aboutsummaryrefslogtreecommitdiffstats
path: root/contrib/libs/openssl/crypto/bn
diff options
context:
space:
mode:
authortpashkin <tpashkin@yandex-team.ru>2022-02-10 16:46:42 +0300
committerDaniil Cherednik <dcherednik@yandex-team.ru>2022-02-10 16:46:42 +0300
commit656921707c02b816d730f31c1fdc1d615adbfe00 (patch)
tree49e222ea1c5804306084bb3ae065bb702625360f /contrib/libs/openssl/crypto/bn
parent5475379a04e37df30085bd1724f1c57e3f40996f (diff)
downloadydb-656921707c02b816d730f31c1fdc1d615adbfe00.tar.gz
Restoring authorship annotation for <tpashkin@yandex-team.ru>. Commit 2 of 2.
Diffstat (limited to 'contrib/libs/openssl/crypto/bn')
-rw-r--r--contrib/libs/openssl/crypto/bn/asm/x86_64-gcc.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_add.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_asm.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_blind.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_ctx.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_depr.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_dh.c4
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_div.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_exp.c4
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_exp2.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_gcd.c226
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_gf2m.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_intern.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_kron.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_lib.c4
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_local.h1336
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_mod.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_mont.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_mpi.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_mul.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_nist.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_prime.c122
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_print.c4
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_rand.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_recp.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_shift.c32
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_sqr.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_sqrt.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_srp.c4
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_word.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/bn_x931p.c2
-rw-r--r--contrib/libs/openssl/crypto/bn/rsaz_exp.h4
32 files changed, 892 insertions, 892 deletions
diff --git a/contrib/libs/openssl/crypto/bn/asm/x86_64-gcc.c b/contrib/libs/openssl/crypto/bn/asm/x86_64-gcc.c
index f58b7276aa..e6fdaadf0e 100644
--- a/contrib/libs/openssl/crypto/bn/asm/x86_64-gcc.c
+++ b/contrib/libs/openssl/crypto/bn/asm/x86_64-gcc.c
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "../bn_local.h"
+#include "../bn_local.h"
#if !(defined(__GNUC__) && __GNUC__>=2)
# include "../bn_asm.c" /* kind of dirty hack for Sun Studio */
#else
diff --git a/contrib/libs/openssl/crypto/bn/bn_add.c b/contrib/libs/openssl/crypto/bn/bn_add.c
index a7316dee68..8ffe49618a 100644
--- a/contrib/libs/openssl/crypto/bn/bn_add.c
+++ b/contrib/libs/openssl/crypto/bn/bn_add.c
@@ -8,7 +8,7 @@
*/
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
/* signed add of b to a. */
int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
diff --git a/contrib/libs/openssl/crypto/bn/bn_asm.c b/contrib/libs/openssl/crypto/bn/bn_asm.c
index 0cf20c597d..4d83a8cf11 100644
--- a/contrib/libs/openssl/crypto/bn/bn_asm.c
+++ b/contrib/libs/openssl/crypto/bn/bn_asm.c
@@ -10,7 +10,7 @@
#include <assert.h>
#include <openssl/crypto.h>
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
#if defined(BN_LLONG) || defined(BN_UMULT_HIGH)
diff --git a/contrib/libs/openssl/crypto/bn/bn_blind.c b/contrib/libs/openssl/crypto/bn/bn_blind.c
index 4fa510dadb..76fc7ebcff 100644
--- a/contrib/libs/openssl/crypto/bn/bn_blind.c
+++ b/contrib/libs/openssl/crypto/bn/bn_blind.c
@@ -9,7 +9,7 @@
#include <openssl/opensslconf.h>
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
#define BN_BLINDING_COUNTER 32
diff --git a/contrib/libs/openssl/crypto/bn/bn_ctx.c b/contrib/libs/openssl/crypto/bn/bn_ctx.c
index 8ccc9ccf14..042cb247d3 100644
--- a/contrib/libs/openssl/crypto/bn/bn_ctx.c
+++ b/contrib/libs/openssl/crypto/bn/bn_ctx.c
@@ -8,7 +8,7 @@
*/
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
/*-
* TODO list
diff --git a/contrib/libs/openssl/crypto/bn/bn_depr.c b/contrib/libs/openssl/crypto/bn/bn_depr.c
index 361de165d4..b60269cd57 100644
--- a/contrib/libs/openssl/crypto/bn/bn_depr.c
+++ b/contrib/libs/openssl/crypto/bn/bn_depr.c
@@ -20,7 +20,7 @@ NON_EMPTY_TRANSLATION_UNIT
# include <stdio.h>
# include <time.h>
# include "internal/cryptlib.h"
-# include "bn_local.h"
+# include "bn_local.h"
BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
const BIGNUM *add, const BIGNUM *rem,
diff --git a/contrib/libs/openssl/crypto/bn/bn_dh.c b/contrib/libs/openssl/crypto/bn/bn_dh.c
index 3cdcd78133..58c44f0b17 100644
--- a/contrib/libs/openssl/crypto/bn/bn_dh.c
+++ b/contrib/libs/openssl/crypto/bn/bn_dh.c
@@ -7,12 +7,12 @@
* https://www.openssl.org/source/license.html
*/
-#include "bn_local.h"
+#include "bn_local.h"
#include "internal/nelem.h"
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
-#include "crypto/bn_dh.h"
+#include "crypto/bn_dh.h"
/* DH parameters from RFC5114 */
# if BN_BITS2 == 64
diff --git a/contrib/libs/openssl/crypto/bn/bn_div.c b/contrib/libs/openssl/crypto/bn/bn_div.c
index 03cbb416fd..0da9f39b31 100644
--- a/contrib/libs/openssl/crypto/bn/bn_div.c
+++ b/contrib/libs/openssl/crypto/bn/bn_div.c
@@ -10,7 +10,7 @@
#include <assert.h>
#include <openssl/bn.h>
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
/* The old slow way */
#if 0
diff --git a/contrib/libs/openssl/crypto/bn/bn_exp.c b/contrib/libs/openssl/crypto/bn/bn_exp.c
index ea10cb3e13..9531acfc3c 100644
--- a/contrib/libs/openssl/crypto/bn/bn_exp.c
+++ b/contrib/libs/openssl/crypto/bn/bn_exp.c
@@ -8,8 +8,8 @@
*/
#include "internal/cryptlib.h"
-#include "internal/constant_time.h"
-#include "bn_local.h"
+#include "internal/constant_time.h"
+#include "bn_local.h"
#include <stdlib.h>
#ifdef _WIN32
diff --git a/contrib/libs/openssl/crypto/bn/bn_exp2.c b/contrib/libs/openssl/crypto/bn/bn_exp2.c
index 5c179e684b..e542abe46f 100644
--- a/contrib/libs/openssl/crypto/bn/bn_exp2.c
+++ b/contrib/libs/openssl/crypto/bn/bn_exp2.c
@@ -9,7 +9,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
#define TABLE_SIZE 32
diff --git a/contrib/libs/openssl/crypto/bn/bn_gcd.c b/contrib/libs/openssl/crypto/bn/bn_gcd.c
index d0b2c376d2..0941f7b97f 100644
--- a/contrib/libs/openssl/crypto/bn/bn_gcd.c
+++ b/contrib/libs/openssl/crypto/bn/bn_gcd.c
@@ -8,7 +8,7 @@
*/
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
/*
* bn_mod_inverse_no_branch is a special version of BN_mod_inverse. It does
@@ -531,115 +531,115 @@ BIGNUM *BN_mod_inverse(BIGNUM *in,
BN_CTX_free(new_ctx);
return rv;
}
-
-/*-
- * This function is based on the constant-time GCD work by Bernstein and Yang:
- * https://eprint.iacr.org/2019/266
- * Generalized fast GCD function to allow even inputs.
- * The algorithm first finds the shared powers of 2 between
- * the inputs, and removes them, reducing at least one of the
- * inputs to an odd value. Then it proceeds to calculate the GCD.
- * Before returning the resulting GCD, we take care of adding
- * back the powers of two removed at the beginning.
- * Note 1: we assume the bit length of both inputs is public information,
- * since access to top potentially leaks this information.
- */
-int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
-{
- BIGNUM *g, *temp = NULL;
- BN_ULONG mask = 0;
- int i, j, top, rlen, glen, m, bit = 1, delta = 1, cond = 0, shifts = 0, ret = 0;
-
- /* Note 2: zero input corner cases are not constant-time since they are
- * handled immediately. An attacker can run an attack under this
- * assumption without the need of side-channel information. */
- if (BN_is_zero(in_b)) {
- ret = BN_copy(r, in_a) != NULL;
- r->neg = 0;
- return ret;
- }
- if (BN_is_zero(in_a)) {
- ret = BN_copy(r, in_b) != NULL;
- r->neg = 0;
- return ret;
- }
-
- bn_check_top(in_a);
- bn_check_top(in_b);
-
- BN_CTX_start(ctx);
- temp = BN_CTX_get(ctx);
- g = BN_CTX_get(ctx);
-
- /* make r != 0, g != 0 even, so BN_rshift is not a potential nop */
- if (g == NULL
- || !BN_lshift1(g, in_b)
- || !BN_lshift1(r, in_a))
- goto err;
-
- /* find shared powers of two, i.e. "shifts" >= 1 */
- for (i = 0; i < r->dmax && i < g->dmax; i++) {
- mask = ~(r->d[i] | g->d[i]);
- for (j = 0; j < BN_BITS2; j++) {
- bit &= mask;
- shifts += bit;
- mask >>= 1;
- }
- }
-
- /* subtract shared powers of two; shifts >= 1 */
- if (!BN_rshift(r, r, shifts)
- || !BN_rshift(g, g, shifts))
- goto err;
-
- /* expand to biggest nword, with room for a possible extra word */
- top = 1 + ((r->top >= g->top) ? r->top : g->top);
- if (bn_wexpand(r, top) == NULL
- || bn_wexpand(g, top) == NULL
- || bn_wexpand(temp, top) == NULL)
- goto err;
-
- /* re arrange inputs s.t. r is odd */
- BN_consttime_swap((~r->d[0]) & 1, r, g, top);
-
- /* compute the number of iterations */
- rlen = BN_num_bits(r);
- glen = BN_num_bits(g);
- m = 4 + 3 * ((rlen >= glen) ? rlen : glen);
-
- for (i = 0; i < m; i++) {
- /* conditionally flip signs if delta is positive and g is odd */
- cond = (-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1
- /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
- & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1)));
- delta = (-cond & -delta) | ((cond - 1) & delta);
- r->neg ^= cond;
- /* swap */
- BN_consttime_swap(cond, r, g, top);
-
- /* elimination step */
- delta++;
- if (!BN_add(temp, g, r))
- goto err;
- BN_consttime_swap(g->d[0] & 1 /* g is odd */
- /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
- & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1))),
- g, temp, top);
- if (!BN_rshift1(g, g))
- goto err;
- }
-
- /* remove possible negative sign */
- r->neg = 0;
- /* add powers of 2 removed, then correct the artificial shift */
- if (!BN_lshift(r, r, shifts)
- || !BN_rshift1(r, r))
- goto err;
-
- ret = 1;
-
- err:
- BN_CTX_end(ctx);
- bn_check_top(r);
- return ret;
-}
+
+/*-
+ * This function is based on the constant-time GCD work by Bernstein and Yang:
+ * https://eprint.iacr.org/2019/266
+ * Generalized fast GCD function to allow even inputs.
+ * The algorithm first finds the shared powers of 2 between
+ * the inputs, and removes them, reducing at least one of the
+ * inputs to an odd value. Then it proceeds to calculate the GCD.
+ * Before returning the resulting GCD, we take care of adding
+ * back the powers of two removed at the beginning.
+ * Note 1: we assume the bit length of both inputs is public information,
+ * since access to top potentially leaks this information.
+ */
+int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
+{
+ BIGNUM *g, *temp = NULL;
+ BN_ULONG mask = 0;
+ int i, j, top, rlen, glen, m, bit = 1, delta = 1, cond = 0, shifts = 0, ret = 0;
+
+ /* Note 2: zero input corner cases are not constant-time since they are
+ * handled immediately. An attacker can run an attack under this
+ * assumption without the need of side-channel information. */
+ if (BN_is_zero(in_b)) {
+ ret = BN_copy(r, in_a) != NULL;
+ r->neg = 0;
+ return ret;
+ }
+ if (BN_is_zero(in_a)) {
+ ret = BN_copy(r, in_b) != NULL;
+ r->neg = 0;
+ return ret;
+ }
+
+ bn_check_top(in_a);
+ bn_check_top(in_b);
+
+ BN_CTX_start(ctx);
+ temp = BN_CTX_get(ctx);
+ g = BN_CTX_get(ctx);
+
+ /* make r != 0, g != 0 even, so BN_rshift is not a potential nop */
+ if (g == NULL
+ || !BN_lshift1(g, in_b)
+ || !BN_lshift1(r, in_a))
+ goto err;
+
+ /* find shared powers of two, i.e. "shifts" >= 1 */
+ for (i = 0; i < r->dmax && i < g->dmax; i++) {
+ mask = ~(r->d[i] | g->d[i]);
+ for (j = 0; j < BN_BITS2; j++) {
+ bit &= mask;
+ shifts += bit;
+ mask >>= 1;
+ }
+ }
+
+ /* subtract shared powers of two; shifts >= 1 */
+ if (!BN_rshift(r, r, shifts)
+ || !BN_rshift(g, g, shifts))
+ goto err;
+
+ /* expand to biggest nword, with room for a possible extra word */
+ top = 1 + ((r->top >= g->top) ? r->top : g->top);
+ if (bn_wexpand(r, top) == NULL
+ || bn_wexpand(g, top) == NULL
+ || bn_wexpand(temp, top) == NULL)
+ goto err;
+
+ /* re arrange inputs s.t. r is odd */
+ BN_consttime_swap((~r->d[0]) & 1, r, g, top);
+
+ /* compute the number of iterations */
+ rlen = BN_num_bits(r);
+ glen = BN_num_bits(g);
+ m = 4 + 3 * ((rlen >= glen) ? rlen : glen);
+
+ for (i = 0; i < m; i++) {
+ /* conditionally flip signs if delta is positive and g is odd */
+ cond = (-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1
+ /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
+ & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1)));
+ delta = (-cond & -delta) | ((cond - 1) & delta);
+ r->neg ^= cond;
+ /* swap */
+ BN_consttime_swap(cond, r, g, top);
+
+ /* elimination step */
+ delta++;
+ if (!BN_add(temp, g, r))
+ goto err;
+ BN_consttime_swap(g->d[0] & 1 /* g is odd */
+ /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
+ & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1))),
+ g, temp, top);
+ if (!BN_rshift1(g, g))
+ goto err;
+ }
+
+ /* remove possible negative sign */
+ r->neg = 0;
+ /* add powers of 2 removed, then correct the artificial shift */
+ if (!BN_lshift(r, r, shifts)
+ || !BN_rshift1(r, r))
+ goto err;
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+ bn_check_top(r);
+ return ret;
+}
diff --git a/contrib/libs/openssl/crypto/bn/bn_gf2m.c b/contrib/libs/openssl/crypto/bn/bn_gf2m.c
index 3d725c66f3..a2ea867551 100644
--- a/contrib/libs/openssl/crypto/bn/bn_gf2m.c
+++ b/contrib/libs/openssl/crypto/bn/bn_gf2m.c
@@ -12,7 +12,7 @@
#include <limits.h>
#include <stdio.h>
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
#ifndef OPENSSL_NO_EC2M
diff --git a/contrib/libs/openssl/crypto/bn/bn_intern.c b/contrib/libs/openssl/crypto/bn/bn_intern.c
index 58101fc20f..147b4fa022 100644
--- a/contrib/libs/openssl/crypto/bn/bn_intern.c
+++ b/contrib/libs/openssl/crypto/bn/bn_intern.c
@@ -8,7 +8,7 @@
*/
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
/*
* Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
diff --git a/contrib/libs/openssl/crypto/bn/bn_kron.c b/contrib/libs/openssl/crypto/bn/bn_kron.c
index dcd0bc72ff..c1e09d2721 100644
--- a/contrib/libs/openssl/crypto/bn/bn_kron.c
+++ b/contrib/libs/openssl/crypto/bn/bn_kron.c
@@ -8,7 +8,7 @@
*/
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
/* least significant word */
#define BN_lsw(n) (((n)->top == 0) ? (BN_ULONG) 0 : (n)->d[0])
diff --git a/contrib/libs/openssl/crypto/bn/bn_lib.c b/contrib/libs/openssl/crypto/bn/bn_lib.c
index d66eb1ba2c..eb4a31849b 100644
--- a/contrib/libs/openssl/crypto/bn/bn_lib.c
+++ b/contrib/libs/openssl/crypto/bn/bn_lib.c
@@ -10,9 +10,9 @@
#include <assert.h>
#include <limits.h>
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
#include <openssl/opensslconf.h>
-#include "internal/constant_time.h"
+#include "internal/constant_time.h"
/* This stuff appears to be completely unused, so is deprecated */
#if OPENSSL_API_COMPAT < 0x00908000L
diff --git a/contrib/libs/openssl/crypto/bn/bn_local.h b/contrib/libs/openssl/crypto/bn/bn_local.h
index adf52da2e0..8ad69ccd36 100644
--- a/contrib/libs/openssl/crypto/bn/bn_local.h
+++ b/contrib/libs/openssl/crypto/bn/bn_local.h
@@ -1,668 +1,668 @@
-/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OSSL_CRYPTO_BN_LOCAL_H
-# define OSSL_CRYPTO_BN_LOCAL_H
-
-/*
- * The EDK2 build doesn't use bn_conf.h; it sets THIRTY_TWO_BIT or
- * SIXTY_FOUR_BIT in its own environment since it doesn't re-run our
- * Configure script and needs to support both 32-bit and 64-bit.
- */
-# include <openssl/opensslconf.h>
-
-# if !defined(OPENSSL_SYS_UEFI)
-# include "crypto/bn_conf.h"
-# endif
-
-# include "crypto/bn.h"
-
-/*
- * These preprocessor symbols control various aspects of the bignum headers
- * and library code. They're not defined by any "normal" configuration, as
- * they are intended for development and testing purposes. NB: defining all
- * three can be useful for debugging application code as well as openssl
- * itself. BN_DEBUG - turn on various debugging alterations to the bignum
- * code BN_DEBUG_RAND - uses random poisoning of unused words to trip up
- * mismanagement of bignum internals. You must also define BN_DEBUG.
- */
-/* #define BN_DEBUG */
-/* #define BN_DEBUG_RAND */
-
-# ifndef OPENSSL_SMALL_FOOTPRINT
-# define BN_MUL_COMBA
-# define BN_SQR_COMBA
-# define BN_RECURSION
-# endif
-
-/*
- * This next option uses the C libraries (2 word)/(1 word) function. If it is
- * not defined, I use my C version (which is slower). The reason for this
- * flag is that when the particular C compiler library routine is used, and
- * the library is linked with a different compiler, the library is missing.
- * This mostly happens when the library is built with gcc and then linked
- * using normal cc. This would be a common occurrence because gcc normally
- * produces code that is 2 times faster than system compilers for the big
- * number stuff. For machines with only one compiler (or shared libraries),
- * this should be on. Again this in only really a problem on machines using
- * "long long's", are 32bit, and are not using my assembler code.
- */
-# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || \
- defined(OPENSSL_SYS_WIN32) || defined(linux)
-# define BN_DIV2W
-# endif
-
-/*
- * 64-bit processor with LP64 ABI
- */
-# ifdef SIXTY_FOUR_BIT_LONG
-# define BN_ULLONG unsigned long long
-# define BN_BITS4 32
-# define BN_MASK2 (0xffffffffffffffffL)
-# define BN_MASK2l (0xffffffffL)
-# define BN_MASK2h (0xffffffff00000000L)
-# define BN_MASK2h1 (0xffffffff80000000L)
-# define BN_DEC_CONV (10000000000000000000UL)
-# define BN_DEC_NUM 19
-# define BN_DEC_FMT1 "%lu"
-# define BN_DEC_FMT2 "%019lu"
-# endif
-
-/*
- * 64-bit processor other than LP64 ABI
- */
-# ifdef SIXTY_FOUR_BIT
-# undef BN_LLONG
-# undef BN_ULLONG
-# define BN_BITS4 32
-# define BN_MASK2 (0xffffffffffffffffLL)
-# define BN_MASK2l (0xffffffffL)
-# define BN_MASK2h (0xffffffff00000000LL)
-# define BN_MASK2h1 (0xffffffff80000000LL)
-# define BN_DEC_CONV (10000000000000000000ULL)
-# define BN_DEC_NUM 19
-# define BN_DEC_FMT1 "%llu"
-# define BN_DEC_FMT2 "%019llu"
-# endif
-
-# ifdef THIRTY_TWO_BIT
-# ifdef BN_LLONG
-# if defined(_WIN32) && !defined(__GNUC__)
-# define BN_ULLONG unsigned __int64
-# else
-# define BN_ULLONG unsigned long long
-# endif
-# endif
-# define BN_BITS4 16
-# define BN_MASK2 (0xffffffffL)
-# define BN_MASK2l (0xffff)
-# define BN_MASK2h1 (0xffff8000L)
-# define BN_MASK2h (0xffff0000L)
-# define BN_DEC_CONV (1000000000L)
-# define BN_DEC_NUM 9
-# define BN_DEC_FMT1 "%u"
-# define BN_DEC_FMT2 "%09u"
-# endif
-
-
-/*-
- * Bignum consistency macros
- * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
- * bignum data after direct manipulations on the data. There is also an
- * "internal" macro, bn_check_top(), for verifying that there are no leading
- * zeroes. Unfortunately, some auditing is required due to the fact that
- * bn_fix_top() has become an overabused duct-tape because bignum data is
- * occasionally passed around in an inconsistent state. So the following
- * changes have been made to sort this out;
- * - bn_fix_top()s implementation has been moved to bn_correct_top()
- * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and
- * bn_check_top() is as before.
- * - if BN_DEBUG *is* defined;
- * - bn_check_top() tries to pollute unused words even if the bignum 'top' is
- * consistent. (ed: only if BN_DEBUG_RAND is defined)
- * - bn_fix_top() maps to bn_check_top() rather than "fixing" anything.
- * The idea is to have debug builds flag up inconsistent bignums when they
- * occur. If that occurs in a bn_fix_top(), we examine the code in question; if
- * the use of bn_fix_top() was appropriate (ie. it follows directly after code
- * that manipulates the bignum) it is converted to bn_correct_top(), and if it
- * was not appropriate, we convert it permanently to bn_check_top() and track
- * down the cause of the bug. Eventually, no internal code should be using the
- * bn_fix_top() macro. External applications and libraries should try this with
- * their own code too, both in terms of building against the openssl headers
- * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it
- * defined. This not only improves external code, it provides more test
- * coverage for openssl's own code.
- */
-
-# ifdef BN_DEBUG
-/*
- * The new BN_FLG_FIXED_TOP flag marks vectors that were not treated with
- * bn_correct_top, in other words such vectors are permitted to have zeros
- * in most significant limbs. Such vectors are used internally to achieve
- * execution time invariance for critical operations with private keys.
- * It's BN_DEBUG-only flag, because user application is not supposed to
- * observe it anyway. Moreover, optimizing compiler would actually remove
- * all operations manipulating the bit in question in non-BN_DEBUG build.
- */
-# define BN_FLG_FIXED_TOP 0x10000
-# ifdef BN_DEBUG_RAND
-# define bn_pollute(a) \
- do { \
- const BIGNUM *_bnum1 = (a); \
- if (_bnum1->top < _bnum1->dmax) { \
- unsigned char _tmp_char; \
- /* We cast away const without the compiler knowing, any \
- * *genuinely* constant variables that aren't mutable \
- * wouldn't be constructed with top!=dmax. */ \
- BN_ULONG *_not_const; \
- memcpy(&_not_const, &_bnum1->d, sizeof(_not_const)); \
- RAND_bytes(&_tmp_char, 1); /* Debug only - safe to ignore error return */\
- memset(_not_const + _bnum1->top, _tmp_char, \
- sizeof(*_not_const) * (_bnum1->dmax - _bnum1->top)); \
- } \
- } while(0)
-# else
-# define bn_pollute(a)
-# endif
-# define bn_check_top(a) \
- do { \
- const BIGNUM *_bnum2 = (a); \
- if (_bnum2 != NULL) { \
- int _top = _bnum2->top; \
- (void)ossl_assert((_top == 0 && !_bnum2->neg) || \
- (_top && ((_bnum2->flags & BN_FLG_FIXED_TOP) \
- || _bnum2->d[_top - 1] != 0))); \
- bn_pollute(_bnum2); \
- } \
- } while(0)
-
-# define bn_fix_top(a) bn_check_top(a)
-
-# define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
-# define bn_wcheck_size(bn, words) \
- do { \
- const BIGNUM *_bnum2 = (bn); \
- assert((words) <= (_bnum2)->dmax && \
- (words) >= (_bnum2)->top); \
- /* avoid unused variable warning with NDEBUG */ \
- (void)(_bnum2); \
- } while(0)
-
-# else /* !BN_DEBUG */
-
-# define BN_FLG_FIXED_TOP 0
-# define bn_pollute(a)
-# define bn_check_top(a)
-# define bn_fix_top(a) bn_correct_top(a)
-# define bn_check_size(bn, bits)
-# define bn_wcheck_size(bn, words)
-
-# endif
-
-BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
- BN_ULONG w);
-BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
-void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
-BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
-BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
- int num);
-BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
- int num);
-
-struct bignum_st {
- BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit
- * chunks. */
- int top; /* Index of last used d +1. */
- /* The next are internal book keeping for bn_expand. */
- int dmax; /* Size of the d array. */
- int neg; /* one if the number is negative */
- int flags;
-};
-
-/* Used for montgomery multiplication */
-struct bn_mont_ctx_st {
- int ri; /* number of bits in R */
- BIGNUM RR; /* used to convert to montgomery form,
- possibly zero-padded */
- BIGNUM N; /* The modulus */
- BIGNUM Ni; /* R*(1/R mod N) - N*Ni = 1 (Ni is only
- * stored for bignum algorithm) */
- BN_ULONG n0[2]; /* least significant word(s) of Ni; (type
- * changed with 0.9.9, was "BN_ULONG n0;"
- * before) */
- int flags;
-};
-
-/*
- * Used for reciprocal division/mod functions It cannot be shared between
- * threads
- */
-struct bn_recp_ctx_st {
- BIGNUM N; /* the divisor */
- BIGNUM Nr; /* the reciprocal */
- int num_bits;
- int shift;
- int flags;
-};
-
-/* Used for slow "generation" functions. */
-struct bn_gencb_st {
- unsigned int ver; /* To handle binary (in)compatibility */
- void *arg; /* callback-specific data */
- union {
- /* if (ver==1) - handles old style callbacks */
- void (*cb_1) (int, int, void *);
- /* if (ver==2) - new callback style */
- int (*cb_2) (int, int, BN_GENCB *);
- } cb;
-};
-
-/*-
- * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
- *
- *
- * For window size 'w' (w >= 2) and a random 'b' bits exponent,
- * the number of multiplications is a constant plus on average
- *
- * 2^(w-1) + (b-w)/(w+1);
- *
- * here 2^(w-1) is for precomputing the table (we actually need
- * entries only for windows that have the lowest bit set), and
- * (b-w)/(w+1) is an approximation for the expected number of
- * w-bit windows, not counting the first one.
- *
- * Thus we should use
- *
- * w >= 6 if b > 671
- * w = 5 if 671 > b > 239
- * w = 4 if 239 > b > 79
- * w = 3 if 79 > b > 23
- * w <= 2 if 23 > b
- *
- * (with draws in between). Very small exponents are often selected
- * with low Hamming weight, so we use w = 1 for b <= 23.
- */
-# define BN_window_bits_for_exponent_size(b) \
- ((b) > 671 ? 6 : \
- (b) > 239 ? 5 : \
- (b) > 79 ? 4 : \
- (b) > 23 ? 3 : 1)
-
-/*
- * BN_mod_exp_mont_consttime is based on the assumption that the L1 data cache
- * line width of the target processor is at least the following value.
- */
-# define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 )
-# define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
-
-/*
- * Window sizes optimized for fixed window size modular exponentiation
- * algorithm (BN_mod_exp_mont_consttime). To achieve the security goals of
- * BN_mode_exp_mont_consttime, the maximum size of the window must not exceed
- * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH). Window size thresholds are
- * defined for cache line sizes of 32 and 64, cache line sizes where
- * log_2(32)=5 and log_2(64)=6 respectively. A window size of 7 should only be
- * used on processors that have a 128 byte or greater cache line size.
- */
-# if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
-
-# define BN_window_bits_for_ctime_exponent_size(b) \
- ((b) > 937 ? 6 : \
- (b) > 306 ? 5 : \
- (b) > 89 ? 4 : \
- (b) > 22 ? 3 : 1)
-# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (6)
-
-# elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32
-
-# define BN_window_bits_for_ctime_exponent_size(b) \
- ((b) > 306 ? 5 : \
- (b) > 89 ? 4 : \
- (b) > 22 ? 3 : 1)
-# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (5)
-
-# endif
-
-/* Pentium pro 16,16,16,32,64 */
-/* Alpha 16,16,16,16.64 */
-# define BN_MULL_SIZE_NORMAL (16)/* 32 */
-# define BN_MUL_RECURSIVE_SIZE_NORMAL (16)/* 32 less than */
-# define BN_SQR_RECURSIVE_SIZE_NORMAL (16)/* 32 */
-# define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32)/* 32 */
-# define BN_MONT_CTX_SET_SIZE_WORD (64)/* 32 */
-
-/*
- * 2011-02-22 SMS. In various places, a size_t variable or a type cast to
- * size_t was used to perform integer-only operations on pointers. This
- * failed on VMS with 64-bit pointers (CC /POINTER_SIZE = 64) because size_t
- * is still only 32 bits. What's needed in these cases is an integer type
- * with the same size as a pointer, which size_t is not certain to be. The
- * only fix here is VMS-specific.
- */
-# if defined(OPENSSL_SYS_VMS)
-# if __INITIAL_POINTER_SIZE == 64
-# define PTR_SIZE_INT long long
-# else /* __INITIAL_POINTER_SIZE == 64 */
-# define PTR_SIZE_INT int
-# endif /* __INITIAL_POINTER_SIZE == 64 [else] */
-# elif !defined(PTR_SIZE_INT) /* defined(OPENSSL_SYS_VMS) */
-# define PTR_SIZE_INT size_t
-# endif /* defined(OPENSSL_SYS_VMS) [else] */
-
-# if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
-/*
- * BN_UMULT_HIGH section.
- * If the compiler doesn't support 2*N integer type, then you have to
- * replace every N*N multiplication with 4 (N/2)*(N/2) accompanied by some
- * shifts and additions which unavoidably results in severe performance
- * penalties. Of course provided that the hardware is capable of producing
- * 2*N result... That's when you normally start considering assembler
- * implementation. However! It should be pointed out that some CPUs (e.g.,
- * PowerPC, Alpha, and IA-64) provide *separate* instruction calculating
- * the upper half of the product placing the result into a general
- * purpose register. Now *if* the compiler supports inline assembler,
- * then it's not impossible to implement the "bignum" routines (and have
- * the compiler optimize 'em) exhibiting "native" performance in C. That's
- * what BN_UMULT_HIGH macro is about:-) Note that more recent compilers do
- * support 2*64 integer type, which is also used here.
- */
-# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16 && \
- (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
-# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64)
-# define BN_UMULT_LOHI(low,high,a,b) ({ \
- __uint128_t ret=(__uint128_t)(a)*(b); \
- (high)=ret>>64; (low)=ret; })
-# elif defined(__alpha) && (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
-# if defined(__DECC)
-# include <c_asm.h>
-# define BN_UMULT_HIGH(a,b) (BN_ULONG)asm("umulh %a0,%a1,%v0",(a),(b))
-# elif defined(__GNUC__) && __GNUC__>=2
-# define BN_UMULT_HIGH(a,b) ({ \
- register BN_ULONG ret; \
- asm ("umulh %1,%2,%0" \
- : "=r"(ret) \
- : "r"(a), "r"(b)); \
- ret; })
-# endif /* compiler */
-# elif defined(_ARCH_PPC64) && defined(SIXTY_FOUR_BIT_LONG)
-# if defined(__GNUC__) && __GNUC__>=2
-# define BN_UMULT_HIGH(a,b) ({ \
- register BN_ULONG ret; \
- asm ("mulhdu %0,%1,%2" \
- : "=r"(ret) \
- : "r"(a), "r"(b)); \
- ret; })
-# endif /* compiler */
-# elif (defined(__x86_64) || defined(__x86_64__)) && \
- (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
-# if defined(__GNUC__) && __GNUC__>=2
-# define BN_UMULT_HIGH(a,b) ({ \
- register BN_ULONG ret,discard; \
- asm ("mulq %3" \
- : "=a"(discard),"=d"(ret) \
- : "a"(a), "g"(b) \
- : "cc"); \
- ret; })
-# define BN_UMULT_LOHI(low,high,a,b) \
- asm ("mulq %3" \
- : "=a"(low),"=d"(high) \
- : "a"(a),"g"(b) \
- : "cc");
-# endif
-# elif (defined(_M_AMD64) || defined(_M_X64)) && defined(SIXTY_FOUR_BIT)
-# if defined(_MSC_VER) && _MSC_VER>=1400
-unsigned __int64 __umulh(unsigned __int64 a, unsigned __int64 b);
-unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
- unsigned __int64 *h);
-# pragma intrinsic(__umulh,_umul128)
-# define BN_UMULT_HIGH(a,b) __umulh((a),(b))
-# define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high)))
-# endif
-# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
-# if defined(__GNUC__) && __GNUC__>=2
-# define BN_UMULT_HIGH(a,b) ({ \
- register BN_ULONG ret; \
- asm ("dmultu %1,%2" \
- : "=h"(ret) \
- : "r"(a), "r"(b) : "l"); \
- ret; })
-# define BN_UMULT_LOHI(low,high,a,b) \
- asm ("dmultu %2,%3" \
- : "=l"(low),"=h"(high) \
- : "r"(a), "r"(b));
-# endif
-# elif defined(__aarch64__) && defined(SIXTY_FOUR_BIT_LONG)
-# if defined(__GNUC__) && __GNUC__>=2
-# define BN_UMULT_HIGH(a,b) ({ \
- register BN_ULONG ret; \
- asm ("umulh %0,%1,%2" \
- : "=r"(ret) \
- : "r"(a), "r"(b)); \
- ret; })
-# endif
-# endif /* cpu */
-# endif /* OPENSSL_NO_ASM */
-
-# ifdef BN_DEBUG_RAND
-# define bn_clear_top2max(a) \
- { \
- int ind = (a)->dmax - (a)->top; \
- BN_ULONG *ftl = &(a)->d[(a)->top-1]; \
- for (; ind != 0; ind--) \
- *(++ftl) = 0x0; \
- }
-# else
-# define bn_clear_top2max(a)
-# endif
-
-# ifdef BN_LLONG
-/*******************************************************************
- * Using the long long type, has to be twice as wide as BN_ULONG...
- */
-# define Lw(t) (((BN_ULONG)(t))&BN_MASK2)
-# define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
-
-# define mul_add(r,a,w,c) { \
- BN_ULLONG t; \
- t=(BN_ULLONG)w * (a) + (r) + (c); \
- (r)= Lw(t); \
- (c)= Hw(t); \
- }
-
-# define mul(r,a,w,c) { \
- BN_ULLONG t; \
- t=(BN_ULLONG)w * (a) + (c); \
- (r)= Lw(t); \
- (c)= Hw(t); \
- }
-
-# define sqr(r0,r1,a) { \
- BN_ULLONG t; \
- t=(BN_ULLONG)(a)*(a); \
- (r0)=Lw(t); \
- (r1)=Hw(t); \
- }
-
-# elif defined(BN_UMULT_LOHI)
-# define mul_add(r,a,w,c) { \
- BN_ULONG high,low,ret,tmp=(a); \
- ret = (r); \
- BN_UMULT_LOHI(low,high,w,tmp); \
- ret += (c); \
- (c) = (ret<(c))?1:0; \
- (c) += high; \
- ret += low; \
- (c) += (ret<low)?1:0; \
- (r) = ret; \
- }
-
-# define mul(r,a,w,c) { \
- BN_ULONG high,low,ret,ta=(a); \
- BN_UMULT_LOHI(low,high,w,ta); \
- ret = low + (c); \
- (c) = high; \
- (c) += (ret<low)?1:0; \
- (r) = ret; \
- }
-
-# define sqr(r0,r1,a) { \
- BN_ULONG tmp=(a); \
- BN_UMULT_LOHI(r0,r1,tmp,tmp); \
- }
-
-# elif defined(BN_UMULT_HIGH)
-# define mul_add(r,a,w,c) { \
- BN_ULONG high,low,ret,tmp=(a); \
- ret = (r); \
- high= BN_UMULT_HIGH(w,tmp); \
- ret += (c); \
- low = (w) * tmp; \
- (c) = (ret<(c))?1:0; \
- (c) += high; \
- ret += low; \
- (c) += (ret<low)?1:0; \
- (r) = ret; \
- }
-
-# define mul(r,a,w,c) { \
- BN_ULONG high,low,ret,ta=(a); \
- low = (w) * ta; \
- high= BN_UMULT_HIGH(w,ta); \
- ret = low + (c); \
- (c) = high; \
- (c) += (ret<low)?1:0; \
- (r) = ret; \
- }
-
-# define sqr(r0,r1,a) { \
- BN_ULONG tmp=(a); \
- (r0) = tmp * tmp; \
- (r1) = BN_UMULT_HIGH(tmp,tmp); \
- }
-
-# else
-/*************************************************************
- * No long long type
- */
-
-# define LBITS(a) ((a)&BN_MASK2l)
-# define HBITS(a) (((a)>>BN_BITS4)&BN_MASK2l)
-# define L2HBITS(a) (((a)<<BN_BITS4)&BN_MASK2)
-
-# define LLBITS(a) ((a)&BN_MASKl)
-# define LHBITS(a) (((a)>>BN_BITS2)&BN_MASKl)
-# define LL2HBITS(a) ((BN_ULLONG)((a)&BN_MASKl)<<BN_BITS2)
-
-# define mul64(l,h,bl,bh) \
- { \
- BN_ULONG m,m1,lt,ht; \
- \
- lt=l; \
- ht=h; \
- m =(bh)*(lt); \
- lt=(bl)*(lt); \
- m1=(bl)*(ht); \
- ht =(bh)*(ht); \
- m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \
- ht+=HBITS(m); \
- m1=L2HBITS(m); \
- lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \
- (l)=lt; \
- (h)=ht; \
- }
-
-# define sqr64(lo,ho,in) \
- { \
- BN_ULONG l,h,m; \
- \
- h=(in); \
- l=LBITS(h); \
- h=HBITS(h); \
- m =(l)*(h); \
- l*=l; \
- h*=h; \
- h+=(m&BN_MASK2h1)>>(BN_BITS4-1); \
- m =(m&BN_MASK2l)<<(BN_BITS4+1); \
- l=(l+m)&BN_MASK2; if (l < m) h++; \
- (lo)=l; \
- (ho)=h; \
- }
-
-# define mul_add(r,a,bl,bh,c) { \
- BN_ULONG l,h; \
- \
- h= (a); \
- l=LBITS(h); \
- h=HBITS(h); \
- mul64(l,h,(bl),(bh)); \
- \
- /* non-multiply part */ \
- l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
- (c)=(r); \
- l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
- (c)=h&BN_MASK2; \
- (r)=l; \
- }
-
-# define mul(r,a,bl,bh,c) { \
- BN_ULONG l,h; \
- \
- h= (a); \
- l=LBITS(h); \
- h=HBITS(h); \
- mul64(l,h,(bl),(bh)); \
- \
- /* non-multiply part */ \
- l+=(c); if ((l&BN_MASK2) < (c)) h++; \
- (c)=h&BN_MASK2; \
- (r)=l&BN_MASK2; \
- }
-# endif /* !BN_LLONG */
-
-void BN_RECP_CTX_init(BN_RECP_CTX *recp);
-void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
-
-void bn_init(BIGNUM *a);
-void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb);
-void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
-void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
-void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp);
-void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
-void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
-int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n);
-int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl);
-void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
- int dna, int dnb, BN_ULONG *t);
-void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b,
- int n, int tna, int tnb, BN_ULONG *t);
-void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t);
-void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n);
-void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
- BN_ULONG *t);
-BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
- int cl, int dl);
-int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
- const BN_ULONG *np, const BN_ULONG *n0, int num);
-
-BIGNUM *int_bn_mod_inverse(BIGNUM *in,
- const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
- int *noinv);
-
-static ossl_inline BIGNUM *bn_expand(BIGNUM *a, int bits)
-{
- if (bits > (INT_MAX - BN_BITS2 + 1))
- return NULL;
-
- if (((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax)
- return a;
-
- return bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2);
-}
-
-#endif
+/*
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_BN_LOCAL_H
+# define OSSL_CRYPTO_BN_LOCAL_H
+
+/*
+ * The EDK2 build doesn't use bn_conf.h; it sets THIRTY_TWO_BIT or
+ * SIXTY_FOUR_BIT in its own environment since it doesn't re-run our
+ * Configure script and needs to support both 32-bit and 64-bit.
+ */
+# include <openssl/opensslconf.h>
+
+# if !defined(OPENSSL_SYS_UEFI)
+# include "crypto/bn_conf.h"
+# endif
+
+# include "crypto/bn.h"
+
+/*
+ * These preprocessor symbols control various aspects of the bignum headers
+ * and library code. They're not defined by any "normal" configuration, as
+ * they are intended for development and testing purposes. NB: defining all
+ * three can be useful for debugging application code as well as openssl
+ * itself. BN_DEBUG - turn on various debugging alterations to the bignum
+ * code BN_DEBUG_RAND - uses random poisoning of unused words to trip up
+ * mismanagement of bignum internals. You must also define BN_DEBUG.
+ */
+/* #define BN_DEBUG */
+/* #define BN_DEBUG_RAND */
+
+# ifndef OPENSSL_SMALL_FOOTPRINT
+# define BN_MUL_COMBA
+# define BN_SQR_COMBA
+# define BN_RECURSION
+# endif
+
+/*
+ * This next option uses the C libraries (2 word)/(1 word) function. If it is
+ * not defined, I use my C version (which is slower). The reason for this
+ * flag is that when the particular C compiler library routine is used, and
+ * the library is linked with a different compiler, the library is missing.
+ * This mostly happens when the library is built with gcc and then linked
+ * using normal cc. This would be a common occurrence because gcc normally
+ * produces code that is 2 times faster than system compilers for the big
+ * number stuff. For machines with only one compiler (or shared libraries),
+ * this should be on. Again this in only really a problem on machines using
+ * "long long's", are 32bit, and are not using my assembler code.
+ */
+# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || \
+ defined(OPENSSL_SYS_WIN32) || defined(linux)
+# define BN_DIV2W
+# endif
+
+/*
+ * 64-bit processor with LP64 ABI
+ */
+# ifdef SIXTY_FOUR_BIT_LONG
+# define BN_ULLONG unsigned long long
+# define BN_BITS4 32
+# define BN_MASK2 (0xffffffffffffffffL)
+# define BN_MASK2l (0xffffffffL)
+# define BN_MASK2h (0xffffffff00000000L)
+# define BN_MASK2h1 (0xffffffff80000000L)
+# define BN_DEC_CONV (10000000000000000000UL)
+# define BN_DEC_NUM 19
+# define BN_DEC_FMT1 "%lu"
+# define BN_DEC_FMT2 "%019lu"
+# endif
+
+/*
+ * 64-bit processor other than LP64 ABI
+ */
+# ifdef SIXTY_FOUR_BIT
+# undef BN_LLONG
+# undef BN_ULLONG
+# define BN_BITS4 32
+# define BN_MASK2 (0xffffffffffffffffLL)
+# define BN_MASK2l (0xffffffffL)
+# define BN_MASK2h (0xffffffff00000000LL)
+# define BN_MASK2h1 (0xffffffff80000000LL)
+# define BN_DEC_CONV (10000000000000000000ULL)
+# define BN_DEC_NUM 19
+# define BN_DEC_FMT1 "%llu"
+# define BN_DEC_FMT2 "%019llu"
+# endif
+
+# ifdef THIRTY_TWO_BIT
+# ifdef BN_LLONG
+# if defined(_WIN32) && !defined(__GNUC__)
+# define BN_ULLONG unsigned __int64
+# else
+# define BN_ULLONG unsigned long long
+# endif
+# endif
+# define BN_BITS4 16
+# define BN_MASK2 (0xffffffffL)
+# define BN_MASK2l (0xffff)
+# define BN_MASK2h1 (0xffff8000L)
+# define BN_MASK2h (0xffff0000L)
+# define BN_DEC_CONV (1000000000L)
+# define BN_DEC_NUM 9
+# define BN_DEC_FMT1 "%u"
+# define BN_DEC_FMT2 "%09u"
+# endif
+
+
+/*-
+ * Bignum consistency macros
+ * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
+ * bignum data after direct manipulations on the data. There is also an
+ * "internal" macro, bn_check_top(), for verifying that there are no leading
+ * zeroes. Unfortunately, some auditing is required due to the fact that
+ * bn_fix_top() has become an overabused duct-tape because bignum data is
+ * occasionally passed around in an inconsistent state. So the following
+ * changes have been made to sort this out;
+ * - bn_fix_top()s implementation has been moved to bn_correct_top()
+ * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and
+ * bn_check_top() is as before.
+ * - if BN_DEBUG *is* defined;
+ * - bn_check_top() tries to pollute unused words even if the bignum 'top' is
+ * consistent. (ed: only if BN_DEBUG_RAND is defined)
+ * - bn_fix_top() maps to bn_check_top() rather than "fixing" anything.
+ * The idea is to have debug builds flag up inconsistent bignums when they
+ * occur. If that occurs in a bn_fix_top(), we examine the code in question; if
+ * the use of bn_fix_top() was appropriate (ie. it follows directly after code
+ * that manipulates the bignum) it is converted to bn_correct_top(), and if it
+ * was not appropriate, we convert it permanently to bn_check_top() and track
+ * down the cause of the bug. Eventually, no internal code should be using the
+ * bn_fix_top() macro. External applications and libraries should try this with
+ * their own code too, both in terms of building against the openssl headers
+ * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it
+ * defined. This not only improves external code, it provides more test
+ * coverage for openssl's own code.
+ */
+
+# ifdef BN_DEBUG
+/*
+ * The new BN_FLG_FIXED_TOP flag marks vectors that were not treated with
+ * bn_correct_top, in other words such vectors are permitted to have zeros
+ * in most significant limbs. Such vectors are used internally to achieve
+ * execution time invariance for critical operations with private keys.
+ * It's BN_DEBUG-only flag, because user application is not supposed to
+ * observe it anyway. Moreover, optimizing compiler would actually remove
+ * all operations manipulating the bit in question in non-BN_DEBUG build.
+ */
+# define BN_FLG_FIXED_TOP 0x10000
+# ifdef BN_DEBUG_RAND
+# define bn_pollute(a) \
+ do { \
+ const BIGNUM *_bnum1 = (a); \
+ if (_bnum1->top < _bnum1->dmax) { \
+ unsigned char _tmp_char; \
+ /* We cast away const without the compiler knowing, any \
+ * *genuinely* constant variables that aren't mutable \
+ * wouldn't be constructed with top!=dmax. */ \
+ BN_ULONG *_not_const; \
+ memcpy(&_not_const, &_bnum1->d, sizeof(_not_const)); \
+ RAND_bytes(&_tmp_char, 1); /* Debug only - safe to ignore error return */\
+ memset(_not_const + _bnum1->top, _tmp_char, \
+ sizeof(*_not_const) * (_bnum1->dmax - _bnum1->top)); \
+ } \
+ } while(0)
+# else
+# define bn_pollute(a)
+# endif
+# define bn_check_top(a) \
+ do { \
+ const BIGNUM *_bnum2 = (a); \
+ if (_bnum2 != NULL) { \
+ int _top = _bnum2->top; \
+ (void)ossl_assert((_top == 0 && !_bnum2->neg) || \
+ (_top && ((_bnum2->flags & BN_FLG_FIXED_TOP) \
+ || _bnum2->d[_top - 1] != 0))); \
+ bn_pollute(_bnum2); \
+ } \
+ } while(0)
+
+# define bn_fix_top(a) bn_check_top(a)
+
+# define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
+# define bn_wcheck_size(bn, words) \
+ do { \
+ const BIGNUM *_bnum2 = (bn); \
+ assert((words) <= (_bnum2)->dmax && \
+ (words) >= (_bnum2)->top); \
+ /* avoid unused variable warning with NDEBUG */ \
+ (void)(_bnum2); \
+ } while(0)
+
+# else /* !BN_DEBUG */
+
+# define BN_FLG_FIXED_TOP 0
+# define bn_pollute(a)
+# define bn_check_top(a)
+# define bn_fix_top(a) bn_correct_top(a)
+# define bn_check_size(bn, bits)
+# define bn_wcheck_size(bn, words)
+
+# endif
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
+ BN_ULONG w);
+BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
+void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
+BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ int num);
+BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ int num);
+
+struct bignum_st {
+ BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit
+ * chunks. */
+ int top; /* Index of last used d +1. */
+ /* The next are internal book keeping for bn_expand. */
+ int dmax; /* Size of the d array. */
+ int neg; /* one if the number is negative */
+ int flags;
+};
+
+/* Used for montgomery multiplication */
+struct bn_mont_ctx_st {
+ int ri; /* number of bits in R */
+ BIGNUM RR; /* used to convert to montgomery form,
+ possibly zero-padded */
+ BIGNUM N; /* The modulus */
+ BIGNUM Ni; /* R*(1/R mod N) - N*Ni = 1 (Ni is only
+ * stored for bignum algorithm) */
+ BN_ULONG n0[2]; /* least significant word(s) of Ni; (type
+ * changed with 0.9.9, was "BN_ULONG n0;"
+ * before) */
+ int flags;
+};
+
+/*
+ * Used for reciprocal division/mod functions It cannot be shared between
+ * threads
+ */
+struct bn_recp_ctx_st {
+ BIGNUM N; /* the divisor */
+ BIGNUM Nr; /* the reciprocal */
+ int num_bits;
+ int shift;
+ int flags;
+};
+
+/* Used for slow "generation" functions. */
+struct bn_gencb_st {
+ unsigned int ver; /* To handle binary (in)compatibility */
+ void *arg; /* callback-specific data */
+ union {
+ /* if (ver==1) - handles old style callbacks */
+ void (*cb_1) (int, int, void *);
+ /* if (ver==2) - new callback style */
+ int (*cb_2) (int, int, BN_GENCB *);
+ } cb;
+};
+
+/*-
+ * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
+ *
+ *
+ * For window size 'w' (w >= 2) and a random 'b' bits exponent,
+ * the number of multiplications is a constant plus on average
+ *
+ * 2^(w-1) + (b-w)/(w+1);
+ *
+ * here 2^(w-1) is for precomputing the table (we actually need
+ * entries only for windows that have the lowest bit set), and
+ * (b-w)/(w+1) is an approximation for the expected number of
+ * w-bit windows, not counting the first one.
+ *
+ * Thus we should use
+ *
+ * w >= 6 if b > 671
+ * w = 5 if 671 > b > 239
+ * w = 4 if 239 > b > 79
+ * w = 3 if 79 > b > 23
+ * w <= 2 if 23 > b
+ *
+ * (with draws in between). Very small exponents are often selected
+ * with low Hamming weight, so we use w = 1 for b <= 23.
+ */
+# define BN_window_bits_for_exponent_size(b) \
+ ((b) > 671 ? 6 : \
+ (b) > 239 ? 5 : \
+ (b) > 79 ? 4 : \
+ (b) > 23 ? 3 : 1)
+
+/*
+ * BN_mod_exp_mont_consttime is based on the assumption that the L1 data cache
+ * line width of the target processor is at least the following value.
+ */
+# define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 )
+# define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
+
+/*
+ * Window sizes optimized for fixed window size modular exponentiation
+ * algorithm (BN_mod_exp_mont_consttime). To achieve the security goals of
+ * BN_mode_exp_mont_consttime, the maximum size of the window must not exceed
+ * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH). Window size thresholds are
+ * defined for cache line sizes of 32 and 64, cache line sizes where
+ * log_2(32)=5 and log_2(64)=6 respectively. A window size of 7 should only be
+ * used on processors that have a 128 byte or greater cache line size.
+ */
+# if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
+
+# define BN_window_bits_for_ctime_exponent_size(b) \
+ ((b) > 937 ? 6 : \
+ (b) > 306 ? 5 : \
+ (b) > 89 ? 4 : \
+ (b) > 22 ? 3 : 1)
+# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (6)
+
+# elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32
+
+# define BN_window_bits_for_ctime_exponent_size(b) \
+ ((b) > 306 ? 5 : \
+ (b) > 89 ? 4 : \
+ (b) > 22 ? 3 : 1)
+# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (5)
+
+# endif
+
+/* Pentium pro 16,16,16,32,64 */
+/* Alpha 16,16,16,16.64 */
+# define BN_MULL_SIZE_NORMAL (16)/* 32 */
+# define BN_MUL_RECURSIVE_SIZE_NORMAL (16)/* 32 less than */
+# define BN_SQR_RECURSIVE_SIZE_NORMAL (16)/* 32 */
+# define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32)/* 32 */
+# define BN_MONT_CTX_SET_SIZE_WORD (64)/* 32 */
+
+/*
+ * 2011-02-22 SMS. In various places, a size_t variable or a type cast to
+ * size_t was used to perform integer-only operations on pointers. This
+ * failed on VMS with 64-bit pointers (CC /POINTER_SIZE = 64) because size_t
+ * is still only 32 bits. What's needed in these cases is an integer type
+ * with the same size as a pointer, which size_t is not certain to be. The
+ * only fix here is VMS-specific.
+ */
+# if defined(OPENSSL_SYS_VMS)
+# if __INITIAL_POINTER_SIZE == 64
+# define PTR_SIZE_INT long long
+# else /* __INITIAL_POINTER_SIZE == 64 */
+# define PTR_SIZE_INT int
+# endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+# elif !defined(PTR_SIZE_INT) /* defined(OPENSSL_SYS_VMS) */
+# define PTR_SIZE_INT size_t
+# endif /* defined(OPENSSL_SYS_VMS) [else] */
+
+# if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
+/*
+ * BN_UMULT_HIGH section.
+ * If the compiler doesn't support 2*N integer type, then you have to
+ * replace every N*N multiplication with 4 (N/2)*(N/2) accompanied by some
+ * shifts and additions which unavoidably results in severe performance
+ * penalties. Of course provided that the hardware is capable of producing
+ * 2*N result... That's when you normally start considering assembler
+ * implementation. However! It should be pointed out that some CPUs (e.g.,
+ * PowerPC, Alpha, and IA-64) provide *separate* instruction calculating
+ * the upper half of the product placing the result into a general
+ * purpose register. Now *if* the compiler supports inline assembler,
+ * then it's not impossible to implement the "bignum" routines (and have
+ * the compiler optimize 'em) exhibiting "native" performance in C. That's
+ * what BN_UMULT_HIGH macro is about:-) Note that more recent compilers do
+ * support 2*64 integer type, which is also used here.
+ */
+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16 && \
+ (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
+# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64)
+# define BN_UMULT_LOHI(low,high,a,b) ({ \
+ __uint128_t ret=(__uint128_t)(a)*(b); \
+ (high)=ret>>64; (low)=ret; })
+# elif defined(__alpha) && (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
+# if defined(__DECC)
+# include <c_asm.h>
+# define BN_UMULT_HIGH(a,b) (BN_ULONG)asm("umulh %a0,%a1,%v0",(a),(b))
+# elif defined(__GNUC__) && __GNUC__>=2
+# define BN_UMULT_HIGH(a,b) ({ \
+ register BN_ULONG ret; \
+ asm ("umulh %1,%2,%0" \
+ : "=r"(ret) \
+ : "r"(a), "r"(b)); \
+ ret; })
+# endif /* compiler */
+# elif defined(_ARCH_PPC64) && defined(SIXTY_FOUR_BIT_LONG)
+# if defined(__GNUC__) && __GNUC__>=2
+# define BN_UMULT_HIGH(a,b) ({ \
+ register BN_ULONG ret; \
+ asm ("mulhdu %0,%1,%2" \
+ : "=r"(ret) \
+ : "r"(a), "r"(b)); \
+ ret; })
+# endif /* compiler */
+# elif (defined(__x86_64) || defined(__x86_64__)) && \
+ (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
+# if defined(__GNUC__) && __GNUC__>=2
+# define BN_UMULT_HIGH(a,b) ({ \
+ register BN_ULONG ret,discard; \
+ asm ("mulq %3" \
+ : "=a"(discard),"=d"(ret) \
+ : "a"(a), "g"(b) \
+ : "cc"); \
+ ret; })
+# define BN_UMULT_LOHI(low,high,a,b) \
+ asm ("mulq %3" \
+ : "=a"(low),"=d"(high) \
+ : "a"(a),"g"(b) \
+ : "cc");
+# endif
+# elif (defined(_M_AMD64) || defined(_M_X64)) && defined(SIXTY_FOUR_BIT)
+# if defined(_MSC_VER) && _MSC_VER>=1400
+unsigned __int64 __umulh(unsigned __int64 a, unsigned __int64 b);
+unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
+ unsigned __int64 *h);
+# pragma intrinsic(__umulh,_umul128)
+# define BN_UMULT_HIGH(a,b) __umulh((a),(b))
+# define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high)))
+# endif
+# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
+# if defined(__GNUC__) && __GNUC__>=2
+# define BN_UMULT_HIGH(a,b) ({ \
+ register BN_ULONG ret; \
+ asm ("dmultu %1,%2" \
+ : "=h"(ret) \
+ : "r"(a), "r"(b) : "l"); \
+ ret; })
+# define BN_UMULT_LOHI(low,high,a,b) \
+ asm ("dmultu %2,%3" \
+ : "=l"(low),"=h"(high) \
+ : "r"(a), "r"(b));
+# endif
+# elif defined(__aarch64__) && defined(SIXTY_FOUR_BIT_LONG)
+# if defined(__GNUC__) && __GNUC__>=2
+# define BN_UMULT_HIGH(a,b) ({ \
+ register BN_ULONG ret; \
+ asm ("umulh %0,%1,%2" \
+ : "=r"(ret) \
+ : "r"(a), "r"(b)); \
+ ret; })
+# endif
+# endif /* cpu */
+# endif /* OPENSSL_NO_ASM */
+
+# ifdef BN_DEBUG_RAND
+# define bn_clear_top2max(a) \
+ { \
+ int ind = (a)->dmax - (a)->top; \
+ BN_ULONG *ftl = &(a)->d[(a)->top-1]; \
+ for (; ind != 0; ind--) \
+ *(++ftl) = 0x0; \
+ }
+# else
+# define bn_clear_top2max(a)
+# endif
+
+# ifdef BN_LLONG
+/*******************************************************************
+ * Using the long long type, has to be twice as wide as BN_ULONG...
+ */
+# define Lw(t) (((BN_ULONG)(t))&BN_MASK2)
+# define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
+
+# define mul_add(r,a,w,c) { \
+ BN_ULLONG t; \
+ t=(BN_ULLONG)w * (a) + (r) + (c); \
+ (r)= Lw(t); \
+ (c)= Hw(t); \
+ }
+
+# define mul(r,a,w,c) { \
+ BN_ULLONG t; \
+ t=(BN_ULLONG)w * (a) + (c); \
+ (r)= Lw(t); \
+ (c)= Hw(t); \
+ }
+
+# define sqr(r0,r1,a) { \
+ BN_ULLONG t; \
+ t=(BN_ULLONG)(a)*(a); \
+ (r0)=Lw(t); \
+ (r1)=Hw(t); \
+ }
+
+# elif defined(BN_UMULT_LOHI)
+# define mul_add(r,a,w,c) { \
+ BN_ULONG high,low,ret,tmp=(a); \
+ ret = (r); \
+ BN_UMULT_LOHI(low,high,w,tmp); \
+ ret += (c); \
+ (c) = (ret<(c))?1:0; \
+ (c) += high; \
+ ret += low; \
+ (c) += (ret<low)?1:0; \
+ (r) = ret; \
+ }
+
+# define mul(r,a,w,c) { \
+ BN_ULONG high,low,ret,ta=(a); \
+ BN_UMULT_LOHI(low,high,w,ta); \
+ ret = low + (c); \
+ (c) = high; \
+ (c) += (ret<low)?1:0; \
+ (r) = ret; \
+ }
+
+# define sqr(r0,r1,a) { \
+ BN_ULONG tmp=(a); \
+ BN_UMULT_LOHI(r0,r1,tmp,tmp); \
+ }
+
+# elif defined(BN_UMULT_HIGH)
+# define mul_add(r,a,w,c) { \
+ BN_ULONG high,low,ret,tmp=(a); \
+ ret = (r); \
+ high= BN_UMULT_HIGH(w,tmp); \
+ ret += (c); \
+ low = (w) * tmp; \
+ (c) = (ret<(c))?1:0; \
+ (c) += high; \
+ ret += low; \
+ (c) += (ret<low)?1:0; \
+ (r) = ret; \
+ }
+
+# define mul(r,a,w,c) { \
+ BN_ULONG high,low,ret,ta=(a); \
+ low = (w) * ta; \
+ high= BN_UMULT_HIGH(w,ta); \
+ ret = low + (c); \
+ (c) = high; \
+ (c) += (ret<low)?1:0; \
+ (r) = ret; \
+ }
+
+# define sqr(r0,r1,a) { \
+ BN_ULONG tmp=(a); \
+ (r0) = tmp * tmp; \
+ (r1) = BN_UMULT_HIGH(tmp,tmp); \
+ }
+
+# else
+/*************************************************************
+ * No long long type
+ */
+
+# define LBITS(a) ((a)&BN_MASK2l)
+# define HBITS(a) (((a)>>BN_BITS4)&BN_MASK2l)
+# define L2HBITS(a) (((a)<<BN_BITS4)&BN_MASK2)
+
+# define LLBITS(a) ((a)&BN_MASKl)
+# define LHBITS(a) (((a)>>BN_BITS2)&BN_MASKl)
+# define LL2HBITS(a) ((BN_ULLONG)((a)&BN_MASKl)<<BN_BITS2)
+
+# define mul64(l,h,bl,bh) \
+ { \
+ BN_ULONG m,m1,lt,ht; \
+ \
+ lt=l; \
+ ht=h; \
+ m =(bh)*(lt); \
+ lt=(bl)*(lt); \
+ m1=(bl)*(ht); \
+ ht =(bh)*(ht); \
+ m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \
+ ht+=HBITS(m); \
+ m1=L2HBITS(m); \
+ lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \
+ (l)=lt; \
+ (h)=ht; \
+ }
+
+# define sqr64(lo,ho,in) \
+ { \
+ BN_ULONG l,h,m; \
+ \
+ h=(in); \
+ l=LBITS(h); \
+ h=HBITS(h); \
+ m =(l)*(h); \
+ l*=l; \
+ h*=h; \
+ h+=(m&BN_MASK2h1)>>(BN_BITS4-1); \
+ m =(m&BN_MASK2l)<<(BN_BITS4+1); \
+ l=(l+m)&BN_MASK2; if (l < m) h++; \
+ (lo)=l; \
+ (ho)=h; \
+ }
+
+# define mul_add(r,a,bl,bh,c) { \
+ BN_ULONG l,h; \
+ \
+ h= (a); \
+ l=LBITS(h); \
+ h=HBITS(h); \
+ mul64(l,h,(bl),(bh)); \
+ \
+ /* non-multiply part */ \
+ l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
+ (c)=(r); \
+ l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
+ (c)=h&BN_MASK2; \
+ (r)=l; \
+ }
+
+# define mul(r,a,bl,bh,c) { \
+ BN_ULONG l,h; \
+ \
+ h= (a); \
+ l=LBITS(h); \
+ h=HBITS(h); \
+ mul64(l,h,(bl),(bh)); \
+ \
+ /* non-multiply part */ \
+ l+=(c); if ((l&BN_MASK2) < (c)) h++; \
+ (c)=h&BN_MASK2; \
+ (r)=l&BN_MASK2; \
+ }
+# endif /* !BN_LLONG */
+
+void BN_RECP_CTX_init(BN_RECP_CTX *recp);
+void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
+
+void bn_init(BIGNUM *a);
+void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb);
+void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp);
+void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
+void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
+int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n);
+int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl);
+void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
+ int dna, int dnb, BN_ULONG *t);
+void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b,
+ int n, int tna, int tnb, BN_ULONG *t);
+void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t);
+void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n);
+void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
+ BN_ULONG *t);
+BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+ int cl, int dl);
+int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ const BN_ULONG *np, const BN_ULONG *n0, int num);
+
+BIGNUM *int_bn_mod_inverse(BIGNUM *in,
+ const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
+ int *noinv);
+
+static ossl_inline BIGNUM *bn_expand(BIGNUM *a, int bits)
+{
+ if (bits > (INT_MAX - BN_BITS2 + 1))
+ return NULL;
+
+ if (((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax)
+ return a;
+
+ return bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2);
+}
+
+#endif
diff --git a/contrib/libs/openssl/crypto/bn/bn_mod.c b/contrib/libs/openssl/crypto/bn/bn_mod.c
index d7677fdbfd..f7d2e2650e 100644
--- a/contrib/libs/openssl/crypto/bn/bn_mod.c
+++ b/contrib/libs/openssl/crypto/bn/bn_mod.c
@@ -8,7 +8,7 @@
*/
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
{
diff --git a/contrib/libs/openssl/crypto/bn/bn_mont.c b/contrib/libs/openssl/crypto/bn/bn_mont.c
index 107deb4b86..1e5045a010 100644
--- a/contrib/libs/openssl/crypto/bn/bn_mont.c
+++ b/contrib/libs/openssl/crypto/bn/bn_mont.c
@@ -15,7 +15,7 @@
*/
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
#define MONT_WORD /* use the faster word-based algorithm */
diff --git a/contrib/libs/openssl/crypto/bn/bn_mpi.c b/contrib/libs/openssl/crypto/bn/bn_mpi.c
index 14d9688d42..0902da5d07 100644
--- a/contrib/libs/openssl/crypto/bn/bn_mpi.c
+++ b/contrib/libs/openssl/crypto/bn/bn_mpi.c
@@ -9,7 +9,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
int BN_bn2mpi(const BIGNUM *a, unsigned char *d)
{
diff --git a/contrib/libs/openssl/crypto/bn/bn_mul.c b/contrib/libs/openssl/crypto/bn/bn_mul.c
index 28e84b5a70..6743e7be81 100644
--- a/contrib/libs/openssl/crypto/bn/bn_mul.c
+++ b/contrib/libs/openssl/crypto/bn/bn_mul.c
@@ -9,7 +9,7 @@
#include <assert.h>
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
#if defined(OPENSSL_NO_ASM) || !defined(OPENSSL_BN_ASM_PART_WORDS)
/*
diff --git a/contrib/libs/openssl/crypto/bn/bn_nist.c b/contrib/libs/openssl/crypto/bn/bn_nist.c
index b831d28fc0..325dc22849 100644
--- a/contrib/libs/openssl/crypto/bn/bn_nist.c
+++ b/contrib/libs/openssl/crypto/bn/bn_nist.c
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "bn_local.h"
+#include "bn_local.h"
#include "internal/cryptlib.h"
#define BN_NIST_192_TOP (192+BN_BITS2-1)/BN_BITS2
diff --git a/contrib/libs/openssl/crypto/bn/bn_prime.c b/contrib/libs/openssl/crypto/bn/bn_prime.c
index 0a78bed9b7..d0cf3779fa 100644
--- a/contrib/libs/openssl/crypto/bn/bn_prime.c
+++ b/contrib/libs/openssl/crypto/bn/bn_prime.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -10,7 +10,7 @@
#include <stdio.h>
#include <time.h>
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
/*
* The quick sieve algorithm approach to weeding out primes is Philip
@@ -22,13 +22,13 @@
static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
const BIGNUM *a1_odd, int k, BN_CTX *ctx,
BN_MONT_CTX *mont);
-static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods);
-static int probable_prime_dh(BIGNUM *rnd, int bits, int safe, prime_t *mods,
- const BIGNUM *add, const BIGNUM *rem,
- BN_CTX *ctx);
+static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods);
+static int probable_prime_dh(BIGNUM *rnd, int bits, int safe, prime_t *mods,
+ const BIGNUM *add, const BIGNUM *rem,
+ BN_CTX *ctx);
+
+#define square(x) ((BN_ULONG)(x) * (BN_ULONG)(x))
-#define square(x) ((BN_ULONG)(x) * (BN_ULONG)(x))
-
int BN_GENCB_call(BN_GENCB *cb, int a, int b)
{
/* No callback means continue */
@@ -89,11 +89,11 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
loop:
/* make a random number and set the top and bottom bits */
if (add == NULL) {
- if (!probable_prime(ret, bits, safe, mods))
+ if (!probable_prime(ret, bits, safe, mods))
goto err;
} else {
- if (!probable_prime_dh(ret, bits, safe, mods, add, rem, ctx))
- goto err;
+ if (!probable_prime_dh(ret, bits, safe, mods, add, rem, ctx))
+ goto err;
}
if (!BN_GENCB_call(cb, 0, c1++))
@@ -269,7 +269,7 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
return 1;
}
-static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods)
+static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods)
{
int i;
BN_ULONG delta;
@@ -279,8 +279,8 @@ static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods)
/* TODO: Not all primes are private */
if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
return 0;
- if (safe && !BN_set_bit(rnd, 1))
- return 0;
+ if (safe && !BN_set_bit(rnd, 1))
+ return 0;
/* we now have a random number 'rnd' to test. */
for (i = 1; i < NUMPRIMES; i++) {
BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
@@ -290,23 +290,23 @@ static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods)
}
delta = 0;
loop:
- for (i = 1; i < NUMPRIMES; i++) {
- /*
- * check that rnd is a prime and also that
- * gcd(rnd-1,primes) == 1 (except for 2)
- * do the second check only if we are interested in safe primes
- * in the case that the candidate prime is a single word then
- * we check only the primes up to sqrt(rnd)
+ for (i = 1; i < NUMPRIMES; i++) {
+ /*
+ * check that rnd is a prime and also that
+ * gcd(rnd-1,primes) == 1 (except for 2)
+ * do the second check only if we are interested in safe primes
+ * in the case that the candidate prime is a single word then
+ * we check only the primes up to sqrt(rnd)
*/
- if (bits <= 31 && delta <= 0x7fffffff
- && square(primes[i]) > BN_get_word(rnd) + delta)
- break;
- if (safe ? (mods[i] + delta) % primes[i] <= 1
- : (mods[i] + delta) % primes[i] == 0) {
- delta += safe ? 4 : 2;
- if (delta > maxdelta)
- goto again;
- goto loop;
+ if (bits <= 31 && delta <= 0x7fffffff
+ && square(primes[i]) > BN_get_word(rnd) + delta)
+ break;
+ if (safe ? (mods[i] + delta) % primes[i] <= 1
+ : (mods[i] + delta) % primes[i] == 0) {
+ delta += safe ? 4 : 2;
+ if (delta > maxdelta)
+ goto again;
+ goto loop;
}
}
if (!BN_add_word(rnd, delta))
@@ -317,23 +317,23 @@ static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods)
return 1;
}
-static int probable_prime_dh(BIGNUM *rnd, int bits, int safe, prime_t *mods,
- const BIGNUM *add, const BIGNUM *rem,
- BN_CTX *ctx)
+static int probable_prime_dh(BIGNUM *rnd, int bits, int safe, prime_t *mods,
+ const BIGNUM *add, const BIGNUM *rem,
+ BN_CTX *ctx)
{
int i, ret = 0;
BIGNUM *t1;
- BN_ULONG delta;
- BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
+ BN_ULONG delta;
+ BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
BN_CTX_start(ctx);
if ((t1 = BN_CTX_get(ctx)) == NULL)
goto err;
- if (maxdelta > BN_MASK2 - BN_get_word(add))
- maxdelta = BN_MASK2 - BN_get_word(add);
-
- again:
+ if (maxdelta > BN_MASK2 - BN_get_word(add))
+ maxdelta = BN_MASK2 - BN_get_word(add);
+
+ again:
if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
goto err;
@@ -344,48 +344,48 @@ static int probable_prime_dh(BIGNUM *rnd, int bits, int safe, prime_t *mods,
if (!BN_sub(rnd, rnd, t1))
goto err;
if (rem == NULL) {
- if (!BN_add_word(rnd, safe ? 3u : 1u))
+ if (!BN_add_word(rnd, safe ? 3u : 1u))
goto err;
} else {
if (!BN_add(rnd, rnd, rem))
goto err;
}
- if (BN_num_bits(rnd) < bits
- || BN_get_word(rnd) < (safe ? 5u : 3u)) {
- if (!BN_add(rnd, rnd, add))
- goto err;
- }
+ if (BN_num_bits(rnd) < bits
+ || BN_get_word(rnd) < (safe ? 5u : 3u)) {
+ if (!BN_add(rnd, rnd, add))
+ goto err;
+ }
- /* we now have a random number 'rnd' to test. */
+ /* we now have a random number 'rnd' to test. */
for (i = 1; i < NUMPRIMES; i++) {
BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
if (mod == (BN_ULONG)-1)
goto err;
- mods[i] = (prime_t) mod;
+ mods[i] = (prime_t) mod;
}
- delta = 0;
+ delta = 0;
loop:
for (i = 1; i < NUMPRIMES; i++) {
- /* check that rnd is a prime */
- if (bits <= 31 && delta <= 0x7fffffff
- && square(primes[i]) > BN_get_word(rnd) + delta)
- break;
- /* rnd mod p == 1 implies q = (rnd-1)/2 is divisible by p */
- if (safe ? (mods[i] + delta) % primes[i] <= 1
- : (mods[i] + delta) % primes[i] == 0) {
- delta += BN_get_word(add);
- if (delta > maxdelta)
- goto again;
+ /* check that rnd is a prime */
+ if (bits <= 31 && delta <= 0x7fffffff
+ && square(primes[i]) > BN_get_word(rnd) + delta)
+ break;
+ /* rnd mod p == 1 implies q = (rnd-1)/2 is divisible by p */
+ if (safe ? (mods[i] + delta) % primes[i] <= 1
+ : (mods[i] + delta) % primes[i] == 0) {
+ delta += BN_get_word(add);
+ if (delta > maxdelta)
+ goto again;
goto loop;
}
}
- if (!BN_add_word(rnd, delta))
- goto err;
+ if (!BN_add_word(rnd, delta))
+ goto err;
ret = 1;
err:
BN_CTX_end(ctx);
- bn_check_top(rnd);
+ bn_check_top(rnd);
return ret;
}
diff --git a/contrib/libs/openssl/crypto/bn/bn_print.c b/contrib/libs/openssl/crypto/bn/bn_print.c
index 1ec2def823..69749a9fa7 100644
--- a/contrib/libs/openssl/crypto/bn/bn_print.c
+++ b/contrib/libs/openssl/crypto/bn/bn_print.c
@@ -8,11 +8,11 @@
*/
#include <stdio.h>
-#include "crypto/ctype.h"
+#include "crypto/ctype.h"
#include <limits.h>
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
-#include "bn_local.h"
+#include "bn_local.h"
static const char Hex[] = "0123456789ABCDEF";
diff --git a/contrib/libs/openssl/crypto/bn/bn_rand.c b/contrib/libs/openssl/crypto/bn/bn_rand.c
index f7e9ba8d50..6b4b50a068 100644
--- a/contrib/libs/openssl/crypto/bn/bn_rand.c
+++ b/contrib/libs/openssl/crypto/bn/bn_rand.c
@@ -10,7 +10,7 @@
#include <stdio.h>
#include <time.h>
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
#include <openssl/rand.h>
#include <openssl/sha.h>
diff --git a/contrib/libs/openssl/crypto/bn/bn_recp.c b/contrib/libs/openssl/crypto/bn/bn_recp.c
index f0529fbfa8..e822313341 100644
--- a/contrib/libs/openssl/crypto/bn/bn_recp.c
+++ b/contrib/libs/openssl/crypto/bn/bn_recp.c
@@ -8,7 +8,7 @@
*/
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
void BN_RECP_CTX_init(BN_RECP_CTX *recp)
{
diff --git a/contrib/libs/openssl/crypto/bn/bn_shift.c b/contrib/libs/openssl/crypto/bn/bn_shift.c
index d475574bf9..210a83f586 100644
--- a/contrib/libs/openssl/crypto/bn/bn_shift.c
+++ b/contrib/libs/openssl/crypto/bn/bn_shift.c
@@ -9,7 +9,7 @@
#include <assert.h>
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
int BN_lshift1(BIGNUM *r, const BIGNUM *a)
{
@@ -34,10 +34,10 @@ int BN_lshift1(BIGNUM *r, const BIGNUM *a)
for (i = 0; i < a->top; i++) {
t = *(ap++);
*(rp++) = ((t << 1) | c) & BN_MASK2;
- c = t >> (BN_BITS2 - 1);
+ c = t >> (BN_BITS2 - 1);
}
- *rp = c;
- r->top += c;
+ *rp = c;
+ r->top += c;
bn_check_top(r);
return 1;
}
@@ -45,7 +45,7 @@ int BN_lshift1(BIGNUM *r, const BIGNUM *a)
int BN_rshift1(BIGNUM *r, const BIGNUM *a)
{
BN_ULONG *ap, *rp, t, c;
- int i;
+ int i;
bn_check_top(r);
bn_check_top(a);
@@ -57,20 +57,20 @@ int BN_rshift1(BIGNUM *r, const BIGNUM *a)
i = a->top;
ap = a->d;
if (a != r) {
- if (bn_wexpand(r, i) == NULL)
+ if (bn_wexpand(r, i) == NULL)
return 0;
r->neg = a->neg;
}
rp = r->d;
- r->top = i;
+ r->top = i;
t = ap[--i];
- rp[i] = t >> 1;
- c = t << (BN_BITS2 - 1);
- r->top -= (t == 1);
+ rp[i] = t >> 1;
+ c = t << (BN_BITS2 - 1);
+ r->top -= (t == 1);
while (i > 0) {
t = ap[--i];
rp[i] = ((t >> 1) & BN_MASK2) | c;
- c = t << (BN_BITS2 - 1);
+ c = t << (BN_BITS2 - 1);
}
if (!r->top)
r->neg = 0; /* don't allow negative zero */
@@ -149,19 +149,19 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n)
int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
{
- int ret = 0;
+ int ret = 0;
if (n < 0) {
BNerr(BN_F_BN_RSHIFT, BN_R_INVALID_SHIFT);
return 0;
}
- ret = bn_rshift_fixed_top(r, a, n);
+ ret = bn_rshift_fixed_top(r, a, n);
- bn_correct_top(r);
- bn_check_top(r);
+ bn_correct_top(r);
+ bn_check_top(r);
- return ret;
+ return ret;
}
/*
diff --git a/contrib/libs/openssl/crypto/bn/bn_sqr.c b/contrib/libs/openssl/crypto/bn/bn_sqr.c
index fbe301ebc8..7f3a179177 100644
--- a/contrib/libs/openssl/crypto/bn/bn_sqr.c
+++ b/contrib/libs/openssl/crypto/bn/bn_sqr.c
@@ -8,7 +8,7 @@
*/
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
/* r must not be a */
/*
diff --git a/contrib/libs/openssl/crypto/bn/bn_sqrt.c b/contrib/libs/openssl/crypto/bn/bn_sqrt.c
index 8cb93ff4ed..1723d5ded5 100644
--- a/contrib/libs/openssl/crypto/bn/bn_sqrt.c
+++ b/contrib/libs/openssl/crypto/bn/bn_sqrt.c
@@ -8,7 +8,7 @@
*/
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/*
diff --git a/contrib/libs/openssl/crypto/bn/bn_srp.c b/contrib/libs/openssl/crypto/bn/bn_srp.c
index aad60c67aa..820757be60 100644
--- a/contrib/libs/openssl/crypto/bn/bn_srp.c
+++ b/contrib/libs/openssl/crypto/bn/bn_srp.c
@@ -7,13 +7,13 @@
* https://www.openssl.org/source/license.html
*/
-#include "bn_local.h"
+#include "bn_local.h"
#include "internal/nelem.h"
#ifndef OPENSSL_NO_SRP
#include <openssl/srp.h>
-#include "crypto/bn_srp.h"
+#include "crypto/bn_srp.h"
# if (BN_BYTES == 8)
# if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
diff --git a/contrib/libs/openssl/crypto/bn/bn_word.c b/contrib/libs/openssl/crypto/bn/bn_word.c
index 7aedd69f9a..18fb3030a8 100644
--- a/contrib/libs/openssl/crypto/bn/bn_word.c
+++ b/contrib/libs/openssl/crypto/bn/bn_word.c
@@ -8,7 +8,7 @@
*/
#include "internal/cryptlib.h"
-#include "bn_local.h"
+#include "bn_local.h"
BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w)
{
diff --git a/contrib/libs/openssl/crypto/bn/bn_x931p.c b/contrib/libs/openssl/crypto/bn/bn_x931p.c
index ae676fc51e..009950259d 100644
--- a/contrib/libs/openssl/crypto/bn/bn_x931p.c
+++ b/contrib/libs/openssl/crypto/bn/bn_x931p.c
@@ -9,7 +9,7 @@
#include <stdio.h>
#include <openssl/bn.h>
-#include "bn_local.h"
+#include "bn_local.h"
/* X9.31 routines for prime derivation */
diff --git a/contrib/libs/openssl/crypto/bn/rsaz_exp.h b/contrib/libs/openssl/crypto/bn/rsaz_exp.h
index ad718aa1d5..88f65a4bae 100644
--- a/contrib/libs/openssl/crypto/bn/rsaz_exp.h
+++ b/contrib/libs/openssl/crypto/bn/rsaz_exp.h
@@ -12,8 +12,8 @@
* (2) University of Haifa, Israel
*/
-#ifndef OSSL_CRYPTO_BN_RSAZ_EXP_H
-# define OSSL_CRYPTO_BN_RSAZ_EXP_H
+#ifndef OSSL_CRYPTO_BN_RSAZ_EXP_H
+# define OSSL_CRYPTO_BN_RSAZ_EXP_H
# undef RSAZ_ENABLED
# if defined(OPENSSL_BN_ASM_MONT) && \