Google Git
Sign in
boringssl / boringssl / 417069f8b2fd6dd4f8c2f5f69de7c038a2397050 / . / crypto / fipsmodule / ec / ec.c
blob: 00587a1f2e631bdf9eee51b11cc2477a6f8d06b4 [file] [log] [blame]
/* Originally written by Bodo Moeller for the OpenSSL project.
* ====================================================================
* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
* Portions of the attached software ("Contribution") are developed by
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
*
* The Contribution is licensed pursuant to the OpenSSL open source
* license provided above.
*
* The elliptic curve binary polynomial software is originally written by
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
* Laboratories. */
#include <openssl/ec.h>
#include <assert.h>
#include <string.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/nid.h>
#include "internal.h"
#include "../../internal.h"
#include "../bn/internal.h"
#include "../delocate.h"
#include "builtin_curves.h"
static void ec_point_free(EC_POINT *point, int free_group);
static void ec_group_init_static_mont(BN_MONT_CTX *mont, size_t num_words,
const BN_ULONG *modulus,
const BN_ULONG *rr, uint64_t n0) {
bn_set_static_words(&mont->N, modulus, num_words);
bn_set_static_words(&mont->RR, rr, num_words);
#if defined(OPENSSL_64_BIT)
mont->n0[0] = n0;
#elif defined(OPENSSL_32_BIT)
mont->n0[0] = (uint32_t)n0;
mont->n0[1] = (uint32_t)(n0 >> 32);
#else
#error "unknown word length"
#endif
}
static void ec_group_set_a_minus3(EC_GROUP *group) {
const EC_FELEM *one = ec_felem_one(group);
group->a_is_minus3 = 1;
ec_felem_neg(group, &group->a, one);
ec_felem_sub(group, &group->a, &group->a, one);
ec_felem_sub(group, &group->a, &group->a, one);
}
DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p224) {
out->curve_name = NID_secp224r1;
out->comment = "NIST P-224";
// 1.3.132.0.33
static const uint8_t kOIDP224[] = {0x2b, 0x81, 0x04, 0x00, 0x21};
OPENSSL_memcpy(out->oid, kOIDP224, sizeof(kOIDP224));
out->oid_len = sizeof(kOIDP224);
ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP224Field),
kP224Field, kP224FieldRR, kP224FieldN0);
ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP224Order),
kP224Order, kP224OrderRR, kP224OrderN0);
#if defined(BORINGSSL_HAS_UINT128) && !defined(OPENSSL_SMALL)
out->meth = EC_GFp_nistp224_method();
OPENSSL_memcpy(out->generator.raw.X.words, kP224GX, sizeof(kP224GX));
OPENSSL_memcpy(out->generator.raw.Y.words, kP224GY, sizeof(kP224GY));
out->generator.raw.Z.words[0] = 1;
OPENSSL_memcpy(out->b.words, kP224B, sizeof(kP224B));
#else
out->meth = EC_GFp_mont_method();
OPENSSL_memcpy(out->generator.raw.X.words, kP224MontGX, sizeof(kP224MontGX));
OPENSSL_memcpy(out->generator.raw.Y.words, kP224MontGY, sizeof(kP224MontGY));
OPENSSL_memcpy(out->generator.raw.Z.words, kP224FieldR, sizeof(kP224FieldR));
OPENSSL_memcpy(out->b.words, kP224MontB, sizeof(kP224MontB));
#endif
out->generator.group = out;
ec_group_set_a_minus3(out);
out->has_order = 1;
out->field_greater_than_order = 1;
}
DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p256) {
out->curve_name = NID_X9_62_prime256v1;
out->comment = "NIST P-256";
// 1.2.840.10045.3.1.7
static const uint8_t kOIDP256[] = {0x2a, 0x86, 0x48, 0xce,
0x3d, 0x03, 0x01, 0x07};
OPENSSL_memcpy(out->oid, kOIDP256, sizeof(kOIDP256));
out->oid_len = sizeof(kOIDP256);
ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP256Field),
kP256Field, kP256FieldRR, kP256FieldN0);
ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP256Order),
kP256Order, kP256OrderRR, kP256OrderN0);
#if !defined(OPENSSL_NO_ASM) && \
(defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
!defined(OPENSSL_SMALL)
out->meth = EC_GFp_nistz256_method();
#else
out->meth = EC_GFp_nistp256_method();
#endif
out->generator.group = out;
OPENSSL_memcpy(out->generator.raw.X.words, kP256MontGX, sizeof(kP256MontGX));
OPENSSL_memcpy(out->generator.raw.Y.words, kP256MontGY, sizeof(kP256MontGY));
OPENSSL_memcpy(out->generator.raw.Z.words, kP256FieldR, sizeof(kP256FieldR));
OPENSSL_memcpy(out->b.words, kP256MontB, sizeof(kP256MontB));
ec_group_set_a_minus3(out);
out->has_order = 1;
out->field_greater_than_order = 1;
}
DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p384) {
out->curve_name = NID_secp384r1;
out->comment = "NIST P-384";
// 1.3.132.0.34
static const uint8_t kOIDP384[] = {0x2b, 0x81, 0x04, 0x00, 0x22};
OPENSSL_memcpy(out->oid, kOIDP384, sizeof(kOIDP384));
out->oid_len = sizeof(kOIDP384);
ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP384Field),
kP384Field, kP384FieldRR, kP384FieldN0);
ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP384Order),
kP384Order, kP384OrderRR, kP384OrderN0);
out->meth = EC_GFp_mont_method();
out->generator.group = out;
OPENSSL_memcpy(out->generator.raw.X.words, kP384MontGX, sizeof(kP384MontGX));
OPENSSL_memcpy(out->generator.raw.Y.words, kP384MontGY, sizeof(kP384MontGY));
OPENSSL_memcpy(out->generator.raw.Z.words, kP384FieldR, sizeof(kP384FieldR));
OPENSSL_memcpy(out->b.words, kP384MontB, sizeof(kP384MontB));
ec_group_set_a_minus3(out);
out->has_order = 1;
out->field_greater_than_order = 1;
}
DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p521) {
out->curve_name = NID_secp521r1;
out->comment = "NIST P-521";
// 1.3.132.0.35
static const uint8_t kOIDP521[] = {0x2b, 0x81, 0x04, 0x00, 0x23};
OPENSSL_memcpy(out->oid, kOIDP521, sizeof(kOIDP521));
out->oid_len = sizeof(kOIDP521);
ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP521Field),
kP521Field, kP521FieldRR, kP521FieldN0);
ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP521Order),
kP521Order, kP521OrderRR, kP521OrderN0);
out->meth = EC_GFp_mont_method();
out->generator.group = out;
OPENSSL_memcpy(out->generator.raw.X.words, kP521MontGX, sizeof(kP521MontGX));
OPENSSL_memcpy(out->generator.raw.Y.words, kP521MontGY, sizeof(kP521MontGY));
OPENSSL_memcpy(out->generator.raw.Z.words, kP521FieldR, sizeof(kP521FieldR));
OPENSSL_memcpy(out->b.words, kP521MontB, sizeof(kP521MontB));
ec_group_set_a_minus3(out);
out->has_order = 1;
out->field_greater_than_order = 1;
}
EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
const BIGNUM *b, BN_CTX *ctx) {
if (BN_num_bytes(p) > EC_MAX_BYTES) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD);
return NULL;
}
BN_CTX *new_ctx = NULL;
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) {
return NULL;
}
}
// Historically, |a| and |b| were not required to be fully reduced.
// TODO(davidben): Can this be removed?
EC_GROUP *ret = NULL;
BN_CTX_start(ctx);
BIGNUM *a_reduced = BN_CTX_get(ctx);
BIGNUM *b_reduced = BN_CTX_get(ctx);
if (a_reduced == NULL || b_reduced == NULL ||
!BN_nnmod(a_reduced, a, p, ctx) ||
!BN_nnmod(b_reduced, b, p, ctx)) {
goto err;
}
ret = OPENSSL_malloc(sizeof(EC_GROUP));
if (ret == NULL) {
return NULL;
}
OPENSSL_memset(ret, 0, sizeof(EC_GROUP));
ret->references = 1;
ret->meth = EC_GFp_mont_method();
bn_mont_ctx_init(&ret->field);
bn_mont_ctx_init(&ret->order);
ret->generator.group = ret;
if (!ec_GFp_simple_group_set_curve(ret, p, a_reduced, b_reduced, ctx)) {
EC_GROUP_free(ret);
ret = NULL;
goto err;
}
err:
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
const BIGNUM *order, const BIGNUM *cofactor) {
if (group->curve_name != NID_undef || group->has_order ||
generator->group != group) {
// |EC_GROUP_set_generator| may only be used with |EC_GROUP|s returned by
// |EC_GROUP_new_curve_GFp| and may only used once on each group.
// |generator| must have been created from |EC_GROUP_new_curve_GFp|, not a
// copy, so that |generator->group->generator| is set correctly.
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (BN_num_bytes(order) > EC_MAX_BYTES) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
return 0;
}
// Require a cofactor of one for custom curves, which implies prime order.
if (!BN_is_one(cofactor)) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COFACTOR);
return 0;
}
// Require that p < 2×order. This simplifies some ECDSA operations.
//
// Note any curve which did not satisfy this must have been invalid or use a
// tiny prime (less than 17). See the proof in |field_element_to_scalar| in
// the ECDSA implementation.
int ret = 0;
BIGNUM *tmp = BN_new();
if (tmp == NULL ||
!BN_lshift1(tmp, order)) {
goto err;
}
if (BN_cmp(tmp, &group->field.N) <= 0) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
goto err;
}
EC_AFFINE affine;
if (!ec_jacobian_to_affine(group, &affine, &generator->raw) ||
!BN_MONT_CTX_set(&group->order, order, NULL)) {
goto err;
}
group->field_greater_than_order = BN_cmp(&group->field.N, order) > 0;
group->generator.raw.X = affine.X;
group->generator.raw.Y = affine.Y;
// |raw.Z| was set to 1 by |EC_GROUP_new_curve_GFp|.
group->has_order = 1;
ret = 1;
err:
BN_free(tmp);
return ret;
}
EC_GROUP *EC_GROUP_new_by_curve_name(int nid) {
switch (nid) {
case NID_secp224r1:
return (EC_GROUP *)EC_group_p224();
case NID_X9_62_prime256v1:
return (EC_GROUP *)EC_group_p256();
case NID_secp384r1:
return (EC_GROUP *)EC_group_p384();
case NID_secp521r1:
return (EC_GROUP *)EC_group_p521();
default:
OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);
return NULL;
}
}
void EC_GROUP_free(EC_GROUP *group) {
if (group == NULL ||
// Built-in curves are static.
group->curve_name != NID_undef ||
!CRYPTO_refcount_dec_and_test_zero(&group->references)) {
return;
}
bn_mont_ctx_cleanup(&group->order);
bn_mont_ctx_cleanup(&group->field);
OPENSSL_free(group);
}
EC_GROUP *EC_GROUP_dup(const EC_GROUP *a) {
if (a == NULL ||
// Built-in curves are static.
a->curve_name != NID_undef) {
return (EC_GROUP *)a;
}
// Groups are logically immutable (but for |EC_GROUP_set_generator| which must
// be called early on), so we simply take a reference.
EC_GROUP *group = (EC_GROUP *)a;
CRYPTO_refcount_inc(&group->references);
return group;
}
int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ignored) {
// Note this function returns 0 if equal and non-zero otherwise.
if (a == b) {
return 0;
}
if (a->curve_name != b->curve_name) {
return 1;
}
if (a->curve_name != NID_undef) {
// Built-in curves may be compared by curve name alone.
return 0;
}
// |a| and |b| are both custom curves. We compare the entire curve
// structure. If |a| or |b| is incomplete (due to legacy OpenSSL mistakes,
// custom curve construction is sadly done in two parts) but otherwise not the
// same object, we consider them always unequal.
return a->meth != b->meth || //
!a->has_order || !b->has_order ||
BN_cmp(&a->order.N, &b->order.N) != 0 ||
BN_cmp(&a->field.N, &b->field.N) != 0 ||
!ec_felem_equal(a, &a->a, &b->a) || //
!ec_felem_equal(a, &a->b, &b->b) ||
!ec_GFp_simple_points_equal(a, &a->generator.raw, &b->generator.raw);
}
const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) {
return group->has_order ? &group->generator : NULL;
}
const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group) {
assert(group->has_order);
return &group->order.N;
}
int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) {
if (BN_copy(order, EC_GROUP_get0_order(group)) == NULL) {
return 0;
}
return 1;
}
int EC_GROUP_order_bits(const EC_GROUP *group) {
return BN_num_bits(&group->order.N);
}
int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor,
BN_CTX *ctx) {
// All |EC_GROUP|s have cofactor 1.
return BN_set_word(cofactor, 1);
}
int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *out_p, BIGNUM *out_a,
BIGNUM *out_b, BN_CTX *ctx) {
return ec_GFp_simple_group_get_curve(group, out_p, out_a, out_b);
}
int EC_GROUP_get_curve_name(const EC_GROUP *group) { return group->curve_name; }
unsigned EC_GROUP_get_degree(const EC_GROUP *group) {
return BN_num_bits(&group->field.N);
}
const char *EC_curve_nid2nist(int nid) {
switch (nid) {
case NID_secp224r1:
return "P-224";
case NID_X9_62_prime256v1:
return "P-256";
case NID_secp384r1:
return "P-384";
case NID_secp521r1:
return "P-521";
}
return NULL;
}
int EC_curve_nist2nid(const char *name) {
if (strcmp(name, "P-224") == 0) {
return NID_secp224r1;
}
if (strcmp(name, "P-256") == 0) {
return NID_X9_62_prime256v1;
}
if (strcmp(name, "P-384") == 0) {
return NID_secp384r1;
}
if (strcmp(name, "P-521") == 0) {
return NID_secp521r1;
}
return NID_undef;
}
EC_POINT *EC_POINT_new(const EC_GROUP *group) {
if (group == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
EC_POINT *ret = OPENSSL_malloc(sizeof *ret);
if (ret == NULL) {
return NULL;
}
ret->group = EC_GROUP_dup(group);
ec_GFp_simple_point_init(&ret->raw);
return ret;
}
static void ec_point_free(EC_POINT *point, int free_group) {
if (!point) {
return;
}
if (free_group) {
EC_GROUP_free(point->group);
}
OPENSSL_free(point);
}
void EC_POINT_free(EC_POINT *point) {
ec_point_free(point, 1 /* free group */);
}
void EC_POINT_clear_free(EC_POINT *point) { EC_POINT_free(point); }
int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src) {
if (EC_GROUP_cmp(dest->group, src->group, NULL) != 0) {
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
if (dest == src) {
return 1;
}
ec_GFp_simple_point_copy(&dest->raw, &src->raw);
return 1;
}
EC_POINT *EC_POINT_dup(const EC_POINT *a, const EC_GROUP *group) {
if (a == NULL) {
return NULL;
}
EC_POINT *ret = EC_POINT_new(group);
if (ret == NULL ||
!EC_POINT_copy(ret, a)) {
EC_POINT_free(ret);
return NULL;
}
return ret;
}
int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point) {
if (EC_GROUP_cmp(group, point->group, NULL) != 0) {
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
ec_GFp_simple_point_set_to_infinity(group, &point->raw);
return 1;
}
int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) {
if (EC_GROUP_cmp(group, point->group, NULL) != 0) {
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
return ec_GFp_simple_is_at_infinity(group, &point->raw);
}
int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
BN_CTX *ctx) {
if (EC_GROUP_cmp(group, point->group, NULL) != 0) {
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
return ec_GFp_simple_is_on_curve(group, &point->raw);
}
int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b,
BN_CTX *ctx) {
if (EC_GROUP_cmp(group, a->group, NULL) != 0 ||
EC_GROUP_cmp(group, b->group, NULL) != 0) {
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
return -1;
}
// Note |EC_POINT_cmp| returns zero for equality and non-zero for inequality.
return ec_GFp_simple_points_equal(group, &a->raw, &b->raw) ? 0 : 1;
}
int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
const EC_POINT *point, BIGNUM *x,
BIGNUM *y, BN_CTX *ctx) {
if (group->meth->point_get_affine_coordinates == 0) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (EC_GROUP_cmp(group, point->group, NULL) != 0) {
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
EC_FELEM x_felem, y_felem;
if (!group->meth->point_get_affine_coordinates(group, &point->raw,
x == NULL ? NULL : &x_felem,
y == NULL ? NULL : &y_felem) ||
(x != NULL && !ec_felem_to_bignum(group, x, &x_felem)) ||
(y != NULL && !ec_felem_to_bignum(group, y, &y_felem))) {
return 0;
}
return 1;
}
int EC_POINT_get_affine_coordinates(const EC_GROUP *group,
const EC_POINT *point, BIGNUM *x, BIGNUM *y,
BN_CTX *ctx) {
return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
}
void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *p) {
out->X = p->X;
out->Y = p->Y;
out->Z = *ec_felem_one(group);
}
int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out,
const EC_JACOBIAN *p) {
return group->meth->point_get_affine_coordinates(group, p, &out->X, &out->Y);
}
int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out,
const EC_JACOBIAN *in, size_t num) {
if (group->meth->jacobian_to_affine_batch == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
return group->meth->jacobian_to_affine_batch(group, out, in, num);
}
int ec_point_set_affine_coordinates(const EC_GROUP *group, EC_AFFINE *out,
const EC_FELEM *x, const EC_FELEM *y) {
void (*const felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,
const EC_FELEM *b) = group->meth->felem_mul;
void (*const felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a) =
group->meth->felem_sqr;
// Check if the point is on the curve.
EC_FELEM lhs, rhs;
felem_sqr(group, &lhs, y); // lhs = y^2
felem_sqr(group, &rhs, x); // rhs = x^2
ec_felem_add(group, &rhs, &rhs, &group->a); // rhs = x^2 + a
felem_mul(group, &rhs, &rhs, x); // rhs = x^3 + ax
ec_felem_add(group, &rhs, &rhs, &group->b); // rhs = x^3 + ax + b
if (!ec_felem_equal(group, &lhs, &rhs)) {
OPENSSL_PUT_ERROR(EC, EC_R_POINT_IS_NOT_ON_CURVE);
// In the event of an error, defend against the caller not checking the
// return value by setting a known safe value. Note this may not be possible
// if the caller is in the process of constructing an arbitrary group and
// the generator is missing.
if (group->has_order) {
out->X = group->generator.raw.X;
out->Y = group->generator.raw.Y;
}
return 0;
}
out->X = *x;
out->Y = *y;
return 1;
}
int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
const BIGNUM *x, const BIGNUM *y,
BN_CTX *ctx) {
if (EC_GROUP_cmp(group, point->group, NULL) != 0) {
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
if (x == NULL || y == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
EC_FELEM x_felem, y_felem;
EC_AFFINE affine;
if (!ec_bignum_to_felem(group, &x_felem, x) ||
!ec_bignum_to_felem(group, &y_felem, y) ||
!ec_point_set_affine_coordinates(group, &affine, &x_felem, &y_felem)) {
// In the event of an error, defend against the caller not checking the
// return value by setting a known safe value.
ec_set_to_safe_point(group, &point->raw);
return 0;
}
ec_affine_to_jacobian(group, &point->raw, &affine);
return 1;
}
int EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
const BIGNUM *x, const BIGNUM *y,
BN_CTX *ctx) {
return EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx);
}
int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
const EC_POINT *b, BN_CTX *ctx) {
if (EC_GROUP_cmp(group, r->group, NULL) != 0 ||
EC_GROUP_cmp(group, a->group, NULL) != 0 ||
EC_GROUP_cmp(group, b->group, NULL) != 0) {
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
group->meth->add(group, &r->raw, &a->raw, &b->raw);
return 1;
}
int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
BN_CTX *ctx) {
if (EC_GROUP_cmp(group, r->group, NULL) != 0 ||
EC_GROUP_cmp(group, a->group, NULL) != 0) {
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
group->meth->dbl(group, &r->raw, &a->raw);
return 1;
}
int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) {
if (EC_GROUP_cmp(group, a->group, NULL) != 0) {
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
ec_GFp_simple_invert(group, &a->raw);
return 1;
}
static int arbitrary_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
const BIGNUM *in, BN_CTX *ctx) {
if (ec_bignum_to_scalar(group, out, in)) {
return 1;
}
ERR_clear_error();
// This is an unusual input, so we do not guarantee constant-time processing.
BN_CTX_start(ctx);
BIGNUM *tmp = BN_CTX_get(ctx);
int ok = tmp != NULL &&
BN_nnmod(tmp, in, EC_GROUP_get0_order(group), ctx) &&
ec_bignum_to_scalar(group, out, tmp);
BN_CTX_end(ctx);
return ok;
}
int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r,
const BIGNUM *g_scalar, const EC_POINT *p,
const BIGNUM *p_scalar, BN_CTX *ctx) {
// Previously, this function set |r| to the point at infinity if there was
// nothing to multiply. But, nobody should be calling this function with
// nothing to multiply in the first place.
if ((g_scalar == NULL && p_scalar == NULL) ||
(p == NULL) != (p_scalar == NULL)) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (EC_GROUP_cmp(group, r->group, NULL) != 0 ||
(p != NULL && EC_GROUP_cmp(group, p->group, NULL) != 0)) {
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
int ret = 0;
BN_CTX *new_ctx = NULL;
if (ctx == NULL) {
new_ctx = BN_CTX_new();
if (new_ctx == NULL) {
goto err;
}
ctx = new_ctx;
}
// If both |g_scalar| and |p_scalar| are non-NULL,
// |ec_point_mul_scalar_public| would share the doublings between the two
// products, which would be more efficient. However, we conservatively assume
// the caller needs a constant-time operation. (ECDSA verification does not
// use this function.)
//
// Previously, the low-level constant-time multiplication function aligned
// with this function's calling convention, but this was misleading. Curves
// which combined the two multiplications did not avoid the doubling case
// in the incomplete addition formula and were not constant-time.
if (g_scalar != NULL) {
EC_SCALAR scalar;
if (!arbitrary_bignum_to_scalar(group, &scalar, g_scalar, ctx) ||
!ec_point_mul_scalar_base(group, &r->raw, &scalar)) {
goto err;
}
}
if (p_scalar != NULL) {
EC_SCALAR scalar;
EC_JACOBIAN tmp;
if (!arbitrary_bignum_to_scalar(group, &scalar, p_scalar, ctx) ||
!ec_point_mul_scalar(group, &tmp, &p->raw, &scalar)) {
goto err;
}
if (g_scalar == NULL) {
OPENSSL_memcpy(&r->raw, &tmp, sizeof(EC_JACOBIAN));
} else {
group->meth->add(group, &r->raw, &r->raw, &tmp);
}
}
ret = 1;
err:
BN_CTX_free(new_ctx);
return ret;
}
int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx) {
boringssl_ensure_ecc_self_test();
return ec_point_mul_no_self_test(group, r, g_scalar, p, p_scalar, ctx);
}
int ec_point_mul_scalar_public(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar, const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar) {
if (g_scalar == NULL || p_scalar == NULL || p == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (group->meth->mul_public == NULL) {
return group->meth->mul_public_batch(group, r, g_scalar, p, p_scalar, 1);
}
group->meth->mul_public(group, r, g_scalar, p, p_scalar);
return 1;
}
int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
const EC_JACOBIAN *points,
const EC_SCALAR *scalars, size_t num) {
if (group->meth->mul_public_batch == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
return group->meth->mul_public_batch(group, r, g_scalar, points, scalars,
num);
}
int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p, const EC_SCALAR *scalar) {
if (p == NULL || scalar == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
group->meth->mul(group, r, p, scalar);
// Check the result is on the curve to defend against fault attacks or bugs.
// This has negligible cost compared to the multiplication.
if (!ec_GFp_simple_is_on_curve(group, r)) {
OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
return 0;
}
return 1;
}
int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar) {
if (scalar == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
group->meth->mul_base(group, r, scalar);
// Check the result is on the curve to defend against fault attacks or bugs.
// This has negligible cost compared to the multiplication. This can only
// happen on bug or CPU fault, so it okay to leak this. The alternative would
// be to proceed with bad data.
if (!constant_time_declassify_int(ec_GFp_simple_is_on_curve(group, r))) {
OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
return 0;
}
return 1;
}
int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
const EC_JACOBIAN *p2,
const EC_SCALAR *scalar2) {
if (group->meth->mul_batch == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
group->meth->mul_batch(group, r, p0, scalar0, p1, scalar1, p2, scalar2);
// Check the result is on the curve to defend against fault attacks or bugs.
// This has negligible cost compared to the multiplication.
if (!ec_GFp_simple_is_on_curve(group, r)) {
OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
return 0;
}
return 1;
}
int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
const EC_JACOBIAN *p) {
if (group->meth->init_precomp == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
return group->meth->init_precomp(group, out, p);
}
int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
const EC_PRECOMP *p2,
const EC_SCALAR *scalar2) {
if (group->meth->mul_precomp == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
group->meth->mul_precomp(group, r, p0, scalar0, p1, scalar1, p2, scalar2);
// Check the result is on the curve to defend against fault attacks or bugs.
// This has negligible cost compared to the multiplication.
if (!ec_GFp_simple_is_on_curve(group, r)) {
OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
return 0;
}
return 1;
}
void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask,
const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
ec_felem_select(group, &out->X, mask, &a->X, &b->X);
ec_felem_select(group, &out->Y, mask, &a->Y, &b->Y);
ec_felem_select(group, &out->Z, mask, &a->Z, &b->Z);
}
void ec_affine_select(const EC_GROUP *group, EC_AFFINE *out, BN_ULONG mask,
const EC_AFFINE *a, const EC_AFFINE *b) {
ec_felem_select(group, &out->X, mask, &a->X, &b->X);
ec_felem_select(group, &out->Y, mask, &a->Y, &b->Y);
}
void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask,
const EC_PRECOMP *a, const EC_PRECOMP *b) {
static_assert(sizeof(out->comb) == sizeof(*out),
"out->comb does not span the entire structure");
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(out->comb); i++) {
ec_affine_select(group, &out->comb[i], mask, &a->comb[i], &b->comb[i]);
}
}
int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
const EC_SCALAR *r) {
return group->meth->cmp_x_coordinate(group, p, r);
}
int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
const EC_JACOBIAN *p) {
uint8_t bytes[EC_MAX_BYTES];
size_t len;
if (!ec_get_x_coordinate_as_bytes(group, bytes, &len, sizeof(bytes), p)) {
return 0;
}
// The x-coordinate is bounded by p, but we need a scalar, bounded by the
// order. These may not have the same size. However, we must have p < 2×order,
// assuming p is not tiny (p >= 17).
//
// Thus |bytes| will fit in |order.width + 1| words, and we can reduce by
// performing at most one subtraction.
//
// Proof: We only work with prime order curves, so the number of points on
// the curve is the order. Thus Hasse's theorem gives:
//
// |order - (p + 1)| <= 2×sqrt(p)
// p + 1 - order <= 2×sqrt(p)
// p + 1 - 2×sqrt(p) <= order
// p + 1 - 2×(p/4) < order (p/4 > sqrt(p) for p >= 17)
// p/2 < p/2 + 1 < order
// p < 2×order
//
// Additionally, one can manually check this property for built-in curves. It
// is enforced for legacy custom curves in |EC_GROUP_set_generator|.
const BIGNUM *order = EC_GROUP_get0_order(group);
BN_ULONG words[EC_MAX_WORDS + 1] = {0};
bn_big_endian_to_words(words, order->width + 1, bytes, len);
bn_reduce_once(out->words, words, /*carry=*/words[order->width], order->d,
order->width);
return 1;
}
int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out,
size_t *out_len, size_t max_out,
const EC_JACOBIAN *p) {
size_t len = BN_num_bytes(&group->field.N);
assert(len <= EC_MAX_BYTES);
if (max_out < len) {
OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);
return 0;
}
EC_FELEM x;
if (!group->meth->point_get_affine_coordinates(group, p, &x, NULL)) {
return 0;
}
ec_felem_to_bytes(group, out, out_len, &x);
*out_len = len;
return 1;
}
void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out) {
if (group->has_order) {
ec_GFp_simple_point_copy(out, &group->generator.raw);
} else {
// The generator can be missing if the caller is in the process of
// constructing an arbitrary group. In this case, we give up and use the
// point at infinity.
ec_GFp_simple_point_set_to_infinity(group, out);
}
}
void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) {}
int EC_GROUP_get_asn1_flag(const EC_GROUP *group) {
return OPENSSL_EC_NAMED_CURVE;
}
const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group) {
// This function exists purely to give callers a way to call
// |EC_METHOD_get_field_type|. cryptography.io crashes if |EC_GROUP_method_of|
// returns NULL, so return some other garbage pointer.
return (const EC_METHOD *)0x12340000;
}
int EC_METHOD_get_field_type(const EC_METHOD *meth) {
return NID_X9_62_prime_field;
}
void EC_GROUP_set_point_conversion_form(EC_GROUP *group,
point_conversion_form_t form) {
if (form != POINT_CONVERSION_UNCOMPRESSED) {
abort();
}
}