| 1 | /* |
|---|---|
| 2 | * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved |
| 4 | * |
| 5 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
| 6 | * this file except in compliance with the License. You can obtain a copy |
| 7 | * in the file LICENSE in the source distribution or at |
| 8 | * https://www.openssl.org/source/license.html |
| 9 | */ |
| 10 | |
| 11 | #include <stdlib.h> |
| 12 | |
| 13 | #include <openssl/obj_mac.h> |
| 14 | #include <openssl/ec.h> |
| 15 | #include <openssl/bn.h> |
| 16 | #include "internal/refcount.h" |
| 17 | #include "crypto/ec.h" |
| 18 | |
| 19 | #if defined(__SUNPRO_C) |
| 20 | # if __SUNPRO_C >= 0x520 |
| 21 | # pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE) |
| 22 | # endif |
| 23 | #endif |
| 24 | |
| 25 | /* Use default functions for poin2oct, oct2point and compressed coordinates */ |
| 26 | #define EC_FLAGS_DEFAULT_OCT 0x1 |
| 27 | |
| 28 | /* Use custom formats for EC_GROUP, EC_POINT and EC_KEY */ |
| 29 | #define EC_FLAGS_CUSTOM_CURVE 0x2 |
| 30 | |
| 31 | /* Curve does not support signing operations */ |
| 32 | #define EC_FLAGS_NO_SIGN 0x4 |
| 33 | |
| 34 | /* |
| 35 | * Structure details are not part of the exported interface, so all this may |
| 36 | * change in future versions. |
| 37 | */ |
| 38 | |
| 39 | struct ec_method_st { |
| 40 | /* Various method flags */ |
| 41 | int flags; |
| 42 | /* used by EC_METHOD_get_field_type: */ |
| 43 | int field_type; /* a NID */ |
| 44 | /* |
| 45 | * used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, |
| 46 | * EC_GROUP_copy: |
| 47 | */ |
| 48 | int (*group_init) (EC_GROUP *); |
| 49 | void (*group_finish) (EC_GROUP *); |
| 50 | void (*group_clear_finish) (EC_GROUP *); |
| 51 | int (*group_copy) (EC_GROUP *, const EC_GROUP *); |
| 52 | /* used by EC_GROUP_set_curve, EC_GROUP_get_curve: */ |
| 53 | int (*group_set_curve) (EC_GROUP *, const BIGNUM *p, const BIGNUM *a, |
| 54 | const BIGNUM *b, BN_CTX *); |
| 55 | int (*group_get_curve) (const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, |
| 56 | BN_CTX *); |
| 57 | /* used by EC_GROUP_get_degree: */ |
| 58 | int (*group_get_degree) (const EC_GROUP *); |
| 59 | int (*group_order_bits) (const EC_GROUP *); |
| 60 | /* used by EC_GROUP_check: */ |
| 61 | int (*group_check_discriminant) (const EC_GROUP *, BN_CTX *); |
| 62 | /* |
| 63 | * used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, |
| 64 | * EC_POINT_copy: |
| 65 | */ |
| 66 | int (*point_init) (EC_POINT *); |
| 67 | void (*point_finish) (EC_POINT *); |
| 68 | void (*point_clear_finish) (EC_POINT *); |
| 69 | int (*point_copy) (EC_POINT *, const EC_POINT *); |
| 70 | /*- |
| 71 | * used by EC_POINT_set_to_infinity, |
| 72 | * EC_POINT_set_Jprojective_coordinates_GFp, |
| 73 | * EC_POINT_get_Jprojective_coordinates_GFp, |
| 74 | * EC_POINT_set_affine_coordinates, |
| 75 | * EC_POINT_get_affine_coordinates, |
| 76 | * EC_POINT_set_compressed_coordinates: |
| 77 | */ |
| 78 | int (*point_set_to_infinity) (const EC_GROUP *, EC_POINT *); |
| 79 | int (*point_set_Jprojective_coordinates_GFp) (const EC_GROUP *, |
| 80 | EC_POINT *, const BIGNUM *x, |
| 81 | const BIGNUM *y, |
| 82 | const BIGNUM *z, BN_CTX *); |
| 83 | int (*point_get_Jprojective_coordinates_GFp) (const EC_GROUP *, |
| 84 | const EC_POINT *, BIGNUM *x, |
| 85 | BIGNUM *y, BIGNUM *z, |
| 86 | BN_CTX *); |
| 87 | int (*point_set_affine_coordinates) (const EC_GROUP *, EC_POINT *, |
| 88 | const BIGNUM *x, const BIGNUM *y, |
| 89 | BN_CTX *); |
| 90 | int (*point_get_affine_coordinates) (const EC_GROUP *, const EC_POINT *, |
| 91 | BIGNUM *x, BIGNUM *y, BN_CTX *); |
| 92 | int (*point_set_compressed_coordinates) (const EC_GROUP *, EC_POINT *, |
| 93 | const BIGNUM *x, int y_bit, |
| 94 | BN_CTX *); |
| 95 | /* used by EC_POINT_point2oct, EC_POINT_oct2point: */ |
| 96 | size_t (*point2oct) (const EC_GROUP *, const EC_POINT *, |
| 97 | point_conversion_form_t form, unsigned char *buf, |
| 98 | size_t len, BN_CTX *); |
| 99 | int (*oct2point) (const EC_GROUP *, EC_POINT *, const unsigned char *buf, |
| 100 | size_t len, BN_CTX *); |
| 101 | /* used by EC_POINT_add, EC_POINT_dbl, ECP_POINT_invert: */ |
| 102 | int (*add) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
| 103 | const EC_POINT *b, BN_CTX *); |
| 104 | int (*dbl) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *); |
| 105 | int (*invert) (const EC_GROUP *, EC_POINT *, BN_CTX *); |
| 106 | /* |
| 107 | * used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp: |
| 108 | */ |
| 109 | int (*is_at_infinity) (const EC_GROUP *, const EC_POINT *); |
| 110 | int (*is_on_curve) (const EC_GROUP *, const EC_POINT *, BN_CTX *); |
| 111 | int (*point_cmp) (const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, |
| 112 | BN_CTX *); |
| 113 | /* used by EC_POINT_make_affine, EC_POINTs_make_affine: */ |
| 114 | int (*make_affine) (const EC_GROUP *, EC_POINT *, BN_CTX *); |
| 115 | int (*points_make_affine) (const EC_GROUP *, size_t num, EC_POINT *[], |
| 116 | BN_CTX *); |
| 117 | /* |
| 118 | * used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, |
| 119 | * EC_POINT_have_precompute_mult (default implementations are used if the |
| 120 | * 'mul' pointer is 0): |
| 121 | */ |
| 122 | /*- |
| 123 | * mul() calculates the value |
| 124 | * |
| 125 | * r := generator * scalar |
| 126 | * + points[0] * scalars[0] |
| 127 | * + ... |
| 128 | * + points[num-1] * scalars[num-1]. |
| 129 | * |
| 130 | * For a fixed point multiplication (scalar != NULL, num == 0) |
| 131 | * or a variable point multiplication (scalar == NULL, num == 1), |
| 132 | * mul() must use a constant time algorithm: in both cases callers |
| 133 | * should provide an input scalar (either scalar or scalars[0]) |
| 134 | * in the range [0, ec_group_order); for robustness, implementers |
| 135 | * should handle the case when the scalar has not been reduced, but |
| 136 | * may treat it as an unusual input, without any constant-timeness |
| 137 | * guarantee. |
| 138 | */ |
| 139 | int (*mul) (const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, |
| 140 | size_t num, const EC_POINT *points[], const BIGNUM *scalars[], |
| 141 | BN_CTX *); |
| 142 | int (*precompute_mult) (EC_GROUP *group, BN_CTX *); |
| 143 | int (*have_precompute_mult) (const EC_GROUP *group); |
| 144 | /* internal functions */ |
| 145 | /* |
| 146 | * 'field_mul', 'field_sqr', and 'field_div' can be used by 'add' and |
| 147 | * 'dbl' so that the same implementations of point operations can be used |
| 148 | * with different optimized implementations of expensive field |
| 149 | * operations: |
| 150 | */ |
| 151 | int (*field_mul) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 152 | const BIGNUM *b, BN_CTX *); |
| 153 | int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); |
| 154 | int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 155 | const BIGNUM *b, BN_CTX *); |
| 156 | /*- |
| 157 | * 'field_inv' computes the multiplicative inverse of a in the field, |
| 158 | * storing the result in r. |
| 159 | * |
| 160 | * If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error. |
| 161 | */ |
| 162 | int (*field_inv) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); |
| 163 | /* e.g. to Montgomery */ |
| 164 | int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 165 | BN_CTX *); |
| 166 | /* e.g. from Montgomery */ |
| 167 | int (*field_decode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 168 | BN_CTX *); |
| 169 | int (*field_set_to_one) (const EC_GROUP *, BIGNUM *r, BN_CTX *); |
| 170 | /* private key operations */ |
| 171 | size_t (*priv2oct)(const EC_KEY *eckey, unsigned char *buf, size_t len); |
| 172 | int (*oct2priv)(EC_KEY *eckey, const unsigned char *buf, size_t len); |
| 173 | int (*set_private)(EC_KEY *eckey, const BIGNUM *priv_key); |
| 174 | int (*keygen)(EC_KEY *eckey); |
| 175 | int (*keycheck)(const EC_KEY *eckey); |
| 176 | int (*keygenpub)(EC_KEY *eckey); |
| 177 | int (*keycopy)(EC_KEY *dst, const EC_KEY *src); |
| 178 | void (*keyfinish)(EC_KEY *eckey); |
| 179 | /* custom ECDH operation */ |
| 180 | int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen, |
| 181 | const EC_POINT *pub_key, const EC_KEY *ecdh); |
| 182 | /* custom ECDSA */ |
| 183 | int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinvp, |
| 184 | BIGNUM **rp); |
| 185 | ECDSA_SIG *(*ecdsa_sign_sig)(const unsigned char *dgst, int dgstlen, |
| 186 | const BIGNUM *kinv, const BIGNUM *r, |
| 187 | EC_KEY *eckey); |
| 188 | int (*ecdsa_verify_sig)(const unsigned char *dgst, int dgstlen, |
| 189 | const ECDSA_SIG *sig, EC_KEY *eckey); |
| 190 | /* Inverse modulo order */ |
| 191 | int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r, |
| 192 | const BIGNUM *x, BN_CTX *); |
| 193 | int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); |
| 194 | int (*ladder_pre)(const EC_GROUP *group, |
| 195 | EC_POINT *r, EC_POINT *s, |
| 196 | EC_POINT *p, BN_CTX *ctx); |
| 197 | int (*ladder_step)(const EC_GROUP *group, |
| 198 | EC_POINT *r, EC_POINT *s, |
| 199 | EC_POINT *p, BN_CTX *ctx); |
| 200 | int (*ladder_post)(const EC_GROUP *group, |
| 201 | EC_POINT *r, EC_POINT *s, |
| 202 | EC_POINT *p, BN_CTX *ctx); |
| 203 | }; |
| 204 | |
| 205 | /* |
| 206 | * Types and functions to manipulate pre-computed values. |
| 207 | */ |
| 208 | typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP; |
| 209 | typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP; |
| 210 | typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP; |
| 211 | typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP; |
| 212 | typedef struct ec_pre_comp_st EC_PRE_COMP; |
| 213 | |
| 214 | struct ec_group_st { |
| 215 | const EC_METHOD *meth; |
| 216 | EC_POINT *generator; /* optional */ |
| 217 | BIGNUM *order, *cofactor; |
| 218 | int curve_name; /* optional NID for named curve */ |
| 219 | int asn1_flag; /* flag to control the asn1 encoding */ |
| 220 | point_conversion_form_t asn1_form; |
| 221 | unsigned char *seed; /* optional seed for parameters (appears in |
| 222 | * ASN1) */ |
| 223 | size_t seed_len; |
| 224 | /* |
| 225 | * The following members are handled by the method functions, even if |
| 226 | * they appear generic |
| 227 | */ |
| 228 | /* |
| 229 | * Field specification. For curves over GF(p), this is the modulus; for |
| 230 | * curves over GF(2^m), this is the irreducible polynomial defining the |
| 231 | * field. |
| 232 | */ |
| 233 | BIGNUM *field; |
| 234 | /* |
| 235 | * Field specification for curves over GF(2^m). The irreducible f(t) is |
| 236 | * then of the form: t^poly[0] + t^poly[1] + ... + t^poly[k] where m = |
| 237 | * poly[0] > poly[1] > ... > poly[k] = 0. The array is terminated with |
| 238 | * poly[k+1]=-1. All elliptic curve irreducibles have at most 5 non-zero |
| 239 | * terms. |
| 240 | */ |
| 241 | int poly[6]; |
| 242 | /* |
| 243 | * Curve coefficients. (Here the assumption is that BIGNUMs can be used |
| 244 | * or abused for all kinds of fields, not just GF(p).) For characteristic |
| 245 | * > 3, the curve is defined by a Weierstrass equation of the form y^2 = |
| 246 | * x^3 + a*x + b. For characteristic 2, the curve is defined by an |
| 247 | * equation of the form y^2 + x*y = x^3 + a*x^2 + b. |
| 248 | */ |
| 249 | BIGNUM *a, *b; |
| 250 | /* enable optimized point arithmetics for special case */ |
| 251 | int a_is_minus3; |
| 252 | /* method-specific (e.g., Montgomery structure) */ |
| 253 | void *field_data1; |
| 254 | /* method-specific */ |
| 255 | void *field_data2; |
| 256 | /* method-specific */ |
| 257 | int (*field_mod_func) (BIGNUM *, const BIGNUM *, const BIGNUM *, |
| 258 | BN_CTX *); |
| 259 | /* data for ECDSA inverse */ |
| 260 | BN_MONT_CTX *mont_data; |
| 261 | |
| 262 | /* |
| 263 | * Precomputed values for speed. The PCT_xxx names match the |
| 264 | * pre_comp.xxx union names; see the SETPRECOMP and HAVEPRECOMP |
| 265 | * macros, below. |
| 266 | */ |
| 267 | enum { |
| 268 | PCT_none, |
| 269 | PCT_nistp224, PCT_nistp256, PCT_nistp521, PCT_nistz256, |
| 270 | PCT_ec |
| 271 | } pre_comp_type; |
| 272 | union { |
| 273 | NISTP224_PRE_COMP *nistp224; |
| 274 | NISTP256_PRE_COMP *nistp256; |
| 275 | NISTP521_PRE_COMP *nistp521; |
| 276 | NISTZ256_PRE_COMP *nistz256; |
| 277 | EC_PRE_COMP *ec; |
| 278 | } pre_comp; |
| 279 | |
| 280 | OPENSSL_CTX *libctx; |
| 281 | }; |
| 282 | |
| 283 | #define SETPRECOMP(g, type, pre) \ |
| 284 | g->pre_comp_type = PCT_##type, g->pre_comp.type = pre |
| 285 | #define HAVEPRECOMP(g, type) \ |
| 286 | g->pre_comp_type == PCT_##type && g->pre_comp.type != NULL |
| 287 | |
| 288 | struct ec_key_st { |
| 289 | const EC_KEY_METHOD *meth; |
| 290 | ENGINE *engine; |
| 291 | int version; |
| 292 | EC_GROUP *group; |
| 293 | EC_POINT *pub_key; |
| 294 | BIGNUM *priv_key; |
| 295 | unsigned int enc_flag; |
| 296 | point_conversion_form_t conv_form; |
| 297 | CRYPTO_REF_COUNT references; |
| 298 | int flags; |
| 299 | #ifndef FIPS_MODE |
| 300 | CRYPTO_EX_DATA ex_data; |
| 301 | #endif |
| 302 | CRYPTO_RWLOCK *lock; |
| 303 | OPENSSL_CTX *libctx; |
| 304 | }; |
| 305 | |
| 306 | struct ec_point_st { |
| 307 | const EC_METHOD *meth; |
| 308 | /* NID for the curve if known */ |
| 309 | int curve_name; |
| 310 | /* |
| 311 | * All members except 'meth' are handled by the method functions, even if |
| 312 | * they appear generic |
| 313 | */ |
| 314 | BIGNUM *X; |
| 315 | BIGNUM *Y; |
| 316 | BIGNUM *Z; /* Jacobian projective coordinates: * (X, Y, |
| 317 | * Z) represents (X/Z^2, Y/Z^3) if Z != 0 */ |
| 318 | int Z_is_one; /* enable optimized point arithmetics for |
| 319 | * special case */ |
| 320 | }; |
| 321 | |
| 322 | static ossl_inline int ec_point_is_compat(const EC_POINT *point, |
| 323 | const EC_GROUP *group) |
| 324 | { |
| 325 | return group->meth == point->meth |
| 326 | && (group->curve_name == 0 |
| 327 | || point->curve_name == 0 |
| 328 | || group->curve_name == point->curve_name); |
| 329 | } |
| 330 | |
| 331 | NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *); |
| 332 | NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); |
| 333 | NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *); |
| 334 | NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *); |
| 335 | NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); |
| 336 | EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_COMP *); |
| 337 | |
| 338 | void EC_pre_comp_free(EC_GROUP *group); |
| 339 | void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *); |
| 340 | void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *); |
| 341 | void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *); |
| 342 | void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *); |
| 343 | void EC_ec_pre_comp_free(EC_PRE_COMP *); |
| 344 | |
| 345 | /* |
| 346 | * method functions in ec_mult.c (ec_lib.c uses these as defaults if |
| 347 | * group->method->mul is 0) |
| 348 | */ |
| 349 | int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, |
| 350 | size_t num, const EC_POINT *points[], const BIGNUM *scalars[], |
| 351 | BN_CTX *); |
| 352 | int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *); |
| 353 | int ec_wNAF_have_precompute_mult(const EC_GROUP *group); |
| 354 | |
| 355 | /* method functions in ecp_smpl.c */ |
| 356 | int ec_GFp_simple_group_init(EC_GROUP *); |
| 357 | void ec_GFp_simple_group_finish(EC_GROUP *); |
| 358 | void ec_GFp_simple_group_clear_finish(EC_GROUP *); |
| 359 | int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *); |
| 360 | int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, |
| 361 | const BIGNUM *a, const BIGNUM *b, BN_CTX *); |
| 362 | int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, |
| 363 | BIGNUM *b, BN_CTX *); |
| 364 | int ec_GFp_simple_group_get_degree(const EC_GROUP *); |
| 365 | int ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); |
| 366 | int ec_GFp_simple_point_init(EC_POINT *); |
| 367 | void ec_GFp_simple_point_finish(EC_POINT *); |
| 368 | void ec_GFp_simple_point_clear_finish(EC_POINT *); |
| 369 | int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *); |
| 370 | int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); |
| 371 | int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, |
| 372 | EC_POINT *, const BIGNUM *x, |
| 373 | const BIGNUM *y, |
| 374 | const BIGNUM *z, BN_CTX *); |
| 375 | int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, |
| 376 | const EC_POINT *, BIGNUM *x, |
| 377 | BIGNUM *y, BIGNUM *z, |
| 378 | BN_CTX *); |
| 379 | int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *, |
| 380 | const BIGNUM *x, |
| 381 | const BIGNUM *y, BN_CTX *); |
| 382 | int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *, |
| 383 | const EC_POINT *, BIGNUM *x, |
| 384 | BIGNUM *y, BN_CTX *); |
| 385 | int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, |
| 386 | const BIGNUM *x, int y_bit, |
| 387 | BN_CTX *); |
| 388 | size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, |
| 389 | point_conversion_form_t form, |
| 390 | unsigned char *buf, size_t len, BN_CTX *); |
| 391 | int ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *, |
| 392 | const unsigned char *buf, size_t len, BN_CTX *); |
| 393 | int ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
| 394 | const EC_POINT *b, BN_CTX *); |
| 395 | int ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
| 396 | BN_CTX *); |
| 397 | int ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); |
| 398 | int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); |
| 399 | int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); |
| 400 | int ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, |
| 401 | BN_CTX *); |
| 402 | int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); |
| 403 | int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, |
| 404 | EC_POINT *[], BN_CTX *); |
| 405 | int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 406 | const BIGNUM *b, BN_CTX *); |
| 407 | int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 408 | BN_CTX *); |
| 409 | int ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 410 | BN_CTX *); |
| 411 | int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, |
| 412 | BN_CTX *ctx); |
| 413 | int ec_GFp_simple_ladder_pre(const EC_GROUP *group, |
| 414 | EC_POINT *r, EC_POINT *s, |
| 415 | EC_POINT *p, BN_CTX *ctx); |
| 416 | int ec_GFp_simple_ladder_step(const EC_GROUP *group, |
| 417 | EC_POINT *r, EC_POINT *s, |
| 418 | EC_POINT *p, BN_CTX *ctx); |
| 419 | int ec_GFp_simple_ladder_post(const EC_GROUP *group, |
| 420 | EC_POINT *r, EC_POINT *s, |
| 421 | EC_POINT *p, BN_CTX *ctx); |
| 422 | |
| 423 | /* method functions in ecp_mont.c */ |
| 424 | int ec_GFp_mont_group_init(EC_GROUP *); |
| 425 | int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, |
| 426 | const BIGNUM *b, BN_CTX *); |
| 427 | void ec_GFp_mont_group_finish(EC_GROUP *); |
| 428 | void ec_GFp_mont_group_clear_finish(EC_GROUP *); |
| 429 | int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *); |
| 430 | int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 431 | const BIGNUM *b, BN_CTX *); |
| 432 | int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 433 | BN_CTX *); |
| 434 | int ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 435 | BN_CTX *); |
| 436 | int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 437 | BN_CTX *); |
| 438 | int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 439 | BN_CTX *); |
| 440 | int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *); |
| 441 | |
| 442 | /* method functions in ecp_nist.c */ |
| 443 | int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src); |
| 444 | int ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, |
| 445 | const BIGNUM *b, BN_CTX *); |
| 446 | int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 447 | const BIGNUM *b, BN_CTX *); |
| 448 | int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 449 | BN_CTX *); |
| 450 | |
| 451 | /* method functions in ec2_smpl.c */ |
| 452 | int ec_GF2m_simple_group_init(EC_GROUP *); |
| 453 | void ec_GF2m_simple_group_finish(EC_GROUP *); |
| 454 | void ec_GF2m_simple_group_clear_finish(EC_GROUP *); |
| 455 | int ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *); |
| 456 | int ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, |
| 457 | const BIGNUM *a, const BIGNUM *b, |
| 458 | BN_CTX *); |
| 459 | int ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, |
| 460 | BIGNUM *b, BN_CTX *); |
| 461 | int ec_GF2m_simple_group_get_degree(const EC_GROUP *); |
| 462 | int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); |
| 463 | int ec_GF2m_simple_point_init(EC_POINT *); |
| 464 | void ec_GF2m_simple_point_finish(EC_POINT *); |
| 465 | void ec_GF2m_simple_point_clear_finish(EC_POINT *); |
| 466 | int ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *); |
| 467 | int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); |
| 468 | int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *, |
| 469 | const BIGNUM *x, |
| 470 | const BIGNUM *y, BN_CTX *); |
| 471 | int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *, |
| 472 | const EC_POINT *, BIGNUM *x, |
| 473 | BIGNUM *y, BN_CTX *); |
| 474 | int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, |
| 475 | const BIGNUM *x, int y_bit, |
| 476 | BN_CTX *); |
| 477 | size_t ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *, |
| 478 | point_conversion_form_t form, |
| 479 | unsigned char *buf, size_t len, BN_CTX *); |
| 480 | int ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *, |
| 481 | const unsigned char *buf, size_t len, BN_CTX *); |
| 482 | int ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
| 483 | const EC_POINT *b, BN_CTX *); |
| 484 | int ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, |
| 485 | BN_CTX *); |
| 486 | int ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); |
| 487 | int ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); |
| 488 | int ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); |
| 489 | int ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, |
| 490 | BN_CTX *); |
| 491 | int ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); |
| 492 | int ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num, |
| 493 | EC_POINT *[], BN_CTX *); |
| 494 | int ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 495 | const BIGNUM *b, BN_CTX *); |
| 496 | int ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 497 | BN_CTX *); |
| 498 | int ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, |
| 499 | const BIGNUM *b, BN_CTX *); |
| 500 | |
| 501 | #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 |
| 502 | /* method functions in ecp_nistp224.c */ |
| 503 | int ec_GFp_nistp224_group_init(EC_GROUP *group); |
| 504 | int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, |
| 505 | const BIGNUM *a, const BIGNUM *n, |
| 506 | BN_CTX *); |
| 507 | int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, |
| 508 | const EC_POINT *point, |
| 509 | BIGNUM *x, BIGNUM *y, |
| 510 | BN_CTX *ctx); |
| 511 | int ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r, |
| 512 | const BIGNUM *scalar, size_t num, |
| 513 | const EC_POINT *points[], const BIGNUM *scalars[], |
| 514 | BN_CTX *); |
| 515 | int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, |
| 516 | const BIGNUM *scalar, size_t num, |
| 517 | const EC_POINT *points[], |
| 518 | const BIGNUM *scalars[], BN_CTX *ctx); |
| 519 | int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx); |
| 520 | int ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group); |
| 521 | |
| 522 | /* method functions in ecp_nistp256.c */ |
| 523 | int ec_GFp_nistp256_group_init(EC_GROUP *group); |
| 524 | int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, |
| 525 | const BIGNUM *a, const BIGNUM *n, |
| 526 | BN_CTX *); |
| 527 | int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group, |
| 528 | const EC_POINT *point, |
| 529 | BIGNUM *x, BIGNUM *y, |
| 530 | BN_CTX *ctx); |
| 531 | int ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r, |
| 532 | const BIGNUM *scalar, size_t num, |
| 533 | const EC_POINT *points[], const BIGNUM *scalars[], |
| 534 | BN_CTX *); |
| 535 | int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, |
| 536 | const BIGNUM *scalar, size_t num, |
| 537 | const EC_POINT *points[], |
| 538 | const BIGNUM *scalars[], BN_CTX *ctx); |
| 539 | int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx); |
| 540 | int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); |
| 541 | |
| 542 | /* method functions in ecp_nistp521.c */ |
| 543 | int ec_GFp_nistp521_group_init(EC_GROUP *group); |
| 544 | int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, |
| 545 | const BIGNUM *a, const BIGNUM *n, |
| 546 | BN_CTX *); |
| 547 | int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group, |
| 548 | const EC_POINT *point, |
| 549 | BIGNUM *x, BIGNUM *y, |
| 550 | BN_CTX *ctx); |
| 551 | int ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r, |
| 552 | const BIGNUM *scalar, size_t num, |
| 553 | const EC_POINT *points[], const BIGNUM *scalars[], |
| 554 | BN_CTX *); |
| 555 | int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, |
| 556 | const BIGNUM *scalar, size_t num, |
| 557 | const EC_POINT *points[], |
| 558 | const BIGNUM *scalars[], BN_CTX *ctx); |
| 559 | int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx); |
| 560 | int ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group); |
| 561 | |
| 562 | /* utility functions in ecp_nistputil.c */ |
| 563 | void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, |
| 564 | size_t felem_size, |
| 565 | void *tmp_felems, |
| 566 | void (*felem_one) (void *out), |
| 567 | int (*felem_is_zero) (const void |
| 568 | *in), |
| 569 | void (*felem_assign) (void *out, |
| 570 | const void |
| 571 | *in), |
| 572 | void (*felem_square) (void *out, |
| 573 | const void |
| 574 | *in), |
| 575 | void (*felem_mul) (void *out, |
| 576 | const void |
| 577 | *in1, |
| 578 | const void |
| 579 | *in2), |
| 580 | void (*felem_inv) (void *out, |
| 581 | const void |
| 582 | *in), |
| 583 | void (*felem_contract) (void |
| 584 | *out, |
| 585 | const |
| 586 | void |
| 587 | *in)); |
| 588 | void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, |
| 589 | unsigned char *digit, unsigned char in); |
| 590 | #endif |
| 591 | int ec_group_simple_order_bits(const EC_GROUP *group); |
| 592 | |
| 593 | #ifdef ECP_NISTZ256_ASM |
| 594 | /** Returns GFp methods using montgomery multiplication, with x86-64 optimized |
| 595 | * P256. See http://eprint.iacr.org/2013/816. |
| 596 | * \return EC_METHOD object |
| 597 | */ |
| 598 | const EC_METHOD *EC_GFp_nistz256_method(void); |
| 599 | #endif |
| 600 | #ifdef S390X_EC_ASM |
| 601 | const EC_METHOD *EC_GFp_s390x_nistp256_method(void); |
| 602 | const EC_METHOD *EC_GFp_s390x_nistp384_method(void); |
| 603 | const EC_METHOD *EC_GFp_s390x_nistp521_method(void); |
| 604 | #endif |
| 605 | |
| 606 | size_t ec_key_simple_priv2oct(const EC_KEY *eckey, |
| 607 | unsigned char *buf, size_t len); |
| 608 | int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len); |
| 609 | int ec_key_simple_generate_key(EC_KEY *eckey); |
| 610 | int ec_key_simple_generate_public_key(EC_KEY *eckey); |
| 611 | int ec_key_simple_check_key(const EC_KEY *eckey); |
| 612 | |
| 613 | int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx); |
| 614 | |
| 615 | /* EC_METHOD definitions */ |
| 616 | |
| 617 | struct ec_key_method_st { |
| 618 | const char *name; |
| 619 | int32_t flags; |
| 620 | int (*init)(EC_KEY *key); |
| 621 | void (*finish)(EC_KEY *key); |
| 622 | int (*copy)(EC_KEY *dest, const EC_KEY *src); |
| 623 | int (*set_group)(EC_KEY *key, const EC_GROUP *grp); |
| 624 | int (*set_private)(EC_KEY *key, const BIGNUM *priv_key); |
| 625 | int (*set_public)(EC_KEY *key, const EC_POINT *pub_key); |
| 626 | int (*keygen)(EC_KEY *key); |
| 627 | int (*compute_key)(unsigned char **pout, size_t *poutlen, |
| 628 | const EC_POINT *pub_key, const EC_KEY *ecdh); |
| 629 | int (*sign)(int type, const unsigned char *dgst, int dlen, unsigned char |
| 630 | *sig, unsigned int *siglen, const BIGNUM *kinv, |
| 631 | const BIGNUM *r, EC_KEY *eckey); |
| 632 | int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, |
| 633 | BIGNUM **rp); |
| 634 | ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgst_len, |
| 635 | const BIGNUM *in_kinv, const BIGNUM *in_r, |
| 636 | EC_KEY *eckey); |
| 637 | |
| 638 | int (*verify)(int type, const unsigned char *dgst, int dgst_len, |
| 639 | const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); |
| 640 | int (*verify_sig)(const unsigned char *dgst, int dgst_len, |
| 641 | const ECDSA_SIG *sig, EC_KEY *eckey); |
| 642 | }; |
| 643 | |
| 644 | #define EC_KEY_METHOD_DYNAMIC 1 |
| 645 | |
| 646 | EC_KEY *ec_key_new_method_int(OPENSSL_CTX *libctx, ENGINE *engine); |
| 647 | |
| 648 | int ossl_ec_key_gen(EC_KEY *eckey); |
| 649 | int ossl_ecdh_compute_key(unsigned char **pout, size_t *poutlen, |
| 650 | const EC_POINT *pub_key, const EC_KEY *ecdh); |
| 651 | int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, |
| 652 | const EC_POINT *pub_key, const EC_KEY *ecdh); |
| 653 | |
| 654 | struct ECDSA_SIG_st { |
| 655 | BIGNUM *r; |
| 656 | BIGNUM *s; |
| 657 | }; |
| 658 | |
| 659 | int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, |
| 660 | BIGNUM **rp); |
| 661 | int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, |
| 662 | unsigned char *sig, unsigned int *siglen, |
| 663 | const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey); |
| 664 | ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, |
| 665 | const BIGNUM *in_kinv, const BIGNUM *in_r, |
| 666 | EC_KEY *eckey); |
| 667 | int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, |
| 668 | const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); |
| 669 | int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, |
| 670 | const ECDSA_SIG *sig, EC_KEY *eckey); |
| 671 | int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, |
| 672 | BIGNUM **rp); |
| 673 | ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, |
| 674 | const BIGNUM *in_kinv, const BIGNUM *in_r, |
| 675 | EC_KEY *eckey); |
| 676 | int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, |
| 677 | const ECDSA_SIG *sig, EC_KEY *eckey); |
| 678 | |
| 679 | int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, |
| 680 | const uint8_t public_key[32], const uint8_t private_key[32]); |
| 681 | int ED25519_verify(const uint8_t *message, size_t message_len, |
| 682 | const uint8_t signature[64], const uint8_t public_key[32]); |
| 683 | void ED25519_public_from_private(uint8_t out_public_key[32], |
| 684 | const uint8_t private_key[32]); |
| 685 | |
| 686 | int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32], |
| 687 | const uint8_t peer_public_value[32]); |
| 688 | void X25519_public_from_private(uint8_t out_public_value[32], |
| 689 | const uint8_t private_key[32]); |
| 690 | |
| 691 | /*- |
| 692 | * This functions computes a single point multiplication over the EC group, |
| 693 | * using, at a high level, a Montgomery ladder with conditional swaps, with |
| 694 | * various timing attack defenses. |
| 695 | * |
| 696 | * It performs either a fixed point multiplication |
| 697 | * (scalar * generator) |
| 698 | * when point is NULL, or a variable point multiplication |
| 699 | * (scalar * point) |
| 700 | * when point is not NULL. |
| 701 | * |
| 702 | * `scalar` cannot be NULL and should be in the range [0,n) otherwise all |
| 703 | * constant time bets are off (where n is the cardinality of the EC group). |
| 704 | * |
| 705 | * This function expects `group->order` and `group->cardinality` to be well |
| 706 | * defined and non-zero: it fails with an error code otherwise. |
| 707 | * |
| 708 | * NB: This says nothing about the constant-timeness of the ladder step |
| 709 | * implementation (i.e., the default implementation is based on EC_POINT_add and |
| 710 | * EC_POINT_dbl, which of course are not constant time themselves) or the |
| 711 | * underlying multiprecision arithmetic. |
| 712 | * |
| 713 | * The product is stored in `r`. |
| 714 | * |
| 715 | * This is an internal function: callers are in charge of ensuring that the |
| 716 | * input parameters `group`, `r`, `scalar` and `ctx` are not NULL. |
| 717 | * |
| 718 | * Returns 1 on success, 0 otherwise. |
| 719 | */ |
| 720 | int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, |
| 721 | const BIGNUM *scalar, const EC_POINT *point, |
| 722 | BN_CTX *ctx); |
| 723 | |
| 724 | int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); |
| 725 | |
| 726 | static ossl_inline int ec_point_ladder_pre(const EC_GROUP *group, |
| 727 | EC_POINT *r, EC_POINT *s, |
| 728 | EC_POINT *p, BN_CTX *ctx) |
| 729 | { |
| 730 | if (group->meth->ladder_pre != NULL) |
| 731 | return group->meth->ladder_pre(group, r, s, p, ctx); |
| 732 | |
| 733 | if (!EC_POINT_copy(s, p) |
| 734 | || !EC_POINT_dbl(group, r, s, ctx)) |
| 735 | return 0; |
| 736 | |
| 737 | return 1; |
| 738 | } |
| 739 | |
| 740 | static ossl_inline int ec_point_ladder_step(const EC_GROUP *group, |
| 741 | EC_POINT *r, EC_POINT *s, |
| 742 | EC_POINT *p, BN_CTX *ctx) |
| 743 | { |
| 744 | if (group->meth->ladder_step != NULL) |
| 745 | return group->meth->ladder_step(group, r, s, p, ctx); |
| 746 | |
| 747 | if (!EC_POINT_add(group, s, r, s, ctx) |
| 748 | || !EC_POINT_dbl(group, r, r, ctx)) |
| 749 | return 0; |
| 750 | |
| 751 | return 1; |
| 752 | |
| 753 | } |
| 754 | |
| 755 | static ossl_inline int ec_point_ladder_post(const EC_GROUP *group, |
| 756 | EC_POINT *r, EC_POINT *s, |
| 757 | EC_POINT *p, BN_CTX *ctx) |
| 758 | { |
| 759 | if (group->meth->ladder_post != NULL) |
| 760 | return group->meth->ladder_post(group, r, s, p, ctx); |
| 761 | |
| 762 | return 1; |
| 763 | } |
| 764 |
Generated while processing ClickHouse/contrib/openssl/crypto/ec/curve25519.c
Generated on 2020-Jan-04 from project ClickHouse revision 19.17.6
Powered by 
Code Browser 2.1
Generator usage only permitted with license.