Rewrite EC_GROUP_cmp()

Use better variable names (cf. https://jmilne.org/math/tips.html#4) and avoid the weird style of assigning to r (what does r stand for anyway?) and short circuiting subsequent tests using if (r || ...). Also, do not reuse the variables for order and cofactor that were previously used for the curve coefficients. ok jsing
author: tb <> 2024-11-17 06:33:35 +0000
committer: tb <> 2024-11-17 06:33:35 +0000
commit: a62b48c76c324585e4b919de1818465e2667289e (patch)
tree: a900f623295736978677750d1aa360fd50900a65
parent: b4c334cf7760113f167c0d700e27fb65de2f189a (diff)
download: openbsd-a62b48c76c324585e4b919de1818465e2667289e.tar.gz
openbsd-a62b48c76c324585e4b919de1818465e2667289e.tar.bz2
openbsd-a62b48c76c324585e4b919de1818465e2667289e.zip
1 files changed, 75 insertions, 51 deletions
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index d61dea9f12..01e21e9eb8 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.85 2024/11/08 13:55:45 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.86 2024/11/17 06:33:35 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -662,77 +662,101 @@ EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx_in)
 }
 LCRYPTO_ALIAS(EC_GROUP_check);
+/*
+ * Returns -1 on error, 0 if the groups are equal, 1 if they are distinct.
+ */
 int
-EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx)
+EC_GROUP_cmp(const EC_GROUP *group1, const EC_GROUP *group2, BN_CTX *ctx_in)
 {
-        int r = 0;
+        BN_CTX *ctx = NULL;
-        BIGNUM *a1, *a2, *a3, *b1, *b2, *b3;
+        BIGNUM *p1, *a1, *b1, *p2, *a2, *b2;
-        BN_CTX *ctx_new = NULL;
+        const EC_POINT *generator1, *generator2;
+        const BIGNUM *order1, *order2, *cofactor1, *cofactor2;
-        /* compare the field types */
+        int nid1, nid2;
-        if (ec_group_get_field_type(a) != ec_group_get_field_type(b))
+        int cmp = 1;
-                return 1;
+        int ret = -1;
-        /* compare the curve name (if present in both) */
-        if (EC_GROUP_get_curve_name(a) && EC_GROUP_get_curve_name(b) &&
-            EC_GROUP_get_curve_name(a) != EC_GROUP_get_curve_name(b))
-                return 1;
-        if (!ctx)
+        if ((ctx = ctx_in) == NULL)
-                ctx_new = ctx = BN_CTX_new();
+                ctx = BN_CTX_new();
-        if (!ctx)
+        if (ctx == NULL)
-                return -1;
+                goto err;
        BN_CTX_start(ctx);
+        if (ec_group_get_field_type(group1) != ec_group_get_field_type(group2))
+                goto distinct;
+        if ((nid1 = EC_GROUP_get_curve_name(group1)) != NID_undef &&
+            (nid2 = EC_GROUP_get_curve_name(group2)) != NID_undef) {
+                if (nid1 != nid2)
+                        goto distinct;
+        }
+        if ((p1 = BN_CTX_get(ctx)) == NULL)
+                goto err;
        if ((a1 = BN_CTX_get(ctx)) == NULL)
                goto err;
-        if ((a2 = BN_CTX_get(ctx)) == NULL)
+        if ((b1 = BN_CTX_get(ctx)) == NULL)
                goto err;
-        if ((a3 = BN_CTX_get(ctx)) == NULL)
+        if ((p2 = BN_CTX_get(ctx)) == NULL)
                goto err;
-        if ((b1 = BN_CTX_get(ctx)) == NULL)
+        if ((a2 = BN_CTX_get(ctx)) == NULL)
                goto err;
        if ((b2 = BN_CTX_get(ctx)) == NULL)
                goto err;
-        if ((b3 = BN_CTX_get(ctx)) == NULL)
+        /*
+         * If we ever support curves in non-Weierstrass form, this check needs
+         * to be adjusted. The comparison of the generators will fail anyway.
+         */
+        if (!EC_GROUP_get_curve(group1, p1, a1, b1, ctx))
+                goto err;
+        if (!EC_GROUP_get_curve(group2, p2, a2, b2, ctx))
+                goto err;
+        if (BN_cmp(p1, p2) != 0 || BN_cmp(a1, a2) != 0 || BN_cmp(b1, b2) != 0)
+                goto distinct;
+        if ((generator1 = EC_GROUP_get0_generator(group1)) == NULL)
+                goto err;
+        if ((generator2 = EC_GROUP_get0_generator(group2)) == NULL)
                goto err;
        /*
-         * XXX This approach assumes that the external representation of
+         * It does not matter whether group1 or group2 is used: both points must
-         * curves over the same field type is the same.
+         * have a matching method for this to succeed.
         */
-        if (!a->meth->group_get_curve(a, a1, a2, a3, ctx) ||
+        if ((cmp = EC_POINT_cmp(group1, generator1, generator2, ctx)) < 0)
-            !b->meth->group_get_curve(b, b1, b2, b3, ctx))
+                goto err;
-                r = 1;
+        if (cmp == 1)
+                goto distinct;
-        if (r || BN_cmp(a1, b1) || BN_cmp(a2, b2) || BN_cmp(a3, b3))
+        cmp = 1;
-                r = 1;
+        if ((order1 = EC_GROUP_get0_order(group1)) == NULL)
-        /* XXX EC_POINT_cmp() assumes that the methods are equal */
+                goto err;
-        if (r || EC_POINT_cmp(a, EC_GROUP_get0_generator(a),
+        if ((order2 = EC_GROUP_get0_order(group2)) == NULL)
-                EC_GROUP_get0_generator(b), ctx))
+                goto err;
-                r = 1;
+        if ((cofactor1 = EC_GROUP_get0_cofactor(group1)) == NULL)
-        if (!r) {
+                goto err;
-                /* compare the order and cofactor */
+        if ((cofactor2 = EC_GROUP_get0_cofactor(group2)) == NULL)
-                if (!EC_GROUP_get_order(a, a1, ctx) ||
+                goto err;
-                    !EC_GROUP_get_order(b, b1, ctx) ||
-                    !EC_GROUP_get_cofactor(a, a2, ctx) ||
+        if (BN_cmp(order1, order2) != 0 || BN_cmp(cofactor1, cofactor2) != 0)
-                    !EC_GROUP_get_cofactor(b, b2, ctx))
+                goto distinct;
-                        goto err;
-                if (BN_cmp(a1, b1) || BN_cmp(a2, b2))
-                        r = 1;
-        }
-        BN_CTX_end(ctx);
-        if (ctx_new)
-                BN_CTX_free(ctx);
-        return r;
+        /* All parameters match: the groups are equal. */
+        cmp = 0;
+ distinct:
+        ret = cmp;
 err:
        BN_CTX_end(ctx);
-        if (ctx_new)
+        if (ctx != ctx_in)
                BN_CTX_free(ctx);
-        return -1;
+        return ret;
 }
 LCRYPTO_ALIAS(EC_GROUP_cmp);
author	tb <>	2024-11-17 06:33:35 +0000
committer	tb <>	2024-11-17 06:33:35 +0000
commit	a62b48c76c324585e4b919de1818465e2667289e (patch)
tree	a900f623295736978677750d1aa360fd50900a65
parent	b4c334cf7760113f167c0d700e27fb65de2f189a (diff)
download	openbsd-a62b48c76c324585e4b919de1818465e2667289e.tar.gz openbsd-a62b48c76c324585e4b919de1818465e2667289e.tar.bz2 openbsd-a62b48c76c324585e4b919de1818465e2667289e.zip

diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c index d61dea9f12..01e21e9eb8 100644 --- a/src/lib/libcrypto/ec/ec_lib.c +++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ec_lib.c,v 1.85 2024/11/08 13:55:45 tb Exp $ */	1	/* $OpenBSD: ec_lib.c,v 1.86 2024/11/17 06:33:35 tb Exp $ */
2	/*	2	/*
3	* Originally written by Bodo Moeller for the OpenSSL project.	3	* Originally written by Bodo Moeller for the OpenSSL project.
4	*/	4	*/
@@ -662,77 +662,101 @@ EC_GROUP_check(const EC_GROUP group, BN_CTX ctx_in)
662	}	662	}
663	LCRYPTO_ALIAS(EC_GROUP_check);	663	LCRYPTO_ALIAS(EC_GROUP_check);
664		664
		665	/*
		666	* Returns -1 on error, 0 if the groups are equal, 1 if they are distinct.
		667	*/
665	int	668	int
666	EC_GROUP_cmp(const EC_GROUP a, const EC_GROUP b, BN_CTX *ctx)	669	EC_GROUP_cmp(const EC_GROUP group1, const EC_GROUP group2, BN_CTX *ctx_in)
667	{	670	{
668	int r = 0;	671	BN_CTX *ctx = NULL;
669	BIGNUM a1, a2, a3, b1, b2, b3;	672	BIGNUM p1, a1, b1, p2, a2, b2;
670	BN_CTX *ctx_new = NULL;	673	const EC_POINT generator1, generator2;
671		674	const BIGNUM order1, order2, cofactor1, cofactor2;
672	/* compare the field types */	675	int nid1, nid2;
673	if (ec_group_get_field_type(a) != ec_group_get_field_type(b))	676	int cmp = 1;
674	return 1;	677	int ret = -1;
675	/* compare the curve name (if present in both) */
676	if (EC_GROUP_get_curve_name(a) && EC_GROUP_get_curve_name(b) &&
677	EC_GROUP_get_curve_name(a) != EC_GROUP_get_curve_name(b))
678	return 1;
679		678
680	if (!ctx)	679	if ((ctx = ctx_in) == NULL)
681	ctx_new = ctx = BN_CTX_new();	680	ctx = BN_CTX_new();
682	if (!ctx)	681	if (ctx == NULL)
683	return -1;	682	goto err;
684		683
685	BN_CTX_start(ctx);	684	BN_CTX_start(ctx);
		685
		686	if (ec_group_get_field_type(group1) != ec_group_get_field_type(group2))
		687	goto distinct;
		688	if ((nid1 = EC_GROUP_get_curve_name(group1)) != NID_undef &&
		689	(nid2 = EC_GROUP_get_curve_name(group2)) != NID_undef) {
		690	if (nid1 != nid2)
		691	goto distinct;
		692	}
		693
		694	if ((p1 = BN_CTX_get(ctx)) == NULL)
		695	goto err;
686	if ((a1 = BN_CTX_get(ctx)) == NULL)	696	if ((a1 = BN_CTX_get(ctx)) == NULL)
687	goto err;	697	goto err;
688	if ((a2 = BN_CTX_get(ctx)) == NULL)	698	if ((b1 = BN_CTX_get(ctx)) == NULL)
689	goto err;	699	goto err;
690	if ((a3 = BN_CTX_get(ctx)) == NULL)	700	if ((p2 = BN_CTX_get(ctx)) == NULL)
691	goto err;	701	goto err;
692	if ((b1 = BN_CTX_get(ctx)) == NULL)	702	if ((a2 = BN_CTX_get(ctx)) == NULL)
693	goto err;	703	goto err;
694	if ((b2 = BN_CTX_get(ctx)) == NULL)	704	if ((b2 = BN_CTX_get(ctx)) == NULL)
695	goto err;	705	goto err;
696	if ((b3 = BN_CTX_get(ctx)) == NULL)	706
		707	/*
		708	* If we ever support curves in non-Weierstrass form, this check needs
		709	* to be adjusted. The comparison of the generators will fail anyway.
		710	*/
		711	if (!EC_GROUP_get_curve(group1, p1, a1, b1, ctx))
		712	goto err;
		713	if (!EC_GROUP_get_curve(group2, p2, a2, b2, ctx))
		714	goto err;
		715
		716	if (BN_cmp(p1, p2) != 0 \|\| BN_cmp(a1, a2) != 0 \|\| BN_cmp(b1, b2) != 0)
		717	goto distinct;
		718
		719	if ((generator1 = EC_GROUP_get0_generator(group1)) == NULL)
		720	goto err;
		721	if ((generator2 = EC_GROUP_get0_generator(group2)) == NULL)
697	goto err;	722	goto err;
698		723
699	/*	724	/*
700	* XXX This approach assumes that the external representation of	725	* It does not matter whether group1 or group2 is used: both points must
701	* curves over the same field type is the same.	726	* have a matching method for this to succeed.
702	*/	727	*/
703	if (!a->meth->group_get_curve(a, a1, a2, a3, ctx) \|\|	728	if ((cmp = EC_POINT_cmp(group1, generator1, generator2, ctx)) < 0)
704	!b->meth->group_get_curve(b, b1, b2, b3, ctx))	729	goto err;
705	r = 1;	730	if (cmp == 1)
706		731	goto distinct;
707	if (r \|\| BN_cmp(a1, b1) \|\| BN_cmp(a2, b2) \|\| BN_cmp(a3, b3))	732	cmp = 1;
708	r = 1;	733
709		734	if ((order1 = EC_GROUP_get0_order(group1)) == NULL)
710	/* XXX EC_POINT_cmp() assumes that the methods are equal */	735	goto err;
711	if (r \|\| EC_POINT_cmp(a, EC_GROUP_get0_generator(a),	736	if ((order2 = EC_GROUP_get0_order(group2)) == NULL)
712	EC_GROUP_get0_generator(b), ctx))	737	goto err;
713	r = 1;	738
714		739	if ((cofactor1 = EC_GROUP_get0_cofactor(group1)) == NULL)
715	if (!r) {	740	goto err;
716	/* compare the order and cofactor */	741	if ((cofactor2 = EC_GROUP_get0_cofactor(group2)) == NULL)
717	if (!EC_GROUP_get_order(a, a1, ctx) \|\|	742	goto err;
718	!EC_GROUP_get_order(b, b1, ctx) \|\|	743
719	!EC_GROUP_get_cofactor(a, a2, ctx) \|\|	744	if (BN_cmp(order1, order2) != 0 \|\| BN_cmp(cofactor1, cofactor2) != 0)
720	!EC_GROUP_get_cofactor(b, b2, ctx))	745	goto distinct;
721	goto err;
722	if (BN_cmp(a1, b1) \|\| BN_cmp(a2, b2))
723	r = 1;
724	}
725	BN_CTX_end(ctx);
726	if (ctx_new)
727	BN_CTX_free(ctx);
728		746
729	return r;	747	/* All parameters match: the groups are equal. */
		748	cmp = 0;
		749
		750	distinct:
		751	ret = cmp;
730		752
731	err:	753	err:
732	BN_CTX_end(ctx);	754	BN_CTX_end(ctx);
733	if (ctx_new)	755
		756	if (ctx != ctx_in)
734	BN_CTX_free(ctx);	757	BN_CTX_free(ctx);
735	return -1;	758
		759	return ret;
736	}	760	}
737	LCRYPTO_ALIAS(EC_GROUP_cmp);	761	LCRYPTO_ALIAS(EC_GROUP_cmp);
738		762