Check discriminant directly in EC_GROUP_set_discriminant()

After possibly decoding a and b in EC_GROUP_get_curve(), this is a pure calculation in GFp and as such doesn't make use of any method-specifics. Let's perform this calculation directly in the public API implementation rather than redirecting through the methods and remove yet another method handler. ok jsing
author: tb <> 2025-01-07 08:30:52 +0000
committer: tb <> 2025-01-07 08:30:52 +0000
commit: d589f6085401b1833475f8ee81e8bd8877cec677 (patch)
tree: 6ecbe239120c7d74f351796a659e9df26c4523c6 /src/lib/libcrypto/ec/ec_lib.c
parent: ee923a8ee6f7ac3ead05a32865fa6794a4960873 (diff)
download: openbsd-d589f6085401b1833475f8ee81e8bd8877cec677.tar.gz
openbsd-d589f6085401b1833475f8ee81e8bd8877cec677.tar.bz2
openbsd-d589f6085401b1833475f8ee81e8bd8877cec677.zip
1 files changed, 45 insertions, 5 deletions
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 7a82eb23f8..a50b1e5633 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.102 2025/01/06 19:23:25 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.103 2025/01/07 08:30:52 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -600,6 +600,7 @@ int
 EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx_in)
 {
        BN_CTX *ctx;
+        BIGNUM *p, *a, *b, *discriminant;
        int ret = 0;
        if ((ctx = ctx_in) == NULL)
@@ -607,11 +608,50 @@ EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx_in)
        if (ctx == NULL)
                goto err;
-        if (group->meth->group_check_discriminant == NULL) {
+        BN_CTX_start(ctx);
-                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+        if ((p = BN_CTX_get(ctx)) == NULL)
                goto err;
-        }
+        if ((a = BN_CTX_get(ctx)) == NULL)
-        ret = group->meth->group_check_discriminant(group, ctx);
+                goto err;
+        if ((b = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if ((discriminant = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if (!EC_GROUP_get_curve(group, p, a, b, ctx))
+                goto err;
+        /*
+         * Check that the discriminant 4a^3 + 27b^2 is non-zero modulo p.
+         */
+        if (BN_is_zero(a) && BN_is_zero(b))
+                goto err;
+        if (BN_is_zero(a) || BN_is_zero(b))
+                goto done;
+        /* Compute the discriminant: first 4a^3, then 27b^2, then their sum. */
+        if (!BN_mod_sqr(discriminant, a, p, ctx))
+                goto err;
+        if (!BN_mod_mul(discriminant, discriminant, a, p, ctx))
+                goto err;
+        if (!BN_lshift(discriminant, discriminant, 2))
+                goto err;
+        if (!BN_mod_sqr(b, b, p, ctx))
+                goto err;
+        if (!BN_mul_word(b, 27))
+                goto err;
+        if (!BN_mod_add(discriminant, discriminant, b, p, ctx))
+                goto err;
+        if (BN_is_zero(discriminant))
+                goto err;
+ done:
+        ret = 1;
 err:
        if (ctx != ctx_in)
author	tb <>	2025-01-07 08:30:52 +0000
committer	tb <>	2025-01-07 08:30:52 +0000
commit	d589f6085401b1833475f8ee81e8bd8877cec677 (patch)
tree	6ecbe239120c7d74f351796a659e9df26c4523c6 /src/lib/libcrypto/ec/ec_lib.c
parent	ee923a8ee6f7ac3ead05a32865fa6794a4960873 (diff)
download	openbsd-d589f6085401b1833475f8ee81e8bd8877cec677.tar.gz openbsd-d589f6085401b1833475f8ee81e8bd8877cec677.tar.bz2 openbsd-d589f6085401b1833475f8ee81e8bd8877cec677.zip

diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c index 7a82eb23f8..a50b1e5633 100644 --- a/src/lib/libcrypto/ec/ec_lib.c +++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ec_lib.c,v 1.102 2025/01/06 19:23:25 tb Exp $ */	1	/* $OpenBSD: ec_lib.c,v 1.103 2025/01/07 08:30:52 tb Exp $ */
2	/*	2	/*
3	* Originally written by Bodo Moeller for the OpenSSL project.	3	* Originally written by Bodo Moeller for the OpenSSL project.
4	*/	4	*/
@@ -600,6 +600,7 @@ int
600	EC_GROUP_check_discriminant(const EC_GROUP group, BN_CTX ctx_in)	600	EC_GROUP_check_discriminant(const EC_GROUP group, BN_CTX ctx_in)
601	{	601	{
602	BN_CTX *ctx;	602	BN_CTX *ctx;
		603	BIGNUM p, a, b, discriminant;
603	int ret = 0;	604	int ret = 0;
604		605
605	if ((ctx = ctx_in) == NULL)	606	if ((ctx = ctx_in) == NULL)
@@ -607,11 +608,50 @@ EC_GROUP_check_discriminant(const EC_GROUP group, BN_CTX ctx_in)
607	if (ctx == NULL)	608	if (ctx == NULL)
608	goto err;	609	goto err;
609		610
610	if (group->meth->group_check_discriminant == NULL) {	611	BN_CTX_start(ctx);
611	ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);	612
		613	if ((p = BN_CTX_get(ctx)) == NULL)
612	goto err;	614	goto err;
613	}	615	if ((a = BN_CTX_get(ctx)) == NULL)
614	ret = group->meth->group_check_discriminant(group, ctx);	616	goto err;
		617	if ((b = BN_CTX_get(ctx)) == NULL)
		618	goto err;
		619	if ((discriminant = BN_CTX_get(ctx)) == NULL)
		620	goto err;
		621
		622	if (!EC_GROUP_get_curve(group, p, a, b, ctx))
		623	goto err;
		624
		625	/*
		626	* Check that the discriminant 4a^3 + 27b^2 is non-zero modulo p.
		627	*/
		628
		629	if (BN_is_zero(a) && BN_is_zero(b))
		630	goto err;
		631	if (BN_is_zero(a) \|\| BN_is_zero(b))
		632	goto done;
		633
		634	/* Compute the discriminant: first 4a^3, then 27b^2, then their sum. */
		635	if (!BN_mod_sqr(discriminant, a, p, ctx))
		636	goto err;
		637	if (!BN_mod_mul(discriminant, discriminant, a, p, ctx))
		638	goto err;
		639	if (!BN_lshift(discriminant, discriminant, 2))
		640	goto err;
		641
		642	if (!BN_mod_sqr(b, b, p, ctx))
		643	goto err;
		644	if (!BN_mul_word(b, 27))
		645	goto err;
		646
		647	if (!BN_mod_add(discriminant, discriminant, b, p, ctx))
		648	goto err;
		649
		650	if (BN_is_zero(discriminant))
		651	goto err;
		652
		653	done:
		654	ret = 1;
615		655
616	err:	656	err:
617	if (ctx != ctx_in)	657	if (ctx != ctx_in)