Blame - src/crypto/fipsmodule/ec/simple.c - platform/external/boringssl

blob: 57a9099def47407d40bb4f6c348aa378cca064db [file] [log] [blame]

Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	1	/* Originally written by Bodo Moeller for the OpenSSL project.
				2	* ====================================================================
				3	* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
				4	*
				5	* Redistribution and use in source and binary forms, with or without
				6	* modification, are permitted provided that the following conditions
				7	* are met:
				8	*
				9	* 1. Redistributions of source code must retain the above copyright
				10	* notice, this list of conditions and the following disclaimer.
				11	*
				12	* 2. Redistributions in binary form must reproduce the above copyright
				13	* notice, this list of conditions and the following disclaimer in
				14	* the documentation and/or other materials provided with the
				15	* distribution.
				16	*
				17	* 3. All advertising materials mentioning features or use of this
				18	* software must display the following acknowledgment:
				19	* "This product includes software developed by the OpenSSL Project
				20	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
				21	*
				22	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
				23	* endorse or promote products derived from this software without
				24	* prior written permission. For written permission, please contact
				25	* openssl-core@openssl.org.
				26	*
				27	* 5. Products derived from this software may not be called "OpenSSL"
				28	* nor may "OpenSSL" appear in their names without prior written
				29	* permission of the OpenSSL Project.
				30	*
				31	* 6. Redistributions of any form whatsoever must retain the following
				32	* acknowledgment:
				33	* "This product includes software developed by the OpenSSL Project
				34	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
				35	*
				36	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
				37	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
				38	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
				39	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
				40	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
				41	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				42	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
				43	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
				44	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
				45	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
				46	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
				47	* OF THE POSSIBILITY OF SUCH DAMAGE.
				48	* ====================================================================
				49	*
				50	* This product includes cryptographic software written by Eric Young
				51	* (eay@cryptsoft.com). This product includes software written by Tim
				52	* Hudson (tjh@cryptsoft.com).
				53	*
				54	*/
				55	/* ====================================================================
				56	* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
				57	*
				58	* Portions of the attached software ("Contribution") are developed by
				59	* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
				60	*
				61	* The Contribution is licensed pursuant to the OpenSSL open source
				62	* license provided above.
				63	*
				64	* The elliptic curve binary polynomial software is originally written by
				65	* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
				66	* Laboratories. */
				67
				68	#include <openssl/ec.h>
				69
				70	#include <string.h>
				71
				72	#include <openssl/bn.h>
				73	#include <openssl/err.h>
				74	#include <openssl/mem.h>
				75
				76	#include "internal.h"
Robert Sloan	8ff0355	2017-06-14 12:40:58 -0700	[diff] [blame]	77	#include "../../internal.h"
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	78
				79
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	80	// Most method functions in this file are designed to work with non-trivial
				81	// representations of field elements if necessary (see ecp_mont.c): while
				82	// standard modular addition and subtraction are used, the field_mul and
				83	// field_sqr methods will be used for multiplication, and field_encode and
				84	// field_decode (if defined) will be used for converting between
				85	// representations.
				86	//
				87	// Functions here specifically assume that if a non-trivial representation is
				88	// used, it is a Montgomery representation (i.e. 'encoding' means multiplying
				89	// by some factor R).
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	90
				91	int ec_GFp_simple_group_init(EC_GROUP *group) {
				92	BN_init(&group->field);
				93	BN_init(&group->a);
				94	BN_init(&group->b);
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	95	BN_init(&group->one);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	96	group->a_is_minus3 = 0;
				97	return 1;
				98	}
				99
				100	void ec_GFp_simple_group_finish(EC_GROUP *group) {
				101	BN_free(&group->field);
				102	BN_free(&group->a);
				103	BN_free(&group->b);
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	104	BN_free(&group->one);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	105	}
				106
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	107	int ec_GFp_simple_group_set_curve(EC_GROUP group, const BIGNUM p,
				108	const BIGNUM a, const BIGNUM b,
				109	BN_CTX *ctx) {
				110	int ret = 0;
				111	BN_CTX *new_ctx = NULL;
				112	BIGNUM *tmp_a;
				113
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	114	// p must be a prime > 3
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	115	if (BN_num_bits(p) <= 2 \|\| !BN_is_odd(p)) {
Kenny Root	b849459	2015-09-25 02:29:14 +0000	[diff] [blame]	116	OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	117	return 0;
				118	}
				119
				120	if (ctx == NULL) {
				121	ctx = new_ctx = BN_CTX_new();
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	122	if (ctx == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	123	return 0;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	124	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	125	}
				126
				127	BN_CTX_start(ctx);
				128	tmp_a = BN_CTX_get(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	129	if (tmp_a == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	130	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	131	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	132
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	133	// group->field
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	134	if (!BN_copy(&group->field, p)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	135	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	136	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	137	BN_set_negative(&group->field, 0);
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	138	// Store the field in minimal form, so it can be used with \|BN_ULONG\| arrays.
				139	bn_set_minimal_width(&group->field);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	140
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	141	// group->a
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	142	if (!BN_nnmod(tmp_a, a, &group->field, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	143	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	144	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	145	if (group->meth->field_encode) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	146	if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	147	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	148	}
				149	} else if (!BN_copy(&group->a, tmp_a)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	150	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	151	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	152
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	153	// group->b
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	154	if (!BN_nnmod(&group->b, b, &group->field, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	155	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	156	}
				157	if (group->meth->field_encode &&
				158	!group->meth->field_encode(group, &group->b, &group->b, ctx)) {
				159	goto err;
				160	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	161
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	162	// group->a_is_minus3
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	163	if (!BN_add_word(tmp_a, 3)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	164	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	165	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	166	group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
				167
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	168	if (group->meth->field_encode != NULL) {
				169	if (!group->meth->field_encode(group, &group->one, BN_value_one(), ctx)) {
				170	goto err;
				171	}
				172	} else if (!BN_copy(&group->one, BN_value_one())) {
				173	goto err;
				174	}
				175
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	176	ret = 1;
				177
				178	err:
				179	BN_CTX_end(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	180	BN_CTX_free(new_ctx);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	181	return ret;
				182	}
				183
				184	int ec_GFp_simple_group_get_curve(const EC_GROUP group, BIGNUM p, BIGNUM *a,
				185	BIGNUM b, BN_CTX ctx) {
				186	int ret = 0;
				187	BN_CTX *new_ctx = NULL;
				188
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	189	if (p != NULL && !BN_copy(p, &group->field)) {
				190	return 0;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	191	}
				192
				193	if (a != NULL \|\| b != NULL) {
				194	if (group->meth->field_decode) {
				195	if (ctx == NULL) {
				196	ctx = new_ctx = BN_CTX_new();
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	197	if (ctx == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	198	return 0;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	199	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	200	}
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	201	if (a != NULL && !group->meth->field_decode(group, a, &group->a, ctx)) {
				202	goto err;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	203	}
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	204	if (b != NULL && !group->meth->field_decode(group, b, &group->b, ctx)) {
				205	goto err;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	206	}
				207	} else {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	208	if (a != NULL && !BN_copy(a, &group->a)) {
				209	goto err;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	210	}
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	211	if (b != NULL && !BN_copy(b, &group->b)) {
				212	goto err;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	213	}
				214	}
				215	}
				216
				217	ret = 1;
				218
				219	err:
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	220	BN_CTX_free(new_ctx);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	221	return ret;
				222	}
				223
Kenny Root	e99801b	2015-11-06 15:31:15 -0800	[diff] [blame]	224	unsigned ec_GFp_simple_group_get_degree(const EC_GROUP *group) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	225	return BN_num_bits(&group->field);
				226	}
				227
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	228	int ec_GFp_simple_point_init(EC_POINT *point) {
				229	BN_init(&point->X);
				230	BN_init(&point->Y);
				231	BN_init(&point->Z);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	232
				233	return 1;
				234	}
				235
				236	void ec_GFp_simple_point_finish(EC_POINT *point) {
				237	BN_free(&point->X);
				238	BN_free(&point->Y);
				239	BN_free(&point->Z);
				240	}
				241
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	242	int ec_GFp_simple_point_copy(EC_POINT dest, const EC_POINT src) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	243	if (!BN_copy(&dest->X, &src->X) \|\|
				244	!BN_copy(&dest->Y, &src->Y) \|\|
				245	!BN_copy(&dest->Z, &src->Z)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	246	return 0;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	247	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	248
				249	return 1;
				250	}
				251
				252	int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,
				253	EC_POINT *point) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	254	BN_zero(&point->Z);
				255	return 1;
				256	}
				257
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	258	static int set_Jprojective_coordinate_GFp(const EC_GROUP group, BIGNUM out,
				259	const BIGNUM in, BN_CTX ctx) {
				260	if (in == NULL) {
				261	return 1;
				262	}
				263	if (BN_is_negative(in) \|\|
				264	BN_cmp(in, &group->field) >= 0) {
				265	OPENSSL_PUT_ERROR(EC, EC_R_COORDINATES_OUT_OF_RANGE);
				266	return 0;
				267	}
				268	if (group->meth->field_encode) {
				269	return group->meth->field_encode(group, out, in, ctx);
				270	}
				271	return BN_copy(out, in) != NULL;
				272	}
				273
Robert Sloan	0db7f54	2018-01-16 15:48:33 -0800	[diff] [blame]	274	int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group,
				275	EC_POINT point, const BIGNUM x,
				276	const BIGNUM y, BN_CTX ctx) {
				277	if (x == NULL \|\| y == NULL) {
				278	OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
				279	return 0;
				280	}
				281
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	282	BN_CTX *new_ctx = NULL;
				283	int ret = 0;
				284
				285	if (ctx == NULL) {
				286	ctx = new_ctx = BN_CTX_new();
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	287	if (ctx == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	288	return 0;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	289	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	290	}
				291
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	292	if (!set_Jprojective_coordinate_GFp(group, &point->X, x, ctx) \|\|
				293	!set_Jprojective_coordinate_GFp(group, &point->Y, y, ctx) \|\|
Robert Sloan	0db7f54	2018-01-16 15:48:33 -0800	[diff] [blame]	294	!BN_copy(&point->Z, &group->one)) {
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	295	goto err;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	296	}
				297
				298	ret = 1;
				299
				300	err:
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	301	BN_CTX_free(new_ctx);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	302	return ret;
				303	}
				304
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	305	int ec_GFp_simple_add(const EC_GROUP group, EC_POINT r, const EC_POINT *a,
				306	const EC_POINT b, BN_CTX ctx) {
				307	int (field_mul)(const EC_GROUP , BIGNUM , const BIGNUM , const BIGNUM *,
				308	BN_CTX *);
				309	int (field_sqr)(const EC_GROUP , BIGNUM , const BIGNUM , BN_CTX *);
				310	const BIGNUM *p;
				311	BN_CTX *new_ctx = NULL;
				312	BIGNUM n0, n1, n2, n3, n4, n5, *n6;
				313	int ret = 0;
				314
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	315	if (a == b) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	316	return EC_POINT_dbl(group, r, a, ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	317	}
				318	if (EC_POINT_is_at_infinity(group, a)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	319	return EC_POINT_copy(r, b);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	320	}
				321	if (EC_POINT_is_at_infinity(group, b)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	322	return EC_POINT_copy(r, a);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	323	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	324
				325	field_mul = group->meth->field_mul;
				326	field_sqr = group->meth->field_sqr;
				327	p = &group->field;
				328
				329	if (ctx == NULL) {
				330	ctx = new_ctx = BN_CTX_new();
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	331	if (ctx == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	332	return 0;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	333	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	334	}
				335
				336	BN_CTX_start(ctx);
				337	n0 = BN_CTX_get(ctx);
				338	n1 = BN_CTX_get(ctx);
				339	n2 = BN_CTX_get(ctx);
				340	n3 = BN_CTX_get(ctx);
				341	n4 = BN_CTX_get(ctx);
				342	n5 = BN_CTX_get(ctx);
				343	n6 = BN_CTX_get(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	344	if (n6 == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	345	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	346	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	347
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	348	// Note that in this function we must not read components of 'a' or 'b'
				349	// once we have written the corresponding components of 'r'.
				350	// ('r' might be one of 'a' or 'b'.)
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	351
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	352	// n1, n2
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	353	int b_Z_is_one = BN_cmp(&b->Z, &group->one) == 0;
				354
				355	if (b_Z_is_one) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	356	if (!BN_copy(n1, &a->X) \|\| !BN_copy(n2, &a->Y)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	357	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	358	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	359	// n1 = X_a
				360	// n2 = Y_a
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	361	} else {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	362	if (!field_sqr(group, n0, &b->Z, ctx) \|\|
				363	!field_mul(group, n1, &a->X, n0, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	364	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	365	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	366	// n1 = X_a * Z_b^2
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	367
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	368	if (!field_mul(group, n0, n0, &b->Z, ctx) \|\|
				369	!field_mul(group, n2, &a->Y, n0, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	370	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	371	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	372	// n2 = Y_a * Z_b^3
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	373	}
				374
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	375	// n3, n4
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	376	int a_Z_is_one = BN_cmp(&a->Z, &group->one) == 0;
				377	if (a_Z_is_one) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	378	if (!BN_copy(n3, &b->X) \|\| !BN_copy(n4, &b->Y)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	379	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	380	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	381	// n3 = X_b
				382	// n4 = Y_b
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	383	} else {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	384	if (!field_sqr(group, n0, &a->Z, ctx) \|\|
				385	!field_mul(group, n3, &b->X, n0, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	386	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	387	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	388	// n3 = X_b * Z_a^2
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	389
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	390	if (!field_mul(group, n0, n0, &a->Z, ctx) \|\|
				391	!field_mul(group, n4, &b->Y, n0, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	392	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	393	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	394	// n4 = Y_b * Z_a^3
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	395	}
				396
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	397	// n5, n6
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	398	if (!bn_mod_sub_quick_ctx(n5, n1, n3, p, ctx) \|\|
				399	!bn_mod_sub_quick_ctx(n6, n2, n4, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	400	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	401	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	402	// n5 = n1 - n3
				403	// n6 = n2 - n4
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	404
				405	if (BN_is_zero(n5)) {
				406	if (BN_is_zero(n6)) {
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	407	// a is the same point as b
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	408	BN_CTX_end(ctx);
				409	ret = EC_POINT_dbl(group, r, a, ctx);
				410	ctx = NULL;
				411	goto end;
				412	} else {
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	413	// a is the inverse of b
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	414	BN_zero(&r->Z);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	415	ret = 1;
				416	goto end;
				417	}
				418	}
				419
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	420	// 'n7', 'n8'
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	421	if (!bn_mod_add_quick_ctx(n1, n1, n3, p, ctx) \|\|
				422	!bn_mod_add_quick_ctx(n2, n2, n4, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	423	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	424	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	425	// 'n7' = n1 + n3
				426	// 'n8' = n2 + n4
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	427
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	428	// Z_r
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	429	if (a_Z_is_one && b_Z_is_one) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	430	if (!BN_copy(&r->Z, n5)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	431	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	432	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	433	} else {
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	434	if (a_Z_is_one) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	435	if (!BN_copy(n0, &b->Z)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	436	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	437	}
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	438	} else if (b_Z_is_one) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	439	if (!BN_copy(n0, &a->Z)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	440	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	441	}
				442	} else if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	443	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	444	}
				445	if (!field_mul(group, &r->Z, n0, n5, ctx)) {
				446	goto end;
				447	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	448	}
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	449
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	450	// Z_r = Z_a * Z_b * n5
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	451
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	452	// X_r
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	453	if (!field_sqr(group, n0, n6, ctx) \|\|
				454	!field_sqr(group, n4, n5, ctx) \|\|
				455	!field_mul(group, n3, n1, n4, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	456	!bn_mod_sub_quick_ctx(&r->X, n0, n3, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	457	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	458	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	459	// X_r = n6^2 - n5^2 * 'n7'
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	460
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	461	// 'n9'
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	462	if (!bn_mod_lshift1_quick_ctx(n0, &r->X, p, ctx) \|\|
				463	!bn_mod_sub_quick_ctx(n0, n3, n0, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	464	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	465	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	466	// n9 = n5^2 * 'n7' - 2 * X_r
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	467
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	468	// Y_r
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	469	if (!field_mul(group, n0, n0, n6, ctx) \|\|
				470	!field_mul(group, n5, n4, n5, ctx)) {
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	471	goto end; // now n5 is n5^3
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	472	}
				473	if (!field_mul(group, n1, n2, n5, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	474	!bn_mod_sub_quick_ctx(n0, n0, n1, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	475	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	476	}
				477	if (BN_is_odd(n0) && !BN_add(n0, n0, p)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	478	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	479	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	480	// now 0 <= n0 < 2*p, and n0 is even
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	481	if (!BN_rshift1(&r->Y, n0)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	482	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	483	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	484	// Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	485
				486	ret = 1;
				487
				488	end:
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	489	if (ctx) {
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	490	// otherwise we already called BN_CTX_end
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	491	BN_CTX_end(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	492	}
				493	BN_CTX_free(new_ctx);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	494	return ret;
				495	}
				496
				497	int ec_GFp_simple_dbl(const EC_GROUP group, EC_POINT r, const EC_POINT *a,
				498	BN_CTX *ctx) {
				499	int (field_mul)(const EC_GROUP , BIGNUM , const BIGNUM , const BIGNUM *,
				500	BN_CTX *);
				501	int (field_sqr)(const EC_GROUP , BIGNUM , const BIGNUM , BN_CTX *);
				502	const BIGNUM *p;
				503	BN_CTX *new_ctx = NULL;
				504	BIGNUM n0, n1, n2, n3;
				505	int ret = 0;
				506
				507	if (EC_POINT_is_at_infinity(group, a)) {
				508	BN_zero(&r->Z);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	509	return 1;
				510	}
				511
				512	field_mul = group->meth->field_mul;
				513	field_sqr = group->meth->field_sqr;
				514	p = &group->field;
				515
				516	if (ctx == NULL) {
				517	ctx = new_ctx = BN_CTX_new();
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	518	if (ctx == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	519	return 0;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	520	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	521	}
				522
				523	BN_CTX_start(ctx);
				524	n0 = BN_CTX_get(ctx);
				525	n1 = BN_CTX_get(ctx);
				526	n2 = BN_CTX_get(ctx);
				527	n3 = BN_CTX_get(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	528	if (n3 == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	529	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	530	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	531
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	532	// Note that in this function we must not read components of 'a'
				533	// once we have written the corresponding components of 'r'.
				534	// ('r' might the same as 'a'.)
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	535
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	536	// n1
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	537	if (BN_cmp(&a->Z, &group->one) == 0) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	538	if (!field_sqr(group, n0, &a->X, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	539	!bn_mod_lshift1_quick_ctx(n1, n0, p, ctx) \|\|
				540	!bn_mod_add_quick_ctx(n0, n0, n1, p, ctx) \|\|
				541	!bn_mod_add_quick_ctx(n1, n0, &group->a, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	542	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	543	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	544	// n1 = 3 * X_a^2 + a_curve
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	545	} else if (group->a_is_minus3) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	546	if (!field_sqr(group, n1, &a->Z, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	547	!bn_mod_add_quick_ctx(n0, &a->X, n1, p, ctx) \|\|
				548	!bn_mod_sub_quick_ctx(n2, &a->X, n1, p, ctx) \|\|
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	549	!field_mul(group, n1, n0, n2, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	550	!bn_mod_lshift1_quick_ctx(n0, n1, p, ctx) \|\|
				551	!bn_mod_add_quick_ctx(n1, n0, n1, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	552	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	553	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	554	// n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
				555	// = 3 * X_a^2 - 3 * Z_a^4
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	556	} else {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	557	if (!field_sqr(group, n0, &a->X, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	558	!bn_mod_lshift1_quick_ctx(n1, n0, p, ctx) \|\|
				559	!bn_mod_add_quick_ctx(n0, n0, n1, p, ctx) \|\|
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	560	!field_sqr(group, n1, &a->Z, ctx) \|\|
				561	!field_sqr(group, n1, n1, ctx) \|\|
				562	!field_mul(group, n1, n1, &group->a, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	563	!bn_mod_add_quick_ctx(n1, n1, n0, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	564	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	565	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	566	// n1 = 3 * X_a^2 + a_curve * Z_a^4
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	567	}
				568
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	569	// Z_r
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	570	if (BN_cmp(&a->Z, &group->one) == 0) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	571	if (!BN_copy(n0, &a->Y)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	572	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	573	}
				574	} else if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	575	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	576	}
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	577	if (!bn_mod_lshift1_quick_ctx(&r->Z, n0, p, ctx)) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	578	goto err;
				579	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	580	// Z_r = 2 * Y_a * Z_a
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	581
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	582	// n2
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	583	if (!field_sqr(group, n3, &a->Y, ctx) \|\|
				584	!field_mul(group, n2, &a->X, n3, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	585	!bn_mod_lshift_quick_ctx(n2, n2, 2, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	586	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	587	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	588	// n2 = 4 * X_a * Y_a^2
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	589
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	590	// X_r
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	591	if (!bn_mod_lshift1_quick_ctx(n0, n2, p, ctx) \|\|
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	592	!field_sqr(group, &r->X, n1, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	593	!bn_mod_sub_quick_ctx(&r->X, &r->X, n0, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	594	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	595	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	596	// X_r = n1^2 - 2 * n2
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	597
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	598	// n3
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	599	if (!field_sqr(group, n0, n3, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	600	!bn_mod_lshift_quick_ctx(n3, n0, 3, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	601	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	602	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	603	// n3 = 8 * Y_a^4
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	604
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	605	// Y_r
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	606	if (!bn_mod_sub_quick_ctx(n0, n2, &r->X, p, ctx) \|\|
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	607	!field_mul(group, n0, n1, n0, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	608	!bn_mod_sub_quick_ctx(&r->Y, n0, n3, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	609	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	610	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	611	// Y_r = n1 * (n2 - X_r) - n3
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	612
				613	ret = 1;
				614
				615	err:
				616	BN_CTX_end(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	617	BN_CTX_free(new_ctx);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	618	return ret;
				619	}
				620
				621	int ec_GFp_simple_invert(const EC_GROUP group, EC_POINT point, BN_CTX *ctx) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	622	if (EC_POINT_is_at_infinity(group, point) \|\| BN_is_zero(&point->Y)) {
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	623	// point is its own inverse
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	624	return 1;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	625	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	626
				627	return BN_usub(&point->Y, &group->field, &point->Y);
				628	}
				629
				630	int ec_GFp_simple_is_at_infinity(const EC_GROUP group, const EC_POINT point) {
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	631	return BN_is_zero(&point->Z);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	632	}
				633
				634	int ec_GFp_simple_is_on_curve(const EC_GROUP group, const EC_POINT point,
				635	BN_CTX *ctx) {
				636	int (field_mul)(const EC_GROUP , BIGNUM , const BIGNUM , const BIGNUM *,
				637	BN_CTX *);
				638	int (field_sqr)(const EC_GROUP , BIGNUM , const BIGNUM , BN_CTX *);
				639	const BIGNUM *p;
				640	BN_CTX *new_ctx = NULL;
				641	BIGNUM rh, tmp, Z4, Z6;
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	642	int ret = 0;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	643
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	644	if (EC_POINT_is_at_infinity(group, point)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	645	return 1;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	646	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	647
				648	field_mul = group->meth->field_mul;
				649	field_sqr = group->meth->field_sqr;
				650	p = &group->field;
				651
				652	if (ctx == NULL) {
				653	ctx = new_ctx = BN_CTX_new();
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	654	if (ctx == NULL) {
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	655	return 0;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	656	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	657	}
				658
				659	BN_CTX_start(ctx);
				660	rh = BN_CTX_get(ctx);
				661	tmp = BN_CTX_get(ctx);
				662	Z4 = BN_CTX_get(ctx);
				663	Z6 = BN_CTX_get(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	664	if (Z6 == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	665	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	666	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	667
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	668	// We have a curve defined by a Weierstrass equation
				669	// y^2 = x^3 + a*x + b.
				670	// The point to consider is given in Jacobian projective coordinates
				671	// where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
				672	// Substituting this and multiplying by Z^6 transforms the above equation
				673	// into
				674	// Y^2 = X^3 + aXZ^4 + b*Z^6.
				675	// To test this, we add up the right-hand side in 'rh'.
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	676
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	677	// rh := X^2
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	678	if (!field_sqr(group, rh, &point->X, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	679	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	680	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	681
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	682	if (BN_cmp(&point->Z, &group->one) != 0) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	683	if (!field_sqr(group, tmp, &point->Z, ctx) \|\|
				684	!field_sqr(group, Z4, tmp, ctx) \|\|
				685	!field_mul(group, Z6, Z4, tmp, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	686	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	687	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	688
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	689	// rh := (rh + aZ^4)X
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	690	if (group->a_is_minus3) {
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	691	if (!bn_mod_lshift1_quick_ctx(tmp, Z4, p, ctx) \|\|
				692	!bn_mod_add_quick_ctx(tmp, tmp, Z4, p, ctx) \|\|
				693	!bn_mod_sub_quick_ctx(rh, rh, tmp, p, ctx) \|\|
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	694	!field_mul(group, rh, rh, &point->X, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	695	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	696	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	697	} else {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	698	if (!field_mul(group, tmp, Z4, &group->a, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	699	!bn_mod_add_quick_ctx(rh, rh, tmp, p, ctx) \|\|
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	700	!field_mul(group, rh, rh, &point->X, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	701	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	702	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	703	}
				704
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	705	// rh := rh + b*Z^6
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	706	if (!field_mul(group, tmp, &group->b, Z6, ctx) \|\|
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	707	!bn_mod_add_quick_ctx(rh, rh, tmp, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	708	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	709	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	710	} else {
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	711	// rh := (rh + a)*X
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	712	if (!bn_mod_add_quick_ctx(rh, rh, &group->a, p, ctx) \|\|
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	713	!field_mul(group, rh, rh, &point->X, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	714	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	715	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	716	// rh := rh + b
Robert Sloan	ab8b888	2018-03-26 11:39:51 -0700	[diff] [blame^]	717	if (!bn_mod_add_quick_ctx(rh, rh, &group->b, p, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	718	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	719	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	720	}
				721
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	722	// 'lh' := Y^2
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	723	if (!field_sqr(group, tmp, &point->Y, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	724	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	725	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	726
				727	ret = (0 == BN_ucmp(tmp, rh));
				728
				729	err:
				730	BN_CTX_end(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	731	BN_CTX_free(new_ctx);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	732	return ret;
				733	}
				734
				735	int ec_GFp_simple_cmp(const EC_GROUP group, const EC_POINT a,
				736	const EC_POINT b, BN_CTX ctx) {
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	737	// return values:
				738	// -1 error
				739	// 0 equal (in affine coordinates)
				740	// 1 not equal
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	741
				742	int (field_mul)(const EC_GROUP , BIGNUM , const BIGNUM , const BIGNUM *,
				743	BN_CTX *);
				744	int (field_sqr)(const EC_GROUP , BIGNUM , const BIGNUM , BN_CTX *);
				745	BN_CTX *new_ctx = NULL;
				746	BIGNUM tmp1, tmp2, Za23, Zb23;
				747	const BIGNUM tmp1_, tmp2_;
				748	int ret = -1;
				749
Robert Sloan	29c1d2c	2017-10-30 14:10:28 -0700	[diff] [blame]	750	if (ec_GFp_simple_is_at_infinity(group, a)) {
				751	return ec_GFp_simple_is_at_infinity(group, b) ? 0 : 1;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	752	}
				753
Robert Sloan	29c1d2c	2017-10-30 14:10:28 -0700	[diff] [blame]	754	if (ec_GFp_simple_is_at_infinity(group, b)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	755	return 1;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	756	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	757
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	758	int a_Z_is_one = BN_cmp(&a->Z, &group->one) == 0;
				759	int b_Z_is_one = BN_cmp(&b->Z, &group->one) == 0;
				760
				761	if (a_Z_is_one && b_Z_is_one) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	762	return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
				763	}
				764
				765	field_mul = group->meth->field_mul;
				766	field_sqr = group->meth->field_sqr;
				767
				768	if (ctx == NULL) {
				769	ctx = new_ctx = BN_CTX_new();
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	770	if (ctx == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	771	return -1;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	772	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	773	}
				774
				775	BN_CTX_start(ctx);
				776	tmp1 = BN_CTX_get(ctx);
				777	tmp2 = BN_CTX_get(ctx);
				778	Za23 = BN_CTX_get(ctx);
				779	Zb23 = BN_CTX_get(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	780	if (Zb23 == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	781	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	782	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	783
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	784	// We have to decide whether
				785	// (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
				786	// or equivalently, whether
				787	// (X_aZ_b^2, Y_aZ_b^3) = (X_bZ_a^2, Y_bZ_a^3).
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	788
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	789	if (!b_Z_is_one) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	790	if (!field_sqr(group, Zb23, &b->Z, ctx) \|\|
				791	!field_mul(group, tmp1, &a->X, Zb23, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	792	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	793	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	794	tmp1_ = tmp1;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	795	} else {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	796	tmp1_ = &a->X;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	797	}
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	798	if (!a_Z_is_one) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	799	if (!field_sqr(group, Za23, &a->Z, ctx) \|\|
				800	!field_mul(group, tmp2, &b->X, Za23, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	801	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	802	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	803	tmp2_ = tmp2;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	804	} else {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	805	tmp2_ = &b->X;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	806	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	807
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	808	// compare X_aZ_b^2 with X_bZ_a^2
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	809	if (BN_cmp(tmp1_, tmp2_) != 0) {
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	810	ret = 1; // points differ
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	811	goto end;
				812	}
				813
				814
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	815	if (!b_Z_is_one) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	816	if (!field_mul(group, Zb23, Zb23, &b->Z, ctx) \|\|
				817	!field_mul(group, tmp1, &a->Y, Zb23, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	818	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	819	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	820	// tmp1_ = tmp1
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	821	} else {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	822	tmp1_ = &a->Y;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	823	}
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	824	if (!a_Z_is_one) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	825	if (!field_mul(group, Za23, Za23, &a->Z, ctx) \|\|
				826	!field_mul(group, tmp2, &b->Y, Za23, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	827	goto end;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	828	}
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	829	// tmp2_ = tmp2
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	830	} else {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	831	tmp2_ = &b->Y;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	832	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	833
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	834	// compare Y_aZ_b^3 with Y_bZ_a^3
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	835	if (BN_cmp(tmp1_, tmp2_) != 0) {
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	836	ret = 1; // points differ
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	837	goto end;
				838	}
				839
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	840	// points are equal
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	841	ret = 0;
				842
				843	end:
				844	BN_CTX_end(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	845	BN_CTX_free(new_ctx);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	846	return ret;
				847	}
				848
				849	int ec_GFp_simple_make_affine(const EC_GROUP group, EC_POINT point,
				850	BN_CTX *ctx) {
				851	BN_CTX *new_ctx = NULL;
				852	BIGNUM x, y;
				853	int ret = 0;
				854
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	855	if (BN_cmp(&point->Z, &group->one) == 0 \|\|
				856	EC_POINT_is_at_infinity(group, point)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	857	return 1;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	858	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	859
				860	if (ctx == NULL) {
				861	ctx = new_ctx = BN_CTX_new();
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	862	if (ctx == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	863	return 0;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	864	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	865	}
				866
				867	BN_CTX_start(ctx);
				868	x = BN_CTX_get(ctx);
				869	y = BN_CTX_get(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	870	if (y == NULL) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	871	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	872	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	873
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	874	if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx) \|\|
				875	!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	876	goto err;
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	877	}
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	878	if (BN_cmp(&point->Z, &group->one) != 0) {
Kenny Root	b849459	2015-09-25 02:29:14 +0000	[diff] [blame]	879	OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	880	goto err;
				881	}
				882
				883	ret = 1;
				884
				885	err:
				886	BN_CTX_end(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	887	BN_CTX_free(new_ctx);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	888	return ret;
				889	}
				890
				891	int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
				892	EC_POINT points[], BN_CTX ctx) {
				893	BN_CTX *new_ctx = NULL;
				894	BIGNUM tmp, tmp_Z;
				895	BIGNUM **prod_Z = NULL;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	896	int ret = 0;
				897
				898	if (num == 0) {
				899	return 1;
				900	}
				901
				902	if (ctx == NULL) {
				903	ctx = new_ctx = BN_CTX_new();
				904	if (ctx == NULL) {
				905	return 0;
				906	}
				907	}
				908
				909	BN_CTX_start(ctx);
				910	tmp = BN_CTX_get(ctx);
				911	tmp_Z = BN_CTX_get(ctx);
				912	if (tmp == NULL \|\| tmp_Z == NULL) {
				913	goto err;
				914	}
				915
				916	prod_Z = OPENSSL_malloc(num * sizeof(prod_Z[0]));
				917	if (prod_Z == NULL) {
				918	goto err;
				919	}
Robert Sloan	69939df	2017-01-09 10:53:07 -0800	[diff] [blame]	920	OPENSSL_memset(prod_Z, 0, num * sizeof(prod_Z[0]));
David Benjamin	7c0d06c	2016-08-11 13:26:41 -0400	[diff] [blame]	921	for (size_t i = 0; i < num; i++) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	922	prod_Z[i] = BN_new();
				923	if (prod_Z[i] == NULL) {
				924	goto err;
				925	}
				926	}
				927
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	928	// Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
				929	// skipping any zero-valued inputs (pretend that they're 1).
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	930
				931	if (!BN_is_zero(&points[0]->Z)) {
				932	if (!BN_copy(prod_Z[0], &points[0]->Z)) {
				933	goto err;
				934	}
				935	} else {
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	936	if (BN_copy(prod_Z[0], &group->one) == NULL) {
				937	goto err;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	938	}
				939	}
				940
David Benjamin	7c0d06c	2016-08-11 13:26:41 -0400	[diff] [blame]	941	for (size_t i = 1; i < num; i++) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	942	if (!BN_is_zero(&points[i]->Z)) {
				943	if (!group->meth->field_mul(group, prod_Z[i], prod_Z[i - 1],
				944	&points[i]->Z, ctx)) {
				945	goto err;
				946	}
				947	} else {
				948	if (!BN_copy(prod_Z[i], prod_Z[i - 1])) {
				949	goto err;
				950	}
				951	}
				952	}
				953
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	954	// Now use a single explicit inversion to replace every non-zero points[i]->Z
				955	// by its inverse. We use \|BN_mod_inverse_odd\| instead of doing a constant-
				956	// time inversion using Fermat's Little Theorem because this function is
				957	// usually only used for converting multiples of a public key point to
				958	// affine, and a public key point isn't secret. If we were to use Fermat's
				959	// Little Theorem then the cost of the inversion would usually be so high
				960	// that converting the multiples to affine would be counterproductive.
David Benjamin	c895d6b	2016-08-11 13:26:41 -0400	[diff] [blame]	961	int no_inverse;
				962	if (!BN_mod_inverse_odd(tmp, &no_inverse, prod_Z[num - 1], &group->field,
				963	ctx)) {
Kenny Root	b849459	2015-09-25 02:29:14 +0000	[diff] [blame]	964	OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	965	goto err;
				966	}
				967
				968	if (group->meth->field_encode != NULL) {
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	969	// In the Montgomery case, we just turned R*H (representing H)
				970	// into 1/(RH), but we need R(1/H) (representing 1/H);
				971	// i.e. we need to multiply by the Montgomery factor twice.
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	972	if (!group->meth->field_encode(group, tmp, tmp, ctx) \|\|
				973	!group->meth->field_encode(group, tmp, tmp, ctx)) {
				974	goto err;
				975	}
				976	}
				977
David Benjamin	7c0d06c	2016-08-11 13:26:41 -0400	[diff] [blame]	978	for (size_t i = num - 1; i > 0; --i) {
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	979	// Loop invariant: tmp is the product of the inverses of
				980	// points[0]->Z .. points[i]->Z (zero-valued inputs skipped).
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	981	if (BN_is_zero(&points[i]->Z)) {
				982	continue;
				983	}
				984
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	985	// Set tmp_Z to the inverse of points[i]->Z (as product
				986	// of Z inverses 0 .. i, Z values 0 .. i - 1).
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	987	if (!group->meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx) \|\|
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	988	// Update tmp to satisfy the loop invariant for i - 1.
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	989	!group->meth->field_mul(group, tmp, tmp, &points[i]->Z, ctx) \|\|
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	990	// Replace points[i]->Z by its inverse.
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	991	!BN_copy(&points[i]->Z, tmp_Z)) {
				992	goto err;
				993	}
				994	}
				995
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	996	// Replace points[0]->Z by its inverse.
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	997	if (!BN_is_zero(&points[0]->Z) && !BN_copy(&points[0]->Z, tmp)) {
				998	goto err;
				999	}
				1000
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	1001	// Finally, fix up the X and Y coordinates for all points.
David Benjamin	7c0d06c	2016-08-11 13:26:41 -0400	[diff] [blame]	1002	for (size_t i = 0; i < num; i++) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	1003	EC_POINT *p = points[i];
				1004
				1005	if (!BN_is_zero(&p->Z)) {
Robert Sloan	8f860b1	2017-08-28 07:37:06 -0700	[diff] [blame]	1006	// turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1).
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	1007	if (!group->meth->field_sqr(group, tmp, &p->Z, ctx) \|\|
				1008	!group->meth->field_mul(group, &p->X, &p->X, tmp, ctx) \|\|
				1009	!group->meth->field_mul(group, tmp, tmp, &p->Z, ctx) \|\|
				1010	!group->meth->field_mul(group, &p->Y, &p->Y, tmp, ctx)) {
				1011	goto err;
				1012	}
				1013
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	1014	if (BN_copy(&p->Z, &group->one) == NULL) {
				1015	goto err;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	1016	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	1017	}
				1018	}
				1019
				1020	ret = 1;
				1021
				1022	err:
				1023	BN_CTX_end(ctx);
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	1024	BN_CTX_free(new_ctx);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	1025	if (prod_Z != NULL) {
David Benjamin	7c0d06c	2016-08-11 13:26:41 -0400	[diff] [blame]	1026	for (size_t i = 0; i < num; i++) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	1027	if (prod_Z[i] == NULL) {
				1028	break;
				1029	}
				1030	BN_clear_free(prod_Z[i]);
				1031	}
				1032	OPENSSL_free(prod_Z);
				1033	}
				1034
				1035	return ret;
				1036	}
				1037
				1038	int ec_GFp_simple_field_mul(const EC_GROUP group, BIGNUM r, const BIGNUM *a,
				1039	const BIGNUM b, BN_CTX ctx) {
				1040	return BN_mod_mul(r, a, b, &group->field, ctx);
				1041	}
				1042
				1043	int ec_GFp_simple_field_sqr(const EC_GROUP group, BIGNUM r, const BIGNUM *a,
				1044	BN_CTX *ctx) {
				1045	return BN_mod_sqr(r, a, &group->field, ctx);
				1046	}