219
#else /* !BN_DEBUG */
220

221
#define BN_FLG_FIXED_TOP 0
222
#define bn_pollute(a)
223
#define bn_check_top(a)
224
#define bn_fix_top(a) bn_correct_top(a)
225
#define bn_check_size(bn, bits)
226
#define bn_wcheck_size(bn, words)
227

228
#endif
229

230
BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
231
    BN_ULONG w);
232
BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
233
void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
234
BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
235
BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
236
    int num);
237
BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
238
    int num);
239

240
struct bignum_st {
241
    BN_ULONG *d; /*
242
                  * Pointer to an array of 'BN_BITS2' bit
243
                  * chunks. These chunks are organised in
244
                  * a least significant chunk first order.
245
                  */
246
    int top; /* Index of last used d +1. */
247
    /* The next are internal book keeping for bn_expand. */
248
    int dmax; /* Size of the d array. */
249
    int neg; /* one if the number is negative */
250
    int flags;
251
};
252

253
/* Used for montgomery multiplication */
254
struct bn_mont_ctx_st {
255
    int ri; /* number of bits in R */
256
    BIGNUM RR; /* used to convert to montgomery form,
257
                  possibly zero-padded */
258
    BIGNUM N; /* The modulus */
259
    BIGNUM Ni; /* R*(1/R mod N) - N*Ni = 1 (Ni is only
260
                * stored for bignum algorithm) */
261
    BN_ULONG n0[2]; /* least significant word(s) of Ni; (type
262
                     * changed with 0.9.9, was "BN_ULONG n0;"
263
                     * before) */
264
    int flags;
265
};
266

267
/*
268
 * Used for reciprocal division/mod functions It cannot be shared between
269
 * threads
270
 */
271
struct bn_recp_ctx_st {
272
    BIGNUM N; /* the divisor */
273
    BIGNUM Nr; /* the reciprocal */
274
    int num_bits;
275
    int shift;
276
    int flags;
277
};
278

279
/* Used for slow "generation" functions. */
280
struct bn_gencb_st {
281
    unsigned int ver; /* To handle binary (in)compatibility */
282
    void *arg; /* callback-specific data */
283
    union {
284
        /* if (ver==1) - handles old style callbacks */
285
        void (*cb_1)(int, int, void *);
286
        /* if (ver==2) - new callback style */
287
        int (*cb_2)(int, int, BN_GENCB *);
288
    } cb;
289
};
290

291
/*-
292
 * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
293
 *
294
 *
295
 * For window size 'w' (w >= 2) and a random 'b' bits exponent,
296
 * the number of multiplications is a constant plus on average
297
 *
298
 *    2^(w-1) + (b-w)/(w+1);
299
 *
300
 * here  2^(w-1)  is for precomputing the table (we actually need
301
 * entries only for windows that have the lowest bit set), and
302
 * (b-w)/(w+1)  is an approximation for the expected number of
303
 * w-bit windows, not counting the first one.
304
 *
305
 * Thus we should use
306
 *
307
 *    w >= 6  if        b > 671
308
 *     w = 5  if  671 > b > 239
309
 *     w = 4  if  239 > b >  79
310
 *     w = 3  if   79 > b >  23
311
 *    w <= 2  if   23 > b
312
 *
313
 * (with draws in between).  Very small exponents are often selected
314
 * with low Hamming weight, so we use  w = 1  for b <= 23.
315
 */
316
#define BN_window_bits_for_exponent_size(b) \
317
    ((b) > 671 ? 6 : (b) > 239 ? 5          \
318
            : (b) > 79         ? 4          \
319
            : (b) > 23         ? 3          \
320
                               : 1)
321

322
/*
323
 * BN_mod_exp_mont_consttime is based on the assumption that the L1 data cache
324
 * line width of the target processor is at least the following value.
325
 */
326
#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH (64)
327
#define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
328

329
/*
330
 * Window sizes optimized for fixed window size modular exponentiation
331
 * algorithm (BN_mod_exp_mont_consttime). To achieve the security goals of
332
 * BN_mode_exp_mont_consttime, the maximum size of the window must not exceed
333
 * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH). Window size thresholds are
334
 * defined for cache line sizes of 32 and 64, cache line sizes where
335
 * log_2(32)=5 and log_2(64)=6 respectively. A window size of 7 should only be
336
 * used on processors that have a 128 byte or greater cache line size.
337
 */
338
#if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
339

340
#define BN_window_bits_for_ctime_exponent_size(b) \
341
    ((b) > 937 ? 6 : (b) > 306 ? 5                \
342
            : (b) > 89         ? 4                \
343
            : (b) > 22         ? 3                \
344
                               : 1)
345
#define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (6)
346

347
#elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32
348

349
#define BN_window_bits_for_ctime_exponent_size(b) \
350
    ((b) > 306 ? 5 : (b) > 89 ? 4                 \
351
            : (b) > 22        ? 3                 \
352
                              : 1)
353
#define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (5)
354

355
#endif
356

357
/* Pentium pro 16,16,16,32,64 */
358
/* Alpha       16,16,16,16.64 */
359
#define BN_MULL_SIZE_NORMAL (16) /* 32 */
360
#define BN_MUL_RECURSIVE_SIZE_NORMAL (16) /* 32 less than */
361
#define BN_SQR_RECURSIVE_SIZE_NORMAL (16) /* 32 */
362
#define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32) /* 32 */
363
#define BN_MONT_CTX_SET_SIZE_WORD (64) /* 32 */
364

365
#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
366
/*
367
 * BN_UMULT_HIGH section.
368
 * If the compiler doesn't support 2*N integer type, then you have to
369
 * replace every N*N multiplication with 4 (N/2)*(N/2) accompanied by some
370
 * shifts and additions which unavoidably results in severe performance
371
 * penalties. Of course provided that the hardware is capable of producing
372
 * 2*N result... That's when you normally start considering assembler
373
 * implementation. However! It should be pointed out that some CPUs (e.g.,
374
 * PowerPC, Alpha, and IA-64) provide *separate* instruction calculating
375
 * the upper half of the product placing the result into a general
376
 * purpose register. Now *if* the compiler supports inline assembler,
377
 * then it's not impossible to implement the "bignum" routines (and have
378
 * the compiler optimize 'em) exhibiting "native" performance in C. That's
379
 * what BN_UMULT_HIGH macro is about:-) Note that more recent compilers do
380
 * support 2*64 integer type, which is also used here.
381
 */
382
#if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
383
#define BN_UMULT_HIGH(a, b) (((uint128_t)(a) * (b)) >> 64)
384
#define BN_UMULT_LOHI(low, high, a, b) ({       \
385
        uint128_t ret=(uint128_t)(a)*(b);   \
386
        (high)=ret>>64; (low)=ret; })
387
#elif defined(__alpha) && (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
388
#if defined(__DECC)
389
#include <c_asm.h>
390
#define BN_UMULT_HIGH(a, b) (BN_ULONG) asm("umulh %a0,%a1,%v0", (a), (b))
391
#elif defined(__GNUC__) && __GNUC__ >= 2
392
#define BN_UMULT_HIGH(a, b) ({     \
393
        register BN_ULONG ret;          \
394
        asm ("umulh     %1,%2,%0"       \
395
             : "=r"(ret)                \
396
             : "r"(a), "r"(b));         \
397
        ret; })
398
#endif /* compiler */
399
#elif defined(_ARCH_PPC64) && defined(SIXTY_FOUR_BIT_LONG)
400
#if defined(__GNUC__) && __GNUC__ >= 2
401
#define BN_UMULT_HIGH(a, b) ({     \
402
        register BN_ULONG ret;          \
403
        asm ("mulhdu    %0,%1,%2"       \
404
             : "=r"(ret)                \
405
             : "r"(a), "r"(b));         \
406
        ret; })
407
#endif /* compiler */
408
#elif (defined(__x86_64) || defined(__x86_64__)) && (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
409
#if defined(__GNUC__) && __GNUC__ >= 2
410
#define BN_UMULT_HIGH(a, b) ({     \
411
        register BN_ULONG ret,discard;  \
412
        asm ("mulq      %3"             \
413
             : "=a"(discard),"=d"(ret)  \
414
             : "a"(a), "g"(b)           \
415
             : "cc");                   \
416
        ret; })
417
#define BN_UMULT_LOHI(low, high, a, b) \
418
    asm("mulq      %3"                 \
419
        : "=a"(low), "=d"(high)        \
420
        : "a"(a), "g"(b)               \
421
        : "cc");
422
#endif
423
#elif (defined(_M_AMD64) || defined(_M_X64)) && defined(SIXTY_FOUR_BIT)
424
#if defined(_MSC_VER) && _MSC_VER >= 1400
425
unsigned __int64 __umulh(unsigned __int64 a, unsigned __int64 b);
426
unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
427
    unsigned __int64 *h);
428
#pragma intrinsic(__umulh, _umul128)
429
#define BN_UMULT_HIGH(a, b) __umulh((a), (b))
430
#define BN_UMULT_LOHI(low, high, a, b) ((low) = _umul128((a), (b), &(high)))
431
#endif
432
#elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
433
#if defined(__GNUC__) && __GNUC__ >= 2
434
#define BN_UMULT_HIGH(a, b) ({       \
435
        register BN_ULONG ret;          \
436
        asm ("dmultu    %1,%2"          \
437
             : "=h"(ret)                \
438
             : "r"(a), "r"(b) : "l");   \
439
        ret; })
440
#define BN_UMULT_LOHI(low, high, a, b) \
441
    asm("dmultu    %2,%3"              \
442
        : "=l"(low), "=h"(high)        \
443
        : "r"(a), "r"(b));
444
#endif
445
#elif defined(__aarch64__) && defined(SIXTY_FOUR_BIT_LONG)
446
#if defined(__GNUC__) && __GNUC__ >= 2
447
#define BN_UMULT_HIGH(a, b) ({     \
448
        register BN_ULONG ret;          \
449
        asm ("umulh     %0,%1,%2"       \
450
             : "=r"(ret)                \
451
             : "r"(a), "r"(b));         \
452
        ret; })
453
#endif
454
#endif /* cpu */
455
#endif /* OPENSSL_NO_ASM */
456

457
#ifdef BN_RAND_DEBUG
458
#define bn_clear_top2max(a)                    \
459
    {                                          \
460
        int ind = (a)->dmax - (a)->top;        \
461
        BN_ULONG *ftl = &(a)->d[(a)->top - 1]; \
462
        for (; ind != 0; ind--)                \
463
            *(++ftl) = 0x0;                    \
464
    }
465
#else
466
#define bn_clear_top2max(a)
467
#endif
468

469
#ifdef BN_LLONG
470
/*******************************************************************
471
 * Using the long long type, has to be twice as wide as BN_ULONG...
472
 */
473
#define Lw(t) (((BN_ULONG)(t)) & BN_MASK2)
474
#define Hw(t) (((BN_ULONG)((t) >> BN_BITS2)) & BN_MASK2)
475

476
#define mul_add(r, a, w, c)                 \
477
    {                                       \
478
        BN_ULLONG t;                        \
479
        t = (BN_ULLONG)w * (a) + (r) + (c); \
480
        (r) = Lw(t);                        \
481
        (c) = Hw(t);                        \
482
    }
483

484
#define mul(r, a, w, c)               \
485
    {                                 \
486
        BN_ULLONG t;                  \
487
        t = (BN_ULLONG)w * (a) + (c); \
488
        (r) = Lw(t);                  \
489
        (c) = Hw(t);                  \
490
    }
491

492
#define sqr(r0, r1, a)            \
493
    {                             \
494
        BN_ULLONG t;              \
495
        t = (BN_ULLONG)(a) * (a); \
496
        (r0) = Lw(t);             \
497
        (r1) = Hw(t);             \
498
    }
499

500
#elif defined(BN_UMULT_LOHI)
501
#define mul_add(r, a, w, c)                 \
502
    {                                       \
503
        BN_ULONG high, low, ret, tmp = (a); \
504
        ret = (r);                          \
505
        BN_UMULT_LOHI(low, high, w, tmp);   \
506
        ret += (c);                         \
507
        (c) = (ret < (c));                  \
508
        (c) += high;                        \
509
        ret += low;                         \
510
        (c) += (ret < low);                 \
511
        (r) = ret;                          \
512
    }
513

514
#define mul(r, a, w, c)                    \
515
    {                                      \
516
        BN_ULONG high, low, ret, ta = (a); \
517
        BN_UMULT_LOHI(low, high, w, ta);   \
518
        ret = low + (c);                   \
519
        (c) = high;                        \
520
        (c) += (ret < low);                \
521
        (r) = ret;                         \
522
    }
523

524
#define sqr(r0, r1, a)                   \
525
    {                                    \
526
        BN_ULONG tmp = (a);              \
527
        BN_UMULT_LOHI(r0, r1, tmp, tmp); \
528
    }
529

530
#elif defined(BN_UMULT_HIGH)
531
#define mul_add(r, a, w, c)                 \
532
    {                                       \
533
        BN_ULONG high, low, ret, tmp = (a); \
534
        ret = (r);                          \
535
        high = BN_UMULT_HIGH(w, tmp);       \
536
        ret += (c);                         \
537
        low = (w) * tmp;                    \
538
        (c) = (ret < (c));                  \
539
        (c) += high;                        \
540
        ret += low;                         \
541
        (c) += (ret < low);                 \
542
        (r) = ret;                          \
543
    }
544

545
#define mul(r, a, w, c)                    \
546
    {                                      \
547
        BN_ULONG high, low, ret, ta = (a); \
548
        low = (w) * ta;                    \
549
        high = BN_UMULT_HIGH(w, ta);       \
550
        ret = low + (c);                   \
551
        (c) = high;                        \
552
        (c) += (ret < low);                \
553
        (r) = ret;                         \
554
    }
555

556
#define sqr(r0, r1, a)                  \
557
    {                                   \
558
        BN_ULONG tmp = (a);             \
559
        (r0) = tmp * tmp;               \
560
        (r1) = BN_UMULT_HIGH(tmp, tmp); \
561
    }
562

563
#else
564
/*************************************************************
565
 * No long long type
566
 */
567

568
#define LBITS(a) ((a) & BN_MASK2l)
569
#define HBITS(a) (((a) >> BN_BITS4) & BN_MASK2l)
570
#define L2HBITS(a) (((a) << BN_BITS4) & BN_MASK2)
571

572
#define LLBITS(a) ((a) & BN_MASKl)
573
#define LHBITS(a) (((a) >> BN_BITS2) & BN_MASKl)
574
#define LL2HBITS(a) ((BN_ULLONG)((a) & BN_MASKl) << BN_BITS2)
575

576
#define mul64(l, h, bl, bh)                \
577
    {                                      \
578
        BN_ULONG m, m1, lt, ht;            \
579
                                           \
580
        lt = l;                            \
581
        ht = h;                            \
582
        m = (bh) * (lt);                   \
583
        lt = (bl) * (lt);                  \
584
        m1 = (bl) * (ht);                  \
585
        ht = (bh) * (ht);                  \
586
        m = (m + m1) & BN_MASK2;           \
587
        ht += L2HBITS((BN_ULONG)(m < m1)); \
588
        ht += HBITS(m);                    \
589
        m1 = L2HBITS(m);                   \
590
        lt = (lt + m1) & BN_MASK2;         \
591
        ht += (lt < m1);                   \
592
        (l) = lt;                          \
593
        (h) = ht;                          \
594
    }
595

596
#define sqr64(lo, ho, in)                        \
597
    {                                            \
598
        BN_ULONG l, h, m;                        \
599
                                                 \
600
        h = (in);                                \
601
        l = LBITS(h);                            \
602
        h = HBITS(h);                            \
603
        m = (l) * (h);                           \
604
        l *= l;                                  \
605
        h *= h;                                  \
606
        h += (m & BN_MASK2h1) >> (BN_BITS4 - 1); \
607
        m = (m & BN_MASK2l) << (BN_BITS4 + 1);   \
608
        l = (l + m) & BN_MASK2;                  \
609
        h += (l < m);                            \
610
        (lo) = l;                                \
611
        (ho) = h;                                \
612
    }
613

614
#define mul_add(r, a, bl, bh, c)  \
615
    {                             \
616
        BN_ULONG l, h;            \
617
                                  \
618
        h = (a);                  \
619
        l = LBITS(h);             \
620
        h = HBITS(h);             \
621
        mul64(l, h, (bl), (bh));  \
622
                                  \
623
        /* non-multiply part */   \
624
        l = (l + (c)) & BN_MASK2; \
625
        h += (l < (c));           \
626
        (c) = (r);                \
627
        l = (l + (c)) & BN_MASK2; \
628
        h += (l < (c));           \
629
        (c) = h & BN_MASK2;       \
630
        (r) = l;                  \
631
    }
632

633
#define mul(r, a, bl, bh, c)         \
634
    {                                \
635
        BN_ULONG l, h;               \
636
                                     \
637
        h = (a);                     \
638
        l = LBITS(h);                \
639
        h = HBITS(h);                \
640
        mul64(l, h, (bl), (bh));     \
641
                                     \
642
        /* non-multiply part */      \
643
        l += (c);                    \
644
        h += ((l & BN_MASK2) < (c)); \
645
        (c) = h & BN_MASK2;          \
646
        (r) = l & BN_MASK2;          \
647
    }
648
#endif /* !BN_LLONG */
649

650
void BN_RECP_CTX_init(BN_RECP_CTX *recp);
651
void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
652

653
void bn_init(BIGNUM *a);
654
void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb);
655
void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
656
void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
657
void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp);
658
void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
659
void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
660
int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n);
661
int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl);
662
void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
663
    int dna, int dnb, BN_ULONG *t);
664
void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b,
665
    int n, int tna, int tnb, BN_ULONG *t);
666
void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t);
667
void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n);
668
void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
669
    BN_ULONG *t);
670
BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
671
    int cl, int dl);
672
int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
673
    const BN_ULONG *np, const BN_ULONG *n0, int num);
674
void bn_correct_top_consttime(BIGNUM *a);
675
BIGNUM *int_bn_mod_inverse(BIGNUM *in,
676
    const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
677
    int *noinv);
678

679
static ossl_inline BIGNUM *bn_expand(BIGNUM *a, int bits)
680
{
681
    if (bits > (INT_MAX - BN_BITS2 + 1))
682
        return NULL;
683

684
    if (((bits + BN_BITS2 - 1) / BN_BITS2) <= (a)->dmax)
685
        return a;
686

687
    return bn_expand2((a), (bits + BN_BITS2 - 1) / BN_BITS2);
688
}
689

690
int ossl_bn_check_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
691
    int do_trial_division, BN_GENCB *cb);
692

693
#endif
694

695