/src/openssl/crypto/ec/ec_local.h
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved |
4 | | * |
5 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
6 | | * this file except in compliance with the License. You can obtain a copy |
7 | | * in the file LICENSE in the source distribution or at |
8 | | * https://www.openssl.org/source/license.html |
9 | | */ |
10 | | |
11 | | #include <stdlib.h> |
12 | | |
13 | | #include <openssl/obj_mac.h> |
14 | | #include <openssl/ec.h> |
15 | | #include <openssl/bn.h> |
16 | | #include "internal/refcount.h" |
17 | | #include "crypto/ec.h" |
18 | | |
19 | | #if defined(__SUNPRO_C) |
20 | | # if __SUNPRO_C >= 0x520 |
21 | | # pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE) |
22 | | # endif |
23 | | #endif |
24 | | |
25 | | /* Use default functions for poin2oct, oct2point and compressed coordinates */ |
26 | 12.1k | #define EC_FLAGS_DEFAULT_OCT 0x1 |
27 | | |
28 | | /* Use custom formats for EC_GROUP, EC_POINT and EC_KEY */ |
29 | 7.30k | #define EC_FLAGS_CUSTOM_CURVE 0x2 |
30 | | |
31 | | /* Curve does not support signing operations */ |
32 | 0 | #define EC_FLAGS_NO_SIGN 0x4 |
33 | | |
34 | | #ifdef OPENSSL_NO_DEPRECATED_3_0 |
35 | | typedef struct ec_method_st EC_METHOD; |
36 | | #endif |
37 | | |
38 | | /* |
39 | | * Structure details are not part of the exported interface, so all this may |
40 | | * change in future versions. |
41 | | */ |
42 | | |
43 | | struct ec_method_st { |
44 | | /* Various method flags */ |
45 | | int flags; |
46 | | /* used by EC_METHOD_get_field_type: */ |
47 | | int field_type; /* a NID */ |
48 | | /* |
49 | | * used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, |
50 | | * EC_GROUP_copy: |
51 | | */ |
52 | | int (*group_init) (EC_GROUP *); |
53 | | void (*group_finish) (EC_GROUP *); |
54 | | void (*group_clear_finish) (EC_GROUP *); |
55 | | int (*group_copy) (EC_GROUP *, const EC_GROUP *); |
56 | | /* used by EC_GROUP_set_curve, EC_GROUP_get_curve: */ |
57 | | int (*group_set_curve) (EC_GROUP *, const BIGNUM *p, const BIGNUM *a, |
58 | | const BIGNUM *b, BN_CTX *); |
59 | | int (*group_get_curve) (const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, |
60 | | BN_CTX *); |
61 | | /* used by EC_GROUP_get_degree: */ |
62 | | int (*group_get_degree) (const EC_GROUP *); |
63 | | int (*group_order_bits) (const EC_GROUP *); |
64 | | /* used by EC_GROUP_check: */ |
65 | | int (*group_check_discriminant) (const EC_GROUP *, BN_CTX *); |
66 | | /* |
67 | | * used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, |
68 | | * EC_POINT_copy: |
69 | | */ |
70 | | int (*point_init) (EC_POINT *); |
71 | | void (*point_finish) (EC_POINT *); |
72 | | void (*point_clear_finish) (EC_POINT *); |
73 | | int (*point_copy) (EC_POINT *, const EC_POINT *); |
74 | | /*- |
75 | | * used by EC_POINT_set_to_infinity, |
76 | | * EC_POINT_set_Jprojective_coordinates_GFp, |
77 | | * EC_POINT_get_Jprojective_coordinates_GFp, |
78 | | * EC_POINT_set_affine_coordinates, |
79 | | * EC_POINT_get_affine_coordinates, |
80 | | * EC_POINT_set_compressed_coordinates: |
81 | | */ |
82 | | int (*point_set_to_infinity) (const EC_GROUP *, EC_POINT *); |
83 | | int (*point_set_affine_coordinates) (const EC_GROUP *, EC_POINT *, |
84 | | const BIGNUM *x, const BIGNUM *y, |
85 | | BN_CTX *); |
86 | | int (*point_get_affine_coordinates) (const EC_GROUP *, const EC_POINT *, |
87 | | BIGNUM *x, BIGNUM *y, BN_CTX *); |
88 | | int (*point_set_compressed_coordinates) (const EC_GROUP *, EC_POINT *, |
89 | | const BIGNUM *x, int y_bit, |
90 | | BN_CTX *); |
91 | | /* used by EC_POINT_point2oct, EC_POINT_oct2point: */ |
92 | | size_t (*point2oct) (const EC_GROUP *, const EC_POINT *, |
93 | | point_conversion_form_t form, unsigned char *buf, |
94 | | size_t len, BN_CTX *); |
95 | | int (*oct2point) (const EC_GROUP *, EC_POINT *, const unsigned char *buf, |
96 | | size_t len, BN_CTX *); |
97 | | /* used by EC_POINT_add, EC_POINT_dbl, ECP_POINT_invert: */ |
98 | | int (*add) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
99 | | const EC_POINT *b, BN_CTX *); |
100 | | int (*dbl) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *); |
101 | | int (*invert) (const EC_GROUP *, EC_POINT *, BN_CTX *); |
102 | | /* |
103 | | * used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp: |
104 | | */ |
105 | | int (*is_at_infinity) (const EC_GROUP *, const EC_POINT *); |
106 | | int (*is_on_curve) (const EC_GROUP *, const EC_POINT *, BN_CTX *); |
107 | | int (*point_cmp) (const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, |
108 | | BN_CTX *); |
109 | | /* used by EC_POINT_make_affine, EC_POINTs_make_affine: */ |
110 | | int (*make_affine) (const EC_GROUP *, EC_POINT *, BN_CTX *); |
111 | | int (*points_make_affine) (const EC_GROUP *, size_t num, EC_POINT *[], |
112 | | BN_CTX *); |
113 | | /* |
114 | | * used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, |
115 | | * EC_POINT_have_precompute_mult (default implementations are used if the |
116 | | * 'mul' pointer is 0): |
117 | | */ |
118 | | /*- |
119 | | * mul() calculates the value |
120 | | * |
121 | | * r := generator * scalar |
122 | | * + points[0] * scalars[0] |
123 | | * + ... |
124 | | * + points[num-1] * scalars[num-1]. |
125 | | * |
126 | | * For a fixed point multiplication (scalar != NULL, num == 0) |
127 | | * or a variable point multiplication (scalar == NULL, num == 1), |
128 | | * mul() must use a constant time algorithm: in both cases callers |
129 | | * should provide an input scalar (either scalar or scalars[0]) |
130 | | * in the range [0, ec_group_order); for robustness, implementers |
131 | | * should handle the case when the scalar has not been reduced, but |
132 | | * may treat it as an unusual input, without any constant-timeness |
133 | | * guarantee. |
134 | | */ |
135 | | int (*mul) (const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, |
136 | | size_t num, const EC_POINT *points[], const BIGNUM *scalars[], |
137 | | BN_CTX *); |
138 | | int (*precompute_mult) (EC_GROUP *group, BN_CTX *); |
139 | | int (*have_precompute_mult) (const EC_GROUP *group); |
140 | | /* internal functions */ |
141 | | /* |
142 | | * 'field_mul', 'field_sqr', and 'field_div' can be used by 'add' and |
143 | | * 'dbl' so that the same implementations of point operations can be used |
144 | | * with different optimized implementations of expensive field |
145 | | * operations: |
146 | | */ |
147 | | int (*field_mul) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
148 | | const BIGNUM *b, BN_CTX *); |
149 | | int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); |
150 | | int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
151 | | const BIGNUM *b, BN_CTX *); |
152 | | /*- |
153 | | * 'field_inv' computes the multiplicative inverse of a in the field, |
154 | | * storing the result in r. |
155 | | * |
156 | | * If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error. |
157 | | */ |
158 | | int (*field_inv) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); |
159 | | /* e.g. to Montgomery */ |
160 | | int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
161 | | BN_CTX *); |
162 | | /* e.g. from Montgomery */ |
163 | | int (*field_decode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
164 | | BN_CTX *); |
165 | | int (*field_set_to_one) (const EC_GROUP *, BIGNUM *r, BN_CTX *); |
166 | | /* private key operations */ |
167 | | size_t (*priv2oct)(const EC_KEY *eckey, unsigned char *buf, size_t len); |
168 | | int (*oct2priv)(EC_KEY *eckey, const unsigned char *buf, size_t len); |
169 | | int (*set_private)(EC_KEY *eckey, const BIGNUM *priv_key); |
170 | | int (*keygen)(EC_KEY *eckey); |
171 | | int (*keycheck)(const EC_KEY *eckey); |
172 | | int (*keygenpub)(EC_KEY *eckey); |
173 | | int (*keycopy)(EC_KEY *dst, const EC_KEY *src); |
174 | | void (*keyfinish)(EC_KEY *eckey); |
175 | | /* custom ECDH operation */ |
176 | | int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen, |
177 | | const EC_POINT *pub_key, const EC_KEY *ecdh); |
178 | | /* custom ECDSA */ |
179 | | int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinvp, |
180 | | BIGNUM **rp); |
181 | | ECDSA_SIG *(*ecdsa_sign_sig)(const unsigned char *dgst, int dgstlen, |
182 | | const BIGNUM *kinv, const BIGNUM *r, |
183 | | EC_KEY *eckey); |
184 | | int (*ecdsa_verify_sig)(const unsigned char *dgst, int dgstlen, |
185 | | const ECDSA_SIG *sig, EC_KEY *eckey); |
186 | | /* Inverse modulo order */ |
187 | | int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r, |
188 | | const BIGNUM *x, BN_CTX *); |
189 | | int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); |
190 | | int (*ladder_pre)(const EC_GROUP *group, |
191 | | EC_POINT *r, EC_POINT *s, |
192 | | EC_POINT *p, BN_CTX *ctx); |
193 | | int (*ladder_step)(const EC_GROUP *group, |
194 | | EC_POINT *r, EC_POINT *s, |
195 | | EC_POINT *p, BN_CTX *ctx); |
196 | | int (*ladder_post)(const EC_GROUP *group, |
197 | | EC_POINT *r, EC_POINT *s, |
198 | | EC_POINT *p, BN_CTX *ctx); |
199 | | int (*group_full_init)(EC_GROUP *group, const unsigned char *data); |
200 | | }; |
201 | | |
202 | | /* |
203 | | * Types and functions to manipulate pre-computed values. |
204 | | */ |
205 | | typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP; |
206 | | typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP; |
207 | | typedef struct nistp384_pre_comp_st NISTP384_PRE_COMP; |
208 | | typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP; |
209 | | typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP; |
210 | | typedef struct ec_pre_comp_st EC_PRE_COMP; |
211 | | |
212 | | struct ec_group_st { |
213 | | const EC_METHOD *meth; |
214 | | EC_POINT *generator; /* optional */ |
215 | | BIGNUM *order, *cofactor; |
216 | | int curve_name; /* optional NID for named curve */ |
217 | | int asn1_flag; /* flag to control the asn1 encoding */ |
218 | | int decoded_from_explicit_params; /* set if decoded from explicit |
219 | | * curve parameters encoding */ |
220 | | point_conversion_form_t asn1_form; |
221 | | unsigned char *seed; /* optional seed for parameters (appears in |
222 | | * ASN1) */ |
223 | | size_t seed_len; |
224 | | /* |
225 | | * The following members are handled by the method functions, even if |
226 | | * they appear generic |
227 | | */ |
228 | | /* |
229 | | * Field specification. For curves over GF(p), this is the modulus; for |
230 | | * curves over GF(2^m), this is the irreducible polynomial defining the |
231 | | * field. |
232 | | */ |
233 | | BIGNUM *field; |
234 | | /* |
235 | | * Field specification for curves over GF(2^m). The irreducible f(t) is |
236 | | * then of the form: t^poly[0] + t^poly[1] + ... + t^poly[k] where m = |
237 | | * poly[0] > poly[1] > ... > poly[k] = 0. The array is terminated with |
238 | | * poly[k+1]=-1. All elliptic curve irreducibles have at most 5 non-zero |
239 | | * terms. |
240 | | */ |
241 | | int poly[6]; |
242 | | /* |
243 | | * Curve coefficients. (Here the assumption is that BIGNUMs can be used |
244 | | * or abused for all kinds of fields, not just GF(p).) For characteristic |
245 | | * > 3, the curve is defined by a Weierstrass equation of the form y^2 = |
246 | | * x^3 + a*x + b. For characteristic 2, the curve is defined by an |
247 | | * equation of the form y^2 + x*y = x^3 + a*x^2 + b. |
248 | | */ |
249 | | BIGNUM *a, *b; |
250 | | /* enable optimized point arithmetic for special case */ |
251 | | int a_is_minus3; |
252 | | /* method-specific (e.g., Montgomery structure) */ |
253 | | void *field_data1; |
254 | | /* method-specific */ |
255 | | void *field_data2; |
256 | | /* method-specific */ |
257 | | int (*field_mod_func) (BIGNUM *, const BIGNUM *, const BIGNUM *, |
258 | | BN_CTX *); |
259 | | /* data for ECDSA inverse */ |
260 | | BN_MONT_CTX *mont_data; |
261 | | |
262 | | /* |
263 | | * Precomputed values for speed. The PCT_xxx names match the |
264 | | * pre_comp.xxx union names; see the SETPRECOMP and HAVEPRECOMP |
265 | | * macros, below. |
266 | | */ |
267 | | enum { |
268 | | PCT_none, |
269 | | PCT_nistp224, PCT_nistp256, PCT_nistp384, PCT_nistp521, PCT_nistz256, |
270 | | PCT_ec |
271 | | } pre_comp_type; |
272 | | union { |
273 | | NISTP224_PRE_COMP *nistp224; |
274 | | NISTP256_PRE_COMP *nistp256; |
275 | | NISTP384_PRE_COMP *nistp384; |
276 | | NISTP521_PRE_COMP *nistp521; |
277 | | NISTZ256_PRE_COMP *nistz256; |
278 | | EC_PRE_COMP *ec; |
279 | | } pre_comp; |
280 | | |
281 | | OSSL_LIB_CTX *libctx; |
282 | | char *propq; |
283 | | }; |
284 | | |
285 | | #define SETPRECOMP(g, type, pre) \ |
286 | 0 | g->pre_comp_type = PCT_##type, g->pre_comp.type = pre |
287 | | #define HAVEPRECOMP(g, type) \ |
288 | 0 | g->pre_comp_type == PCT_##type && g->pre_comp.type != NULL |
289 | | |
290 | | struct ec_key_st { |
291 | | const EC_KEY_METHOD *meth; |
292 | | ENGINE *engine; |
293 | | int version; |
294 | | EC_GROUP *group; |
295 | | EC_POINT *pub_key; |
296 | | BIGNUM *priv_key; |
297 | | unsigned int enc_flag; |
298 | | point_conversion_form_t conv_form; |
299 | | CRYPTO_REF_COUNT references; |
300 | | int flags; |
301 | | #ifndef FIPS_MODULE |
302 | | CRYPTO_EX_DATA ex_data; |
303 | | #endif |
304 | | OSSL_LIB_CTX *libctx; |
305 | | char *propq; |
306 | | |
307 | | /* Provider data */ |
308 | | size_t dirty_cnt; /* If any key material changes, increment this */ |
309 | | }; |
310 | | |
311 | | struct ec_point_st { |
312 | | const EC_METHOD *meth; |
313 | | /* NID for the curve if known */ |
314 | | int curve_name; |
315 | | /* |
316 | | * All members except 'meth' are handled by the method functions, even if |
317 | | * they appear generic |
318 | | */ |
319 | | BIGNUM *X; |
320 | | BIGNUM *Y; |
321 | | BIGNUM *Z; /* Jacobian projective coordinates: * (X, Y, |
322 | | * Z) represents (X/Z^2, Y/Z^3) if Z != 0 */ |
323 | | int Z_is_one; /* enable optimized point arithmetic for |
324 | | * special case */ |
325 | | }; |
326 | | |
327 | | static ossl_inline int ec_point_is_compat(const EC_POINT *point, |
328 | | const EC_GROUP *group) |
329 | 408k | { |
330 | 408k | return group->meth == point->meth |
331 | 408k | && (group->curve_name == 0 |
332 | 408k | || point->curve_name == 0 |
333 | 408k | || group->curve_name == point->curve_name); |
334 | 408k | } Unexecuted instantiation: curve25519.c:ec_point_is_compat Unexecuted instantiation: ec_ameth.c:ec_point_is_compat Unexecuted instantiation: ec_asn1.c:ec_point_is_compat Unexecuted instantiation: ec_backend.c:ec_point_is_compat Unexecuted instantiation: ec_check.c:ec_point_is_compat Unexecuted instantiation: ec_curve.c:ec_point_is_compat Unexecuted instantiation: ec_cvt.c:ec_point_is_compat Unexecuted instantiation: ec_key.c:ec_point_is_compat Unexecuted instantiation: ec_kmeth.c:ec_point_is_compat ec_lib.c:ec_point_is_compat Line | Count | Source | 329 | 403k | { | 330 | 403k | return group->meth == point->meth | 331 | 403k | && (group->curve_name == 0 | 332 | 403k | || point->curve_name == 0 | 333 | 403k | || group->curve_name == point->curve_name); | 334 | 403k | } |
Unexecuted instantiation: ec_mult.c:ec_point_is_compat ec_oct.c:ec_point_is_compat Line | Count | Source | 329 | 4.94k | { | 330 | 4.94k | return group->meth == point->meth | 331 | 4.94k | && (group->curve_name == 0 | 332 | 4.94k | || point->curve_name == 0 | 333 | 4.94k | || group->curve_name == point->curve_name); | 334 | 4.94k | } |
Unexecuted instantiation: ec_pmeth.c:ec_point_is_compat Unexecuted instantiation: ecdh_kdf.c:ec_point_is_compat Unexecuted instantiation: ecdh_ossl.c:ec_point_is_compat Unexecuted instantiation: ecdsa_ossl.c:ec_point_is_compat Unexecuted instantiation: ecdsa_sign.c:ec_point_is_compat Unexecuted instantiation: ecdsa_vrf.c:ec_point_is_compat Unexecuted instantiation: ecp_mont.c:ec_point_is_compat Unexecuted instantiation: ecp_nistp224.c:ec_point_is_compat Unexecuted instantiation: ecp_nistp256.c:ec_point_is_compat Unexecuted instantiation: ecp_nistp384.c:ec_point_is_compat Unexecuted instantiation: ecp_nistp521.c:ec_point_is_compat Unexecuted instantiation: ecp_nistputil.c:ec_point_is_compat Unexecuted instantiation: ecp_nistz256.c:ec_point_is_compat Unexecuted instantiation: ecp_oct.c:ec_point_is_compat Unexecuted instantiation: ecp_smpl.c:ec_point_is_compat Unexecuted instantiation: ecx_meth.c:ec_point_is_compat Unexecuted instantiation: ec2_oct.c:ec_point_is_compat Unexecuted instantiation: ec2_smpl.c:ec_point_is_compat Unexecuted instantiation: ecp_nist.c:ec_point_is_compat |
335 | | |
336 | | NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *); |
337 | | NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); |
338 | | NISTP384_PRE_COMP *ossl_ec_nistp384_pre_comp_dup(NISTP384_PRE_COMP *); |
339 | | NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *); |
340 | | NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *); |
341 | | NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); |
342 | | EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_COMP *); |
343 | | |
344 | | void EC_pre_comp_free(EC_GROUP *group); |
345 | | void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *); |
346 | | void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *); |
347 | | void ossl_ec_nistp384_pre_comp_free(NISTP384_PRE_COMP *); |
348 | | void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *); |
349 | | void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *); |
350 | | void EC_ec_pre_comp_free(EC_PRE_COMP *); |
351 | | |
352 | | /* |
353 | | * method functions in ec_mult.c (ec_lib.c uses these as defaults if |
354 | | * group->method->mul is 0) |
355 | | */ |
356 | | int ossl_ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, |
357 | | size_t num, const EC_POINT *points[], |
358 | | const BIGNUM *scalars[], BN_CTX *); |
359 | | int ossl_ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *); |
360 | | int ossl_ec_wNAF_have_precompute_mult(const EC_GROUP *group); |
361 | | |
362 | | /* method functions in ecp_smpl.c */ |
363 | | int ossl_ec_GFp_simple_group_init(EC_GROUP *); |
364 | | void ossl_ec_GFp_simple_group_finish(EC_GROUP *); |
365 | | void ossl_ec_GFp_simple_group_clear_finish(EC_GROUP *); |
366 | | int ossl_ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *); |
367 | | int ossl_ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, |
368 | | const BIGNUM *a, const BIGNUM *b, |
369 | | BN_CTX *); |
370 | | int ossl_ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, |
371 | | BIGNUM *b, BN_CTX *); |
372 | | int ossl_ec_GFp_simple_group_get_degree(const EC_GROUP *); |
373 | | int ossl_ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); |
374 | | int ossl_ec_GFp_simple_point_init(EC_POINT *); |
375 | | void ossl_ec_GFp_simple_point_finish(EC_POINT *); |
376 | | void ossl_ec_GFp_simple_point_clear_finish(EC_POINT *); |
377 | | int ossl_ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *); |
378 | | int ossl_ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); |
379 | | int ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, |
380 | | EC_POINT *, |
381 | | const BIGNUM *x, |
382 | | const BIGNUM *y, |
383 | | const BIGNUM *z, |
384 | | BN_CTX *); |
385 | | int ossl_ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, |
386 | | const EC_POINT *, |
387 | | BIGNUM *x, |
388 | | BIGNUM *y, BIGNUM *z, |
389 | | BN_CTX *); |
390 | | int ossl_ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *, |
391 | | const BIGNUM *x, |
392 | | const BIGNUM *y, BN_CTX *); |
393 | | int ossl_ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *, |
394 | | const EC_POINT *, BIGNUM *x, |
395 | | BIGNUM *y, BN_CTX *); |
396 | | int ossl_ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, |
397 | | const BIGNUM *x, int y_bit, |
398 | | BN_CTX *); |
399 | | size_t ossl_ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, |
400 | | point_conversion_form_t form, |
401 | | unsigned char *buf, size_t len, BN_CTX *); |
402 | | int ossl_ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *, |
403 | | const unsigned char *buf, size_t len, BN_CTX *); |
404 | | int ossl_ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
405 | | const EC_POINT *b, BN_CTX *); |
406 | | int ossl_ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
407 | | BN_CTX *); |
408 | | int ossl_ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); |
409 | | int ossl_ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); |
410 | | int ossl_ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); |
411 | | int ossl_ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, |
412 | | const EC_POINT *b, BN_CTX *); |
413 | | int ossl_ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); |
414 | | int ossl_ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, |
415 | | EC_POINT *[], BN_CTX *); |
416 | | int ossl_ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
417 | | const BIGNUM *b, BN_CTX *); |
418 | | int ossl_ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
419 | | BN_CTX *); |
420 | | int ossl_ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
421 | | BN_CTX *); |
422 | | int ossl_ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, |
423 | | BN_CTX *ctx); |
424 | | int ossl_ec_GFp_simple_ladder_pre(const EC_GROUP *group, |
425 | | EC_POINT *r, EC_POINT *s, |
426 | | EC_POINT *p, BN_CTX *ctx); |
427 | | int ossl_ec_GFp_simple_ladder_step(const EC_GROUP *group, |
428 | | EC_POINT *r, EC_POINT *s, |
429 | | EC_POINT *p, BN_CTX *ctx); |
430 | | int ossl_ec_GFp_simple_ladder_post(const EC_GROUP *group, |
431 | | EC_POINT *r, EC_POINT *s, |
432 | | EC_POINT *p, BN_CTX *ctx); |
433 | | |
434 | | /* method functions in ecp_mont.c */ |
435 | | int ossl_ec_GFp_mont_group_init(EC_GROUP *); |
436 | | int ossl_ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, |
437 | | const BIGNUM *a, |
438 | | const BIGNUM *b, BN_CTX *); |
439 | | void ossl_ec_GFp_mont_group_finish(EC_GROUP *); |
440 | | void ossl_ec_GFp_mont_group_clear_finish(EC_GROUP *); |
441 | | int ossl_ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *); |
442 | | int ossl_ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
443 | | const BIGNUM *b, BN_CTX *); |
444 | | int ossl_ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
445 | | BN_CTX *); |
446 | | int ossl_ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
447 | | BN_CTX *); |
448 | | int ossl_ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
449 | | BN_CTX *); |
450 | | int ossl_ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
451 | | BN_CTX *); |
452 | | int ossl_ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *); |
453 | | |
454 | | /* method functions in ecp_nist.c */ |
455 | | int ossl_ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src); |
456 | | int ossl_ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, |
457 | | const BIGNUM *a, const BIGNUM *b, BN_CTX *); |
458 | | int ossl_ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
459 | | const BIGNUM *b, BN_CTX *); |
460 | | int ossl_ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
461 | | BN_CTX *); |
462 | | |
463 | | /* method functions in ec2_smpl.c */ |
464 | | int ossl_ec_GF2m_simple_group_init(EC_GROUP *); |
465 | | void ossl_ec_GF2m_simple_group_finish(EC_GROUP *); |
466 | | void ossl_ec_GF2m_simple_group_clear_finish(EC_GROUP *); |
467 | | int ossl_ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *); |
468 | | int ossl_ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, |
469 | | const BIGNUM *a, const BIGNUM *b, |
470 | | BN_CTX *); |
471 | | int ossl_ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, |
472 | | BIGNUM *b, BN_CTX *); |
473 | | int ossl_ec_GF2m_simple_group_get_degree(const EC_GROUP *); |
474 | | int ossl_ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); |
475 | | int ossl_ec_GF2m_simple_point_init(EC_POINT *); |
476 | | void ossl_ec_GF2m_simple_point_finish(EC_POINT *); |
477 | | void ossl_ec_GF2m_simple_point_clear_finish(EC_POINT *); |
478 | | int ossl_ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *); |
479 | | int ossl_ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); |
480 | | int ossl_ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, |
481 | | EC_POINT *, |
482 | | const BIGNUM *x, |
483 | | const BIGNUM *y, BN_CTX *); |
484 | | int ossl_ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *, |
485 | | const EC_POINT *, BIGNUM *x, |
486 | | BIGNUM *y, BN_CTX *); |
487 | | int ossl_ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, |
488 | | const BIGNUM *x, int y_bit, |
489 | | BN_CTX *); |
490 | | size_t ossl_ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *, |
491 | | point_conversion_form_t form, |
492 | | unsigned char *buf, size_t len, BN_CTX *); |
493 | | int ossl_ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *, |
494 | | const unsigned char *buf, size_t len, BN_CTX *); |
495 | | int ossl_ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
496 | | const EC_POINT *b, BN_CTX *); |
497 | | int ossl_ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
498 | | BN_CTX *); |
499 | | int ossl_ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); |
500 | | int ossl_ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); |
501 | | int ossl_ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); |
502 | | int ossl_ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, |
503 | | const EC_POINT *b, BN_CTX *); |
504 | | int ossl_ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); |
505 | | int ossl_ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num, |
506 | | EC_POINT *[], BN_CTX *); |
507 | | int ossl_ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
508 | | const BIGNUM *b, BN_CTX *); |
509 | | int ossl_ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
510 | | BN_CTX *); |
511 | | int ossl_ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
512 | | const BIGNUM *b, BN_CTX *); |
513 | | |
514 | | #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 |
515 | | # ifdef B_ENDIAN |
516 | | # error "Can not enable ec_nistp_64_gcc_128 on big-endian systems" |
517 | | # endif |
518 | | |
519 | | /* method functions in ecp_nistp224.c */ |
520 | | int ossl_ec_GFp_nistp224_group_init(EC_GROUP *group); |
521 | | int ossl_ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, |
522 | | const BIGNUM *a, const BIGNUM *n, |
523 | | BN_CTX *); |
524 | | int ossl_ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, |
525 | | const EC_POINT *point, |
526 | | BIGNUM *x, BIGNUM *y, |
527 | | BN_CTX *ctx); |
528 | | int ossl_ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r, |
529 | | const BIGNUM *scalar, size_t num, |
530 | | const EC_POINT *points[], const BIGNUM *scalars[], |
531 | | BN_CTX *); |
532 | | int ossl_ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, |
533 | | const BIGNUM *scalar, size_t num, |
534 | | const EC_POINT *points[], |
535 | | const BIGNUM *scalars[], BN_CTX *ctx); |
536 | | int ossl_ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx); |
537 | | int ossl_ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group); |
538 | | |
539 | | /* method functions in ecp_nistp256.c */ |
540 | | int ossl_ec_GFp_nistp256_group_init(EC_GROUP *group); |
541 | | int ossl_ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, |
542 | | const BIGNUM *a, const BIGNUM *n, |
543 | | BN_CTX *); |
544 | | int ossl_ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group, |
545 | | const EC_POINT *point, |
546 | | BIGNUM *x, BIGNUM *y, |
547 | | BN_CTX *ctx); |
548 | | int ossl_ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r, |
549 | | const BIGNUM *scalar, size_t num, |
550 | | const EC_POINT *points[], const BIGNUM *scalars[], |
551 | | BN_CTX *); |
552 | | int ossl_ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, |
553 | | const BIGNUM *scalar, size_t num, |
554 | | const EC_POINT *points[], |
555 | | const BIGNUM *scalars[], BN_CTX *ctx); |
556 | | int ossl_ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx); |
557 | | int ossl_ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); |
558 | | |
559 | | /* method functions in ecp_nistp384.c */ |
560 | | int ossl_ec_GFp_nistp384_group_init(EC_GROUP *group); |
561 | | int ossl_ec_GFp_nistp384_group_set_curve(EC_GROUP *group, const BIGNUM *p, |
562 | | const BIGNUM *a, const BIGNUM *n, |
563 | | BN_CTX *); |
564 | | int ossl_ec_GFp_nistp384_point_get_affine_coordinates(const EC_GROUP *group, |
565 | | const EC_POINT *point, |
566 | | BIGNUM *x, BIGNUM *y, |
567 | | BN_CTX *ctx); |
568 | | int ossl_ec_GFp_nistp384_mul(const EC_GROUP *group, EC_POINT *r, |
569 | | const BIGNUM *scalar, size_t num, |
570 | | const EC_POINT *points[], const BIGNUM *scalars[], |
571 | | BN_CTX *); |
572 | | int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r, |
573 | | const BIGNUM *scalar, size_t num, |
574 | | const EC_POINT *points[], |
575 | | const BIGNUM *scalars[], BN_CTX *ctx); |
576 | | int ossl_ec_GFp_nistp384_precompute_mult(EC_GROUP *group, BN_CTX *ctx); |
577 | | int ossl_ec_GFp_nistp384_have_precompute_mult(const EC_GROUP *group); |
578 | | const EC_METHOD *ossl_ec_GFp_nistp384_method(void); |
579 | | |
580 | | /* method functions in ecp_nistp521.c */ |
581 | | int ossl_ec_GFp_nistp521_group_init(EC_GROUP *group); |
582 | | int ossl_ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, |
583 | | const BIGNUM *a, const BIGNUM *n, |
584 | | BN_CTX *); |
585 | | int ossl_ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group, |
586 | | const EC_POINT *point, |
587 | | BIGNUM *x, BIGNUM *y, |
588 | | BN_CTX *ctx); |
589 | | int ossl_ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r, |
590 | | const BIGNUM *scalar, size_t num, |
591 | | const EC_POINT *points[], const BIGNUM *scalars[], |
592 | | BN_CTX *); |
593 | | int ossl_ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, |
594 | | const BIGNUM *scalar, size_t num, |
595 | | const EC_POINT *points[], |
596 | | const BIGNUM *scalars[], BN_CTX *ctx); |
597 | | int ossl_ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx); |
598 | | int ossl_ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group); |
599 | | |
600 | | /* utility functions in ecp_nistputil.c */ |
601 | | void ossl_ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, |
602 | | size_t felem_size, |
603 | | void *tmp_felems, |
604 | | void (*felem_one) (void *out), |
605 | | int (*felem_is_zero) |
606 | | (const void *in), |
607 | | void (*felem_assign) |
608 | | (void *out, const void *in), |
609 | | void (*felem_square) |
610 | | (void *out, const void *in), |
611 | | void (*felem_mul) |
612 | | (void *out, |
613 | | const void *in1, |
614 | | const void *in2), |
615 | | void (*felem_inv) |
616 | | (void *out, const void *in), |
617 | | void (*felem_contract) |
618 | | (void *out, const void *in)); |
619 | | void ossl_ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, |
620 | | unsigned char *digit, |
621 | | unsigned char in); |
622 | | #endif |
623 | | int ossl_ec_group_simple_order_bits(const EC_GROUP *group); |
624 | | |
625 | | /** |
626 | | * Creates a new EC_GROUP object |
627 | | * \param libctx The associated library context or NULL for the default |
628 | | * library context |
629 | | * \param propq Any property query string |
630 | | * \param meth EC_METHOD to use |
631 | | * \return newly created EC_GROUP object or NULL in case of an error. |
632 | | */ |
633 | | EC_GROUP *ossl_ec_group_new_ex(OSSL_LIB_CTX *libctx, const char *propq, |
634 | | const EC_METHOD *meth); |
635 | | |
636 | | #ifdef ECP_NISTZ256_ASM |
637 | | /** Returns GFp methods using montgomery multiplication, with x86-64 optimized |
638 | | * P256. See http://eprint.iacr.org/2013/816. |
639 | | * \return EC_METHOD object |
640 | | */ |
641 | | const EC_METHOD *EC_GFp_nistz256_method(void); |
642 | | #endif |
643 | | #ifdef S390X_EC_ASM |
644 | | const EC_METHOD *EC_GFp_s390x_nistp256_method(void); |
645 | | const EC_METHOD *EC_GFp_s390x_nistp384_method(void); |
646 | | const EC_METHOD *EC_GFp_s390x_nistp521_method(void); |
647 | | #endif |
648 | | |
649 | | size_t ossl_ec_key_simple_priv2oct(const EC_KEY *eckey, |
650 | | unsigned char *buf, size_t len); |
651 | | int ossl_ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, |
652 | | size_t len); |
653 | | int ossl_ec_key_simple_generate_key(EC_KEY *eckey); |
654 | | int ossl_ec_key_simple_generate_public_key(EC_KEY *eckey); |
655 | | int ossl_ec_key_simple_check_key(const EC_KEY *eckey); |
656 | | |
657 | | #ifdef ECP_SM2P256_ASM |
658 | | /* Returns optimized methods for SM2 */ |
659 | | const EC_METHOD *EC_GFp_sm2p256_method(void); |
660 | | #endif |
661 | | |
662 | | int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx); |
663 | | |
664 | | /* EC_METHOD definitions */ |
665 | | |
666 | | struct ec_key_method_st { |
667 | | const char *name; |
668 | | int32_t flags; |
669 | | int (*init)(EC_KEY *key); |
670 | | void (*finish)(EC_KEY *key); |
671 | | int (*copy)(EC_KEY *dest, const EC_KEY *src); |
672 | | int (*set_group)(EC_KEY *key, const EC_GROUP *grp); |
673 | | int (*set_private)(EC_KEY *key, const BIGNUM *priv_key); |
674 | | int (*set_public)(EC_KEY *key, const EC_POINT *pub_key); |
675 | | int (*keygen)(EC_KEY *key); |
676 | | int (*compute_key)(unsigned char **pout, size_t *poutlen, |
677 | | const EC_POINT *pub_key, const EC_KEY *ecdh); |
678 | | int (*sign)(int type, const unsigned char *dgst, int dlen, unsigned char |
679 | | *sig, unsigned int *siglen, const BIGNUM *kinv, |
680 | | const BIGNUM *r, EC_KEY *eckey); |
681 | | int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, |
682 | | BIGNUM **rp); |
683 | | ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgst_len, |
684 | | const BIGNUM *in_kinv, const BIGNUM *in_r, |
685 | | EC_KEY *eckey); |
686 | | |
687 | | int (*verify)(int type, const unsigned char *dgst, int dgst_len, |
688 | | const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); |
689 | | int (*verify_sig)(const unsigned char *dgst, int dgst_len, |
690 | | const ECDSA_SIG *sig, EC_KEY *eckey); |
691 | | }; |
692 | | |
693 | 0 | #define EC_KEY_METHOD_DYNAMIC 1 |
694 | | |
695 | | EC_KEY *ossl_ec_key_new_method_int(OSSL_LIB_CTX *libctx, const char *propq, |
696 | | ENGINE *engine); |
697 | | |
698 | | int ossl_ec_key_gen(EC_KEY *eckey); |
699 | | int ossl_ecdh_compute_key(unsigned char **pout, size_t *poutlen, |
700 | | const EC_POINT *pub_key, const EC_KEY *ecdh); |
701 | | int ossl_ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, |
702 | | const EC_POINT *pub_key, const EC_KEY *ecdh); |
703 | | |
704 | | struct ECDSA_SIG_st { |
705 | | BIGNUM *r; |
706 | | BIGNUM *s; |
707 | | }; |
708 | | |
709 | | int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, |
710 | | BIGNUM **rp); |
711 | | int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, |
712 | | unsigned char *sig, unsigned int *siglen, |
713 | | const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey); |
714 | | ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, |
715 | | const BIGNUM *in_kinv, const BIGNUM *in_r, |
716 | | EC_KEY *eckey); |
717 | | int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, |
718 | | const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); |
719 | | int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, |
720 | | const ECDSA_SIG *sig, EC_KEY *eckey); |
721 | | int ossl_ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, |
722 | | BIGNUM **rp); |
723 | | ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, |
724 | | const BIGNUM *in_kinv, const BIGNUM *in_r, |
725 | | EC_KEY *eckey); |
726 | | int ossl_ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, |
727 | | const ECDSA_SIG *sig, EC_KEY *eckey); |
728 | | |
729 | | |
730 | | /*- |
731 | | * This functions computes a single point multiplication over the EC group, |
732 | | * using, at a high level, a Montgomery ladder with conditional swaps, with |
733 | | * various timing attack defenses. |
734 | | * |
735 | | * It performs either a fixed point multiplication |
736 | | * (scalar * generator) |
737 | | * when point is NULL, or a variable point multiplication |
738 | | * (scalar * point) |
739 | | * when point is not NULL. |
740 | | * |
741 | | * `scalar` cannot be NULL and should be in the range [0,n) otherwise all |
742 | | * constant time bets are off (where n is the cardinality of the EC group). |
743 | | * |
744 | | * This function expects `group->order` and `group->cardinality` to be well |
745 | | * defined and non-zero: it fails with an error code otherwise. |
746 | | * |
747 | | * NB: This says nothing about the constant-timeness of the ladder step |
748 | | * implementation (i.e., the default implementation is based on EC_POINT_add and |
749 | | * EC_POINT_dbl, which of course are not constant time themselves) or the |
750 | | * underlying multiprecision arithmetic. |
751 | | * |
752 | | * The product is stored in `r`. |
753 | | * |
754 | | * This is an internal function: callers are in charge of ensuring that the |
755 | | * input parameters `group`, `r`, `scalar` and `ctx` are not NULL. |
756 | | * |
757 | | * Returns 1 on success, 0 otherwise. |
758 | | */ |
759 | | int ossl_ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, |
760 | | const BIGNUM *scalar, const EC_POINT *point, |
761 | | BN_CTX *ctx); |
762 | | |
763 | | int ossl_ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, |
764 | | BN_CTX *ctx); |
765 | | |
766 | | static ossl_inline int ec_point_ladder_pre(const EC_GROUP *group, |
767 | | EC_POINT *r, EC_POINT *s, |
768 | | EC_POINT *p, BN_CTX *ctx) |
769 | 1.81k | { |
770 | 1.81k | if (group->meth->ladder_pre != NULL) |
771 | 1.81k | return group->meth->ladder_pre(group, r, s, p, ctx); |
772 | | |
773 | 0 | if (!EC_POINT_copy(s, p) |
774 | 0 | || !EC_POINT_dbl(group, r, s, ctx)) |
775 | 0 | return 0; |
776 | | |
777 | 0 | return 1; |
778 | 0 | } Unexecuted instantiation: curve25519.c:ec_point_ladder_pre Unexecuted instantiation: ec_ameth.c:ec_point_ladder_pre Unexecuted instantiation: ec_asn1.c:ec_point_ladder_pre Unexecuted instantiation: ec_backend.c:ec_point_ladder_pre Unexecuted instantiation: ec_check.c:ec_point_ladder_pre Unexecuted instantiation: ec_curve.c:ec_point_ladder_pre Unexecuted instantiation: ec_cvt.c:ec_point_ladder_pre Unexecuted instantiation: ec_key.c:ec_point_ladder_pre Unexecuted instantiation: ec_kmeth.c:ec_point_ladder_pre Unexecuted instantiation: ec_lib.c:ec_point_ladder_pre ec_mult.c:ec_point_ladder_pre Line | Count | Source | 769 | 1.81k | { | 770 | 1.81k | if (group->meth->ladder_pre != NULL) | 771 | 1.81k | return group->meth->ladder_pre(group, r, s, p, ctx); | 772 | | | 773 | 0 | if (!EC_POINT_copy(s, p) | 774 | 0 | || !EC_POINT_dbl(group, r, s, ctx)) | 775 | 0 | return 0; | 776 | | | 777 | 0 | return 1; | 778 | 0 | } |
Unexecuted instantiation: ec_oct.c:ec_point_ladder_pre Unexecuted instantiation: ec_pmeth.c:ec_point_ladder_pre Unexecuted instantiation: ecdh_kdf.c:ec_point_ladder_pre Unexecuted instantiation: ecdh_ossl.c:ec_point_ladder_pre Unexecuted instantiation: ecdsa_ossl.c:ec_point_ladder_pre Unexecuted instantiation: ecdsa_sign.c:ec_point_ladder_pre Unexecuted instantiation: ecdsa_vrf.c:ec_point_ladder_pre Unexecuted instantiation: ecp_mont.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nistp224.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nistp256.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nistp384.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nistp521.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nistputil.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nistz256.c:ec_point_ladder_pre Unexecuted instantiation: ecp_oct.c:ec_point_ladder_pre Unexecuted instantiation: ecp_smpl.c:ec_point_ladder_pre Unexecuted instantiation: ecx_meth.c:ec_point_ladder_pre Unexecuted instantiation: ec2_oct.c:ec_point_ladder_pre Unexecuted instantiation: ec2_smpl.c:ec_point_ladder_pre Unexecuted instantiation: ecp_nist.c:ec_point_ladder_pre |
779 | | |
780 | | static ossl_inline int ec_point_ladder_step(const EC_GROUP *group, |
781 | | EC_POINT *r, EC_POINT *s, |
782 | | EC_POINT *p, BN_CTX *ctx) |
783 | 406k | { |
784 | 406k | if (group->meth->ladder_step != NULL) |
785 | 406k | return group->meth->ladder_step(group, r, s, p, ctx); |
786 | | |
787 | 0 | if (!EC_POINT_add(group, s, r, s, ctx) |
788 | 0 | || !EC_POINT_dbl(group, r, r, ctx)) |
789 | 0 | return 0; |
790 | | |
791 | 0 | return 1; |
792 | |
|
793 | 0 | } Unexecuted instantiation: curve25519.c:ec_point_ladder_step Unexecuted instantiation: ec_ameth.c:ec_point_ladder_step Unexecuted instantiation: ec_asn1.c:ec_point_ladder_step Unexecuted instantiation: ec_backend.c:ec_point_ladder_step Unexecuted instantiation: ec_check.c:ec_point_ladder_step Unexecuted instantiation: ec_curve.c:ec_point_ladder_step Unexecuted instantiation: ec_cvt.c:ec_point_ladder_step Unexecuted instantiation: ec_key.c:ec_point_ladder_step Unexecuted instantiation: ec_kmeth.c:ec_point_ladder_step Unexecuted instantiation: ec_lib.c:ec_point_ladder_step ec_mult.c:ec_point_ladder_step Line | Count | Source | 783 | 406k | { | 784 | 406k | if (group->meth->ladder_step != NULL) | 785 | 406k | return group->meth->ladder_step(group, r, s, p, ctx); | 786 | | | 787 | 0 | if (!EC_POINT_add(group, s, r, s, ctx) | 788 | 0 | || !EC_POINT_dbl(group, r, r, ctx)) | 789 | 0 | return 0; | 790 | | | 791 | 0 | return 1; | 792 | |
| 793 | 0 | } |
Unexecuted instantiation: ec_oct.c:ec_point_ladder_step Unexecuted instantiation: ec_pmeth.c:ec_point_ladder_step Unexecuted instantiation: ecdh_kdf.c:ec_point_ladder_step Unexecuted instantiation: ecdh_ossl.c:ec_point_ladder_step Unexecuted instantiation: ecdsa_ossl.c:ec_point_ladder_step Unexecuted instantiation: ecdsa_sign.c:ec_point_ladder_step Unexecuted instantiation: ecdsa_vrf.c:ec_point_ladder_step Unexecuted instantiation: ecp_mont.c:ec_point_ladder_step Unexecuted instantiation: ecp_nistp224.c:ec_point_ladder_step Unexecuted instantiation: ecp_nistp256.c:ec_point_ladder_step Unexecuted instantiation: ecp_nistp384.c:ec_point_ladder_step Unexecuted instantiation: ecp_nistp521.c:ec_point_ladder_step Unexecuted instantiation: ecp_nistputil.c:ec_point_ladder_step Unexecuted instantiation: ecp_nistz256.c:ec_point_ladder_step Unexecuted instantiation: ecp_oct.c:ec_point_ladder_step Unexecuted instantiation: ecp_smpl.c:ec_point_ladder_step Unexecuted instantiation: ecx_meth.c:ec_point_ladder_step Unexecuted instantiation: ec2_oct.c:ec_point_ladder_step Unexecuted instantiation: ec2_smpl.c:ec_point_ladder_step Unexecuted instantiation: ecp_nist.c:ec_point_ladder_step |
794 | | |
795 | | static ossl_inline int ec_point_ladder_post(const EC_GROUP *group, |
796 | | EC_POINT *r, EC_POINT *s, |
797 | | EC_POINT *p, BN_CTX *ctx) |
798 | 1.81k | { |
799 | 1.81k | if (group->meth->ladder_post != NULL) |
800 | 1.81k | return group->meth->ladder_post(group, r, s, p, ctx); |
801 | | |
802 | 0 | return 1; |
803 | 1.81k | } Unexecuted instantiation: curve25519.c:ec_point_ladder_post Unexecuted instantiation: ec_ameth.c:ec_point_ladder_post Unexecuted instantiation: ec_asn1.c:ec_point_ladder_post Unexecuted instantiation: ec_backend.c:ec_point_ladder_post Unexecuted instantiation: ec_check.c:ec_point_ladder_post Unexecuted instantiation: ec_curve.c:ec_point_ladder_post Unexecuted instantiation: ec_cvt.c:ec_point_ladder_post Unexecuted instantiation: ec_key.c:ec_point_ladder_post Unexecuted instantiation: ec_kmeth.c:ec_point_ladder_post Unexecuted instantiation: ec_lib.c:ec_point_ladder_post ec_mult.c:ec_point_ladder_post Line | Count | Source | 798 | 1.81k | { | 799 | 1.81k | if (group->meth->ladder_post != NULL) | 800 | 1.81k | return group->meth->ladder_post(group, r, s, p, ctx); | 801 | | | 802 | 0 | return 1; | 803 | 1.81k | } |
Unexecuted instantiation: ec_oct.c:ec_point_ladder_post Unexecuted instantiation: ec_pmeth.c:ec_point_ladder_post Unexecuted instantiation: ecdh_kdf.c:ec_point_ladder_post Unexecuted instantiation: ecdh_ossl.c:ec_point_ladder_post Unexecuted instantiation: ecdsa_ossl.c:ec_point_ladder_post Unexecuted instantiation: ecdsa_sign.c:ec_point_ladder_post Unexecuted instantiation: ecdsa_vrf.c:ec_point_ladder_post Unexecuted instantiation: ecp_mont.c:ec_point_ladder_post Unexecuted instantiation: ecp_nistp224.c:ec_point_ladder_post Unexecuted instantiation: ecp_nistp256.c:ec_point_ladder_post Unexecuted instantiation: ecp_nistp384.c:ec_point_ladder_post Unexecuted instantiation: ecp_nistp521.c:ec_point_ladder_post Unexecuted instantiation: ecp_nistputil.c:ec_point_ladder_post Unexecuted instantiation: ecp_nistz256.c:ec_point_ladder_post Unexecuted instantiation: ecp_oct.c:ec_point_ladder_post Unexecuted instantiation: ecp_smpl.c:ec_point_ladder_post Unexecuted instantiation: ecx_meth.c:ec_point_ladder_post Unexecuted instantiation: ec2_oct.c:ec_point_ladder_post Unexecuted instantiation: ec2_smpl.c:ec_point_ladder_post Unexecuted instantiation: ecp_nist.c:ec_point_ladder_post |