Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1 | /* Originally written by Bodo Moeller for the OpenSSL project. |
| 2 | * ==================================================================== |
| 3 | * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. |
| 4 | * |
| 5 | * Redistribution and use in source and binary forms, with or without |
| 6 | * modification, are permitted provided that the following conditions |
| 7 | * are met: |
| 8 | * |
| 9 | * 1. Redistributions of source code must retain the above copyright |
| 10 | * notice, this list of conditions and the following disclaimer. |
| 11 | * |
| 12 | * 2. Redistributions in binary form must reproduce the above copyright |
| 13 | * notice, this list of conditions and the following disclaimer in |
| 14 | * the documentation and/or other materials provided with the |
| 15 | * distribution. |
| 16 | * |
| 17 | * 3. All advertising materials mentioning features or use of this |
| 18 | * software must display the following acknowledgment: |
| 19 | * "This product includes software developed by the OpenSSL Project |
| 20 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
| 21 | * |
| 22 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
| 23 | * endorse or promote products derived from this software without |
| 24 | * prior written permission. For written permission, please contact |
| 25 | * openssl-core@openssl.org. |
| 26 | * |
| 27 | * 5. Products derived from this software may not be called "OpenSSL" |
| 28 | * nor may "OpenSSL" appear in their names without prior written |
| 29 | * permission of the OpenSSL Project. |
| 30 | * |
| 31 | * 6. Redistributions of any form whatsoever must retain the following |
| 32 | * acknowledgment: |
| 33 | * "This product includes software developed by the OpenSSL Project |
| 34 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
| 35 | * |
| 36 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
| 37 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 38 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 39 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
| 40 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 41 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 42 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 43 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 44 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 45 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 46 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 47 | * OF THE POSSIBILITY OF SUCH DAMAGE. |
| 48 | * ==================================================================== |
| 49 | * |
| 50 | * This product includes cryptographic software written by Eric Young |
| 51 | * (eay@cryptsoft.com). This product includes software written by Tim |
| 52 | * Hudson (tjh@cryptsoft.com). |
| 53 | * |
| 54 | */ |
| 55 | /* ==================================================================== |
| 56 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. |
| 57 | * |
| 58 | * Portions of the attached software ("Contribution") are developed by |
| 59 | * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. |
| 60 | * |
| 61 | * The Contribution is licensed pursuant to the OpenSSL open source |
| 62 | * license provided above. |
| 63 | * |
| 64 | * The elliptic curve binary polynomial software is originally written by |
| 65 | * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems |
| 66 | * Laboratories. */ |
| 67 | |
| 68 | #include <openssl/ec.h> |
| 69 | |
Adam Langley | fad6327 | 2015-11-12 12:15:39 -0800 | [diff] [blame] | 70 | #include <assert.h> |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 71 | #include <string.h> |
| 72 | |
| 73 | #include <openssl/bn.h> |
| 74 | #include <openssl/err.h> |
| 75 | #include <openssl/mem.h> |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 76 | #include <openssl/nid.h> |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 77 | |
| 78 | #include "internal.h" |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 79 | #include "../../internal.h" |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 80 | #include "../bn/internal.h" |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 81 | #include "../delocate.h" |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 82 | |
| 83 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 84 | static void ec_point_free(EC_POINT *point, int free_group); |
| 85 | |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 86 | static const uint8_t kP224Params[6 * 28] = { |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 87 | // p |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 88 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 89 | 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
| 90 | 0x00, 0x00, 0x00, 0x01, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 91 | // a |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 92 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 93 | 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 94 | 0xFF, 0xFF, 0xFF, 0xFE, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 95 | // b |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 96 | 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, |
| 97 | 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43, |
| 98 | 0x23, 0x55, 0xFF, 0xB4, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 99 | // x |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 100 | 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, |
| 101 | 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, |
| 102 | 0x11, 0x5C, 0x1D, 0x21, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 103 | // y |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 104 | 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, |
| 105 | 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, |
| 106 | 0x85, 0x00, 0x7e, 0x34, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 107 | // order |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 108 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 109 | 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, |
| 110 | 0x5C, 0x5C, 0x2A, 0x3D, |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 111 | }; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 112 | |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 113 | static const uint8_t kP256Params[6 * 32] = { |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 114 | // p |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 115 | 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, |
| 116 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, |
| 117 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 118 | // a |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 119 | 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, |
| 120 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, |
| 121 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 122 | // b |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 123 | 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55, |
| 124 | 0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6, |
| 125 | 0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 126 | // x |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 127 | 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5, |
| 128 | 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0, |
| 129 | 0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 130 | // y |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 131 | 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, |
| 132 | 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, |
| 133 | 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 134 | // order |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 135 | 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, |
| 136 | 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, |
| 137 | 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51, |
| 138 | }; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 139 | |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 140 | static const uint8_t kP384Params[6 * 48] = { |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 141 | // p |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 142 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 143 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 144 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, |
| 145 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 146 | // a |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 147 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 148 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 149 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, |
| 150 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 151 | // b |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 152 | 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B, |
| 153 | 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12, |
| 154 | 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, |
| 155 | 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 156 | // x |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 157 | 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, |
| 158 | 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, |
| 159 | 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, |
| 160 | 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 161 | // y |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 162 | 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf, |
| 163 | 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c, |
| 164 | 0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce, |
| 165 | 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 166 | // order |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 167 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 168 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 169 | 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2, |
| 170 | 0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73, |
| 171 | }; |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 172 | |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 173 | static const uint8_t kP521Params[6 * 66] = { |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 174 | // p |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 175 | 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 176 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 177 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 178 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 179 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 180 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 181 | // a |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 182 | 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 183 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 184 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 185 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 186 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 187 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 188 | // b |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 189 | 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A, |
| 190 | 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3, |
| 191 | 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19, |
| 192 | 0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1, |
| 193 | 0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45, |
| 194 | 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 195 | // x |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 196 | 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E, |
| 197 | 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F, |
| 198 | 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B, |
| 199 | 0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF, |
| 200 | 0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E, |
| 201 | 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 202 | // y |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 203 | 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, |
| 204 | 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, |
| 205 | 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, |
| 206 | 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, |
| 207 | 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, |
| 208 | 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50, |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 209 | // order |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 210 | 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 211 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
| 212 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86, |
| 213 | 0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09, |
| 214 | 0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F, |
| 215 | 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09, |
| 216 | }; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 217 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 218 | DEFINE_METHOD_FUNCTION(struct built_in_curves, OPENSSL_built_in_curves) { |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 219 | // 1.3.132.0.35 |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 220 | static const uint8_t kOIDP521[] = {0x2b, 0x81, 0x04, 0x00, 0x23}; |
| 221 | out->curves[0].nid = NID_secp521r1; |
| 222 | out->curves[0].oid = kOIDP521; |
| 223 | out->curves[0].oid_len = sizeof(kOIDP521); |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 224 | out->curves[0].comment = "NIST P-521"; |
| 225 | out->curves[0].param_len = 66; |
| 226 | out->curves[0].params = kP521Params; |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 227 | out->curves[0].method = EC_GFp_mont_method(); |
| 228 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 229 | // 1.3.132.0.34 |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 230 | static const uint8_t kOIDP384[] = {0x2b, 0x81, 0x04, 0x00, 0x22}; |
| 231 | out->curves[1].nid = NID_secp384r1; |
| 232 | out->curves[1].oid = kOIDP384; |
| 233 | out->curves[1].oid_len = sizeof(kOIDP384); |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 234 | out->curves[1].comment = "NIST P-384"; |
| 235 | out->curves[1].param_len = 48; |
| 236 | out->curves[1].params = kP384Params; |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 237 | out->curves[1].method = EC_GFp_mont_method(); |
| 238 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 239 | // 1.2.840.10045.3.1.7 |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 240 | static const uint8_t kOIDP256[] = {0x2a, 0x86, 0x48, 0xce, |
| 241 | 0x3d, 0x03, 0x01, 0x07}; |
| 242 | out->curves[2].nid = NID_X9_62_prime256v1; |
| 243 | out->curves[2].oid = kOIDP256; |
| 244 | out->curves[2].oid_len = sizeof(kOIDP256); |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 245 | out->curves[2].comment = "NIST P-256"; |
| 246 | out->curves[2].param_len = 32; |
| 247 | out->curves[2].params = kP256Params; |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 248 | out->curves[2].method = |
Adam Langley | fad6327 | 2015-11-12 12:15:39 -0800 | [diff] [blame] | 249 | #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ |
| 250 | !defined(OPENSSL_SMALL) |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 251 | EC_GFp_nistz256_method(); |
Adam Langley | fad6327 | 2015-11-12 12:15:39 -0800 | [diff] [blame] | 252 | #else |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 253 | EC_GFp_nistp256_method(); |
Adam Langley | fad6327 | 2015-11-12 12:15:39 -0800 | [diff] [blame] | 254 | #endif |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 255 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 256 | // 1.3.132.0.33 |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 257 | static const uint8_t kOIDP224[] = {0x2b, 0x81, 0x04, 0x00, 0x21}; |
| 258 | out->curves[3].nid = NID_secp224r1; |
| 259 | out->curves[3].oid = kOIDP224; |
| 260 | out->curves[3].oid_len = sizeof(kOIDP224); |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 261 | out->curves[3].comment = "NIST P-224"; |
| 262 | out->curves[3].param_len = 28; |
| 263 | out->curves[3].params = kP224Params; |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 264 | out->curves[3].method = |
Robert Sloan | 5581810 | 2017-12-18 11:26:17 -0800 | [diff] [blame] | 265 | #if defined(BORINGSSL_HAS_UINT128) && !defined(OPENSSL_SMALL) |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 266 | EC_GFp_nistp224_method(); |
Kenny Root | e99801b | 2015-11-06 15:31:15 -0800 | [diff] [blame] | 267 | #else |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 268 | EC_GFp_mont_method(); |
Kenny Root | e99801b | 2015-11-06 15:31:15 -0800 | [diff] [blame] | 269 | #endif |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 270 | } |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 271 | |
| 272 | EC_GROUP *ec_group_new(const EC_METHOD *meth) { |
| 273 | EC_GROUP *ret; |
| 274 | |
| 275 | if (meth == NULL) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 276 | OPENSSL_PUT_ERROR(EC, EC_R_SLOT_FULL); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 277 | return NULL; |
| 278 | } |
| 279 | |
| 280 | if (meth->group_init == 0) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 281 | OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 282 | return NULL; |
| 283 | } |
| 284 | |
| 285 | ret = OPENSSL_malloc(sizeof(EC_GROUP)); |
| 286 | if (ret == NULL) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 287 | OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 288 | return NULL; |
| 289 | } |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 290 | OPENSSL_memset(ret, 0, sizeof(EC_GROUP)); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 291 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 292 | ret->references = 1; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 293 | ret->meth = meth; |
| 294 | BN_init(&ret->order); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 295 | |
| 296 | if (!meth->group_init(ret)) { |
| 297 | OPENSSL_free(ret); |
| 298 | return NULL; |
| 299 | } |
| 300 | |
| 301 | return ret; |
| 302 | } |
| 303 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 304 | static void ec_group_set0_generator(EC_GROUP *group, EC_POINT *generator) { |
| 305 | assert(group->generator == NULL); |
| 306 | assert(group == generator->group); |
| 307 | |
| 308 | // Avoid a reference cycle. |group->generator| does not maintain an owning |
| 309 | // pointer to |group|. |
| 310 | group->generator = generator; |
| 311 | int is_zero = CRYPTO_refcount_dec_and_test_zero(&group->references); |
| 312 | |
| 313 | assert(!is_zero); |
| 314 | (void)is_zero; |
| 315 | } |
| 316 | |
Adam Langley | 430091c | 2015-05-12 19:09:47 -0700 | [diff] [blame] | 317 | EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, |
| 318 | const BIGNUM *b, BN_CTX *ctx) { |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 319 | if (BN_num_bytes(p) > EC_MAX_SCALAR_BYTES) { |
| 320 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD); |
| 321 | return NULL; |
| 322 | } |
| 323 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 324 | EC_GROUP *ret = ec_group_new(EC_GFp_mont_method()); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 325 | if (ret == NULL) { |
| 326 | return NULL; |
| 327 | } |
| 328 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 329 | if (ret->meth->group_set_curve == NULL) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 330 | OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 331 | EC_GROUP_free(ret); |
| 332 | return NULL; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 333 | } |
| 334 | if (!ret->meth->group_set_curve(ret, p, a, b, ctx)) { |
| 335 | EC_GROUP_free(ret); |
| 336 | return NULL; |
| 337 | } |
| 338 | return ret; |
| 339 | } |
| 340 | |
Adam Langley | 430091c | 2015-05-12 19:09:47 -0700 | [diff] [blame] | 341 | int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, |
| 342 | const BIGNUM *order, const BIGNUM *cofactor) { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 343 | if (group->curve_name != NID_undef || group->generator != NULL || |
| 344 | generator->group != group) { |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 345 | // |EC_GROUP_set_generator| may only be used with |EC_GROUP|s returned by |
| 346 | // |EC_GROUP_new_curve_GFp| and may only used once on each group. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 347 | // Additionally, |generator| must been created from |
| 348 | // |EC_GROUP_new_curve_GFp|, not a copy, so that |
| 349 | // |generator->group->generator| is set correctly. |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 350 | OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 351 | return 0; |
| 352 | } |
| 353 | |
| 354 | if (BN_num_bytes(order) > EC_MAX_SCALAR_BYTES) { |
Robert Sloan | 5cbb5c8 | 2018-04-24 11:35:46 -0700 | [diff] [blame] | 355 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 356 | return 0; |
| 357 | } |
| 358 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 359 | // Require a cofactor of one for custom curves, which implies prime order. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 360 | if (!BN_is_one(cofactor)) { |
| 361 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COFACTOR); |
| 362 | return 0; |
| 363 | } |
| 364 | |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 365 | // Require that p < 2×order. This simplifies some ECDSA operations. |
| 366 | // |
| 367 | // Note any curve which did not satisfy this must have been invalid or use a |
| 368 | // tiny prime (less than 17). See the proof in |field_element_to_scalar| in |
| 369 | // the ECDSA implementation. |
| 370 | BIGNUM *tmp = BN_new(); |
| 371 | if (tmp == NULL || |
| 372 | !BN_lshift1(tmp, order)) { |
| 373 | BN_free(tmp); |
| 374 | return 0; |
| 375 | } |
| 376 | int ok = BN_cmp(tmp, &group->field) > 0; |
| 377 | BN_free(tmp); |
| 378 | if (!ok) { |
| 379 | OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER); |
| 380 | return 0; |
| 381 | } |
| 382 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 383 | EC_POINT *copy = EC_POINT_new(group); |
| 384 | if (copy == NULL || |
| 385 | !EC_POINT_copy(copy, generator) || |
| 386 | !BN_copy(&group->order, order)) { |
| 387 | EC_POINT_free(copy); |
| 388 | return 0; |
| 389 | } |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 390 | // Store the order in minimal form, so it can be used with |BN_ULONG| arrays. |
| 391 | bn_set_minimal_width(&group->order); |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 392 | |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 393 | BN_MONT_CTX_free(group->order_mont); |
Robert Sloan | 8542c08 | 2018-02-05 09:07:34 -0800 | [diff] [blame] | 394 | group->order_mont = BN_MONT_CTX_new_for_modulus(&group->order, NULL); |
| 395 | if (group->order_mont == NULL) { |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 396 | return 0; |
| 397 | } |
| 398 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 399 | ec_group_set0_generator(group, copy); |
| 400 | return 1; |
Adam Langley | 430091c | 2015-05-12 19:09:47 -0700 | [diff] [blame] | 401 | } |
| 402 | |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 403 | static EC_GROUP *ec_group_new_from_data(const struct built_in_curve *curve) { |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 404 | EC_GROUP *group = NULL; |
| 405 | EC_POINT *P = NULL; |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 406 | BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL; |
Adam Langley | fad6327 | 2015-11-12 12:15:39 -0800 | [diff] [blame] | 407 | int ok = 0; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 408 | |
Adam Langley | fad6327 | 2015-11-12 12:15:39 -0800 | [diff] [blame] | 409 | BN_CTX *ctx = BN_CTX_new(); |
| 410 | if (ctx == NULL) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 411 | OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 412 | goto err; |
| 413 | } |
| 414 | |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 415 | const unsigned param_len = curve->param_len; |
| 416 | const uint8_t *params = curve->params; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 417 | |
| 418 | if (!(p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) || |
| 419 | !(a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) || |
| 420 | !(b = BN_bin2bn(params + 2 * param_len, param_len, NULL))) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 421 | OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 422 | goto err; |
| 423 | } |
| 424 | |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 425 | group = ec_group_new(curve->method); |
| 426 | if (group == NULL || |
| 427 | !group->meth->group_set_curve(group, p, a, b, ctx)) { |
| 428 | OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); |
| 429 | goto err; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 430 | } |
| 431 | |
| 432 | if ((P = EC_POINT_new(group)) == NULL) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 433 | OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 434 | goto err; |
| 435 | } |
| 436 | |
| 437 | if (!(x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) || |
| 438 | !(y = BN_bin2bn(params + 4 * param_len, param_len, NULL))) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 439 | OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 440 | goto err; |
| 441 | } |
| 442 | |
| 443 | if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 444 | OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 445 | goto err; |
| 446 | } |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 447 | if (!BN_bin2bn(params + 5 * param_len, param_len, &group->order)) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 448 | OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 449 | goto err; |
| 450 | } |
| 451 | |
Robert Sloan | 8542c08 | 2018-02-05 09:07:34 -0800 | [diff] [blame] | 452 | group->order_mont = BN_MONT_CTX_new_for_modulus(&group->order, ctx); |
| 453 | if (group->order_mont == NULL) { |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 454 | OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB); |
| 455 | goto err; |
Adam Langley | fad6327 | 2015-11-12 12:15:39 -0800 | [diff] [blame] | 456 | } |
| 457 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 458 | ec_group_set0_generator(group, P); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 459 | P = NULL; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 460 | ok = 1; |
| 461 | |
| 462 | err: |
| 463 | if (!ok) { |
| 464 | EC_GROUP_free(group); |
| 465 | group = NULL; |
| 466 | } |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 467 | EC_POINT_free(P); |
| 468 | BN_CTX_free(ctx); |
| 469 | BN_free(p); |
| 470 | BN_free(a); |
| 471 | BN_free(b); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 472 | BN_free(x); |
| 473 | BN_free(y); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 474 | return group; |
| 475 | } |
| 476 | |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 477 | // Built-in groups are allocated lazily and static once allocated. |
| 478 | // TODO(davidben): Make these actually static. https://crbug.com/boringssl/20. |
| 479 | struct built_in_groups_st { |
| 480 | EC_GROUP *groups[OPENSSL_NUM_BUILT_IN_CURVES]; |
| 481 | }; |
| 482 | DEFINE_BSS_GET(struct built_in_groups_st, built_in_groups); |
| 483 | DEFINE_STATIC_MUTEX(built_in_groups_lock); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 484 | |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 485 | EC_GROUP *EC_GROUP_new_by_curve_name(int nid) { |
| 486 | struct built_in_groups_st *groups = built_in_groups_bss_get(); |
| 487 | EC_GROUP **group_ptr = NULL; |
| 488 | const struct built_in_curves *const curves = OPENSSL_built_in_curves(); |
| 489 | const struct built_in_curve *curve = NULL; |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 490 | for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) { |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 491 | if (curves->curves[i].nid == nid) { |
| 492 | curve = &curves->curves[i]; |
| 493 | group_ptr = &groups->groups[i]; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 494 | break; |
| 495 | } |
| 496 | } |
| 497 | |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 498 | if (curve == NULL) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 499 | OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 500 | return NULL; |
| 501 | } |
| 502 | |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 503 | CRYPTO_STATIC_MUTEX_lock_read(built_in_groups_lock_bss_get()); |
| 504 | EC_GROUP *ret = *group_ptr; |
| 505 | CRYPTO_STATIC_MUTEX_unlock_read(built_in_groups_lock_bss_get()); |
| 506 | if (ret != NULL) { |
| 507 | return ret; |
| 508 | } |
| 509 | |
| 510 | ret = ec_group_new_from_data(curve); |
| 511 | if (ret == NULL) { |
| 512 | return NULL; |
| 513 | } |
| 514 | |
| 515 | EC_GROUP *to_free = NULL; |
| 516 | CRYPTO_STATIC_MUTEX_lock_write(built_in_groups_lock_bss_get()); |
| 517 | if (*group_ptr == NULL) { |
| 518 | *group_ptr = ret; |
| 519 | // Filling in |ret->curve_name| makes |EC_GROUP_free| and |EC_GROUP_dup| |
| 520 | // into no-ops. At this point, |ret| is considered static. |
| 521 | ret->curve_name = nid; |
| 522 | } else { |
| 523 | to_free = ret; |
| 524 | ret = *group_ptr; |
| 525 | } |
| 526 | CRYPTO_STATIC_MUTEX_unlock_write(built_in_groups_lock_bss_get()); |
| 527 | |
| 528 | EC_GROUP_free(to_free); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 529 | return ret; |
| 530 | } |
| 531 | |
| 532 | void EC_GROUP_free(EC_GROUP *group) { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 533 | if (group == NULL || |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 534 | // Built-in curves are static. |
| 535 | group->curve_name != NID_undef || |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 536 | !CRYPTO_refcount_dec_and_test_zero(&group->references)) { |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 537 | return; |
| 538 | } |
| 539 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 540 | if (group->meth->group_finish != NULL) { |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 541 | group->meth->group_finish(group); |
| 542 | } |
| 543 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 544 | ec_point_free(group->generator, 0 /* don't free group */); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 545 | BN_free(&group->order); |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 546 | BN_MONT_CTX_free(group->order_mont); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 547 | |
| 548 | OPENSSL_free(group); |
| 549 | } |
| 550 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 551 | EC_GROUP *EC_GROUP_dup(const EC_GROUP *a) { |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 552 | if (a == NULL || |
| 553 | // Built-in curves are static. |
| 554 | a->curve_name != NID_undef) { |
| 555 | return (EC_GROUP *)a; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 556 | } |
| 557 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 558 | // Groups are logically immutable (but for |EC_GROUP_set_generator| which must |
| 559 | // be called early on), so we simply take a reference. |
| 560 | EC_GROUP *group = (EC_GROUP *)a; |
| 561 | CRYPTO_refcount_inc(&group->references); |
| 562 | return group; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 563 | } |
| 564 | |
Kenny Root | c897c7e | 2015-02-27 13:00:38 -0800 | [diff] [blame] | 565 | int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ignored) { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 566 | // Note this function returns 0 if equal and non-zero otherwise. |
| 567 | if (a == b) { |
| 568 | return 0; |
| 569 | } |
| 570 | if (a->curve_name != b->curve_name) { |
| 571 | return 1; |
| 572 | } |
| 573 | if (a->curve_name != NID_undef) { |
| 574 | // Built-in curves may be compared by curve name alone. |
| 575 | return 0; |
| 576 | } |
| 577 | |
| 578 | // |a| and |b| are both custom curves. We compare the entire curve |
| 579 | // structure. If |a| or |b| is incomplete (due to legacy OpenSSL mistakes, |
| 580 | // custom curve construction is sadly done in two parts) but otherwise not the |
| 581 | // same object, we consider them always unequal. |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 582 | return a->meth != b->meth || |
| 583 | a->generator == NULL || |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 584 | b->generator == NULL || |
| 585 | BN_cmp(&a->order, &b->order) != 0 || |
| 586 | BN_cmp(&a->field, &b->field) != 0 || |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 587 | !ec_felem_equal(a, &a->a, &b->a) || |
| 588 | !ec_felem_equal(a, &a->b, &b->b) || |
| 589 | ec_GFp_simple_cmp(a, &a->generator->raw, &b->generator->raw) != 0; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 590 | } |
| 591 | |
| 592 | const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) { |
| 593 | return group->generator; |
| 594 | } |
| 595 | |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 596 | const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group) { |
| 597 | assert(!BN_is_zero(&group->order)); |
| 598 | return &group->order; |
| 599 | } |
| 600 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 601 | int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) { |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 602 | if (BN_copy(order, EC_GROUP_get0_order(group)) == NULL) { |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 603 | return 0; |
| 604 | } |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 605 | return 1; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 606 | } |
| 607 | |
| 608 | int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, |
| 609 | BN_CTX *ctx) { |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 610 | // All |EC_GROUP|s have cofactor 1. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 611 | return BN_set_word(cofactor, 1); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 612 | } |
| 613 | |
| 614 | int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *out_p, BIGNUM *out_a, |
| 615 | BIGNUM *out_b, BN_CTX *ctx) { |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 616 | return ec_GFp_simple_group_get_curve(group, out_p, out_a, out_b); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 617 | } |
| 618 | |
| 619 | int EC_GROUP_get_curve_name(const EC_GROUP *group) { return group->curve_name; } |
| 620 | |
Kenny Root | e99801b | 2015-11-06 15:31:15 -0800 | [diff] [blame] | 621 | unsigned EC_GROUP_get_degree(const EC_GROUP *group) { |
Robert Sloan | a51059f | 2018-11-12 13:38:50 -0800 | [diff] [blame^] | 622 | return BN_num_bits(&group->field); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 623 | } |
| 624 | |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 625 | const char *EC_curve_nid2nist(int nid) { |
| 626 | switch (nid) { |
| 627 | case NID_secp224r1: |
| 628 | return "P-224"; |
| 629 | case NID_X9_62_prime256v1: |
| 630 | return "P-256"; |
| 631 | case NID_secp384r1: |
| 632 | return "P-384"; |
| 633 | case NID_secp521r1: |
| 634 | return "P-521"; |
| 635 | } |
| 636 | return NULL; |
| 637 | } |
| 638 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 639 | EC_POINT *EC_POINT_new(const EC_GROUP *group) { |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 640 | if (group == NULL) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 641 | OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 642 | return NULL; |
| 643 | } |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 644 | |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 645 | EC_POINT *ret = OPENSSL_malloc(sizeof *ret); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 646 | if (ret == NULL) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 647 | OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 648 | return NULL; |
| 649 | } |
| 650 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 651 | ret->group = EC_GROUP_dup(group); |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 652 | ec_GFp_simple_point_init(&ret->raw); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 653 | return ret; |
| 654 | } |
| 655 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 656 | static void ec_point_free(EC_POINT *point, int free_group) { |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 657 | if (!point) { |
| 658 | return; |
| 659 | } |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 660 | if (free_group) { |
| 661 | EC_GROUP_free(point->group); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 662 | } |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 663 | OPENSSL_free(point); |
| 664 | } |
| 665 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 666 | void EC_POINT_free(EC_POINT *point) { |
| 667 | ec_point_free(point, 1 /* free group */); |
| 668 | } |
| 669 | |
| 670 | void EC_POINT_clear_free(EC_POINT *point) { EC_POINT_free(point); } |
| 671 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 672 | int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src) { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 673 | if (EC_GROUP_cmp(dest->group, src->group, NULL) != 0) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 674 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 675 | return 0; |
| 676 | } |
| 677 | if (dest == src) { |
| 678 | return 1; |
| 679 | } |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 680 | ec_GFp_simple_point_copy(&dest->raw, &src->raw); |
| 681 | return 1; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 682 | } |
| 683 | |
| 684 | EC_POINT *EC_POINT_dup(const EC_POINT *a, const EC_GROUP *group) { |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 685 | if (a == NULL) { |
| 686 | return NULL; |
| 687 | } |
| 688 | |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 689 | EC_POINT *ret = EC_POINT_new(group); |
| 690 | if (ret == NULL || |
| 691 | !EC_POINT_copy(ret, a)) { |
| 692 | EC_POINT_free(ret); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 693 | return NULL; |
| 694 | } |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 695 | |
| 696 | return ret; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 697 | } |
| 698 | |
| 699 | int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point) { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 700 | if (EC_GROUP_cmp(group, point->group, NULL) != 0) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 701 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 702 | return 0; |
| 703 | } |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 704 | ec_GFp_simple_point_set_to_infinity(group, &point->raw); |
| 705 | return 1; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 706 | } |
| 707 | |
| 708 | int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 709 | if (EC_GROUP_cmp(group, point->group, NULL) != 0) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 710 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 711 | return 0; |
| 712 | } |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 713 | return ec_GFp_simple_is_at_infinity(group, &point->raw); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 714 | } |
| 715 | |
| 716 | int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, |
| 717 | BN_CTX *ctx) { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 718 | if (EC_GROUP_cmp(group, point->group, NULL) != 0) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 719 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 720 | return 0; |
| 721 | } |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 722 | return ec_GFp_simple_is_on_curve(group, &point->raw); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 723 | } |
| 724 | |
| 725 | int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, |
| 726 | BN_CTX *ctx) { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 727 | if (EC_GROUP_cmp(group, a->group, NULL) != 0 || |
| 728 | EC_GROUP_cmp(group, b->group, NULL) != 0) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 729 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 730 | return -1; |
| 731 | } |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 732 | return ec_GFp_simple_cmp(group, &a->raw, &b->raw); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 733 | } |
| 734 | |
| 735 | int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, |
| 736 | const EC_POINT *point, BIGNUM *x, |
| 737 | BIGNUM *y, BN_CTX *ctx) { |
| 738 | if (group->meth->point_get_affine_coordinates == 0) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 739 | OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 740 | return 0; |
| 741 | } |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 742 | if (EC_GROUP_cmp(group, point->group, NULL) != 0) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 743 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 744 | return 0; |
| 745 | } |
Robert Sloan | a51059f | 2018-11-12 13:38:50 -0800 | [diff] [blame^] | 746 | EC_FELEM x_felem, y_felem; |
| 747 | if (!group->meth->point_get_affine_coordinates(group, &point->raw, |
| 748 | x == NULL ? NULL : &x_felem, |
| 749 | y == NULL ? NULL : &y_felem) || |
| 750 | (x != NULL && !bn_set_words(x, x_felem.words, group->field.width)) || |
| 751 | (y != NULL && !bn_set_words(y, y_felem.words, group->field.width))) { |
| 752 | return 0; |
| 753 | } |
| 754 | return 1; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 755 | } |
| 756 | |
| 757 | int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, |
| 758 | const BIGNUM *x, const BIGNUM *y, |
| 759 | BN_CTX *ctx) { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 760 | if (EC_GROUP_cmp(group, point->group, NULL) != 0) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 761 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 762 | return 0; |
| 763 | } |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 764 | if (!ec_GFp_simple_point_set_affine_coordinates(group, &point->raw, x, y)) { |
Adam Langley | fad6327 | 2015-11-12 12:15:39 -0800 | [diff] [blame] | 765 | return 0; |
| 766 | } |
| 767 | |
| 768 | if (!EC_POINT_is_on_curve(group, point, ctx)) { |
Robert Sloan | 8542c08 | 2018-02-05 09:07:34 -0800 | [diff] [blame] | 769 | // In the event of an error, defend against the caller not checking the |
| 770 | // return value by setting a known safe value: the base point. |
Adam Langley | 9083ef9 | 2018-03-05 10:15:53 -0800 | [diff] [blame] | 771 | const EC_POINT *generator = EC_GROUP_get0_generator(group); |
| 772 | // The generator can be missing if the caller is in the process of |
| 773 | // constructing an arbitrary group. In this, we give up and hope they're |
| 774 | // checking the return value. |
| 775 | if (generator) { |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 776 | ec_GFp_simple_point_copy(&point->raw, &generator->raw); |
Adam Langley | 9083ef9 | 2018-03-05 10:15:53 -0800 | [diff] [blame] | 777 | } |
Adam Langley | fad6327 | 2015-11-12 12:15:39 -0800 | [diff] [blame] | 778 | OPENSSL_PUT_ERROR(EC, EC_R_POINT_IS_NOT_ON_CURVE); |
| 779 | return 0; |
| 780 | } |
| 781 | |
| 782 | return 1; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 783 | } |
| 784 | |
| 785 | int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, |
| 786 | const EC_POINT *b, BN_CTX *ctx) { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 787 | if (EC_GROUP_cmp(group, r->group, NULL) != 0 || |
| 788 | EC_GROUP_cmp(group, a->group, NULL) != 0 || |
| 789 | EC_GROUP_cmp(group, b->group, NULL) != 0) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 790 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 791 | return 0; |
| 792 | } |
Robert Sloan | a51059f | 2018-11-12 13:38:50 -0800 | [diff] [blame^] | 793 | group->meth->add(group, &r->raw, &a->raw, &b->raw); |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 794 | return 1; |
Robert Sloan | dc2f609 | 2018-04-10 10:22:33 -0700 | [diff] [blame] | 795 | } |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 796 | |
| 797 | int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, |
| 798 | BN_CTX *ctx) { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 799 | if (EC_GROUP_cmp(group, r->group, NULL) != 0 || |
| 800 | EC_GROUP_cmp(group, a->group, NULL) != 0) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 801 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 802 | return 0; |
| 803 | } |
Robert Sloan | a51059f | 2018-11-12 13:38:50 -0800 | [diff] [blame^] | 804 | group->meth->dbl(group, &r->raw, &a->raw); |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 805 | return 1; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 806 | } |
| 807 | |
| 808 | |
| 809 | int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 810 | if (EC_GROUP_cmp(group, a->group, NULL) != 0) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 811 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 812 | return 0; |
| 813 | } |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 814 | ec_GFp_simple_invert(group, &a->raw); |
| 815 | return 1; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 816 | } |
| 817 | |
Robert Sloan | a815d5a | 2017-12-04 11:49:16 -0800 | [diff] [blame] | 818 | static int arbitrary_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, |
| 819 | const BIGNUM *in, BN_CTX *ctx) { |
Robert Sloan | cd79cde | 2017-12-11 09:06:12 -0800 | [diff] [blame] | 820 | if (ec_bignum_to_scalar(group, out, in)) { |
| 821 | return 1; |
Robert Sloan | a815d5a | 2017-12-04 11:49:16 -0800 | [diff] [blame] | 822 | } |
| 823 | |
Robert Sloan | cd79cde | 2017-12-11 09:06:12 -0800 | [diff] [blame] | 824 | ERR_clear_error(); |
| 825 | |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 826 | // This is an unusual input, so we do not guarantee constant-time processing. |
Robert Sloan | cd79cde | 2017-12-11 09:06:12 -0800 | [diff] [blame] | 827 | const BIGNUM *order = &group->order; |
| 828 | BN_CTX_start(ctx); |
| 829 | BIGNUM *tmp = BN_CTX_get(ctx); |
| 830 | int ok = tmp != NULL && |
| 831 | BN_nnmod(tmp, in, order, ctx) && |
Robert Sloan | 5cbb5c8 | 2018-04-24 11:35:46 -0700 | [diff] [blame] | 832 | ec_bignum_to_scalar(group, out, tmp); |
Robert Sloan | cd79cde | 2017-12-11 09:06:12 -0800 | [diff] [blame] | 833 | BN_CTX_end(ctx); |
| 834 | return ok; |
Robert Sloan | a815d5a | 2017-12-04 11:49:16 -0800 | [diff] [blame] | 835 | } |
| 836 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 837 | int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 838 | const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx) { |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 839 | // Previously, this function set |r| to the point at infinity if there was |
| 840 | // nothing to multiply. But, nobody should be calling this function with |
| 841 | // nothing to multiply in the first place. |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 842 | if ((g_scalar == NULL && p_scalar == NULL) || |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 843 | (p == NULL) != (p_scalar == NULL)) { |
| 844 | OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); |
| 845 | return 0; |
| 846 | } |
| 847 | |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 848 | int ret = 0; |
| 849 | EC_SCALAR g_scalar_storage, p_scalar_storage; |
| 850 | EC_SCALAR *g_scalar_arg = NULL, *p_scalar_arg = NULL; |
Robert Sloan | a815d5a | 2017-12-04 11:49:16 -0800 | [diff] [blame] | 851 | BN_CTX *new_ctx = NULL; |
| 852 | if (ctx == NULL) { |
| 853 | new_ctx = BN_CTX_new(); |
| 854 | if (new_ctx == NULL) { |
| 855 | goto err; |
| 856 | } |
| 857 | ctx = new_ctx; |
| 858 | } |
| 859 | |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 860 | if (g_scalar != NULL) { |
Robert Sloan | a815d5a | 2017-12-04 11:49:16 -0800 | [diff] [blame] | 861 | if (!arbitrary_bignum_to_scalar(group, &g_scalar_storage, g_scalar, ctx)) { |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 862 | goto err; |
| 863 | } |
| 864 | g_scalar_arg = &g_scalar_storage; |
| 865 | } |
| 866 | |
| 867 | if (p_scalar != NULL) { |
Robert Sloan | a815d5a | 2017-12-04 11:49:16 -0800 | [diff] [blame] | 868 | if (!arbitrary_bignum_to_scalar(group, &p_scalar_storage, p_scalar, ctx)) { |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 869 | goto err; |
| 870 | } |
| 871 | p_scalar_arg = &p_scalar_storage; |
| 872 | } |
| 873 | |
| 874 | ret = ec_point_mul_scalar(group, r, g_scalar_arg, p, p_scalar_arg, ctx); |
| 875 | |
| 876 | err: |
Robert Sloan | a815d5a | 2017-12-04 11:49:16 -0800 | [diff] [blame] | 877 | BN_CTX_free(new_ctx); |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 878 | OPENSSL_cleanse(&g_scalar_storage, sizeof(g_scalar_storage)); |
| 879 | OPENSSL_cleanse(&p_scalar_storage, sizeof(p_scalar_storage)); |
| 880 | return ret; |
| 881 | } |
| 882 | |
Robert Sloan | 5581810 | 2017-12-18 11:26:17 -0800 | [diff] [blame] | 883 | int ec_point_mul_scalar_public(const EC_GROUP *group, EC_POINT *r, |
| 884 | const EC_SCALAR *g_scalar, const EC_POINT *p, |
| 885 | const EC_SCALAR *p_scalar, BN_CTX *ctx) { |
| 886 | if ((g_scalar == NULL && p_scalar == NULL) || |
| 887 | (p == NULL) != (p_scalar == NULL)) { |
| 888 | OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); |
| 889 | return 0; |
| 890 | } |
| 891 | |
| 892 | if (EC_GROUP_cmp(group, r->group, NULL) != 0 || |
| 893 | (p != NULL && EC_GROUP_cmp(group, p->group, NULL) != 0)) { |
| 894 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
| 895 | return 0; |
| 896 | } |
| 897 | |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 898 | group->meth->mul_public(group, &r->raw, g_scalar, &p->raw, p_scalar); |
| 899 | return 1; |
Robert Sloan | 5581810 | 2017-12-18 11:26:17 -0800 | [diff] [blame] | 900 | } |
| 901 | |
Robert Sloan | 99319a1 | 2017-11-27 10:32:46 -0800 | [diff] [blame] | 902 | int ec_point_mul_scalar(const EC_GROUP *group, EC_POINT *r, |
| 903 | const EC_SCALAR *g_scalar, const EC_POINT *p, |
| 904 | const EC_SCALAR *p_scalar, BN_CTX *ctx) { |
| 905 | if ((g_scalar == NULL && p_scalar == NULL) || |
| 906 | (p == NULL) != (p_scalar == NULL)) { |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 907 | OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); |
| 908 | return 0; |
| 909 | } |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 910 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 911 | if (EC_GROUP_cmp(group, r->group, NULL) != 0 || |
| 912 | (p != NULL && EC_GROUP_cmp(group, p->group, NULL) != 0)) { |
Adam Langley | fad6327 | 2015-11-12 12:15:39 -0800 | [diff] [blame] | 913 | OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); |
| 914 | return 0; |
| 915 | } |
| 916 | |
Robert Sloan | c6ebb28 | 2018-04-30 10:10:26 -0700 | [diff] [blame] | 917 | group->meth->mul(group, &r->raw, g_scalar, (p == NULL) ? NULL : &p->raw, |
| 918 | p_scalar); |
| 919 | return 1; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 920 | } |
| 921 | |
Robert Sloan | a51059f | 2018-11-12 13:38:50 -0800 | [diff] [blame^] | 922 | int ec_cmp_x_coordinate(int *out_result, const EC_GROUP *group, |
| 923 | const EC_POINT *p, const BIGNUM *r, BN_CTX *ctx) { |
| 924 | return group->meth->cmp_x_coordinate(out_result, group, p, r, ctx); |
| 925 | } |
| 926 | |
| 927 | int ec_field_element_to_scalar(const EC_GROUP *group, BIGNUM *r) { |
| 928 | // We must have p < 2×order, assuming p is not tiny (p >= 17). Thus rather we |
| 929 | // can reduce by performing at most one subtraction. |
| 930 | // |
| 931 | // Proof: We only work with prime order curves, so the number of points on |
| 932 | // the curve is the order. Thus Hasse's theorem gives: |
| 933 | // |
| 934 | // |order - (p + 1)| <= 2×sqrt(p) |
| 935 | // p + 1 - order <= 2×sqrt(p) |
| 936 | // p + 1 - 2×sqrt(p) <= order |
| 937 | // p + 1 - 2×(p/4) < order (p/4 > sqrt(p) for p >= 17) |
| 938 | // p/2 < p/2 + 1 < order |
| 939 | // p < 2×order |
| 940 | // |
| 941 | // Additionally, one can manually check this property for built-in curves. It |
| 942 | // is enforced for legacy custom curves in |EC_GROUP_set_generator|. |
| 943 | // |
| 944 | // TODO(davidben): Introduce |EC_FIELD_ELEMENT|, make this a function from |
| 945 | // |EC_FIELD_ELEMENT| to |EC_SCALAR|, and cut out the |BIGNUM|. Does this need |
| 946 | // to be constant-time for signing? |r| is the x-coordinate for kG, which is |
| 947 | // public unless k was rerolled because |s| was zero. |
| 948 | assert(!BN_is_negative(r)); |
| 949 | assert(BN_cmp(r, &group->field) < 0); |
| 950 | if (BN_cmp(r, &group->order) >= 0 && |
| 951 | !BN_sub(r, r, &group->order)) { |
| 952 | return 0; |
| 953 | } |
| 954 | assert(!BN_is_negative(r)); |
| 955 | assert(BN_cmp(r, &group->order) < 0); |
| 956 | return 1; |
| 957 | } |
| 958 | |
Adam Langley | f7e890d | 2015-03-31 18:58:05 -0700 | [diff] [blame] | 959 | void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) {} |
| 960 | |
| 961 | const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group) { |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 962 | // This function exists purely to give callers a way to call |
| 963 | // |EC_METHOD_get_field_type|. cryptography.io crashes if |EC_GROUP_method_of| |
| 964 | // returns NULL, so return some other garbage pointer. |
| 965 | return (const EC_METHOD *)0x12340000; |
Adam Langley | f7e890d | 2015-03-31 18:58:05 -0700 | [diff] [blame] | 966 | } |
| 967 | |
| 968 | int EC_METHOD_get_field_type(const EC_METHOD *meth) { |
| 969 | return NID_X9_62_prime_field; |
| 970 | } |
Adam Langley | 830beae | 2015-04-20 10:49:33 -0700 | [diff] [blame] | 971 | |
| 972 | void EC_GROUP_set_point_conversion_form(EC_GROUP *group, |
| 973 | point_conversion_form_t form) { |
| 974 | if (form != POINT_CONVERSION_UNCOMPRESSED) { |
| 975 | abort(); |
| 976 | } |
| 977 | } |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 978 | |
| 979 | size_t EC_get_builtin_curves(EC_builtin_curve *out_curves, |
| 980 | size_t max_num_curves) { |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 981 | const struct built_in_curves *const curves = OPENSSL_built_in_curves(); |
| 982 | |
| 983 | for (size_t i = 0; i < max_num_curves && i < OPENSSL_NUM_BUILT_IN_CURVES; |
| 984 | i++) { |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 985 | out_curves[i].comment = curves->curves[i].comment; |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 986 | out_curves[i].nid = curves->curves[i].nid; |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 987 | } |
| 988 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 989 | return OPENSSL_NUM_BUILT_IN_CURVES; |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 990 | } |