/src/boringssl/crypto/fipsmodule/ec/oct.cc.inc
Line | Count | Source |
1 | | // Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. |
2 | | // Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved. |
3 | | // |
4 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
5 | | // you may not use this file except in compliance with the License. |
6 | | // You may obtain a copy of the License at |
7 | | // |
8 | | // https://www.apache.org/licenses/LICENSE-2.0 |
9 | | // |
10 | | // Unless required by applicable law or agreed to in writing, software |
11 | | // distributed under the License is distributed on an "AS IS" BASIS, |
12 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
13 | | // See the License for the specific language governing permissions and |
14 | | // limitations under the License. |
15 | | |
16 | | #include <openssl/ec.h> |
17 | | |
18 | | #include <openssl/bn.h> |
19 | | #include <openssl/err.h> |
20 | | |
21 | | #include "internal.h" |
22 | | |
23 | | |
24 | | using namespace bssl; |
25 | | |
26 | | size_t bssl::ec_point_byte_len(const EC_GROUP *group, |
27 | 39.7k | point_conversion_form_t form) { |
28 | 39.7k | if (form != POINT_CONVERSION_COMPRESSED && |
29 | 39.7k | form != POINT_CONVERSION_UNCOMPRESSED) { |
30 | 0 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FORM); |
31 | 0 | return 0; |
32 | 0 | } |
33 | | |
34 | 39.7k | const size_t field_len = BN_num_bytes(&group->field.N); |
35 | 39.7k | size_t output_len = 1 /* type byte */ + field_len; |
36 | 39.7k | if (form == POINT_CONVERSION_UNCOMPRESSED) { |
37 | | // Uncompressed points have a second coordinate. |
38 | 39.7k | output_len += field_len; |
39 | 39.7k | } |
40 | 39.7k | return output_len; |
41 | 39.7k | } |
42 | | |
43 | | size_t bssl::ec_point_to_bytes(const EC_GROUP *group, const EC_AFFINE *point, |
44 | | point_conversion_form_t form, uint8_t *buf, |
45 | 19.8k | size_t max_out) { |
46 | 19.8k | size_t output_len = ec_point_byte_len(group, form); |
47 | 19.8k | if (max_out < output_len) { |
48 | 0 | OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL); |
49 | 0 | return 0; |
50 | 0 | } |
51 | | |
52 | 19.8k | size_t field_len; |
53 | 19.8k | ec_felem_to_bytes(group, buf + 1, &field_len, &point->X); |
54 | 19.8k | assert(field_len == BN_num_bytes(&group->field.N)); |
55 | | |
56 | 19.8k | if (form == POINT_CONVERSION_UNCOMPRESSED) { |
57 | 19.8k | ec_felem_to_bytes(group, buf + 1 + field_len, &field_len, &point->Y); |
58 | 19.8k | assert(field_len == BN_num_bytes(&group->field.N)); |
59 | 19.8k | buf[0] = form; |
60 | 19.8k | } else { |
61 | 3 | uint8_t y_buf[EC_MAX_BYTES]; |
62 | 3 | ec_felem_to_bytes(group, y_buf, &field_len, &point->Y); |
63 | 3 | buf[0] = form + (y_buf[field_len - 1] & 1); |
64 | 3 | } |
65 | | |
66 | 19.8k | return output_len; |
67 | 19.8k | } |
68 | | |
69 | | int bssl::ec_point_from_uncompressed(const EC_GROUP *group, EC_AFFINE *out, |
70 | 58.5k | const uint8_t *in, size_t len) { |
71 | 58.5k | const size_t field_len = BN_num_bytes(&group->field.N); |
72 | 58.5k | if (len != 1 + 2 * field_len || in[0] != POINT_CONVERSION_UNCOMPRESSED) { |
73 | 149 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_ENCODING); |
74 | 149 | return 0; |
75 | 149 | } |
76 | | |
77 | 58.4k | EC_FELEM x, y; |
78 | 58.4k | if (!ec_felem_from_bytes(group, &x, in + 1, field_len) || |
79 | 58.3k | !ec_felem_from_bytes(group, &y, in + 1 + field_len, field_len) || |
80 | 58.1k | !ec_point_set_affine_coordinates(group, out, &x, &y)) { |
81 | 14.4k | return 0; |
82 | 14.4k | } |
83 | | |
84 | 43.9k | return 1; |
85 | 58.4k | } |
86 | | |
87 | | static int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, |
88 | | const uint8_t *buf, size_t len, |
89 | 63.2k | BN_CTX *ctx) { |
90 | 63.2k | if (len == 0) { |
91 | 9 | OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL); |
92 | 9 | return 0; |
93 | 9 | } |
94 | | |
95 | 63.2k | uint8_t form = buf[0]; |
96 | 63.2k | if (form == static_cast<uint8_t>(POINT_CONVERSION_UNCOMPRESSED)) { |
97 | 58.5k | EC_AFFINE affine; |
98 | 58.5k | if (!ec_point_from_uncompressed(group, &affine, buf, len)) { |
99 | | // In the event of an error, defend against the caller not checking the |
100 | | // return value by setting a known safe value. |
101 | 14.6k | ec_set_to_safe_point(group, &point->raw); |
102 | 14.6k | return 0; |
103 | 14.6k | } |
104 | 43.9k | ec_affine_to_jacobian(group, &point->raw, &affine); |
105 | 43.9k | return 1; |
106 | 58.5k | } |
107 | | |
108 | 4.64k | const int y_bit = form & 1; |
109 | 4.64k | const size_t field_len = BN_num_bytes(&group->field.N); |
110 | 4.64k | form = form & ~1u; |
111 | 4.64k | if (form != static_cast<uint8_t>(POINT_CONVERSION_COMPRESSED) || |
112 | 3.90k | len != 1 /* type byte */ + field_len) { |
113 | 904 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_ENCODING); |
114 | 904 | return 0; |
115 | 904 | } |
116 | | |
117 | | // TODO(davidben): Integrate compressed coordinates with the lower-level EC |
118 | | // abstractions. This requires a way to compute square roots, which is tricky |
119 | | // for primes which are not 3 (mod 4), namely P-224 and custom curves. P-224's |
120 | | // prime is particularly inconvenient for compressed coordinates. See |
121 | | // https://cr.yp.to/papers/sqroot.pdf |
122 | 3.73k | UniquePtr<BN_CTX> new_ctx; |
123 | 3.73k | if (ctx == nullptr) { |
124 | 3.73k | new_ctx.reset(BN_CTX_new()); |
125 | 3.73k | if (new_ctx == nullptr) { |
126 | 0 | return 0; |
127 | 0 | } |
128 | 3.73k | ctx = new_ctx.get(); |
129 | 3.73k | } |
130 | | |
131 | 3.73k | BN_CTXScope scope(ctx); |
132 | 3.73k | BIGNUM *x = BN_CTX_get(ctx); |
133 | 3.73k | if (x == nullptr || !BN_bin2bn(buf + 1, field_len, x)) { |
134 | 0 | return 0; |
135 | 0 | } |
136 | 3.73k | if (BN_ucmp(x, &group->field.N) >= 0) { |
137 | 18 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_ENCODING); |
138 | 18 | return 0; |
139 | 18 | } |
140 | | |
141 | 3.71k | if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) { |
142 | 824 | return 0; |
143 | 824 | } |
144 | | |
145 | 2.89k | return 1; |
146 | 3.71k | } |
147 | | |
148 | | int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point, |
149 | 63.2k | const uint8_t *buf, size_t len, BN_CTX *ctx) { |
150 | 63.2k | if (EC_GROUP_cmp(group, point->group, nullptr) != 0) { |
151 | 0 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
152 | 0 | return 0; |
153 | 0 | } |
154 | 63.2k | return ec_GFp_simple_oct2point(group, point, buf, len, ctx); |
155 | 63.2k | } |
156 | | |
157 | | size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, |
158 | | point_conversion_form_t form, uint8_t *buf, |
159 | 39.7k | size_t max_out, BN_CTX *ctx) { |
160 | 39.7k | if (EC_GROUP_cmp(group, point->group, nullptr) != 0) { |
161 | 0 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
162 | 0 | return 0; |
163 | 0 | } |
164 | 39.7k | if (buf == nullptr) { |
165 | | // When |buf| is NULL, just return the number of bytes that would be |
166 | | // written, without doing an expensive Jacobian-to-affine conversion. |
167 | 19.8k | if (ec_GFp_simple_is_at_infinity(group, &point->raw)) { |
168 | 0 | OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY); |
169 | 0 | return 0; |
170 | 0 | } |
171 | 19.8k | return ec_point_byte_len(group, form); |
172 | 19.8k | } |
173 | 19.8k | EC_AFFINE affine; |
174 | 19.8k | if (!ec_jacobian_to_affine(group, &affine, &point->raw)) { |
175 | 0 | return 0; |
176 | 0 | } |
177 | 19.8k | return ec_point_to_bytes(group, &affine, form, buf, max_out); |
178 | 19.8k | } |
179 | | |
180 | | size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point, |
181 | | point_conversion_form_t form, uint8_t **out_buf, |
182 | 1.92k | BN_CTX *ctx) { |
183 | 1.92k | *out_buf = nullptr; |
184 | 1.92k | size_t len = EC_POINT_point2oct(group, point, form, nullptr, 0, ctx); |
185 | 1.92k | if (len == 0) { |
186 | 0 | return 0; |
187 | 0 | } |
188 | 1.92k | uint8_t *buf = reinterpret_cast<uint8_t *>(OPENSSL_malloc(len)); |
189 | 1.92k | if (buf == nullptr) { |
190 | 0 | return 0; |
191 | 0 | } |
192 | 1.92k | len = EC_POINT_point2oct(group, point, form, buf, len, ctx); |
193 | 1.92k | if (len == 0) { |
194 | 0 | OPENSSL_free(buf); |
195 | 0 | return 0; |
196 | 0 | } |
197 | 1.92k | *out_buf = buf; |
198 | 1.92k | return len; |
199 | 1.92k | } |
200 | | |
201 | | int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, |
202 | | EC_POINT *point, const BIGNUM *x, |
203 | 3.71k | int y_bit, BN_CTX *ctx) { |
204 | 3.71k | if (EC_GROUP_cmp(group, point->group, nullptr) != 0) { |
205 | 0 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
206 | 0 | return 0; |
207 | 0 | } |
208 | | |
209 | 3.71k | const BIGNUM *field = &group->field.N; |
210 | 3.71k | if (BN_is_negative(x) || BN_cmp(x, field) >= 0) { |
211 | 0 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSED_POINT); |
212 | 0 | return 0; |
213 | 0 | } |
214 | | |
215 | 3.71k | ERR_clear_error(); |
216 | | |
217 | 3.71k | UniquePtr<BN_CTX> new_ctx; |
218 | 3.71k | if (ctx == nullptr) { |
219 | 0 | new_ctx.reset(BN_CTX_new()); |
220 | 0 | if (new_ctx == nullptr) { |
221 | 0 | return 0; |
222 | 0 | } |
223 | 0 | ctx = new_ctx.get(); |
224 | 0 | } |
225 | | |
226 | 3.71k | y_bit = (y_bit != 0); |
227 | | |
228 | 3.71k | BN_CTXScope scope(ctx); |
229 | 3.71k | BIGNUM *tmp1 = BN_CTX_get(ctx); |
230 | 3.71k | BIGNUM *tmp2 = BN_CTX_get(ctx); |
231 | 3.71k | BIGNUM *a = BN_CTX_get(ctx); |
232 | 3.71k | BIGNUM *b = BN_CTX_get(ctx); |
233 | 3.71k | BIGNUM *y = BN_CTX_get(ctx); |
234 | 3.71k | if (y == nullptr || !EC_GROUP_get_curve_GFp(group, nullptr, a, b, ctx)) { |
235 | 0 | return 0; |
236 | 0 | } |
237 | | |
238 | | // Recover y. We have a Weierstrass equation |
239 | | // y^2 = x^3 + a*x + b, |
240 | | // so y is one of the square roots of x^3 + a*x + b. |
241 | | |
242 | | // tmp1 := x^3 |
243 | 3.71k | if (!BN_mod_sqr(tmp2, x, field, ctx) || |
244 | 3.71k | !BN_mod_mul(tmp1, tmp2, x, field, ctx)) { |
245 | 0 | return 0; |
246 | 0 | } |
247 | | |
248 | | // tmp1 := tmp1 + a*x |
249 | 3.71k | if (group->a_is_minus3) { |
250 | 3.71k | if (!bn_mod_lshift1_consttime(tmp2, x, field, ctx) || |
251 | 3.71k | !bn_mod_add_consttime(tmp2, tmp2, x, field, ctx) || |
252 | 3.71k | !bn_mod_sub_consttime(tmp1, tmp1, tmp2, field, ctx)) { |
253 | 0 | return 0; |
254 | 0 | } |
255 | 3.71k | } else { |
256 | 0 | if (!BN_mod_mul(tmp2, a, x, field, ctx) || |
257 | 0 | !bn_mod_add_consttime(tmp1, tmp1, tmp2, field, ctx)) { |
258 | 0 | return 0; |
259 | 0 | } |
260 | 0 | } |
261 | | |
262 | | // tmp1 := tmp1 + b |
263 | 3.71k | if (!bn_mod_add_consttime(tmp1, tmp1, b, field, ctx)) { |
264 | 0 | return 0; |
265 | 0 | } |
266 | | |
267 | 3.71k | if (!BN_mod_sqrt(y, tmp1, field, ctx)) { |
268 | 824 | if (ERR_equals(ERR_peek_last_error(), ERR_LIB_BN, BN_R_NOT_A_SQUARE)) { |
269 | 824 | ERR_clear_error(); |
270 | 824 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSED_POINT); |
271 | 824 | } else { |
272 | 0 | OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB); |
273 | 0 | } |
274 | 824 | return 0; |
275 | 824 | } |
276 | | |
277 | 2.89k | if (y_bit != BN_is_odd(y)) { |
278 | 1.77k | if (BN_is_zero(y)) { |
279 | 0 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSION_BIT); |
280 | 0 | return 0; |
281 | 0 | } |
282 | 1.77k | if (!BN_usub(y, field, y)) { |
283 | 0 | return 0; |
284 | 0 | } |
285 | 1.77k | } |
286 | 2.89k | if (y_bit != BN_is_odd(y)) { |
287 | 0 | OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR); |
288 | 0 | return 0; |
289 | 0 | } |
290 | | |
291 | 2.89k | if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) { |
292 | 0 | return 0; |
293 | 0 | } |
294 | | |
295 | 2.89k | return 1; |
296 | 2.89k | } |