Check discriminant directly in EC_GROUP_set_discriminant()

After possibly decoding a and b in EC_GROUP_get_curve(), this is a pure
calculation in GFp and as such doesn't make use of any method-specifics.
Let's perform this calculation directly in the public API implementation
rather than redirecting through the methods and remove yet another method
handler.

ok jsing

3 files changed, 47 insertions, 68 deletions

diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 7a82eb23f8..a50b1e5633 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.102 2025/01/06 19:23:25 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.103 2025/01/07 08:30:52 tb Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -600,6 +600,7 @@ int
 EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx_in)
 {
         BN_CTX *ctx;
+        BIGNUM *p, *a, *b, *discriminant;
         int ret = 0;
 
         if ((ctx = ctx_in) == NULL)
@@ -607,11 +608,50 @@ EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx_in)
         if (ctx == NULL)
                 goto err;
 
-        if (group->meth->group_check_discriminant == NULL) {
-                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+        BN_CTX_start(ctx);
+
+        if ((p = BN_CTX_get(ctx)) == NULL)
                 goto err;
-        }
-        ret = group->meth->group_check_discriminant(group, ctx);
+        if ((a = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if ((b = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if ((discriminant = BN_CTX_get(ctx)) == NULL)
+                goto err;
+
+        if (!EC_GROUP_get_curve(group, p, a, b, ctx))
+                goto err;
+
+        /*
+         * Check that the discriminant 4a^3 + 27b^2 is non-zero modulo p.
+         */
+
+        if (BN_is_zero(a) && BN_is_zero(b))
+                goto err;
+        if (BN_is_zero(a) || BN_is_zero(b))
+                goto done;
+
+        /* Compute the discriminant: first 4a^3, then 27b^2, then their sum. */
+        if (!BN_mod_sqr(discriminant, a, p, ctx))
+                goto err;
+        if (!BN_mod_mul(discriminant, discriminant, a, p, ctx))
+                goto err;
+        if (!BN_lshift(discriminant, discriminant, 2))
+                goto err;
+
+        if (!BN_mod_sqr(b, b, p, ctx))
+                goto err;
+        if (!BN_mul_word(b, 27))
+                goto err;
+
+        if (!BN_mod_add(discriminant, discriminant, b, p, ctx))
+                goto err;
+
+        if (BN_is_zero(discriminant))
+                goto err;
+
+ done:
+        ret = 1;
 
  err:
         if (ctx != ctx_in)
diff --git a/src/lib/libcrypto/ec/ec_local.h b/src/lib/libcrypto/ec/ec_local.h
index 03fda6876b..49442786e7 100644
--- a/src/lib/libcrypto/ec/ec_local.h
+++ b/src/lib/libcrypto/ec/ec_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_local.h,v 1.52 2025/01/06 14:34:47 tb Exp $ */
+/* $OpenBSD: ec_local.h,v 1.53 2025/01/07 08:30:52 tb Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -93,8 +93,6 @@ struct ec_method_st {
         int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
             BIGNUM *b, BN_CTX *);
 
-        int (*group_check_discriminant)(const EC_GROUP *, BN_CTX *);
-
         int (*point_set_affine_coordinates)(const EC_GROUP *, EC_POINT *,
             const BIGNUM *x, const BIGNUM *y, BN_CTX *);
         int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_POINT *,
diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c
index 8623131ffa..9593428870 100644
--- a/src/lib/libcrypto/ec/ecp_methods.c
+++ b/src/lib/libcrypto/ec/ecp_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_methods.c,v 1.25 2025/01/06 18:43:27 tb Exp $ */
+/* $OpenBSD: ecp_methods.c,v 1.26 2025/01/07 08:30:52 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project.
  * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -167,63 +167,6 @@ ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
 }
 
 static int
-ec_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
-{
-        BIGNUM *p, *a, *b, *discriminant;
-        int ret = 0;
-
-        BN_CTX_start(ctx);
-
-        if ((p = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((a = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((b = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((discriminant = BN_CTX_get(ctx)) == NULL)
-                goto err;
-
-        if (!EC_GROUP_get_curve(group, p, a, b, ctx))
-                goto err;
-
-        /*
-         * Check that the discriminant 4a^3 + 27b^2 is non-zero modulo p.
-         */
-
-        if (BN_is_zero(a) && BN_is_zero(b))
-                goto err;
-        if (BN_is_zero(a) || BN_is_zero(b))
-                goto done;
-
-        /* Compute the discriminant: first 4a^3, then 27b^2, then their sum. */
-        if (!BN_mod_sqr(discriminant, a, p, ctx))
-                goto err;
-        if (!BN_mod_mul(discriminant, discriminant, a, p, ctx))
-                goto err;
-        if (!BN_lshift(discriminant, discriminant, 2))
-                goto err;
-
-        if (!BN_mod_sqr(b, b, p, ctx))
-                goto err;
-        if (!BN_mul_word(b, 27))
-                goto err;
-
-        if (!BN_mod_add(discriminant, discriminant, b, p, ctx))
-                goto err;
-
-        if (BN_is_zero(discriminant))
-                goto err;
-
- done:
-        ret = 1;
-
- err:
-        BN_CTX_end(ctx);
-
-        return ret;
-}
-
-static int
 ec_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
     const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
 {
@@ -1511,7 +1454,6 @@ static const EC_METHOD ec_GFp_simple_method = {
         .field_type = NID_X9_62_prime_field,
         .group_set_curve = ec_group_set_curve,
         .group_get_curve = ec_group_get_curve,
-        .group_check_discriminant = ec_group_check_discriminant,
         .point_set_affine_coordinates = ec_point_set_affine_coordinates,
         .point_get_affine_coordinates = ec_point_get_affine_coordinates,
         .point_set_compressed_coordinates = ec_set_compressed_coordinates,
@@ -1540,7 +1482,6 @@ static const EC_METHOD ec_GFp_mont_method = {
         .field_type = NID_X9_62_prime_field,
         .group_set_curve = ec_mont_group_set_curve,
         .group_get_curve = ec_group_get_curve,
-        .group_check_discriminant = ec_group_check_discriminant,
         .point_set_affine_coordinates = ec_point_set_affine_coordinates,
         .point_get_affine_coordinates = ec_point_get_affine_coordinates,
         .point_set_compressed_coordinates = ec_set_compressed_coordinates,