Rename EC_RAW_POINT to EC_JACOBIAN
EC_RAW_POINT is a confusing name. It's mostly about whether this is
stack-allocated EC_POINT without the EC_GROUP pointer. Now that we have
EC_AFFINE, EC_JACOBIAN captures what it's doing a bit better.
Fixed: 326
Change-Id: I5b71a387e899a94c79be8cd5e0b54b8432f7d5da
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59565
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/crypto/ec_extra/hash_to_curve.c b/crypto/ec_extra/hash_to_curve.c
index 6c9abf9..3940336 100644
--- a/crypto/ec_extra/hash_to_curve.c
+++ b/crypto/ec_extra/hash_to_curve.c
@@ -273,7 +273,7 @@
// in appendix F.2.
static void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z,
const BN_ULONG *c1, size_t num_c1,
- const EC_FELEM *c2, EC_RAW_POINT *out,
+ const EC_FELEM *c2, EC_JACOBIAN *out,
const EC_FELEM *u) {
// This function requires the prime be 3 mod 4, and that A = -3.
assert(is_3mod4(group));
@@ -344,7 +344,7 @@
static int hash_to_curve(const EC_GROUP *group, const EVP_MD *md,
const EC_FELEM *Z, const EC_FELEM *c2, unsigned k,
- EC_RAW_POINT *out, const uint8_t *dst, size_t dst_len,
+ EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
const uint8_t *msg, size_t msg_len) {
EC_FELEM u0, u1;
if (!hash_to_field2(group, md, &u0, &u1, dst, dst_len, k, msg, msg_len)) {
@@ -359,7 +359,7 @@
}
bn_rshift_words(c1, c1, /*shift=*/2, /*num=*/num_c1);
- EC_RAW_POINT Q0, Q1;
+ EC_JACOBIAN Q0, Q1;
map_to_curve_simple_swu(group, Z, c1, num_c1, c2, &Q0, &u0);
map_to_curve_simple_swu(group, Z, c1, num_c1, c2, &Q1, &u1);
@@ -401,7 +401,7 @@
0xa8, 0x0f, 0x7e, 0x19, 0x14, 0xe2, 0xec, 0x69, 0xf5, 0xa6, 0x26, 0xb3};
int ec_hash_to_curve_p256_xmd_sha256_sswu(const EC_GROUP *group,
- EC_RAW_POINT *out, const uint8_t *dst,
+ EC_JACOBIAN *out, const uint8_t *dst,
size_t dst_len, const uint8_t *msg,
size_t msg_len) {
// See section 8.3 of draft-irtf-cfrg-hash-to-curve-16.
@@ -434,7 +434,7 @@
}
int ec_hash_to_curve_p384_xmd_sha384_sswu(const EC_GROUP *group,
- EC_RAW_POINT *out, const uint8_t *dst,
+ EC_JACOBIAN *out, const uint8_t *dst,
size_t dst_len, const uint8_t *msg,
size_t msg_len) {
// See section 8.3 of draft-irtf-cfrg-hash-to-curve-16.
@@ -479,7 +479,7 @@
}
int ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
- const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
+ const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst,
size_t dst_len, const uint8_t *msg, size_t msg_len) {
// See section 8.3 of draft-irtf-cfrg-hash-to-curve-07.
if (EC_GROUP_get_curve_name(group) != NID_secp384r1) {
diff --git a/crypto/ec_extra/internal.h b/crypto/ec_extra/internal.h
index cf6ff2f..8a9d990 100644
--- a/crypto/ec_extra/internal.h
+++ b/crypto/ec_extra/internal.h
@@ -26,23 +26,23 @@
// Hash-to-curve.
//
-// Internal |EC_RAW_POINT| versions of the corresponding public APIs.
+// Internal |EC_JACOBIAN| versions of the corresponding public APIs.
// ec_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and
// writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite
// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
// error.
OPENSSL_EXPORT int ec_hash_to_curve_p256_xmd_sha256_sswu(
- const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
- size_t dst_len, const uint8_t *msg, size_t msg_len);
+ const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
+ const uint8_t *msg, size_t msg_len);
// ec_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and
// writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite
// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
// error.
OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha384_sswu(
- const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
- size_t dst_len, const uint8_t *msg, size_t msg_len);
+ const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
+ const uint8_t *msg, size_t msg_len);
// ec_hash_to_scalar_p384_xmd_sha384 hashes |msg| to a scalar on |group|
// and writes the result to |out|, using the hash_to_field operation from the
@@ -59,8 +59,8 @@
//
// TODO(https://crbug.com/1414562): Migrate this to the final version.
OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
- const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
- size_t dst_len, const uint8_t *msg, size_t msg_len);
+ const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
+ const uint8_t *msg, size_t msg_len);
// ec_hash_to_scalar_p384_xmd_sha512_draft07 hashes |msg| to a scalar on |group|
// and writes the result to |out|, using the hash_to_field operation from the
diff --git a/crypto/ecdh_extra/ecdh_extra.c b/crypto/ecdh_extra/ecdh_extra.c
index 237d973..d275d1d 100644
--- a/crypto/ecdh_extra/ecdh_extra.c
+++ b/crypto/ecdh_extra/ecdh_extra.c
@@ -92,7 +92,7 @@
return -1;
}
- EC_RAW_POINT shared_point;
+ EC_JACOBIAN shared_point;
uint8_t buf[EC_MAX_BYTES];
size_t buf_len;
if (!ec_point_mul_scalar(group, &shared_point, &pub_key->raw, priv) ||
diff --git a/crypto/fipsmodule/ec/ec.c b/crypto/fipsmodule/ec/ec.c
index 61ecc1f..2195d06 100644
--- a/crypto/fipsmodule/ec/ec.c
+++ b/crypto/fipsmodule/ec/ec.c
@@ -801,7 +801,7 @@
return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
}
-void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out,
+void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *p) {
out->X = p->X;
out->Y = p->Y;
@@ -809,12 +809,12 @@
}
int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out,
- const EC_RAW_POINT *p) {
+ const EC_JACOBIAN *p) {
return group->meth->point_get_affine_coordinates(group, p, &out->X, &out->Y);
}
int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out,
- const EC_RAW_POINT *in, size_t num) {
+ const EC_JACOBIAN *in, size_t num) {
if (group->meth->jacobian_to_affine_batch == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
@@ -990,13 +990,13 @@
if (p_scalar != NULL) {
EC_SCALAR scalar;
- EC_RAW_POINT tmp;
+ EC_JACOBIAN tmp;
if (!arbitrary_bignum_to_scalar(group, &scalar, p_scalar, ctx) ||
!ec_point_mul_scalar(group, &tmp, &p->raw, &scalar)) {
goto err;
}
if (g_scalar == NULL) {
- OPENSSL_memcpy(&r->raw, &tmp, sizeof(EC_RAW_POINT));
+ OPENSSL_memcpy(&r->raw, &tmp, sizeof(EC_JACOBIAN));
} else {
group->meth->add(group, &r->raw, &r->raw, &tmp);
}
@@ -1016,8 +1016,8 @@
return ec_point_mul_no_self_test(group, r, g_scalar, p, p_scalar, ctx);
}
-int ec_point_mul_scalar_public(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_SCALAR *g_scalar, const EC_RAW_POINT *p,
+int ec_point_mul_scalar_public(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_SCALAR *g_scalar, const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar) {
if (g_scalar == NULL || p_scalar == NULL || p == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
@@ -1032,9 +1032,9 @@
return 1;
}
-int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
+int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
- const EC_RAW_POINT *points,
+ const EC_JACOBIAN *points,
const EC_SCALAR *scalars, size_t num) {
if (group->meth->mul_public_batch == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -1045,8 +1045,8 @@
num);
}
-int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *p, const EC_SCALAR *scalar) {
+int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *p, const EC_SCALAR *scalar) {
if (p == NULL || scalar == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
return 0;
@@ -1064,7 +1064,7 @@
return 1;
}
-int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r,
+int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar) {
if (scalar == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
@@ -1083,10 +1083,10 @@
return 1;
}
-int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
- const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
- const EC_RAW_POINT *p2,
+int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
+ const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
+ const EC_JACOBIAN *p2,
const EC_SCALAR *scalar2) {
if (group->meth->mul_batch == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -1106,7 +1106,7 @@
}
int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
- const EC_RAW_POINT *p) {
+ const EC_JACOBIAN *p) {
if (group->meth->init_precomp == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
@@ -1115,7 +1115,7 @@
return group->meth->init_precomp(group, out, p);
}
-int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
+int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
const EC_PRECOMP *p2,
@@ -1137,8 +1137,8 @@
return 1;
}
-void ec_point_select(const EC_GROUP *group, EC_RAW_POINT *out, BN_ULONG mask,
- const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
+void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask,
+ const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
ec_felem_select(group, &out->X, mask, &a->X, &b->X);
ec_felem_select(group, &out->Y, mask, &a->Y, &b->Y);
ec_felem_select(group, &out->Z, mask, &a->Z, &b->Z);
@@ -1159,13 +1159,13 @@
}
}
-int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
+int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
const EC_SCALAR *r) {
return group->meth->cmp_x_coordinate(group, p, r);
}
int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
- const EC_RAW_POINT *p) {
+ const EC_JACOBIAN *p) {
uint8_t bytes[EC_MAX_BYTES];
size_t len;
if (!ec_get_x_coordinate_as_bytes(group, bytes, &len, sizeof(bytes), p)) {
@@ -1201,7 +1201,7 @@
int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out,
size_t *out_len, size_t max_out,
- const EC_RAW_POINT *p) {
+ const EC_JACOBIAN *p) {
size_t len = BN_num_bytes(&group->field);
assert(len <= EC_MAX_BYTES);
if (max_out < len) {
@@ -1219,7 +1219,7 @@
return 1;
}
-void ec_set_to_safe_point(const EC_GROUP *group, EC_RAW_POINT *out) {
+void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out) {
if (group->generator != NULL) {
ec_GFp_simple_point_copy(out, &group->generator->raw);
} else {
diff --git a/crypto/fipsmodule/ec/ec_key.c b/crypto/fipsmodule/ec/ec_key.c
index e427e3c..84a29ab 100644
--- a/crypto/fipsmodule/ec/ec_key.c
+++ b/crypto/fipsmodule/ec/ec_key.c
@@ -311,7 +311,7 @@
// NOTE: this is a FIPS pair-wise consistency check for the ECDH case. See SP
// 800-56Ar3, page 36.
if (eckey->priv_key != NULL) {
- EC_RAW_POINT point;
+ EC_JACOBIAN point;
if (!ec_point_mul_scalar_base(eckey->group, &point,
&eckey->priv_key->scalar)) {
OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);
diff --git a/crypto/fipsmodule/ec/ec_montgomery.c b/crypto/fipsmodule/ec/ec_montgomery.c
index f458df9..eeaee64 100644
--- a/crypto/fipsmodule/ec/ec_montgomery.c
+++ b/crypto/fipsmodule/ec/ec_montgomery.c
@@ -175,7 +175,7 @@
}
static int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group,
- const EC_RAW_POINT *point,
+ const EC_JACOBIAN *point,
EC_FELEM *x, EC_FELEM *y) {
if (ec_GFp_simple_is_at_infinity(group, point)) {
OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
@@ -202,7 +202,7 @@
static int ec_GFp_mont_jacobian_to_affine_batch(const EC_GROUP *group,
EC_AFFINE *out,
- const EC_RAW_POINT *in,
+ const EC_JACOBIAN *in,
size_t num) {
if (num == 0) {
return 1;
@@ -246,8 +246,8 @@
return 1;
}
-void ec_GFp_mont_add(const EC_GROUP *group, EC_RAW_POINT *out,
- const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
+void ec_GFp_mont_add(const EC_GROUP *group, EC_JACOBIAN *out,
+ const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
if (a == b) {
ec_GFp_mont_dbl(group, out, a);
return;
@@ -357,8 +357,8 @@
ec_felem_select(group, &out->Z, z2nz, &z_out, &a->Z);
}
-void ec_GFp_mont_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *a) {
+void ec_GFp_mont_dbl(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *a) {
if (group->a_is_minus3) {
// The method is taken from:
// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
@@ -453,7 +453,7 @@
}
static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
- const EC_RAW_POINT *p,
+ const EC_JACOBIAN *p,
const EC_SCALAR *r) {
if (!group->field_greater_than_order ||
group->field.width != group->order.width) {
diff --git a/crypto/fipsmodule/ec/ec_test.cc b/crypto/fipsmodule/ec/ec_test.cc
index 9ccc54b..a40dd16 100644
--- a/crypto/fipsmodule/ec/ec_test.cc
+++ b/crypto/fipsmodule/ec/ec_test.cc
@@ -1343,7 +1343,7 @@
ASSERT_TRUE(p224);
bssl::UniquePtr<EC_GROUP> p384(EC_GROUP_new_by_curve_name(NID_secp384r1));
ASSERT_TRUE(p384);
- EC_RAW_POINT raw;
+ EC_JACOBIAN raw;
bssl::UniquePtr<EC_POINT> p_p384(EC_POINT_new(p384.get()));
ASSERT_TRUE(p_p384);
bssl::UniquePtr<EC_POINT> p_p224(EC_POINT_new(p224.get()));
diff --git a/crypto/fipsmodule/ec/internal.h b/crypto/fipsmodule/ec/internal.h
index 3b6fa4a..8532026 100644
--- a/crypto/fipsmodule/ec/internal.h
+++ b/crypto/fipsmodule/ec/internal.h
@@ -243,16 +243,14 @@
// Points.
//
// Points may represented in affine coordinates as |EC_AFFINE| or Jacobian
-// coordinates as |EC_RAW_POINT|. Affine coordinates directly represent a
+// coordinates as |EC_JACOBIAN|. Affine coordinates directly represent a
// point on the curve, but point addition over affine coordinates requires
// costly field inversions, so arithmetic is done in Jacobian coordinates.
// Converting from affine to Jacobian is cheap, while converting from Jacobian
// to affine costs a field inversion. (Jacobian coordinates amortize the field
// inversions needed in a sequence of point operations.)
-//
-// TODO(davidben): Rename |EC_RAW_POINT| to |EC_JACOBIAN|.
-// An EC_RAW_POINT represents an elliptic curve point in Jacobian coordinates.
+// An EC_JACOBIAN represents an elliptic curve point in Jacobian coordinates.
// Unlike |EC_POINT|, it is a plain struct which can be stack-allocated and
// needs no cleanup. It is specific to an |EC_GROUP| and must not be mixed
// between groups.
@@ -260,7 +258,7 @@
// X, Y, and Z are Jacobian projective coordinates. They represent
// (X/Z^2, Y/Z^3) if Z != 0 and the point at infinity otherwise.
EC_FELEM X, Y, Z;
-} EC_RAW_POINT;
+} EC_JACOBIAN;
// An EC_AFFINE represents an elliptic curve point in affine coordinates.
// coordinates. Note the point at infinity cannot be represented in affine
@@ -271,7 +269,7 @@
// ec_affine_to_jacobian converts |p| to Jacobian form and writes the result to
// |*out|. This operation is very cheap and only costs a few copies.
-void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out,
+void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *p);
// ec_jacobian_to_affine converts |p| to affine form and writes the result to
@@ -282,7 +280,7 @@
// If only extracting the x-coordinate, use |ec_get_x_coordinate_*| which is
// slightly faster.
OPENSSL_EXPORT int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out,
- const EC_RAW_POINT *p);
+ const EC_JACOBIAN *p);
// ec_jacobian_to_affine_batch converts |num| points in |in| from Jacobian
// coordinates to affine coordinates and writes the results to |out|. It returns
@@ -291,7 +289,7 @@
// This function is not implemented for all curves. Add implementations as
// needed.
int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out,
- const EC_RAW_POINT *in, size_t num);
+ const EC_JACOBIAN *in, size_t num);
// ec_point_set_affine_coordinates sets |out|'s to a point with affine
// coordinates |x| and |y|. It returns one if the point is on the curve and
@@ -309,12 +307,12 @@
// ec_point_mul_scalar sets |r| to |p| * |scalar|. Both inputs are considered
// secret.
-int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *p, const EC_SCALAR *scalar);
+int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *p, const EC_SCALAR *scalar);
// ec_point_mul_scalar_base sets |r| to generator * |scalar|. |scalar| is
// treated as secret.
-int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r,
+int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar);
// ec_point_mul_scalar_batch sets |r| to |p0| * |scalar0| + |p1| * |scalar1| +
@@ -335,10 +333,10 @@
// none. If generalizing to tuned curves, this may be useful. However, we still
// must double up to the least efficient input, so precomputed tables can only
// save table setup and allow a wider window size.
-int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
- const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
- const EC_RAW_POINT *p2, const EC_SCALAR *scalar2);
+int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
+ const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
+ const EC_JACOBIAN *p2, const EC_SCALAR *scalar2);
#define EC_MONT_PRECOMP_COMB_SIZE 5
@@ -357,7 +355,7 @@
// This function is not implemented for all curves. Add implementations as
// needed.
int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
- const EC_RAW_POINT *p);
+ const EC_JACOBIAN *p);
// ec_point_mul_scalar_precomp sets |r| to |p0| * |scalar0| + |p1| * |scalar1| +
// |p2| * |scalar2|. |p1| or |p2| may be NULL to skip the corresponding term.
@@ -381,7 +379,7 @@
// none. If generalizing to tuned curves, we should add a parameter for the base
// point and arrange for the generic implementation to have base point tables
// available.
-int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
+int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
const EC_PRECOMP *p2, const EC_SCALAR *scalar2);
@@ -390,9 +388,9 @@
// generator * |g_scalar| + |p| * |p_scalar|. It assumes that the inputs are
// public so there is no concern about leaking their values through timing.
OPENSSL_EXPORT int ec_point_mul_scalar_public(const EC_GROUP *group,
- EC_RAW_POINT *r,
+ EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
- const EC_RAW_POINT *p,
+ const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar);
// ec_point_mul_scalar_public_batch sets |r| to the sum of generator *
@@ -403,15 +401,15 @@
//
// This function is not implemented for all curves. Add implementations as
// needed.
-int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
+int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
- const EC_RAW_POINT *points,
+ const EC_JACOBIAN *points,
const EC_SCALAR *scalars, size_t num);
// ec_point_select, in constant time, sets |out| to |a| if |mask| is all ones
// and |b| if |mask| is all zeros.
-void ec_point_select(const EC_GROUP *group, EC_RAW_POINT *out, BN_ULONG mask,
- const EC_RAW_POINT *a, const EC_RAW_POINT *b);
+void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask,
+ const EC_JACOBIAN *a, const EC_JACOBIAN *b);
// ec_affine_select behaves like |ec_point_select| but acts on affine points.
void ec_affine_select(const EC_GROUP *group, EC_AFFINE *out, BN_ULONG mask,
@@ -424,14 +422,14 @@
// ec_cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group
// order, with |r|. It returns one if the values match and zero if |p| is the
// point at infinity of the values do not match.
-int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
+int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
const EC_SCALAR *r);
// ec_get_x_coordinate_as_scalar sets |*out| to |p|'s x-coordinate, modulo
// |group->order|. It returns one on success and zero if |p| is the point at
// infinity.
int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
- const EC_RAW_POINT *p);
+ const EC_JACOBIAN *p);
// ec_get_x_coordinate_as_bytes writes |p|'s affine x-coordinate to |out|, which
// must have at must |max_out| bytes. It sets |*out_len| to the number of bytes
@@ -439,7 +437,7 @@
// field. This function returns one on success and zero on failure.
int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out,
size_t *out_len, size_t max_out,
- const EC_RAW_POINT *p);
+ const EC_JACOBIAN *p);
// ec_point_byte_len returns the number of bytes in the byte representation of
// a non-infinity point in |group|, encoded according to |form|, or zero if
@@ -463,12 +461,12 @@
// ec_set_to_safe_point sets |out| to an arbitrary point on |group|, either the
// generator or the point at infinity. This is used to guard against callers of
// external APIs not checking the return value.
-void ec_set_to_safe_point(const EC_GROUP *group, EC_RAW_POINT *out);
+void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out);
// ec_affine_jacobian_equal returns one if |a| and |b| represent the same point
// and zero otherwise. It treats both inputs as secret.
int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a,
- const EC_RAW_POINT *b);
+ const EC_JACOBIAN *b);
// Implementation details.
@@ -482,48 +480,48 @@
// point_get_affine_coordinates sets |*x| and |*y| to the affine coordinates
// of |p|. Either |x| or |y| may be NULL to omit it. It returns one on success
// and zero if |p| is the point at infinity.
- int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_RAW_POINT *p,
+ int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_JACOBIAN *p,
EC_FELEM *x, EC_FELEM *y);
// jacobian_to_affine_batch implements |ec_jacobian_to_affine_batch|.
int (*jacobian_to_affine_batch)(const EC_GROUP *group, EC_AFFINE *out,
- const EC_RAW_POINT *in, size_t num);
+ const EC_JACOBIAN *in, size_t num);
// add sets |r| to |a| + |b|.
- void (*add)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *a,
- const EC_RAW_POINT *b);
+ void (*add)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *a,
+ const EC_JACOBIAN *b);
// dbl sets |r| to |a| + |a|.
- void (*dbl)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *a);
+ void (*dbl)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *a);
// mul sets |r| to |scalar|*|p|.
- void (*mul)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *p,
+ void (*mul)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *p,
const EC_SCALAR *scalar);
// mul_base sets |r| to |scalar|*generator.
- void (*mul_base)(const EC_GROUP *group, EC_RAW_POINT *r,
+ void (*mul_base)(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar);
// mul_batch implements |ec_mul_scalar_batch|.
- void (*mul_batch)(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
- const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
- const EC_RAW_POINT *p2, const EC_SCALAR *scalar2);
+ void (*mul_batch)(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
+ const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
+ const EC_JACOBIAN *p2, const EC_SCALAR *scalar2);
// mul_public sets |r| to |g_scalar|*generator + |p_scalar|*|p|. It assumes
// that the inputs are public so there is no concern about leaking their
// values through timing.
//
// This function may be omitted if |mul_public_batch| is provided.
- void (*mul_public)(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_SCALAR *g_scalar, const EC_RAW_POINT *p,
+ void (*mul_public)(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_SCALAR *g_scalar, const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar);
// mul_public_batch implements |ec_point_mul_scalar_public_batch|.
- int (*mul_public_batch)(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_SCALAR *g_scalar, const EC_RAW_POINT *points,
+ int (*mul_public_batch)(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_SCALAR *g_scalar, const EC_JACOBIAN *points,
const EC_SCALAR *scalars, size_t num);
// init_precomp implements |ec_init_precomp|.
int (*init_precomp)(const EC_GROUP *group, EC_PRECOMP *out,
- const EC_RAW_POINT *p);
+ const EC_JACOBIAN *p);
// mul_precomp implements |ec_point_mul_scalar_precomp|.
- void (*mul_precomp)(const EC_GROUP *group, EC_RAW_POINT *r,
+ void (*mul_precomp)(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
const EC_PRECOMP *p2, const EC_SCALAR *scalar2);
@@ -583,7 +581,7 @@
// cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group
// order, with |r|. It returns one if the values match and zero if |p| is the
// point at infinity of the values do not match.
- int (*cmp_x_coordinate)(const EC_GROUP *group, const EC_RAW_POINT *p,
+ int (*cmp_x_coordinate)(const EC_GROUP *group, const EC_JACOBIAN *p,
const EC_SCALAR *r);
} /* EC_METHOD */;
@@ -637,24 +635,24 @@
EC_GROUP *group;
// raw is the group-specific point data. Functions that take |EC_POINT|
// typically check consistency with |EC_GROUP| while functions that take
- // |EC_RAW_POINT| do not. Thus accesses to this field should be externally
+ // |EC_JACOBIAN| do not. Thus accesses to this field should be externally
// checked for consistency.
- EC_RAW_POINT raw;
+ EC_JACOBIAN raw;
} /* EC_POINT */;
EC_GROUP *ec_group_new(const EC_METHOD *meth);
-void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *p, const EC_SCALAR *scalar);
-void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
+void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *p, const EC_SCALAR *scalar);
+void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar);
-void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
- const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
- const EC_RAW_POINT *p2, const EC_SCALAR *scalar2);
+void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
+ const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
+ const EC_JACOBIAN *p2, const EC_SCALAR *scalar2);
int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
- const EC_RAW_POINT *p);
-void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
+ const EC_JACOBIAN *p);
+void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
const EC_PRECOMP *p2, const EC_SCALAR *scalar2);
@@ -675,9 +673,9 @@
void ec_compute_wNAF(const EC_GROUP *group, int8_t *out,
const EC_SCALAR *scalar, size_t bits, int w);
-int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
+int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
- const EC_RAW_POINT *points,
+ const EC_JACOBIAN *points,
const EC_SCALAR *scalars, size_t num);
// method functions in simple.c
@@ -687,17 +685,17 @@
const BIGNUM *b, BN_CTX *);
int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
BIGNUM *b);
-void ec_GFp_simple_point_init(EC_RAW_POINT *);
-void ec_GFp_simple_point_copy(EC_RAW_POINT *, const EC_RAW_POINT *);
-void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_RAW_POINT *);
-void ec_GFp_mont_add(const EC_GROUP *, EC_RAW_POINT *r, const EC_RAW_POINT *a,
- const EC_RAW_POINT *b);
-void ec_GFp_mont_dbl(const EC_GROUP *, EC_RAW_POINT *r, const EC_RAW_POINT *a);
-void ec_GFp_simple_invert(const EC_GROUP *, EC_RAW_POINT *);
-int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_RAW_POINT *);
-int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_RAW_POINT *);
-int ec_GFp_simple_points_equal(const EC_GROUP *, const EC_RAW_POINT *a,
- const EC_RAW_POINT *b);
+void ec_GFp_simple_point_init(EC_JACOBIAN *);
+void ec_GFp_simple_point_copy(EC_JACOBIAN *, const EC_JACOBIAN *);
+void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_JACOBIAN *);
+void ec_GFp_mont_add(const EC_GROUP *, EC_JACOBIAN *r, const EC_JACOBIAN *a,
+ const EC_JACOBIAN *b);
+void ec_GFp_mont_dbl(const EC_GROUP *, EC_JACOBIAN *r, const EC_JACOBIAN *a);
+void ec_GFp_simple_invert(const EC_GROUP *, EC_JACOBIAN *);
+int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_JACOBIAN *);
+int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_JACOBIAN *);
+int ec_GFp_simple_points_equal(const EC_GROUP *, const EC_JACOBIAN *a,
+ const EC_JACOBIAN *b);
void ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r,
const EC_SCALAR *a);
@@ -705,7 +703,7 @@
EC_SCALAR *r,
const EC_SCALAR *a);
-int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
+int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
const EC_SCALAR *r);
void ec_GFp_simple_felem_to_bytes(const EC_GROUP *group, uint8_t *out,
diff --git a/crypto/fipsmodule/ec/p224-64.c b/crypto/fipsmodule/ec/p224-64.c
index 0f51970..ef83b29 100644
--- a/crypto/fipsmodule/ec/p224-64.c
+++ b/crypto/fipsmodule/ec/p224-64.c
@@ -860,7 +860,7 @@
// Takes the Jacobian coordinates (X, Y, Z) of a point and returns
// (X', Y') = (X/Z^2, Y/Z^3)
static int ec_GFp_nistp224_point_get_affine_coordinates(
- const EC_GROUP *group, const EC_RAW_POINT *point, EC_FELEM *x,
+ const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x,
EC_FELEM *y) {
if (ec_GFp_simple_is_at_infinity(group, point)) {
OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
@@ -895,8 +895,8 @@
return 1;
}
-static void ec_GFp_nistp224_add(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
+static void ec_GFp_nistp224_add(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
p224_felem x1, y1, z1, x2, y2, z2;
p224_generic_to_felem(x1, &a->X);
p224_generic_to_felem(y1, &a->Y);
@@ -911,8 +911,8 @@
p224_felem_to_generic(&r->Z, z1);
}
-static void ec_GFp_nistp224_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *a) {
+static void ec_GFp_nistp224_dbl(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *a) {
p224_felem x, y, z;
p224_generic_to_felem(x, &a->X);
p224_generic_to_felem(y, &a->Y);
@@ -925,7 +925,7 @@
}
static void ec_GFp_nistp224_make_precomp(p224_felem out[17][3],
- const EC_RAW_POINT *p) {
+ const EC_JACOBIAN *p) {
OPENSSL_memset(out[0], 0, sizeof(p224_felem) * 3);
p224_generic_to_felem(out[1][0], &p->X);
@@ -943,8 +943,8 @@
}
}
-static void ec_GFp_nistp224_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *p,
+static void ec_GFp_nistp224_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *p,
const EC_SCALAR *scalar) {
p224_felem p_pre_comp[17][3];
ec_GFp_nistp224_make_precomp(p_pre_comp, p);
@@ -992,7 +992,7 @@
}
static void ec_GFp_nistp224_point_mul_base(const EC_GROUP *group,
- EC_RAW_POINT *r,
+ EC_JACOBIAN *r,
const EC_SCALAR *scalar) {
// Set nq to the point at infinity.
p224_felem nq[3], tmp[3];
@@ -1039,9 +1039,9 @@
}
static void ec_GFp_nistp224_point_mul_public(const EC_GROUP *group,
- EC_RAW_POINT *r,
+ EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
- const EC_RAW_POINT *p,
+ const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar) {
// TODO(davidben): If P-224 ECDSA verify performance ever matters, using
// |ec_compute_wNAF| for |p_scalar| would likely be an easy improvement.
diff --git a/crypto/fipsmodule/ec/p256-nistz.c b/crypto/fipsmodule/ec/p256-nistz.c
index c56222b..dfde2f4 100644
--- a/crypto/fipsmodule/ec/p256-nistz.c
+++ b/crypto/fipsmodule/ec/p256-nistz.c
@@ -187,7 +187,7 @@
// r = p * p_scalar
static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
- const EC_RAW_POINT *p,
+ const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar) {
assert(p != NULL);
assert(p_scalar != NULL);
@@ -299,8 +299,8 @@
return booth_recode_w7(wvalue);
}
-static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *p,
+static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *p,
const EC_SCALAR *scalar) {
alignas(32) P256_POINT out;
ecp_nistz256_windowed_mul(group, &out, p, scalar);
@@ -311,7 +311,7 @@
OPENSSL_memcpy(r->Z.words, out.Z, P256_LIMBS * sizeof(BN_ULONG));
}
-static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
+static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar) {
uint8_t p_str[33];
OPENSSL_memcpy(p_str, scalar->words, 32);
@@ -356,9 +356,9 @@
}
static void ecp_nistz256_points_mul_public(const EC_GROUP *group,
- EC_RAW_POINT *r,
+ EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
- const EC_RAW_POINT *p_,
+ const EC_JACOBIAN *p_,
const EC_SCALAR *p_scalar) {
assert(p_ != NULL && p_scalar != NULL && g_scalar != NULL);
@@ -420,7 +420,7 @@
}
static int ecp_nistz256_get_affine(const EC_GROUP *group,
- const EC_RAW_POINT *point, EC_FELEM *x,
+ const EC_JACOBIAN *point, EC_FELEM *x,
EC_FELEM *y) {
if (ec_GFp_simple_is_at_infinity(group, point)) {
OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
@@ -444,8 +444,8 @@
return 1;
}
-static void ecp_nistz256_add(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *a_, const EC_RAW_POINT *b_) {
+static void ecp_nistz256_add(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *a_, const EC_JACOBIAN *b_) {
P256_POINT a, b;
OPENSSL_memcpy(a.X, a_->X.words, P256_LIMBS * sizeof(BN_ULONG));
OPENSSL_memcpy(a.Y, a_->Y.words, P256_LIMBS * sizeof(BN_ULONG));
@@ -459,8 +459,8 @@
OPENSSL_memcpy(r->Z.words, a.Z, P256_LIMBS * sizeof(BN_ULONG));
}
-static void ecp_nistz256_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *a_) {
+static void ecp_nistz256_dbl(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *a_) {
P256_POINT a;
OPENSSL_memcpy(a.X, a_->X.words, P256_LIMBS * sizeof(BN_ULONG));
OPENSSL_memcpy(a.Y, a_->Y.words, P256_LIMBS * sizeof(BN_ULONG));
@@ -573,7 +573,7 @@
}
static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
- const EC_RAW_POINT *p,
+ const EC_JACOBIAN *p,
const EC_SCALAR *r) {
if (ec_GFp_simple_is_at_infinity(group, p)) {
return 0;
diff --git a/crypto/fipsmodule/ec/p256.c b/crypto/fipsmodule/ec/p256.c
index cd2b6fc..af211be 100644
--- a/crypto/fipsmodule/ec/p256.c
+++ b/crypto/fipsmodule/ec/p256.c
@@ -414,7 +414,7 @@
// Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
// (X/Z^2, Y/Z^3).
static int ec_GFp_nistp256_point_get_affine_coordinates(
- const EC_GROUP *group, const EC_RAW_POINT *point, EC_FELEM *x_out,
+ const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x_out,
EC_FELEM *y_out) {
if (ec_GFp_simple_is_at_infinity(group, point)) {
OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
@@ -444,8 +444,8 @@
return 1;
}
-static void ec_GFp_nistp256_add(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
+static void ec_GFp_nistp256_add(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
fiat_p256_felem x1, y1, z1, x2, y2, z2;
fiat_p256_from_generic(x1, &a->X);
fiat_p256_from_generic(y1, &a->Y);
@@ -460,8 +460,8 @@
fiat_p256_to_generic(&r->Z, z1);
}
-static void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *a) {
+static void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *a) {
fiat_p256_felem x, y, z;
fiat_p256_from_generic(x, &a->X);
fiat_p256_from_generic(y, &a->Y);
@@ -472,8 +472,8 @@
fiat_p256_to_generic(&r->Z, z);
}
-static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *p,
+static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *p,
const EC_SCALAR *scalar) {
fiat_p256_felem p_pre_comp[17][3];
OPENSSL_memset(&p_pre_comp, 0, sizeof(p_pre_comp));
@@ -540,7 +540,7 @@
}
static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group,
- EC_RAW_POINT *r,
+ EC_JACOBIAN *r,
const EC_SCALAR *scalar) {
// Set nq to the point at infinity.
fiat_p256_felem nq[3] = {{0}, {0}, {0}}, tmp[3];
@@ -588,9 +588,9 @@
}
static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group,
- EC_RAW_POINT *r,
+ EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
- const EC_RAW_POINT *p,
+ const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar) {
#define P256_WSIZE_PUBLIC 4
// Precompute multiples of |p|. p_pre_comp[i] is (2*i+1) * |p|.
@@ -680,7 +680,7 @@
}
static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
- const EC_RAW_POINT *p,
+ const EC_JACOBIAN *p,
const EC_SCALAR *r) {
if (ec_GFp_simple_is_at_infinity(group, p)) {
return 0;
diff --git a/crypto/fipsmodule/ec/simple.c b/crypto/fipsmodule/ec/simple.c
index 58d8121..6498bdc 100644
--- a/crypto/fipsmodule/ec/simple.c
+++ b/crypto/fipsmodule/ec/simple.c
@@ -152,36 +152,36 @@
return 1;
}
-void ec_GFp_simple_point_init(EC_RAW_POINT *point) {
+void ec_GFp_simple_point_init(EC_JACOBIAN *point) {
OPENSSL_memset(&point->X, 0, sizeof(EC_FELEM));
OPENSSL_memset(&point->Y, 0, sizeof(EC_FELEM));
OPENSSL_memset(&point->Z, 0, sizeof(EC_FELEM));
}
-void ec_GFp_simple_point_copy(EC_RAW_POINT *dest, const EC_RAW_POINT *src) {
+void ec_GFp_simple_point_copy(EC_JACOBIAN *dest, const EC_JACOBIAN *src) {
OPENSSL_memcpy(&dest->X, &src->X, sizeof(EC_FELEM));
OPENSSL_memcpy(&dest->Y, &src->Y, sizeof(EC_FELEM));
OPENSSL_memcpy(&dest->Z, &src->Z, sizeof(EC_FELEM));
}
void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,
- EC_RAW_POINT *point) {
+ EC_JACOBIAN *point) {
// Although it is strictly only necessary to zero Z, we zero the entire point
// in case |point| was stack-allocated and yet to be initialized.
ec_GFp_simple_point_init(point);
}
-void ec_GFp_simple_invert(const EC_GROUP *group, EC_RAW_POINT *point) {
+void ec_GFp_simple_invert(const EC_GROUP *group, EC_JACOBIAN *point) {
ec_felem_neg(group, &point->Y, &point->Y);
}
int ec_GFp_simple_is_at_infinity(const EC_GROUP *group,
- const EC_RAW_POINT *point) {
+ const EC_JACOBIAN *point) {
return ec_felem_non_zero_mask(group, &point->Z) == 0;
}
int ec_GFp_simple_is_on_curve(const EC_GROUP *group,
- const EC_RAW_POINT *point) {
+ const EC_JACOBIAN *point) {
// We have a curve defined by a Weierstrass equation
// y^2 = x^3 + a*x + b.
// The point to consider is given in Jacobian projective coordinates
@@ -237,8 +237,8 @@
return 1 & ~(not_infinity & not_equal);
}
-int ec_GFp_simple_points_equal(const EC_GROUP *group, const EC_RAW_POINT *a,
- const EC_RAW_POINT *b) {
+int ec_GFp_simple_points_equal(const EC_GROUP *group, const EC_JACOBIAN *a,
+ const EC_JACOBIAN *b) {
// This function is implemented in constant-time for two reasons. First,
// although EC points are usually public, their Jacobian Z coordinates may be
// secret, or at least are not obviously public. Second, more complex
@@ -285,7 +285,7 @@
}
int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a,
- const EC_RAW_POINT *b) {
+ const EC_JACOBIAN *b) {
// If |b| is not infinity, we have to decide whether
// (X_a, Y_a) = (X_b/Z_b^2, Y_b/Z_b^3),
// or equivalently, whether
@@ -314,7 +314,7 @@
return equal & 1;
}
-int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
+int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
const EC_SCALAR *r) {
if (ec_GFp_simple_is_at_infinity(group, p)) {
// |ec_get_x_coordinate_as_scalar| will check this internally, but this way
diff --git a/crypto/fipsmodule/ec/simple_mul.c b/crypto/fipsmodule/ec/simple_mul.c
index 024155d..9a72a66 100644
--- a/crypto/fipsmodule/ec/simple_mul.c
+++ b/crypto/fipsmodule/ec/simple_mul.c
@@ -21,14 +21,14 @@
#include "../../internal.h"
-void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *p, const EC_SCALAR *scalar) {
+void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *p, const EC_SCALAR *scalar) {
// This is a generic implementation for uncommon curves that not do not
// warrant a tuned one. It uses unsigned digits so that the doubling case in
// |ec_GFp_mont_add| is always unreachable, erring on safety and simplicity.
// Compute a table of the first 32 multiples of |p| (including infinity).
- EC_RAW_POINT precomp[32];
+ EC_JACOBIAN precomp[32];
ec_GFp_simple_point_set_to_infinity(group, &precomp[0]);
ec_GFp_simple_point_copy(&precomp[1], p);
for (size_t j = 2; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
@@ -56,8 +56,8 @@
window |= bn_is_bit_set_words(scalar->words, width, i);
// Select the entry in constant-time.
- EC_RAW_POINT tmp;
- OPENSSL_memset(&tmp, 0, sizeof(EC_RAW_POINT));
+ EC_JACOBIAN tmp;
+ OPENSSL_memset(&tmp, 0, sizeof(EC_JACOBIAN));
for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
BN_ULONG mask = constant_time_eq_w(j, window);
ec_point_select(group, &tmp, mask, &precomp[j], &tmp);
@@ -76,13 +76,13 @@
}
}
-void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
+void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar) {
ec_GFp_mont_mul(group, r, &group->generator->raw, scalar);
}
-static void ec_GFp_mont_batch_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
- size_t num, const EC_RAW_POINT *p) {
+static void ec_GFp_mont_batch_precomp(const EC_GROUP *group, EC_JACOBIAN *out,
+ size_t num, const EC_JACOBIAN *p) {
assert(num > 1);
ec_GFp_simple_point_set_to_infinity(group, &out[0]);
ec_GFp_simple_point_copy(&out[1], p);
@@ -96,8 +96,8 @@
}
static void ec_GFp_mont_batch_get_window(const EC_GROUP *group,
- EC_RAW_POINT *out,
- const EC_RAW_POINT precomp[17],
+ EC_JACOBIAN *out,
+ const EC_JACOBIAN precomp[17],
const EC_SCALAR *scalar, unsigned i) {
const size_t width = group->order.width;
uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 5;
@@ -112,7 +112,7 @@
ec_GFp_nistp_recode_scalar_bits(&sign, &digit, window);
// Select the entry in constant-time.
- OPENSSL_memset(out, 0, sizeof(EC_RAW_POINT));
+ OPENSSL_memset(out, 0, sizeof(EC_JACOBIAN));
for (size_t j = 0; j < 17; j++) {
BN_ULONG mask = constant_time_eq_w(j, digit);
ec_point_select(group, out, mask, &precomp[j], out);
@@ -126,11 +126,11 @@
ec_felem_select(group, &out->Y, sign_mask, &neg_Y, &out->Y);
}
-void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_RAW_POINT *r,
- const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
- const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
- const EC_RAW_POINT *p2, const EC_SCALAR *scalar2) {
- EC_RAW_POINT precomp[3][17];
+void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r,
+ const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
+ const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
+ const EC_JACOBIAN *p2, const EC_SCALAR *scalar2) {
+ EC_JACOBIAN precomp[3][17];
ec_GFp_mont_batch_precomp(group, precomp[0], 17, p0);
ec_GFp_mont_batch_precomp(group, precomp[1], 17, p1);
if (p2 != NULL) {
@@ -145,7 +145,7 @@
ec_GFp_mont_dbl(group, r, r);
}
if (i % 5 == 0) {
- EC_RAW_POINT tmp;
+ EC_JACOBIAN tmp;
ec_GFp_mont_batch_get_window(group, &tmp, precomp[0], scalar0, i);
if (r_is_at_infinity) {
ec_GFp_simple_point_copy(r, &tmp);
@@ -174,13 +174,13 @@
}
int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
- const EC_RAW_POINT *p) {
+ const EC_JACOBIAN *p) {
// comb[i - 1] stores the ith element of the comb. That is, if i is
// b4 * 2^4 + b3 * 2^3 + ... + b0 * 2^0, it stores k * |p|, where k is
// b4 * 2^(4*stride) + b3 * 2^(3*stride) + ... + b0 * 2^(0*stride). stride
// here is |ec_GFp_mont_comb_stride|. We store at index i - 1 because the 0th
// comb entry is always infinity.
- EC_RAW_POINT comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1];
+ EC_JACOBIAN comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1];
unsigned stride = ec_GFp_mont_comb_stride(group);
// We compute the comb sequentially by the highest set bit. Initially, all
@@ -209,7 +209,7 @@
}
static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
- EC_RAW_POINT *out,
+ EC_JACOBIAN *out,
const EC_PRECOMP *precomp,
const EC_SCALAR *scalar, unsigned i) {
const size_t width = group->order.width;
@@ -223,7 +223,7 @@
// Select precomp->comb[window - 1]. If |window| is zero, |match| will always
// be zero, which will leave |out| at infinity.
- OPENSSL_memset(out, 0, sizeof(EC_RAW_POINT));
+ OPENSSL_memset(out, 0, sizeof(EC_JACOBIAN));
for (unsigned j = 0; j < OPENSSL_ARRAY_SIZE(precomp->comb); j++) {
BN_ULONG match = constant_time_eq_w(window, j + 1);
ec_felem_select(group, &out->X, match, &precomp->comb[j].X, &out->X);
@@ -233,7 +233,7 @@
ec_felem_select(group, &out->Z, is_infinity, &out->Z, &group->one);
}
-void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
+void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
const EC_PRECOMP *p2, const EC_SCALAR *scalar2) {
@@ -244,7 +244,7 @@
ec_GFp_mont_dbl(group, r, r);
}
- EC_RAW_POINT tmp;
+ EC_JACOBIAN tmp;
ec_GFp_mont_get_comb_window(group, &tmp, p0, scalar0, i);
if (r_is_at_infinity) {
ec_GFp_simple_point_copy(r, &tmp);
diff --git a/crypto/fipsmodule/ec/wnaf.c b/crypto/fipsmodule/ec/wnaf.c
index ce0d4b8..beb9295 100644
--- a/crypto/fipsmodule/ec/wnaf.c
+++ b/crypto/fipsmodule/ec/wnaf.c
@@ -148,18 +148,18 @@
}
// compute_precomp sets |out[i]| to (2*i+1)*p, for i from 0 to |len|.
-static void compute_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
- const EC_RAW_POINT *p, size_t len) {
+static void compute_precomp(const EC_GROUP *group, EC_JACOBIAN *out,
+ const EC_JACOBIAN *p, size_t len) {
ec_GFp_simple_point_copy(&out[0], p);
- EC_RAW_POINT two_p;
+ EC_JACOBIAN two_p;
ec_GFp_mont_dbl(group, &two_p, p);
for (size_t i = 1; i < len; i++) {
ec_GFp_mont_add(group, &out[i], &out[i - 1], &two_p);
}
}
-static void lookup_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
- const EC_RAW_POINT *precomp, int digit) {
+static void lookup_precomp(const EC_GROUP *group, EC_JACOBIAN *out,
+ const EC_JACOBIAN *precomp, int digit) {
if (digit < 0) {
digit = -digit;
ec_GFp_simple_point_copy(out, &precomp[digit >> 1]);
@@ -179,9 +179,9 @@
// avoid a malloc.
#define EC_WNAF_STACK 3
-int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
+int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
- const EC_RAW_POINT *points,
+ const EC_JACOBIAN *points,
const EC_SCALAR *scalars, size_t num) {
size_t bits = BN_num_bits(&group->order);
size_t wNAF_len = bits + 1;
@@ -190,9 +190,9 @@
int8_t wNAF_stack[EC_WNAF_STACK][EC_MAX_BYTES * 8 + 1];
int8_t (*wNAF_alloc)[EC_MAX_BYTES * 8 + 1] = NULL;
int8_t (*wNAF)[EC_MAX_BYTES * 8 + 1];
- EC_RAW_POINT precomp_stack[EC_WNAF_STACK][EC_WNAF_TABLE_SIZE];
- EC_RAW_POINT (*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL;
- EC_RAW_POINT (*precomp)[EC_WNAF_TABLE_SIZE];
+ EC_JACOBIAN precomp_stack[EC_WNAF_STACK][EC_WNAF_TABLE_SIZE];
+ EC_JACOBIAN (*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL;
+ EC_JACOBIAN (*precomp)[EC_WNAF_TABLE_SIZE];
if (num <= EC_WNAF_STACK) {
wNAF = wNAF_stack;
precomp = precomp_stack;
@@ -212,9 +212,9 @@
}
int8_t g_wNAF[EC_MAX_BYTES * 8 + 1];
- EC_RAW_POINT g_precomp[EC_WNAF_TABLE_SIZE];
+ EC_JACOBIAN g_precomp[EC_WNAF_TABLE_SIZE];
assert(wNAF_len <= OPENSSL_ARRAY_SIZE(g_wNAF));
- const EC_RAW_POINT *g = &group->generator->raw;
+ const EC_JACOBIAN *g = &group->generator->raw;
if (g_scalar != NULL) {
ec_compute_wNAF(group, g_wNAF, g_scalar, bits, EC_WNAF_WINDOW_BITS);
compute_precomp(group, g_precomp, g, EC_WNAF_TABLE_SIZE);
@@ -226,7 +226,7 @@
compute_precomp(group, precomp[i], &points[i], EC_WNAF_TABLE_SIZE);
}
- EC_RAW_POINT tmp;
+ EC_JACOBIAN tmp;
int r_is_at_infinity = 1;
for (size_t k = wNAF_len - 1; k < wNAF_len; k--) {
if (!r_is_at_infinity) {
diff --git a/crypto/fipsmodule/ecdh/ecdh.c b/crypto/fipsmodule/ecdh/ecdh.c
index 25d0702..eeb591f 100644
--- a/crypto/fipsmodule/ecdh/ecdh.c
+++ b/crypto/fipsmodule/ecdh/ecdh.c
@@ -94,7 +94,7 @@
return 0;
}
- EC_RAW_POINT shared_point;
+ EC_JACOBIAN shared_point;
uint8_t buf[EC_MAX_BYTES];
size_t buflen;
if (!ec_point_mul_scalar(group, &shared_point, &pub_key->raw, priv) ||
diff --git a/crypto/fipsmodule/ecdsa/ecdsa.c b/crypto/fipsmodule/ecdsa/ecdsa.c
index 4cd95bb..be19540 100644
--- a/crypto/fipsmodule/ecdsa/ecdsa.c
+++ b/crypto/fipsmodule/ecdsa/ecdsa.c
@@ -181,7 +181,7 @@
ec_scalar_mul_montgomery(group, &u1, &m, &s_inv_mont);
ec_scalar_mul_montgomery(group, &u2, &r, &s_inv_mont);
- EC_RAW_POINT point;
+ EC_JACOBIAN point;
if (!ec_point_mul_scalar_public(group, &point, &u1, &pub_key->raw, &u2)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
return 0;
@@ -216,7 +216,7 @@
}
// Compute r, the x-coordinate of k * generator.
- EC_RAW_POINT tmp_point;
+ EC_JACOBIAN tmp_point;
EC_SCALAR r;
if (!ec_point_mul_scalar_base(group, &tmp_point, k) ||
!ec_get_x_coordinate_as_scalar(group, &r, &tmp_point)) {
diff --git a/crypto/trust_token/pmbtoken.c b/crypto/trust_token/pmbtoken.c
index dcb9466..d49a2b8 100644
--- a/crypto/trust_token/pmbtoken.c
+++ b/crypto/trust_token/pmbtoken.c
@@ -30,9 +30,9 @@
#include "internal.h"
-typedef int (*hash_t_func_t)(const EC_GROUP *group, EC_RAW_POINT *out,
+typedef int (*hash_t_func_t)(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]);
-typedef int (*hash_s_func_t)(const EC_GROUP *group, EC_RAW_POINT *out,
+typedef int (*hash_s_func_t)(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *t,
const uint8_t s[TRUST_TOKEN_NONCE_SIZE]);
typedef int (*hash_c_func_t)(const EC_GROUP *group, EC_SCALAR *out,
@@ -44,7 +44,7 @@
const EC_GROUP *group;
EC_PRECOMP g_precomp;
EC_PRECOMP h_precomp;
- EC_RAW_POINT h;
+ EC_JACOBIAN h;
// hash_t implements the H_t operation in PMBTokens. It returns one on success
// and zero on error.
hash_t_func_t hash_t;
@@ -173,11 +173,11 @@
return 1;
}
-static int mul_public_3(const EC_GROUP *group, EC_RAW_POINT *out,
- const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
- const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
- const EC_RAW_POINT *p2, const EC_SCALAR *scalar2) {
- EC_RAW_POINT points[3] = {*p0, *p1, *p2};
+static int mul_public_3(const EC_GROUP *group, EC_JACOBIAN *out,
+ const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
+ const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
+ const EC_JACOBIAN *p2, const EC_SCALAR *scalar2) {
+ EC_JACOBIAN points[3] = {*p0, *p1, *p2};
EC_SCALAR scalars[3] = {*scalar0, *scalar1, *scalar2};
return ec_point_mul_scalar_public_batch(group, out, /*g_scalar=*/NULL, points,
scalars, 3);
@@ -189,7 +189,7 @@
const EC_SCALAR *x1, const EC_SCALAR *y1,
const EC_SCALAR *xs, const EC_SCALAR *ys) {
const EC_GROUP *group = method->group;
- EC_RAW_POINT pub[3];
+ EC_JACOBIAN pub[3];
if (!ec_point_mul_scalar_precomp(group, &pub[0], &method->g_precomp,
x0, &method->h_precomp, y0, NULL, NULL) ||
!ec_point_mul_scalar_precomp(group, &pub[1], &method->g_precomp,
@@ -303,7 +303,7 @@
}
// Recompute the public key.
- EC_RAW_POINT pub[3];
+ EC_JACOBIAN pub[3];
EC_AFFINE pub_affine[3];
if (!ec_point_mul_scalar_precomp(group, &pub[0], &method->g_precomp, &key->x0,
&method->h_precomp, &key->y0, NULL, NULL) ||
@@ -367,7 +367,7 @@
ec_scalar_from_montgomery(group, &pretoken->r, &pretoken->r);
ec_scalar_from_montgomery(group, &rinv, &rinv);
- EC_RAW_POINT T, Tp;
+ EC_JACOBIAN T, Tp;
if (!method->hash_t(group, &T, pretoken->t) ||
!ec_point_mul_scalar(group, &Tp, &T, &rinv) ||
!ec_jacobian_to_affine(group, &pretoken->Tp, &Tp)) {
@@ -516,8 +516,8 @@
static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb,
const TRUST_TOKEN_ISSUER_KEY *priv,
- const EC_RAW_POINT *T, const EC_RAW_POINT *S,
- const EC_RAW_POINT *W, const EC_RAW_POINT *Ws,
+ const EC_JACOBIAN *T, const EC_JACOBIAN *S,
+ const EC_JACOBIAN *W, const EC_JACOBIAN *Ws,
uint8_t private_metadata) {
const EC_GROUP *group = method->group;
@@ -537,7 +537,7 @@
idx_Ko1,
num_idx,
};
- EC_RAW_POINT jacobians[num_idx];
+ EC_JACOBIAN jacobians[num_idx];
// Setup the DLEQ proof.
EC_SCALAR ks0, ks1;
@@ -675,11 +675,11 @@
}
static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs,
- const TRUST_TOKEN_CLIENT_KEY *pub, const EC_RAW_POINT *T,
- const EC_RAW_POINT *S, const EC_RAW_POINT *W,
- const EC_RAW_POINT *Ws) {
+ const TRUST_TOKEN_CLIENT_KEY *pub, const EC_JACOBIAN *T,
+ const EC_JACOBIAN *S, const EC_JACOBIAN *W,
+ const EC_JACOBIAN *Ws) {
const EC_GROUP *group = method->group;
- const EC_RAW_POINT *g = &group->generator->raw;
+ const EC_JACOBIAN *g = &group->generator->raw;
// We verify a DLEQ proof for the validity token and a DLEQOR2 proof for the
// private metadata token. To allow amortizing Jacobian-to-affine conversions,
@@ -699,7 +699,7 @@
idx_K11,
num_idx,
};
- EC_RAW_POINT jacobians[num_idx];
+ EC_JACOBIAN jacobians[num_idx];
// Decode the DLEQ proof.
EC_SCALAR cs, us, vs;
@@ -711,7 +711,7 @@
}
// Ks = us*(G;T) + vs*(H;S) - cs*(pubs;Ws)
- EC_RAW_POINT pubs;
+ EC_JACOBIAN pubs;
ec_affine_to_jacobian(group, &pubs, &pub->pubs);
EC_SCALAR minus_cs;
ec_scalar_neg(group, &minus_cs, &cs);
@@ -734,7 +734,7 @@
return 0;
}
- EC_RAW_POINT pub0, pub1;
+ EC_JACOBIAN pub0, pub1;
ec_affine_to_jacobian(group, &pub0, &pub->pub0);
ec_affine_to_jacobian(group, &pub1, &pub->pub1);
EC_SCALAR minus_c0, minus_c1;
@@ -803,17 +803,17 @@
return 0;
}
- if (num_to_issue > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
+ if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
return 0;
}
int ret = 0;
- EC_RAW_POINT *Tps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
- EC_RAW_POINT *Sps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
- EC_RAW_POINT *Wps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
- EC_RAW_POINT *Wsps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
+ EC_JACOBIAN *Tps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
+ EC_JACOBIAN *Sps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
+ EC_JACOBIAN *Wps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
+ EC_JACOBIAN *Wsps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
EC_SCALAR *es = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR));
CBB batch_cbb;
CBB_zero(&batch_cbb);
@@ -831,7 +831,7 @@
for (size_t i = 0; i < num_to_issue; i++) {
EC_AFFINE Tp_affine;
- EC_RAW_POINT Tp;
+ EC_JACOBIAN Tp;
if (!cbs_get_prefixed_point(cbs, group, &Tp_affine, method->prefix_point)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
goto err;
@@ -846,7 +846,7 @@
uint8_t s[TRUST_TOKEN_NONCE_SIZE];
RAND_bytes(s, TRUST_TOKEN_NONCE_SIZE);
// The |jacobians| and |affines| contain Sp, Wp, and Wsp.
- EC_RAW_POINT jacobians[3];
+ EC_JACOBIAN jacobians[3];
EC_AFFINE affines[3];
if (!method->hash_s(group, &jacobians[0], &Tp_affine, s) ||
!ec_point_mul_scalar_batch(group, &jacobians[1], &Tp, &xb,
@@ -887,7 +887,7 @@
}
}
- EC_RAW_POINT Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
+ EC_JACOBIAN Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
if (!ec_point_mul_scalar_public_batch(group, &Tp_batch,
/*g_scalar=*/NULL, Tps, es,
num_to_issue) ||
@@ -944,7 +944,7 @@
return NULL;
}
- if (count > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
+ if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
count > ((size_t)-1) / sizeof(EC_SCALAR)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
return NULL;
@@ -952,10 +952,10 @@
int ok = 0;
STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null();
- EC_RAW_POINT *Tps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
- EC_RAW_POINT *Sps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
- EC_RAW_POINT *Wps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
- EC_RAW_POINT *Wsps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
+ EC_JACOBIAN *Tps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
+ EC_JACOBIAN *Sps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
+ EC_JACOBIAN *Wps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
+ EC_JACOBIAN *Wsps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
EC_SCALAR *es = OPENSSL_malloc(count * sizeof(EC_SCALAR));
CBB batch_cbb;
CBB_zero(&batch_cbb);
@@ -1003,7 +1003,7 @@
}
// Unblind the token.
- EC_RAW_POINT jacobians[3];
+ EC_JACOBIAN jacobians[3];
EC_AFFINE affines[3];
if (!ec_point_mul_scalar(group, &jacobians[0], &Sps[i], &pretoken->r) ||
!ec_point_mul_scalar(group, &jacobians[1], &Wps[i], &pretoken->r) ||
@@ -1050,7 +1050,7 @@
}
}
- EC_RAW_POINT Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
+ EC_JACOBIAN Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
if (!ec_point_mul_scalar_public_batch(group, &Tp_batch,
/*g_scalar=*/NULL, Tps, es, count) ||
!ec_point_mul_scalar_public_batch(group, &Sp_batch,
@@ -1116,14 +1116,14 @@
OPENSSL_memcpy(out_nonce, CBS_data(&salt), CBS_len(&salt));
}
- EC_RAW_POINT T;
+ EC_JACOBIAN T;
if (!method->hash_t(group, &T, out_nonce)) {
return 0;
}
// We perform three multiplications with S and T. This is enough that it is
// worth using |ec_point_mul_scalar_precomp|.
- EC_RAW_POINT S_jacobian;
+ EC_JACOBIAN S_jacobian;
EC_PRECOMP S_precomp, T_precomp;
ec_affine_to_jacobian(group, &S_jacobian, &S);
if (!ec_init_precomp(group, &S_precomp, &S_jacobian) ||
@@ -1131,7 +1131,7 @@
return 0;
}
- EC_RAW_POINT Ws_calculated;
+ EC_JACOBIAN Ws_calculated;
// Check the validity of the token.
if (!ec_point_mul_scalar_precomp(group, &Ws_calculated, &T_precomp, &key->xs,
&S_precomp, &key->ys, NULL, NULL) ||
@@ -1140,7 +1140,7 @@
return 0;
}
- EC_RAW_POINT W0, W1;
+ EC_JACOBIAN W0, W1;
if (!ec_point_mul_scalar_precomp(group, &W0, &T_precomp, &key->x0, &S_precomp,
&key->y0, NULL, NULL) ||
!ec_point_mul_scalar_precomp(group, &W1, &T_precomp, &key->x1, &S_precomp,
@@ -1164,14 +1164,14 @@
// PMBTokens experiment v1.
-static int pmbtoken_exp1_hash_t(const EC_GROUP *group, EC_RAW_POINT *out,
+static int pmbtoken_exp1_hash_t(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashTLabel[] = "PMBTokens Experiment V1 HashT";
return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);
}
-static int pmbtoken_exp1_hash_s(const EC_GROUP *group, EC_RAW_POINT *out,
+static int pmbtoken_exp1_hash_s(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *t,
const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashSLabel[] = "PMBTokens Experiment V1 HashS";
@@ -1337,14 +1337,14 @@
// PMBTokens experiment v2.
-static int pmbtoken_exp2_hash_t(const EC_GROUP *group, EC_RAW_POINT *out,
+static int pmbtoken_exp2_hash_t(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashTLabel[] = "PMBTokens Experiment V2 HashT";
return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);
}
-static int pmbtoken_exp2_hash_s(const EC_GROUP *group, EC_RAW_POINT *out,
+static int pmbtoken_exp2_hash_s(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *t,
const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashSLabel[] = "PMBTokens Experiment V2 HashS";
@@ -1511,14 +1511,14 @@
// PMBTokens PST v1.
-static int pmbtoken_pst1_hash_t(const EC_GROUP *group, EC_RAW_POINT *out,
+static int pmbtoken_pst1_hash_t(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashTLabel[] = "PMBTokens PST V1 HashT";
return ec_hash_to_curve_p384_xmd_sha384_sswu(
group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);
}
-static int pmbtoken_pst1_hash_s(const EC_GROUP *group, EC_RAW_POINT *out,
+static int pmbtoken_pst1_hash_s(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *t,
const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashSLabel[] = "PMBTokens PST V1 HashS";
diff --git a/crypto/trust_token/voprf.c b/crypto/trust_token/voprf.c
index aa7df8e..ea7c193 100644
--- a/crypto/trust_token/voprf.c
+++ b/crypto/trust_token/voprf.c
@@ -29,7 +29,7 @@
#include "internal.h"
-typedef int (*hash_to_group_func_t)(const EC_GROUP *group, EC_RAW_POINT *out,
+typedef int (*hash_to_group_func_t)(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]);
typedef int (*hash_to_scalar_func_t)(const EC_GROUP *group, EC_SCALAR *out,
uint8_t *buf, size_t len);
@@ -118,7 +118,7 @@
static int voprf_calculate_key(const VOPRF_METHOD *method, CBB *out_private,
CBB *out_public, const EC_SCALAR *priv) {
const EC_GROUP *group = method->group;
- EC_RAW_POINT pub;
+ EC_JACOBIAN pub;
EC_AFFINE pub_affine;
if (!ec_point_mul_scalar_base(group, &pub, priv) ||
!ec_jacobian_to_affine(group, &pub_affine, &pub)) {
@@ -197,7 +197,7 @@
}
// Recompute the public key.
- EC_RAW_POINT pub;
+ EC_JACOBIAN pub;
if (!ec_point_mul_scalar_base(group, &pub, &key->xs) ||
!ec_jacobian_to_affine(group, &key->pubs, &pub)) {
return 0;
@@ -255,7 +255,7 @@
ec_scalar_from_montgomery(group, &pretoken->r, &pretoken->r);
// Tp is the blinded token in the VOPRF protocol.
- EC_RAW_POINT P, Tp;
+ EC_JACOBIAN P, Tp;
if (!method->hash_to_group(group, &P, pretoken->t) ||
!ec_point_mul_scalar(group, &Tp, &P, &r) ||
!ec_jacobian_to_affine(group, &pretoken->Tp, &Tp)) {
@@ -362,7 +362,7 @@
static int dleq_generate(const VOPRF_METHOD *method, CBB *cbb,
const TRUST_TOKEN_ISSUER_KEY *priv,
- const EC_RAW_POINT *T, const EC_RAW_POINT *W) {
+ const EC_JACOBIAN *T, const EC_JACOBIAN *W) {
const EC_GROUP *group = method->group;
enum {
@@ -372,7 +372,7 @@
idx_k1,
num_idx,
};
- EC_RAW_POINT jacobians[num_idx];
+ EC_JACOBIAN jacobians[num_idx];
// Setup the DLEQ proof.
EC_SCALAR r;
@@ -417,18 +417,18 @@
return 1;
}
-static int mul_public_2(const EC_GROUP *group, EC_RAW_POINT *out,
- const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
- const EC_RAW_POINT *p1, const EC_SCALAR *scalar1) {
- EC_RAW_POINT points[2] = {*p0, *p1};
+static int mul_public_2(const EC_GROUP *group, EC_JACOBIAN *out,
+ const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
+ const EC_JACOBIAN *p1, const EC_SCALAR *scalar1) {
+ EC_JACOBIAN points[2] = {*p0, *p1};
EC_SCALAR scalars[2] = {*scalar0, *scalar1};
return ec_point_mul_scalar_public_batch(group, out, /*g_scalar=*/NULL, points,
scalars, 2);
}
static int dleq_verify(const VOPRF_METHOD *method, CBS *cbs,
- const TRUST_TOKEN_CLIENT_KEY *pub, const EC_RAW_POINT *T,
- const EC_RAW_POINT *W) {
+ const TRUST_TOKEN_CLIENT_KEY *pub, const EC_JACOBIAN *T,
+ const EC_JACOBIAN *W) {
const EC_GROUP *group = method->group;
@@ -439,7 +439,7 @@
idx_k1,
num_idx,
};
- EC_RAW_POINT jacobians[num_idx];
+ EC_JACOBIAN jacobians[num_idx];
// Decode the DLEQ proof.
EC_SCALAR c, u;
@@ -450,7 +450,7 @@
}
// k0;k1 = u*(G;T) - c*(pub;W)
- EC_RAW_POINT pubs;
+ EC_JACOBIAN pubs;
ec_affine_to_jacobian(group, &pubs, &pub->pubs);
EC_SCALAR minus_c;
ec_scalar_neg(group, &minus_c, &c);
@@ -494,15 +494,15 @@
return 0;
}
- if (num_to_issue > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
+ if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
return 0;
}
int ret = 0;
- EC_RAW_POINT *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
- EC_RAW_POINT *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
+ EC_JACOBIAN *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
+ EC_JACOBIAN *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
EC_SCALAR *es = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR));
CBB batch_cbb;
CBB_zero(&batch_cbb);
@@ -516,7 +516,7 @@
for (size_t i = 0; i < num_to_issue; i++) {
EC_AFFINE BT_affine, Z_affine;
- EC_RAW_POINT BT, Z;
+ EC_JACOBIAN BT, Z;
if (!cbs_get_point(cbs, group, &BT_affine)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
goto err;
@@ -549,7 +549,7 @@
}
}
- EC_RAW_POINT BT_batch, Z_batch;
+ EC_JACOBIAN BT_batch, Z_batch;
if (!ec_point_mul_scalar_public_batch(group, &BT_batch,
/*g_scalar=*/NULL, BTs, es,
num_to_issue) ||
@@ -593,7 +593,7 @@
return NULL;
}
- if (count > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
+ if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
count > ((size_t)-1) / sizeof(EC_SCALAR)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
return NULL;
@@ -601,8 +601,8 @@
int ok = 0;
STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null();
- EC_RAW_POINT *BTs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
- EC_RAW_POINT *Zs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
+ EC_JACOBIAN *BTs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
+ EC_JACOBIAN *Zs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
EC_SCALAR *es = OPENSSL_malloc(count * sizeof(EC_SCALAR));
CBB batch_cbb;
CBB_zero(&batch_cbb);
@@ -635,7 +635,7 @@
// Unblind the token.
// pretoken->r is rinv.
- EC_RAW_POINT N;
+ EC_JACOBIAN N;
EC_AFFINE N_affine;
if (!ec_point_mul_scalar(group, &N, &Zs[i], &pretoken->r) ||
!ec_jacobian_to_affine(group, &N_affine, &N)) {
@@ -674,7 +674,7 @@
}
}
- EC_RAW_POINT BT_batch, Z_batch;
+ EC_JACOBIAN BT_batch, Z_batch;
if (!ec_point_mul_scalar_public_batch(group, &BT_batch,
/*g_scalar=*/NULL, BTs, es, count) ||
!ec_point_mul_scalar_public_batch(group, &Z_batch,
@@ -767,8 +767,8 @@
static int generate_proof(const VOPRF_METHOD *method, CBB *cbb,
const TRUST_TOKEN_ISSUER_KEY *priv,
- const EC_SCALAR *r, const EC_RAW_POINT *M,
- const EC_RAW_POINT *Z) {
+ const EC_SCALAR *r, const EC_JACOBIAN *M,
+ const EC_JACOBIAN *Z) {
const EC_GROUP *group = method->group;
enum {
@@ -778,7 +778,7 @@
idx_t3,
num_idx,
};
- EC_RAW_POINT jacobians[num_idx];
+ EC_JACOBIAN jacobians[num_idx];
if (!ec_point_mul_scalar_base(group, &jacobians[idx_t2], r) ||
!ec_point_mul_scalar(group, &jacobians[idx_t3], M, r)) {
@@ -819,7 +819,7 @@
static int verify_proof(const VOPRF_METHOD *method, CBS *cbs,
const TRUST_TOKEN_CLIENT_KEY *pub,
- const EC_RAW_POINT *M, const EC_RAW_POINT *Z) {
+ const EC_JACOBIAN *M, const EC_JACOBIAN *Z) {
const EC_GROUP *group = method->group;
enum {
@@ -829,7 +829,7 @@
idx_t3,
num_idx,
};
- EC_RAW_POINT jacobians[num_idx];
+ EC_JACOBIAN jacobians[num_idx];
EC_SCALAR c, s;
if (!scalar_from_cbs(cbs, group, &c) ||
@@ -838,7 +838,7 @@
return 0;
}
- EC_RAW_POINT pubs;
+ EC_JACOBIAN pubs;
ec_affine_to_jacobian(group, &pubs, &pub->pubs);
if (!ec_point_mul_scalar_public(group, &jacobians[idx_t2], &s, &pubs,
&c) ||
@@ -879,15 +879,15 @@
return 0;
}
- if (num_to_issue > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
+ if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
return 0;
}
int ret = 0;
- EC_RAW_POINT *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
- EC_RAW_POINT *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
+ EC_JACOBIAN *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
+ EC_JACOBIAN *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
EC_SCALAR *dis = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR));
if (!BTs || !Zs || !dis) {
goto err;
@@ -905,7 +905,7 @@
// the proof generation.
for (size_t i = 0; i < num_to_issue; i++) {
EC_AFFINE BT_affine, Z_affine;
- EC_RAW_POINT BT, Z;
+ EC_JACOBIAN BT, Z;
if (!cbs_get_point(cbs, group, &BT_affine)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
goto err;
@@ -928,7 +928,7 @@
}
}
- EC_RAW_POINT M, Z;
+ EC_JACOBIAN M, Z;
if (!ec_point_mul_scalar_public_batch(group, &M,
/*g_scalar=*/NULL, BTs, dis,
num_to_issue) ||
@@ -995,7 +995,7 @@
return NULL;
}
- if (count > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
+ if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
count > ((size_t)-1) / sizeof(EC_SCALAR)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
return NULL;
@@ -1003,8 +1003,8 @@
int ok = 0;
STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null();
- EC_RAW_POINT *BTs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
- EC_RAW_POINT *Zs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
+ EC_JACOBIAN *BTs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
+ EC_JACOBIAN *Zs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
EC_SCALAR *dis = OPENSSL_malloc(count * sizeof(EC_SCALAR));
if (ret == NULL || !BTs || !Zs || !dis) {
goto err;
@@ -1034,7 +1034,7 @@
// Unblind the token.
// pretoken->r is rinv.
- EC_RAW_POINT N;
+ EC_JACOBIAN N;
EC_AFFINE N_affine;
if (!ec_point_mul_scalar(group, &N, &Zs[i], &pretoken->r) ||
!ec_jacobian_to_affine(group, &N_affine, &N)) {
@@ -1064,7 +1064,7 @@
}
}
- EC_RAW_POINT M, Z;
+ EC_JACOBIAN M, Z;
if (!ec_point_mul_scalar_public_batch(group, &M,
/*g_scalar=*/NULL, BTs, dis,
count) ||
@@ -1122,12 +1122,12 @@
}
- EC_RAW_POINT T;
+ EC_JACOBIAN T;
if (!method->hash_to_group(group, &T, out_nonce)) {
return 0;
}
- EC_RAW_POINT Ws_calculated;
+ EC_JACOBIAN Ws_calculated;
if (!ec_point_mul_scalar(group, &Ws_calculated, &T, &key->xs) ||
!ec_affine_jacobian_equal(group, &Ws, &Ws_calculated)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BAD_VALIDITY_CHECK);
@@ -1140,7 +1140,7 @@
// VOPRF experiment v2.
-static int voprf_exp2_hash_to_group(const EC_GROUP *group, EC_RAW_POINT *out,
+static int voprf_exp2_hash_to_group(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashTLabel[] = "TrustToken VOPRF Experiment V2 HashToGroup";
return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
@@ -1254,7 +1254,7 @@
// VOPRF PST v1.
-static int voprf_pst1_hash_to_group(const EC_GROUP *group, EC_RAW_POINT *out,
+static int voprf_pst1_hash_to_group(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashTLabel[] = "HashToGroup-OPRFV1-\x01-P384-SHA384";
return ec_hash_to_curve_p384_xmd_sha384_sswu(group, out, kHashTLabel,
diff --git a/tool/speed.cc b/tool/speed.cc
index 794bed7..5b02059 100644
--- a/tool/speed.cc
+++ b/tool/speed.cc
@@ -1024,7 +1024,7 @@
return false;
}
if (!TimeFunction(&results, [&]() -> bool {
- EC_RAW_POINT out;
+ EC_JACOBIAN out;
return ec_hash_to_curve_p256_xmd_sha256_sswu(
p256, &out, kLabel, sizeof(kLabel), input, sizeof(input));
})) {
@@ -1038,7 +1038,7 @@
return false;
}
if (!TimeFunction(&results, [&]() -> bool {
- EC_RAW_POINT out;
+ EC_JACOBIAN out;
return ec_hash_to_curve_p384_xmd_sha384_sswu(
p384, &out, kLabel, sizeof(kLabel), input, sizeof(input));
})) {
