/src/boringssl/crypto/fipsmodule/ec/scalar.c.inc
Line | Count | Source (jump to first uncovered line) |
1 | | /* Copyright (c) 2018, Google Inc. |
2 | | * |
3 | | * Permission to use, copy, modify, and/or distribute this software for any |
4 | | * purpose with or without fee is hereby granted, provided that the above |
5 | | * copyright notice and this permission notice appear in all copies. |
6 | | * |
7 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
8 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
9 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
10 | | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
11 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
12 | | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
13 | | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
14 | | |
15 | | #include <openssl/ec.h> |
16 | | #include <openssl/err.h> |
17 | | #include <openssl/mem.h> |
18 | | |
19 | | #include "internal.h" |
20 | | #include "../bn/internal.h" |
21 | | #include "../../internal.h" |
22 | | |
23 | | |
24 | | int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, |
25 | 154 | const BIGNUM *in) { |
26 | | // Scalars, which are often secret, must be reduced modulo the order. Those |
27 | | // that are not will be discarded, so leaking the result of the comparison is |
28 | | // safe. |
29 | 154 | if (!bn_copy_words(out->words, group->order.N.width, in) || |
30 | 154 | !constant_time_declassify_int(bn_less_than_words( |
31 | 123 | out->words, group->order.N.d, group->order.N.width))) { |
32 | 33 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR); |
33 | 33 | return 0; |
34 | 33 | } |
35 | 121 | return 1; |
36 | 154 | } |
37 | | |
38 | | int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a, |
39 | 0 | const EC_SCALAR *b) { |
40 | 0 | return OPENSSL_memcmp(a->words, b->words, |
41 | 0 | group->order.N.width * sizeof(BN_ULONG)) == 0; |
42 | 0 | } |
43 | | |
44 | 72 | int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) { |
45 | 72 | BN_ULONG mask = 0; |
46 | 448 | for (int i = 0; i < group->order.N.width; i++) { |
47 | 376 | mask |= a->words[i]; |
48 | 376 | } |
49 | 72 | return mask == 0; |
50 | 72 | } |
51 | | |
52 | | int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out, |
53 | 6 | const uint8_t additional_data[32]) { |
54 | 6 | return bn_rand_range_words(out->words, 1, group->order.N.d, |
55 | 6 | group->order.N.width, additional_data); |
56 | 6 | } |
57 | | |
58 | | void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len, |
59 | 0 | const EC_SCALAR *in) { |
60 | 0 | size_t len = BN_num_bytes(&group->order.N); |
61 | 0 | bn_words_to_big_endian(out, len, in->words, group->order.N.width); |
62 | 0 | *out_len = len; |
63 | 0 | } |
64 | | |
65 | | int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out, |
66 | 26 | const uint8_t *in, size_t len) { |
67 | 26 | if (len != BN_num_bytes(&group->order.N)) { |
68 | 0 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR); |
69 | 0 | return 0; |
70 | 0 | } |
71 | | |
72 | 26 | bn_big_endian_to_words(out->words, group->order.N.width, in, len); |
73 | | |
74 | 26 | if (!bn_less_than_words(out->words, group->order.N.d, group->order.N.width)) { |
75 | 0 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR); |
76 | 0 | return 0; |
77 | 0 | } |
78 | | |
79 | 26 | return 1; |
80 | 26 | } |
81 | | |
82 | | void ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out, |
83 | 0 | const BN_ULONG *words, size_t num) { |
84 | | // Convert "from" Montgomery form so the value is reduced modulo the order. |
85 | 0 | bn_from_montgomery_small(out->words, group->order.N.width, words, num, |
86 | 0 | &group->order); |
87 | | // Convert "to" Montgomery form to remove the R^-1 factor added. |
88 | 0 | ec_scalar_to_montgomery(group, out, out); |
89 | 0 | } |
90 | | |
91 | | void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, |
92 | 0 | const EC_SCALAR *b) { |
93 | 0 | const BIGNUM *order = &group->order.N; |
94 | 0 | BN_ULONG tmp[EC_MAX_WORDS]; |
95 | 0 | bn_mod_add_words(r->words, a->words, b->words, order->d, tmp, order->width); |
96 | 0 | OPENSSL_cleanse(tmp, sizeof(tmp)); |
97 | 0 | } |
98 | | |
99 | | void ec_scalar_sub(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, |
100 | 0 | const EC_SCALAR *b) { |
101 | 0 | const BIGNUM *order = &group->order.N; |
102 | 0 | BN_ULONG tmp[EC_MAX_WORDS]; |
103 | 0 | bn_mod_sub_words(r->words, a->words, b->words, order->d, tmp, order->width); |
104 | 0 | OPENSSL_cleanse(tmp, sizeof(tmp)); |
105 | 0 | } |
106 | | |
107 | 0 | void ec_scalar_neg(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a) { |
108 | 0 | EC_SCALAR zero; |
109 | 0 | OPENSSL_memset(&zero, 0, sizeof(EC_SCALAR)); |
110 | 0 | ec_scalar_sub(group, r, &zero, a); |
111 | 0 | } |
112 | | |
113 | | void ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask, |
114 | 0 | const EC_SCALAR *a, const EC_SCALAR *b) { |
115 | 0 | const BIGNUM *order = &group->order.N; |
116 | 0 | bn_select_words(out->words, mask, a->words, b->words, order->width); |
117 | 0 | } |
118 | | |
119 | | void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r, |
120 | 9 | const EC_SCALAR *a) { |
121 | 9 | const BIGNUM *order = &group->order.N; |
122 | 9 | bn_to_montgomery_small(r->words, a->words, order->width, &group->order); |
123 | 9 | } |
124 | | |
125 | | void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r, |
126 | 4 | const EC_SCALAR *a) { |
127 | 4 | const BIGNUM *order = &group->order.N; |
128 | 4 | bn_from_montgomery_small(r->words, order->width, a->words, order->width, |
129 | 4 | &group->order); |
130 | 4 | } |
131 | | |
132 | | void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r, |
133 | 26 | const EC_SCALAR *a, const EC_SCALAR *b) { |
134 | 26 | const BIGNUM *order = &group->order.N; |
135 | 26 | bn_mod_mul_montgomery_small(r->words, a->words, b->words, order->width, |
136 | 26 | &group->order); |
137 | 26 | } |
138 | | |
139 | | void ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r, |
140 | 4 | const EC_SCALAR *a) { |
141 | 4 | const BIGNUM *order = &group->order.N; |
142 | 4 | bn_mod_inverse0_prime_mont_small(r->words, a->words, order->width, |
143 | 4 | &group->order); |
144 | 4 | } |
145 | | |
146 | | int ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, |
147 | | EC_SCALAR *r, |
148 | 4 | const EC_SCALAR *a) { |
149 | 4 | if (ec_scalar_is_zero(group, a)) { |
150 | 0 | return 0; |
151 | 0 | } |
152 | | |
153 | | // This implementation (in fact) runs in constant time, |
154 | | // even though for this interface it is not mandatory. |
155 | | |
156 | | // r = a^-1 in the Montgomery domain. This is |
157 | | // |ec_scalar_to_montgomery| followed by |ec_scalar_inv0_montgomery|, but |
158 | | // |ec_scalar_inv0_montgomery| followed by |ec_scalar_from_montgomery| is |
159 | | // equivalent and slightly more efficient. |
160 | 4 | ec_scalar_inv0_montgomery(group, r, a); |
161 | 4 | ec_scalar_from_montgomery(group, r, r); |
162 | 4 | return 1; |
163 | 4 | } |
164 | | |
165 | | void ec_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r, |
166 | 4 | const EC_SCALAR *a) { |
167 | 4 | group->meth->scalar_inv0_montgomery(group, r, a); |
168 | 4 | } |
169 | | |
170 | | int ec_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, EC_SCALAR *r, |
171 | 13 | const EC_SCALAR *a) { |
172 | 13 | return group->meth->scalar_to_montgomery_inv_vartime(group, r, a); |
173 | 13 | } |