/src/boringssl/crypto/fipsmodule/ec/scalar.cc.inc
Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright 2018 The BoringSSL Authors |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #include <openssl/ec.h> |
16 | | #include <openssl/err.h> |
17 | | #include <openssl/mem.h> |
18 | | |
19 | | #include "../../internal.h" |
20 | | #include "../bn/internal.h" |
21 | | #include "internal.h" |
22 | | |
23 | | |
24 | | int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, |
25 | 70.5k | const BIGNUM *in) { |
26 | | // Scalars, which are often secret, must be reduced modulo the order. Those |
27 | | // that are not will be discarded, so leaking the result of the comparison is |
28 | | // safe. |
29 | 70.5k | if (!bn_copy_words(out->words, group->order.N.width, in) || |
30 | 70.5k | !constant_time_declassify_int(bn_less_than_words( |
31 | 69.6k | out->words, group->order.N.d, group->order.N.width))) { |
32 | 889 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR); |
33 | 889 | return 0; |
34 | 889 | } |
35 | 69.6k | return 1; |
36 | 70.5k | } |
37 | | |
38 | | int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a, |
39 | 260 | const EC_SCALAR *b) { |
40 | 260 | return OPENSSL_memcmp(a->words, b->words, |
41 | 260 | group->order.N.width * sizeof(BN_ULONG)) == 0; |
42 | 260 | } |
43 | | |
44 | 17.3k | int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) { |
45 | 17.3k | BN_ULONG mask = 0; |
46 | 94.2k | for (int i = 0; i < group->order.N.width; i++) { |
47 | 76.9k | mask |= a->words[i]; |
48 | 76.9k | } |
49 | 17.3k | return mask == 0; |
50 | 17.3k | } |
51 | | |
52 | | int ec_random_scalar(const EC_GROUP *group, EC_SCALAR *out, |
53 | 0 | const uint8_t additional_data[32]) { |
54 | 0 | return bn_rand_range_words(out->words, 0, group->order.N.d, |
55 | 0 | group->order.N.width, additional_data); |
56 | 0 | } |
57 | | |
58 | | int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out, |
59 | 107 | const uint8_t additional_data[32]) { |
60 | 107 | return bn_rand_range_words(out->words, 1, group->order.N.d, |
61 | 107 | group->order.N.width, additional_data); |
62 | 107 | } |
63 | | |
64 | | void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len, |
65 | 214 | const EC_SCALAR *in) { |
66 | 214 | size_t len = BN_num_bytes(&group->order.N); |
67 | 214 | bn_words_to_big_endian(out, len, in->words, group->order.N.width); |
68 | 214 | *out_len = len; |
69 | 214 | } |
70 | | |
71 | | int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out, |
72 | 13.1k | const uint8_t *in, size_t len) { |
73 | 13.1k | if (len != BN_num_bytes(&group->order.N)) { |
74 | 0 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR); |
75 | 0 | return 0; |
76 | 0 | } |
77 | | |
78 | 13.1k | bn_big_endian_to_words(out->words, group->order.N.width, in, len); |
79 | | |
80 | 13.1k | if (!bn_less_than_words(out->words, group->order.N.d, group->order.N.width)) { |
81 | 233 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR); |
82 | 233 | return 0; |
83 | 233 | } |
84 | | |
85 | 12.8k | return 1; |
86 | 13.1k | } |
87 | | |
88 | | void ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out, |
89 | 0 | const BN_ULONG *words, size_t num) { |
90 | | // Convert "from" Montgomery form so the value is reduced modulo the order. |
91 | 0 | bn_from_montgomery_small(out->words, group->order.N.width, words, num, |
92 | 0 | &group->order); |
93 | | // Convert "to" Montgomery form to remove the R^-1 factor added. |
94 | 0 | ec_scalar_to_montgomery(group, out, out); |
95 | 0 | } |
96 | | |
97 | | void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, |
98 | 107 | const EC_SCALAR *b) { |
99 | 107 | const BIGNUM *order = &group->order.N; |
100 | 107 | BN_ULONG tmp[EC_MAX_WORDS]; |
101 | 107 | bn_mod_add_words(r->words, a->words, b->words, order->d, tmp, order->width); |
102 | 107 | OPENSSL_cleanse(tmp, sizeof(tmp)); |
103 | 107 | } |
104 | | |
105 | | void ec_scalar_sub(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, |
106 | 0 | const EC_SCALAR *b) { |
107 | 0 | const BIGNUM *order = &group->order.N; |
108 | 0 | BN_ULONG tmp[EC_MAX_WORDS]; |
109 | 0 | bn_mod_sub_words(r->words, a->words, b->words, order->d, tmp, order->width); |
110 | 0 | OPENSSL_cleanse(tmp, sizeof(tmp)); |
111 | 0 | } |
112 | | |
113 | 0 | void ec_scalar_neg(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a) { |
114 | 0 | EC_SCALAR zero; |
115 | 0 | OPENSSL_memset(&zero, 0, sizeof(EC_SCALAR)); |
116 | 0 | ec_scalar_sub(group, r, &zero, a); |
117 | 0 | } |
118 | | |
119 | | void ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask, |
120 | 0 | const EC_SCALAR *a, const EC_SCALAR *b) { |
121 | 0 | const BIGNUM *order = &group->order.N; |
122 | 0 | bn_select_words(out->words, mask, a->words, b->words, order->width); |
123 | 0 | } |
124 | | |
125 | | void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r, |
126 | 5.38k | const EC_SCALAR *a) { |
127 | 5.38k | const BIGNUM *order = &group->order.N; |
128 | 5.38k | bn_to_montgomery_small(r->words, a->words, order->width, &group->order); |
129 | 5.38k | } |
130 | | |
131 | | void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r, |
132 | 1.20k | const EC_SCALAR *a) { |
133 | 1.20k | const BIGNUM *order = &group->order.N; |
134 | 1.20k | bn_from_montgomery_small(r->words, order->width, a->words, order->width, |
135 | 1.20k | &group->order); |
136 | 1.20k | } |
137 | | |
138 | | void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r, |
139 | 12.9k | const EC_SCALAR *a, const EC_SCALAR *b) { |
140 | 12.9k | const BIGNUM *order = &group->order.N; |
141 | 12.9k | bn_mod_mul_montgomery_small(r->words, a->words, b->words, order->width, |
142 | 12.9k | &group->order); |
143 | 12.9k | } |
144 | | |
145 | | void ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r, |
146 | 1.10k | const EC_SCALAR *a) { |
147 | 1.10k | const BIGNUM *order = &group->order.N; |
148 | 1.10k | bn_mod_inverse0_prime_mont_small(r->words, a->words, order->width, |
149 | 1.10k | &group->order); |
150 | 1.10k | } |
151 | | |
152 | | int ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, |
153 | | EC_SCALAR *r, |
154 | 1.10k | const EC_SCALAR *a) { |
155 | 1.10k | if (ec_scalar_is_zero(group, a)) { |
156 | 0 | return 0; |
157 | 0 | } |
158 | | |
159 | | // This implementation (in fact) runs in constant time, |
160 | | // even though for this interface it is not mandatory. |
161 | | |
162 | | // r = a^-1 in the Montgomery domain. This is |
163 | | // |ec_scalar_to_montgomery| followed by |ec_scalar_inv0_montgomery|, but |
164 | | // |ec_scalar_inv0_montgomery| followed by |ec_scalar_from_montgomery| is |
165 | | // equivalent and slightly more efficient. |
166 | 1.10k | ec_scalar_inv0_montgomery(group, r, a); |
167 | 1.10k | ec_scalar_from_montgomery(group, r, r); |
168 | 1.10k | return 1; |
169 | 1.10k | } |
170 | | |
171 | | void ec_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r, |
172 | 1.20k | const EC_SCALAR *a) { |
173 | 1.20k | group->meth->scalar_inv0_montgomery(group, r, a); |
174 | 1.20k | } |
175 | | |
176 | | int ec_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, EC_SCALAR *r, |
177 | 6.37k | const EC_SCALAR *a) { |
178 | 6.37k | return group->meth->scalar_to_montgomery_inv_vartime(group, r, a); |
179 | 6.37k | } |