| author | tb <> | 2025-01-07 08:30:52 +0000 |
|---|---|---|
| committer | tb <> | 2025-01-07 08:30:52 +0000 |
| commit | 7430d2975936e60b42b326878d4404f91aebacea (patch) | |
| tree | 6ecbe239120c7d74f351796a659e9df26c4523c6 /src | |
| parent | f62644a3fec4a1c2ba18134913f454106247493d (diff) | |
Check discriminant directly in EC_GROUP_set_discriminant()
After possibly decoding a and b in EC_GROUP_get_curve(), this is a pure
calculation in GFp and as such doesn't make use of any method-specifics.
Let's perform this calculation directly in the public API implementation
rather than redirecting through the methods and remove yet another method
handler.
ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/ec/ec_lib.c | 50 | ||||
| -rw-r--r-- | src/lib/libcrypto/ec/ec_local.h | 4 | ||||
| -rw-r--r-- | src/lib/libcrypto/ec/ecp_methods.c | 61 |
3 files changed, 47 insertions, 68 deletions
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c index 7a82eb23f8..a50b1e5633 100644 --- a/src/lib/libcrypto/ec/ec_lib.c +++ b/src/lib/libcrypto/ec/ec_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ec_lib.c,v 1.102 2025/01/06 19:23:25 tb Exp $ */ | 1 | /* $OpenBSD: ec_lib.c,v 1.103 2025/01/07 08:30:52 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Originally written by Bodo Moeller for the OpenSSL project. | 3 | * Originally written by Bodo Moeller for the OpenSSL project. |
| 4 | */ | 4 | */ |
| @@ -600,6 +600,7 @@ int | |||
| 600 | EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx_in) | 600 | EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx_in) |
| 601 | { | 601 | { |
| 602 | BN_CTX *ctx; | 602 | BN_CTX *ctx; |
| 603 | BIGNUM *p, *a, *b, *discriminant; | ||
| 603 | int ret = 0; | 604 | int ret = 0; |
| 604 | 605 | ||
| 605 | if ((ctx = ctx_in) == NULL) | 606 | if ((ctx = ctx_in) == NULL) |
| @@ -607,11 +608,50 @@ EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx_in) | |||
| 607 | if (ctx == NULL) | 608 | if (ctx == NULL) |
| 608 | goto err; | 609 | goto err; |
| 609 | 610 | ||
| 610 | if (group->meth->group_check_discriminant == NULL) { | 611 | BN_CTX_start(ctx); |
| 611 | ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | 612 | |
| 613 | if ((p = BN_CTX_get(ctx)) == NULL) | ||
| 612 | goto err; | 614 | goto err; |
| 613 | } | 615 | if ((a = BN_CTX_get(ctx)) == NULL) |
| 614 | ret = group->meth->group_check_discriminant(group, ctx); | 616 | goto err; |
| 617 | if ((b = BN_CTX_get(ctx)) == NULL) | ||
| 618 | goto err; | ||
| 619 | if ((discriminant = BN_CTX_get(ctx)) == NULL) | ||
| 620 | goto err; | ||
| 621 | |||
| 622 | if (!EC_GROUP_get_curve(group, p, a, b, ctx)) | ||
| 623 | goto err; | ||
| 624 | |||
| 625 | /* | ||
| 626 | * Check that the discriminant 4a^3 + 27b^2 is non-zero modulo p. | ||
| 627 | */ | ||
| 628 | |||
| 629 | if (BN_is_zero(a) && BN_is_zero(b)) | ||
| 630 | goto err; | ||
| 631 | if (BN_is_zero(a) || BN_is_zero(b)) | ||
| 632 | goto done; | ||
| 633 | |||
| 634 | /* Compute the discriminant: first 4a^3, then 27b^2, then their sum. */ | ||
| 635 | if (!BN_mod_sqr(discriminant, a, p, ctx)) | ||
| 636 | goto err; | ||
| 637 | if (!BN_mod_mul(discriminant, discriminant, a, p, ctx)) | ||
| 638 | goto err; | ||
| 639 | if (!BN_lshift(discriminant, discriminant, 2)) | ||
| 640 | goto err; | ||
| 641 | |||
| 642 | if (!BN_mod_sqr(b, b, p, ctx)) | ||
| 643 | goto err; | ||
| 644 | if (!BN_mul_word(b, 27)) | ||
| 645 | goto err; | ||
| 646 | |||
| 647 | if (!BN_mod_add(discriminant, discriminant, b, p, ctx)) | ||
| 648 | goto err; | ||
| 649 | |||
| 650 | if (BN_is_zero(discriminant)) | ||
| 651 | goto err; | ||
| 652 | |||
| 653 | done: | ||
| 654 | ret = 1; | ||
| 615 | 655 | ||
| 616 | err: | 656 | err: |
| 617 | if (ctx != ctx_in) | 657 | if (ctx != ctx_in) |
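Review bot: The BN_CTX_start(ctx) added at new line 611 has no matching BN_CTX_end(): the `err:` label at 656 falls straight through to the pre-existing `if (ctx != ctx_in)` / BN_CTX_free() tail, and since the hunk ends on that context line, unless a BN_CTX_end() was added further down (the rest of EC_GROUP_check_discriminant() is outside the hunk) the frame holding p, a, b and discriminant is never popped. With a locally allocated ctx BN_CTX_free() still reclaims everything, but with a caller-supplied ctx_in the caller's own BN_CTX_start()/BN_CTX_end() nesting is left unbalanced after this call. The removed ec_group_check_discriminant() in ecp_methods.c had `BN_CTX_end(ctx);` directly under its `err:` label, and the same line should follow the new `err:` here; note that the `ctx == NULL` early-out also reaches `err:`, so either confirm BN_CTX_end() tolerates a NULL argument or route that path around it. Separately, the commit title names EC_GROUP_set_discriminant() while the function changed is EC_GROUP_check_discriminant().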
diff --git a/src/lib/libcrypto/ec/ec_local.h b/src/lib/libcrypto/ec/ec_local.h index 03fda6876b..49442786e7 100644 --- a/src/lib/libcrypto/ec/ec_local.h +++ b/src/lib/libcrypto/ec/ec_local.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ec_local.h,v 1.52 2025/01/06 14:34:47 tb Exp $ */ | 1 | /* $OpenBSD: ec_local.h,v 1.53 2025/01/07 08:30:52 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Originally written by Bodo Moeller for the OpenSSL project. | 3 | * Originally written by Bodo Moeller for the OpenSSL project. |
| 4 | */ | 4 | */ |
| @@ -93,8 +93,6 @@ struct ec_method_st { | |||
| 93 | int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, | 93 | int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, |
| 94 | BIGNUM *b, BN_CTX *); | 94 | BIGNUM *b, BN_CTX *); |
| 95 | 95 | ||
| 96 | int (*group_check_discriminant)(const EC_GROUP *, BN_CTX *); | ||
| 97 | |||
| 98 | int (*point_set_affine_coordinates)(const EC_GROUP *, EC_POINT *, | 96 | int (*point_set_affine_coordinates)(const EC_GROUP *, EC_POINT *, |
| 99 | const BIGNUM *x, const BIGNUM *y, BN_CTX *); | 97 | const BIGNUM *x, const BIGNUM *y, BN_CTX *); |
| 100 | int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_POINT *, | 98 | int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_POINT *, |
diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c index 8623131ffa..9593428870 100644 --- a/src/lib/libcrypto/ec/ecp_methods.c +++ b/src/lib/libcrypto/ec/ecp_methods.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ecp_methods.c,v 1.25 2025/01/06 18:43:27 tb Exp $ */ | 1 | /* $OpenBSD: ecp_methods.c,v 1.26 2025/01/07 08:30:52 tb Exp $ */ |
| 2 | /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de> | 2 | /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de> |
| 3 | * for the OpenSSL project. | 3 | * for the OpenSSL project. |
| 4 | * Includes code written by Bodo Moeller for the OpenSSL project. | 4 | * Includes code written by Bodo Moeller for the OpenSSL project. |
| @@ -167,63 +167,6 @@ ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, | |||
| 167 | } | 167 | } |
| 168 | 168 | ||
| 169 | static int | 169 | static int |
| 170 | ec_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx) | ||
| 171 | { | ||
| 172 | BIGNUM *p, *a, *b, *discriminant; | ||
| 173 | int ret = 0; | ||
| 174 | |||
| 175 | BN_CTX_start(ctx); | ||
| 176 | |||
| 177 | if ((p = BN_CTX_get(ctx)) == NULL) | ||
| 178 | goto err; | ||
| 179 | if ((a = BN_CTX_get(ctx)) == NULL) | ||
| 180 | goto err; | ||
| 181 | if ((b = BN_CTX_get(ctx)) == NULL) | ||
| 182 | goto err; | ||
| 183 | if ((discriminant = BN_CTX_get(ctx)) == NULL) | ||
| 184 | goto err; | ||
| 185 | |||
| 186 | if (!EC_GROUP_get_curve(group, p, a, b, ctx)) | ||
| 187 | goto err; | ||
| 188 | |||
| 189 | /* | ||
| 190 | * Check that the discriminant 4a^3 + 27b^2 is non-zero modulo p. | ||
| 191 | */ | ||
| 192 | |||
| 193 | if (BN_is_zero(a) && BN_is_zero(b)) | ||
| 194 | goto err; | ||
| 195 | if (BN_is_zero(a) || BN_is_zero(b)) | ||
| 196 | goto done; | ||
| 197 | |||
| 198 | /* Compute the discriminant: first 4a^3, then 27b^2, then their sum. */ | ||
| 199 | if (!BN_mod_sqr(discriminant, a, p, ctx)) | ||
| 200 | goto err; | ||
| 201 | if (!BN_mod_mul(discriminant, discriminant, a, p, ctx)) | ||
| 202 | goto err; | ||
| 203 | if (!BN_lshift(discriminant, discriminant, 2)) | ||
| 204 | goto err; | ||
| 205 | |||
| 206 | if (!BN_mod_sqr(b, b, p, ctx)) | ||
| 207 | goto err; | ||
| 208 | if (!BN_mul_word(b, 27)) | ||
| 209 | goto err; | ||
| 210 | |||
| 211 | if (!BN_mod_add(discriminant, discriminant, b, p, ctx)) | ||
| 212 | goto err; | ||
| 213 | |||
| 214 | if (BN_is_zero(discriminant)) | ||
| 215 | goto err; | ||
| 216 | |||
| 217 | done: | ||
| 218 | ret = 1; | ||
| 219 | |||
| 220 | err: | ||
| 221 | BN_CTX_end(ctx); | ||
| 222 | |||
| 223 | return ret; | ||
| 224 | } | ||
| 225 | |||
| 226 | static int | ||
| 227 | ec_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point, | 170 | ec_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point, |
| 228 | const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) | 171 | const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) |
| 229 | { | 172 | { |
| @@ -1511,7 +1454,6 @@ static const EC_METHOD ec_GFp_simple_method = { | |||
| 1511 | .field_type = NID_X9_62_prime_field, | 1454 | .field_type = NID_X9_62_prime_field, |
| 1512 | .group_set_curve = ec_group_set_curve, | 1455 | .group_set_curve = ec_group_set_curve, |
| 1513 | .group_get_curve = ec_group_get_curve, | 1456 | .group_get_curve = ec_group_get_curve, |
| 1514 | .group_check_discriminant = ec_group_check_discriminant, | ||
| 1515 | .point_set_affine_coordinates = ec_point_set_affine_coordinates, | 1457 | .point_set_affine_coordinates = ec_point_set_affine_coordinates, |
| 1516 | .point_get_affine_coordinates = ec_point_get_affine_coordinates, | 1458 | .point_get_affine_coordinates = ec_point_get_affine_coordinates, |
| 1517 | .point_set_compressed_coordinates = ec_set_compressed_coordinates, | 1459 | .point_set_compressed_coordinates = ec_set_compressed_coordinates, |
| @@ -1540,7 +1482,6 @@ static const EC_METHOD ec_GFp_mont_method = { | |||
| 1540 | .field_type = NID_X9_62_prime_field, | 1482 | .field_type = NID_X9_62_prime_field, |
| 1541 | .group_set_curve = ec_mont_group_set_curve, | 1483 | .group_set_curve = ec_mont_group_set_curve, |
| 1542 | .group_get_curve = ec_group_get_curve, | 1484 | .group_get_curve = ec_group_get_curve, |
| 1543 | .group_check_discriminant = ec_group_check_discriminant, | ||
| 1544 | .point_set_affine_coordinates = ec_point_set_affine_coordinates, | 1485 | .point_set_affine_coordinates = ec_point_set_affine_coordinates, |
| 1545 | .point_get_affine_coordinates = ec_point_get_affine_coordinates, | 1486 | .point_get_affine_coordinates = ec_point_get_affine_coordinates, |
| 1546 | .point_set_compressed_coordinates = ec_set_compressed_coordinates, | 1487 | .point_set_compressed_coordinates = ec_set_compressed_coordinates, |
