Merge compressed coordinate setting back into ecp_smpl and ec_lib

The reason these were in separate files was FIPS. Not our problem.

1 files changed, 99 insertions, 1 deletions

diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index ab79680742..5890ca994a 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.57 2024/10/31 15:37:53 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.58 2024/11/02 15:50:50 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project.
  * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -469,6 +469,104 @@ ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
 }
 
 int
+ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
+    EC_POINT *point, const BIGNUM *in_x, int y_bit, BN_CTX *ctx)
+{
+        const BIGNUM *p = &group->field, *a = &group->a, *b = &group->b;
+        BIGNUM *w, *x, *y;
+        int ret = 0;
+
+        y_bit = (y_bit != 0);
+
+        BN_CTX_start(ctx);
+
+        if ((w = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if ((x = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if ((y = BN_CTX_get(ctx)) == NULL)
+                goto err;
+
+        /*
+         * Weierstrass equation: y^2 = x^3 + ax + b, so y is one of the
+         * square roots of x^3 + ax + b. The y-bit indicates which one.
+         */
+
+        /* XXX - should we not insist on 0 <= x < p instead? */
+        if (!BN_nnmod(x, in_x, p, ctx))
+                goto err;
+
+        if (group->meth->field_encode != NULL) {
+                if (!group->meth->field_encode(group, x, x, ctx))
+                        goto err;
+        }
+
+        /* y = x^3 */
+        if (!group->meth->field_sqr(group, y, x, ctx))
+                goto err;
+        if (!group->meth->field_mul(group, y, y, x, ctx))
+                goto err;
+
+        /* y += ax */
+        if (group->a_is_minus3) {
+                if (!BN_mod_lshift1_quick(w, x, p))
+                        goto err;
+                if (!BN_mod_add_quick(w, w, x, p))
+                        goto err;
+                if (!BN_mod_sub_quick(y, y, w, p))
+                        goto err;
+        } else {
+                if (!group->meth->field_mul(group, w, a, x, ctx))
+                        goto err;
+                if (!BN_mod_add_quick(y, y, w, p))
+                        goto err;
+        }
+
+        /* y += b */
+        if (!BN_mod_add_quick(y, y, b, p))
+                goto err;
+
+        if (group->meth->field_decode != NULL) {
+                if (!group->meth->field_decode(group, x, x, ctx))
+                        goto err;
+                if (!group->meth->field_decode(group, y, y, ctx))
+                        goto err;
+        }
+
+        if (!BN_mod_sqrt(y, y, p, ctx)) {
+                ECerror(EC_R_INVALID_COMPRESSED_POINT);
+                goto err;
+        }
+
+        if (y_bit == BN_is_odd(y))
+                goto done;
+
+        if (BN_is_zero(y)) {
+                ECerror(EC_R_INVALID_COMPRESSION_BIT);
+                goto err;
+        }
+        if (!BN_usub(y, &group->field, y))
+                goto err;
+
+        if (y_bit != BN_is_odd(y)) {
+                /* Can only happen if p is even and should not be reachable. */
+                ECerror(ERR_R_INTERNAL_ERROR);
+                goto err;
+        }
+
+ done:
+        if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
+                goto err;
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+
+        return ret;
+}
+
+int
 ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
 {
         int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);