summaryrefslogtreecommitdiff
path: root/src/lib
diff options
context:
space:
mode:
authortb <>2023-04-25 17:42:07 +0000
committertb <>2023-04-25 17:42:07 +0000
commitc99645e206c6a6fd786d7548a1c886d5b2d6c9cb (patch)
tree6dff91fd2b36aed111abc1147137b91c71f95e39 /src/lib
parentdfacb5f80885e54f09c7b607c4c2aa10d9f2d2cb (diff)
downloadopenbsd-c99645e206c6a6fd786d7548a1c886d5b2d6c9cb.tar.gz
openbsd-c99645e206c6a6fd786d7548a1c886d5b2d6c9cb.tar.bz2
openbsd-c99645e206c6a6fd786d7548a1c886d5b2d6c9cb.zip
Remove the horror show that is bn_nist and ecp_nist
This code is full of problematic C and is also otherwise of questionable quality. It is far from constant time and jsing informs me it also isn't faster. Good riddance.
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/Makefile4
-rw-r--r--src/lib/libcrypto/bn/bn.h18
-rw-r--r--src/lib/libcrypto/bn/bn_nist.c1332
-rw-r--r--src/lib/libcrypto/ec/ecp_nist.c177
4 files changed, 2 insertions, 1529 deletions
diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index 87b699bb2f..a993755d24 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.110 2023/04/25 16:50:33 tb Exp $ 1# $OpenBSD: Makefile,v 1.111 2023/04/25 17:42:07 tb Exp $
2 2
3LIB= crypto 3LIB= crypto
4LIBREBUILD=y 4LIBREBUILD=y
@@ -196,7 +196,6 @@ SRCS+= bn_mod.c
196SRCS+= bn_mod_sqrt.c 196SRCS+= bn_mod_sqrt.c
197SRCS+= bn_mont.c 197SRCS+= bn_mont.c
198SRCS+= bn_mul.c 198SRCS+= bn_mul.c
199#SRCS+= bn_nist.c
200SRCS+= bn_prime.c 199SRCS+= bn_prime.c
201SRCS+= bn_rand.c 200SRCS+= bn_rand.c
202SRCS+= bn_recp.c 201SRCS+= bn_recp.c
@@ -353,7 +352,6 @@ SRCS+= ec_pmeth.c
353SRCS+= ec_print.c 352SRCS+= ec_print.c
354SRCS+= eck_prn.c 353SRCS+= eck_prn.c
355SRCS+= ecp_mont.c 354SRCS+= ecp_mont.c
356#SRCS+= ecp_nist.c
357SRCS+= ecp_oct.c 355SRCS+= ecp_oct.c
358SRCS+= ecp_smpl.c 356SRCS+= ecp_smpl.c
359SRCS+= ecx_methods.c 357SRCS+= ecx_methods.c
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 4fd795671d..52e3d078ab 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: bn.h,v 1.67 2023/04/25 17:20:24 tb Exp $ */ 1/* $OpenBSD: bn.h,v 1.68 2023/04/25 17:42:07 tb Exp $ */
2/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -566,22 +566,6 @@ int BN_GF2m_arr2poly(const int p[], BIGNUM *a);
566 566
567#endif 567#endif
568 568
569#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
570/* faster mod functions for the 'NIST primes'
571 * 0 <= a < p^2 */
572int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
573int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
574int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
575int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
576int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
577
578const BIGNUM *BN_get0_nist_prime_192(void);
579const BIGNUM *BN_get0_nist_prime_224(void);
580const BIGNUM *BN_get0_nist_prime_256(void);
581const BIGNUM *BN_get0_nist_prime_384(void);
582const BIGNUM *BN_get0_nist_prime_521(void);
583#endif
584
585/* Primes from RFC 2409 */ 569/* Primes from RFC 2409 */
586BIGNUM *get_rfc2409_prime_768(BIGNUM *bn); 570BIGNUM *get_rfc2409_prime_768(BIGNUM *bn);
587BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn); 571BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn);
diff --git a/src/lib/libcrypto/bn/bn_nist.c b/src/lib/libcrypto/bn/bn_nist.c
deleted file mode 100644
index 1b4c25cacf..0000000000
--- a/src/lib/libcrypto/bn/bn_nist.c
+++ /dev/null
@@ -1,1332 +0,0 @@
1/* $OpenBSD: bn_nist.c,v 1.25 2023/03/27 08:41:35 tb Exp $ */
2/*
3 * Written by Nils Larsch for the OpenSSL project
4 */
5/* ====================================================================
6 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <endian.h>
60#include <stdint.h>
61#include <string.h>
62
63#include "bn_local.h"
64
65#define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \
66 __attribute__((__unused__))
67
68#define BN_NIST_192_TOP (192+BN_BITS2-1)/BN_BITS2
69#define BN_NIST_224_TOP (224+BN_BITS2-1)/BN_BITS2
70#define BN_NIST_256_TOP (256+BN_BITS2-1)/BN_BITS2
71#define BN_NIST_384_TOP (384+BN_BITS2-1)/BN_BITS2
72#define BN_NIST_521_TOP (521+BN_BITS2-1)/BN_BITS2
73
74/* pre-computed tables are "carry-less" values of modulus*(i+1) */
75#if BN_BITS2 == 64
76static const BN_ULONG _nist_p_192[][BN_NIST_192_TOP] = {
77 {0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFEULL, 0xFFFFFFFFFFFFFFFFULL},
78 {0xFFFFFFFFFFFFFFFEULL, 0xFFFFFFFFFFFFFFFDULL, 0xFFFFFFFFFFFFFFFFULL},
79 {0xFFFFFFFFFFFFFFFDULL, 0xFFFFFFFFFFFFFFFCULL, 0xFFFFFFFFFFFFFFFFULL}
80};
81static const BN_ULONG _nist_p_192_sqr[] = {
82 0x0000000000000001ULL, 0x0000000000000002ULL, 0x0000000000000001ULL,
83 0xFFFFFFFFFFFFFFFEULL, 0xFFFFFFFFFFFFFFFDULL, 0xFFFFFFFFFFFFFFFFULL
84};
85static const BN_ULONG _nist_p_224[][BN_NIST_224_TOP] = {
86 {
87 0x0000000000000001ULL, 0xFFFFFFFF00000000ULL,
88 0xFFFFFFFFFFFFFFFFULL, 0x00000000FFFFFFFFULL
89 },
90 {
91 0x0000000000000002ULL, 0xFFFFFFFE00000000ULL,
92 0xFFFFFFFFFFFFFFFFULL, 0x00000001FFFFFFFFULL
93 } /* this one is "carry-full" */
94};
95static const BN_ULONG _nist_p_224_sqr[] = {
96 0x0000000000000001ULL, 0xFFFFFFFE00000000ULL,
97 0xFFFFFFFFFFFFFFFFULL, 0x0000000200000000ULL,
98 0x0000000000000000ULL, 0xFFFFFFFFFFFFFFFEULL,
99 0xFFFFFFFFFFFFFFFFULL
100};
101static const BN_ULONG _nist_p_256[][BN_NIST_256_TOP] = {
102 {
103 0xFFFFFFFFFFFFFFFFULL, 0x00000000FFFFFFFFULL,
104 0x0000000000000000ULL, 0xFFFFFFFF00000001ULL
105 },
106 {
107 0xFFFFFFFFFFFFFFFEULL, 0x00000001FFFFFFFFULL,
108 0x0000000000000000ULL, 0xFFFFFFFE00000002ULL
109 },
110 {
111 0xFFFFFFFFFFFFFFFDULL, 0x00000002FFFFFFFFULL,
112 0x0000000000000000ULL, 0xFFFFFFFD00000003ULL
113 },
114 {
115 0xFFFFFFFFFFFFFFFCULL, 0x00000003FFFFFFFFULL,
116 0x0000000000000000ULL, 0xFFFFFFFC00000004ULL
117 },
118 {
119 0xFFFFFFFFFFFFFFFBULL, 0x00000004FFFFFFFFULL,
120 0x0000000000000000ULL, 0xFFFFFFFB00000005ULL
121 },
122};
123static const BN_ULONG _nist_p_256_sqr[] = {
124 0x0000000000000001ULL, 0xFFFFFFFE00000000ULL,
125 0xFFFFFFFFFFFFFFFFULL, 0x00000001FFFFFFFEULL,
126 0x00000001FFFFFFFEULL, 0x00000001FFFFFFFEULL,
127 0xFFFFFFFE00000001ULL, 0xFFFFFFFE00000002ULL
128};
129static const BN_ULONG _nist_p_384[][BN_NIST_384_TOP] = {
130 {
131 0x00000000FFFFFFFFULL, 0xFFFFFFFF00000000ULL,
132 0xFFFFFFFFFFFFFFFEULL, 0xFFFFFFFFFFFFFFFFULL,
133 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL
134 },
135 {
136 0x00000001FFFFFFFEULL, 0xFFFFFFFE00000000ULL,
137 0xFFFFFFFFFFFFFFFDULL, 0xFFFFFFFFFFFFFFFFULL,
138 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL
139 },
140 {
141 0x00000002FFFFFFFDULL, 0xFFFFFFFD00000000ULL,
142 0xFFFFFFFFFFFFFFFCULL, 0xFFFFFFFFFFFFFFFFULL,
143 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL
144 },
145 {
146 0x00000003FFFFFFFCULL, 0xFFFFFFFC00000000ULL,
147 0xFFFFFFFFFFFFFFFBULL, 0xFFFFFFFFFFFFFFFFULL,
148 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL
149 },
150 {
151 0x00000004FFFFFFFBULL, 0xFFFFFFFB00000000ULL,
152 0xFFFFFFFFFFFFFFFAULL, 0xFFFFFFFFFFFFFFFFULL,
153 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL
154 },
155};
156static const BN_ULONG _nist_p_384_sqr[] = {
157 0xFFFFFFFE00000001ULL, 0x0000000200000000ULL, 0xFFFFFFFE00000000ULL,
158 0x0000000200000000ULL, 0x0000000000000001ULL, 0x0000000000000000ULL,
159 0x00000001FFFFFFFEULL, 0xFFFFFFFE00000000ULL, 0xFFFFFFFFFFFFFFFDULL,
160 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL
161};
162static const BN_ULONG _nist_p_521[] = {
163 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL,
164 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL,
165 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0x00000000000001FFULL
166};
167static const BN_ULONG _nist_p_521_sqr[] = {
168 0x0000000000000001ULL, 0x0000000000000000ULL, 0x0000000000000000ULL,
169 0x0000000000000000ULL, 0x0000000000000000ULL, 0x0000000000000000ULL,
170 0x0000000000000000ULL, 0x0000000000000000ULL, 0xFFFFFFFFFFFFFC00ULL,
171 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL,
172 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL,
173 0xFFFFFFFFFFFFFFFFULL, 0x000000000003FFFFULL
174};
175#elif BN_BITS2 == 32
176static const BN_ULONG _nist_p_192[][BN_NIST_192_TOP] = {
177 {
178 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFF,
179 0xFFFFFFFF, 0xFFFFFFFF
180 },
181 {
182 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF,
183 0xFFFFFFFF, 0xFFFFFFFF
184 },
185 {
186 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFC, 0xFFFFFFFF,
187 0xFFFFFFFF, 0xFFFFFFFF
188 }
189};
190static const BN_ULONG _nist_p_192_sqr[] = {
191 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000001, 0x00000000,
192 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
193};
194static const BN_ULONG _nist_p_224[][BN_NIST_224_TOP] = {
195 {
196 0x00000001, 0x00000000, 0x00000000, 0xFFFFFFFF,
197 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
198 },
199 {
200 0x00000002, 0x00000000, 0x00000000, 0xFFFFFFFE,
201 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
202 }
203};
204static const BN_ULONG _nist_p_224_sqr[] = {
205 0x00000001, 0x00000000, 0x00000000, 0xFFFFFFFE,
206 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000002,
207 0x00000000, 0x00000000, 0xFFFFFFFE, 0xFFFFFFFF,
208 0xFFFFFFFF, 0xFFFFFFFF
209};
210static const BN_ULONG _nist_p_256[][BN_NIST_256_TOP] = {
211 {
212 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000,
213 0x00000000, 0x00000000, 0x00000001, 0xFFFFFFFF
214 },
215 {
216 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000001,
217 0x00000000, 0x00000000, 0x00000002, 0xFFFFFFFE
218 },
219 {
220 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000002,
221 0x00000000, 0x00000000, 0x00000003, 0xFFFFFFFD
222 },
223 {
224 0xFFFFFFFC, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000003,
225 0x00000000, 0x00000000, 0x00000004, 0xFFFFFFFC
226 },
227 {
228 0xFFFFFFFB, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000004,
229 0x00000000, 0x00000000, 0x00000005, 0xFFFFFFFB
230 },
231};
232static const BN_ULONG _nist_p_256_sqr[] = {
233 0x00000001, 0x00000000, 0x00000000, 0xFFFFFFFE,
234 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000001,
235 0xFFFFFFFE, 0x00000001, 0xFFFFFFFE, 0x00000001,
236 0x00000001, 0xFFFFFFFE, 0x00000002, 0xFFFFFFFE
237};
238static const BN_ULONG _nist_p_384[][BN_NIST_384_TOP] = {
239 {
240 0xFFFFFFFF, 0x00000000, 0x00000000, 0xFFFFFFFF,
241 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
242 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
243 },
244 {
245 0xFFFFFFFE, 0x00000001, 0x00000000, 0xFFFFFFFE,
246 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
247 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
248 },
249 {
250 0xFFFFFFFD, 0x00000002, 0x00000000, 0xFFFFFFFD,
251 0xFFFFFFFC, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
252 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
253 },
254 {
255 0xFFFFFFFC, 0x00000003, 0x00000000, 0xFFFFFFFC,
256 0xFFFFFFFB, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
257 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
258 },
259 {
260 0xFFFFFFFB, 0x00000004, 0x00000000, 0xFFFFFFFB,
261 0xFFFFFFFA, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
262 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
263 },
264};
265static const BN_ULONG _nist_p_384_sqr[] = {
266 0x00000001, 0xFFFFFFFE, 0x00000000, 0x00000002, 0x00000000, 0xFFFFFFFE,
267 0x00000000, 0x00000002, 0x00000001, 0x00000000, 0x00000000, 0x00000000,
268 0xFFFFFFFE, 0x00000001, 0x00000000, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF,
269 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
270};
271static const BN_ULONG _nist_p_521[] = {
272 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
273 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
274 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
275 0xFFFFFFFF, 0x000001FF
276};
277static const BN_ULONG _nist_p_521_sqr[] = {
278 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
279 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
280 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0xFFFFFC00, 0xFFFFFFFF,
281 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
282 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
283 0xFFFFFFFF, 0xFFFFFFFF, 0x0003FFFF
284};
285#else
286#error "unsupported BN_BITS2"
287#endif
288
289static const BIGNUM _bignum_nist_p_192 = {
290 .d = (BN_ULONG *)_nist_p_192[0],
291 .top = BN_NIST_192_TOP,
292 .dmax = BN_NIST_192_TOP,
293 .neg = 0,
294 .flags = BN_FLG_STATIC_DATA,
295};
296
297static const BIGNUM _bignum_nist_p_192_sqr = {
298 .d = (BN_ULONG *)_nist_p_192_sqr,
299 .top = sizeof(_nist_p_192_sqr) / sizeof(_nist_p_192_sqr[0]),
300 .dmax = sizeof(_nist_p_192_sqr) / sizeof(_nist_p_192_sqr[0]),
301 .neg = 0,
302 .flags = BN_FLG_STATIC_DATA,
303};
304
305static const BIGNUM _bignum_nist_p_224 = {
306 .d = (BN_ULONG *)_nist_p_224[0],
307 .top = BN_NIST_224_TOP,
308 .dmax = BN_NIST_224_TOP,
309 .neg = 0,
310 .flags = BN_FLG_STATIC_DATA,
311};
312
313static const BIGNUM _bignum_nist_p_224_sqr = {
314 .d = (BN_ULONG *)_nist_p_224_sqr,
315 .top = sizeof(_nist_p_224_sqr) / sizeof(_nist_p_224_sqr[0]),
316 .dmax = sizeof(_nist_p_224_sqr) / sizeof(_nist_p_224_sqr[0]),
317 .neg = 0,
318 .flags = BN_FLG_STATIC_DATA,
319};
320
321static const BIGNUM _bignum_nist_p_256 = {
322 .d = (BN_ULONG *)_nist_p_256[0],
323 .top = BN_NIST_256_TOP,
324 .dmax = BN_NIST_256_TOP,
325 .neg = 0,
326 .flags = BN_FLG_STATIC_DATA,
327};
328
329static const BIGNUM _bignum_nist_p_256_sqr = {
330 .d = (BN_ULONG *)_nist_p_256_sqr,
331 .top = sizeof(_nist_p_256_sqr) / sizeof(_nist_p_256_sqr[0]),
332 .dmax = sizeof(_nist_p_256_sqr) / sizeof(_nist_p_256_sqr[0]),
333 .neg = 0,
334 .flags = BN_FLG_STATIC_DATA,
335};
336
337static const BIGNUM _bignum_nist_p_384 = {
338 .d = (BN_ULONG *)_nist_p_384[0],
339 .top = BN_NIST_384_TOP,
340 .dmax = BN_NIST_384_TOP,
341 .neg = 0,
342 .flags = BN_FLG_STATIC_DATA,
343};
344
345static const BIGNUM _bignum_nist_p_384_sqr = {
346 .d = (BN_ULONG *)_nist_p_384_sqr,
347 .top = sizeof(_nist_p_384_sqr) / sizeof(_nist_p_384_sqr[0]),
348 .dmax = sizeof(_nist_p_384_sqr) / sizeof(_nist_p_384_sqr[0]),
349 .neg = 0,
350 .flags = BN_FLG_STATIC_DATA,
351};
352
353static const BIGNUM _bignum_nist_p_521 = {
354 .d = (BN_ULONG *)_nist_p_521,
355 .top = BN_NIST_521_TOP,
356 .dmax = BN_NIST_521_TOP,
357 .neg = 0,
358 .flags = BN_FLG_STATIC_DATA,
359};
360
361static const BIGNUM _bignum_nist_p_521_sqr = {
362 .d = (BN_ULONG *)_nist_p_521_sqr,
363 .top = sizeof(_nist_p_521_sqr) / sizeof(_nist_p_521_sqr[0]),
364 .dmax = sizeof(_nist_p_521_sqr) / sizeof(_nist_p_521_sqr[0]),
365 .neg = 0,
366 .flags = BN_FLG_STATIC_DATA,
367};
368
369const BIGNUM *
370BN_get0_nist_prime_192(void)
371{
372 return &_bignum_nist_p_192;
373}
374
375const BIGNUM *
376BN_get0_nist_prime_224(void)
377{
378 return &_bignum_nist_p_224;
379}
380
381const BIGNUM *
382BN_get0_nist_prime_256(void)
383{
384 return &_bignum_nist_p_256;
385}
386
387const BIGNUM *
388BN_get0_nist_prime_384(void)
389{
390 return &_bignum_nist_p_384;
391}
392
393const BIGNUM *
394BN_get0_nist_prime_521(void)
395{
396 return &_bignum_nist_p_521;
397}
398
399static void
400nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max)
401{
402 int i;
403
404 for (i = 0; i < top; i++)
405 dst[i] = src[i];
406 for (; i < max; i++)
407 dst[i] = 0;
408}
409
410static void nist_cp_bn(BN_ULONG *dst, const BN_ULONG *src, int top)
411{
412 int i;
413
414 for (i = 0; i < top; i++)
415 dst[i] = src[i];
416}
417
418#if BN_BITS2 == 64
419#define bn_cp_64(to, n, from, m) (to)[n] = (m>=0)?((from)[m]):0;
420#define bn_64_set_0(to, n) (to)[n] = (BN_ULONG)0;
421/*
422 * two following macros are implemented under assumption that they
423 * are called in a sequence with *ascending* n, i.e. as they are...
424 */
425#define bn_cp_32_naked(to, n, from, m) (((n)&1)?(to[(n)/2]|=((m)&1)?(from[(m)/2]&BN_MASK2h):(from[(m)/2]<<32))\
426 :(to[(n)/2] =((m)&1)?(from[(m)/2]>>32):(from[(m)/2]&BN_MASK2l)))
427#define bn_32_set_0(to, n) (((n)&1)?(to[(n)/2]&=BN_MASK2l):(to[(n)/2]=0));
428#define bn_cp_32(to,n,from,m) ((m)>=0)?bn_cp_32_naked(to,n,from,m):bn_32_set_0(to,n)
429# if BYTE_ORDER == LITTLE_ENDIAN
430# if defined(_LP64)
431# define NIST_INT64 long
432# else
433# define NIST_INT64 long long
434# endif
435# endif
436#else
437#define bn_cp_64(to, n, from, m) \
438 { \
439 bn_cp_32(to, (n)*2, from, (m)*2); \
440 bn_cp_32(to, (n)*2+1, from, (m)*2+1); \
441 }
442#define bn_64_set_0(to, n) \
443 { \
444 bn_32_set_0(to, (n)*2); \
445 bn_32_set_0(to, (n)*2+1); \
446 }
447#define bn_cp_32(to, n, from, m) (to)[n] = (m>=0)?((from)[m]):0;
448#define bn_32_set_0(to, n) (to)[n] = (BN_ULONG)0;
449# if defined(BN_LLONG)
450# define NIST_INT64 long long
451# endif
452#endif /* BN_BITS2 != 64 */
453
454#define nist_set_192(to, from, a1, a2, a3) \
455 { \
456 bn_cp_64(to, 0, from, (a3) - 3) \
457 bn_cp_64(to, 1, from, (a2) - 3) \
458 bn_cp_64(to, 2, from, (a1) - 3) \
459 }
460
461int
462BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx)
463{
464 BN_ULONG bnbuf[BN_NIST_192_TOP] = { 0 };
465 BN_ULONG c_d[BN_NIST_192_TOP] = { 0 };
466 BN_ULONG *a_d = a->d;
467 BN_ULONG *r_d, *res;
468 uintptr_t mask;
469 int top = a->top;
470 int carry, i;
471
472 field = &_bignum_nist_p_192; /* just to make sure */
473
474 if (BN_is_negative(a) || BN_ucmp(a, &_bignum_nist_p_192_sqr) >= 0)
475 return BN_nnmod(r, a, field, ctx);
476
477 i = BN_ucmp(field, a);
478 if (i == 0) {
479 BN_zero(r);
480 return 1;
481 } else if (i > 0)
482 return bn_copy(r, a);
483
484 if (r != a) {
485 if (!bn_wexpand(r, BN_NIST_192_TOP))
486 return 0;
487 r_d = r->d;
488 nist_cp_bn(r_d, a_d, BN_NIST_192_TOP);
489 } else
490 r_d = a_d;
491
492 nist_cp_bn_0(bnbuf, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP,
493 BN_NIST_192_TOP);
494
495#if defined(NIST_INT64)
496 {
497 NIST_INT64 acc; /* accumulator */
498 unsigned int bbuf[BN_NIST_192_TOP *
499 sizeof(BN_ULONG) / sizeof(unsigned int)];
500 unsigned int rbuf[BN_NIST_192_TOP *
501 sizeof(BN_ULONG) / sizeof(unsigned int)];
502 const unsigned int *bp = bbuf;
503 unsigned int *rp = rbuf;
504
505 CTASSERT(sizeof(bbuf) == sizeof(bnbuf));
506 CTASSERT(sizeof(rbuf) == sizeof(bnbuf));
507
508 /*
509 * Avoid strict aliasing violations by copying from an unsigned
510 * long array to an unsigned int array, then copying back the
511 * result. Any sensible compiler will omit the copies, while
512 * avoiding undefined behaviour that would result from unsafe
513 * type punning via pointer type casting.
514 */
515 memcpy(bbuf, bnbuf, sizeof(bbuf));
516 memcpy(rbuf, r_d, sizeof(rbuf));
517
518 acc = rp[0];
519 acc += bp[3 * 2 - 6];
520 acc += bp[5 * 2 - 6];
521 rp[0] = (unsigned int)acc;
522 acc >>= 32;
523
524 acc += rp[1];
525 acc += bp[3 * 2 - 5];
526 acc += bp[5 * 2 - 5];
527 rp[1] = (unsigned int)acc;
528 acc >>= 32;
529
530 acc += rp[2];
531 acc += bp[3 * 2 - 6];
532 acc += bp[4 * 2 - 6];
533 acc += bp[5 * 2 - 6];
534 rp[2] = (unsigned int)acc;
535 acc >>= 32;
536
537 acc += rp[3];
538 acc += bp[3 * 2 - 5];
539 acc += bp[4 * 2 - 5];
540 acc += bp[5 * 2 - 5];
541 rp[3] = (unsigned int)acc;
542 acc >>= 32;
543
544 acc += rp[4];
545 acc += bp[4 * 2 - 6];
546 acc += bp[5 * 2 - 6];
547 rp[4] = (unsigned int)acc;
548 acc >>= 32;
549
550 acc += rp[5];
551 acc += bp[4 * 2 - 5];
552 acc += bp[5 * 2 - 5];
553 rp[5] = (unsigned int)acc;
554
555 memcpy(r_d, rbuf, sizeof(rbuf));
556
557 carry = (int)(acc >> 32);
558 }
559#else
560 {
561 BN_ULONG t_d[BN_NIST_192_TOP] = {0};
562
563 nist_set_192(t_d, bnbuf, 0, 3, 3);
564 carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
565 nist_set_192(t_d, bnbuf, 4, 4, 0);
566 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
567 nist_set_192(t_d, bnbuf, 5, 5, 5)
568 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
569 }
570#endif
571 if (carry > 0)
572 carry = (int)bn_sub_words(r_d, r_d, _nist_p_192[carry - 1],
573 BN_NIST_192_TOP);
574 else
575 carry = 1;
576
577 /*
578 * we need 'if (carry==0 || result>=modulus) result-=modulus;'
579 * as comparison implies subtraction, we can write
580 * 'tmp=result-modulus; if (!carry || !borrow) result=tmp;'
581 * this is what happens below, but without explicit if:-) a.
582 */
583 mask = 0 - (uintptr_t)bn_sub_words(c_d, r_d, _nist_p_192[0],
584 BN_NIST_192_TOP);
585 mask &= 0 - (uintptr_t)carry;
586 res = c_d;
587 res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & mask));
588 nist_cp_bn(r_d, res, BN_NIST_192_TOP);
589 r->top = BN_NIST_192_TOP;
590 bn_correct_top(r);
591
592 return 1;
593}
594
595typedef BN_ULONG (*bn_addsub_f)(BN_ULONG *, const BN_ULONG *,
596 const BN_ULONG *, int);
597
598#define nist_set_224(to, from, a1, a2, a3, a4, a5, a6, a7) \
599 { \
600 bn_cp_32(to, 0, from, (a7) - 7) \
601 bn_cp_32(to, 1, from, (a6) - 7) \
602 bn_cp_32(to, 2, from, (a5) - 7) \
603 bn_cp_32(to, 3, from, (a4) - 7) \
604 bn_cp_32(to, 4, from, (a3) - 7) \
605 bn_cp_32(to, 5, from, (a2) - 7) \
606 bn_cp_32(to, 6, from, (a1) - 7) \
607 }
608
609int
610BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx)
611{
612 BN_ULONG bnbuf[BN_NIST_224_TOP] = { 0 };
613 BN_ULONG c_d[BN_NIST_224_TOP] = { 0 };
614 BN_ULONG *a_d = a->d;
615 BN_ULONG *r_d, *res;
616 bn_addsub_f addsubf;
617 uintptr_t mask;
618 int top = a->top;
619 int carry, i;
620
621 field = &_bignum_nist_p_224; /* just to make sure */
622
623 if (BN_is_negative(a) || BN_ucmp(a, &_bignum_nist_p_224_sqr) >= 0)
624 return BN_nnmod(r, a, field, ctx);
625
626 i = BN_ucmp(field, a);
627 if (i == 0) {
628 BN_zero(r);
629 return 1;
630 } else if (i > 0)
631 return bn_copy(r, a);
632
633 if (r != a) {
634 if (!bn_wexpand(r, BN_NIST_224_TOP))
635 return 0;
636 r_d = r->d;
637 nist_cp_bn(r_d, a_d, BN_NIST_224_TOP);
638 } else
639 r_d = a_d;
640
641 memset(&bnbuf, 0, sizeof(bnbuf));
642
643#if BN_BITS2==64
644 /* copy upper 256 bits of 448 bit number ... */
645 nist_cp_bn_0(c_d, a_d + (BN_NIST_224_TOP - 1),
646 top - (BN_NIST_224_TOP - 1), BN_NIST_224_TOP);
647 /* ... and right shift by 32 to obtain upper 224 bits */
648 nist_set_224(bnbuf, c_d, 14, 13, 12, 11, 10, 9, 8);
649 /* truncate lower part to 224 bits too */
650 r_d[BN_NIST_224_TOP - 1] &= BN_MASK2l;
651#else
652 nist_cp_bn_0(bnbuf, a_d + BN_NIST_224_TOP,
653 top - BN_NIST_224_TOP, BN_NIST_224_TOP);
654#endif
655
656#if defined(NIST_INT64) && BN_BITS2!=64
657 {
658 NIST_INT64 acc; /* accumulator */
659 unsigned int bbuf[BN_NIST_224_TOP *
660 sizeof(BN_ULONG) / sizeof(unsigned int)];
661 unsigned int rbuf[BN_NIST_224_TOP *
662 sizeof(BN_ULONG) / sizeof(unsigned int)];
663 const unsigned int *bp = bbuf;
664 unsigned int *rp = rbuf;
665
666 CTASSERT(sizeof(bbuf) == sizeof(bnbuf));
667 CTASSERT(sizeof(rbuf) == sizeof(bnbuf));
668
669 /*
670 * Avoid strict aliasing violations by copying from an unsigned
671 * long array to an unsigned int array, then copying back the
672 * result. Any sensible compiler will omit the copies, while
673 * avoiding undefined behaviour that would result from unsafe
674 * type punning via pointer type casting.
675 */
676 memcpy(bbuf, bnbuf, sizeof(bbuf));
677 memcpy(rbuf, r_d, sizeof(rbuf));
678
679 acc = rp[0];
680 acc -= bp[7 - 7];
681 acc -= bp[11 - 7];
682 rp[0] = (unsigned int)acc;
683 acc >>= 32;
684
685 acc += rp[1];
686 acc -= bp[8 - 7];
687 acc -= bp[12 - 7];
688 rp[1] = (unsigned int)acc;
689 acc >>= 32;
690
691 acc += rp[2];
692 acc -= bp[9 - 7];
693 acc -= bp[13 - 7];
694 rp[2] = (unsigned int)acc;
695 acc >>= 32;
696
697 acc += rp[3];
698 acc += bp[7 - 7];
699 acc += bp[11 - 7];
700 acc -= bp[10 - 7];
701 rp[3] = (unsigned int)acc;
702 acc >>= 32;
703
704 acc += rp[4];
705 acc += bp[8 - 7];
706 acc += bp[12 - 7];
707 acc -= bp[11 - 7];
708 rp[4] = (unsigned int)acc;
709 acc >>= 32;
710
711 acc += rp[5];
712 acc += bp[9 - 7];
713 acc += bp[13 - 7];
714 acc -= bp[12 - 7];
715 rp[5] = (unsigned int)acc;
716 acc >>= 32;
717
718 acc += rp[6];
719 acc += bp[10 - 7];
720 acc -= bp[13 - 7];
721 rp[6] = (unsigned int)acc;
722
723 memcpy(r_d, rbuf, sizeof(rbuf));
724
725 carry = (int)(acc >> 32);
726# if BN_BITS2==64
727 rp[7] = carry;
728# endif
729 }
730#else
731 {
732 BN_ULONG t_d[BN_NIST_224_TOP] = {0};
733
734 nist_set_224(t_d, bnbuf, 10, 9, 8, 7, 0, 0, 0);
735 carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
736 nist_set_224(t_d, bnbuf, 0, 13, 12, 11, 0, 0, 0);
737 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
738 nist_set_224(t_d, bnbuf, 13, 12, 11, 10, 9, 8, 7);
739 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
740 nist_set_224(t_d, bnbuf, 0, 0, 0, 0, 13, 12, 11);
741 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
742
743#if BN_BITS2==64
744 carry = (int)(r_d[BN_NIST_224_TOP - 1] >> 32);
745#endif
746 }
747#endif
748 addsubf = bn_sub_words;
749 if (carry > 0) {
750 carry = (int)bn_sub_words(r_d, r_d, _nist_p_224[carry - 1],
751 BN_NIST_224_TOP);
752#if BN_BITS2==64
753 carry = (int)(~(r_d[BN_NIST_224_TOP - 1] >> 32)) & 1;
754#endif
755 } else if (carry < 0) {
756 /* it's a bit more complicated logic in this case.
757 * if bn_add_words yields no carry, then result
758 * has to be adjusted by unconditionally *adding*
759 * the modulus. but if it does, then result has
760 * to be compared to the modulus and conditionally
761 * adjusted by *subtracting* the latter. */
762 carry = (int)bn_add_words(r_d, r_d, _nist_p_224[-carry - 1],
763 BN_NIST_224_TOP);
764 if (carry == 0)
765 addsubf = bn_add_words;
766 } else
767 carry = 1;
768
769 /* otherwise it's effectively same as in BN_nist_mod_192... */
770 mask = 0 - (uintptr_t)(*addsubf)(c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP);
771 mask &= 0 - (uintptr_t)carry;
772 res = c_d;
773 res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & mask));
774 nist_cp_bn(r_d, res, BN_NIST_224_TOP);
775 r->top = BN_NIST_224_TOP;
776 bn_correct_top(r);
777
778 return 1;
779}
780
781#define nist_set_256(to, from, a1, a2, a3, a4, a5, a6, a7, a8) \
782 { \
783 bn_cp_32(to, 0, from, (a8) - 8) \
784 bn_cp_32(to, 1, from, (a7) - 8) \
785 bn_cp_32(to, 2, from, (a6) - 8) \
786 bn_cp_32(to, 3, from, (a5) - 8) \
787 bn_cp_32(to, 4, from, (a4) - 8) \
788 bn_cp_32(to, 5, from, (a3) - 8) \
789 bn_cp_32(to, 6, from, (a2) - 8) \
790 bn_cp_32(to, 7, from, (a1) - 8) \
791 }
792
793int
794BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx)
795{
796 BN_ULONG bnbuf[BN_NIST_256_TOP] = { 0 };
797 BN_ULONG c_d[BN_NIST_256_TOP] = { 0 };
798 BN_ULONG *a_d = a->d;
799 BN_ULONG *r_d, *res;
800 bn_addsub_f addsubf;
801 uintptr_t mask;
802 int top = a->top;
803 int carry, i;
804
805 field = &_bignum_nist_p_256; /* just to make sure */
806
807 if (BN_is_negative(a) || BN_ucmp(a, &_bignum_nist_p_256_sqr) >= 0)
808 return BN_nnmod(r, a, field, ctx);
809
810 i = BN_ucmp(field, a);
811 if (i == 0) {
812 BN_zero(r);
813 return 1;
814 } else if (i > 0)
815 return bn_copy(r, a);
816
817 if (r != a) {
818 if (!bn_wexpand(r, BN_NIST_256_TOP))
819 return 0;
820 r_d = r->d;
821 nist_cp_bn(r_d, a_d, BN_NIST_256_TOP);
822 } else
823 r_d = a_d;
824
825 nist_cp_bn_0(bnbuf, a_d + BN_NIST_256_TOP,
826 top - BN_NIST_256_TOP, BN_NIST_256_TOP);
827
828#if defined(NIST_INT64)
829 {
830 NIST_INT64 acc; /* accumulator */
831 unsigned int bbuf[BN_NIST_256_TOP *
832 sizeof(BN_ULONG) / sizeof(unsigned int)];
833 unsigned int rbuf[BN_NIST_256_TOP *
834 sizeof(BN_ULONG) / sizeof(unsigned int)];
835 const unsigned int *bp = bbuf;
836 unsigned int *rp = rbuf;
837
838 CTASSERT(sizeof(bbuf) == sizeof(bnbuf));
839 CTASSERT(sizeof(rbuf) == sizeof(bnbuf));
840
841 /*
842 * Avoid strict aliasing violations by copying from an unsigned
843 * long array to an unsigned int array, then copying back the
844 * result. Any sensible compiler will omit the copies, while
845 * avoiding undefined behaviour that would result from unsafe
846 * type punning via pointer type casting.
847 */
848 memcpy(bbuf, bnbuf, sizeof(bbuf));
849 memcpy(rbuf, r_d, sizeof(rbuf));
850
851 acc = rp[0];
852 acc += bp[8 - 8];
853 acc += bp[9 - 8];
854 acc -= bp[11 - 8];
855 acc -= bp[12 - 8];
856 acc -= bp[13 - 8];
857 acc -= bp[14 - 8];
858 rp[0] = (unsigned int)acc;
859 acc >>= 32;
860
861 acc += rp[1];
862 acc += bp[9 - 8];
863 acc += bp[10 - 8];
864 acc -= bp[12 - 8];
865 acc -= bp[13 - 8];
866 acc -= bp[14 - 8];
867 acc -= bp[15 - 8];
868 rp[1] = (unsigned int)acc;
869 acc >>= 32;
870
871 acc += rp[2];
872 acc += bp[10 - 8];
873 acc += bp[11 - 8];
874 acc -= bp[13 - 8];
875 acc -= bp[14 - 8];
876 acc -= bp[15 - 8];
877 rp[2] = (unsigned int)acc;
878 acc >>= 32;
879
880 acc += rp[3];
881 acc += bp[11 - 8];
882 acc += bp[11 - 8];
883 acc += bp[12 - 8];
884 acc += bp[12 - 8];
885 acc += bp[13 - 8];
886 acc -= bp[15 - 8];
887 acc -= bp[8 - 8];
888 acc -= bp[9 - 8];
889 rp[3] = (unsigned int)acc;
890 acc >>= 32;
891
892 acc += rp[4];
893 acc += bp[12 - 8];
894 acc += bp[12 - 8];
895 acc += bp[13 - 8];
896 acc += bp[13 - 8];
897 acc += bp[14 - 8];
898 acc -= bp[9 - 8];
899 acc -= bp[10 - 8];
900 rp[4] = (unsigned int)acc;
901 acc >>= 32;
902
903 acc += rp[5];
904 acc += bp[13 - 8];
905 acc += bp[13 - 8];
906 acc += bp[14 - 8];
907 acc += bp[14 - 8];
908 acc += bp[15 - 8];
909 acc -= bp[10 - 8];
910 acc -= bp[11 - 8];
911 rp[5] = (unsigned int)acc;
912 acc >>= 32;
913
914 acc += rp[6];
915 acc += bp[14 - 8];
916 acc += bp[14 - 8];
917 acc += bp[15 - 8];
918 acc += bp[15 - 8];
919 acc += bp[14 - 8];
920 acc += bp[13 - 8];
921 acc -= bp[8 - 8];
922 acc -= bp[9 - 8];
923 rp[6] = (unsigned int)acc;
924 acc >>= 32;
925
926 acc += rp[7];
927 acc += bp[15 - 8];
928 acc += bp[15 - 8];
929 acc += bp[15 - 8];
930 acc += bp[8 - 8];
931 acc -= bp[10 - 8];
932 acc -= bp[11 - 8];
933 acc -= bp[12 - 8];
934 acc -= bp[13 - 8];
935 rp[7] = (unsigned int)acc;
936
937 memcpy(r_d, rbuf, sizeof(rbuf));
938
939 carry = (int)(acc >> 32);
940 }
941#else
942 {
943 BN_ULONG t_d[BN_NIST_256_TOP] = {0};
944
945 /*S1*/
946 nist_set_256(t_d, bnbuf, 15, 14, 13, 12, 11, 0, 0, 0);
947 /*S2*/
948 nist_set_256(c_d, bnbuf, 0, 15, 14, 13, 12, 0, 0, 0);
949 carry = (int)bn_add_words(t_d, t_d, c_d, BN_NIST_256_TOP);
950 /* left shift */
951 {
952 BN_ULONG *ap, t, c;
953 ap = t_d;
954 c = 0;
955 for (i = BN_NIST_256_TOP; i != 0; --i) {
956 t = *ap;
957 *(ap++) = ((t << 1) | c) & BN_MASK2;
958 c = (t & BN_TBIT) ? 1 : 0;
959 }
960 carry <<= 1;
961 carry |= c;
962 }
963 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
964 /*S3*/
965 nist_set_256(t_d, bnbuf, 15, 14, 0, 0, 0, 10, 9, 8);
966 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
967 /*S4*/
968 nist_set_256(t_d, bnbuf, 8, 13, 15, 14, 13, 11, 10, 9);
969 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
970 /*D1*/
971 nist_set_256(t_d, bnbuf, 10, 8, 0, 0, 0, 13, 12, 11);
972 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
973 /*D2*/
974 nist_set_256(t_d, bnbuf, 11, 9, 0, 0, 15, 14, 13, 12);
975 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
976 /*D3*/
977 nist_set_256(t_d, bnbuf, 12, 0, 10, 9, 8, 15, 14, 13);
978 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
979 /*D4*/
980 nist_set_256(t_d, bnbuf, 13, 0, 11, 10, 9, 0, 15, 14);
981 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
982
983 }
984#endif
985 /* see BN_nist_mod_224 for explanation */
986 addsubf = bn_sub_words;
987 if (carry > 0)
988 carry = (int)bn_sub_words(r_d, r_d, _nist_p_256[carry - 1],
989 BN_NIST_256_TOP);
990 else if (carry < 0) {
991 carry = (int)bn_add_words(r_d, r_d, _nist_p_256[-carry - 1],
992 BN_NIST_256_TOP);
993 if (carry == 0)
994 addsubf = bn_add_words;
995 } else
996 carry = 1;
997
998 mask = 0 - (uintptr_t)(*addsubf)(c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP);
999 mask &= 0 - (uintptr_t)carry;
1000 res = c_d;
1001 res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & mask));
1002 nist_cp_bn(r_d, res, BN_NIST_256_TOP);
1003 r->top = BN_NIST_256_TOP;
1004 bn_correct_top(r);
1005
1006 return 1;
1007}
1008
1009#define nist_set_384(to,from,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12) \
1010 { \
1011 bn_cp_32(to, 0, from, (a12) - 12) \
1012 bn_cp_32(to, 1, from, (a11) - 12) \
1013 bn_cp_32(to, 2, from, (a10) - 12) \
1014 bn_cp_32(to, 3, from, (a9) - 12) \
1015 bn_cp_32(to, 4, from, (a8) - 12) \
1016 bn_cp_32(to, 5, from, (a7) - 12) \
1017 bn_cp_32(to, 6, from, (a6) - 12) \
1018 bn_cp_32(to, 7, from, (a5) - 12) \
1019 bn_cp_32(to, 8, from, (a4) - 12) \
1020 bn_cp_32(to, 9, from, (a3) - 12) \
1021 bn_cp_32(to, 10, from, (a2) - 12) \
1022 bn_cp_32(to, 11, from, (a1) - 12) \
1023 }
1024
1025int
1026BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx)
1027{
1028 BN_ULONG bnbuf[BN_NIST_384_TOP] = { 0 };
1029 BN_ULONG c_d[BN_NIST_384_TOP] = { 0 };
1030 BN_ULONG *a_d = a->d;
1031 BN_ULONG *r_d, *res;
1032 bn_addsub_f addsubf;
1033 uintptr_t mask;
1034 int top = a->top;
1035 int carry, i;
1036
1037 field = &_bignum_nist_p_384; /* just to make sure */
1038
1039 if (BN_is_negative(a) || BN_ucmp(a, &_bignum_nist_p_384_sqr) >= 0)
1040 return BN_nnmod(r, a, field, ctx);
1041
1042 i = BN_ucmp(field, a);
1043 if (i == 0) {
1044 BN_zero(r);
1045 return 1;
1046 } else if (i > 0)
1047 return bn_copy(r, a);
1048
1049 if (r != a) {
1050 if (!bn_wexpand(r, BN_NIST_384_TOP))
1051 return 0;
1052 r_d = r->d;
1053 nist_cp_bn(r_d, a_d, BN_NIST_384_TOP);
1054 } else
1055 r_d = a_d;
1056
1057 nist_cp_bn_0(bnbuf, a_d + BN_NIST_384_TOP,
1058 top - BN_NIST_384_TOP, BN_NIST_384_TOP);
1059
1060#if defined(NIST_INT64)
1061 {
1062 NIST_INT64 acc; /* accumulator */
1063 unsigned int bbuf[BN_NIST_384_TOP *
1064 sizeof(BN_ULONG) / sizeof(unsigned int)];
1065 unsigned int rbuf[BN_NIST_384_TOP *
1066 sizeof(BN_ULONG) / sizeof(unsigned int)];
1067 const unsigned int *bp = bbuf;
1068 unsigned int *rp = rbuf;
1069
1070 CTASSERT(sizeof(bbuf) == sizeof(bnbuf));
1071 CTASSERT(sizeof(rbuf) == sizeof(bnbuf));
1072
1073 /*
1074 * Avoid strict aliasing violations by copying from an unsigned
1075 * long array to an unsigned int array, then copying back the
1076 * result. Any sensible compiler will omit the copies, while
1077 * avoiding undefined behaviour that would result from unsafe
1078 * type punning via pointer type casting.
1079 */
1080 memcpy(bbuf, bnbuf, sizeof(bbuf));
1081 memcpy(rbuf, r_d, sizeof(rbuf));
1082
1083 acc = rp[0];
1084 acc += bp[12 - 12];
1085 acc += bp[21 - 12];
1086 acc += bp[20 - 12];
1087 acc -= bp[23 - 12];
1088 rp[0] = (unsigned int)acc;
1089 acc >>= 32;
1090
1091 acc += rp[1];
1092 acc += bp[13 - 12];
1093 acc += bp[22 - 12];
1094 acc += bp[23 - 12];
1095 acc -= bp[12 - 12];
1096 acc -= bp[20 - 12];
1097 rp[1] = (unsigned int)acc;
1098 acc >>= 32;
1099
1100 acc += rp[2];
1101 acc += bp[14 - 12];
1102 acc += bp[23 - 12];
1103 acc -= bp[13 - 12];
1104 acc -= bp[21 - 12];
1105 rp[2] = (unsigned int)acc;
1106 acc >>= 32;
1107
1108 acc += rp[3];
1109 acc += bp[15 - 12];
1110 acc += bp[12 - 12];
1111 acc += bp[20 - 12];
1112 acc += bp[21 - 12];
1113 acc -= bp[14 - 12];
1114 acc -= bp[22 - 12];
1115 acc -= bp[23 - 12];
1116 rp[3] = (unsigned int)acc;
1117 acc >>= 32;
1118
1119 acc += rp[4];
1120 acc += bp[21 - 12];
1121 acc += bp[21 - 12];
1122 acc += bp[16 - 12];
1123 acc += bp[13 - 12];
1124 acc += bp[12 - 12];
1125 acc += bp[20 - 12];
1126 acc += bp[22 - 12];
1127 acc -= bp[15 - 12];
1128 acc -= bp[23 - 12];
1129 acc -= bp[23 - 12];
1130 rp[4] = (unsigned int)acc;
1131 acc >>= 32;
1132
1133 acc += rp[5];
1134 acc += bp[22 - 12];
1135 acc += bp[22 - 12];
1136 acc += bp[17 - 12];
1137 acc += bp[14 - 12];
1138 acc += bp[13 - 12];
1139 acc += bp[21 - 12];
1140 acc += bp[23 - 12];
1141 acc -= bp[16 - 12];
1142 rp[5] = (unsigned int)acc;
1143 acc >>= 32;
1144
1145 acc += rp[6];
1146 acc += bp[23 - 12];
1147 acc += bp[23 - 12];
1148 acc += bp[18 - 12];
1149 acc += bp[15 - 12];
1150 acc += bp[14 - 12];
1151 acc += bp[22 - 12];
1152 acc -= bp[17 - 12];
1153 rp[6] = (unsigned int)acc;
1154 acc >>= 32;
1155
1156 acc += rp[7];
1157 acc += bp[19 - 12];
1158 acc += bp[16 - 12];
1159 acc += bp[15 - 12];
1160 acc += bp[23 - 12];
1161 acc -= bp[18 - 12];
1162 rp[7] = (unsigned int)acc;
1163 acc >>= 32;
1164
1165 acc += rp[8];
1166 acc += bp[20 - 12];
1167 acc += bp[17 - 12];
1168 acc += bp[16 - 12];
1169 acc -= bp[19 - 12];
1170 rp[8] = (unsigned int)acc;
1171 acc >>= 32;
1172
1173 acc += rp[9];
1174 acc += bp[21 - 12];
1175 acc += bp[18 - 12];
1176 acc += bp[17 - 12];
1177 acc -= bp[20 - 12];
1178 rp[9] = (unsigned int)acc;
1179 acc >>= 32;
1180
1181 acc += rp[10];
1182 acc += bp[22 - 12];
1183 acc += bp[19 - 12];
1184 acc += bp[18 - 12];
1185 acc -= bp[21 - 12];
1186 rp[10] = (unsigned int)acc;
1187 acc >>= 32;
1188
1189 acc += rp[11];
1190 acc += bp[23 - 12];
1191 acc += bp[20 - 12];
1192 acc += bp[19 - 12];
1193 acc -= bp[22 - 12];
1194 rp[11] = (unsigned int)acc;
1195
1196 memcpy(r_d, rbuf, sizeof(rbuf));
1197
1198 carry = (int)(acc >> 32);
1199 }
1200#else
1201 {
1202 BN_ULONG t_d[BN_NIST_384_TOP] = {0};
1203
1204 /*S1*/
1205 nist_set_256(t_d, bnbuf, 0, 0, 0, 0, 0, 23 - 4, 22 - 4,
1206 21 - 4);
1207 /* left shift */
1208 {
1209 BN_ULONG *ap, t, c;
1210 ap = t_d;
1211 c = 0;
1212 for (i = 3; i != 0; --i) {
1213 t= *ap;
1214 *(ap++) = ((t << 1)|c) & BN_MASK2;
1215 c = (t & BN_TBIT) ? 1 : 0;
1216 }
1217 *ap = c;
1218 }
1219 carry = (int)bn_add_words(r_d + (128 / BN_BITS2),
1220 r_d + (128 / BN_BITS2), t_d, BN_NIST_256_TOP);
1221 /*S2 */
1222 carry += (int)bn_add_words(r_d, r_d, bnbuf, BN_NIST_384_TOP);
1223 /*S3*/
1224 nist_set_384(t_d, bnbuf, 20, 19, 18, 17, 16, 15, 14, 13, 12,
1225 23, 22, 21);
1226 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
1227 /*S4*/
1228 nist_set_384(t_d, bnbuf, 19, 18, 17, 16, 15, 14, 13, 12, 20,
1229 0, 23, 0);
1230 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
1231 /*S5*/
1232 nist_set_384(t_d, bnbuf, 0,0, 0,0, 23, 22, 21, 20, 0,0, 0, 0);
1233 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
1234 /*S6*/
1235 nist_set_384(t_d, bnbuf, 0,0, 0,0, 0,0, 23, 22, 21, 0,0, 20);
1236 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
1237 /*D1*/
1238 nist_set_384(t_d, bnbuf, 22, 21, 20, 19, 18, 17, 16, 15, 14,
1239 13, 12, 23);
1240 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
1241 /*D2*/
1242 nist_set_384(t_d, bnbuf, 0,0, 0,0, 0,0, 0,23, 22, 21, 20, 0);
1243 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
1244 /*D3*/
1245 nist_set_384(t_d, bnbuf, 0,0, 0,0, 0,0, 0,23, 23, 0,0, 0);
1246 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
1247
1248 }
1249#endif
1250 /* see BN_nist_mod_224 for explanation */
1251 addsubf = bn_sub_words;
1252 if (carry > 0)
1253 carry = (int)bn_sub_words(r_d, r_d, _nist_p_384[carry - 1],
1254 BN_NIST_384_TOP);
1255 else if (carry < 0) {
1256 carry = (int)bn_add_words(r_d, r_d, _nist_p_384[-carry - 1],
1257 BN_NIST_384_TOP);
1258 if (carry == 0)
1259 addsubf = bn_add_words;
1260 } else
1261 carry = 1;
1262
1263 mask = 0 - (uintptr_t)(*addsubf)(c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP);
1264 mask &= 0 - (uintptr_t)carry;
1265 res = c_d;
1266 res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & mask));
1267 nist_cp_bn(r_d, res, BN_NIST_384_TOP);
1268 r->top = BN_NIST_384_TOP;
1269 bn_correct_top(r);
1270
1271 return 1;
1272}
1273
1274#define BN_NIST_521_RSHIFT (521%BN_BITS2)
1275#define BN_NIST_521_LSHIFT (BN_BITS2-BN_NIST_521_RSHIFT)
1276#define BN_NIST_521_TOP_MASK ((BN_ULONG)BN_MASK2>>BN_NIST_521_LSHIFT)
1277
1278int
1279BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx)
1280{
1281 BN_ULONG t_d[BN_NIST_521_TOP] = { 0 };
1282 BN_ULONG *a_d = a->d;
1283 BN_ULONG *r_d, *res;
1284 BN_ULONG tmp, val;
1285 uintptr_t mask;
1286 int top = a->top;
1287 int i;
1288
1289 field = &_bignum_nist_p_521; /* just to make sure */
1290
1291 if (BN_is_negative(a) || BN_ucmp(a, &_bignum_nist_p_521_sqr) >= 0)
1292 return BN_nnmod(r, a, field, ctx);
1293
1294 i = BN_ucmp(field, a);
1295 if (i == 0) {
1296 BN_zero(r);
1297 return 1;
1298 } else if (i > 0)
1299 return bn_copy(r, a);
1300
1301 if (r != a) {
1302 if (!bn_wexpand(r, BN_NIST_521_TOP))
1303 return 0;
1304 r_d = r->d;
1305 nist_cp_bn(r_d, a_d, BN_NIST_521_TOP);
1306 } else
1307 r_d = a_d;
1308
1309 /* upper 521 bits, copy ... */
1310 nist_cp_bn_0(t_d, a_d + (BN_NIST_521_TOP - 1),
1311 top - (BN_NIST_521_TOP - 1), BN_NIST_521_TOP);
1312 /* ... and right shift */
1313 for (val = t_d[0], i = 0; i < BN_NIST_521_TOP - 1; i++) {
1314 tmp = val >> BN_NIST_521_RSHIFT;
1315 val = t_d[i + 1];
1316 t_d[i] = (tmp | val << BN_NIST_521_LSHIFT) & BN_MASK2;
1317 }
1318 t_d[i] = val >> BN_NIST_521_RSHIFT;
1319 /* lower 521 bits */
1320 r_d[i] &= BN_NIST_521_TOP_MASK;
1321
1322 bn_add_words(r_d, r_d, t_d, BN_NIST_521_TOP);
1323 mask = 0 - (uintptr_t)bn_sub_words(t_d, r_d, _nist_p_521,
1324 BN_NIST_521_TOP);
1325 res = t_d;
1326 res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & mask));
1327 nist_cp_bn(r_d, res, BN_NIST_521_TOP);
1328 r->top = BN_NIST_521_TOP;
1329 bn_correct_top(r);
1330
1331 return 1;
1332}
diff --git a/src/lib/libcrypto/ec/ecp_nist.c b/src/lib/libcrypto/ec/ecp_nist.c
deleted file mode 100644
index 9478b4dc6e..0000000000
--- a/src/lib/libcrypto/ec/ecp_nist.c
+++ /dev/null
@@ -1,177 +0,0 @@
1/* $OpenBSD: ecp_nist.c,v 1.26 2023/04/11 18:58:20 jsing Exp $ */
2/*
3 * Written by Nils Larsch for the OpenSSL project.
4 */
5/* ====================================================================
6 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Portions of this software developed by SUN MICROSYSTEMS, INC.,
61 * and contributed to the OpenSSL project.
62 */
63
64#include <limits.h>
65
66#include <openssl/err.h>
67#include <openssl/objects.h>
68
69#include "ec_local.h"
70
71static int
72ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src)
73{
74 dest->field_mod_func = src->field_mod_func;
75
76 return ec_GFp_simple_group_copy(dest, src);
77}
78
79static int
80ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p,
81 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
82{
83 if (BN_ucmp(BN_get0_nist_prime_192(), p) == 0)
84 group->field_mod_func = BN_nist_mod_192;
85 else if (BN_ucmp(BN_get0_nist_prime_224(), p) == 0)
86 group->field_mod_func = BN_nist_mod_224;
87 else if (BN_ucmp(BN_get0_nist_prime_256(), p) == 0)
88 group->field_mod_func = BN_nist_mod_256;
89 else if (BN_ucmp(BN_get0_nist_prime_384(), p) == 0)
90 group->field_mod_func = BN_nist_mod_384;
91 else if (BN_ucmp(BN_get0_nist_prime_521(), p) == 0)
92 group->field_mod_func = BN_nist_mod_521;
93 else {
94 ECerror(EC_R_NOT_A_NIST_PRIME);
95 return 0;
96 }
97
98 return ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
99}
100
101static int
102ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
103 const BIGNUM *b, BN_CTX *ctx)
104{
105 if (group == NULL || r == NULL || a == NULL || b == NULL) {
106 ECerror(ERR_R_PASSED_NULL_PARAMETER);
107 return 0;
108 }
109
110 if (!BN_mul(r, a, b, ctx))
111 return 0;
112
113 return group->field_mod_func(r, r, &group->field, ctx);
114}
115
116static int
117ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
118 BN_CTX *ctx)
119{
120 if (group == NULL || r == NULL || a == NULL) {
121 ECerror(EC_R_PASSED_NULL_PARAMETER);
122 return 0;
123 }
124
125 if (!BN_sqr(r, a, ctx))
126 return 0;
127
128 return group->field_mod_func(r, r, &group->field, ctx);
129}
130
131static const EC_METHOD ec_GFp_nist_method = {
132 .field_type = NID_X9_62_prime_field,
133 .group_init = ec_GFp_simple_group_init,
134 .group_finish = ec_GFp_simple_group_finish,
135 .group_copy = ec_GFp_nist_group_copy,
136 .group_set_curve = ec_GFp_nist_group_set_curve,
137 .group_get_curve = ec_GFp_simple_group_get_curve,
138 .group_get_degree = ec_GFp_simple_group_get_degree,
139 .group_order_bits = ec_group_simple_order_bits,
140 .group_check_discriminant = ec_GFp_simple_group_check_discriminant,
141 .point_init = ec_GFp_simple_point_init,
142 .point_finish = ec_GFp_simple_point_finish,
143 .point_copy = ec_GFp_simple_point_copy,
144 .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
145 .point_set_Jprojective_coordinates =
146 ec_GFp_simple_set_Jprojective_coordinates,
147 .point_get_Jprojective_coordinates =
148 ec_GFp_simple_get_Jprojective_coordinates,
149 .point_set_affine_coordinates =
150 ec_GFp_simple_point_set_affine_coordinates,
151 .point_get_affine_coordinates =
152 ec_GFp_simple_point_get_affine_coordinates,
153 .point_set_compressed_coordinates =
154 ec_GFp_simple_set_compressed_coordinates,
155 .point2oct = ec_GFp_simple_point2oct,
156 .oct2point = ec_GFp_simple_oct2point,
157 .add = ec_GFp_simple_add,
158 .dbl = ec_GFp_simple_dbl,
159 .invert = ec_GFp_simple_invert,
160 .is_at_infinity = ec_GFp_simple_is_at_infinity,
161 .is_on_curve = ec_GFp_simple_is_on_curve,
162 .point_cmp = ec_GFp_simple_cmp,
163 .make_affine = ec_GFp_simple_make_affine,
164 .points_make_affine = ec_GFp_simple_points_make_affine,
165 .mul_generator_ct = ec_GFp_simple_mul_generator_ct,
166 .mul_single_ct = ec_GFp_simple_mul_single_ct,
167 .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
168 .field_mul = ec_GFp_nist_field_mul,
169 .field_sqr = ec_GFp_nist_field_sqr,
170 .blind_coordinates = ec_GFp_simple_blind_coordinates,
171};
172
173const EC_METHOD *
174EC_GFp_nist_method(void)
175{
176 return &ec_GFp_nist_method;
177}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-23 00:52:47 +0000