bn_ctx.c 9.6 KB
Newer Older
R
Rich Salz 已提交
1
/*
2
 * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
3
 *
R
Rich Salz 已提交
4 5 6 7
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
8 9
 */

10
#include "internal/cryptlib.h"
11
#include "bn_local.h"
12

13 14
/*-
 * TODO list
15 16 17 18 19 20 21 22 23 24 25 26
 *
 * 1. Check a bunch of "(words+1)" type hacks in various bignum functions and
 * check they can be safely removed.
 *  - Check +1 and other ugliness in BN_from_montgomery()
 *
 * 2. Consider allowing a BN_new_ex() that, at least, lets you specify an
 * appropriate 'block' size that will be honoured by bn_expand_internal() to
 * prevent piddly little reallocations. OTOH, profiling bignum expansions in
 * BN_CTX doesn't show this to be a big issue.
 */

/* How many bignums are in each "pool item"; */
27
#define BN_CTX_POOL_SIZE        16
28
/* The stack frame info is resizing, set a first-time expansion size; */
29
#define BN_CTX_START_FRAMES     32
30 31 32 33 34 35

/***********/
/* BN_POOL */
/***********/

/* A bundle of bignums that can be linked with other bundles */
36 37 38 39 40 41
typedef struct bignum_pool_item {
    /* The bignum values */
    BIGNUM vals[BN_CTX_POOL_SIZE];
    /* Linked-list admin */
    struct bignum_pool_item *prev, *next;
} BN_POOL_ITEM;
42
/* A linked-list of bignums grouped in bundles */
43 44 45 46 47 48 49 50
typedef struct bignum_pool {
    /* Linked-list admin */
    BN_POOL_ITEM *head, *current, *tail;
    /* Stack depth and allocation size */
    unsigned used, size;
} BN_POOL;
static void BN_POOL_init(BN_POOL *);
static void BN_POOL_finish(BN_POOL *);
R
Rich Salz 已提交
51
static BIGNUM *BN_POOL_get(BN_POOL *, int);
52
static void BN_POOL_release(BN_POOL *, unsigned int);
53 54 55 56 57 58

/************/
/* BN_STACK */
/************/

/* A wrapper to manage the "stack frames" */
59 60 61 62 63 64 65 66 67 68
typedef struct bignum_ctx_stack {
    /* Array of indexes into the bignum stack */
    unsigned int *indexes;
    /* Number of stack frames, and the size of the allocated array */
    unsigned int depth, size;
} BN_STACK;
static void BN_STACK_init(BN_STACK *);
static void BN_STACK_finish(BN_STACK *);
static int BN_STACK_push(BN_STACK *, unsigned int);
static unsigned int BN_STACK_pop(BN_STACK *);
69 70 71 72 73 74

/**********/
/* BN_CTX */
/**********/

/* The opaque BN_CTX type */
75 76 77 78 79 80 81 82 83 84 85
struct bignum_ctx {
    /* The bignum bundles */
    BN_POOL pool;
    /* The "stack frames", if you will */
    BN_STACK stack;
    /* The number of bignums currently assigned */
    unsigned int used;
    /* Depth of stack overflow */
    int err_stack;
    /* Block "gets" until an "end" (compatibility behaviour) */
    int too_many;
R
Rich Salz 已提交
86 87
    /* Flags. */
    int flags;
88
};
89

90 91 92 93
/* Enable this to find BN_CTX bugs */
#ifdef BN_CTX_DEBUG
static const char *ctxdbg_cur = NULL;
static void ctxdbg(BN_CTX *ctx)
94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126
{
    unsigned int bnidx = 0, fpidx = 0;
    BN_POOL_ITEM *item = ctx->pool.head;
    BN_STACK *stack = &ctx->stack;
    fprintf(stderr, "(%16p): ", ctx);
    while (bnidx < ctx->used) {
        fprintf(stderr, "%03x ", item->vals[bnidx++ % BN_CTX_POOL_SIZE].dmax);
        if (!(bnidx % BN_CTX_POOL_SIZE))
            item = item->next;
    }
    fprintf(stderr, "\n");
    bnidx = 0;
    fprintf(stderr, "          : ");
    while (fpidx < stack->depth) {
        while (bnidx++ < stack->indexes[fpidx])
            fprintf(stderr, "    ");
        fprintf(stderr, "^^^ ");
        bnidx++;
        fpidx++;
    }
    fprintf(stderr, "\n");
}

# define CTXDBG_ENTRY(str, ctx)  do { \
                                ctxdbg_cur = (str); \
                                fprintf(stderr,"Starting %s\n", ctxdbg_cur); \
                                ctxdbg(ctx); \
                                } while(0)
# define CTXDBG_EXIT(ctx)        do { \
                                fprintf(stderr,"Ending %s\n", ctxdbg_cur); \
                                ctxdbg(ctx); \
                                } while(0)
# define CTXDBG_RET(ctx,ret)
127
#else
128 129 130
# define CTXDBG_ENTRY(str, ctx)
# define CTXDBG_EXIT(ctx)
# define CTXDBG_RET(ctx,ret)
131
#endif
132

133

134
BN_CTX *BN_CTX_new(void)
135
{
R
Rich Salz 已提交
136 137
    BN_CTX *ret;

R
Rich Salz 已提交
138
    if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
139 140 141 142 143 144
        BNerr(BN_F_BN_CTX_NEW, ERR_R_MALLOC_FAILURE);
        return NULL;
    }
    /* Initialise the structure */
    BN_POOL_init(&ret->pool);
    BN_STACK_init(&ret->stack);
R
Rich Salz 已提交
145 146 147 148 149 150 151
    return ret;
}

BN_CTX *BN_CTX_secure_new(void)
{
    BN_CTX *ret = BN_CTX_new();

152
    if (ret != NULL)
R
Rich Salz 已提交
153
        ret->flags = BN_FLG_SECURE;
154 155
    return ret;
}
156

157
void BN_CTX_free(BN_CTX *ctx)
158
{
R
Rich Salz 已提交
159 160
    if (ctx == NULL)
        return;
161
#ifdef BN_CTX_DEBUG
162 163 164 165 166 167 168 169 170 171 172 173 174
    {
        BN_POOL_ITEM *pool = ctx->pool.head;
        fprintf(stderr, "BN_CTX_free, stack-size=%d, pool-bignums=%d\n",
                ctx->stack.size, ctx->pool.size);
        fprintf(stderr, "dmaxs: ");
        while (pool) {
            unsigned loop = 0;
            while (loop < BN_CTX_POOL_SIZE)
                fprintf(stderr, "%02x ", pool->vals[loop++].dmax);
            pool = pool->next;
        }
        fprintf(stderr, "\n");
    }
175
#endif
176 177 178 179
    BN_STACK_finish(&ctx->stack);
    BN_POOL_finish(&ctx->pool);
    OPENSSL_free(ctx);
}
180 181

void BN_CTX_start(BN_CTX *ctx)
182 183 184 185 186 187 188 189 190 191 192 193
{
    CTXDBG_ENTRY("BN_CTX_start", ctx);
    /* If we're already overflowing ... */
    if (ctx->err_stack || ctx->too_many)
        ctx->err_stack++;
    /* (Try to) get a new frame pointer */
    else if (!BN_STACK_push(&ctx->stack, ctx->used)) {
        BNerr(BN_F_BN_CTX_START, BN_R_TOO_MANY_TEMPORARY_VARIABLES);
        ctx->err_stack++;
    }
    CTXDBG_EXIT(ctx);
}
194

195
void BN_CTX_end(BN_CTX *ctx)
196
{
197 198
    if (ctx == NULL)
        return;
199 200 201 202 203 204 205 206 207 208 209 210 211 212
    CTXDBG_ENTRY("BN_CTX_end", ctx);
    if (ctx->err_stack)
        ctx->err_stack--;
    else {
        unsigned int fp = BN_STACK_pop(&ctx->stack);
        /* Does this stack frame have anything to release? */
        if (fp < ctx->used)
            BN_POOL_release(&ctx->pool, ctx->used - fp);
        ctx->used = fp;
        /* Unjam "too_many" in case "get" had failed */
        ctx->too_many = 0;
    }
    CTXDBG_EXIT(ctx);
}
B
Bodo Möller 已提交
213

214
BIGNUM *BN_CTX_get(BN_CTX *ctx)
215 216
{
    BIGNUM *ret;
R
Rich Salz 已提交
217

218 219 220
    CTXDBG_ENTRY("BN_CTX_get", ctx);
    if (ctx->err_stack || ctx->too_many)
        return NULL;
R
Rich Salz 已提交
221
    if ((ret = BN_POOL_get(&ctx->pool, ctx->flags)) == NULL) {
222 223 224 225 226 227 228 229 230 231
        /*
         * Setting too_many prevents repeated "get" attempts from cluttering
         * the error stack.
         */
        ctx->too_many = 1;
        BNerr(BN_F_BN_CTX_GET, BN_R_TOO_MANY_TEMPORARY_VARIABLES);
        return NULL;
    }
    /* OK, make sure the returned bignum is "zero" */
    BN_zero(ret);
232 233
    /* clear BN_FLG_CONSTTIME if leaked from previous frames */
    ret->flags &= (~BN_FLG_CONSTTIME);
234 235 236 237
    ctx->used++;
    CTXDBG_RET(ctx, ret);
    return ret;
}
238

239 240 241 242 243
/************/
/* BN_STACK */
/************/

static void BN_STACK_init(BN_STACK *st)
244 245 246 247
{
    st->indexes = NULL;
    st->depth = st->size = 0;
}
248 249

static void BN_STACK_finish(BN_STACK *st)
250
{
R
Rich Salz 已提交
251 252
    OPENSSL_free(st->indexes);
    st->indexes = NULL;
253
}
254

255 256

static int BN_STACK_push(BN_STACK *st, unsigned int idx)
257
{
R
Rich Salz 已提交
258
    if (st->depth == st->size) {
259
        /* Need to expand */
R
Rich Salz 已提交
260 261
        unsigned int newsize =
            st->size ? (st->size * 3 / 2) : BN_CTX_START_FRAMES;
R
Rich Salz 已提交
262
        unsigned int *newitems;
263

R
Rich Salz 已提交
264 265
        if ((newitems = OPENSSL_malloc(sizeof(*newitems) * newsize)) == NULL) {
            BNerr(BN_F_BN_STACK_PUSH, ERR_R_MALLOC_FAILURE);
266
            return 0;
R
Rich Salz 已提交
267
        }
268
        if (st->depth)
R
Rich Salz 已提交
269 270
            memcpy(newitems, st->indexes, sizeof(*newitems) * st->depth);
        OPENSSL_free(st->indexes);
271 272 273 274 275 276
        st->indexes = newitems;
        st->size = newsize;
    }
    st->indexes[(st->depth)++] = idx;
    return 1;
}
277 278

static unsigned int BN_STACK_pop(BN_STACK *st)
279 280 281
{
    return st->indexes[--(st->depth)];
}
282 283 284 285 286 287

/***********/
/* BN_POOL */
/***********/

static void BN_POOL_init(BN_POOL *p)
288 289 290 291
{
    p->head = p->current = p->tail = NULL;
    p->used = p->size = 0;
}
292 293

static void BN_POOL_finish(BN_POOL *p)
294
{
R
Rich Salz 已提交
295 296 297
    unsigned int loop;
    BIGNUM *bn;

298
    while (p->head) {
R
Rich Salz 已提交
299
        for (loop = 0, bn = p->head->vals; loop++ < BN_CTX_POOL_SIZE; bn++)
300 301 302 303 304 305 306
            if (bn->d)
                BN_clear_free(bn);
        p->current = p->head->next;
        OPENSSL_free(p->head);
        p->head = p->current;
    }
}
307 308


R
Rich Salz 已提交
309
static BIGNUM *BN_POOL_get(BN_POOL *p, int flag)
310
{
R
Rich Salz 已提交
311 312 313 314
    BIGNUM *bn;
    unsigned int loop;

    /* Full; allocate a new pool item and link it in. */
315
    if (p->used == p->size) {
R
Rich Salz 已提交
316
        BN_POOL_ITEM *item;
317

R
Rich Salz 已提交
318 319
        if ((item = OPENSSL_malloc(sizeof(*item))) == NULL) {
            BNerr(BN_F_BN_POOL_GET, ERR_R_MALLOC_FAILURE);
320
            return NULL;
R
Rich Salz 已提交
321
        }
R
Rich Salz 已提交
322
        for (loop = 0, bn = item->vals; loop++ < BN_CTX_POOL_SIZE; bn++) {
R
Rich Salz 已提交
323
            bn_init(bn);
R
Rich Salz 已提交
324 325 326
            if ((flag & BN_FLG_SECURE) != 0)
                BN_set_flags(bn, BN_FLG_SECURE);
        }
327 328
        item->prev = p->tail;
        item->next = NULL;
R
Rich Salz 已提交
329 330

        if (p->head == NULL)
331 332 333 334 335 336 337 338 339 340 341
            p->head = p->current = p->tail = item;
        else {
            p->tail->next = item;
            p->tail = item;
            p->current = item;
        }
        p->size += BN_CTX_POOL_SIZE;
        p->used++;
        /* Return the first bignum from the new pool */
        return item->vals;
    }
R
Rich Salz 已提交
342

343 344 345 346 347 348
    if (!p->used)
        p->current = p->head;
    else if ((p->used % BN_CTX_POOL_SIZE) == 0)
        p->current = p->current->next;
    return p->current->vals + ((p->used++) % BN_CTX_POOL_SIZE);
}
349 350

static void BN_POOL_release(BN_POOL *p, unsigned int num)
351 352
{
    unsigned int offset = (p->used - 1) % BN_CTX_POOL_SIZE;
R
Rich Salz 已提交
353

354 355 356
    p->used -= num;
    while (num--) {
        bn_check_top(p->current->vals + offset);
R
Rich Salz 已提交
357
        if (offset == 0) {
358 359 360 361 362 363
            offset = BN_CTX_POOL_SIZE - 1;
            p->current = p->current->prev;
        } else
            offset--;
    }
}