resolve conflicts, fix local changes

author: djm <> 2010-10-01 22:59:01 +0000
committer: djm <> 2010-10-01 22:59:01 +0000
commit: 8922d4bc4a8b8893d72a48deb2cdf58215f98505 (patch)
tree: 939b752540947d33507b3acc48d76a8bfb7c3dc3 /src/lib/libcrypto/ec/ec2_smpl.c
parent: 76262f7bf9262f965142b1b2b2105cb279c5c696 (diff)
download: openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.tar.gz
openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.tar.bz2
openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.zip
1 files changed, 89 insertions, 23 deletions
diff --git a/src/lib/libcrypto/ec/ec2_smpl.c b/src/lib/libcrypto/ec/ec2_smpl.c
index 522d036ca1..cf357b462a 100644
--- a/src/lib/libcrypto/ec/ec2_smpl.c
+++ b/src/lib/libcrypto/ec/ec2_smpl.c
@@ -14,7 +14,7 @@
 *
 */
 /* ====================================================================
- * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -157,6 +157,7 @@ void ec_GF2m_simple_group_clear_finish(EC_GROUP *group)
        group->poly[2] = 0;
        group->poly[3] = 0;
        group->poly[4] = 0;
+        group->poly[5] = -1;
        }
@@ -174,10 +175,9 @@ int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
        dest->poly[2] = src->poly[2];
        dest->poly[3] = src->poly[3];
        dest->poly[4] = src->poly[4];
-        if(bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
+        dest->poly[5] = src->poly[5];
-                return 0;
+        if (bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) return 0;
-        if(bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
+        if (bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) return 0;
-                return 0;
        for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;
        for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;
        return 1;
@@ -192,7 +192,7 @@ int ec_GF2m_simple_group_set_curve(EC_GROUP *group,
        /* group->field */
        if (!BN_copy(&group->field, p)) goto err;
-        i = BN_GF2m_poly2arr(&group->field, group->poly, 5);
+        i = BN_GF2m_poly2arr(&group->field, group->poly, 6) - 1;
        if ((i != 5) && (i != 3))
                {
                ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
@@ -406,18 +406,94 @@ int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_
        }
-/* Include patented algorithms. */
+/* Calculates and sets the affine coordinates of an EC_POINT from the given
-#include "ec2_smpt.c"
+ * compressed coordinates.  Uses algorithm 2.3.4 of SEC 1. 
+ * Note that the simple implementation only uses affine coordinates.
+ *
+ * The method is from the following publication:
+ * 
+ *     Harper, Menezes, Vanstone:
+ *     "Public-Key Cryptosystems with Very Small Key Lengths",
+ *     EUROCRYPT '92, Springer-Verlag LNCS 658,
+ *     published February 1993
+ *
+ * US Patents 6,141,420 and 6,618,483 (Vanstone, Mullin, Agnew) describe
+ * the same method, but claim no priority date earlier than July 29, 1994
+ * (and additionally fail to cite the EUROCRYPT '92 publication as prior art).
+ */
+int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x_, int y_bit, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp, *x, *y, *z;
+        int ret = 0, z0;
+        /* clear error queue */
+        ERR_clear_error();
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+        y_bit = (y_bit != 0) ? 1 : 0;
+        BN_CTX_start(ctx);
+        tmp = BN_CTX_get(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        z = BN_CTX_get(ctx);
+        if (z == NULL) goto err;
+        if (!BN_GF2m_mod_arr(x, x_, group->poly)) goto err;
+        if (BN_is_zero(x))
+                {
+                if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx)) goto err;
+                }
+        else
+                {
+                if (!group->meth->field_sqr(group, tmp, x, ctx)) goto err;
+                if (!group->meth->field_div(group, tmp, &group->b, tmp, ctx)) goto err;
+                if (!BN_GF2m_add(tmp, &group->a, tmp)) goto err;
+                if (!BN_GF2m_add(tmp, x, tmp)) goto err;
+                if (!BN_GF2m_mod_solve_quad_arr(z, tmp, group->poly, ctx))
+                        {
+                        unsigned long err = ERR_peek_last_error();
+                        
+                        if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NO_SOLUTION)
+                                {
+                                ERR_clear_error();
+                                ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
+                                }
+                        else
+                                ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB);
+                        goto err;
+                        }
+                z0 = (BN_is_odd(z)) ? 1 : 0;
+                if (!group->meth->field_mul(group, y, x, z, ctx)) goto err;
+                if (z0 != y_bit)
+                        {
+                        if (!BN_GF2m_add(y, y, x)) goto err;
+                        }
+                }
+        if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
+        ret = 1;
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
 /* Converts an EC_POINT to an octet string.  
 * If buf is NULL, the encoded length will be returned.
 * If the length len of buf is smaller than required an error will be returned.
- *
- * The point compression section of this function is patented by Certicom Corp. 
- * under US Patent 6,141,420.  Point compression is disabled by default and can 
- * be enabled by defining the preprocessor macro OPENSSL_EC_BIN_PT_COMP at 
- * Configure-time.
 */
 size_t ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
        unsigned char *buf, size_t len, BN_CTX *ctx)
@@ -428,14 +504,6 @@ size_t ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, po
        BIGNUM *x, *y, *yxi;
        size_t field_len, i, skip;
-#ifndef OPENSSL_EC_BIN_PT_COMP
-        if ((form == POINT_CONVERSION_COMPRESSED) || (form == POINT_CONVERSION_HYBRID)) 
-                {
-                ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_DISABLED);
-                goto err;
-                }
-#endif
        if ((form != POINT_CONVERSION_COMPRESSED)
                && (form != POINT_CONVERSION_UNCOMPRESSED)
                && (form != POINT_CONVERSION_HYBRID))
@@ -490,13 +558,11 @@ size_t ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, po
                if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
                buf[0] = form;
-#ifdef OPENSSL_EC_BIN_PT_COMP
                if ((form != POINT_CONVERSION_UNCOMPRESSED) && !BN_is_zero(x))
                        {
                        if (!group->meth->field_div(group, yxi, y, x, ctx)) goto err;
                        if (BN_is_odd(yxi)) buf[0]++;
                        }
-#endif
                i = 1;
author	djm <>	2010-10-01 22:59:01 +0000
committer	djm <>	2010-10-01 22:59:01 +0000
commit	8922d4bc4a8b8893d72a48deb2cdf58215f98505 (patch)
tree	939b752540947d33507b3acc48d76a8bfb7c3dc3 /src/lib/libcrypto/ec/ec2_smpl.c
parent	76262f7bf9262f965142b1b2b2105cb279c5c696 (diff)
download	openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.tar.gz openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.tar.bz2 openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.zip

diff --git a/src/lib/libcrypto/ec/ec2_smpl.c b/src/lib/libcrypto/ec/ec2_smpl.c index 522d036ca1..cf357b462a 100644 --- a/src/lib/libcrypto/ec/ec2_smpl.c +++ b/src/lib/libcrypto/ec/ec2_smpl.c
@@ -14,7 +14,7 @@
14	*	14	*
15	*/	15	*/
16	/* ====================================================================	16	/* ====================================================================
17	* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.	17	* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
18	*	18	*
19	* Redistribution and use in source and binary forms, with or without	19	* Redistribution and use in source and binary forms, with or without
20	* modification, are permitted provided that the following conditions	20	* modification, are permitted provided that the following conditions
@@ -157,6 +157,7 @@ void ec_GF2m_simple_group_clear_finish(EC_GROUP *group)
157	group->poly[2] = 0;	157	group->poly[2] = 0;
158	group->poly[3] = 0;	158	group->poly[3] = 0;
159	group->poly[4] = 0;	159	group->poly[4] = 0;
		160	group->poly[5] = -1;
160	}	161	}
161		162
162		163
@@ -174,10 +175,9 @@ int ec_GF2m_simple_group_copy(EC_GROUP dest, const EC_GROUP src)
174	dest->poly[2] = src->poly[2];	175	dest->poly[2] = src->poly[2];
175	dest->poly[3] = src->poly[3];	176	dest->poly[3] = src->poly[3];
176	dest->poly[4] = src->poly[4];	177	dest->poly[4] = src->poly[4];
177	if(bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)	178	dest->poly[5] = src->poly[5];
178	return 0;	179	if (bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) return 0;
179	if(bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)	180	if (bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) return 0;
180	return 0;
181	for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;	181	for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;
182	for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;	182	for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;
183	return 1;	183	return 1;
@@ -192,7 +192,7 @@ int ec_GF2m_simple_group_set_curve(EC_GROUP *group,
192		192
193	/* group->field */	193	/* group->field */
194	if (!BN_copy(&group->field, p)) goto err;	194	if (!BN_copy(&group->field, p)) goto err;
195	i = BN_GF2m_poly2arr(&group->field, group->poly, 5);	195	i = BN_GF2m_poly2arr(&group->field, group->poly, 6) - 1;
196	if ((i != 5) && (i != 3))	196	if ((i != 5) && (i != 3))
197	{	197	{
198	ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);	198	ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
@@ -406,18 +406,94 @@ int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_
406	}	406	}
407		407
408		408
409	/* Include patented algorithms. */	409	/* Calculates and sets the affine coordinates of an EC_POINT from the given
410	#include "ec2_smpt.c"	410	* compressed coordinates. Uses algorithm 2.3.4 of SEC 1.
		411	* Note that the simple implementation only uses affine coordinates.
		412	*
		413	* The method is from the following publication:
		414	*
		415	* Harper, Menezes, Vanstone:
		416	* "Public-Key Cryptosystems with Very Small Key Lengths",
		417	* EUROCRYPT '92, Springer-Verlag LNCS 658,
		418	* published February 1993
		419	*
		420	* US Patents 6,141,420 and 6,618,483 (Vanstone, Mullin, Agnew) describe
		421	* the same method, but claim no priority date earlier than July 29, 1994
		422	* (and additionally fail to cite the EUROCRYPT '92 publication as prior art).
		423	*/
		424	int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP group, EC_POINT point,
		425	const BIGNUM x_, int y_bit, BN_CTX ctx)
		426	{
		427	BN_CTX *new_ctx = NULL;
		428	BIGNUM tmp, x, y, z;
		429	int ret = 0, z0;
		430
		431	/* clear error queue */
		432	ERR_clear_error();
		433
		434	if (ctx == NULL)
		435	{
		436	ctx = new_ctx = BN_CTX_new();
		437	if (ctx == NULL)
		438	return 0;
		439	}
		440
		441	y_bit = (y_bit != 0) ? 1 : 0;
		442
		443	BN_CTX_start(ctx);
		444	tmp = BN_CTX_get(ctx);
		445	x = BN_CTX_get(ctx);
		446	y = BN_CTX_get(ctx);
		447	z = BN_CTX_get(ctx);
		448	if (z == NULL) goto err;
		449
		450	if (!BN_GF2m_mod_arr(x, x_, group->poly)) goto err;
		451	if (BN_is_zero(x))
		452	{
		453	if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx)) goto err;
		454	}
		455	else
		456	{
		457	if (!group->meth->field_sqr(group, tmp, x, ctx)) goto err;
		458	if (!group->meth->field_div(group, tmp, &group->b, tmp, ctx)) goto err;
		459	if (!BN_GF2m_add(tmp, &group->a, tmp)) goto err;
		460	if (!BN_GF2m_add(tmp, x, tmp)) goto err;
		461	if (!BN_GF2m_mod_solve_quad_arr(z, tmp, group->poly, ctx))
		462	{
		463	unsigned long err = ERR_peek_last_error();
		464
		465	if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NO_SOLUTION)
		466	{
		467	ERR_clear_error();
		468	ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
		469	}
		470	else
		471	ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB);
		472	goto err;
		473	}
		474	z0 = (BN_is_odd(z)) ? 1 : 0;
		475	if (!group->meth->field_mul(group, y, x, z, ctx)) goto err;
		476	if (z0 != y_bit)
		477	{
		478	if (!BN_GF2m_add(y, y, x)) goto err;
		479	}
		480	}
		481
		482	if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
		483
		484	ret = 1;
		485
		486	err:
		487	BN_CTX_end(ctx);
		488	if (new_ctx != NULL)
		489	BN_CTX_free(new_ctx);
		490	return ret;
		491	}
411		492
412		493
413	/* Converts an EC_POINT to an octet string.	494	/* Converts an EC_POINT to an octet string.
414	* If buf is NULL, the encoded length will be returned.	495	* If buf is NULL, the encoded length will be returned.
415	* If the length len of buf is smaller than required an error will be returned.	496	* If the length len of buf is smaller than required an error will be returned.
416	*
417	* The point compression section of this function is patented by Certicom Corp.
418	* under US Patent 6,141,420. Point compression is disabled by default and can
419	* be enabled by defining the preprocessor macro OPENSSL_EC_BIN_PT_COMP at
420	* Configure-time.
421	*/	497	*/
422	size_t ec_GF2m_simple_point2oct(const EC_GROUP group, const EC_POINT point, point_conversion_form_t form,	498	size_t ec_GF2m_simple_point2oct(const EC_GROUP group, const EC_POINT point, point_conversion_form_t form,
423	unsigned char buf, size_t len, BN_CTX ctx)	499	unsigned char buf, size_t len, BN_CTX ctx)
@@ -428,14 +504,6 @@ size_t ec_GF2m_simple_point2oct(const EC_GROUP group, const EC_POINT point, po
428	BIGNUM x, y, *yxi;	504	BIGNUM x, y, *yxi;
429	size_t field_len, i, skip;	505	size_t field_len, i, skip;
430		506
431	#ifndef OPENSSL_EC_BIN_PT_COMP
432	if ((form == POINT_CONVERSION_COMPRESSED) \|\| (form == POINT_CONVERSION_HYBRID))
433	{
434	ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_DISABLED);
435	goto err;
436	}
437	#endif
438
439	if ((form != POINT_CONVERSION_COMPRESSED)	507	if ((form != POINT_CONVERSION_COMPRESSED)
440	&& (form != POINT_CONVERSION_UNCOMPRESSED)	508	&& (form != POINT_CONVERSION_UNCOMPRESSED)
441	&& (form != POINT_CONVERSION_HYBRID))	509	&& (form != POINT_CONVERSION_HYBRID))
@@ -490,13 +558,11 @@ size_t ec_GF2m_simple_point2oct(const EC_GROUP group, const EC_POINT point, po
490	if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;	558	if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
491		559
492	buf[0] = form;	560	buf[0] = form;
493	#ifdef OPENSSL_EC_BIN_PT_COMP
494	if ((form != POINT_CONVERSION_UNCOMPRESSED) && !BN_is_zero(x))	561	if ((form != POINT_CONVERSION_UNCOMPRESSED) && !BN_is_zero(x))
495	{	562	{
496	if (!group->meth->field_div(group, yxi, y, x, ctx)) goto err;	563	if (!group->meth->field_div(group, yxi, y, x, ctx)) goto err;
497	if (BN_is_odd(yxi)) buf[0]++;	564	if (BN_is_odd(yxi)) buf[0]++;
498	}	565	}
499	#endif
500		566
501	i = 1;	567	i = 1;
502		568