define constant macros specifying the size of buffers for Karatsuba

crypto/fipsmodule/bn/montgomery.c

@@ -139,8 +139,13 @@ OPENSSL_INLINE int montgomery_use_s2n_bignum(unsigned int num) {
   // (4) Temporary buffer's size (t and mulres) used in
   //     montgomery_s2n_bignum_mul_mont does not exceed
   //     BN_MONTGOMERY_MAX_WORDS.
+  assert(S2NBIGNUM_KSQR_16_32_TEMP_NWORDS <= S2NBIGNUM_KMUL_32_64_TEMP_NWORDS &&
+         S2NBIGNUM_KSQR_32_64_TEMP_NWORDS <= S2NBIGNUM_KMUL_32_64_TEMP_NWORDS &&
+         S2NBIGNUM_KMUL_16_32_TEMP_NWORDS <= S2NBIGNUM_KMUL_32_64_TEMP_NWORDS);
+  const uint64_t temp_buffer_nwords =
+      S2NBIGNUM_KMUL_32_64_TEMP_NWORDS + 2 * (uint64_t)num;
   return !CRYPTO_is_ARMv8_wide_multiplier_capable() && (num % 8 == 0) &&
-         BN_BITS2 == 64 && (2 * (uint64_t)num + 96) <= BN_MONTGOMERY_MAX_WORDS;
+         BN_BITS2 == 64 && temp_buffer_nwords <= BN_MONTGOMERY_MAX_WORDS;
 }
 
 #else
@@ -465,15 +470,15 @@ static void montgomery_s2n_bignum_mul_mont(BN_ULONG *rp, const BN_ULONG *ap,
 
 #if defined(BN_MONTGOMERY_USE_S2N_BIGNUM)
 
-  // t is a temporary buffer used by big-int multiplication.
+  // t is a temporary buffer used by Karatsuba multiplication.
   // bignum_kmul_32_64 requires 96 words.
-  uint64_t t[96];
+  uint64_t t[S2NBIGNUM_KMUL_32_64_TEMP_NWORDS];
   // mulres is the output buffer of big-int multiplication.
-  // If BN_MONTGOMERY_MAX_WORDS - 96 is larger than num*2, its low num*2
-  // elements are used.
+  // If BN_MONTGOMERY_MAX_WORDS - S2NBIGNUM_KMUL_32_64_TEMP_NWORDS is larger
+  // than num*2, its low num*2 elements are used.
   // It is montgomery_use_s2n_bignum() that checks whether num*2 fits in the
   // size of mulres array.
-  uint64_t mulres[BN_MONTGOMERY_MAX_WORDS - 96];
+  uint64_t mulres[BN_MONTGOMERY_MAX_WORDS - S2NBIGNUM_KMUL_32_64_TEMP_NWORDS];
 
   // Given m the prime number stored at np, m * w = -1 mod 2^64.
   uint64_t w = n0[0];

third_party/s2n-bignum/include/s2n-bignum_aws-lc.h

@@ -133,23 +133,33 @@ extern void curve25519_x25519base_byte_alt(uint8_t res[static 32], const uint8_t
 
 // Evaluate z := x^2 where x is a 2048-bit integer.
 // Input: x[32]; output: z[64]; temporary buffer: t[>=72]
-extern void bignum_ksqr_32_64(uint64_t z[static 64], const uint64_t x[static 32],
-                              uint64_t t[static 72]);
+#define S2NBIGNUM_KSQR_32_64_TEMP_NWORDS 72
+extern void
+bignum_ksqr_32_64(uint64_t z[static 64], const uint64_t x[static 32],
+                  uint64_t t[static S2NBIGNUM_KSQR_32_64_TEMP_NWORDS]);
 
 // Evaluate z := x^2 where x is a 1024-bit integer.
 // Input: x[16]; output: z[32]; temporary buffer: t[>=24]
-extern void bignum_ksqr_16_32(uint64_t z[static 32], const uint64_t x[static 16],
-                              uint64_t t[static 24]);
+#define S2NBIGNUM_KSQR_16_32_TEMP_NWORDS 24
+extern void
+bignum_ksqr_16_32(uint64_t z[static 32], const uint64_t x[static 16],
+                  uint64_t t[static S2NBIGNUM_KSQR_16_32_TEMP_NWORDS]);
 
 // Evaluate z := x * y where x and y are 2048-bit integers.
 // Inputs: x[32], y[32]; output: z[64]; temporary buffer t[>=96]
-extern void bignum_kmul_32_64(uint64_t z[static 64], const uint64_t x[static 32],
-                              const uint64_t y[static 32], uint64_t t[static 96]);
+#define S2NBIGNUM_KMUL_32_64_TEMP_NWORDS 96
+extern void
+bignum_kmul_32_64(uint64_t z[static 64], const uint64_t x[static 32],
+                  const uint64_t y[static 32],
+                  uint64_t t[static S2NBIGNUM_KMUL_32_64_TEMP_NWORDS]);
 
 // Evaluate z := x * y where x and y are 1024-bit integers.
 // Inputs: x[16], y[16]; output: z[32]; temporary buffer t[>=32]
-extern void bignum_kmul_16_32(uint64_t z[static 32], const uint64_t x[static 16],
-                              const uint64_t y[static 16], uint64_t t[static 32]);
+#define S2NBIGNUM_KMUL_16_32_TEMP_NWORDS 32
+extern void
+bignum_kmul_16_32(uint64_t z[static 32], const uint64_t x[static 16],
+                  const uint64_t y[static 16],
+                  uint64_t t[static S2NBIGNUM_KMUL_16_32_TEMP_NWORDS]);
 
 // Extended Montgomery reduce in 8-digit blocks.
 // Assumes that z initially holds a 2k-digit bignum z_0, m is a k-digit odd