/src/openssl/crypto/ec/ec_local.h
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved |
4 | | * |
5 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
6 | | * this file except in compliance with the License. You can obtain a copy |
7 | | * in the file LICENSE in the source distribution or at |
8 | | * https://www.openssl.org/source/license.html |
9 | | */ |
10 | | |
11 | | #include <stdlib.h> |
12 | | |
13 | | #include <openssl/obj_mac.h> |
14 | | #include <openssl/ec.h> |
15 | | #include <openssl/bn.h> |
16 | | #include "internal/refcount.h" |
17 | | #include "crypto/ec.h" |
18 | | |
19 | | #if defined(__SUNPRO_C) |
20 | | # if __SUNPRO_C >= 0x520 |
21 | | # pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE) |
22 | | # endif |
23 | | #endif |
24 | | |
25 | | /* Use default functions for poin2oct, oct2point and compressed coordinates */ |
26 | 11.1k | #define EC_FLAGS_DEFAULT_OCT 0x1 |
27 | | |
28 | | /* Use custom formats for EC_GROUP, EC_POINT and EC_KEY */ |
29 | 6.85k | #define EC_FLAGS_CUSTOM_CURVE 0x2 |
30 | | |
31 | | /* Curve does not support signing operations */ |
32 | 0 | #define EC_FLAGS_NO_SIGN 0x4 |
33 | | |
34 | | #ifdef OPENSSL_NO_DEPRECATED_3_0 |
35 | | typedef struct ec_method_st EC_METHOD; |
36 | | #endif |
37 | | |
38 | | /* |
39 | | * Structure details are not part of the exported interface, so all this may |
40 | | * change in future versions. |
41 | | */ |
42 | | |
43 | | struct ec_method_st { |
44 | | /* Various method flags */ |
45 | | int flags; |
46 | | /* used by EC_METHOD_get_field_type: */ |
47 | | int field_type; /* a NID */ |
48 | | /* |
49 | | * used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, |
50 | | * EC_GROUP_copy: |
51 | | */ |
52 | | int (*group_init) (EC_GROUP *); |
53 | | void (*group_finish) (EC_GROUP *); |
54 | | void (*group_clear_finish) (EC_GROUP *); |
55 | | int (*group_copy) (EC_GROUP *, const EC_GROUP *); |
56 | | /* used by EC_GROUP_set_curve, EC_GROUP_get_curve: */ |
57 | | int (*group_set_curve) (EC_GROUP *, const BIGNUM *p, const BIGNUM *a, |
58 | | const BIGNUM *b, BN_CTX *); |
59 | | int (*group_get_curve) (const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, |
60 | | BN_CTX *); |
61 | | /* used by EC_GROUP_get_degree: */ |
62 | | int (*group_get_degree) (const EC_GROUP *); |
63 | | int (*group_order_bits) (const EC_GROUP *); |
64 | | /* used by EC_GROUP_check: */ |
65 | | int (*group_check_discriminant) (const EC_GROUP *, BN_CTX *); |
66 | | /* |
67 | | * used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, |
68 | | * EC_POINT_copy: |
69 | | */ |
70 | | int (*point_init) (EC_POINT *); |
71 | | void (*point_finish) (EC_POINT *); |
72 | | void (*point_clear_finish) (EC_POINT *); |
73 | | int (*point_copy) (EC_POINT *, const EC_POINT *); |
74 | | /*- |
75 | | * used by EC_POINT_set_to_infinity, |
76 | | * EC_POINT_set_Jprojective_coordinates_GFp, |
77 | | * EC_POINT_get_Jprojective_coordinates_GFp, |
78 | | * EC_POINT_set_affine_coordinates, |
79 | | * EC_POINT_get_affine_coordinates, |
80 | | * EC_POINT_set_compressed_coordinates: |
81 | | */ |
82 | | int (*point_set_to_infinity) (const EC_GROUP *, EC_POINT *); |
83 | | int (*point_set_affine_coordinates) (const EC_GROUP *, EC_POINT *, |
84 | | const BIGNUM *x, const BIGNUM *y, |
85 | | BN_CTX *); |
86 | | int (*point_get_affine_coordinates) (const EC_GROUP *, const EC_POINT *, |
87 | | BIGNUM *x, BIGNUM *y, BN_CTX *); |
88 | | int (*point_set_compressed_coordinates) (const EC_GROUP *, EC_POINT *, |
89 | | const BIGNUM *x, int y_bit, |
90 | | BN_CTX *); |
91 | | /* used by EC_POINT_point2oct, EC_POINT_oct2point: */ |
92 | | size_t (*point2oct) (const EC_GROUP *, const EC_POINT *, |
93 | | point_conversion_form_t form, unsigned char *buf, |
94 | | size_t len, BN_CTX *); |
95 | | int (*oct2point) (const EC_GROUP *, EC_POINT *, const unsigned char *buf, |
96 | | size_t len, BN_CTX *); |
97 | | /* used by EC_POINT_add, EC_POINT_dbl, ECP_POINT_invert: */ |
98 | | int (*add) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
99 | | const EC_POINT *b, BN_CTX *); |
100 | | int (*dbl) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *); |
101 | | int (*invert) (const EC_GROUP *, EC_POINT *, BN_CTX *); |
102 | | /* |
103 | | * used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp: |
104 | | */ |
105 | | int (*is_at_infinity) (const EC_GROUP *, const EC_POINT *); |
106 | | int (*is_on_curve) (const EC_GROUP *, const EC_POINT *, BN_CTX *); |
107 | | int (*point_cmp) (const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, |
108 | | BN_CTX *); |
109 | | /* used by EC_POINT_make_affine, EC_POINTs_make_affine: */ |
110 | | int (*make_affine) (const EC_GROUP *, EC_POINT *, BN_CTX *); |
111 | | int (*points_make_affine) (const EC_GROUP *, size_t num, EC_POINT *[], |
112 | | BN_CTX *); |
113 | | /* |
114 | | * used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, |
115 | | * EC_POINT_have_precompute_mult (default implementations are used if the |
116 | | * 'mul' pointer is 0): |
117 | | */ |
118 | | /*- |
119 | | * mul() calculates the value |
120 | | * |
121 | | * r := generator * scalar |
122 | | * + points[0] * scalars[0] |
123 | | * + ... |
124 | | * + points[num-1] * scalars[num-1]. |
125 | | * |
126 | | * For a fixed point multiplication (scalar != NULL, num == 0) |
127 | | * or a variable point multiplication (scalar == NULL, num == 1), |
128 | | * mul() must use a constant time algorithm: in both cases callers |
129 | | * should provide an input scalar (either scalar or scalars[0]) |
130 | | * in the range [0, ec_group_order); for robustness, implementers |
131 | | * should handle the case when the scalar has not been reduced, but |
132 | | * may treat it as an unusual input, without any constant-timeness |
133 | | * guarantee. |
134 | | */ |
135 | | int (*mul) (const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, |
136 | | size_t num, const EC_POINT *points[], const BIGNUM *scalars[], |
137 | | BN_CTX *); |
138 | | int (*precompute_mult) (EC_GROUP *group, BN_CTX *); |
139 | | int (*have_precompute_mult) (const EC_GROUP *group); |
140 | | /* internal functions */ |
141 | | /* |
142 | | * 'field_mul', 'field_sqr', and 'field_div' can be used by 'add' and |
143 | | * 'dbl' so that the same implementations of point operations can be used |
144 | | * with different optimized implementations of expensive field |
145 | | * operations: |
146 | | */ |
147 | | int (*field_mul) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
148 | | const BIGNUM *b, BN_CTX *); |
149 | | int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); |
150 | | int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
151 | | const BIGNUM *b, BN_CTX *); |
152 | | /*- |
153 | | * 'field_inv' computes the multiplicative inverse of a in the field, |
154 | | * storing the result in r. |
155 | | * |
156 | | * If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error. |
157 | | */ |
158 | | int (*field_inv) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); |
159 | | /* e.g. to Montgomery */ |
160 | | int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
161 | | BN_CTX *); |
162 | | /* e.g. from Montgomery */ |
163 | | int (*field_decode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
164 | | BN_CTX *); |
165 | | int (*field_set_to_one) (const EC_GROUP *, BIGNUM *r, BN_CTX *); |
166 | | /* private key operations */ |
167 | | size_t (*priv2oct)(const EC_KEY *eckey, unsigned char *buf, size_t len); |
168 | | int (*oct2priv)(EC_KEY *eckey, const unsigned char *buf, size_t len); |
169 | | int (*set_private)(EC_KEY *eckey, const BIGNUM *priv_key); |
170 | | int (*keygen)(EC_KEY *eckey); |
171 | | int (*keycheck)(const EC_KEY *eckey); |
172 | | int (*keygenpub)(EC_KEY *eckey); |
173 | | int (*keycopy)(EC_KEY *dst, const EC_KEY *src); |
174 | | void (*keyfinish)(EC_KEY *eckey); |
175 | | /* custom ECDH operation */ |
176 | | int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen, |
177 | | const EC_POINT *pub_key, const EC_KEY *ecdh); |
178 | | /* custom ECDSA */ |
179 | | int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinvp, |
180 | | BIGNUM **rp); |
181 | | ECDSA_SIG *(*ecdsa_sign_sig)(const unsigned char *dgst, int dgstlen, |
182 | | const BIGNUM *kinv, const BIGNUM *r, |
183 | | EC_KEY *eckey); |
184 | | int (*ecdsa_verify_sig)(const unsigned char *dgst, int dgstlen, |
185 | | const ECDSA_SIG *sig, EC_KEY *eckey); |
186 | | /* Inverse modulo order */ |
187 | | int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r, |
188 | | const BIGNUM *x, BN_CTX *); |
189 | | int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); |
190 | | int (*ladder_pre)(const EC_GROUP *group, |
191 | | EC_POINT *r, EC_POINT *s, |
192 | | EC_POINT *p, BN_CTX *ctx); |
193 | | int (*ladder_step)(const EC_GROUP *group, |
194 | | EC_POINT *r, EC_POINT *s, |
195 | | EC_POINT *p, BN_CTX *ctx); |
196 | | int (*ladder_post)(const EC_GROUP *group, |
197 | | EC_POINT *r, EC_POINT *s, |
198 | | EC_POINT *p, BN_CTX *ctx); |
199 | | }; |
200 | | |
201 | | /* |
202 | | * Types and functions to manipulate pre-computed values. |
203 | | */ |
204 | | typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP; |
205 | | typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP; |
206 | | typedef struct nistp384_pre_comp_st NISTP384_PRE_COMP; |
207 | | typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP; |
208 | | typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP; |
209 | | typedef struct ec_pre_comp_st EC_PRE_COMP; |
210 | | |
211 | | struct ec_group_st { |
212 | | const EC_METHOD *meth; |
213 | | EC_POINT *generator; /* optional */ |
214 | | BIGNUM *order, *cofactor; |
215 | | int curve_name; /* optional NID for named curve */ |
216 | | int asn1_flag; /* flag to control the asn1 encoding */ |
217 | | int decoded_from_explicit_params; /* set if decoded from explicit |
218 | | * curve parameters encoding */ |
219 | | point_conversion_form_t asn1_form; |
220 | | unsigned char *seed; /* optional seed for parameters (appears in |
221 | | * ASN1) */ |
222 | | size_t seed_len; |
223 | | /* |
224 | | * The following members are handled by the method functions, even if |
225 | | * they appear generic |
226 | | */ |
227 | | /* |
228 | | * Field specification. For curves over GF(p), this is the modulus; for |
229 | | * curves over GF(2^m), this is the irreducible polynomial defining the |
230 | | * field. |
231 | | */ |
232 | | BIGNUM *field; |
233 | | /* |
234 | | * Field specification for curves over GF(2^m). The irreducible f(t) is |
235 | | * then of the form: t^poly[0] + t^poly[1] + ... + t^poly[k] where m = |
236 | | * poly[0] > poly[1] > ... > poly[k] = 0. The array is terminated with |
237 | | * poly[k+1]=-1. All elliptic curve irreducibles have at most 5 non-zero |
238 | | * terms. |
239 | | */ |
240 | | int poly[6]; |
241 | | /* |
242 | | * Curve coefficients. (Here the assumption is that BIGNUMs can be used |
243 | | * or abused for all kinds of fields, not just GF(p).) For characteristic |
244 | | * > 3, the curve is defined by a Weierstrass equation of the form y^2 = |
245 | | * x^3 + a*x + b. For characteristic 2, the curve is defined by an |
246 | | * equation of the form y^2 + x*y = x^3 + a*x^2 + b. |
247 | | */ |
248 | | BIGNUM *a, *b; |
249 | | /* enable optimized point arithmetic for special case */ |
250 | | int a_is_minus3; |
251 | | /* method-specific (e.g., Montgomery structure) */ |
252 | | void *field_data1; |
253 | | /* method-specific */ |
254 | | void *field_data2; |
255 | | /* method-specific */ |
256 | | int (*field_mod_func) (BIGNUM *, const BIGNUM *, const BIGNUM *, |
257 | | BN_CTX *); |
258 | | /* data for ECDSA inverse */ |
259 | | BN_MONT_CTX *mont_data; |
260 | | |
261 | | /* |
262 | | * Precomputed values for speed. The PCT_xxx names match the |
263 | | * pre_comp.xxx union names; see the SETPRECOMP and HAVEPRECOMP |
264 | | * macros, below. |
265 | | */ |
266 | | enum { |
267 | | PCT_none, |
268 | | PCT_nistp224, PCT_nistp256, PCT_nistp384, PCT_nistp521, PCT_nistz256, |
269 | | PCT_ec |
270 | | } pre_comp_type; |
271 | | union { |
272 | | NISTP224_PRE_COMP *nistp224; |
273 | | NISTP256_PRE_COMP *nistp256; |
274 | | NISTP384_PRE_COMP *nistp384; |
275 | | NISTP521_PRE_COMP *nistp521; |
276 | | NISTZ256_PRE_COMP *nistz256; |
277 | | EC_PRE_COMP *ec; |
278 | | } pre_comp; |
279 | | |
280 | | OSSL_LIB_CTX *libctx; |
281 | | char *propq; |
282 | | }; |
283 | | |
284 | | #define SETPRECOMP(g, type, pre) \ |
285 | 0 | g->pre_comp_type = PCT_##type, g->pre_comp.type = pre |
286 | | #define HAVEPRECOMP(g, type) \ |
287 | 0 | g->pre_comp_type == PCT_##type && g->pre_comp.type != NULL |
288 | | |
289 | | struct ec_key_st { |
290 | | const EC_KEY_METHOD *meth; |
291 | | ENGINE *engine; |
292 | | int version; |
293 | | EC_GROUP *group; |
294 | | EC_POINT *pub_key; |
295 | | BIGNUM *priv_key; |
296 | | unsigned int enc_flag; |
297 | | point_conversion_form_t conv_form; |
298 | | CRYPTO_REF_COUNT references; |
299 | | int flags; |
300 | | #ifndef FIPS_MODULE |
301 | | CRYPTO_EX_DATA ex_data; |
302 | | #endif |
303 | | OSSL_LIB_CTX *libctx; |
304 | | char *propq; |
305 | | |
306 | | /* Provider data */ |
307 | | size_t dirty_cnt; /* If any key material changes, increment this */ |
308 | | }; |
309 | | |
310 | | struct ec_point_st { |
311 | | const EC_METHOD *meth; |
312 | | /* NID for the curve if known */ |
313 | | int curve_name; |
314 | | /* |
315 | | * All members except 'meth' are handled by the method functions, even if |
316 | | * they appear generic |
317 | | */ |
318 | | BIGNUM *X; |
319 | | BIGNUM *Y; |
320 | | BIGNUM *Z; /* Jacobian projective coordinates: * (X, Y, |
321 | | * Z) represents (X/Z^2, Y/Z^3) if Z != 0 */ |
322 | | int Z_is_one; /* enable optimized point arithmetic for |
323 | | * special case */ |
324 | | }; |
325 | | |
326 | | static ossl_inline int ec_point_is_compat(const EC_POINT *point, |
327 | | const EC_GROUP *group) |
328 | 639k | { |
329 | 639k | return group->meth == point->meth |
330 | 639k | && (group->curve_name == 0 |
331 | 639k | || point->curve_name == 0 |
332 | 639k | || group->curve_name == point->curve_name); |
333 | 639k | } Unexecuted instantiation: curve25519.c:ec_point_is_compat Unexecuted instantiation: ec_ameth.c:ec_point_is_compat Unexecuted instantiation: ec_asn1.c:ec_point_is_compat Unexecuted instantiation: ec_backend.c:ec_point_is_compat Unexecuted instantiation: ec_check.c:ec_point_is_compat Unexecuted instantiation: ec_curve.c:ec_point_is_compat Unexecuted instantiation: ec_cvt.c:ec_point_is_compat Unexecuted instantiation: ec_key.c:ec_point_is_compat Unexecuted instantiation: ec_kmeth.c:ec_point_is_compat ec_lib.c:ec_point_is_compat Line | Count | Source | 328 | 635k | { | 329 | 635k | return group->meth == point->meth | 330 | 635k | && (group->curve_name == 0 | 331 | 635k | || point->curve_name == 0 | 332 | 635k | || group->curve_name == point->curve_name); | 333 | 635k | } |
Unexecuted instantiation: ec_mult.c:ec_point_is_compat ec_oct.c:ec_point_is_compat Line | Count | Source | 328 | 4.54k | { | 329 | 4.54k | return group->meth == point->meth | 330 | 4.54k | && (group->curve_name == 0 | 331 | 4.54k | || point->curve_name == 0 | 332 | 4.54k | || group->curve_name == point->curve_name); | 333 | 4.54k | } |
Unexecuted instantiation: ec_pmeth.c:ec_point_is_compat Unexecuted instantiation: ecdh_kdf.c:ec_point_is_compat Unexecuted instantiation: ecdh_ossl.c:ec_point_is_compat Unexecuted instantiation: ecdsa_ossl.c:ec_point_is_compat Unexecuted instantiation: ecdsa_sign.c:ec_point_is_compat Unexecuted instantiation: ecdsa_vrf.c:ec_point_is_compat Unexecuted instantiation: ecp_mont.c:ec_point_is_compat Unexecuted instantiation: ecp_nistp224.c:ec_point_is_compat Unexecuted instantiation: ecp_nistp256.c:ec_point_is_compat Unexecuted instantiation: ecp_nistp384.c:ec_point_is_compat Unexecuted instantiation: ecp_nistp521.c:ec_point_is_compat Unexecuted instantiation: ecp_nistputil.c:ec_point_is_compat Unexecuted instantiation: ecp_nistz256.c:ec_point_is_compat Unexecuted instantiation: ecp_oct.c:ec_point_is_compat Unexecuted instantiation: ecp_smpl.c:ec_point_is_compat Unexecuted instantiation: ecx_meth.c:ec_point_is_compat Unexecuted instantiation: ec2_oct.c:ec_point_is_compat Unexecuted instantiation: ec2_smpl.c:ec_point_is_compat Unexecuted instantiation: ecp_nist.c:ec_point_is_compat |
334 | | |
335 | | NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *); |
336 | | NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); |
337 | | NISTP384_PRE_COMP *ossl_ec_nistp384_pre_comp_dup(NISTP384_PRE_COMP *); |
338 | | NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *); |
339 | | NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *); |
340 | | NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); |
341 | | EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_COMP *); |
342 | | |
343 | | void EC_pre_comp_free(EC_GROUP *group); |
344 | | void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *); |
345 | | void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *); |
346 | | void ossl_ec_nistp384_pre_comp_free(NISTP384_PRE_COMP *); |
347 | | void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *); |
348 | | void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *); |
349 | | void EC_ec_pre_comp_free(EC_PRE_COMP *); |
350 | | |
351 | | /* |
352 | | * method functions in ec_mult.c (ec_lib.c uses these as defaults if |
353 | | * group->method->mul is 0) |
354 | | */ |
355 | | int ossl_ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, |
356 | | size_t num, const EC_POINT *points[], |
357 | | const BIGNUM *scalars[], BN_CTX *); |
358 | | int ossl_ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *); |
359 | | int ossl_ec_wNAF_have_precompute_mult(const EC_GROUP *group); |
360 | | |
361 | | /* method functions in ecp_smpl.c */ |
362 | | int ossl_ec_GFp_simple_group_init(EC_GROUP *); |
363 | | void ossl_ec_GFp_simple_group_finish(EC_GROUP *); |
364 | | void ossl_ec_GFp_simple_group_clear_finish(EC_GROUP *); |
365 | | int ossl_ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *); |
366 | | int ossl_ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, |
367 | | const BIGNUM *a, const BIGNUM *b, |
368 | | BN_CTX *); |
369 | | int ossl_ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, |
370 | | BIGNUM *b, BN_CTX *); |
371 | | int ossl_ec_GFp_simple_group_get_degree(const EC_GROUP *); |
372 | | int ossl_ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); |
373 | | int ossl_ec_GFp_simple_point_init(EC_POINT *); |
374 | | void ossl_ec_GFp_simple_point_finish(EC_POINT *); |
375 | | void ossl_ec_GFp_simple_point_clear_finish(EC_POINT *); |
376 | | int ossl_ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *); |
377 | | int ossl_ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); |
378 | | int ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, |
379 | | EC_POINT *, |
380 | | const BIGNUM *x, |
381 | | const BIGNUM *y, |
382 | | const BIGNUM *z, |
383 | | BN_CTX *); |
384 | | int ossl_ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, |
385 | | const EC_POINT *, |
386 | | BIGNUM *x, |
387 | | BIGNUM *y, BIGNUM *z, |
388 | | BN_CTX *); |
389 | | int ossl_ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *, |
390 | | const BIGNUM *x, |
391 | | const BIGNUM *y, BN_CTX *); |
392 | | int ossl_ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *, |
393 | | const EC_POINT *, BIGNUM *x, |
394 | | BIGNUM *y, BN_CTX *); |
395 | | int ossl_ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, |
396 | | const BIGNUM *x, int y_bit, |
397 | | BN_CTX *); |
398 | | size_t ossl_ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, |
399 | | point_conversion_form_t form, |
400 | | unsigned char *buf, size_t len, BN_CTX *); |
401 | | int ossl_ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *, |
402 | | const unsigned char *buf, size_t len, BN_CTX *); |
403 | | int ossl_ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
404 | | const EC_POINT *b, BN_CTX *); |
405 | | int ossl_ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
406 | | BN_CTX *); |
407 | | int ossl_ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); |
408 | | int ossl_ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); |
409 | | int ossl_ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); |
410 | | int ossl_ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, |
411 | | const EC_POINT *b, BN_CTX *); |
412 | | int ossl_ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); |
413 | | int ossl_ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, |
414 | | EC_POINT *[], BN_CTX *); |
415 | | int ossl_ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
416 | | const BIGNUM *b, BN_CTX *); |
417 | | int ossl_ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
418 | | BN_CTX *); |
419 | | int ossl_ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
420 | | BN_CTX *); |
421 | | int ossl_ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, |
422 | | BN_CTX *ctx); |
423 | | int ossl_ec_GFp_simple_ladder_pre(const EC_GROUP *group, |
424 | | EC_POINT *r, EC_POINT *s, |
425 | | EC_POINT *p, BN_CTX *ctx); |
426 | | int ossl_ec_GFp_simple_ladder_step(const EC_GROUP *group, |
427 | | EC_POINT *r, EC_POINT *s, |
428 | | EC_POINT *p, BN_CTX *ctx); |
429 | | int ossl_ec_GFp_simple_ladder_post(const EC_GROUP *group, |
430 | | EC_POINT *r, EC_POINT *s, |
431 | | EC_POINT *p, BN_CTX *ctx); |
432 | | |
433 | | /* method functions in ecp_mont.c */ |
434 | | int ossl_ec_GFp_mont_group_init(EC_GROUP *); |
435 | | int ossl_ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, |
436 | | const BIGNUM *a, |
437 | | const BIGNUM *b, BN_CTX *); |
438 | | void ossl_ec_GFp_mont_group_finish(EC_GROUP *); |
439 | | void ossl_ec_GFp_mont_group_clear_finish(EC_GROUP *); |
440 | | int ossl_ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *); |
441 | | int ossl_ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
442 | | const BIGNUM *b, BN_CTX *); |
443 | | int ossl_ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
444 | | BN_CTX *); |
445 | | int ossl_ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
446 | | BN_CTX *); |
447 | | int ossl_ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
448 | | BN_CTX *); |
449 | | int ossl_ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
450 | | BN_CTX *); |
451 | | int ossl_ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *); |
452 | | |
453 | | /* method functions in ecp_nist.c */ |
454 | | int ossl_ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src); |
455 | | int ossl_ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, |
456 | | const BIGNUM *a, const BIGNUM *b, BN_CTX *); |
457 | | int ossl_ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
458 | | const BIGNUM *b, BN_CTX *); |
459 | | int ossl_ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
460 | | BN_CTX *); |
461 | | |
462 | | /* method functions in ec2_smpl.c */ |
463 | | int ossl_ec_GF2m_simple_group_init(EC_GROUP *); |
464 | | void ossl_ec_GF2m_simple_group_finish(EC_GROUP *); |
465 | | void ossl_ec_GF2m_simple_group_clear_finish(EC_GROUP *); |
466 | | int ossl_ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *); |
467 | | int ossl_ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, |
468 | | const BIGNUM *a, const BIGNUM *b, |
469 | | BN_CTX *); |
470 | | int ossl_ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, |
471 | | BIGNUM *b, BN_CTX *); |
472 | | int ossl_ec_GF2m_simple_group_get_degree(const EC_GROUP *); |
473 | | int ossl_ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); |
474 | | int ossl_ec_GF2m_simple_point_init(EC_POINT *); |
475 | | void ossl_ec_GF2m_simple_point_finish(EC_POINT *); |
476 | | void ossl_ec_GF2m_simple_point_clear_finish(EC_POINT *); |
477 | | int ossl_ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *); |
478 | | int ossl_ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); |
479 | | int ossl_ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, |
480 | | EC_POINT *, |
481 | | const BIGNUM *x, |
482 | | const BIGNUM *y, BN_CTX *); |
483 | | int ossl_ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *, |
484 | | const EC_POINT *, BIGNUM *x, |
485 | | BIGNUM *y, BN_CTX *); |
486 | | int ossl_ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, |
487 | | const BIGNUM *x, int y_bit, |
488 | | BN_CTX *); |
489 | | size_t ossl_ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *, |
490 | | point_conversion_form_t form, |
491 | | unsigned char *buf, size_t len, BN_CTX *); |
492 | | int ossl_ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *, |
493 | | const unsigned char *buf, size_t len, BN_CTX *); |
494 | | int ossl_ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
495 | | const EC_POINT *b, BN_CTX *); |
496 | | int ossl_ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
497 | | BN_CTX *); |
498 | | int ossl_ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); |
499 | | int ossl_ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); |
500 | | int ossl_ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); |
501 | | int ossl_ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, |
502 | | const EC_POINT *b, BN_CTX *); |
503 | | int ossl_ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); |
504 | | int ossl_ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num, |
505 | | EC_POINT *[], BN_CTX *); |
506 | | int ossl_ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
507 | | const BIGNUM *b, BN_CTX *); |
508 | | int ossl_ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
509 | | BN_CTX *); |
510 | | int ossl_ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
511 | | const BIGNUM *b, BN_CTX *); |
512 | | |
513 | | #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 |
514 | | # ifdef B_ENDIAN |
515 | | # error "Can not enable ec_nistp_64_gcc_128 on big-endian systems" |
516 | | # endif |
517 | | |
518 | | /* method functions in ecp_nistp224.c */ |
519 | | int ossl_ec_GFp_nistp224_group_init(EC_GROUP *group); |
520 | | int ossl_ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, |
521 | | const BIGNUM *a, const BIGNUM *n, |
522 | | BN_CTX *); |
523 | | int ossl_ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, |
524 | | const EC_POINT *point, |
525 | | BIGNUM *x, BIGNUM *y, |
526 | | BN_CTX *ctx); |
527 | | int ossl_ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r, |
528 | | const BIGNUM *scalar, size_t num, |
529 | | const EC_POINT *points[], const BIGNUM *scalars[], |
530 | | BN_CTX *); |
531 | | int ossl_ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, |
532 | | const BIGNUM *scalar, size_t num, |
533 | | const EC_POINT *points[], |
534 | | const BIGNUM *scalars[], BN_CTX *ctx); |
535 | | int ossl_ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx); |
536 | | int ossl_ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group); |
537 | | |
538 | | /* method functions in ecp_nistp256.c */ |
539 | | int ossl_ec_GFp_nistp256_group_init(EC_GROUP *group); |
540 | | int ossl_ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, |
541 | | const BIGNUM *a, const BIGNUM *n, |
542 | | BN_CTX *); |
543 | | int ossl_ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group, |
544 | | const EC_POINT *point, |
545 | | BIGNUM *x, BIGNUM *y, |
546 | | BN_CTX *ctx); |
547 | | int ossl_ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r, |
548 | | const BIGNUM *scalar, size_t num, |
549 | | const EC_POINT *points[], const BIGNUM *scalars[], |
550 | | BN_CTX *); |
551 | | int ossl_ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, |
552 | | const BIGNUM *scalar, size_t num, |
553 | | const EC_POINT *points[], |
554 | | const BIGNUM *scalars[], BN_CTX *ctx); |
555 | | int ossl_ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx); |
556 | | int ossl_ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); |
557 | | |
558 | | /* method functions in ecp_nistp384.c */ |
559 | | int ossl_ec_GFp_nistp384_group_init(EC_GROUP *group); |
560 | | int ossl_ec_GFp_nistp384_group_set_curve(EC_GROUP *group, const BIGNUM *p, |
561 | | const BIGNUM *a, const BIGNUM *n, |
562 | | BN_CTX *); |
563 | | int ossl_ec_GFp_nistp384_point_get_affine_coordinates(const EC_GROUP *group, |
564 | | const EC_POINT *point, |
565 | | BIGNUM *x, BIGNUM *y, |
566 | | BN_CTX *ctx); |
567 | | int ossl_ec_GFp_nistp384_mul(const EC_GROUP *group, EC_POINT *r, |
568 | | const BIGNUM *scalar, size_t num, |
569 | | const EC_POINT *points[], const BIGNUM *scalars[], |
570 | | BN_CTX *); |
571 | | int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r, |
572 | | const BIGNUM *scalar, size_t num, |
573 | | const EC_POINT *points[], |
574 | | const BIGNUM *scalars[], BN_CTX *ctx); |
575 | | int ossl_ec_GFp_nistp384_precompute_mult(EC_GROUP *group, BN_CTX *ctx); |
576 | | int ossl_ec_GFp_nistp384_have_precompute_mult(const EC_GROUP *group); |
577 | | const EC_METHOD *ossl_ec_GFp_nistp384_method(void); |
578 | | |
579 | | /* method functions in ecp_nistp521.c */ |
580 | | int ossl_ec_GFp_nistp521_group_init(EC_GROUP *group); |
581 | | int ossl_ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, |
582 | | const BIGNUM *a, const BIGNUM *n, |
583 | | BN_CTX *); |
584 | | int ossl_ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group, |
585 | | const EC_POINT *point, |
586 | | BIGNUM *x, BIGNUM *y, |
587 | | BN_CTX *ctx); |
588 | | int ossl_ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r, |
589 | | const BIGNUM *scalar, size_t num, |
590 | | const EC_POINT *points[], const BIGNUM *scalars[], |
591 | | BN_CTX *); |
592 | | int ossl_ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, |
593 | | const BIGNUM *scalar, size_t num, |
594 | | const EC_POINT *points[], |
595 | | const BIGNUM *scalars[], BN_CTX *ctx); |
596 | | int ossl_ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx); |
597 | | int ossl_ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group); |
598 | | |
599 | | /* utility functions in ecp_nistputil.c */ |
600 | | void ossl_ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, |
601 | | size_t felem_size, |
602 | | void *tmp_felems, |
603 | | void (*felem_one) (void *out), |
604 | | int (*felem_is_zero) |
605 | | (const void *in), |
606 | | void (*felem_assign) |
607 | | (void *out, const void *in), |
608 | | void (*felem_square) |
609 | | (void *out, const void *in), |
610 | | void (*felem_mul) |
611 | | (void *out, |
612 | | const void *in1, |
613 | | const void *in2), |
614 | | void (*felem_inv) |
615 | | (void *out, const void *in), |
616 | | void (*felem_contract) |
617 | | (void *out, const void *in)); |
618 | | void ossl_ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, |
619 | | unsigned char *digit, |
620 | | unsigned char in); |
621 | | #endif |
622 | | int ossl_ec_group_simple_order_bits(const EC_GROUP *group); |
623 | | |
624 | | /** |
625 | | * Creates a new EC_GROUP object |
626 | | * \param libctx The associated library context or NULL for the default |
627 | | * library context |
628 | | * \param propq Any property query string |
629 | | * \param meth EC_METHOD to use |
630 | | * \return newly created EC_GROUP object or NULL in case of an error. |
631 | | */ |
632 | | EC_GROUP *ossl_ec_group_new_ex(OSSL_LIB_CTX *libctx, const char *propq, |
633 | | const EC_METHOD *meth); |
634 | | |
635 | | #ifdef ECP_NISTZ256_ASM |
636 | | /** Returns GFp methods using montgomery multiplication, with x86-64 optimized |
637 | | * P256. See http://eprint.iacr.org/2013/816. |
638 | | * \return EC_METHOD object |
639 | | */ |
640 | | const EC_METHOD *EC_GFp_nistz256_method(void); |
641 | | #endif |
642 | | #ifdef S390X_EC_ASM |
643 | | const EC_METHOD *EC_GFp_s390x_nistp256_method(void); |
644 | | const EC_METHOD *EC_GFp_s390x_nistp384_method(void); |
645 | | const EC_METHOD *EC_GFp_s390x_nistp521_method(void); |
646 | | #endif |
647 | | |
648 | | size_t ossl_ec_key_simple_priv2oct(const EC_KEY *eckey, |
649 | | unsigned char *buf, size_t len); |
650 | | int ossl_ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, |
651 | | size_t len); |
652 | | int ossl_ec_key_simple_generate_key(EC_KEY *eckey); |
653 | | int ossl_ec_key_simple_generate_public_key(EC_KEY *eckey); |
654 | | int ossl_ec_key_simple_check_key(const EC_KEY *eckey); |
655 | | |
656 | | #ifdef ECP_SM2P256_ASM |
657 | | /* Returns optimized methods for SM2 */ |
658 | | const EC_METHOD *EC_GFp_sm2p256_method(void); |
659 | | #endif |
660 | | |
661 | | int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx); |
662 | | |
663 | | /* EC_METHOD definitions */ |
664 | | |
665 | | struct ec_key_method_st { |
666 | | const char *name; |
667 | | int32_t flags; |
668 | | int (*init)(EC_KEY *key); |
669 | | void (*finish)(EC_KEY *key); |
670 | | int (*copy)(EC_KEY *dest, const EC_KEY *src); |
671 | | int (*set_group)(EC_KEY *key, const EC_GROUP *grp); |
672 | | int (*set_private)(EC_KEY *key, const BIGNUM *priv_key); |
673 | | int (*set_public)(EC_KEY *key, const EC_POINT *pub_key); |
674 | | int (*keygen)(EC_KEY *key); |
675 | | int (*compute_key)(unsigned char **pout, size_t *poutlen, |
676 | | const EC_POINT *pub_key, const EC_KEY *ecdh); |
677 | | int (*sign)(int type, const unsigned char *dgst, int dlen, unsigned char |
678 | | *sig, unsigned int *siglen, const BIGNUM *kinv, |
679 | | const BIGNUM *r, EC_KEY *eckey); |
680 | | int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, |
681 | | BIGNUM **rp); |
682 | | ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgst_len, |
683 | | const BIGNUM *in_kinv, const BIGNUM *in_r, |
684 | | EC_KEY *eckey); |
685 | | |
686 | | int (*verify)(int type, const unsigned char *dgst, int dgst_len, |
687 | | const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); |
688 | | int (*verify_sig)(const unsigned char *dgst, int dgst_len, |
689 | | const ECDSA_SIG *sig, EC_KEY *eckey); |
690 | | }; |
691 | | |
692 | 0 | #define EC_KEY_METHOD_DYNAMIC 1 |
693 | | |
694 | | EC_KEY *ossl_ec_key_new_method_int(OSSL_LIB_CTX *libctx, const char *propq, |
695 | | ENGINE *engine); |
696 | | |
697 | | int ossl_ec_key_gen(EC_KEY *eckey); |
698 | | int ossl_ecdh_compute_key(unsigned char **pout, size_t *poutlen, |
699 | | const EC_POINT *pub_key, const EC_KEY *ecdh); |
700 | | int ossl_ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, |
701 | | const EC_POINT *pub_key, const EC_KEY *ecdh); |
702 | | |
703 | | struct ECDSA_SIG_st { |
704 | | BIGNUM *r; |
705 | | BIGNUM *s; |
706 | | }; |
707 | | |
708 | | int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, |
709 | | BIGNUM **rp); |
710 | | int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, |
711 | | unsigned char *sig, unsigned int *siglen, |
712 | | const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey); |
713 | | ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, |
714 | | const BIGNUM *in_kinv, const BIGNUM *in_r, |
715 | | EC_KEY *eckey); |
716 | | int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, |
717 | | const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); |
718 | | int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, |
719 | | const ECDSA_SIG *sig, EC_KEY *eckey); |
720 | | int ossl_ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, |
721 | | BIGNUM **rp); |
722 | | ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, |
723 | | const BIGNUM *in_kinv, const BIGNUM *in_r, |
724 | | EC_KEY *eckey); |
725 | | int ossl_ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, |
726 | | const ECDSA_SIG *sig, EC_KEY *eckey); |
727 | | |
728 | | |
729 | | /*- |
730 | | * This functions computes a single point multiplication over the EC group, |
731 | | * using, at a high level, a Montgomery ladder with conditional swaps, with |
732 | | * various timing attack defenses. |
733 | | * |
734 | | * It performs either a fixed point multiplication |
735 | | * (scalar * generator) |
736 | | * when point is NULL, or a variable point multiplication |
737 | | * (scalar * point) |
738 | | * when point is not NULL. |
739 | | * |
740 | | * `scalar` cannot be NULL and should be in the range [0,n) otherwise all |
741 | | * constant time bets are off (where n is the cardinality of the EC group). |
742 | | * |
743 | | * This function expects `group->order` and `group->cardinality` to be well |
744 | | * defined and non-zero: it fails with an error code otherwise. |
745 | | * |
746 | | * NB: This says nothing about the constant-timeness of the ladder step |
747 | | * implementation (i.e., the default implementation is based on EC_POINT_add and |
748 | | * EC_POINT_dbl, which of course are not constant time themselves) or the |
749 | | * underlying multiprecision arithmetic. |
750 | | * |
751 | | * The product is stored in `r`. |
752 | | * |
753 | | * This is an internal function: callers are in charge of ensuring that the |
754 | | * input parameters `group`, `r`, `scalar` and `ctx` are not NULL. |
755 | | * |
756 | | * Returns 1 on success, 0 otherwise. |
757 | | */ |
758 | | int ossl_ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, |
759 | | const BIGNUM *scalar, const EC_POINT *point, |
760 | | BN_CTX *ctx); |
761 | | |
762 | | int ossl_ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, |
763 | | BN_CTX *ctx); |
764 | | |
765 | | static ossl_inline int ec_point_ladder_pre(const EC_GROUP *group, |
766 | | EC_POINT *r, EC_POINT *s, |
767 | | EC_POINT *p, BN_CTX *ctx) |
768 | 1.76k | { |
769 | 1.76k | if (group->meth->ladder_pre != NULL) |
770 | 1.76k | return group->meth->ladder_pre(group, r, s, p, ctx); |
771 | | |
772 | 0 | if (!EC_POINT_copy(s, p) |
773 | 0 | || !EC_POINT_dbl(group, r, s, ctx)) |
774 | 0 | return 0; |
775 | | |
776 | 0 | return 1; |
777 | 0 | } Unexecuted instantiation: curve25519.c:ec_point_ladder_pre Unexecuted instantiation: ec_ameth.c:ec_point_ladder_pre Unexecuted instantiation: ec_asn1.c:ec_point_ladder_pre Unexecuted instantiation: ec_backend.c:ec_point_ladder_pre Unexecuted instantiation: ec_check.c:ec_point_ladder_pre Unexecuted instantiation: ec_curve.c:ec_point_ladder_pre Unexecuted instantiation: ec_cvt.c:ec_point_ladder_pre Unexecuted instantiation: ec_key.c:ec_point_ladder_pre Unexecuted instantiation: ec_kmeth.c:ec_point_ladder_pre Unexecuted instantiation: ec_lib.c:ec_point_ladder_pre ec_mult.c:ec_point_ladder_pre Line | Count | Source | 768 | 1.76k | { | 769 | 1.76k | if (group->meth->ladder_pre != NULL) | 770 | 1.76k | return group->meth->ladder_pre(group, r, s, p, ctx); | 771 | | | 772 | 0 | if (!EC_POINT_copy(s, p) | 773 | 0 | || !EC_POINT_dbl(group, r, s, ctx)) | 774 | 0 | return 0; | 775 | | | 776 | 0 | return 1; | 777 | 0 | } |
Unexecuted instantiation: ec_oct.c:ec_point_ladder_pre Unexecuted instantiation: ec_pmeth.c:ec_point_ladder_pre Unexecuted instantiation: ecdh_kdf.c:ec_point_ladder_pre Unexecuted instantiation: ecdh_ossl.c:ec_point_ladder_pre Unexecuted instantiation: ecdsa_ossl.c:ec_point_ladder_pre Unexecuted instantiation: ecdsa_sign.c:ec_point_ladder_pre Unexecuted instantiation: ecdsa_vrf.c:ec_point_ladder_pre Unexecuted instantiation: ecp_mont.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nistp224.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nistp256.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nistp384.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nistp521.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nistputil.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nistz256.c:ec_point_ladder_pre Unexecuted instantiation: ecp_oct.c:ec_point_ladder_pre Unexecuted instantiation: ecp_smpl.c:ec_point_ladder_pre Unexecuted instantiation: ecx_meth.c:ec_point_ladder_pre Unexecuted instantiation: ec2_oct.c:ec_point_ladder_pre Unexecuted instantiation: ec2_smpl.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nist.c:ec_point_ladder_pre |
778 | | |
779 | | static ossl_inline int ec_point_ladder_step(const EC_GROUP *group, |
780 | | EC_POINT *r, EC_POINT *s, |
781 | | EC_POINT *p, BN_CTX *ctx) |
782 | 389k | { |
783 | 389k | if (group->meth->ladder_step != NULL) |
784 | 389k | return group->meth->ladder_step(group, r, s, p, ctx); |
785 | | |
786 | 0 | if (!EC_POINT_add(group, s, r, s, ctx) |
787 | 0 | || !EC_POINT_dbl(group, r, r, ctx)) |
788 | 0 | return 0; |
789 | | |
790 | 0 | return 1; |
791 | |
|
792 | 0 | } Unexecuted instantiation: curve25519.c:ec_point_ladder_step Unexecuted instantiation: ec_ameth.c:ec_point_ladder_step Unexecuted instantiation: ec_asn1.c:ec_point_ladder_step Unexecuted instantiation: ec_backend.c:ec_point_ladder_step Unexecuted instantiation: ec_check.c:ec_point_ladder_step Unexecuted instantiation: ec_curve.c:ec_point_ladder_step Unexecuted instantiation: ec_cvt.c:ec_point_ladder_step Unexecuted instantiation: ec_key.c:ec_point_ladder_step Unexecuted instantiation: ec_kmeth.c:ec_point_ladder_step Unexecuted instantiation: ec_lib.c:ec_point_ladder_step ec_mult.c:ec_point_ladder_step Line | Count | Source | 782 | 389k | { | 783 | 389k | if (group->meth->ladder_step != NULL) | 784 | 389k | return group->meth->ladder_step(group, r, s, p, ctx); | 785 | | | 786 | 0 | if (!EC_POINT_add(group, s, r, s, ctx) | 787 | 0 | || !EC_POINT_dbl(group, r, r, ctx)) | 788 | 0 | return 0; | 789 | | | 790 | 0 | return 1; | 791 | |
| 792 | 0 | } |
Unexecuted instantiation: ec_oct.c:ec_point_ladder_step Unexecuted instantiation: ec_pmeth.c:ec_point_ladder_step Unexecuted instantiation: ecdh_kdf.c:ec_point_ladder_step Unexecuted instantiation: ecdh_ossl.c:ec_point_ladder_step Unexecuted instantiation: ecdsa_ossl.c:ec_point_ladder_step Unexecuted instantiation: ecdsa_sign.c:ec_point_ladder_step Unexecuted instantiation: ecdsa_vrf.c:ec_point_ladder_step Unexecuted instantiation: ecp_mont.c:ec_point_ladder_step Unexecuted instantiation: ecp_nistp224.c:ec_point_ladder_step Unexecuted instantiation: ecp_nistp256.c:ec_point_ladder_step Unexecuted instantiation: ecp_nistp384.c:ec_point_ladder_step Unexecuted instantiation: ecp_nistp521.c:ec_point_ladder_step Unexecuted instantiation: ecp_nistputil.c:ec_point_ladder_step Unexecuted instantiation: ecp_nistz256.c:ec_point_ladder_step Unexecuted instantiation: ecp_oct.c:ec_point_ladder_step Unexecuted instantiation: ecp_smpl.c:ec_point_ladder_step Unexecuted instantiation: ecx_meth.c:ec_point_ladder_step Unexecuted instantiation: ec2_oct.c:ec_point_ladder_step Unexecuted instantiation: ec2_smpl.c:ec_point_ladder_step Unexecuted instantiation: ecp_nist.c:ec_point_ladder_step |
793 | | |
794 | | static ossl_inline int ec_point_ladder_post(const EC_GROUP *group, |
795 | | EC_POINT *r, EC_POINT *s, |
796 | | EC_POINT *p, BN_CTX *ctx) |
797 | 1.76k | { |
798 | 1.76k | if (group->meth->ladder_post != NULL) |
799 | 1.76k | return group->meth->ladder_post(group, r, s, p, ctx); |
800 | | |
801 | 0 | return 1; |
802 | 1.76k | } Unexecuted instantiation: curve25519.c:ec_point_ladder_post Unexecuted instantiation: ec_ameth.c:ec_point_ladder_post Unexecuted instantiation: ec_asn1.c:ec_point_ladder_post Unexecuted instantiation: ec_backend.c:ec_point_ladder_post Unexecuted instantiation: ec_check.c:ec_point_ladder_post Unexecuted instantiation: ec_curve.c:ec_point_ladder_post Unexecuted instantiation: ec_cvt.c:ec_point_ladder_post Unexecuted instantiation: ec_key.c:ec_point_ladder_post Unexecuted instantiation: ec_kmeth.c:ec_point_ladder_post Unexecuted instantiation: ec_lib.c:ec_point_ladder_post ec_mult.c:ec_point_ladder_post Line | Count | Source | 797 | 1.76k | { | 798 | 1.76k | if (group->meth->ladder_post != NULL) | 799 | 1.76k | return group->meth->ladder_post(group, r, s, p, ctx); | 800 | | | 801 | 0 | return 1; | 802 | 1.76k | } |
Unexecuted instantiation: ec_oct.c:ec_point_ladder_post Unexecuted instantiation: ec_pmeth.c:ec_point_ladder_post Unexecuted instantiation: ecdh_kdf.c:ec_point_ladder_post Unexecuted instantiation: ecdh_ossl.c:ec_point_ladder_post Unexecuted instantiation: ecdsa_ossl.c:ec_point_ladder_post Unexecuted instantiation: ecdsa_sign.c:ec_point_ladder_post Unexecuted instantiation: ecdsa_vrf.c:ec_point_ladder_post Unexecuted instantiation: ecp_mont.c:ec_point_ladder_post Unexecuted instantiation: ecp_nistp224.c:ec_point_ladder_post Unexecuted instantiation: ecp_nistp256.c:ec_point_ladder_post Unexecuted instantiation: ecp_nistp384.c:ec_point_ladder_post Unexecuted instantiation: ecp_nistp521.c:ec_point_ladder_post Unexecuted instantiation: ecp_nistputil.c:ec_point_ladder_post Unexecuted instantiation: ecp_nistz256.c:ec_point_ladder_post Unexecuted instantiation: ecp_oct.c:ec_point_ladder_post Unexecuted instantiation: ecp_smpl.c:ec_point_ladder_post Unexecuted instantiation: ecx_meth.c:ec_point_ladder_post Unexecuted instantiation: ec2_oct.c:ec_point_ladder_post Unexecuted instantiation: ec2_smpl.c:ec_point_ladder_post Unexecuted instantiation: ecp_nist.c:ec_point_ladder_post |