grpc-flamingo 1.11.0 → 1.15.0

data/third_party/boringssl/crypto/fipsmodule/bn/montgomery_inv.c

@@ -71,7 +71,7 @@ uint64_t bn_mont_n0(const BIGNUM *n) {
   // |BN_MONT_CTX_N0_LIMBS| limbs of |n|.
   uint64_t n_mod_r = n->d[0];
 #if BN_MONT_CTX_N0_LIMBS == 2
-  if (n->top > 1) {
+  if (n->width > 1) {
     n_mod_r |= (uint64_t)n->d[1] << BN_BITS2;
   }
 #endif
@@ -159,10 +159,8 @@ static uint64_t bn_neg_inv_mod_r_u64(uint64_t n) {
   return v;
 }
 
-// bn_mod_exp_base_2_vartime calculates r = 2**p (mod n). |p| must be larger
-// than log_2(n); i.e. 2**p must be larger than |n|. |n| must be positive and
-// odd.
-int bn_mod_exp_base_2_vartime(BIGNUM *r, unsigned p, const BIGNUM *n) {
+int bn_mod_exp_base_2_consttime(BIGNUM *r, unsigned p, const BIGNUM *n,
+                                BN_CTX *ctx) {
   assert(!BN_is_zero(n));
   assert(!BN_is_negative(n));
   assert(BN_is_odd(n));
@@ -171,37 +169,17 @@ int bn_mod_exp_base_2_vartime(BIGNUM *r, unsigned p, const BIGNUM *n) {
 
   unsigned n_bits = BN_num_bits(n);
   assert(n_bits != 0);
+  assert(p > n_bits);
   if (n_bits == 1) {
     return 1;
   }
 
-  // Set |r| to the smallest power of two larger than |n|.
-  assert(p > n_bits);
-  if (!BN_set_bit(r, n_bits)) {
-    return 0;
-  }
-
-  // Unconditionally reduce |r|.
-  assert(BN_cmp(r, n) > 0);
-  if (!BN_usub(r, r, n)) {
+  // Set |r| to the larger power of two smaller than |n|, then shift with
+  // reductions the rest of the way.
+  if (!BN_set_bit(r, n_bits - 1) ||
+      !bn_mod_lshift_consttime(r, r, p - (n_bits - 1), n, ctx)) {
     return 0;
   }
-  assert(BN_cmp(r, n) < 0);
-
-  for (unsigned i = n_bits; i < p; ++i) {
-    // This is like |BN_mod_lshift1_quick| except using |BN_usub|.
-    //
-    // TODO: Replace this with the use of a constant-time variant of
-    // |BN_mod_lshift1_quick|.
-    if (!BN_lshift1(r, r)) {
-      return 0;
-    }
-    if (BN_cmp(r, n) >= 0) {
-      if (!BN_usub(r, r, n)) {
-        return 0;
-      }
-    }
-  }
 
   return 1;
 }

data/third_party/boringssl/crypto/fipsmodule/bn/mul.c

@@ -61,6 +61,7 @@
 
 #include <openssl/err.h>
 #include <openssl/mem.h>
+#include <openssl/type_check.h>
 
 #include "internal.h"
 #include "../../internal.h"
@@ -70,6 +71,13 @@
 #define BN_SQR_RECURSIVE_SIZE_NORMAL BN_MUL_RECURSIVE_SIZE_NORMAL
 
 
+static void bn_abs_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+                             size_t num, BN_ULONG *tmp) {
+  BN_ULONG borrow = bn_sub_words(tmp, a, b, num);
+  bn_sub_words(r, b, a, num);
+  bn_select_words(r, 0 - borrow, r /* tmp < 0 */, tmp /* tmp >= 0 */, num);
+}
+
 static void bn_mul_normal(BN_ULONG *r, const BN_ULONG *a, size_t na,
                           const BN_ULONG *b, size_t nb) {
   if (na < nb) {
@@ -279,25 +287,61 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
                            int cl, int dl);
 #endif
 
+// bn_abs_sub_part_words computes |r| = |a| - |b|, storing the absolute value
+// and returning a mask of all ones if the result was negative and all zeros if
+// the result was positive. |cl| and |dl| follow the |bn_sub_part_words| calling
+// convention.
+//
+// TODO(davidben): Make this take |size_t|. The |cl| + |dl| calling convention
+// is confusing. The trouble is 32-bit x86 implements |bn_sub_part_words| in
+// assembly, but we can probably just delete it?
+static BN_ULONG bn_abs_sub_part_words(BN_ULONG *r, const BN_ULONG *a,
+                                      const BN_ULONG *b, int cl, int dl,
+                                      BN_ULONG *tmp) {
+  BN_ULONG borrow = bn_sub_part_words(tmp, a, b, cl, dl);
+  bn_sub_part_words(r, b, a, cl, -dl);
+  int r_len = cl + (dl < 0 ? -dl : dl);
+  borrow = 0 - borrow;
+  bn_select_words(r, borrow, r /* tmp < 0 */, tmp /* tmp >= 0 */, r_len);
+  return borrow;
+}
+
+int bn_abs_sub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                         BN_CTX *ctx) {
+  int cl = a->width < b->width ? a->width : b->width;
+  int dl = a->width - b->width;
+  int r_len = a->width < b->width ? b->width : a->width;
+  BN_CTX_start(ctx);
+  BIGNUM *tmp = BN_CTX_get(ctx);
+  int ok = tmp != NULL &&
+           bn_wexpand(r, r_len) &&
+           bn_wexpand(tmp, r_len);
+  if (ok) {
+    bn_abs_sub_part_words(r->d, a->d, b->d, cl, dl, tmp->d);
+    r->width = r_len;
+  }
+  BN_CTX_end(ctx);
+  return ok;
+}
+
 // Karatsuba recursive multiplication algorithm
 // (cf. Knuth, The Art of Computer Programming, Vol. 2)
 
-// r is 2*n2 words in size,
-// a and b are both n2 words in size.
-// n2 must be a power of 2.
-// We multiply and return the result.
-// t must be 2*n2 words in size
-// We calculate
-// a[0]*b[0]
-// a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
-// a[1]*b[1]
-// dnX may not be positive, but n2/2+dnX has to be
+// bn_mul_recursive sets |r| to |a| * |b|, using |t| as scratch space. |r| has
+// length 2*|n2|, |a| has length |n2| + |dna|, |b| has length |n2| + |dnb|, and
+// |t| has length 4*|n2|. |n2| must be a power of two. Finally, we must have
+// -|BN_MUL_RECURSIVE_SIZE_NORMAL|/2 <= |dna| <= 0 and
+// -|BN_MUL_RECURSIVE_SIZE_NORMAL|/2 <= |dnb| <= 0.
+//
+// TODO(davidben): Simplify and |size_t| the calling convention around lengths
+// here.
 static void bn_mul_recursive(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
                              int n2, int dna, int dnb, BN_ULONG *t) {
-  int n = n2 / 2, c1, c2;
-  int tna = n + dna, tnb = n + dnb;
-  unsigned int neg, zero;
-  BN_ULONG ln, lo, *p;
+  // |n2| is a power of two.
+  assert(n2 != 0 && (n2 & (n2 - 1)) == 0);
+  // Check |dna| and |dnb| are in range.
+  assert(-BN_MUL_RECURSIVE_SIZE_NORMAL/2 <= dna && dna <= 0);
+  assert(-BN_MUL_RECURSIVE_SIZE_NORMAL/2 <= dnb && dnb <= 0);
 
   // Only call bn_mul_comba 8 if n2 == 8 and the
   // two arrays are complete [steve]
@@ -309,276 +353,212 @@ static void bn_mul_recursive(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
   // Else do normal multiply
   if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) {
     bn_mul_normal(r, a, n2 + dna, b, n2 + dnb);
-    if ((dna + dnb) < 0) {
+    if (dna + dnb < 0) {
       OPENSSL_memset(&r[2 * n2 + dna + dnb], 0,
                      sizeof(BN_ULONG) * -(dna + dnb));
     }
     return;
   }
 
-  // r=(a[0]-a[1])*(b[1]-b[0])
-  c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
-  c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
-  zero = neg = 0;
-  switch (c1 * 3 + c2) {
-    case -4:
-      bn_sub_part_words(t, &(a[n]), a, tna, tna - n);        // -
-      bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb);  // -
-      break;
-    case -3:
-      zero = 1;
-      break;
-    case -2:
-      bn_sub_part_words(t, &(a[n]), a, tna, tna - n);        // -
-      bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);  // +
-      neg = 1;
-      break;
-    case -1:
-    case 0:
-    case 1:
-      zero = 1;
-      break;
-    case 2:
-      bn_sub_part_words(t, a, &(a[n]), tna, n - tna);        // +
-      bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb);  // -
-      neg = 1;
-      break;
-    case 3:
-      zero = 1;
-      break;
-    case 4:
-      bn_sub_part_words(t, a, &(a[n]), tna, n - tna);
-      bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);
-      break;
-  }
-
+  // Split |a| and |b| into a0,a1 and b0,b1, where a0 and b0 have size |n|.
+  // Split |t| into t0,t1,t2,t3, each of size |n|, with the remaining 4*|n| used
+  // for recursive calls.
+  // Split |r| into r0,r1,r2,r3. We must contribute a0*b0 to r0,r1, a0*a1+b0*b1
+  // to r1,r2, and a1*b1 to r2,r3. The middle term we will compute as:
+  //
+  //   a0*a1 + b0*b1 = (a0 - a1)*(b1 - b0) + a1*b1 + a0*b0
+  //
+  // Note that we know |n| >= |BN_MUL_RECURSIVE_SIZE_NORMAL|/2 above, so
+  // |tna| and |tnb| are non-negative.
+  int n = n2 / 2, tna = n + dna, tnb = n + dnb;
+
+  // t0 = a0 - a1 and t1 = b1 - b0. The result will be multiplied, so we XOR
+  // their sign masks, giving the sign of (a0 - a1)*(b1 - b0). t0 and t1
+  // themselves store the absolute value.
+  BN_ULONG neg = bn_abs_sub_part_words(t, a, &a[n], tna, n - tna, &t[n2]);
+  neg ^= bn_abs_sub_part_words(&t[n], &b[n], b, tnb, tnb - n, &t[n2]);
+
+  // Compute:
+  // t2,t3 = t0 * t1 = |(a0 - a1)*(b1 - b0)|
+  // r0,r1 = a0 * b0
+  // r2,r3 = a1 * b1
   if (n == 4 && dna == 0 && dnb == 0) {
-    // XXX: bn_mul_comba4 could take extra args to do this well
-    if (!zero) {
-      bn_mul_comba4(&(t[n2]), t, &(t[n]));
-    } else {
-      OPENSSL_memset(&(t[n2]), 0, 8 * sizeof(BN_ULONG));
-    }
+    bn_mul_comba4(&t[n2], t, &t[n]);
 
     bn_mul_comba4(r, a, b);
-    bn_mul_comba4(&(r[n2]), &(a[n]), &(b[n]));
+    bn_mul_comba4(&r[n2], &a[n], &b[n]);
   } else if (n == 8 && dna == 0 && dnb == 0) {
-    // XXX: bn_mul_comba8 could take extra args to do this well
-    if (!zero) {
-      bn_mul_comba8(&(t[n2]), t, &(t[n]));
-    } else {
-      OPENSSL_memset(&(t[n2]), 0, 16 * sizeof(BN_ULONG));
-    }
+    bn_mul_comba8(&t[n2], t, &t[n]);
 
     bn_mul_comba8(r, a, b);
-    bn_mul_comba8(&(r[n2]), &(a[n]), &(b[n]));
+    bn_mul_comba8(&r[n2], &a[n], &b[n]);
   } else {
-    p = &(t[n2 * 2]);
-    if (!zero) {
-      bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
-    } else {
-      OPENSSL_memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
-    }
+    BN_ULONG *p = &t[n2 * 2];
+    bn_mul_recursive(&t[n2], t, &t[n], n, 0, 0, p);
     bn_mul_recursive(r, a, b, n, 0, 0, p);
-    bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p);
+    bn_mul_recursive(&r[n2], &a[n], &b[n], n, dna, dnb, p);
   }
 
-  // t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
-  // r[10] holds (a[0]*b[0])
-  // r[32] holds (b[1]*b[1])
+  // t0,t1,c = r0,r1 + r2,r3 = a0*b0 + a1*b1
+  BN_ULONG c = bn_add_words(t, r, &r[n2], n2);
 
-  c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
+  // t2,t3,c = t0,t1,c + neg*t2,t3 = (a0 - a1)*(b1 - b0) + a1*b1 + a0*b0.
+  // The second term is stored as the absolute value, so we do this with a
+  // constant-time select.
+  BN_ULONG c_neg = c - bn_sub_words(&t[n2 * 2], t, &t[n2], n2);
+  BN_ULONG c_pos = c + bn_add_words(&t[n2], t, &t[n2], n2);
+  bn_select_words(&t[n2], neg, &t[n2 * 2], &t[n2], n2);
+  OPENSSL_COMPILE_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
+                         crypto_word_t_too_small);
+  c = constant_time_select_w(neg, c_neg, c_pos);
 
-  if (neg) {
-    // if t[32] is negative
-    c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
-  } else {
-    // Might have a carry
-    c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
-  }
-
-  // t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
-  // r[10] holds (a[0]*b[0])
-  // r[32] holds (b[1]*b[1])
-  // c1 holds the carry bits
-  c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
-  if (c1) {
-    p = &(r[n + n2]);
-    lo = *p;
-    ln = lo + c1;
-    *p = ln;
-
-    // The overflow will stop before we over write
-    // words we should not overwrite
-    if (ln < (BN_ULONG)c1) {
-      do {
-        p++;
-        lo = *p;
-        ln = lo + 1;
-        *p = ln;
-      } while (ln == 0);
-    }
+  // We now have our three components. Add them together.
+  // r1,r2,c = r1,r2 + t2,t3,c
+  c += bn_add_words(&r[n], &r[n], &t[n2], n2);
+
+  // Propagate the carry bit to the end.
+  for (int i = n + n2; i < n2 + n2; i++) {
+    BN_ULONG old = r[i];
+    r[i] = old + c;
+    c = r[i] < old;
   }
+
+  // The product should fit without carries.
+  assert(c == 0);
 }
 
-// n+tn is the word length
-// t needs to be n*4 is size, as does r
-// tnX may not be negative but less than n
+// bn_mul_part_recursive sets |r| to |a| * |b|, using |t| as scratch space. |r|
+// has length 4*|n|, |a| has length |n| + |tna|, |b| has length |n| + |tnb|, and
+// |t| has length 8*|n|. |n| must be a power of two. Additionally, we must have
+// 0 <= tna < n and 0 <= tnb < n, and |tna| and |tnb| must differ by at most
+// one.
+//
+// TODO(davidben): Make this take |size_t| and perhaps the actual lengths of |a|
+// and |b|.
 static void bn_mul_part_recursive(BN_ULONG *r, const BN_ULONG *a,
                                   const BN_ULONG *b, int n, int tna, int tnb,
                                   BN_ULONG *t) {
-  int i, j, n2 = n * 2;
-  int c1, c2, neg;
-  BN_ULONG ln, lo, *p;
-
+  // |n| is a power of two.
+  assert(n != 0 && (n & (n - 1)) == 0);
+  // Check |tna| and |tnb| are in range.
+  assert(0 <= tna && tna < n);
+  assert(0 <= tnb && tnb < n);
+  assert(-1 <= tna - tnb && tna - tnb <= 1);
+
+  int n2 = n * 2;
   if (n < 8) {
     bn_mul_normal(r, a, n + tna, b, n + tnb);
+    OPENSSL_memset(r + n2 + tna + tnb, 0, n2 - tna - tnb);
     return;
   }
 
-  // r=(a[0]-a[1])*(b[1]-b[0])
-  c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
-  c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
-  neg = 0;
-  switch (c1 * 3 + c2) {
-    case -4:
-      bn_sub_part_words(t, &(a[n]), a, tna, tna - n);        // -
-      bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb);  // -
-      break;
-    case -3:
-      // break;
-    case -2:
-      bn_sub_part_words(t, &(a[n]), a, tna, tna - n);        // -
-      bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);  // +
-      neg = 1;
-      break;
-    case -1:
-    case 0:
-    case 1:
-      // break;
-    case 2:
-      bn_sub_part_words(t, a, &(a[n]), tna, n - tna);        // +
-      bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb);  // -
-      neg = 1;
-      break;
-    case 3:
-      // break;
-    case 4:
-      bn_sub_part_words(t, a, &(a[n]), tna, n - tna);
-      bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);
-      break;
-  }
-
+  // Split |a| and |b| into a0,a1 and b0,b1, where a0 and b0 have size |n|. |a1|
+  // and |b1| have size |tna| and |tnb|, respectively.
+  // Split |t| into t0,t1,t2,t3, each of size |n|, with the remaining 4*|n| used
+  // for recursive calls.
+  // Split |r| into r0,r1,r2,r3. We must contribute a0*b0 to r0,r1, a0*a1+b0*b1
+  // to r1,r2, and a1*b1 to r2,r3. The middle term we will compute as:
+  //
+  //   a0*a1 + b0*b1 = (a0 - a1)*(b1 - b0) + a1*b1 + a0*b0
+
+  // t0 = a0 - a1 and t1 = b1 - b0. The result will be multiplied, so we XOR
+  // their sign masks, giving the sign of (a0 - a1)*(b1 - b0). t0 and t1
+  // themselves store the absolute value.
+  BN_ULONG neg = bn_abs_sub_part_words(t, a, &a[n], tna, n - tna, &t[n2]);
+  neg ^= bn_abs_sub_part_words(&t[n], &b[n], b, tnb, tnb - n, &t[n2]);
+
+  // Compute:
+  // t2,t3 = t0 * t1 = |(a0 - a1)*(b1 - b0)|
+  // r0,r1 = a0 * b0
+  // r2,r3 = a1 * b1
   if (n == 8) {
-    bn_mul_comba8(&(t[n2]), t, &(t[n]));
+    bn_mul_comba8(&t[n2], t, &t[n]);
     bn_mul_comba8(r, a, b);
-    bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
-    OPENSSL_memset(&(r[n2 + tna + tnb]), 0, sizeof(BN_ULONG) * (n2 - tna - tnb));
+
+    bn_mul_normal(&r[n2], &a[n], tna, &b[n], tnb);
+    // |bn_mul_normal| only writes |tna| + |tna| words. Zero the rest.
+    OPENSSL_memset(&r[n2 + tna + tnb], 0, sizeof(BN_ULONG) * (n2 - tna - tnb));
   } else {
-    p = &(t[n2 * 2]);
-    bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
+    BN_ULONG *p = &t[n2 * 2];
+    bn_mul_recursive(&t[n2], t, &t[n], n, 0, 0, p);
     bn_mul_recursive(r, a, b, n, 0, 0, p);
-    i = n / 2;
-    // If there is only a bottom half to the number,
-    // just do it
-    if (tna > tnb) {
-      j = tna - i;
-    } else {
-      j = tnb - i;
-    }
 
-    if (j == 0) {
-      bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i, p);
-      OPENSSL_memset(&(r[n2 + i * 2]), 0, sizeof(BN_ULONG) * (n2 - i * 2));
-    } else if (j > 0) {
-      // eg, n == 16, i == 8 and tn == 11
-      bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i, p);
-      OPENSSL_memset(&(r[n2 + tna + tnb]), 0,
-                     sizeof(BN_ULONG) * (n2 - tna - tnb));
+    OPENSSL_memset(&r[n2], 0, sizeof(BN_ULONG) * n2);
+    if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL &&
+        tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) {
+      bn_mul_normal(&r[n2], &a[n], tna, &b[n], tnb);
     } else {
-      // (j < 0) eg, n == 16, i == 8 and tn == 5
-      OPENSSL_memset(&(r[n2]), 0, sizeof(BN_ULONG) * n2);
-      if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL &&
-          tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) {
-        bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
-      } else {
-        for (;;) {
-          i /= 2;
-          // these simplified conditions work
-          // exclusively because difference
-          // between tna and tnb is 1 or 0
-          if (i < tna || i < tnb) {
-            bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i,
-                                  tnb - i, p);
-            break;
-          } else if (i == tna || i == tnb) {
-            bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i,
-                             p);
-            break;
-          }
+      int i = n;
+      for (;;) {
+        i /= 2;
+        if (i < tna || i < tnb) {
+          // E.g., n == 16, i == 8 and tna == 11. |tna| and |tnb| are within one
+          // of each other, so if |tna| is larger and tna > i, then we know
+          // tnb >= i, and this call is valid.
+          bn_mul_part_recursive(&r[n2], &a[n], &b[n], i, tna - i, tnb - i, p);
+          break;
         }
+        if (i == tna || i == tnb) {
+          // If there is only a bottom half to the number, just do it. We know
+          // the larger of |tna - i| and |tnb - i| is zero. The other is zero or
+          // -1 by because of |tna| and |tnb| differ by at most one.
+          bn_mul_recursive(&r[n2], &a[n], &b[n], i, tna - i, tnb - i, p);
+          break;
+        }
+
+        // This loop will eventually terminate when |i| falls below
+        // |BN_MUL_RECURSIVE_SIZE_NORMAL| because we know one of |tna| and |tnb|
+        // exceeds that.
       }
     }
   }
 
-  // t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
-  // r[10] holds (a[0]*b[0])
-  // r[32] holds (b[1]*b[1])
+  // t0,t1,c = r0,r1 + r2,r3 = a0*b0 + a1*b1
+  BN_ULONG c = bn_add_words(t, r, &r[n2], n2);
 
-  c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
+  // t2,t3,c = t0,t1,c + neg*t2,t3 = (a0 - a1)*(b1 - b0) + a1*b1 + a0*b0.
+  // The second term is stored as the absolute value, so we do this with a
+  // constant-time select.
+  BN_ULONG c_neg = c - bn_sub_words(&t[n2 * 2], t, &t[n2], n2);
+  BN_ULONG c_pos = c + bn_add_words(&t[n2], t, &t[n2], n2);
+  bn_select_words(&t[n2], neg, &t[n2 * 2], &t[n2], n2);
+  OPENSSL_COMPILE_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
+                         crypto_word_t_too_small);
+  c = constant_time_select_w(neg, c_neg, c_pos);
 
-  if (neg) {
-    // if t[32] is negative
-    c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
-  } else {
-    // Might have a carry
-    c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
-  }
-
-  // t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
-  // r[10] holds (a[0]*b[0])
-  // r[32] holds (b[1]*b[1])
-  // c1 holds the carry bits
-  c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
-  if (c1) {
-    p = &(r[n + n2]);
-    lo = *p;
-    ln = lo + c1;
-    *p = ln;
-
-    // The overflow will stop before we over write
-    // words we should not overwrite
-    if (ln < (BN_ULONG)c1) {
-      do {
-        p++;
-        lo = *p;
-        ln = lo + 1;
-        *p = ln;
-      } while (ln == 0);
-    }
-  }
-}
+  // We now have our three components. Add them together.
+  // r1,r2,c = r1,r2 + t2,t3,c
+  c += bn_add_words(&r[n], &r[n], &t[n2], n2);
 
-int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
-  int ret = 0;
-  int top, al, bl;
-  BIGNUM *rr;
-  int i;
-  BIGNUM *t = NULL;
-  int j = 0, k;
+  // Propagate the carry bit to the end.
+  for (int i = n + n2; i < n2 + n2; i++) {
+    BN_ULONG old = r[i];
+    r[i] = old + c;
+    c = r[i] < old;
+  }
 
-  al = a->top;
-  bl = b->top;
+  // The product should fit without carries.
+  assert(c == 0);
+}
 
-  if ((al == 0) || (bl == 0)) {
+// bn_mul_impl implements |BN_mul| and |bn_mul_consttime|. Note this function
+// breaks |BIGNUM| invariants and may return a negative zero. This is handled by
+// the callers.
+static int bn_mul_impl(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                       BN_CTX *ctx) {
+  int al = a->width;
+  int bl = b->width;
+  if (al == 0 || bl == 0) {
     BN_zero(r);
     return 1;
   }
-  top = al + bl;
 
+  int ret = 0;
+  BIGNUM *rr;
   BN_CTX_start(ctx);
-  if ((r == a) || (r == b)) {
-    if ((rr = BN_CTX_get(ctx)) == NULL) {
+  if (r == a || r == b) {
+    rr = BN_CTX_get(ctx);
+    if (r == NULL) {
       goto err;
     }
   } else {
@@ -586,55 +566,55 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
   }
   rr->neg = a->neg ^ b->neg;
 
-  i = al - bl;
+  int i = al - bl;
   if (i == 0) {
     if (al == 8) {
       if (!bn_wexpand(rr, 16)) {
         goto err;
       }
-      rr->top = 16;
+      rr->width = 16;
       bn_mul_comba8(rr->d, a->d, b->d);
       goto end;
     }
   }
 
+  int top = al + bl;
   static const int kMulNormalSize = 16;
   if (al >= kMulNormalSize && bl >= kMulNormalSize) {
-    if (i >= -1 && i <= 1) {
-      /* Find out the power of two lower or equal
-         to the longest of the two numbers */
+    if (-1 <= i && i <= 1) {
+      // Find the larger power of two less than or equal to the larger length.
+      int j;
       if (i >= 0) {
         j = BN_num_bits_word((BN_ULONG)al);
-      }
-      if (i == -1) {
+      } else {
         j = BN_num_bits_word((BN_ULONG)bl);
       }
       j = 1 << (j - 1);
       assert(j <= al || j <= bl);
-      k = j + j;
-      t = BN_CTX_get(ctx);
+      BIGNUM *t = BN_CTX_get(ctx);
       if (t == NULL) {
         goto err;
       }
       if (al > j || bl > j) {
-        if (!bn_wexpand(t, k * 4)) {
-          goto err;
-        }
-        if (!bn_wexpand(rr, k * 4)) {
+        // We know |al| and |bl| are at most one from each other, so if al > j,
+        // bl >= j, and vice versa. Thus we can use |bn_mul_part_recursive|.
+        assert(al >= j && bl >= j);
+        if (!bn_wexpand(t, j * 8) ||
+            !bn_wexpand(rr, j * 4)) {
           goto err;
         }
         bn_mul_part_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d);
       } else {
-        // al <= j || bl <= j
-        if (!bn_wexpand(t, k * 2)) {
-          goto err;
-        }
-        if (!bn_wexpand(rr, k * 2)) {
+        // al <= j && bl <= j. Additionally, we know j <= al or j <= bl, so one
+        // of al - j or bl - j is zero. The other, by the bound on |i| above, is
+        // zero or -1. Thus, we can use |bn_mul_recursive|.
+        if (!bn_wexpand(t, j * 4) ||
+            !bn_wexpand(rr, j * 2)) {
           goto err;
         }
         bn_mul_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d);
       }
-      rr->top = top;
+      rr->width = top;
       goto end;
     }
   }
@@ -642,11 +622,10 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
   if (!bn_wexpand(rr, top)) {
     goto err;
   }
-  rr->top = top;
+  rr->width = top;
   bn_mul_normal(rr->d, a->d, al, b->d, bl);
 
 end:
-  bn_correct_top(rr);
   if (r != rr && !BN_copy(r, rr)) {
     goto err;
   }
@@ -657,6 +636,26 @@ err:
   return ret;
 }
 
+int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
+  if (!bn_mul_impl(r, a, b, ctx)) {
+    return 0;
+  }
+
+  // This additionally fixes any negative zeros created by |bn_mul_impl|.
+  bn_set_minimal_width(r);
+  return 1;
+}
+
+int bn_mul_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
+  // Prevent negative zeros.
+  if (a->neg || b->neg) {
+    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
+    return 0;
+  }
+
+  return bn_mul_impl(r, a, b, ctx);
+}
+
 int bn_mul_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a, size_t num_a,
                  const BN_ULONG *b, size_t num_b) {
   if (num_r != num_a + num_b) {
@@ -711,25 +710,19 @@ static void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, size_t n,
   bn_add_words(r, r, tmp, max);
 }
 
-// r is 2*n words in size,
-// a and b are both n words in size.    (There's not actually a 'b' here ...)
-// n must be a power of 2.
-// We multiply and return the result.
-// t must be 2*n words in size
-// We calculate
-// a[0]*b[0]
-// a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
-// a[1]*b[1]
-static void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2,
+// bn_sqr_recursive sets |r| to |a|^2, using |t| as scratch space. |r| has
+// length 2*|n2|, |a| has length |n2|, and |t| has length 4*|n2|. |n2| must be
+// a power of two.
+static void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, size_t n2,
                              BN_ULONG *t) {
-  int n = n2 / 2;
-  int zero, c1;
-  BN_ULONG ln, lo, *p;
+  // |n2| is a power of two.
+  assert(n2 != 0 && (n2 & (n2 - 1)) == 0);
 
   if (n2 == 4) {
     bn_sqr_comba4(r, a);
     return;
-  } else if (n2 == 8) {
+  }
+  if (n2 == 8) {
     bn_sqr_comba8(r, a);
     return;
   }
@@ -737,63 +730,48 @@ static void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2,
     bn_sqr_normal(r, a, n2, t);
     return;
   }
-  // r=(a[0]-a[1])*(a[1]-a[0])
-  c1 = bn_cmp_words(a, &(a[n]), n);
-  zero = 0;
-  if (c1 > 0) {
-    bn_sub_words(t, a, &(a[n]), n);
-  } else if (c1 < 0) {
-    bn_sub_words(t, &(a[n]), a, n);
-  } else {
-    zero = 1;
-  }
 
-  // The result will always be negative unless it is zero
-  p = &(t[n2 * 2]);
+  // Split |a| into a0,a1, each of size |n|.
+  // Split |t| into t0,t1,t2,t3, each of size |n|, with the remaining 4*|n| used
+  // for recursive calls.
+  // Split |r| into r0,r1,r2,r3. We must contribute a0^2 to r0,r1, 2*a0*a1 to
+  // r1,r2, and a1^2 to r2,r3.
+  size_t n = n2 / 2;
+  BN_ULONG *t_recursive = &t[n2 * 2];
 
-  if (!zero) {
-    bn_sqr_recursive(&(t[n2]), t, n, p);
-  } else {
-    OPENSSL_memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
-  }
-  bn_sqr_recursive(r, a, n, p);
-  bn_sqr_recursive(&(r[n2]), &(a[n]), n, p);
-
-  // t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
-  // r[10] holds (a[0]*b[0])
-  // r[32] holds (b[1]*b[1])
-
-  c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
-
-  // t[32] is negative
-  c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
-
-  // t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
-  // r[10] holds (a[0]*a[0])
-  // r[32] holds (a[1]*a[1])
-  // c1 holds the carry bits
-  c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
-  if (c1) {
-    p = &(r[n + n2]);
-    lo = *p;
-    ln = lo + c1;
-    *p = ln;
-
-    // The overflow will stop before we over write
-    // words we should not overwrite
-    if (ln < (BN_ULONG)c1) {
-      do {
-        p++;
-        lo = *p;
-        ln = lo + 1;
-        *p = ln;
-      } while (ln == 0);
-    }
+  // t0 = |a0 - a1|.
+  bn_abs_sub_words(t, a, &a[n], n, &t[n]);
+  // t2,t3 = t0^2 = |a0 - a1|^2 = a0^2 - 2*a0*a1 + a1^2
+  bn_sqr_recursive(&t[n2], t, n, t_recursive);
+
+  // r0,r1 = a0^2
+  bn_sqr_recursive(r, a, n, t_recursive);
+
+  // r2,r3 = a1^2
+  bn_sqr_recursive(&r[n2], &a[n], n, t_recursive);
+
+  // t0,t1,c = r0,r1 + r2,r3 = a0^2 + a1^2
+  BN_ULONG c = bn_add_words(t, r, &r[n2], n2);
+  // t2,t3,c = t0,t1,c - t2,t3 = 2*a0*a1
+  c -= bn_sub_words(&t[n2], t, &t[n2], n2);
+
+  // We now have our three components. Add them together.
+  // r1,r2,c = r1,r2 + t2,t3,c
+  c += bn_add_words(&r[n], &r[n], &t[n2], n2);
+
+  // Propagate the carry bit to the end.
+  for (size_t i = n + n2; i < n2 + n2; i++) {
+    BN_ULONG old = r[i];
+    r[i] = old + c;
+    c = r[i] < old;
   }
+
+  // The square should fit without carries.
+  assert(c == 0);
 }
 
 int BN_mul_word(BIGNUM *bn, BN_ULONG w) {
-  if (!bn->top) {
+  if (!bn->width) {
     return 1;
   }
 
@@ -802,37 +780,34 @@ int BN_mul_word(BIGNUM *bn, BN_ULONG w) {
     return 1;
   }
 
-  BN_ULONG ll = bn_mul_words(bn->d, bn->d, bn->top, w);
+  BN_ULONG ll = bn_mul_words(bn->d, bn->d, bn->width, w);
   if (ll) {
-    if (!bn_wexpand(bn, bn->top + 1)) {
+    if (!bn_wexpand(bn, bn->width + 1)) {
       return 0;
     }
-    bn->d[bn->top++] = ll;
+    bn->d[bn->width++] = ll;
   }
 
   return 1;
 }
 
-int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) {
-  int max, al;
-  int ret = 0;
-  BIGNUM *tmp, *rr;
-
-  al = a->top;
+int bn_sqr_consttime(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) {
+  int al = a->width;
   if (al <= 0) {
-    r->top = 0;
+    r->width = 0;
     r->neg = 0;
     return 1;
   }
 
+  int ret = 0;
   BN_CTX_start(ctx);
-  rr = (a != r) ? r : BN_CTX_get(ctx);
-  tmp = BN_CTX_get(ctx);
+  BIGNUM *rr = (a != r) ? r : BN_CTX_get(ctx);
+  BIGNUM *tmp = BN_CTX_get(ctx);
   if (!rr || !tmp) {
     goto err;
   }
 
-  max = 2 * al;  // Non-zero (from above)
+  int max = 2 * al;  // Non-zero (from above)
   if (!bn_wexpand(rr, max)) {
     goto err;
   }
@@ -846,13 +821,9 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) {
       BN_ULONG t[BN_SQR_RECURSIVE_SIZE_NORMAL * 2];
       bn_sqr_normal(rr->d, a->d, al, t);
     } else {
-      int j, k;
-
-      j = BN_num_bits_word((BN_ULONG)al);
-      j = 1 << (j - 1);
-      k = j + j;
-      if (al == j) {
-        if (!bn_wexpand(tmp, k * 2)) {
+      // If |al| is a power of two, we can use |bn_sqr_recursive|.
+      if (al != 0 && (al & (al - 1)) == 0) {
+        if (!bn_wexpand(tmp, al * 4)) {
           goto err;
         }
         bn_sqr_recursive(rr->d, a->d, al, tmp->d);
@@ -866,13 +837,7 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) {
   }
 
   rr->neg = 0;
-  // If the most-significant half of the top word of 'a' is zero, then
-  // the square of 'a' will max-1 words.
-  if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l)) {
-    rr->top = max - 1;
-  } else {
-    rr->top = max;
-  }
+  rr->width = max;
 
   if (rr != r && !BN_copy(r, rr)) {
     goto err;
@@ -884,6 +849,15 @@ err:
   return ret;
 }
 
+int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) {
+  if (!bn_sqr_consttime(r, a, ctx)) {
+    return 0;
+  }
+
+  bn_set_minimal_width(r);
+  return 1;
+}
+
 int bn_sqr_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a, size_t num_a) {
   if (num_r != 2 * num_a || num_a > BN_SMALL_MAX_WORDS) {
     OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);