Remove BIGNUM consistency macros.

Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.

Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.

"Good riddance." tb@

Author: jsing

src/lib/libcrypto/bn/bn_add.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_add.c,v 1.14 2022/11/24 01:30:01 jsing Exp $ */
+/* $OpenBSD: bn_add.c,v 1.15 2022/11/26 13:56:33 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -67,8 +67,6 @@ BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 {
 	int ret, r_neg;
 
-	bn_check_top(a);
-	bn_check_top(b);
 
 	if (a->neg == b->neg) {
 		r_neg = a->neg;
@@ -90,7 +88,6 @@ BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	}
 
 	r->neg = r_neg;
-	bn_check_top(r);
 	return ret;
 }
 
@@ -101,8 +98,6 @@ BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	const BN_ULONG *ap, *bp;
 	BN_ULONG *rp, carry, t1, t2;
 
-	bn_check_top(a);
-	bn_check_top(b);
 
 	if (a->top < b->top) {
 		const BIGNUM *tmp;
@@ -139,7 +134,6 @@ BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	r->top += carry;
 
 	r->neg = 0;
-	bn_check_top(r);
 	return 1;
 }
 
@@ -150,8 +144,6 @@ BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	const BN_ULONG *ap, *bp;
 	BN_ULONG t1, t2, borrow, *rp;
 
-	bn_check_top(a);
-	bn_check_top(b);
 
 	max = a->top;
 	min = b->top;
@@ -195,8 +187,6 @@ BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 {
 	int ret, r_neg;
 
-	bn_check_top(a);
-	bn_check_top(b);
 
 	if (a->neg != b->neg) {
 		r_neg = a->neg;
@@ -218,6 +208,5 @@ BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	}
 
 	r->neg = r_neg;
-	bn_check_top(r);
 	return ret;
 }

src/lib/libcrypto/bn/bn_blind.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_blind.c,v 1.17 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: bn_blind.c,v 1.18 2022/11/26 13:56:33 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -141,7 +141,6 @@ BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
 {
 	BN_BLINDING *ret = NULL;
 
-	bn_check_top(mod);
 
 	if ((ret = calloc(1, sizeof(BN_BLINDING))) == NULL) {
 		BNerror(ERR_R_MALLOC_FAILURE);
@@ -232,7 +231,6 @@ BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
 {
 	int ret = 1;
 
-	bn_check_top(n);
 
 	if ((b->A == NULL) || (b->Ai == NULL)) {
 		BNerror(BN_R_NOT_INITIALIZED);
@@ -267,7 +265,6 @@ BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
 {
 	int ret;
 
-	bn_check_top(n);
 
 	if (r != NULL)
 		ret = BN_mod_mul(n, n, r, b->mod, ctx);
@@ -279,7 +276,6 @@ BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
 		ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
 	}
 
-	bn_check_top(n);
 	return (ret);
 }
 

src/lib/libcrypto/bn/bn_ctx.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_ctx.c,v 1.16 2019/08/20 10:59:09 schwarze Exp $ */
+/* $OpenBSD: bn_ctx.c,v 1.17 2022/11/26 13:56:33 jsing Exp $ */
 /* Written by Ulf Moeller for the OpenSSL project. */
 /* ====================================================================
  * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
@@ -471,7 +471,6 @@ BN_POOL_release(BN_POOL *p, unsigned int num)
 
 	p->used -= num;
 	while (num--) {
-		bn_check_top(p->current->vals + offset);
 		if (!offset) {
 			offset = BN_CTX_POOL_SIZE - 1;
 			p->current = p->current->prev;

src/lib/libcrypto/bn/bn_div.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_div.c,v 1.26 2022/11/24 01:30:01 jsing Exp $ */
+/* $OpenBSD: bn_div.c,v 1.27 2022/11/26 13:56:33 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -127,23 +127,16 @@ BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor
 	int num_n, div_n;
 	int no_branch = 0;
 
-	/* Invalid zero-padding would have particularly bad consequences
-	 * in the case of 'num', so don't just rely on bn_check_top() for this one
-	 * (bn_check_top() works only for BN_DEBUG builds) */
+	/* Invalid zero-padding would have particularly bad consequences. */
 	if (num->top > 0 && num->d[num->top - 1] == 0) {
 		BNerror(BN_R_NOT_INITIALIZED);
 		return 0;
 	}
 
-	bn_check_top(num);
 
 	if (ct)
 		no_branch = 1;
 
-	bn_check_top(dv);
-	bn_check_top(rm);
-	/* bn_check_top(num); */ /* 'num' has been checked already */
-	bn_check_top(divisor);
 
 	if (BN_is_zero(divisor)) {
 		BNerror(BN_R_DIV_BY_ZERO);
@@ -234,10 +227,6 @@ BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor
 
 	if (!no_branch) {
 		if (BN_ucmp(&wnum, sdiv) >= 0) {
-			/* If BN_DEBUG_RAND is defined BN_ucmp changes (via
-			 * bn_pollute) the const bignum arguments =>
-			 * clean the values between top and max again */
-			bn_clear_top2max(&wnum);
 			bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
 			*resp = 1;
 		} else
@@ -365,15 +354,13 @@ BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor
 		BN_rshift(rm, snum, norm_shift);
 		if (!BN_is_zero(rm))
 			rm->neg = neg;
-		bn_check_top(rm);
 	}
 	if (no_branch)
 		bn_correct_top(res);
 	BN_CTX_end(ctx);
 	return (1);
 
 err:
-	bn_check_top(rm);
 	BN_CTX_end(ctx);
 	return (0);
 }

src/lib/libcrypto/bn/bn_exp.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.33 2022/11/24 01:30:01 jsing Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.34 2022/11/26 13:56:33 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -168,7 +168,6 @@ BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 	if (r != rr && rr != NULL)
 		BN_copy(r, rr);
 	BN_CTX_end(ctx);
-	bn_check_top(r);
 	return (ret);
 }
 
@@ -178,9 +177,6 @@ BN_mod_exp_internal(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m
 {
 	int ret;
 
-	bn_check_top(a);
-	bn_check_top(p);
-	bn_check_top(m);
 
 	/* For even modulus  m = 2^k*m_odd,  it might make sense to compute
 	 * a^p mod m_odd  and  a^p mod 2^k  separately (with Montgomery
@@ -222,7 +218,6 @@ BN_mod_exp_internal(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m
 		ret = BN_mod_exp_recp(r, a,p, m, ctx);
 	}
 
-	bn_check_top(r);
 	return (ret);
 }
 
@@ -381,7 +376,6 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 err:
 	BN_CTX_end(ctx);
 	BN_RECP_CTX_free(&recp);
-	bn_check_top(r);
 	return (ret);
 }
 
@@ -401,9 +395,6 @@ BN_mod_exp_mont_internal(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIG
 		return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont);
 	}
 
-	bn_check_top(a);
-	bn_check_top(p);
-	bn_check_top(m);
 
 	if (!BN_is_odd(m)) {
 		BNerror(BN_R_CALLED_WITH_EVEN_MODULUS);
@@ -533,7 +524,6 @@ BN_mod_exp_mont_internal(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIG
 	if ((in_mont == NULL) && (mont != NULL))
 		BN_MONT_CTX_free(mont);
 	BN_CTX_end(ctx);
-	bn_check_top(rr);
 	return (ret);
 }
 
@@ -658,9 +648,6 @@ BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 	unsigned char *powerbuf = NULL;
 	BIGNUM tmp, am;
 
-	bn_check_top(a);
-	bn_check_top(p);
-	bn_check_top(m);
 
 	if (!BN_is_odd(m)) {
 		BNerror(BN_R_CALLED_WITH_EVEN_MODULUS);
@@ -937,8 +924,6 @@ BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m,
 		return -1;
 	}
 
-	bn_check_top(p);
-	bn_check_top(m);
 
 	if (!BN_is_odd(m)) {
 		BNerror(BN_R_CALLED_WITH_EVEN_MODULUS);
@@ -1052,7 +1037,6 @@ BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m,
 	if ((in_mont == NULL) && (mont != NULL))
 		BN_MONT_CTX_free(mont);
 	BN_CTX_end(ctx);
-	bn_check_top(rr);
 	return (ret);
 }
 
@@ -1172,6 +1156,5 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 
 err:
 	BN_CTX_end(ctx);
-	bn_check_top(r);
 	return (ret);
 }

src/lib/libcrypto/bn/bn_exp2.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp2.c,v 1.13 2022/02/07 19:49:56 tb Exp $ */
+/* $OpenBSD: bn_exp2.c,v 1.14 2022/11/26 13:56:33 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -130,11 +130,6 @@ BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
 	BIGNUM *val1[TABLE_SIZE], *val2[TABLE_SIZE];
 	BN_MONT_CTX *mont = NULL;
 
-	bn_check_top(a1);
-	bn_check_top(p1);
-	bn_check_top(a2);
-	bn_check_top(p2);
-	bn_check_top(m);
 
 	if (!BN_is_odd(m)) {
 		BNerror(BN_R_CALLED_WITH_EVEN_MODULUS);
@@ -303,6 +298,5 @@ BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
 	if ((in_mont == NULL) && (mont != NULL))
 		BN_MONT_CTX_free(mont);
 	BN_CTX_end(ctx);
-	bn_check_top(rr);
 	return (ret);
 }

src/lib/libcrypto/bn/bn_gcd.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gcd.c,v 1.16 2021/12/26 15:16:50 tb Exp $ */
+/* $OpenBSD: bn_gcd.c,v 1.17 2022/11/26 13:56:33 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -123,8 +123,6 @@ BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
 	BIGNUM *a, *b, *t;
 	int ret = 0;
 
-	bn_check_top(in_a);
-	bn_check_top(in_b);
 
 	BN_CTX_start(ctx);
 	if ((a = BN_CTX_get(ctx)) == NULL)
@@ -154,7 +152,6 @@ BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
 
 err:
 	BN_CTX_end(ctx);
-	bn_check_top(r);
 	return (ret);
 }
 
@@ -179,8 +176,6 @@ euclid(BIGNUM *a, BIGNUM *b)
 	BIGNUM *t;
 	int shifts = 0;
 
-	bn_check_top(a);
-	bn_check_top(b);
 
 	/* 0 <= b <= a */
 	while (!BN_is_zero(b)) {
@@ -236,7 +231,6 @@ euclid(BIGNUM *a, BIGNUM *b)
 		if (!BN_lshift(a, a, shifts))
 			goto err;
 	}
-	bn_check_top(a);
 	return (a);
 
 err:
@@ -259,8 +253,6 @@ BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ct
 	if (ct)
 		return BN_mod_inverse_no_branch(in, a, n, ctx);
 
-	bn_check_top(a);
-	bn_check_top(n);
 
 	BN_CTX_start(ctx);
 	if ((A = BN_CTX_get(ctx)) == NULL)
@@ -536,7 +528,6 @@ BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ct
 	if ((ret == NULL) && (in == NULL))
 		BN_free(R);
 	BN_CTX_end(ctx);
-	bn_check_top(ret);
 	return (ret);
 }
 
@@ -573,8 +564,6 @@ BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 	BIGNUM *ret = NULL;
 	int sign;
 
-	bn_check_top(a);
-	bn_check_top(n);
 
 	BN_init(&local_A);
 	BN_init(&local_B);
@@ -725,7 +714,6 @@ BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 	if ((ret == NULL) && (in == NULL))
 		BN_free(R);
 	BN_CTX_end(ctx);
-	bn_check_top(ret);
 	return (ret);
 }
 
@@ -750,8 +738,6 @@ BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 	BN_init(&local_A);
 	BN_init(&local_B);
 
-	bn_check_top(a);
-	bn_check_top(n);
 
 	BN_CTX_start(ctx);
 	if ((A = BN_CTX_get(ctx)) == NULL)
@@ -871,6 +857,5 @@ BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 	if ((ret == NULL) && (in == NULL))
 		BN_free(R);
 	BN_CTX_end(ctx);
-	bn_check_top(ret);
 	return (ret);
 }