summaryrefslogtreecommitdiff
path: root/src/lib/libc
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/ec/ec2_mult.c374
-rw-r--r--src/lib/libcrypto/ec/ec2_oct.c311
-rw-r--r--src/lib/libcrypto/ec/ec2_smpl.c667
-rw-r--r--src/lib/libcrypto/ec/ec_ameth.c443
-rw-r--r--src/lib/libcrypto/ec/ec_asn1.c1208
-rw-r--r--src/lib/libcrypto/ec/ec_check.c58
-rw-r--r--src/lib/libcrypto/ec/ec_curve.c5124
-rw-r--r--src/lib/libcrypto/ec/ec_cvt.c54
-rw-r--r--src/lib/libcrypto/ec/ec_err.c400
-rw-r--r--src/lib/libcrypto/ec/ec_key.c434
-rw-r--r--src/lib/libcrypto/ec/ec_lib.c953
-rw-r--r--src/lib/libcrypto/ec/ec_mult.c752
-rw-r--r--src/lib/libcrypto/ec/ec_oct.c133
-rw-r--r--src/lib/libcrypto/ec/ec_pmeth.c185
-rw-r--r--src/lib/libcrypto/ec/ec_print.c119
-rw-r--r--src/lib/libcrypto/ec/eck_prn.c290
-rw-r--r--src/lib/libcrypto/ec/ecp_mont.c220
-rw-r--r--src/lib/libcrypto/ec/ecp_nist.c95
-rw-r--r--src/lib/libcrypto/ec/ecp_nistp224.c1016
-rw-r--r--src/lib/libcrypto/ec/ecp_nistp256.c1357
-rw-r--r--src/lib/libcrypto/ec/ecp_nistp521.c1607
-rw-r--r--src/lib/libcrypto/ec/ecp_nistputil.c100
-rw-r--r--src/lib/libcrypto/ec/ecp_oct.c373
-rw-r--r--src/lib/libcrypto/ec/ecp_smpl.c1482
24 files changed, 9136 insertions, 8619 deletions
diff --git a/src/lib/libcrypto/ec/ec2_mult.c b/src/lib/libcrypto/ec/ec2_mult.c
index 1c575dc47a..040d7bb278 100644
--- a/src/lib/libcrypto/ec/ec2_mult.c
+++ b/src/lib/libcrypto/ec/ec2_mult.c
@@ -21,7 +21,7 @@
21 * are met: 21 * are met:
22 * 22 *
23 * 1. Redistributions of source code must retain the above copyright 23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer. 24 * notice, this list of conditions and the following disclaimer.
25 * 25 *
26 * 2. Redistributions in binary form must reproduce the above copyright 26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in 27 * notice, this list of conditions and the following disclaimer in
@@ -74,178 +74,215 @@
74#ifndef OPENSSL_NO_EC2M 74#ifndef OPENSSL_NO_EC2M
75 75
76 76
77/* Compute the x-coordinate x/z for the point 2*(x/z) in Montgomery projective 77/* Compute the x-coordinate x/z for the point 2*(x/z) in Montgomery projective
78 * coordinates. 78 * coordinates.
79 * Uses algorithm Mdouble in appendix of 79 * Uses algorithm Mdouble in appendix of
80 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over 80 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
81 * GF(2^m) without precomputation" (CHES '99, LNCS 1717). 81 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
82 * modified to not require precomputation of c=b^{2^{m-1}}. 82 * modified to not require precomputation of c=b^{2^{m-1}}.
83 */ 83 */
84static int gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx) 84static int
85 { 85gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx)
86{
86 BIGNUM *t1; 87 BIGNUM *t1;
87 int ret = 0; 88 int ret = 0;
88 89
89 /* Since Mdouble is static we can guarantee that ctx != NULL. */ 90 /* Since Mdouble is static we can guarantee that ctx != NULL. */
90 BN_CTX_start(ctx); 91 BN_CTX_start(ctx);
91 t1 = BN_CTX_get(ctx); 92 t1 = BN_CTX_get(ctx);
92 if (t1 == NULL) goto err; 93 if (t1 == NULL)
94 goto err;
93 95
94 if (!group->meth->field_sqr(group, x, x, ctx)) goto err; 96 if (!group->meth->field_sqr(group, x, x, ctx))
95 if (!group->meth->field_sqr(group, t1, z, ctx)) goto err; 97 goto err;
96 if (!group->meth->field_mul(group, z, x, t1, ctx)) goto err; 98 if (!group->meth->field_sqr(group, t1, z, ctx))
97 if (!group->meth->field_sqr(group, x, x, ctx)) goto err; 99 goto err;
98 if (!group->meth->field_sqr(group, t1, t1, ctx)) goto err; 100 if (!group->meth->field_mul(group, z, x, t1, ctx))
99 if (!group->meth->field_mul(group, t1, &group->b, t1, ctx)) goto err; 101 goto err;
100 if (!BN_GF2m_add(x, x, t1)) goto err; 102 if (!group->meth->field_sqr(group, x, x, ctx))
103 goto err;
104 if (!group->meth->field_sqr(group, t1, t1, ctx))
105 goto err;
106 if (!group->meth->field_mul(group, t1, &group->b, t1, ctx))
107 goto err;
108 if (!BN_GF2m_add(x, x, t1))
109 goto err;
101 110
102 ret = 1; 111 ret = 1;
103 112
104 err: 113err:
105 BN_CTX_end(ctx); 114 BN_CTX_end(ctx);
106 return ret; 115 return ret;
107 } 116}
108 117
109/* Compute the x-coordinate x1/z1 for the point (x1/z1)+(x2/x2) in Montgomery 118/* Compute the x-coordinate x1/z1 for the point (x1/z1)+(x2/x2) in Montgomery
110 * projective coordinates. 119 * projective coordinates.
111 * Uses algorithm Madd in appendix of 120 * Uses algorithm Madd in appendix of
112 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over 121 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
113 * GF(2^m) without precomputation" (CHES '99, LNCS 1717). 122 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
114 */ 123 */
115static int gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1, 124static int
116 const BIGNUM *x2, const BIGNUM *z2, BN_CTX *ctx) 125gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1,
117 { 126 const BIGNUM *x2, const BIGNUM *z2, BN_CTX *ctx)
127{
118 BIGNUM *t1, *t2; 128 BIGNUM *t1, *t2;
119 int ret = 0; 129 int ret = 0;
120 130
121 /* Since Madd is static we can guarantee that ctx != NULL. */ 131 /* Since Madd is static we can guarantee that ctx != NULL. */
122 BN_CTX_start(ctx); 132 BN_CTX_start(ctx);
123 t1 = BN_CTX_get(ctx); 133 t1 = BN_CTX_get(ctx);
124 t2 = BN_CTX_get(ctx); 134 t2 = BN_CTX_get(ctx);
125 if (t2 == NULL) goto err; 135 if (t2 == NULL)
136 goto err;
126 137
127 if (!BN_copy(t1, x)) goto err; 138 if (!BN_copy(t1, x))
128 if (!group->meth->field_mul(group, x1, x1, z2, ctx)) goto err; 139 goto err;
129 if (!group->meth->field_mul(group, z1, z1, x2, ctx)) goto err; 140 if (!group->meth->field_mul(group, x1, x1, z2, ctx))
130 if (!group->meth->field_mul(group, t2, x1, z1, ctx)) goto err; 141 goto err;
131 if (!BN_GF2m_add(z1, z1, x1)) goto err; 142 if (!group->meth->field_mul(group, z1, z1, x2, ctx))
132 if (!group->meth->field_sqr(group, z1, z1, ctx)) goto err; 143 goto err;
133 if (!group->meth->field_mul(group, x1, z1, t1, ctx)) goto err; 144 if (!group->meth->field_mul(group, t2, x1, z1, ctx))
134 if (!BN_GF2m_add(x1, x1, t2)) goto err; 145 goto err;
146 if (!BN_GF2m_add(z1, z1, x1))
147 goto err;
148 if (!group->meth->field_sqr(group, z1, z1, ctx))
149 goto err;
150 if (!group->meth->field_mul(group, x1, z1, t1, ctx))
151 goto err;
152 if (!BN_GF2m_add(x1, x1, t2))
153 goto err;
135 154
136 ret = 1; 155 ret = 1;
137 156
138 err: 157err:
139 BN_CTX_end(ctx); 158 BN_CTX_end(ctx);
140 return ret; 159 return ret;
141 } 160}
142 161
143/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2) 162/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2)
144 * using Montgomery point multiplication algorithm Mxy() in appendix of 163 * using Montgomery point multiplication algorithm Mxy() in appendix of
145 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over 164 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
146 * GF(2^m) without precomputation" (CHES '99, LNCS 1717). 165 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
147 * Returns: 166 * Returns:
148 * 0 on error 167 * 0 on error
149 * 1 if return value should be the point at infinity 168 * 1 if return value should be the point at infinity
150 * 2 otherwise 169 * 2 otherwise
151 */ 170 */
152static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1, 171static int
153 BIGNUM *z1, BIGNUM *x2, BIGNUM *z2, BN_CTX *ctx) 172gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1,
154 { 173 BIGNUM *z1, BIGNUM *x2, BIGNUM *z2, BN_CTX *ctx)
174{
155 BIGNUM *t3, *t4, *t5; 175 BIGNUM *t3, *t4, *t5;
156 int ret = 0; 176 int ret = 0;
157 177
158 if (BN_is_zero(z1)) 178 if (BN_is_zero(z1)) {
159 {
160 BN_zero(x2); 179 BN_zero(x2);
161 BN_zero(z2); 180 BN_zero(z2);
162 return 1; 181 return 1;
163 } 182 }
164 183 if (BN_is_zero(z2)) {
165 if (BN_is_zero(z2)) 184 if (!BN_copy(x2, x))
166 { 185 return 0;
167 if (!BN_copy(x2, x)) return 0; 186 if (!BN_GF2m_add(z2, x, y))
168 if (!BN_GF2m_add(z2, x, y)) return 0; 187 return 0;
169 return 2; 188 return 2;
170 } 189 }
171
172 /* Since Mxy is static we can guarantee that ctx != NULL. */ 190 /* Since Mxy is static we can guarantee that ctx != NULL. */
173 BN_CTX_start(ctx); 191 BN_CTX_start(ctx);
174 t3 = BN_CTX_get(ctx); 192 t3 = BN_CTX_get(ctx);
175 t4 = BN_CTX_get(ctx); 193 t4 = BN_CTX_get(ctx);
176 t5 = BN_CTX_get(ctx); 194 t5 = BN_CTX_get(ctx);
177 if (t5 == NULL) goto err; 195 if (t5 == NULL)
196 goto err;
178 197
179 if (!BN_one(t5)) goto err; 198 if (!BN_one(t5))
199 goto err;
180 200
181 if (!group->meth->field_mul(group, t3, z1, z2, ctx)) goto err; 201 if (!group->meth->field_mul(group, t3, z1, z2, ctx))
202 goto err;
182 203
183 if (!group->meth->field_mul(group, z1, z1, x, ctx)) goto err; 204 if (!group->meth->field_mul(group, z1, z1, x, ctx))
184 if (!BN_GF2m_add(z1, z1, x1)) goto err; 205 goto err;
185 if (!group->meth->field_mul(group, z2, z2, x, ctx)) goto err; 206 if (!BN_GF2m_add(z1, z1, x1))
186 if (!group->meth->field_mul(group, x1, z2, x1, ctx)) goto err; 207 goto err;
187 if (!BN_GF2m_add(z2, z2, x2)) goto err; 208 if (!group->meth->field_mul(group, z2, z2, x, ctx))
209 goto err;
210 if (!group->meth->field_mul(group, x1, z2, x1, ctx))
211 goto err;
212 if (!BN_GF2m_add(z2, z2, x2))
213 goto err;
188 214
189 if (!group->meth->field_mul(group, z2, z2, z1, ctx)) goto err; 215 if (!group->meth->field_mul(group, z2, z2, z1, ctx))
190 if (!group->meth->field_sqr(group, t4, x, ctx)) goto err; 216 goto err;
191 if (!BN_GF2m_add(t4, t4, y)) goto err; 217 if (!group->meth->field_sqr(group, t4, x, ctx))
192 if (!group->meth->field_mul(group, t4, t4, t3, ctx)) goto err; 218 goto err;
193 if (!BN_GF2m_add(t4, t4, z2)) goto err; 219 if (!BN_GF2m_add(t4, t4, y))
220 goto err;
221 if (!group->meth->field_mul(group, t4, t4, t3, ctx))
222 goto err;
223 if (!BN_GF2m_add(t4, t4, z2))
224 goto err;
194 225
195 if (!group->meth->field_mul(group, t3, t3, x, ctx)) goto err; 226 if (!group->meth->field_mul(group, t3, t3, x, ctx))
196 if (!group->meth->field_div(group, t3, t5, t3, ctx)) goto err; 227 goto err;
197 if (!group->meth->field_mul(group, t4, t3, t4, ctx)) goto err; 228 if (!group->meth->field_div(group, t3, t5, t3, ctx))
198 if (!group->meth->field_mul(group, x2, x1, t3, ctx)) goto err; 229 goto err;
199 if (!BN_GF2m_add(z2, x2, x)) goto err; 230 if (!group->meth->field_mul(group, t4, t3, t4, ctx))
231 goto err;
232 if (!group->meth->field_mul(group, x2, x1, t3, ctx))
233 goto err;
234 if (!BN_GF2m_add(z2, x2, x))
235 goto err;
200 236
201 if (!group->meth->field_mul(group, z2, z2, t4, ctx)) goto err; 237 if (!group->meth->field_mul(group, z2, z2, t4, ctx))
202 if (!BN_GF2m_add(z2, z2, y)) goto err; 238 goto err;
239 if (!BN_GF2m_add(z2, z2, y))
240 goto err;
203 241
204 ret = 2; 242 ret = 2;
205 243
206 err: 244err:
207 BN_CTX_end(ctx); 245 BN_CTX_end(ctx);
208 return ret; 246 return ret;
209 } 247}
210 248
211 249
212/* Computes scalar*point and stores the result in r. 250/* Computes scalar*point and stores the result in r.
213 * point can not equal r. 251 * point can not equal r.
214 * Uses a modified algorithm 2P of 252 * Uses a modified algorithm 2P of
215 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over 253 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
216 * GF(2^m) without precomputation" (CHES '99, LNCS 1717). 254 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
217 * 255 *
218 * To protect against side-channel attack the function uses constant time swap, 256 * To protect against side-channel attack the function uses constant time swap,
219 * avoiding conditional branches. 257 * avoiding conditional branches.
220 */ 258 */
221static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, 259static int
222 const EC_POINT *point, BN_CTX *ctx) 260ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
223 { 261 const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx)
262{
224 BIGNUM *x1, *x2, *z1, *z2; 263 BIGNUM *x1, *x2, *z1, *z2;
225 int ret = 0, i; 264 int ret = 0, i;
226 BN_ULONG mask,word; 265 BN_ULONG mask, word;
227 266
228 if (r == point) 267 if (r == point) {
229 {
230 ECerr(EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY, EC_R_INVALID_ARGUMENT); 268 ECerr(EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY, EC_R_INVALID_ARGUMENT);
231 return 0; 269 return 0;
232 } 270 }
233
234 /* if result should be point at infinity */ 271 /* if result should be point at infinity */
235 if ((scalar == NULL) || BN_is_zero(scalar) || (point == NULL) || 272 if ((scalar == NULL) || BN_is_zero(scalar) || (point == NULL) ||
236 EC_POINT_is_at_infinity(group, point)) 273 EC_POINT_is_at_infinity(group, point)) {
237 {
238 return EC_POINT_set_to_infinity(group, r); 274 return EC_POINT_set_to_infinity(group, r);
239 } 275 }
240
241 /* only support affine coordinates */ 276 /* only support affine coordinates */
242 if (!point->Z_is_one) return 0; 277 if (!point->Z_is_one)
278 return 0;
243 279
244 /* Since point_multiply is static we can guarantee that ctx != NULL. */ 280 /* Since point_multiply is static we can guarantee that ctx != NULL. */
245 BN_CTX_start(ctx); 281 BN_CTX_start(ctx);
246 x1 = BN_CTX_get(ctx); 282 x1 = BN_CTX_get(ctx);
247 z1 = BN_CTX_get(ctx); 283 z1 = BN_CTX_get(ctx);
248 if (z1 == NULL) goto err; 284 if (z1 == NULL)
285 goto err;
249 286
250 x2 = &r->X; 287 x2 = &r->X;
251 z2 = &r->Y; 288 z2 = &r->Y;
@@ -255,53 +292,57 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
255 bn_wexpand(x2, group->field.top); 292 bn_wexpand(x2, group->field.top);
256 bn_wexpand(z2, group->field.top); 293 bn_wexpand(z2, group->field.top);
257 294
258 if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */ 295 if (!BN_GF2m_mod_arr(x1, &point->X, group->poly))
259 if (!BN_one(z1)) goto err; /* z1 = 1 */ 296 goto err; /* x1 = x */
260 if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */ 297 if (!BN_one(z1))
261 if (!group->meth->field_sqr(group, x2, z2, ctx)) goto err; 298 goto err; /* z1 = 1 */
262 if (!BN_GF2m_add(x2, x2, &group->b)) goto err; /* x2 = x^4 + b */ 299 if (!group->meth->field_sqr(group, z2, x1, ctx))
300 goto err; /* z2 = x1^2 = x^2 */
301 if (!group->meth->field_sqr(group, x2, z2, ctx))
302 goto err;
303 if (!BN_GF2m_add(x2, x2, &group->b))
304 goto err; /* x2 = x^4 + b */
263 305
264 /* find top most bit and go one past it */ 306 /* find top most bit and go one past it */
265 i = scalar->top - 1; 307 i = scalar->top - 1;
266 mask = BN_TBIT; 308 mask = BN_TBIT;
267 word = scalar->d[i]; 309 word = scalar->d[i];
268 while (!(word & mask)) mask >>= 1; 310 while (!(word & mask))
311 mask >>= 1;
269 mask >>= 1; 312 mask >>= 1;
270 /* if top most bit was at word break, go to next word */ 313 /* if top most bit was at word break, go to next word */
271 if (!mask) 314 if (!mask) {
272 {
273 i--; 315 i--;
274 mask = BN_TBIT; 316 mask = BN_TBIT;
275 } 317 }
276 318 for (; i >= 0; i--) {
277 for (; i >= 0; i--)
278 {
279 word = scalar->d[i]; 319 word = scalar->d[i];
280 while (mask) 320 while (mask) {
281 {
282 BN_consttime_swap(word & mask, x1, x2, group->field.top); 321 BN_consttime_swap(word & mask, x1, x2, group->field.top);
283 BN_consttime_swap(word & mask, z1, z2, group->field.top); 322 BN_consttime_swap(word & mask, z1, z2, group->field.top);
284 if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; 323 if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
285 if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; 324 goto err;
325 if (!gf2m_Mdouble(group, x1, z1, ctx))
326 goto err;
286 BN_consttime_swap(word & mask, x1, x2, group->field.top); 327 BN_consttime_swap(word & mask, x1, x2, group->field.top);
287 BN_consttime_swap(word & mask, z1, z2, group->field.top); 328 BN_consttime_swap(word & mask, z1, z2, group->field.top);
288 mask >>= 1; 329 mask >>= 1;
289 }
290 mask = BN_TBIT;
291 } 330 }
331 mask = BN_TBIT;
332 }
292 333
293 /* convert out of "projective" coordinates */ 334 /* convert out of "projective" coordinates */
294 i = gf2m_Mxy(group, &point->X, &point->Y, x1, z1, x2, z2, ctx); 335 i = gf2m_Mxy(group, &point->X, &point->Y, x1, z1, x2, z2, ctx);
295 if (i == 0) goto err; 336 if (i == 0)
296 else if (i == 1) 337 goto err;
297 { 338 else if (i == 1) {
298 if (!EC_POINT_set_to_infinity(group, r)) goto err; 339 if (!EC_POINT_set_to_infinity(group, r))
299 } 340 goto err;
300 else 341 } else {
301 { 342 if (!BN_one(&r->Z))
302 if (!BN_one(&r->Z)) goto err; 343 goto err;
303 r->Z_is_one = 1; 344 r->Z_is_one = 1;
304 } 345 }
305 346
306 /* GF(2^m) field elements should always have BIGNUM::neg = 0 */ 347 /* GF(2^m) field elements should always have BIGNUM::neg = 0 */
307 BN_set_negative(&r->X, 0); 348 BN_set_negative(&r->X, 0);
@@ -309,87 +350,98 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
309 350
310 ret = 1; 351 ret = 1;
311 352
312 err: 353err:
313 BN_CTX_end(ctx); 354 BN_CTX_end(ctx);
314 return ret; 355 return ret;
315 } 356}
316 357
317 358
318/* Computes the sum 359/* Computes the sum
319 * scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1] 360 * scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1]
320 * gracefully ignoring NULL scalar values. 361 * gracefully ignoring NULL scalar values.
321 */ 362 */
322int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, 363int
323 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) 364ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
324 { 365 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
366{
325 BN_CTX *new_ctx = NULL; 367 BN_CTX *new_ctx = NULL;
326 int ret = 0; 368 int ret = 0;
327 size_t i; 369 size_t i;
328 EC_POINT *p=NULL; 370 EC_POINT *p = NULL;
329 EC_POINT *acc = NULL; 371 EC_POINT *acc = NULL;
330 372
331 if (ctx == NULL) 373 if (ctx == NULL) {
332 {
333 ctx = new_ctx = BN_CTX_new(); 374 ctx = new_ctx = BN_CTX_new();
334 if (ctx == NULL) 375 if (ctx == NULL)
335 return 0; 376 return 0;
336 } 377 }
337 378 /*
338 /* This implementation is more efficient than the wNAF implementation for 2 379 * This implementation is more efficient than the wNAF implementation
339 * or fewer points. Use the ec_wNAF_mul implementation for 3 or more points, 380 * for 2 or fewer points. Use the ec_wNAF_mul implementation for 3
340 * or if we can perform a fast multiplication based on precomputation. 381 * or more points, or if we can perform a fast multiplication based
382 * on precomputation.
341 */ 383 */
342 if ((scalar && (num > 1)) || (num > 2) || (num == 0 && EC_GROUP_have_precompute_mult(group))) 384 if ((scalar && (num > 1)) || (num > 2) ||
343 { 385 (num == 0 && EC_GROUP_have_precompute_mult(group))) {
344 ret = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); 386 ret = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
345 goto err; 387 goto err;
346 } 388 }
347 389 if ((p = EC_POINT_new(group)) == NULL)
348 if ((p = EC_POINT_new(group)) == NULL) goto err; 390 goto err;
349 if ((acc = EC_POINT_new(group)) == NULL) goto err; 391 if ((acc = EC_POINT_new(group)) == NULL)
392 goto err;
350 393
351 if (!EC_POINT_set_to_infinity(group, acc)) goto err; 394 if (!EC_POINT_set_to_infinity(group, acc))
395 goto err;
352 396
353 if (scalar) 397 if (scalar) {
354 { 398 if (!ec_GF2m_montgomery_point_multiply(group, p, scalar, group->generator, ctx))
355 if (!ec_GF2m_montgomery_point_multiply(group, p, scalar, group->generator, ctx)) goto err; 399 goto err;
356 if (BN_is_negative(scalar)) 400 if (BN_is_negative(scalar))
357 if (!group->meth->invert(group, p, ctx)) goto err; 401 if (!group->meth->invert(group, p, ctx))
358 if (!group->meth->add(group, acc, acc, p, ctx)) goto err; 402 goto err;
359 } 403 if (!group->meth->add(group, acc, acc, p, ctx))
360 404 goto err;
361 for (i = 0; i < num; i++) 405 }
362 { 406 for (i = 0; i < num; i++) {
363 if (!ec_GF2m_montgomery_point_multiply(group, p, scalars[i], points[i], ctx)) goto err; 407 if (!ec_GF2m_montgomery_point_multiply(group, p, scalars[i], points[i], ctx))
408 goto err;
364 if (BN_is_negative(scalars[i])) 409 if (BN_is_negative(scalars[i]))
365 if (!group->meth->invert(group, p, ctx)) goto err; 410 if (!group->meth->invert(group, p, ctx))
366 if (!group->meth->add(group, acc, acc, p, ctx)) goto err; 411 goto err;
367 } 412 if (!group->meth->add(group, acc, acc, p, ctx))
413 goto err;
414 }
368 415
369 if (!EC_POINT_copy(r, acc)) goto err; 416 if (!EC_POINT_copy(r, acc))
417 goto err;
370 418
371 ret = 1; 419 ret = 1;
372 420
373 err: 421err:
374 if (p) EC_POINT_free(p); 422 if (p)
375 if (acc) EC_POINT_free(acc); 423 EC_POINT_free(p);
424 if (acc)
425 EC_POINT_free(acc);
376 if (new_ctx != NULL) 426 if (new_ctx != NULL)
377 BN_CTX_free(new_ctx); 427 BN_CTX_free(new_ctx);
378 return ret; 428 return ret;
379 } 429}
380 430
381 431
382/* Precomputation for point multiplication: fall back to wNAF methods 432/* Precomputation for point multiplication: fall back to wNAF methods
383 * because ec_GF2m_simple_mul() uses ec_wNAF_mul() if appropriate */ 433 * because ec_GF2m_simple_mul() uses ec_wNAF_mul() if appropriate */
384 434
385int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx) 435int
386 { 436ec_GF2m_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
437{
387 return ec_wNAF_precompute_mult(group, ctx); 438 return ec_wNAF_precompute_mult(group, ctx);
388 } 439}
389 440
390int ec_GF2m_have_precompute_mult(const EC_GROUP *group) 441int
391 { 442ec_GF2m_have_precompute_mult(const EC_GROUP * group)
443{
392 return ec_wNAF_have_precompute_mult(group); 444 return ec_wNAF_have_precompute_mult(group);
393 } 445}
394 446
395#endif 447#endif
diff --git a/src/lib/libcrypto/ec/ec2_oct.c b/src/lib/libcrypto/ec/ec2_oct.c
index f1d75e5ddf..a856a5b1a7 100644
--- a/src/lib/libcrypto/ec/ec2_oct.c
+++ b/src/lib/libcrypto/ec/ec2_oct.c
@@ -21,7 +21,7 @@
21 * are met: 21 * are met:
22 * 22 *
23 * 1. Redistributions of source code must retain the above copyright 23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer. 24 * notice, this list of conditions and the following disclaimer.
25 * 25 *
26 * 2. Redistributions in binary form must reproduce the above copyright 26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in 27 * notice, this list of conditions and the following disclaimer in
@@ -74,11 +74,11 @@
74#ifndef OPENSSL_NO_EC2M 74#ifndef OPENSSL_NO_EC2M
75 75
76/* Calculates and sets the affine coordinates of an EC_POINT from the given 76/* Calculates and sets the affine coordinates of an EC_POINT from the given
77 * compressed coordinates. Uses algorithm 2.3.4 of SEC 1. 77 * compressed coordinates. Uses algorithm 2.3.4 of SEC 1.
78 * Note that the simple implementation only uses affine coordinates. 78 * Note that the simple implementation only uses affine coordinates.
79 * 79 *
80 * The method is from the following publication: 80 * The method is from the following publication:
81 * 81 *
82 * Harper, Menezes, Vanstone: 82 * Harper, Menezes, Vanstone:
83 * "Public-Key Cryptosystems with Very Small Key Lengths", 83 * "Public-Key Cryptosystems with Very Small Key Lengths",
84 * EUROCRYPT '92, Springer-Verlag LNCS 658, 84 * EUROCRYPT '92, Springer-Verlag LNCS 658,
@@ -88,9 +88,10 @@
88 * the same method, but claim no priority date earlier than July 29, 1994 88 * the same method, but claim no priority date earlier than July 29, 1994
89 * (and additionally fail to cite the EUROCRYPT '92 publication as prior art). 89 * (and additionally fail to cite the EUROCRYPT '92 publication as prior art).
90 */ 90 */
91int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point, 91int
92 const BIGNUM *x_, int y_bit, BN_CTX *ctx) 92ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
93 { 93 const BIGNUM *x_, int y_bit, BN_CTX *ctx)
94{
94 BN_CTX *new_ctx = NULL; 95 BN_CTX *new_ctx = NULL;
95 BIGNUM *tmp, *x, *y, *z; 96 BIGNUM *tmp, *x, *y, *z;
96 int ret = 0, z0; 97 int ret = 0, z0;
@@ -98,13 +99,11 @@ int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *p
98 /* clear error queue */ 99 /* clear error queue */
99 ERR_clear_error(); 100 ERR_clear_error();
100 101
101 if (ctx == NULL) 102 if (ctx == NULL) {
102 {
103 ctx = new_ctx = BN_CTX_new(); 103 ctx = new_ctx = BN_CTX_new();
104 if (ctx == NULL) 104 if (ctx == NULL)
105 return 0; 105 return 0;
106 } 106 }
107
108 y_bit = (y_bit != 0) ? 1 : 0; 107 y_bit = (y_bit != 0) ? 1 : 0;
109 108
110 BN_CTX_start(ctx); 109 BN_CTX_start(ctx);
@@ -112,59 +111,65 @@ int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *p
112 x = BN_CTX_get(ctx); 111 x = BN_CTX_get(ctx);
113 y = BN_CTX_get(ctx); 112 y = BN_CTX_get(ctx);
114 z = BN_CTX_get(ctx); 113 z = BN_CTX_get(ctx);
115 if (z == NULL) goto err; 114 if (z == NULL)
115 goto err;
116 116
117 if (!BN_GF2m_mod_arr(x, x_, group->poly)) goto err; 117 if (!BN_GF2m_mod_arr(x, x_, group->poly))
118 if (BN_is_zero(x)) 118 goto err;
119 { 119 if (BN_is_zero(x)) {
120 if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx)) goto err; 120 if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx))
121 } 121 goto err;
122 else 122 } else {
123 { 123 if (!group->meth->field_sqr(group, tmp, x, ctx))
124 if (!group->meth->field_sqr(group, tmp, x, ctx)) goto err; 124 goto err;
125 if (!group->meth->field_div(group, tmp, &group->b, tmp, ctx)) goto err; 125 if (!group->meth->field_div(group, tmp, &group->b, tmp, ctx))
126 if (!BN_GF2m_add(tmp, &group->a, tmp)) goto err; 126 goto err;
127 if (!BN_GF2m_add(tmp, x, tmp)) goto err; 127 if (!BN_GF2m_add(tmp, &group->a, tmp))
128 if (!BN_GF2m_mod_solve_quad_arr(z, tmp, group->poly, ctx)) 128 goto err;
129 { 129 if (!BN_GF2m_add(tmp, x, tmp))
130 goto err;
131 if (!BN_GF2m_mod_solve_quad_arr(z, tmp, group->poly, ctx)) {
130 unsigned long err = ERR_peek_last_error(); 132 unsigned long err = ERR_peek_last_error();
131 133
132 if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NO_SOLUTION) 134 if (ERR_GET_LIB(err) == ERR_LIB_BN &&
133 { 135 ERR_GET_REASON(err) == BN_R_NO_SOLUTION) {
134 ERR_clear_error(); 136 ERR_clear_error();
135 ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT); 137 ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
136 } 138 } else
137 else
138 ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB); 139 ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB);
139 goto err; 140 goto err;
140 } 141 }
141 z0 = (BN_is_odd(z)) ? 1 : 0; 142 z0 = (BN_is_odd(z)) ? 1 : 0;
142 if (!group->meth->field_mul(group, y, x, z, ctx)) goto err; 143 if (!group->meth->field_mul(group, y, x, z, ctx))
143 if (z0 != y_bit) 144 goto err;
144 { 145 if (z0 != y_bit) {
145 if (!BN_GF2m_add(y, y, x)) goto err; 146 if (!BN_GF2m_add(y, y, x))
146 } 147 goto err;
147 } 148 }
149 }
148 150
149 if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err; 151 if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx))
152 goto err;
150 153
151 ret = 1; 154 ret = 1;
152 155
153 err: 156err:
154 BN_CTX_end(ctx); 157 BN_CTX_end(ctx);
155 if (new_ctx != NULL) 158 if (new_ctx != NULL)
156 BN_CTX_free(new_ctx); 159 BN_CTX_free(new_ctx);
157 return ret; 160 return ret;
158 } 161}
159 162
160 163
161/* Converts an EC_POINT to an octet string. 164/* Converts an EC_POINT to an octet string.
162 * If buf is NULL, the encoded length will be returned. 165 * If buf is NULL, the encoded length will be returned.
163 * If the length len of buf is smaller than required an error will be returned. 166 * If the length len of buf is smaller than required an error will be returned.
164 */ 167 */
165size_t ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form, 168size_t
166 unsigned char *buf, size_t len, BN_CTX *ctx) 169ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point,
167 { 170 point_conversion_form_t form,
171 unsigned char *buf, size_t len, BN_CTX * ctx)
172{
168 size_t ret; 173 size_t ret;
169 BN_CTX *new_ctx = NULL; 174 BN_CTX *new_ctx = NULL;
170 int used_ctx = 0; 175 int used_ctx = 0;
@@ -172,131 +177,114 @@ size_t ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, po
172 size_t field_len, i, skip; 177 size_t field_len, i, skip;
173 178
174 if ((form != POINT_CONVERSION_COMPRESSED) 179 if ((form != POINT_CONVERSION_COMPRESSED)
175 && (form != POINT_CONVERSION_UNCOMPRESSED) 180 && (form != POINT_CONVERSION_UNCOMPRESSED)
176 && (form != POINT_CONVERSION_HYBRID)) 181 && (form != POINT_CONVERSION_HYBRID)) {
177 {
178 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_INVALID_FORM); 182 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
179 goto err; 183 goto err;
180 } 184 }
181 185 if (EC_POINT_is_at_infinity(group, point)) {
182 if (EC_POINT_is_at_infinity(group, point))
183 {
184 /* encodes to a single 0 octet */ 186 /* encodes to a single 0 octet */
185 if (buf != NULL) 187 if (buf != NULL) {
186 { 188 if (len < 1) {
187 if (len < 1)
188 {
189 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL); 189 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
190 return 0; 190 return 0;
191 }
192 buf[0] = 0;
193 } 191 }
194 return 1; 192 buf[0] = 0;
195 } 193 }
196 194 return 1;
197 195 }
198 /* ret := required output buffer length */ 196 /* ret := required output buffer length */
199 field_len = (EC_GROUP_get_degree(group) + 7) / 8; 197 field_len = (EC_GROUP_get_degree(group) + 7) / 8;
200 ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len; 198 ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len :
199 1 + 2 * field_len;
201 200
202 /* if 'buf' is NULL, just return required length */ 201 /* if 'buf' is NULL, just return required length */
203 if (buf != NULL) 202 if (buf != NULL) {
204 { 203 if (len < ret) {
205 if (len < ret)
206 {
207 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL); 204 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
208 goto err; 205 goto err;
209 } 206 }
210 207 if (ctx == NULL) {
211 if (ctx == NULL)
212 {
213 ctx = new_ctx = BN_CTX_new(); 208 ctx = new_ctx = BN_CTX_new();
214 if (ctx == NULL) 209 if (ctx == NULL)
215 return 0; 210 return 0;
216 } 211 }
217
218 BN_CTX_start(ctx); 212 BN_CTX_start(ctx);
219 used_ctx = 1; 213 used_ctx = 1;
220 x = BN_CTX_get(ctx); 214 x = BN_CTX_get(ctx);
221 y = BN_CTX_get(ctx); 215 y = BN_CTX_get(ctx);
222 yxi = BN_CTX_get(ctx); 216 yxi = BN_CTX_get(ctx);
223 if (yxi == NULL) goto err; 217 if (yxi == NULL)
218 goto err;
224 219
225 if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err; 220 if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx))
221 goto err;
226 222
227 buf[0] = form; 223 buf[0] = form;
228 if ((form != POINT_CONVERSION_UNCOMPRESSED) && !BN_is_zero(x)) 224 if ((form != POINT_CONVERSION_UNCOMPRESSED) && !BN_is_zero(x)) {
229 { 225 if (!group->meth->field_div(group, yxi, y, x, ctx))
230 if (!group->meth->field_div(group, yxi, y, x, ctx)) goto err; 226 goto err;
231 if (BN_is_odd(yxi)) buf[0]++; 227 if (BN_is_odd(yxi))
232 } 228 buf[0]++;
233 229 }
234 i = 1; 230 i = 1;
235 231
236 skip = field_len - BN_num_bytes(x); 232 skip = field_len - BN_num_bytes(x);
237 if (skip > field_len) 233 if (skip > field_len) {
238 {
239 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR); 234 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
240 goto err; 235 goto err;
241 } 236 }
242 while (skip > 0) 237 while (skip > 0) {
243 {
244 buf[i++] = 0; 238 buf[i++] = 0;
245 skip--; 239 skip--;
246 } 240 }
247 skip = BN_bn2bin(x, buf + i); 241 skip = BN_bn2bin(x, buf + i);
248 i += skip; 242 i += skip;
249 if (i != 1 + field_len) 243 if (i != 1 + field_len) {
250 {
251 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR); 244 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
252 goto err; 245 goto err;
253 } 246 }
254 247 if (form == POINT_CONVERSION_UNCOMPRESSED ||
255 if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID) 248 form == POINT_CONVERSION_HYBRID) {
256 {
257 skip = field_len - BN_num_bytes(y); 249 skip = field_len - BN_num_bytes(y);
258 if (skip > field_len) 250 if (skip > field_len) {
259 {
260 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR); 251 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
261 goto err; 252 goto err;
262 } 253 }
263 while (skip > 0) 254 while (skip > 0) {
264 {
265 buf[i++] = 0; 255 buf[i++] = 0;
266 skip--; 256 skip--;
267 } 257 }
268 skip = BN_bn2bin(y, buf + i); 258 skip = BN_bn2bin(y, buf + i);
269 i += skip; 259 i += skip;
270 } 260 }
271 261 if (i != ret) {
272 if (i != ret)
273 {
274 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR); 262 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
275 goto err; 263 goto err;
276 }
277 } 264 }
278 265 }
279 if (used_ctx) 266 if (used_ctx)
280 BN_CTX_end(ctx); 267 BN_CTX_end(ctx);
281 if (new_ctx != NULL) 268 if (new_ctx != NULL)
282 BN_CTX_free(new_ctx); 269 BN_CTX_free(new_ctx);
283 return ret; 270 return ret;
284 271
285 err: 272err:
286 if (used_ctx) 273 if (used_ctx)
287 BN_CTX_end(ctx); 274 BN_CTX_end(ctx);
288 if (new_ctx != NULL) 275 if (new_ctx != NULL)
289 BN_CTX_free(new_ctx); 276 BN_CTX_free(new_ctx);
290 return 0; 277 return 0;
291 } 278}
292 279
293 280
294/* Converts an octet string representation to an EC_POINT. 281/* Converts an octet string representation to an EC_POINT.
295 * Note that the simple implementation only uses affine coordinates. 282 * Note that the simple implementation only uses affine coordinates.
296 */ 283 */
297int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, 284int
298 const unsigned char *buf, size_t len, BN_CTX *ctx) 285ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
299 { 286 const unsigned char *buf, size_t len, BN_CTX *ctx)
287{
300 point_conversion_form_t form; 288 point_conversion_form_t form;
301 int y_bit; 289 int y_bit;
302 BN_CTX *new_ctx = NULL; 290 BN_CTX *new_ctx = NULL;
@@ -304,104 +292,89 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
304 size_t field_len, enc_len; 292 size_t field_len, enc_len;
305 int ret = 0; 293 int ret = 0;
306 294
307 if (len == 0) 295 if (len == 0) {
308 {
309 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL); 296 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
310 return 0; 297 return 0;
311 } 298 }
312 form = buf[0]; 299 form = buf[0];
313 y_bit = form & 1; 300 y_bit = form & 1;
314 form = form & ~1U; 301 form = form & ~1U;
315 if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED) 302 if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED) &&
316 && (form != POINT_CONVERSION_UNCOMPRESSED) 303 (form != POINT_CONVERSION_UNCOMPRESSED) &&
317 && (form != POINT_CONVERSION_HYBRID)) 304 (form != POINT_CONVERSION_HYBRID)) {
318 {
319 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 305 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
320 return 0; 306 return 0;
321 } 307 }
322 if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit) 308 if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit) {
323 {
324 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 309 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
325 return 0; 310 return 0;
326 } 311 }
327 312 if (form == 0) {
328 if (form == 0) 313 if (len != 1) {
329 {
330 if (len != 1)
331 {
332 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 314 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
333 return 0; 315 return 0;
334 }
335
336 return EC_POINT_set_to_infinity(group, point);
337 } 316 }
338 317 return EC_POINT_set_to_infinity(group, point);
318 }
339 field_len = (EC_GROUP_get_degree(group) + 7) / 8; 319 field_len = (EC_GROUP_get_degree(group) + 7) / 8;
340 enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len; 320 enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len :
321 1 + 2 * field_len;
341 322
342 if (len != enc_len) 323 if (len != enc_len) {
343 {
344 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 324 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
345 return 0; 325 return 0;
346 } 326 }
347 327 if (ctx == NULL) {
348 if (ctx == NULL)
349 {
350 ctx = new_ctx = BN_CTX_new(); 328 ctx = new_ctx = BN_CTX_new();
351 if (ctx == NULL) 329 if (ctx == NULL)
352 return 0; 330 return 0;
353 } 331 }
354
355 BN_CTX_start(ctx); 332 BN_CTX_start(ctx);
356 x = BN_CTX_get(ctx); 333 x = BN_CTX_get(ctx);
357 y = BN_CTX_get(ctx); 334 y = BN_CTX_get(ctx);
358 yxi = BN_CTX_get(ctx); 335 yxi = BN_CTX_get(ctx);
359 if (yxi == NULL) goto err; 336 if (yxi == NULL)
337 goto err;
360 338
361 if (!BN_bin2bn(buf + 1, field_len, x)) goto err; 339 if (!BN_bin2bn(buf + 1, field_len, x))
362 if (BN_ucmp(x, &group->field) >= 0) 340 goto err;
363 { 341 if (BN_ucmp(x, &group->field) >= 0) {
364 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 342 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
365 goto err; 343 goto err;
366 } 344 }
367 345 if (form == POINT_CONVERSION_COMPRESSED) {
368 if (form == POINT_CONVERSION_COMPRESSED) 346 if (!EC_POINT_set_compressed_coordinates_GF2m(group, point, x, y_bit, ctx))
369 { 347 goto err;
370 if (!EC_POINT_set_compressed_coordinates_GF2m(group, point, x, y_bit, ctx)) goto err; 348 } else {
371 } 349 if (!BN_bin2bn(buf + 1 + field_len, field_len, y))
372 else 350 goto err;
373 { 351 if (BN_ucmp(y, &group->field) >= 0) {
374 if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
375 if (BN_ucmp(y, &group->field) >= 0)
376 {
377 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 352 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
378 goto err; 353 goto err;
379 } 354 }
380 if (form == POINT_CONVERSION_HYBRID) 355 if (form == POINT_CONVERSION_HYBRID) {
381 { 356 if (!group->meth->field_div(group, yxi, y, x, ctx))
382 if (!group->meth->field_div(group, yxi, y, x, ctx)) goto err; 357 goto err;
383 if (y_bit != BN_is_odd(yxi)) 358 if (y_bit != BN_is_odd(yxi)) {
384 {
385 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 359 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
386 goto err; 360 goto err;
387 }
388 } 361 }
389
390 if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
391 } 362 }
392 363 if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx))
393 if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */ 364 goto err;
394 { 365 }
366
367 if (!EC_POINT_is_on_curve(group, point, ctx)) {
368 /* test required by X9.62 */
395 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); 369 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
396 goto err; 370 goto err;
397 } 371 }
398
399 ret = 1; 372 ret = 1;
400 373
401 err: 374err:
402 BN_CTX_end(ctx); 375 BN_CTX_end(ctx);
403 if (new_ctx != NULL) 376 if (new_ctx != NULL)
404 BN_CTX_free(new_ctx); 377 BN_CTX_free(new_ctx);
405 return ret; 378 return ret;
406 } 379}
407#endif 380#endif
diff --git a/src/lib/libcrypto/ec/ec2_smpl.c b/src/lib/libcrypto/ec/ec2_smpl.c
index 5682bfab37..71bacf71dd 100644
--- a/src/lib/libcrypto/ec/ec2_smpl.c
+++ b/src/lib/libcrypto/ec/ec2_smpl.c
@@ -21,7 +21,7 @@
21 * are met: 21 * are met:
22 * 22 *
23 * 1. Redistributions of source code must retain the above copyright 23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer. 24 * notice, this list of conditions and the following disclaimer.
25 * 25 *
26 * 2. Redistributions in binary form must reproduce the above copyright 26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in 27 * notice, this list of conditions and the following disclaimer in
@@ -87,16 +87,16 @@ EC_GF2m_simple_method(void)
87 .group_get_curve = ec_GF2m_simple_group_get_curve, 87 .group_get_curve = ec_GF2m_simple_group_get_curve,
88 .group_get_degree = ec_GF2m_simple_group_get_degree, 88 .group_get_degree = ec_GF2m_simple_group_get_degree,
89 .group_check_discriminant = 89 .group_check_discriminant =
90 ec_GF2m_simple_group_check_discriminant, 90 ec_GF2m_simple_group_check_discriminant,
91 .point_init = ec_GF2m_simple_point_init, 91 .point_init = ec_GF2m_simple_point_init,
92 .point_finish = ec_GF2m_simple_point_finish, 92 .point_finish = ec_GF2m_simple_point_finish,
93 .point_clear_finish = ec_GF2m_simple_point_clear_finish, 93 .point_clear_finish = ec_GF2m_simple_point_clear_finish,
94 .point_copy = ec_GF2m_simple_point_copy, 94 .point_copy = ec_GF2m_simple_point_copy,
95 .point_set_to_infinity = ec_GF2m_simple_point_set_to_infinity, 95 .point_set_to_infinity = ec_GF2m_simple_point_set_to_infinity,
96 .point_set_affine_coordinates = 96 .point_set_affine_coordinates =
97 ec_GF2m_simple_point_set_affine_coordinates, 97 ec_GF2m_simple_point_set_affine_coordinates,
98 .point_get_affine_coordinates = 98 .point_get_affine_coordinates =
99 ec_GF2m_simple_point_get_affine_coordinates, 99 ec_GF2m_simple_point_get_affine_coordinates,
100 .add = ec_GF2m_simple_add, 100 .add = ec_GF2m_simple_add,
101 .dbl = ec_GF2m_simple_dbl, 101 .dbl = ec_GF2m_simple_dbl,
102 .invert = ec_GF2m_simple_invert, 102 .invert = ec_GF2m_simple_invert,
@@ -106,7 +106,10 @@ EC_GF2m_simple_method(void)
106 .make_affine = ec_GF2m_simple_make_affine, 106 .make_affine = ec_GF2m_simple_make_affine,
107 .points_make_affine = ec_GF2m_simple_points_make_affine, 107 .points_make_affine = ec_GF2m_simple_points_make_affine,
108 108
109 /* the following three method functions are defined in ec2_mult.c */ 109 /*
110 * the following three method functions are defined in
111 * ec2_mult.c
112 */
110 .mul = ec_GF2m_simple_mul, 113 .mul = ec_GF2m_simple_mul,
111 .precompute_mult = ec_GF2m_precompute_mult, 114 .precompute_mult = ec_GF2m_precompute_mult,
112 .have_precompute_mult = ec_GF2m_have_precompute_mult, 115 .have_precompute_mult = ec_GF2m_have_precompute_mult,
@@ -123,31 +126,34 @@ EC_GF2m_simple_method(void)
123/* Initialize a GF(2^m)-based EC_GROUP structure. 126/* Initialize a GF(2^m)-based EC_GROUP structure.
124 * Note that all other members are handled by EC_GROUP_new. 127 * Note that all other members are handled by EC_GROUP_new.
125 */ 128 */
126int ec_GF2m_simple_group_init(EC_GROUP *group) 129int
127 { 130ec_GF2m_simple_group_init(EC_GROUP * group)
131{
128 BN_init(&group->field); 132 BN_init(&group->field);
129 BN_init(&group->a); 133 BN_init(&group->a);
130 BN_init(&group->b); 134 BN_init(&group->b);
131 return 1; 135 return 1;
132 } 136}
133 137
134 138
135/* Free a GF(2^m)-based EC_GROUP structure. 139/* Free a GF(2^m)-based EC_GROUP structure.
136 * Note that all other members are handled by EC_GROUP_free. 140 * Note that all other members are handled by EC_GROUP_free.
137 */ 141 */
138void ec_GF2m_simple_group_finish(EC_GROUP *group) 142void
139 { 143ec_GF2m_simple_group_finish(EC_GROUP * group)
144{
140 BN_free(&group->field); 145 BN_free(&group->field);
141 BN_free(&group->a); 146 BN_free(&group->a);
142 BN_free(&group->b); 147 BN_free(&group->b);
143 } 148}
144 149
145 150
146/* Clear and free a GF(2^m)-based EC_GROUP structure. 151/* Clear and free a GF(2^m)-based EC_GROUP structure.
147 * Note that all other members are handled by EC_GROUP_clear_free. 152 * Note that all other members are handled by EC_GROUP_clear_free.
148 */ 153 */
149void ec_GF2m_simple_group_clear_finish(EC_GROUP *group) 154void
150 { 155ec_GF2m_simple_group_clear_finish(EC_GROUP * group)
156{
151 BN_clear_free(&group->field); 157 BN_clear_free(&group->field);
152 BN_clear_free(&group->a); 158 BN_clear_free(&group->a);
153 BN_clear_free(&group->b); 159 BN_clear_free(&group->b);
@@ -157,127 +163,145 @@ void ec_GF2m_simple_group_clear_finish(EC_GROUP *group)
157 group->poly[3] = 0; 163 group->poly[3] = 0;
158 group->poly[4] = 0; 164 group->poly[4] = 0;
159 group->poly[5] = -1; 165 group->poly[5] = -1;
160 } 166}
161 167
162 168
163/* Copy a GF(2^m)-based EC_GROUP structure. 169/* Copy a GF(2^m)-based EC_GROUP structure.
164 * Note that all other members are handled by EC_GROUP_copy. 170 * Note that all other members are handled by EC_GROUP_copy.
165 */ 171 */
166int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src) 172int
167 { 173ec_GF2m_simple_group_copy(EC_GROUP * dest, const EC_GROUP * src)
174{
168 int i; 175 int i;
169 if (!BN_copy(&dest->field, &src->field)) return 0; 176
170 if (!BN_copy(&dest->a, &src->a)) return 0; 177 if (!BN_copy(&dest->field, &src->field))
171 if (!BN_copy(&dest->b, &src->b)) return 0; 178 return 0;
179 if (!BN_copy(&dest->a, &src->a))
180 return 0;
181 if (!BN_copy(&dest->b, &src->b))
182 return 0;
172 dest->poly[0] = src->poly[0]; 183 dest->poly[0] = src->poly[0];
173 dest->poly[1] = src->poly[1]; 184 dest->poly[1] = src->poly[1];
174 dest->poly[2] = src->poly[2]; 185 dest->poly[2] = src->poly[2];
175 dest->poly[3] = src->poly[3]; 186 dest->poly[3] = src->poly[3];
176 dest->poly[4] = src->poly[4]; 187 dest->poly[4] = src->poly[4];
177 dest->poly[5] = src->poly[5]; 188 dest->poly[5] = src->poly[5];
178 if (bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) return 0; 189 if (bn_wexpand(&dest->a, (int) (dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
179 if (bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) return 0; 190 return 0;
180 for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0; 191 if (bn_wexpand(&dest->b, (int) (dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
181 for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0; 192 return 0;
193 for (i = dest->a.top; i < dest->a.dmax; i++)
194 dest->a.d[i] = 0;
195 for (i = dest->b.top; i < dest->b.dmax; i++)
196 dest->b.d[i] = 0;
182 return 1; 197 return 1;
183 } 198}
184 199
185 200
186/* Set the curve parameters of an EC_GROUP structure. */ 201/* Set the curve parameters of an EC_GROUP structure. */
187int ec_GF2m_simple_group_set_curve(EC_GROUP *group, 202int
188 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 203ec_GF2m_simple_group_set_curve(EC_GROUP * group,
189 { 204 const BIGNUM * p, const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx)
205{
190 int ret = 0, i; 206 int ret = 0, i;
191 207
192 /* group->field */ 208 /* group->field */
193 if (!BN_copy(&group->field, p)) goto err; 209 if (!BN_copy(&group->field, p))
210 goto err;
194 i = BN_GF2m_poly2arr(&group->field, group->poly, 6) - 1; 211 i = BN_GF2m_poly2arr(&group->field, group->poly, 6) - 1;
195 if ((i != 5) && (i != 3)) 212 if ((i != 5) && (i != 3)) {
196 {
197 ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); 213 ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
198 goto err; 214 goto err;
199 } 215 }
200
201 /* group->a */ 216 /* group->a */
202 if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err; 217 if (!BN_GF2m_mod_arr(&group->a, a, group->poly))
203 if(bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err; 218 goto err;
204 for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0; 219 if (bn_wexpand(&group->a, (int) (group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
205 220 goto err;
221 for (i = group->a.top; i < group->a.dmax; i++)
222 group->a.d[i] = 0;
223
206 /* group->b */ 224 /* group->b */
207 if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err; 225 if (!BN_GF2m_mod_arr(&group->b, b, group->poly))
208 if(bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err; 226 goto err;
209 for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0; 227 if (bn_wexpand(&group->b, (int) (group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
210 228 goto err;
229 for (i = group->b.top; i < group->b.dmax; i++)
230 group->b.d[i] = 0;
231
211 ret = 1; 232 ret = 1;
212 err: 233err:
213 return ret; 234 return ret;
214 } 235}
215 236
216 237
217/* Get the curve parameters of an EC_GROUP structure. 238/* Get the curve parameters of an EC_GROUP structure.
218 * If p, a, or b are NULL then there values will not be set but the method will return with success. 239 * If p, a, or b are NULL then there values will not be set but the method will return with success.
219 */ 240 */
220int ec_GF2m_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) 241int
221 { 242ec_GF2m_simple_group_get_curve(const EC_GROUP *group,
243 BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
244{
222 int ret = 0; 245 int ret = 0;
223
224 if (p != NULL)
225 {
226 if (!BN_copy(p, &group->field)) return 0;
227 }
228 246
229 if (a != NULL) 247 if (p != NULL) {
230 { 248 if (!BN_copy(p, &group->field))
231 if (!BN_copy(a, &group->a)) goto err; 249 return 0;
232 } 250 }
233 251 if (a != NULL) {
234 if (b != NULL) 252 if (!BN_copy(a, &group->a))
235 { 253 goto err;
236 if (!BN_copy(b, &group->b)) goto err; 254 }
237 } 255 if (b != NULL) {
238 256 if (!BN_copy(b, &group->b))
257 goto err;
258 }
239 ret = 1; 259 ret = 1;
240 260
241 err: 261err:
242 return ret; 262 return ret;
243 } 263}
244 264
245 265
246/* Gets the degree of the field. For a curve over GF(2^m) this is the value m. */ 266/* Gets the degree of the field. For a curve over GF(2^m) this is the value m. */
247int ec_GF2m_simple_group_get_degree(const EC_GROUP *group) 267int
248 { 268ec_GF2m_simple_group_get_degree(const EC_GROUP * group)
249 return BN_num_bits(&group->field)-1; 269{
250 } 270 return BN_num_bits(&group->field) - 1;
271}
251 272
252 273
253/* Checks the discriminant of the curve. 274/* Checks the discriminant of the curve.
254 * y^2 + x*y = x^3 + a*x^2 + b is an elliptic curve <=> b != 0 (mod p) 275 * y^2 + x*y = x^3 + a*x^2 + b is an elliptic curve <=> b != 0 (mod p)
255 */ 276 */
256int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx) 277int
257 { 278ec_GF2m_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx)
279{
258 int ret = 0; 280 int ret = 0;
259 BIGNUM *b; 281 BIGNUM *b;
260 BN_CTX *new_ctx = NULL; 282 BN_CTX *new_ctx = NULL;
261 283
262 if (ctx == NULL) 284 if (ctx == NULL) {
263 {
264 ctx = new_ctx = BN_CTX_new(); 285 ctx = new_ctx = BN_CTX_new();
265 if (ctx == NULL) 286 if (ctx == NULL) {
266 {
267 ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE); 287 ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE);
268 goto err; 288 goto err;
269 }
270 } 289 }
290 }
271 BN_CTX_start(ctx); 291 BN_CTX_start(ctx);
272 b = BN_CTX_get(ctx); 292 b = BN_CTX_get(ctx);
273 if (b == NULL) goto err; 293 if (b == NULL)
294 goto err;
295
296 if (!BN_GF2m_mod_arr(b, &group->b, group->poly))
297 goto err;
274 298
275 if (!BN_GF2m_mod_arr(b, &group->b, group->poly)) goto err; 299 /*
276 300 * check the discriminant: y^2 + x*y = x^3 + a*x^2 + b is an elliptic
277 /* check the discriminant: 301 * curve <=> b != 0 (mod p)
278 * y^2 + x*y = x^3 + a*x^2 + b is an elliptic curve <=> b != 0 (mod p)
279 */ 302 */
280 if (BN_is_zero(b)) goto err; 303 if (BN_is_zero(b))
304 goto err;
281 305
282 ret = 1; 306 ret = 1;
283 307
@@ -287,151 +311,157 @@ err:
287 if (new_ctx != NULL) 311 if (new_ctx != NULL)
288 BN_CTX_free(new_ctx); 312 BN_CTX_free(new_ctx);
289 return ret; 313 return ret;
290 } 314}
291 315
292 316
293/* Initializes an EC_POINT. */ 317/* Initializes an EC_POINT. */
294int ec_GF2m_simple_point_init(EC_POINT *point) 318int
295 { 319ec_GF2m_simple_point_init(EC_POINT * point)
320{
296 BN_init(&point->X); 321 BN_init(&point->X);
297 BN_init(&point->Y); 322 BN_init(&point->Y);
298 BN_init(&point->Z); 323 BN_init(&point->Z);
299 return 1; 324 return 1;
300 } 325}
301 326
302 327
303/* Frees an EC_POINT. */ 328/* Frees an EC_POINT. */
304void ec_GF2m_simple_point_finish(EC_POINT *point) 329void
305 { 330ec_GF2m_simple_point_finish(EC_POINT * point)
331{
306 BN_free(&point->X); 332 BN_free(&point->X);
307 BN_free(&point->Y); 333 BN_free(&point->Y);
308 BN_free(&point->Z); 334 BN_free(&point->Z);
309 } 335}
310 336
311 337
312/* Clears and frees an EC_POINT. */ 338/* Clears and frees an EC_POINT. */
313void ec_GF2m_simple_point_clear_finish(EC_POINT *point) 339void
314 { 340ec_GF2m_simple_point_clear_finish(EC_POINT * point)
341{
315 BN_clear_free(&point->X); 342 BN_clear_free(&point->X);
316 BN_clear_free(&point->Y); 343 BN_clear_free(&point->Y);
317 BN_clear_free(&point->Z); 344 BN_clear_free(&point->Z);
318 point->Z_is_one = 0; 345 point->Z_is_one = 0;
319 } 346}
320 347
321 348
322/* Copy the contents of one EC_POINT into another. Assumes dest is initialized. */ 349/* Copy the contents of one EC_POINT into another. Assumes dest is initialized. */
323int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src) 350int
324 { 351ec_GF2m_simple_point_copy(EC_POINT * dest, const EC_POINT * src)
325 if (!BN_copy(&dest->X, &src->X)) return 0; 352{
326 if (!BN_copy(&dest->Y, &src->Y)) return 0; 353 if (!BN_copy(&dest->X, &src->X))
327 if (!BN_copy(&dest->Z, &src->Z)) return 0; 354 return 0;
355 if (!BN_copy(&dest->Y, &src->Y))
356 return 0;
357 if (!BN_copy(&dest->Z, &src->Z))
358 return 0;
328 dest->Z_is_one = src->Z_is_one; 359 dest->Z_is_one = src->Z_is_one;
329 360
330 return 1; 361 return 1;
331 } 362}
332 363
333 364
334/* Set an EC_POINT to the point at infinity. 365/* Set an EC_POINT to the point at infinity.
335 * A point at infinity is represented by having Z=0. 366 * A point at infinity is represented by having Z=0.
336 */ 367 */
337int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point) 368int
338 { 369ec_GF2m_simple_point_set_to_infinity(const EC_GROUP * group, EC_POINT * point)
370{
339 point->Z_is_one = 0; 371 point->Z_is_one = 0;
340 BN_zero(&point->Z); 372 BN_zero(&point->Z);
341 return 1; 373 return 1;
342 } 374}
343 375
344 376
345/* Set the coordinates of an EC_POINT using affine coordinates. 377/* Set the coordinates of an EC_POINT using affine coordinates.
346 * Note that the simple implementation only uses affine coordinates. 378 * Note that the simple implementation only uses affine coordinates.
347 */ 379 */
348int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point, 380int
349 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) 381ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * point,
350 { 382 const BIGNUM * x, const BIGNUM * y, BN_CTX * ctx)
351 int ret = 0; 383{
352 if (x == NULL || y == NULL) 384 int ret = 0;
353 { 385 if (x == NULL || y == NULL) {
354 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES, ERR_R_PASSED_NULL_PARAMETER); 386 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES, ERR_R_PASSED_NULL_PARAMETER);
355 return 0; 387 return 0;
356 } 388 }
357 389 if (!BN_copy(&point->X, x))
358 if (!BN_copy(&point->X, x)) goto err; 390 goto err;
359 BN_set_negative(&point->X, 0); 391 BN_set_negative(&point->X, 0);
360 if (!BN_copy(&point->Y, y)) goto err; 392 if (!BN_copy(&point->Y, y))
393 goto err;
361 BN_set_negative(&point->Y, 0); 394 BN_set_negative(&point->Y, 0);
362 if (!BN_copy(&point->Z, BN_value_one())) goto err; 395 if (!BN_copy(&point->Z, BN_value_one()))
396 goto err;
363 BN_set_negative(&point->Z, 0); 397 BN_set_negative(&point->Z, 0);
364 point->Z_is_one = 1; 398 point->Z_is_one = 1;
365 ret = 1; 399 ret = 1;
366 400
367 err: 401err:
368 return ret; 402 return ret;
369 } 403}
370 404
371 405
372/* Gets the affine coordinates of an EC_POINT. 406/* Gets the affine coordinates of an EC_POINT.
373 * Note that the simple implementation only uses affine coordinates. 407 * Note that the simple implementation only uses affine coordinates.
374 */ 408 */
375int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, 409int
376 BIGNUM *x, BIGNUM *y, BN_CTX *ctx) 410ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group,
377 { 411 const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
412{
378 int ret = 0; 413 int ret = 0;
379 414
380 if (EC_POINT_is_at_infinity(group, point)) 415 if (EC_POINT_is_at_infinity(group, point)) {
381 {
382 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY); 416 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY);
383 return 0; 417 return 0;
384 } 418 }
385 419 if (BN_cmp(&point->Z, BN_value_one())) {
386 if (BN_cmp(&point->Z, BN_value_one()))
387 {
388 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 420 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
389 return 0; 421 return 0;
390 } 422 }
391 if (x != NULL) 423 if (x != NULL) {
392 { 424 if (!BN_copy(x, &point->X))
393 if (!BN_copy(x, &point->X)) goto err; 425 goto err;
394 BN_set_negative(x, 0); 426 BN_set_negative(x, 0);
395 } 427 }
396 if (y != NULL) 428 if (y != NULL) {
397 { 429 if (!BN_copy(y, &point->Y))
398 if (!BN_copy(y, &point->Y)) goto err; 430 goto err;
399 BN_set_negative(y, 0); 431 BN_set_negative(y, 0);
400 } 432 }
401 ret = 1; 433 ret = 1;
402 434
403 err: 435err:
404 return ret; 436 return ret;
405 } 437}
406 438
407/* Computes a + b and stores the result in r. r could be a or b, a could be b. 439/* Computes a + b and stores the result in r. r could be a or b, a could be b.
408 * Uses algorithm A.10.2 of IEEE P1363. 440 * Uses algorithm A.10.2 of IEEE P1363.
409 */ 441 */
410int ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) 442int
411 { 443ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
444 const EC_POINT *b, BN_CTX *ctx)
445{
412 BN_CTX *new_ctx = NULL; 446 BN_CTX *new_ctx = NULL;
413 BIGNUM *x0, *y0, *x1, *y1, *x2, *y2, *s, *t; 447 BIGNUM *x0, *y0, *x1, *y1, *x2, *y2, *s, *t;
414 int ret = 0; 448 int ret = 0;
415
416 if (EC_POINT_is_at_infinity(group, a))
417 {
418 if (!EC_POINT_copy(r, b)) return 0;
419 return 1;
420 }
421 449
422 if (EC_POINT_is_at_infinity(group, b)) 450 if (EC_POINT_is_at_infinity(group, a)) {
423 { 451 if (!EC_POINT_copy(r, b))
424 if (!EC_POINT_copy(r, a)) return 0; 452 return 0;
425 return 1; 453 return 1;
426 } 454 }
427 455 if (EC_POINT_is_at_infinity(group, b)) {
428 if (ctx == NULL) 456 if (!EC_POINT_copy(r, a))
429 { 457 return 0;
458 return 1;
459 }
460 if (ctx == NULL) {
430 ctx = new_ctx = BN_CTX_new(); 461 ctx = new_ctx = BN_CTX_new();
431 if (ctx == NULL) 462 if (ctx == NULL)
432 return 0; 463 return 0;
433 } 464 }
434
435 BN_CTX_start(ctx); 465 BN_CTX_start(ctx);
436 x0 = BN_CTX_get(ctx); 466 x0 = BN_CTX_get(ctx);
437 y0 = BN_CTX_get(ctx); 467 y0 = BN_CTX_get(ctx);
@@ -441,149 +471,178 @@ int ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, co
441 y2 = BN_CTX_get(ctx); 471 y2 = BN_CTX_get(ctx);
442 s = BN_CTX_get(ctx); 472 s = BN_CTX_get(ctx);
443 t = BN_CTX_get(ctx); 473 t = BN_CTX_get(ctx);
444 if (t == NULL) goto err; 474 if (t == NULL)
475 goto err;
445 476
446 if (a->Z_is_one) 477 if (a->Z_is_one) {
447 { 478 if (!BN_copy(x0, &a->X))
448 if (!BN_copy(x0, &a->X)) goto err; 479 goto err;
449 if (!BN_copy(y0, &a->Y)) goto err; 480 if (!BN_copy(y0, &a->Y))
450 } 481 goto err;
451 else 482 } else {
452 { 483 if (!EC_POINT_get_affine_coordinates_GF2m(group, a, x0, y0, ctx))
453 if (!EC_POINT_get_affine_coordinates_GF2m(group, a, x0, y0, ctx)) goto err; 484 goto err;
454 } 485 }
455 if (b->Z_is_one) 486 if (b->Z_is_one) {
456 { 487 if (!BN_copy(x1, &b->X))
457 if (!BN_copy(x1, &b->X)) goto err; 488 goto err;
458 if (!BN_copy(y1, &b->Y)) goto err; 489 if (!BN_copy(y1, &b->Y))
459 } 490 goto err;
460 else 491 } else {
461 { 492 if (!EC_POINT_get_affine_coordinates_GF2m(group, b, x1, y1, ctx))
462 if (!EC_POINT_get_affine_coordinates_GF2m(group, b, x1, y1, ctx)) goto err; 493 goto err;
463 } 494 }
464 495
465 496
466 if (BN_GF2m_cmp(x0, x1)) 497 if (BN_GF2m_cmp(x0, x1)) {
467 { 498 if (!BN_GF2m_add(t, x0, x1))
468 if (!BN_GF2m_add(t, x0, x1)) goto err; 499 goto err;
469 if (!BN_GF2m_add(s, y0, y1)) goto err; 500 if (!BN_GF2m_add(s, y0, y1))
470 if (!group->meth->field_div(group, s, s, t, ctx)) goto err; 501 goto err;
471 if (!group->meth->field_sqr(group, x2, s, ctx)) goto err; 502 if (!group->meth->field_div(group, s, s, t, ctx))
472 if (!BN_GF2m_add(x2, x2, &group->a)) goto err; 503 goto err;
473 if (!BN_GF2m_add(x2, x2, s)) goto err; 504 if (!group->meth->field_sqr(group, x2, s, ctx))
474 if (!BN_GF2m_add(x2, x2, t)) goto err; 505 goto err;
475 } 506 if (!BN_GF2m_add(x2, x2, &group->a))
476 else 507 goto err;
477 { 508 if (!BN_GF2m_add(x2, x2, s))
478 if (BN_GF2m_cmp(y0, y1) || BN_is_zero(x1)) 509 goto err;
479 { 510 if (!BN_GF2m_add(x2, x2, t))
480 if (!EC_POINT_set_to_infinity(group, r)) goto err; 511 goto err;
512 } else {
513 if (BN_GF2m_cmp(y0, y1) || BN_is_zero(x1)) {
514 if (!EC_POINT_set_to_infinity(group, r))
515 goto err;
481 ret = 1; 516 ret = 1;
482 goto err; 517 goto err;
483 }
484 if (!group->meth->field_div(group, s, y1, x1, ctx)) goto err;
485 if (!BN_GF2m_add(s, s, x1)) goto err;
486
487 if (!group->meth->field_sqr(group, x2, s, ctx)) goto err;
488 if (!BN_GF2m_add(x2, x2, s)) goto err;
489 if (!BN_GF2m_add(x2, x2, &group->a)) goto err;
490 } 518 }
519 if (!group->meth->field_div(group, s, y1, x1, ctx))
520 goto err;
521 if (!BN_GF2m_add(s, s, x1))
522 goto err;
491 523
492 if (!BN_GF2m_add(y2, x1, x2)) goto err; 524 if (!group->meth->field_sqr(group, x2, s, ctx))
493 if (!group->meth->field_mul(group, y2, y2, s, ctx)) goto err; 525 goto err;
494 if (!BN_GF2m_add(y2, y2, x2)) goto err; 526 if (!BN_GF2m_add(x2, x2, s))
495 if (!BN_GF2m_add(y2, y2, y1)) goto err; 527 goto err;
528 if (!BN_GF2m_add(x2, x2, &group->a))
529 goto err;
530 }
496 531
497 if (!EC_POINT_set_affine_coordinates_GF2m(group, r, x2, y2, ctx)) goto err; 532 if (!BN_GF2m_add(y2, x1, x2))
533 goto err;
534 if (!group->meth->field_mul(group, y2, y2, s, ctx))
535 goto err;
536 if (!BN_GF2m_add(y2, y2, x2))
537 goto err;
538 if (!BN_GF2m_add(y2, y2, y1))
539 goto err;
540
541 if (!EC_POINT_set_affine_coordinates_GF2m(group, r, x2, y2, ctx))
542 goto err;
498 543
499 ret = 1; 544 ret = 1;
500 545
501 err: 546err:
502 BN_CTX_end(ctx); 547 BN_CTX_end(ctx);
503 if (new_ctx != NULL) 548 if (new_ctx != NULL)
504 BN_CTX_free(new_ctx); 549 BN_CTX_free(new_ctx);
505 return ret; 550 return ret;
506 } 551}
507 552
508 553
509/* Computes 2 * a and stores the result in r. r could be a. 554/* Computes 2 * a and stores the result in r. r could be a.
510 * Uses algorithm A.10.2 of IEEE P1363. 555 * Uses algorithm A.10.2 of IEEE P1363.
511 */ 556 */
512int ec_GF2m_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) 557int
513 { 558ec_GF2m_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
559 BN_CTX *ctx)
560{
514 return ec_GF2m_simple_add(group, r, a, a, ctx); 561 return ec_GF2m_simple_add(group, r, a, a, ctx);
515 } 562}
516
517 563
518int ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) 564int
519 { 565ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
566{
520 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y)) 567 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
521 /* point is its own inverse */ 568 /* point is its own inverse */
522 return 1; 569 return 1;
523 570
524 if (!EC_POINT_make_affine(group, point, ctx)) return 0; 571 if (!EC_POINT_make_affine(group, point, ctx))
572 return 0;
525 return BN_GF2m_add(&point->Y, &point->X, &point->Y); 573 return BN_GF2m_add(&point->Y, &point->X, &point->Y);
526 } 574}
527 575
528 576
529/* Indicates whether the given point is the point at infinity. */ 577/* Indicates whether the given point is the point at infinity. */
530int ec_GF2m_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) 578int
531 { 579ec_GF2m_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
580{
532 return BN_is_zero(&point->Z); 581 return BN_is_zero(&point->Z);
533 } 582}
534 583
535 584
536/* Determines whether the given EC_POINT is an actual point on the curve defined 585/* Determines whether the given EC_POINT is an actual point on the curve defined
537 * in the EC_GROUP. A point is valid if it satisfies the Weierstrass equation: 586 * in the EC_GROUP. A point is valid if it satisfies the Weierstrass equation:
538 * y^2 + x*y = x^3 + a*x^2 + b. 587 * y^2 + x*y = x^3 + a*x^2 + b.
539 */ 588 */
540int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx) 589int
541 { 590ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
591{
542 int ret = -1; 592 int ret = -1;
543 BN_CTX *new_ctx = NULL; 593 BN_CTX *new_ctx = NULL;
544 BIGNUM *lh, *y2; 594 BIGNUM *lh, *y2;
545 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); 595 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
546 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); 596 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
547 597
548 if (EC_POINT_is_at_infinity(group, point)) 598 if (EC_POINT_is_at_infinity(group, point))
549 return 1; 599 return 1;
550 600
551 field_mul = group->meth->field_mul; 601 field_mul = group->meth->field_mul;
552 field_sqr = group->meth->field_sqr; 602 field_sqr = group->meth->field_sqr;
553 603
554 /* only support affine coordinates */ 604 /* only support affine coordinates */
555 if (!point->Z_is_one) return -1; 605 if (!point->Z_is_one)
606 return -1;
556 607
557 if (ctx == NULL) 608 if (ctx == NULL) {
558 {
559 ctx = new_ctx = BN_CTX_new(); 609 ctx = new_ctx = BN_CTX_new();
560 if (ctx == NULL) 610 if (ctx == NULL)
561 return -1; 611 return -1;
562 } 612 }
563
564 BN_CTX_start(ctx); 613 BN_CTX_start(ctx);
565 y2 = BN_CTX_get(ctx); 614 y2 = BN_CTX_get(ctx);
566 lh = BN_CTX_get(ctx); 615 lh = BN_CTX_get(ctx);
567 if (lh == NULL) goto err; 616 if (lh == NULL)
617 goto err;
568 618
569 /* We have a curve defined by a Weierstrass equation 619 /*
570 * y^2 + x*y = x^3 + a*x^2 + b. 620 * We have a curve defined by a Weierstrass equation y^2 + x*y = x^3
571 * <=> x^3 + a*x^2 + x*y + b + y^2 = 0 621 * + a*x^2 + b. <=> x^3 + a*x^2 + x*y + b + y^2 = 0 <=> ((x + a) * x
572 * <=> ((x + a) * x + y ) * x + b + y^2 = 0 622 * + y ) * x + b + y^2 = 0
573 */ 623 */
574 if (!BN_GF2m_add(lh, &point->X, &group->a)) goto err; 624 if (!BN_GF2m_add(lh, &point->X, &group->a))
575 if (!field_mul(group, lh, lh, &point->X, ctx)) goto err; 625 goto err;
576 if (!BN_GF2m_add(lh, lh, &point->Y)) goto err; 626 if (!field_mul(group, lh, lh, &point->X, ctx))
577 if (!field_mul(group, lh, lh, &point->X, ctx)) goto err; 627 goto err;
578 if (!BN_GF2m_add(lh, lh, &group->b)) goto err; 628 if (!BN_GF2m_add(lh, lh, &point->Y))
579 if (!field_sqr(group, y2, &point->Y, ctx)) goto err; 629 goto err;
580 if (!BN_GF2m_add(lh, lh, y2)) goto err; 630 if (!field_mul(group, lh, lh, &point->X, ctx))
631 goto err;
632 if (!BN_GF2m_add(lh, lh, &group->b))
633 goto err;
634 if (!field_sqr(group, y2, &point->Y, ctx))
635 goto err;
636 if (!BN_GF2m_add(lh, lh, y2))
637 goto err;
581 ret = BN_is_zero(lh); 638 ret = BN_is_zero(lh);
582 err: 639err:
583 if (ctx) BN_CTX_end(ctx); 640 if (ctx)
584 if (new_ctx) BN_CTX_free(new_ctx); 641 BN_CTX_end(ctx);
642 if (new_ctx)
643 BN_CTX_free(new_ctx);
585 return ret; 644 return ret;
586 } 645}
587 646
588 647
589/* Indicates whether two points are equal. 648/* Indicates whether two points are equal.
@@ -592,118 +651,132 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_
592 * 0 equal (in affine coordinates) 651 * 0 equal (in affine coordinates)
593 * 1 not equal 652 * 1 not equal
594 */ 653 */
595int ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) 654int
596 { 655ec_GF2m_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx)
656{
597 BIGNUM *aX, *aY, *bX, *bY; 657 BIGNUM *aX, *aY, *bX, *bY;
598 BN_CTX *new_ctx = NULL; 658 BN_CTX *new_ctx = NULL;
599 int ret = -1; 659 int ret = -1;
600 660
601 if (EC_POINT_is_at_infinity(group, a)) 661 if (EC_POINT_is_at_infinity(group, a)) {
602 {
603 return EC_POINT_is_at_infinity(group, b) ? 0 : 1; 662 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
604 } 663 }
605
606 if (EC_POINT_is_at_infinity(group, b)) 664 if (EC_POINT_is_at_infinity(group, b))
607 return 1; 665 return 1;
608
609 if (a->Z_is_one && b->Z_is_one)
610 {
611 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
612 }
613 666
614 if (ctx == NULL) 667 if (a->Z_is_one && b->Z_is_one) {
615 { 668 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
669 }
670 if (ctx == NULL) {
616 ctx = new_ctx = BN_CTX_new(); 671 ctx = new_ctx = BN_CTX_new();
617 if (ctx == NULL) 672 if (ctx == NULL)
618 return -1; 673 return -1;
619 } 674 }
620
621 BN_CTX_start(ctx); 675 BN_CTX_start(ctx);
622 aX = BN_CTX_get(ctx); 676 aX = BN_CTX_get(ctx);
623 aY = BN_CTX_get(ctx); 677 aY = BN_CTX_get(ctx);
624 bX = BN_CTX_get(ctx); 678 bX = BN_CTX_get(ctx);
625 bY = BN_CTX_get(ctx); 679 bY = BN_CTX_get(ctx);
626 if (bY == NULL) goto err; 680 if (bY == NULL)
681 goto err;
627 682
628 if (!EC_POINT_get_affine_coordinates_GF2m(group, a, aX, aY, ctx)) goto err; 683 if (!EC_POINT_get_affine_coordinates_GF2m(group, a, aX, aY, ctx))
629 if (!EC_POINT_get_affine_coordinates_GF2m(group, b, bX, bY, ctx)) goto err; 684 goto err;
685 if (!EC_POINT_get_affine_coordinates_GF2m(group, b, bX, bY, ctx))
686 goto err;
630 ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1; 687 ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1;
631 688
632 err: 689err:
633 if (ctx) BN_CTX_end(ctx); 690 if (ctx)
634 if (new_ctx) BN_CTX_free(new_ctx); 691 BN_CTX_end(ctx);
692 if (new_ctx)
693 BN_CTX_free(new_ctx);
635 return ret; 694 return ret;
636 } 695}
637 696
638 697
639/* Forces the given EC_POINT to internally use affine coordinates. */ 698/* Forces the given EC_POINT to internally use affine coordinates. */
640int ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) 699int
641 { 700ec_GF2m_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx)
701{
642 BN_CTX *new_ctx = NULL; 702 BN_CTX *new_ctx = NULL;
643 BIGNUM *x, *y; 703 BIGNUM *x, *y;
644 int ret = 0; 704 int ret = 0;
645 705
646 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point)) 706 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
647 return 1; 707 return 1;
648 708
649 if (ctx == NULL) 709 if (ctx == NULL) {
650 {
651 ctx = new_ctx = BN_CTX_new(); 710 ctx = new_ctx = BN_CTX_new();
652 if (ctx == NULL) 711 if (ctx == NULL)
653 return 0; 712 return 0;
654 } 713 }
655
656 BN_CTX_start(ctx); 714 BN_CTX_start(ctx);
657 x = BN_CTX_get(ctx); 715 x = BN_CTX_get(ctx);
658 y = BN_CTX_get(ctx); 716 y = BN_CTX_get(ctx);
659 if (y == NULL) goto err; 717 if (y == NULL)
660 718 goto err;
661 if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err; 719
662 if (!BN_copy(&point->X, x)) goto err; 720 if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx))
663 if (!BN_copy(&point->Y, y)) goto err; 721 goto err;
664 if (!BN_one(&point->Z)) goto err; 722 if (!BN_copy(&point->X, x))
665 723 goto err;
666 ret = 1; 724 if (!BN_copy(&point->Y, y))
667 725 goto err;
668 err: 726 if (!BN_one(&point->Z))
669 if (ctx) BN_CTX_end(ctx); 727 goto err;
670 if (new_ctx) BN_CTX_free(new_ctx); 728
729 ret = 1;
730
731err:
732 if (ctx)
733 BN_CTX_end(ctx);
734 if (new_ctx)
735 BN_CTX_free(new_ctx);
671 return ret; 736 return ret;
672 } 737}
673 738
674 739
675/* Forces each of the EC_POINTs in the given array to use affine coordinates. */ 740/* Forces each of the EC_POINTs in the given array to use affine coordinates. */
676int ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx) 741int
677 { 742ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num,
743 EC_POINT *points[], BN_CTX *ctx)
744{
678 size_t i; 745 size_t i;
679 746
680 for (i = 0; i < num; i++) 747 for (i = 0; i < num; i++) {
681 { 748 if (!group->meth->make_affine(group, points[i], ctx))
682 if (!group->meth->make_affine(group, points[i], ctx)) return 0; 749 return 0;
683 } 750 }
684 751
685 return 1; 752 return 1;
686 } 753}
687 754
688 755
689/* Wrapper to simple binary polynomial field multiplication implementation. */ 756/* Wrapper to simple binary polynomial field multiplication implementation. */
690int ec_GF2m_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 757int
691 { 758ec_GF2m_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
759 const BIGNUM *b, BN_CTX *ctx)
760{
692 return BN_GF2m_mod_mul_arr(r, a, b, group->poly, ctx); 761 return BN_GF2m_mod_mul_arr(r, a, b, group->poly, ctx);
693 } 762}
694 763
695 764
696/* Wrapper to simple binary polynomial field squaring implementation. */ 765/* Wrapper to simple binary polynomial field squaring implementation. */
697int ec_GF2m_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) 766int
698 { 767ec_GF2m_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
768 BN_CTX *ctx)
769{
699 return BN_GF2m_mod_sqr_arr(r, a, group->poly, ctx); 770 return BN_GF2m_mod_sqr_arr(r, a, group->poly, ctx);
700 } 771}
701 772
702 773
703/* Wrapper to simple binary polynomial field division implementation. */ 774/* Wrapper to simple binary polynomial field division implementation. */
704int ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 775int
705 { 776ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
777 const BIGNUM *b, BN_CTX *ctx)
778{
706 return BN_GF2m_mod_div(r, a, b, &group->field, ctx); 779 return BN_GF2m_mod_div(r, a, b, &group->field, ctx);
707 } 780}
708 781
709#endif 782#endif
diff --git a/src/lib/libcrypto/ec/ec_ameth.c b/src/lib/libcrypto/ec/ec_ameth.c
index 0e6381f543..9b52c3cbfc 100644
--- a/src/lib/libcrypto/ec/ec_ameth.c
+++ b/src/lib/libcrypto/ec/ec_ameth.c
@@ -9,7 +9,7 @@
9 * are met: 9 * are met:
10 * 10 *
11 * 1. Redistributions of source code must retain the above copyright 11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer. 12 * notice, this list of conditions and the following disclaimer.
13 * 13 *
14 * 2. Redistributions in binary form must reproduce the above copyright 14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in 15 * notice, this list of conditions and the following disclaimer in
@@ -65,54 +65,51 @@
65#endif 65#endif
66#include "asn1_locl.h" 66#include "asn1_locl.h"
67 67
68static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key) 68static int
69 { 69eckey_param2type(int *pptype, void **ppval, EC_KEY * ec_key)
70 const EC_GROUP *group; 70{
71 const EC_GROUP *group;
71 int nid; 72 int nid;
72 if (ec_key == NULL || (group = EC_KEY_get0_group(ec_key)) == NULL) 73 if (ec_key == NULL || (group = EC_KEY_get0_group(ec_key)) == NULL) {
73 {
74 ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_PARAMETERS); 74 ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_PARAMETERS);
75 return 0; 75 return 0;
76 } 76 }
77 if (EC_GROUP_get_asn1_flag(group) 77 if (EC_GROUP_get_asn1_flag(group) &&
78 && (nid = EC_GROUP_get_curve_name(group))) 78 (nid = EC_GROUP_get_curve_name(group))) {
79 /* we have a 'named curve' => just set the OID */ 79 /* we have a 'named curve' => just set the OID */
80 {
81 *ppval = OBJ_nid2obj(nid); 80 *ppval = OBJ_nid2obj(nid);
82 *pptype = V_ASN1_OBJECT; 81 *pptype = V_ASN1_OBJECT;
83 } 82 } else {
84 else /* explicit parameters */ 83 /* explicit parameters */
85 {
86 ASN1_STRING *pstr = NULL; 84 ASN1_STRING *pstr = NULL;
87 pstr = ASN1_STRING_new(); 85 pstr = ASN1_STRING_new();
88 if (!pstr) 86 if (!pstr)
89 return 0; 87 return 0;
90 pstr->length = i2d_ECParameters(ec_key, &pstr->data); 88 pstr->length = i2d_ECParameters(ec_key, &pstr->data);
91 if (pstr->length <= 0) 89 if (pstr->length <= 0) {
92 {
93 ASN1_STRING_free(pstr); 90 ASN1_STRING_free(pstr);
94 ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB); 91 ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB);
95 return 0; 92 return 0;
96 } 93 }
97 *ppval = pstr; 94 *ppval = pstr;
98 *pptype = V_ASN1_SEQUENCE; 95 *pptype = V_ASN1_SEQUENCE;
99 }
100 return 1;
101 } 96 }
97 return 1;
98}
102 99
103static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 100static int
104 { 101eckey_pub_encode(X509_PUBKEY * pk, const EVP_PKEY * pkey)
102{
105 EC_KEY *ec_key = pkey->pkey.ec; 103 EC_KEY *ec_key = pkey->pkey.ec;
106 void *pval = NULL; 104 void *pval = NULL;
107 int ptype; 105 int ptype;
108 unsigned char *penc = NULL, *p; 106 unsigned char *penc = NULL, *p;
109 int penclen; 107 int penclen;
110 108
111 if (!eckey_param2type(&ptype, &pval, ec_key)) 109 if (!eckey_param2type(&ptype, &pval, ec_key)) {
112 {
113 ECerr(EC_F_ECKEY_PUB_ENCODE, ERR_R_EC_LIB); 110 ECerr(EC_F_ECKEY_PUB_ENCODE, ERR_R_EC_LIB);
114 return 0; 111 return 0;
115 } 112 }
116 penclen = i2o_ECPublicKey(ec_key, NULL); 113 penclen = i2o_ECPublicKey(ec_key, NULL);
117 if (penclen <= 0) 114 if (penclen <= 0)
118 goto err; 115 goto err;
@@ -124,9 +121,9 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
124 if (penclen <= 0) 121 if (penclen <= 0)
125 goto err; 122 goto err;
126 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC), 123 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC),
127 ptype, pval, penc, penclen)) 124 ptype, pval, penc, penclen))
128 return 1; 125 return 1;
129 err: 126err:
130 if (ptype == V_ASN1_OBJECT) 127 if (ptype == V_ASN1_OBJECT)
131 ASN1_OBJECT_free(pval); 128 ASN1_OBJECT_free(pval);
132 else 129 else
@@ -134,37 +131,36 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
134 if (penc) 131 if (penc)
135 free(penc); 132 free(penc);
136 return 0; 133 return 0;
137 } 134}
138 135
139static EC_KEY *eckey_type2param(int ptype, void *pval) 136static EC_KEY *
140 { 137eckey_type2param(int ptype, void *pval)
138{
141 EC_KEY *eckey = NULL; 139 EC_KEY *eckey = NULL;
142 if (ptype == V_ASN1_SEQUENCE) 140
143 { 141 if (ptype == V_ASN1_SEQUENCE) {
144 ASN1_STRING *pstr = pval; 142 ASN1_STRING *pstr = pval;
145 const unsigned char *pm = NULL; 143 const unsigned char *pm = NULL;
146 int pmlen; 144 int pmlen;
145
147 pm = pstr->data; 146 pm = pstr->data;
148 pmlen = pstr->length; 147 pmlen = pstr->length;
149 if (!(eckey = d2i_ECParameters(NULL, &pm, pmlen))) 148 if (!(eckey = d2i_ECParameters(NULL, &pm, pmlen))) {
150 {
151 ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); 149 ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR);
152 goto ecerr; 150 goto ecerr;
153 }
154 } 151 }
155 else if (ptype == V_ASN1_OBJECT) 152 } else if (ptype == V_ASN1_OBJECT) {
156 {
157 ASN1_OBJECT *poid = pval; 153 ASN1_OBJECT *poid = pval;
158 EC_GROUP *group; 154 EC_GROUP *group;
159 155
160 /* type == V_ASN1_OBJECT => the parameters are given 156 /*
161 * by an asn1 OID 157 * type == V_ASN1_OBJECT => the parameters are given by an
158 * asn1 OID
162 */ 159 */
163 if ((eckey = EC_KEY_new()) == NULL) 160 if ((eckey = EC_KEY_new()) == NULL) {
164 {
165 ECerr(EC_F_ECKEY_TYPE2PARAM, ERR_R_MALLOC_FAILURE); 161 ECerr(EC_F_ECKEY_TYPE2PARAM, ERR_R_MALLOC_FAILURE);
166 goto ecerr; 162 goto ecerr;
167 } 163 }
168 group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(poid)); 164 group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(poid));
169 if (group == NULL) 165 if (group == NULL)
170 goto ecerr; 166 goto ecerr;
@@ -172,23 +168,22 @@ static EC_KEY *eckey_type2param(int ptype, void *pval)
172 if (EC_KEY_set_group(eckey, group) == 0) 168 if (EC_KEY_set_group(eckey, group) == 0)
173 goto ecerr; 169 goto ecerr;
174 EC_GROUP_free(group); 170 EC_GROUP_free(group);
175 } 171 } else {
176 else
177 {
178 ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); 172 ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR);
179 goto ecerr; 173 goto ecerr;
180 } 174 }
181 175
182 return eckey; 176 return eckey;
183 177
184 ecerr: 178ecerr:
185 if (eckey) 179 if (eckey)
186 EC_KEY_free(eckey); 180 EC_KEY_free(eckey);
187 return NULL; 181 return NULL;
188 } 182}
189 183
190static int eckey_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 184static int
191 { 185eckey_pub_decode(EVP_PKEY * pkey, X509_PUBKEY * pubkey)
186{
192 const unsigned char *p = NULL; 187 const unsigned char *p = NULL;
193 void *pval; 188 void *pval;
194 int ptype, pklen; 189 int ptype, pklen;
@@ -201,44 +196,42 @@ static int eckey_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
201 196
202 eckey = eckey_type2param(ptype, pval); 197 eckey = eckey_type2param(ptype, pval);
203 198
204 if (!eckey) 199 if (!eckey) {
205 {
206 ECerr(EC_F_ECKEY_PUB_DECODE, ERR_R_EC_LIB); 200 ECerr(EC_F_ECKEY_PUB_DECODE, ERR_R_EC_LIB);
207 return 0; 201 return 0;
208 } 202 }
209
210 /* We have parameters now set public key */ 203 /* We have parameters now set public key */
211 if (!o2i_ECPublicKey(&eckey, &p, pklen)) 204 if (!o2i_ECPublicKey(&eckey, &p, pklen)) {
212 {
213 ECerr(EC_F_ECKEY_PUB_DECODE, EC_R_DECODE_ERROR); 205 ECerr(EC_F_ECKEY_PUB_DECODE, EC_R_DECODE_ERROR);
214 goto ecerr; 206 goto ecerr;
215 } 207 }
216
217 EVP_PKEY_assign_EC_KEY(pkey, eckey); 208 EVP_PKEY_assign_EC_KEY(pkey, eckey);
218 return 1; 209 return 1;
219 210
220 ecerr: 211ecerr:
221 if (eckey) 212 if (eckey)
222 EC_KEY_free(eckey); 213 EC_KEY_free(eckey);
223 return 0; 214 return 0;
224 } 215}
225 216
226static int eckey_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 217static int
227 { 218eckey_pub_cmp(const EVP_PKEY * a, const EVP_PKEY * b)
228 int r; 219{
220 int r;
229 const EC_GROUP *group = EC_KEY_get0_group(b->pkey.ec); 221 const EC_GROUP *group = EC_KEY_get0_group(b->pkey.ec);
230 const EC_POINT *pa = EC_KEY_get0_public_key(a->pkey.ec), 222 const EC_POINT *pa = EC_KEY_get0_public_key(a->pkey.ec), *pb = EC_KEY_get0_public_key(b->pkey.ec);
231 *pb = EC_KEY_get0_public_key(b->pkey.ec); 223
232 r = EC_POINT_cmp(group, pa, pb, NULL); 224 r = EC_POINT_cmp(group, pa, pb, NULL);
233 if (r == 0) 225 if (r == 0)
234 return 1; 226 return 1;
235 if (r == 1) 227 if (r == 1)
236 return 0; 228 return 0;
237 return -2; 229 return -2;
238 } 230}
239 231
240static int eckey_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) 232static int
241 { 233eckey_priv_decode(EVP_PKEY * pkey, PKCS8_PRIV_KEY_INFO * p8)
234{
242 const unsigned char *p = NULL; 235 const unsigned char *p = NULL;
243 void *pval; 236 void *pval;
244 int ptype, pklen; 237 int ptype, pklen;
@@ -255,100 +248,92 @@ static int eckey_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
255 goto ecliberr; 248 goto ecliberr;
256 249
257 /* We have parameters now set private key */ 250 /* We have parameters now set private key */
258 if (!d2i_ECPrivateKey(&eckey, &p, pklen)) 251 if (!d2i_ECPrivateKey(&eckey, &p, pklen)) {
259 {
260 ECerr(EC_F_ECKEY_PRIV_DECODE, EC_R_DECODE_ERROR); 252 ECerr(EC_F_ECKEY_PRIV_DECODE, EC_R_DECODE_ERROR);
261 goto ecerr; 253 goto ecerr;
262 } 254 }
263
264 /* calculate public key (if necessary) */ 255 /* calculate public key (if necessary) */
265 if (EC_KEY_get0_public_key(eckey) == NULL) 256 if (EC_KEY_get0_public_key(eckey) == NULL) {
266 {
267 const BIGNUM *priv_key; 257 const BIGNUM *priv_key;
268 const EC_GROUP *group; 258 const EC_GROUP *group;
269 EC_POINT *pub_key; 259 EC_POINT *pub_key;
270 /* the public key was not included in the SEC1 private 260 /*
271 * key => calculate the public key */ 261 * the public key was not included in the SEC1 private key =>
272 group = EC_KEY_get0_group(eckey); 262 * calculate the public key
263 */
264 group = EC_KEY_get0_group(eckey);
273 pub_key = EC_POINT_new(group); 265 pub_key = EC_POINT_new(group);
274 if (pub_key == NULL) 266 if (pub_key == NULL) {
275 {
276 ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB); 267 ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB);
277 goto ecliberr; 268 goto ecliberr;
278 } 269 }
279 if (!EC_POINT_copy(pub_key, EC_GROUP_get0_generator(group))) 270 if (!EC_POINT_copy(pub_key, EC_GROUP_get0_generator(group))) {
280 {
281 EC_POINT_free(pub_key); 271 EC_POINT_free(pub_key);
282 ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB); 272 ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB);
283 goto ecliberr; 273 goto ecliberr;
284 } 274 }
285 priv_key = EC_KEY_get0_private_key(eckey); 275 priv_key = EC_KEY_get0_private_key(eckey);
286 if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, NULL)) 276 if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, NULL)) {
287 {
288 EC_POINT_free(pub_key); 277 EC_POINT_free(pub_key);
289 ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB); 278 ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB);
290 goto ecliberr; 279 goto ecliberr;
291 } 280 }
292 if (EC_KEY_set_public_key(eckey, pub_key) == 0) 281 if (EC_KEY_set_public_key(eckey, pub_key) == 0) {
293 {
294 EC_POINT_free(pub_key); 282 EC_POINT_free(pub_key);
295 ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB); 283 ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB);
296 goto ecliberr; 284 goto ecliberr;
297 }
298 EC_POINT_free(pub_key);
299 } 285 }
300 286 EC_POINT_free(pub_key);
287 }
301 EVP_PKEY_assign_EC_KEY(pkey, eckey); 288 EVP_PKEY_assign_EC_KEY(pkey, eckey);
302 return 1; 289 return 1;
303 290
304 ecliberr: 291ecliberr:
305 ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB); 292 ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB);
306 ecerr: 293ecerr:
307 if (eckey) 294 if (eckey)
308 EC_KEY_free(eckey); 295 EC_KEY_free(eckey);
309 return 0; 296 return 0;
310 } 297}
311 298
312static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 299static int
300eckey_priv_encode(PKCS8_PRIV_KEY_INFO * p8, const EVP_PKEY * pkey)
313{ 301{
314 EC_KEY *ec_key; 302 EC_KEY *ec_key;
315 unsigned char *ep, *p; 303 unsigned char *ep, *p;
316 int eplen, ptype; 304 int eplen, ptype;
317 void *pval; 305 void *pval;
318 unsigned int tmp_flags, old_flags; 306 unsigned int tmp_flags, old_flags;
319 307
320 ec_key = pkey->pkey.ec; 308 ec_key = pkey->pkey.ec;
321 309
322 if (!eckey_param2type(&ptype, &pval, ec_key)) 310 if (!eckey_param2type(&ptype, &pval, ec_key)) {
323 {
324 ECerr(EC_F_ECKEY_PRIV_ENCODE, EC_R_DECODE_ERROR); 311 ECerr(EC_F_ECKEY_PRIV_ENCODE, EC_R_DECODE_ERROR);
325 return 0; 312 return 0;
326 } 313 }
327
328 /* set the private key */ 314 /* set the private key */
329 315
330 /* do not include the parameters in the SEC1 private key 316 /*
331 * see PKCS#11 12.11 */ 317 * do not include the parameters in the SEC1 private key see PKCS#11
318 * 12.11
319 */
332 old_flags = EC_KEY_get_enc_flags(ec_key); 320 old_flags = EC_KEY_get_enc_flags(ec_key);
333 tmp_flags = old_flags | EC_PKEY_NO_PARAMETERS; 321 tmp_flags = old_flags | EC_PKEY_NO_PARAMETERS;
334 EC_KEY_set_enc_flags(ec_key, tmp_flags); 322 EC_KEY_set_enc_flags(ec_key, tmp_flags);
335 eplen = i2d_ECPrivateKey(ec_key, NULL); 323 eplen = i2d_ECPrivateKey(ec_key, NULL);
336 if (!eplen) 324 if (!eplen) {
337 {
338 EC_KEY_set_enc_flags(ec_key, old_flags); 325 EC_KEY_set_enc_flags(ec_key, old_flags);
339 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); 326 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
340 return 0; 327 return 0;
341 } 328 }
342 ep = (unsigned char *) malloc(eplen); 329 ep = (unsigned char *) malloc(eplen);
343 if (!ep) 330 if (!ep) {
344 {
345 EC_KEY_set_enc_flags(ec_key, old_flags); 331 EC_KEY_set_enc_flags(ec_key, old_flags);
346 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); 332 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
347 return 0; 333 return 0;
348 } 334 }
349 p = ep; 335 p = ep;
350 if (!i2d_ECPrivateKey(ec_key, &p)) 336 if (!i2d_ECPrivateKey(ec_key, &p)) {
351 {
352 EC_KEY_set_enc_flags(ec_key, old_flags); 337 EC_KEY_set_enc_flags(ec_key, old_flags);
353 free(ep); 338 free(ep);
354 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); 339 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
@@ -358,49 +343,50 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
358 EC_KEY_set_enc_flags(ec_key, old_flags); 343 EC_KEY_set_enc_flags(ec_key, old_flags);
359 344
360 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0, 345 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0,
361 ptype, pval, ep, eplen)) 346 ptype, pval, ep, eplen))
362 return 0; 347 return 0;
363 348
364 return 1; 349 return 1;
365} 350}
366 351
367static int int_ec_size(const EVP_PKEY *pkey) 352static int
368 { 353int_ec_size(const EVP_PKEY * pkey)
354{
369 return ECDSA_size(pkey->pkey.ec); 355 return ECDSA_size(pkey->pkey.ec);
370 } 356}
371 357
372static int ec_bits(const EVP_PKEY *pkey) 358static int
373 { 359ec_bits(const EVP_PKEY * pkey)
360{
374 BIGNUM *order = BN_new(); 361 BIGNUM *order = BN_new();
375 const EC_GROUP *group; 362 const EC_GROUP *group;
376 int ret; 363 int ret;
377 364
378 if (!order) 365 if (!order) {
379 {
380 ERR_clear_error(); 366 ERR_clear_error();
381 return 0; 367 return 0;
382 } 368 }
383 group = EC_KEY_get0_group(pkey->pkey.ec); 369 group = EC_KEY_get0_group(pkey->pkey.ec);
384 if (!EC_GROUP_get_order(group, order, NULL)) 370 if (!EC_GROUP_get_order(group, order, NULL)) {
385 {
386 ERR_clear_error(); 371 ERR_clear_error();
387 return 0; 372 return 0;
388 } 373 }
389
390 ret = BN_num_bits(order); 374 ret = BN_num_bits(order);
391 BN_free(order); 375 BN_free(order);
392 return ret; 376 return ret;
393 } 377}
394 378
395static int ec_missing_parameters(const EVP_PKEY *pkey) 379static int
396 { 380ec_missing_parameters(const EVP_PKEY * pkey)
381{
397 if (EC_KEY_get0_group(pkey->pkey.ec) == NULL) 382 if (EC_KEY_get0_group(pkey->pkey.ec) == NULL)
398 return 1; 383 return 1;
399 return 0; 384 return 0;
400 } 385}
401 386
402static int ec_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) 387static int
403 { 388ec_copy_parameters(EVP_PKEY * to, const EVP_PKEY * from)
389{
404 EC_GROUP *group = EC_GROUP_dup(EC_KEY_get0_group(from->pkey.ec)); 390 EC_GROUP *group = EC_GROUP_dup(EC_KEY_get0_group(from->pkey.ec));
405 if (group == NULL) 391 if (group == NULL)
406 return 0; 392 return 0;
@@ -408,79 +394,70 @@ static int ec_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
408 return 0; 394 return 0;
409 EC_GROUP_free(group); 395 EC_GROUP_free(group);
410 return 1; 396 return 1;
411 } 397}
412 398
413static int ec_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) 399static int
414 { 400ec_cmp_parameters(const EVP_PKEY * a, const EVP_PKEY * b)
415 const EC_GROUP *group_a = EC_KEY_get0_group(a->pkey.ec), 401{
416 *group_b = EC_KEY_get0_group(b->pkey.ec); 402 const EC_GROUP *group_a = EC_KEY_get0_group(a->pkey.ec), *group_b = EC_KEY_get0_group(b->pkey.ec);
417 if (EC_GROUP_cmp(group_a, group_b, NULL)) 403 if (EC_GROUP_cmp(group_a, group_b, NULL))
418 return 0; 404 return 0;
419 else 405 else
420 return 1; 406 return 1;
421 } 407}
422 408
423static void int_ec_free(EVP_PKEY *pkey) 409static void
424 { 410int_ec_free(EVP_PKEY * pkey)
411{
425 EC_KEY_free(pkey->pkey.ec); 412 EC_KEY_free(pkey->pkey.ec);
426 } 413}
427 414
428static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype) 415static int
429 { 416do_EC_KEY_print(BIO * bp, const EC_KEY * x, int off, int ktype)
430 unsigned char *buffer=NULL; 417{
418 unsigned char *buffer = NULL;
431 const char *ecstr; 419 const char *ecstr;
432 size_t buf_len=0, i; 420 size_t buf_len = 0, i;
433 int ret=0, reason=ERR_R_BIO_LIB; 421 int ret = 0, reason = ERR_R_BIO_LIB;
434 BIGNUM *pub_key=NULL, *order=NULL; 422 BIGNUM *pub_key = NULL, *order = NULL;
435 BN_CTX *ctx=NULL; 423 BN_CTX *ctx = NULL;
436 const EC_GROUP *group; 424 const EC_GROUP *group;
437 const EC_POINT *public_key; 425 const EC_POINT *public_key;
438 const BIGNUM *priv_key; 426 const BIGNUM *priv_key;
439 427
440 if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL) 428 if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL) {
441 {
442 reason = ERR_R_PASSED_NULL_PARAMETER; 429 reason = ERR_R_PASSED_NULL_PARAMETER;
443 goto err; 430 goto err;
444 } 431 }
445
446 ctx = BN_CTX_new(); 432 ctx = BN_CTX_new();
447 if (ctx == NULL) 433 if (ctx == NULL) {
448 {
449 reason = ERR_R_MALLOC_FAILURE; 434 reason = ERR_R_MALLOC_FAILURE;
450 goto err; 435 goto err;
451 } 436 }
452 437 if (ktype > 0) {
453 if (ktype > 0)
454 {
455 public_key = EC_KEY_get0_public_key(x); 438 public_key = EC_KEY_get0_public_key(x);
456 if ((pub_key = EC_POINT_point2bn(group, public_key, 439 if ((pub_key = EC_POINT_point2bn(group, public_key,
457 EC_KEY_get_conv_form(x), NULL, ctx)) == NULL) 440 EC_KEY_get_conv_form(x), NULL, ctx)) == NULL) {
458 {
459 reason = ERR_R_EC_LIB; 441 reason = ERR_R_EC_LIB;
460 goto err; 442 goto err;
461 }
462 if (pub_key)
463 buf_len = (size_t)BN_num_bytes(pub_key);
464 } 443 }
465 444 if (pub_key)
466 if (ktype == 2) 445 buf_len = (size_t) BN_num_bytes(pub_key);
467 { 446 }
447 if (ktype == 2) {
468 priv_key = EC_KEY_get0_private_key(x); 448 priv_key = EC_KEY_get0_private_key(x);
469 if (priv_key && (i = (size_t)BN_num_bytes(priv_key)) > buf_len) 449 if (priv_key && (i = (size_t) BN_num_bytes(priv_key)) > buf_len)
470 buf_len = i; 450 buf_len = i;
471 } 451 } else
472 else
473 priv_key = NULL; 452 priv_key = NULL;
474 453
475 if (ktype > 0) 454 if (ktype > 0) {
476 {
477 buf_len += 10; 455 buf_len += 10;
478 if ((buffer = malloc(buf_len)) == NULL) 456 if ((buffer = malloc(buf_len)) == NULL) {
479 {
480 reason = ERR_R_MALLOC_FAILURE; 457 reason = ERR_R_MALLOC_FAILURE;
481 goto err; 458 goto err;
482 }
483 } 459 }
460 }
484 if (ktype == 2) 461 if (ktype == 2)
485 ecstr = "Private-Key"; 462 ecstr = "Private-Key";
486 else if (ktype == 1) 463 else if (ktype == 1)
@@ -495,9 +472,10 @@ static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype)
495 if (!EC_GROUP_get_order(group, order, NULL)) 472 if (!EC_GROUP_get_order(group, order, NULL))
496 goto err; 473 goto err;
497 if (BIO_printf(bp, "%s: (%d bit)\n", ecstr, 474 if (BIO_printf(bp, "%s: (%d bit)\n", ecstr,
498 BN_num_bits(order)) <= 0) goto err; 475 BN_num_bits(order)) <= 0)
499 476 goto err;
500 if ((priv_key != NULL) && !ASN1_bn_print(bp, "priv:", priv_key, 477
478 if ((priv_key != NULL) && !ASN1_bn_print(bp, "priv:", priv_key,
501 buffer, off)) 479 buffer, off))
502 goto err; 480 goto err;
503 if ((pub_key != NULL) && !ASN1_bn_print(bp, "pub: ", pub_key, 481 if ((pub_key != NULL) && !ASN1_bn_print(bp, "pub: ", pub_key,
@@ -505,11 +483,11 @@ static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype)
505 goto err; 483 goto err;
506 if (!ECPKParameters_print(bp, group, off)) 484 if (!ECPKParameters_print(bp, group, off))
507 goto err; 485 goto err;
508 ret=1; 486 ret = 1;
509err: 487err:
510 if (!ret) 488 if (!ret)
511 ECerr(EC_F_DO_EC_KEY_PRINT, reason); 489 ECerr(EC_F_DO_EC_KEY_PRINT, reason);
512 if (pub_key) 490 if (pub_key)
513 BN_free(pub_key); 491 BN_free(pub_key);
514 if (order) 492 if (order)
515 BN_free(order); 493 BN_free(order);
@@ -517,71 +495,75 @@ err:
517 BN_CTX_free(ctx); 495 BN_CTX_free(ctx);
518 if (buffer != NULL) 496 if (buffer != NULL)
519 free(buffer); 497 free(buffer);
520 return(ret); 498 return (ret);
521 } 499}
522 500
523static int eckey_param_decode(EVP_PKEY *pkey, 501static int
524 const unsigned char **pder, int derlen) 502eckey_param_decode(EVP_PKEY * pkey,
525 { 503 const unsigned char **pder, int derlen)
504{
526 EC_KEY *eckey; 505 EC_KEY *eckey;
527 if (!(eckey = d2i_ECParameters(NULL, pder, derlen))) 506 if (!(eckey = d2i_ECParameters(NULL, pder, derlen))) {
528 {
529 ECerr(EC_F_ECKEY_PARAM_DECODE, ERR_R_EC_LIB); 507 ECerr(EC_F_ECKEY_PARAM_DECODE, ERR_R_EC_LIB);
530 return 0; 508 return 0;
531 } 509 }
532 EVP_PKEY_assign_EC_KEY(pkey, eckey); 510 EVP_PKEY_assign_EC_KEY(pkey, eckey);
533 return 1; 511 return 1;
534 } 512}
535 513
536static int eckey_param_encode(const EVP_PKEY *pkey, unsigned char **pder) 514static int
537 { 515eckey_param_encode(const EVP_PKEY * pkey, unsigned char **pder)
516{
538 return i2d_ECParameters(pkey->pkey.ec, pder); 517 return i2d_ECParameters(pkey->pkey.ec, pder);
539 } 518}
540 519
541static int eckey_param_print(BIO *bp, const EVP_PKEY *pkey, int indent, 520static int
542 ASN1_PCTX *ctx) 521eckey_param_print(BIO * bp, const EVP_PKEY * pkey, int indent,
543 { 522 ASN1_PCTX * ctx)
523{
544 return do_EC_KEY_print(bp, pkey->pkey.ec, indent, 0); 524 return do_EC_KEY_print(bp, pkey->pkey.ec, indent, 0);
545 } 525}
546 526
547static int eckey_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, 527static int
548 ASN1_PCTX *ctx) 528eckey_pub_print(BIO * bp, const EVP_PKEY * pkey, int indent,
549 { 529 ASN1_PCTX * ctx)
530{
550 return do_EC_KEY_print(bp, pkey->pkey.ec, indent, 1); 531 return do_EC_KEY_print(bp, pkey->pkey.ec, indent, 1);
551 } 532}
552 533
553 534
554static int eckey_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, 535static int
555 ASN1_PCTX *ctx) 536eckey_priv_print(BIO * bp, const EVP_PKEY * pkey, int indent,
556 { 537 ASN1_PCTX * ctx)
538{
557 return do_EC_KEY_print(bp, pkey->pkey.ec, indent, 2); 539 return do_EC_KEY_print(bp, pkey->pkey.ec, indent, 2);
558 } 540}
559 541
560static int old_ec_priv_decode(EVP_PKEY *pkey, 542static int
561 const unsigned char **pder, int derlen) 543old_ec_priv_decode(EVP_PKEY * pkey,
562 { 544 const unsigned char **pder, int derlen)
545{
563 EC_KEY *ec; 546 EC_KEY *ec;
564 if (!(ec = d2i_ECPrivateKey (NULL, pder, derlen))) 547 if (!(ec = d2i_ECPrivateKey(NULL, pder, derlen))) {
565 {
566 ECerr(EC_F_OLD_EC_PRIV_DECODE, EC_R_DECODE_ERROR); 548 ECerr(EC_F_OLD_EC_PRIV_DECODE, EC_R_DECODE_ERROR);
567 return 0; 549 return 0;
568 } 550 }
569 EVP_PKEY_assign_EC_KEY(pkey, ec); 551 EVP_PKEY_assign_EC_KEY(pkey, ec);
570 return 1; 552 return 1;
571 } 553}
572 554
573static int old_ec_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 555static int
574 { 556old_ec_priv_encode(const EVP_PKEY * pkey, unsigned char **pder)
557{
575 return i2d_ECPrivateKey(pkey->pkey.ec, pder); 558 return i2d_ECPrivateKey(pkey->pkey.ec, pder);
576 } 559}
577 560
578static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 561static int
579 { 562ec_pkey_ctrl(EVP_PKEY * pkey, int op, long arg1, void *arg2)
580 switch (op) 563{
581 { 564 switch (op) {
582 case ASN1_PKEY_CTRL_PKCS7_SIGN: 565 case ASN1_PKEY_CTRL_PKCS7_SIGN:
583 if (arg1 == 0) 566 if (arg1 == 0) {
584 {
585 int snid, hnid; 567 int snid, hnid;
586 X509_ALGOR *alg1, *alg2; 568 X509_ALGOR *alg1, *alg2;
587 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2); 569 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2);
@@ -591,41 +573,40 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
591 if (hnid == NID_undef) 573 if (hnid == NID_undef)
592 return -1; 574 return -1;
593 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) 575 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
594 return -1; 576 return -1;
595 X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); 577 X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
596 } 578 }
597 return 1; 579 return 1;
598#ifndef OPENSSL_NO_CMS 580#ifndef OPENSSL_NO_CMS
599 case ASN1_PKEY_CTRL_CMS_SIGN: 581 case ASN1_PKEY_CTRL_CMS_SIGN:
600 if (arg1 == 0) 582 if (arg1 == 0) {
601 {
602 int snid, hnid; 583 int snid, hnid;
603 X509_ALGOR *alg1, *alg2; 584 X509_ALGOR *alg1, *alg2;
604 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, 585 CMS_SignerInfo_get0_algs(arg2, NULL, NULL,
605 &alg1, &alg2); 586 &alg1, &alg2);
606 if (alg1 == NULL || alg1->algorithm == NULL) 587 if (alg1 == NULL || alg1->algorithm == NULL)
607 return -1; 588 return -1;
608 hnid = OBJ_obj2nid(alg1->algorithm); 589 hnid = OBJ_obj2nid(alg1->algorithm);
609 if (hnid == NID_undef) 590 if (hnid == NID_undef)
610 return -1; 591 return -1;
611 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) 592 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
612 return -1; 593 return -1;
613 X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); 594 X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
614 } 595 }
615 return 1; 596 return 1;
616#endif 597#endif
617 598
618 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 599 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
619 *(int *)arg2 = NID_sha1; 600 *(int *) arg2 = NID_sha1;
620 return 2; 601 return 2;
621 602
622 default: 603 default:
623 return -2; 604 return -2;
624 605
625 }
626
627 } 606 }
628 607
608}
609
629const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = { 610const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = {
630 .pkey_id = EVP_PKEY_EC, 611 .pkey_id = EVP_PKEY_EC,
631 .pkey_base_id = EVP_PKEY_EC, 612 .pkey_base_id = EVP_PKEY_EC,
diff --git a/src/lib/libcrypto/ec/ec_asn1.c b/src/lib/libcrypto/ec/ec_asn1.c
index 2bde9a6a3c..70670a4c75 100644
--- a/src/lib/libcrypto/ec/ec_asn1.c
+++ b/src/lib/libcrypto/ec/ec_asn1.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -63,12 +63,13 @@
63#include <openssl/objects.h> 63#include <openssl/objects.h>
64 64
65 65
66int EC_GROUP_get_basis_type(const EC_GROUP *group) 66int
67 { 67EC_GROUP_get_basis_type(const EC_GROUP * group)
68 int i=0; 68{
69 int i = 0;
69 70
70 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 71 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
71 NID_X9_62_characteristic_two_field) 72 NID_X9_62_characteristic_two_field)
72 /* everything else is currently not supported */ 73 /* everything else is currently not supported */
73 return 0; 74 return 0;
74 75
@@ -82,40 +83,38 @@ int EC_GROUP_get_basis_type(const EC_GROUP *group)
82 else 83 else
83 /* everything else is currently not supported */ 84 /* everything else is currently not supported */
84 return 0; 85 return 0;
85 } 86}
86#ifndef OPENSSL_NO_EC2M 87#ifndef OPENSSL_NO_EC2M
87int EC_GROUP_get_trinomial_basis(const EC_GROUP *group, unsigned int *k) 88int
88 { 89EC_GROUP_get_trinomial_basis(const EC_GROUP * group, unsigned int *k)
90{
89 if (group == NULL) 91 if (group == NULL)
90 return 0; 92 return 0;
91 93
92 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 94 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
93 NID_X9_62_characteristic_two_field 95 NID_X9_62_characteristic_two_field
94 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0))) 96 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0))) {
95 {
96 ECerr(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 97 ECerr(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
97 return 0; 98 return 0;
98 } 99 }
99
100 if (k) 100 if (k)
101 *k = group->poly[1]; 101 *k = group->poly[1];
102 102
103 return 1; 103 return 1;
104 } 104}
105int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1, 105int
106 unsigned int *k2, unsigned int *k3) 106EC_GROUP_get_pentanomial_basis(const EC_GROUP * group, unsigned int *k1,
107 { 107 unsigned int *k2, unsigned int *k3)
108{
108 if (group == NULL) 109 if (group == NULL)
109 return 0; 110 return 0;
110 111
111 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 112 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
112 NID_X9_62_characteristic_two_field 113 NID_X9_62_characteristic_two_field
113 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0))) 114 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0))) {
114 {
115 ECerr(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 115 ECerr(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
116 return 0; 116 return 0;
117 } 117 }
118
119 if (k1) 118 if (k1)
120 *k1 = group->poly[3]; 119 *k1 = group->poly[3];
121 if (k2) 120 if (k2)
@@ -124,7 +123,7 @@ int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
124 *k3 = group->poly[1]; 123 *k3 = group->poly[1];
125 124
126 return 1; 125 return 1;
127 } 126}
128#endif 127#endif
129 128
130 129
@@ -133,27 +132,27 @@ typedef struct x9_62_pentanomial_st {
133 long k1; 132 long k1;
134 long k2; 133 long k2;
135 long k3; 134 long k3;
136 } X9_62_PENTANOMIAL; 135} X9_62_PENTANOMIAL;
137 136
138typedef struct x9_62_characteristic_two_st { 137typedef struct x9_62_characteristic_two_st {
139 long m; 138 long m;
140 ASN1_OBJECT *type; 139 ASN1_OBJECT *type;
141 union { 140 union {
142 char *ptr; 141 char *ptr;
143 /* NID_X9_62_onBasis */ 142 /* NID_X9_62_onBasis */
144 ASN1_NULL *onBasis; 143 ASN1_NULL *onBasis;
145 /* NID_X9_62_tpBasis */ 144 /* NID_X9_62_tpBasis */
146 ASN1_INTEGER *tpBasis; 145 ASN1_INTEGER *tpBasis;
147 /* NID_X9_62_ppBasis */ 146 /* NID_X9_62_ppBasis */
148 X9_62_PENTANOMIAL *ppBasis; 147 X9_62_PENTANOMIAL *ppBasis;
149 /* anything else */ 148 /* anything else */
150 ASN1_TYPE *other; 149 ASN1_TYPE *other;
151 } p; 150 } p;
152 } X9_62_CHARACTERISTIC_TWO; 151} X9_62_CHARACTERISTIC_TWO;
153 152
154typedef struct x9_62_fieldid_st { 153typedef struct x9_62_fieldid_st {
155 ASN1_OBJECT *fieldType; 154 ASN1_OBJECT *fieldType;
156 union { 155 union {
157 char *ptr; 156 char *ptr;
158 /* NID_X9_62_prime_field */ 157 /* NID_X9_62_prime_field */
159 ASN1_INTEGER *prime; 158 ASN1_INTEGER *prime;
@@ -161,40 +160,40 @@ typedef struct x9_62_fieldid_st {
161 X9_62_CHARACTERISTIC_TWO *char_two; 160 X9_62_CHARACTERISTIC_TWO *char_two;
162 /* anything else */ 161 /* anything else */
163 ASN1_TYPE *other; 162 ASN1_TYPE *other;
164 } p; 163 } p;
165 } X9_62_FIELDID; 164} X9_62_FIELDID;
166 165
167typedef struct x9_62_curve_st { 166typedef struct x9_62_curve_st {
168 ASN1_OCTET_STRING *a; 167 ASN1_OCTET_STRING *a;
169 ASN1_OCTET_STRING *b; 168 ASN1_OCTET_STRING *b;
170 ASN1_BIT_STRING *seed; 169 ASN1_BIT_STRING *seed;
171 } X9_62_CURVE; 170} X9_62_CURVE;
172 171
173typedef struct ec_parameters_st { 172typedef struct ec_parameters_st {
174 long version; 173 long version;
175 X9_62_FIELDID *fieldID; 174 X9_62_FIELDID *fieldID;
176 X9_62_CURVE *curve; 175 X9_62_CURVE *curve;
177 ASN1_OCTET_STRING *base; 176 ASN1_OCTET_STRING *base;
178 ASN1_INTEGER *order; 177 ASN1_INTEGER *order;
179 ASN1_INTEGER *cofactor; 178 ASN1_INTEGER *cofactor;
180 } ECPARAMETERS; 179} ECPARAMETERS;
181 180
182struct ecpk_parameters_st { 181struct ecpk_parameters_st {
183 int type; 182 int type;
184 union { 183 union {
185 ASN1_OBJECT *named_curve; 184 ASN1_OBJECT *named_curve;
186 ECPARAMETERS *parameters; 185 ECPARAMETERS *parameters;
187 ASN1_NULL *implicitlyCA; 186 ASN1_NULL *implicitlyCA;
188 } value; 187 } value;
189 }/* ECPKPARAMETERS */; 188} /* ECPKPARAMETERS */ ;
190 189
191/* SEC1 ECPrivateKey */ 190/* SEC1 ECPrivateKey */
192typedef struct ec_privatekey_st { 191typedef struct ec_privatekey_st {
193 long version; 192 long version;
194 ASN1_OCTET_STRING *privateKey; 193 ASN1_OCTET_STRING *privateKey;
195 ECPKPARAMETERS *parameters; 194 ECPKPARAMETERS *parameters;
196 ASN1_BIT_STRING *publicKey; 195 ASN1_BIT_STRING *publicKey;
197 } EC_PRIVATEKEY; 196} EC_PRIVATEKEY;
198 197
199/* the OpenSSL ASN.1 definitions */ 198/* the OpenSSL ASN.1 definitions */
200ASN1_SEQUENCE(X9_62_PENTANOMIAL) = { 199ASN1_SEQUENCE(X9_62_PENTANOMIAL) = {
@@ -219,10 +218,8 @@ ASN1_SEQUENCE(X9_62_CHARACTERISTIC_TWO) = {
219 ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, type, ASN1_OBJECT), 218 ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, type, ASN1_OBJECT),
220 ASN1_ADB_OBJECT(X9_62_CHARACTERISTIC_TWO) 219 ASN1_ADB_OBJECT(X9_62_CHARACTERISTIC_TWO)
221} ASN1_SEQUENCE_END(X9_62_CHARACTERISTIC_TWO) 220} ASN1_SEQUENCE_END(X9_62_CHARACTERISTIC_TWO)
222
223DECLARE_ASN1_ALLOC_FUNCTIONS(X9_62_CHARACTERISTIC_TWO) 221DECLARE_ASN1_ALLOC_FUNCTIONS(X9_62_CHARACTERISTIC_TWO)
224IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X9_62_CHARACTERISTIC_TWO) 222IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X9_62_CHARACTERISTIC_TWO)
225
226ASN1_ADB_TEMPLATE(fieldID_def) = ASN1_SIMPLE(X9_62_FIELDID, p.other, ASN1_ANY); 223ASN1_ADB_TEMPLATE(fieldID_def) = ASN1_SIMPLE(X9_62_FIELDID, p.other, ASN1_ANY);
227 224
228ASN1_ADB(X9_62_FIELDID) = { 225ASN1_ADB(X9_62_FIELDID) = {
@@ -249,7 +246,6 @@ ASN1_SEQUENCE(ECPARAMETERS) = {
249 ASN1_SIMPLE(ECPARAMETERS, order, ASN1_INTEGER), 246 ASN1_SIMPLE(ECPARAMETERS, order, ASN1_INTEGER),
250 ASN1_OPT(ECPARAMETERS, cofactor, ASN1_INTEGER) 247 ASN1_OPT(ECPARAMETERS, cofactor, ASN1_INTEGER)
251} ASN1_SEQUENCE_END(ECPARAMETERS) 248} ASN1_SEQUENCE_END(ECPARAMETERS)
252
253DECLARE_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS) 249DECLARE_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS)
254IMPLEMENT_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS) 250IMPLEMENT_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS)
255 251
@@ -258,7 +254,6 @@ ASN1_CHOICE(ECPKPARAMETERS) = {
258 ASN1_SIMPLE(ECPKPARAMETERS, value.parameters, ECPARAMETERS), 254 ASN1_SIMPLE(ECPKPARAMETERS, value.parameters, ECPARAMETERS),
259 ASN1_SIMPLE(ECPKPARAMETERS, value.implicitlyCA, ASN1_NULL) 255 ASN1_SIMPLE(ECPKPARAMETERS, value.implicitlyCA, ASN1_NULL)
260} ASN1_CHOICE_END(ECPKPARAMETERS) 256} ASN1_CHOICE_END(ECPKPARAMETERS)
261
262DECLARE_ASN1_FUNCTIONS_const(ECPKPARAMETERS) 257DECLARE_ASN1_FUNCTIONS_const(ECPKPARAMETERS)
263DECLARE_ASN1_ENCODE_FUNCTIONS_const(ECPKPARAMETERS, ECPKPARAMETERS) 258DECLARE_ASN1_ENCODE_FUNCTIONS_const(ECPKPARAMETERS, ECPKPARAMETERS)
264IMPLEMENT_ASN1_FUNCTIONS_const(ECPKPARAMETERS) 259IMPLEMENT_ASN1_FUNCTIONS_const(ECPKPARAMETERS)
@@ -269,39 +264,38 @@ ASN1_SEQUENCE(EC_PRIVATEKEY) = {
269 ASN1_EXP_OPT(EC_PRIVATEKEY, parameters, ECPKPARAMETERS, 0), 264 ASN1_EXP_OPT(EC_PRIVATEKEY, parameters, ECPKPARAMETERS, 0),
270 ASN1_EXP_OPT(EC_PRIVATEKEY, publicKey, ASN1_BIT_STRING, 1) 265 ASN1_EXP_OPT(EC_PRIVATEKEY, publicKey, ASN1_BIT_STRING, 1)
271} ASN1_SEQUENCE_END(EC_PRIVATEKEY) 266} ASN1_SEQUENCE_END(EC_PRIVATEKEY)
272
273DECLARE_ASN1_FUNCTIONS_const(EC_PRIVATEKEY) 267DECLARE_ASN1_FUNCTIONS_const(EC_PRIVATEKEY)
274DECLARE_ASN1_ENCODE_FUNCTIONS_const(EC_PRIVATEKEY, EC_PRIVATEKEY) 268DECLARE_ASN1_ENCODE_FUNCTIONS_const(EC_PRIVATEKEY, EC_PRIVATEKEY)
275IMPLEMENT_ASN1_FUNCTIONS_const(EC_PRIVATEKEY) 269IMPLEMENT_ASN1_FUNCTIONS_const(EC_PRIVATEKEY)
276
277/* some declarations of internal function */ 270/* some declarations of internal function */
278 271
279/* ec_asn1_group2field() sets the values in a X9_62_FIELDID object */ 272/* ec_asn1_group2field() sets the values in a X9_62_FIELDID object */
280static int ec_asn1_group2fieldid(const EC_GROUP *, X9_62_FIELDID *); 273static int ec_asn1_group2fieldid(const EC_GROUP *, X9_62_FIELDID *);
281/* ec_asn1_group2curve() sets the values in a X9_62_CURVE object */ 274/* ec_asn1_group2curve() sets the values in a X9_62_CURVE object */
282static int ec_asn1_group2curve(const EC_GROUP *, X9_62_CURVE *); 275static int ec_asn1_group2curve(const EC_GROUP *, X9_62_CURVE *);
283/* ec_asn1_parameters2group() creates a EC_GROUP object from a 276/* ec_asn1_parameters2group() creates a EC_GROUP object from a
284 * ECPARAMETERS object */ 277 * ECPARAMETERS object */
285static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *); 278static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *);
286/* ec_asn1_group2parameters() creates a ECPARAMETERS object from a 279/* ec_asn1_group2parameters() creates a ECPARAMETERS object from a
287 * EC_GROUP object */ 280 * EC_GROUP object */
288static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *,ECPARAMETERS *); 281static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *, ECPARAMETERS *);
289/* ec_asn1_pkparameters2group() creates a EC_GROUP object from a 282/* ec_asn1_pkparameters2group() creates a EC_GROUP object from a
290 * ECPKPARAMETERS object */ 283 * ECPKPARAMETERS object */
291static EC_GROUP *ec_asn1_pkparameters2group(const ECPKPARAMETERS *); 284static EC_GROUP *ec_asn1_pkparameters2group(const ECPKPARAMETERS *);
292/* ec_asn1_group2pkparameters() creates a ECPKPARAMETERS object from a 285/* ec_asn1_group2pkparameters() creates a ECPKPARAMETERS object from a
293 * EC_GROUP object */ 286 * EC_GROUP object */
294static ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *, 287static ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *,
295 ECPKPARAMETERS *); 288 ECPKPARAMETERS *);
296 289
297 290
298/* the function definitions */ 291/* the function definitions */
299 292
300static int ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field) 293static int
301 { 294ec_asn1_group2fieldid(const EC_GROUP * group, X9_62_FIELDID * field)
302 int ok=0, nid; 295{
303 BIGNUM *tmp = NULL; 296 int ok = 0, nid;
304 297 BIGNUM *tmp = NULL;
298
305 if (group == NULL || field == NULL) 299 if (group == NULL || field == NULL)
306 return 0; 300 return 0;
307 301
@@ -313,248 +307,203 @@ static int ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field)
313 307
314 nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group)); 308 nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
315 /* set OID for the field */ 309 /* set OID for the field */
316 if ((field->fieldType = OBJ_nid2obj(nid)) == NULL) 310 if ((field->fieldType = OBJ_nid2obj(nid)) == NULL) {
317 {
318 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_OBJ_LIB); 311 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_OBJ_LIB);
319 goto err; 312 goto err;
320 } 313 }
321 314 if (nid == NID_X9_62_prime_field) {
322 if (nid == NID_X9_62_prime_field) 315 if ((tmp = BN_new()) == NULL) {
323 {
324 if ((tmp = BN_new()) == NULL)
325 {
326 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE); 316 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
327 goto err; 317 goto err;
328 } 318 }
329 /* the parameters are specified by the prime number p */ 319 /* the parameters are specified by the prime number p */
330 if (!EC_GROUP_get_curve_GFp(group, tmp, NULL, NULL, NULL)) 320 if (!EC_GROUP_get_curve_GFp(group, tmp, NULL, NULL, NULL)) {
331 {
332 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_EC_LIB); 321 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_EC_LIB);
333 goto err; 322 goto err;
334 } 323 }
335 /* set the prime number */ 324 /* set the prime number */
336 field->p.prime = BN_to_ASN1_INTEGER(tmp,NULL); 325 field->p.prime = BN_to_ASN1_INTEGER(tmp, NULL);
337 if (field->p.prime == NULL) 326 if (field->p.prime == NULL) {
338 {
339 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_ASN1_LIB); 327 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_ASN1_LIB);
340 goto err; 328 goto err;
341 }
342 } 329 }
343 else /* nid == NID_X9_62_characteristic_two_field */ 330 } else /* nid == NID_X9_62_characteristic_two_field */
344#ifdef OPENSSL_NO_EC2M 331#ifdef OPENSSL_NO_EC2M
345 { 332 {
346 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, EC_R_GF2M_NOT_SUPPORTED); 333 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, EC_R_GF2M_NOT_SUPPORTED);
347 goto err; 334 goto err;
348 } 335 }
349#else 336#else
350 { 337 {
351 int field_type; 338 int field_type;
352 X9_62_CHARACTERISTIC_TWO *char_two; 339 X9_62_CHARACTERISTIC_TWO *char_two;
353 340
354 field->p.char_two = X9_62_CHARACTERISTIC_TWO_new(); 341 field->p.char_two = X9_62_CHARACTERISTIC_TWO_new();
355 char_two = field->p.char_two; 342 char_two = field->p.char_two;
356 343
357 if (char_two == NULL) 344 if (char_two == NULL) {
358 {
359 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE); 345 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
360 goto err; 346 goto err;
361 } 347 }
362 348 char_two->m = (long) EC_GROUP_get_degree(group);
363 char_two->m = (long)EC_GROUP_get_degree(group);
364 349
365 field_type = EC_GROUP_get_basis_type(group); 350 field_type = EC_GROUP_get_basis_type(group);
366 351
367 if (field_type == 0) 352 if (field_type == 0) {
368 {
369 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_EC_LIB); 353 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_EC_LIB);
370 goto err; 354 goto err;
371 } 355 }
372 /* set base type OID */ 356 /* set base type OID */
373 if ((char_two->type = OBJ_nid2obj(field_type)) == NULL) 357 if ((char_two->type = OBJ_nid2obj(field_type)) == NULL) {
374 {
375 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_OBJ_LIB); 358 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_OBJ_LIB);
376 goto err; 359 goto err;
377 } 360 }
378 361 if (field_type == NID_X9_62_tpBasis) {
379 if (field_type == NID_X9_62_tpBasis)
380 {
381 unsigned int k; 362 unsigned int k;
382 363
383 if (!EC_GROUP_get_trinomial_basis(group, &k)) 364 if (!EC_GROUP_get_trinomial_basis(group, &k))
384 goto err; 365 goto err;
385 366
386 char_two->p.tpBasis = ASN1_INTEGER_new(); 367 char_two->p.tpBasis = ASN1_INTEGER_new();
387 if (!char_two->p.tpBasis) 368 if (!char_two->p.tpBasis) {
388 {
389 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE); 369 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
390 goto err; 370 goto err;
391 } 371 }
392 if (!ASN1_INTEGER_set(char_two->p.tpBasis, (long)k)) 372 if (!ASN1_INTEGER_set(char_two->p.tpBasis, (long) k)) {
393 {
394 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, 373 ECerr(EC_F_EC_ASN1_GROUP2FIELDID,
395 ERR_R_ASN1_LIB); 374 ERR_R_ASN1_LIB);
396 goto err; 375 goto err;
397 }
398 } 376 }
399 else if (field_type == NID_X9_62_ppBasis) 377 } else if (field_type == NID_X9_62_ppBasis) {
400 {
401 unsigned int k1, k2, k3; 378 unsigned int k1, k2, k3;
402 379
403 if (!EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3)) 380 if (!EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3))
404 goto err; 381 goto err;
405 382
406 char_two->p.ppBasis = X9_62_PENTANOMIAL_new(); 383 char_two->p.ppBasis = X9_62_PENTANOMIAL_new();
407 if (!char_two->p.ppBasis) 384 if (!char_two->p.ppBasis) {
408 {
409 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE); 385 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
410 goto err; 386 goto err;
411 }
412
413 /* set k? values */
414 char_two->p.ppBasis->k1 = (long)k1;
415 char_two->p.ppBasis->k2 = (long)k2;
416 char_two->p.ppBasis->k3 = (long)k3;
417 } 387 }
418 else /* field_type == NID_X9_62_onBasis */ 388 /* set k? values */
419 { 389 char_two->p.ppBasis->k1 = (long) k1;
390 char_two->p.ppBasis->k2 = (long) k2;
391 char_two->p.ppBasis->k3 = (long) k3;
392 } else { /* field_type == NID_X9_62_onBasis */
420 /* for ONB the parameters are (asn1) NULL */ 393 /* for ONB the parameters are (asn1) NULL */
421 char_two->p.onBasis = ASN1_NULL_new(); 394 char_two->p.onBasis = ASN1_NULL_new();
422 if (!char_two->p.onBasis) 395 if (!char_two->p.onBasis) {
423 {
424 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE); 396 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
425 goto err; 397 goto err;
426 }
427 } 398 }
428 } 399 }
400 }
429#endif 401#endif
430 402
431 ok = 1; 403 ok = 1;
432 404
433err : if (tmp) 405err: if (tmp)
434 BN_free(tmp); 406 BN_free(tmp);
435 return(ok); 407 return (ok);
436} 408}
437 409
438static int ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve) 410static int
439 { 411ec_asn1_group2curve(const EC_GROUP * group, X9_62_CURVE * curve)
440 int ok=0, nid; 412{
441 BIGNUM *tmp_1=NULL, *tmp_2=NULL; 413 int ok = 0, nid;
442 unsigned char *buffer_1=NULL, *buffer_2=NULL, 414 BIGNUM *tmp_1 = NULL, *tmp_2 = NULL;
443 *a_buf=NULL, *b_buf=NULL; 415 unsigned char *buffer_1 = NULL, *buffer_2 = NULL, *a_buf = NULL,
444 size_t len_1, len_2; 416 *b_buf = NULL;
417 size_t len_1, len_2;
445 unsigned char char_zero = 0; 418 unsigned char char_zero = 0;
446 419
447 if (!group || !curve || !curve->a || !curve->b) 420 if (!group || !curve || !curve->a || !curve->b)
448 return 0; 421 return 0;
449 422
450 if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL) 423 if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL) {
451 {
452 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE); 424 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE);
453 goto err; 425 goto err;
454 } 426 }
455
456 nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group)); 427 nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
457 428
458 /* get a and b */ 429 /* get a and b */
459 if (nid == NID_X9_62_prime_field) 430 if (nid == NID_X9_62_prime_field) {
460 { 431 if (!EC_GROUP_get_curve_GFp(group, NULL, tmp_1, tmp_2, NULL)) {
461 if (!EC_GROUP_get_curve_GFp(group, NULL, tmp_1, tmp_2, NULL))
462 {
463 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_EC_LIB); 432 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_EC_LIB);
464 goto err; 433 goto err;
465 }
466 } 434 }
435 }
467#ifndef OPENSSL_NO_EC2M 436#ifndef OPENSSL_NO_EC2M
468 else /* nid == NID_X9_62_characteristic_two_field */ 437 else { /* nid == NID_X9_62_characteristic_two_field */
469 { 438 if (!EC_GROUP_get_curve_GF2m(group, NULL, tmp_1, tmp_2, NULL)) {
470 if (!EC_GROUP_get_curve_GF2m(group, NULL, tmp_1, tmp_2, NULL))
471 {
472 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_EC_LIB); 439 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_EC_LIB);
473 goto err; 440 goto err;
474 }
475 } 441 }
442 }
476#endif 443#endif
477 len_1 = (size_t)BN_num_bytes(tmp_1); 444 len_1 = (size_t) BN_num_bytes(tmp_1);
478 len_2 = (size_t)BN_num_bytes(tmp_2); 445 len_2 = (size_t) BN_num_bytes(tmp_2);
479 446
480 if (len_1 == 0) 447 if (len_1 == 0) {
481 {
482 /* len_1 == 0 => a == 0 */ 448 /* len_1 == 0 => a == 0 */
483 a_buf = &char_zero; 449 a_buf = &char_zero;
484 len_1 = 1; 450 len_1 = 1;
485 } 451 } else {
486 else 452 if ((buffer_1 = malloc(len_1)) == NULL) {
487 {
488 if ((buffer_1 = malloc(len_1)) == NULL)
489 {
490 ECerr(EC_F_EC_ASN1_GROUP2CURVE, 453 ECerr(EC_F_EC_ASN1_GROUP2CURVE,
491 ERR_R_MALLOC_FAILURE); 454 ERR_R_MALLOC_FAILURE);
492 goto err; 455 goto err;
493 } 456 }
494 if ( (len_1 = BN_bn2bin(tmp_1, buffer_1)) == 0) 457 if ((len_1 = BN_bn2bin(tmp_1, buffer_1)) == 0) {
495 {
496 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_BN_LIB); 458 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_BN_LIB);
497 goto err; 459 goto err;
498 }
499 a_buf = buffer_1;
500 } 460 }
461 a_buf = buffer_1;
462 }
501 463
502 if (len_2 == 0) 464 if (len_2 == 0) {
503 {
504 /* len_2 == 0 => b == 0 */ 465 /* len_2 == 0 => b == 0 */
505 b_buf = &char_zero; 466 b_buf = &char_zero;
506 len_2 = 1; 467 len_2 = 1;
507 } 468 } else {
508 else 469 if ((buffer_2 = malloc(len_2)) == NULL) {
509 {
510 if ((buffer_2 = malloc(len_2)) == NULL)
511 {
512 ECerr(EC_F_EC_ASN1_GROUP2CURVE, 470 ECerr(EC_F_EC_ASN1_GROUP2CURVE,
513 ERR_R_MALLOC_FAILURE); 471 ERR_R_MALLOC_FAILURE);
514 goto err; 472 goto err;
515 } 473 }
516 if ( (len_2 = BN_bn2bin(tmp_2, buffer_2)) == 0) 474 if ((len_2 = BN_bn2bin(tmp_2, buffer_2)) == 0) {
517 {
518 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_BN_LIB); 475 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_BN_LIB);
519 goto err; 476 goto err;
520 }
521 b_buf = buffer_2;
522 } 477 }
523 478 b_buf = buffer_2;
479 }
480
524 /* set a and b */ 481 /* set a and b */
525 if (!M_ASN1_OCTET_STRING_set(curve->a, a_buf, len_1) || 482 if (!M_ASN1_OCTET_STRING_set(curve->a, a_buf, len_1) ||
526 !M_ASN1_OCTET_STRING_set(curve->b, b_buf, len_2)) 483 !M_ASN1_OCTET_STRING_set(curve->b, b_buf, len_2)) {
527 {
528 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_ASN1_LIB); 484 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_ASN1_LIB);
529 goto err; 485 goto err;
530 } 486 }
531
532 /* set the seed (optional) */ 487 /* set the seed (optional) */
533 if (group->seed) 488 if (group->seed) {
534 {
535 if (!curve->seed) 489 if (!curve->seed)
536 if ((curve->seed = ASN1_BIT_STRING_new()) == NULL) 490 if ((curve->seed = ASN1_BIT_STRING_new()) == NULL) {
537 {
538 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE); 491 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE);
539 goto err; 492 goto err;
540 } 493 }
541 curve->seed->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); 494 curve->seed->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
542 curve->seed->flags |= ASN1_STRING_FLAG_BITS_LEFT; 495 curve->seed->flags |= ASN1_STRING_FLAG_BITS_LEFT;
543 if (!ASN1_BIT_STRING_set(curve->seed, group->seed, 496 if (!ASN1_BIT_STRING_set(curve->seed, group->seed,
544 (int)group->seed_len)) 497 (int) group->seed_len)) {
545 {
546 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_ASN1_LIB); 498 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_ASN1_LIB);
547 goto err; 499 goto err;
548 }
549 } 500 }
550 else 501 } else {
551 { 502 if (curve->seed) {
552 if (curve->seed)
553 {
554 ASN1_BIT_STRING_free(curve->seed); 503 ASN1_BIT_STRING_free(curve->seed);
555 curve->seed = NULL; 504 curve->seed = NULL;
556 }
557 } 505 }
506 }
558 507
559 ok = 1; 508 ok = 1;
560 509
@@ -566,880 +515,729 @@ err: if (buffer_1)
566 BN_free(tmp_1); 515 BN_free(tmp_1);
567 if (tmp_2) 516 if (tmp_2)
568 BN_free(tmp_2); 517 BN_free(tmp_2);
569 return(ok); 518 return (ok);
570 } 519}
571 520
572static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *group, 521static ECPARAMETERS *
573 ECPARAMETERS *param) 522ec_asn1_group2parameters(const EC_GROUP * group, ECPARAMETERS * param)
574 { 523{
575 int ok=0; 524 int ok = 0;
576 size_t len=0; 525 size_t len = 0;
577 ECPARAMETERS *ret=NULL; 526 ECPARAMETERS *ret = NULL;
578 BIGNUM *tmp=NULL; 527 BIGNUM *tmp = NULL;
579 unsigned char *buffer=NULL; 528 unsigned char *buffer = NULL;
580 const EC_POINT *point=NULL; 529 const EC_POINT *point = NULL;
581 point_conversion_form_t form; 530 point_conversion_form_t form;
582 531
583 if ((tmp = BN_new()) == NULL) 532 if ((tmp = BN_new()) == NULL) {
584 {
585 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE); 533 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE);
586 goto err; 534 goto err;
587 }
588
589 if (param == NULL)
590 {
591 if ((ret = ECPARAMETERS_new()) == NULL)
592 {
593 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS,
594 ERR_R_MALLOC_FAILURE);
595 goto err;
596 }
597 } 535 }
598 else 536 if (param == NULL) {
537 if ((ret = ECPARAMETERS_new()) == NULL) {
538 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS,
539 ERR_R_MALLOC_FAILURE);
540 goto err;
541 }
542 } else
599 ret = param; 543 ret = param;
600 544
601 /* set the version (always one) */ 545 /* set the version (always one) */
602 ret->version = (long)0x1; 546 ret->version = (long) 0x1;
603 547
604 /* set the fieldID */ 548 /* set the fieldID */
605 if (!ec_asn1_group2fieldid(group, ret->fieldID)) 549 if (!ec_asn1_group2fieldid(group, ret->fieldID)) {
606 {
607 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB); 550 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
608 goto err; 551 goto err;
609 } 552 }
610
611 /* set the curve */ 553 /* set the curve */
612 if (!ec_asn1_group2curve(group, ret->curve)) 554 if (!ec_asn1_group2curve(group, ret->curve)) {
613 {
614 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB); 555 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
615 goto err; 556 goto err;
616 } 557 }
617
618 /* set the base point */ 558 /* set the base point */
619 if ((point = EC_GROUP_get0_generator(group)) == NULL) 559 if ((point = EC_GROUP_get0_generator(group)) == NULL) {
620 {
621 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, EC_R_UNDEFINED_GENERATOR); 560 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, EC_R_UNDEFINED_GENERATOR);
622 goto err; 561 goto err;
623 } 562 }
624
625 form = EC_GROUP_get_point_conversion_form(group); 563 form = EC_GROUP_get_point_conversion_form(group);
626 564
627 len = EC_POINT_point2oct(group, point, form, NULL, len, NULL); 565 len = EC_POINT_point2oct(group, point, form, NULL, len, NULL);
628 if (len == 0) 566 if (len == 0) {
629 {
630 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB); 567 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
631 goto err; 568 goto err;
632 } 569 }
633 if ((buffer = malloc(len)) == NULL) 570 if ((buffer = malloc(len)) == NULL) {
634 {
635 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE); 571 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE);
636 goto err; 572 goto err;
637 } 573 }
638 if (!EC_POINT_point2oct(group, point, form, buffer, len, NULL)) 574 if (!EC_POINT_point2oct(group, point, form, buffer, len, NULL)) {
639 {
640 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB); 575 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
641 goto err; 576 goto err;
642 } 577 }
643 if (ret->base == NULL && (ret->base = ASN1_OCTET_STRING_new()) == NULL) 578 if (ret->base == NULL && (ret->base = ASN1_OCTET_STRING_new()) == NULL) {
644 {
645 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE); 579 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE);
646 goto err; 580 goto err;
647 } 581 }
648 if (!ASN1_OCTET_STRING_set(ret->base, buffer, len)) 582 if (!ASN1_OCTET_STRING_set(ret->base, buffer, len)) {
649 {
650 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB); 583 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB);
651 goto err; 584 goto err;
652 } 585 }
653
654 /* set the order */ 586 /* set the order */
655 if (!EC_GROUP_get_order(group, tmp, NULL)) 587 if (!EC_GROUP_get_order(group, tmp, NULL)) {
656 {
657 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB); 588 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
658 goto err; 589 goto err;
659 } 590 }
660 ret->order = BN_to_ASN1_INTEGER(tmp, ret->order); 591 ret->order = BN_to_ASN1_INTEGER(tmp, ret->order);
661 if (ret->order == NULL) 592 if (ret->order == NULL) {
662 {
663 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB); 593 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB);
664 goto err; 594 goto err;
665 } 595 }
666
667 /* set the cofactor (optional) */ 596 /* set the cofactor (optional) */
668 if (EC_GROUP_get_cofactor(group, tmp, NULL)) 597 if (EC_GROUP_get_cofactor(group, tmp, NULL)) {
669 {
670 ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor); 598 ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor);
671 if (ret->cofactor == NULL) 599 if (ret->cofactor == NULL) {
672 {
673 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB); 600 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB);
674 goto err; 601 goto err;
675 }
676 } 602 }
677 603 }
678 ok = 1; 604 ok = 1;
679 605
680err : if(!ok) 606err: if (!ok) {
681 {
682 if (ret && !param) 607 if (ret && !param)
683 ECPARAMETERS_free(ret); 608 ECPARAMETERS_free(ret);
684 ret = NULL; 609 ret = NULL;
685 } 610 }
686 if (tmp) 611 if (tmp)
687 BN_free(tmp); 612 BN_free(tmp);
688 if (buffer) 613 if (buffer)
689 free(buffer); 614 free(buffer);
690 return(ret); 615 return (ret);
691 } 616}
692 617
693ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *group, 618ECPKPARAMETERS *
694 ECPKPARAMETERS *params) 619ec_asn1_group2pkparameters(const EC_GROUP * group, ECPKPARAMETERS * params)
695 { 620{
696 int ok = 1, tmp; 621 int ok = 1, tmp;
697 ECPKPARAMETERS *ret = params; 622 ECPKPARAMETERS *ret = params;
698 623
699 if (ret == NULL) 624 if (ret == NULL) {
700 { 625 if ((ret = ECPKPARAMETERS_new()) == NULL) {
701 if ((ret = ECPKPARAMETERS_new()) == NULL) 626 ECerr(EC_F_EC_ASN1_GROUP2PKPARAMETERS,
702 { 627 ERR_R_MALLOC_FAILURE);
703 ECerr(EC_F_EC_ASN1_GROUP2PKPARAMETERS,
704 ERR_R_MALLOC_FAILURE);
705 return NULL; 628 return NULL;
706 }
707 } 629 }
708 else 630 } else {
709 {
710 if (ret->type == 0 && ret->value.named_curve) 631 if (ret->type == 0 && ret->value.named_curve)
711 ASN1_OBJECT_free(ret->value.named_curve); 632 ASN1_OBJECT_free(ret->value.named_curve);
712 else if (ret->type == 1 && ret->value.parameters) 633 else if (ret->type == 1 && ret->value.parameters)
713 ECPARAMETERS_free(ret->value.parameters); 634 ECPARAMETERS_free(ret->value.parameters);
714 } 635 }
715 636
716 if (EC_GROUP_get_asn1_flag(group)) 637 if (EC_GROUP_get_asn1_flag(group)) {
717 { 638 /*
718 /* use the asn1 OID to describe the 639 * use the asn1 OID to describe the the elliptic curve
719 * the elliptic curve parameters 640 * parameters
720 */ 641 */
721 tmp = EC_GROUP_get_curve_name(group); 642 tmp = EC_GROUP_get_curve_name(group);
722 if (tmp) 643 if (tmp) {
723 {
724 ret->type = 0; 644 ret->type = 0;
725 if ((ret->value.named_curve = OBJ_nid2obj(tmp)) == NULL) 645 if ((ret->value.named_curve = OBJ_nid2obj(tmp)) == NULL)
726 ok = 0; 646 ok = 0;
727 } 647 } else
728 else
729 /* we don't kmow the nid => ERROR */ 648 /* we don't kmow the nid => ERROR */
730 ok = 0; 649 ok = 0;
731 } 650 } else {
732 else
733 {
734 /* use the ECPARAMETERS structure */ 651 /* use the ECPARAMETERS structure */
735 ret->type = 1; 652 ret->type = 1;
736 if ((ret->value.parameters = ec_asn1_group2parameters( 653 if ((ret->value.parameters = ec_asn1_group2parameters(
737 group, NULL)) == NULL) 654 group, NULL)) == NULL)
738 ok = 0; 655 ok = 0;
739 } 656 }
740 657
741 if (!ok) 658 if (!ok) {
742 {
743 ECPKPARAMETERS_free(ret); 659 ECPKPARAMETERS_free(ret);
744 return NULL; 660 return NULL;
745 }
746 return ret;
747 } 661 }
662 return ret;
663}
748 664
749static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params) 665static EC_GROUP *
750 { 666ec_asn1_parameters2group(const ECPARAMETERS * params)
751 int ok = 0, tmp; 667{
752 EC_GROUP *ret = NULL; 668 int ok = 0, tmp;
753 BIGNUM *p = NULL, *a = NULL, *b = NULL; 669 EC_GROUP *ret = NULL;
754 EC_POINT *point=NULL; 670 BIGNUM *p = NULL, *a = NULL, *b = NULL;
755 long field_bits; 671 EC_POINT *point = NULL;
756 672 long field_bits;
757 if (!params->fieldID || !params->fieldID->fieldType || 673
758 !params->fieldID->p.ptr) 674 if (!params->fieldID || !params->fieldID->fieldType ||
759 { 675 !params->fieldID->p.ptr) {
760 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR); 676 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
761 goto err; 677 goto err;
762 } 678 }
763
764 /* now extract the curve parameters a and b */ 679 /* now extract the curve parameters a and b */
765 if (!params->curve || !params->curve->a || 680 if (!params->curve || !params->curve->a ||
766 !params->curve->a->data || !params->curve->b || 681 !params->curve->a->data || !params->curve->b ||
767 !params->curve->b->data) 682 !params->curve->b->data) {
768 {
769 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR); 683 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
770 goto err; 684 goto err;
771 } 685 }
772 a = BN_bin2bn(params->curve->a->data, params->curve->a->length, NULL); 686 a = BN_bin2bn(params->curve->a->data, params->curve->a->length, NULL);
773 if (a == NULL) 687 if (a == NULL) {
774 {
775 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_BN_LIB); 688 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_BN_LIB);
776 goto err; 689 goto err;
777 } 690 }
778 b = BN_bin2bn(params->curve->b->data, params->curve->b->length, NULL); 691 b = BN_bin2bn(params->curve->b->data, params->curve->b->length, NULL);
779 if (b == NULL) 692 if (b == NULL) {
780 {
781 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_BN_LIB); 693 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_BN_LIB);
782 goto err; 694 goto err;
783 } 695 }
784
785 /* get the field parameters */ 696 /* get the field parameters */
786 tmp = OBJ_obj2nid(params->fieldID->fieldType); 697 tmp = OBJ_obj2nid(params->fieldID->fieldType);
787 if (tmp == NID_X9_62_characteristic_two_field) 698 if (tmp == NID_X9_62_characteristic_two_field)
788#ifdef OPENSSL_NO_EC2M 699#ifdef OPENSSL_NO_EC2M
789 { 700 {
790 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_GF2M_NOT_SUPPORTED); 701 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_GF2M_NOT_SUPPORTED);
791 goto err; 702 goto err;
792 } 703 }
793#else 704#else
794 { 705 {
795 X9_62_CHARACTERISTIC_TWO *char_two; 706 X9_62_CHARACTERISTIC_TWO *char_two;
796 707
797 char_two = params->fieldID->p.char_two; 708 char_two = params->fieldID->p.char_two;
798 709
799 field_bits = char_two->m; 710 field_bits = char_two->m;
800 if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) 711 if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) {
801 {
802 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_FIELD_TOO_LARGE); 712 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_FIELD_TOO_LARGE);
803 goto err; 713 goto err;
804 } 714 }
805 715 if ((p = BN_new()) == NULL) {
806 if ((p = BN_new()) == NULL)
807 {
808 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_MALLOC_FAILURE); 716 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_MALLOC_FAILURE);
809 goto err; 717 goto err;
810 } 718 }
811
812 /* get the base type */ 719 /* get the base type */
813 tmp = OBJ_obj2nid(char_two->type); 720 tmp = OBJ_obj2nid(char_two->type);
814 721
815 if (tmp == NID_X9_62_tpBasis) 722 if (tmp == NID_X9_62_tpBasis) {
816 {
817 long tmp_long; 723 long tmp_long;
818 724
819 if (!char_two->p.tpBasis) 725 if (!char_two->p.tpBasis) {
820 {
821 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR); 726 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
822 goto err; 727 goto err;
823 } 728 }
824
825 tmp_long = ASN1_INTEGER_get(char_two->p.tpBasis); 729 tmp_long = ASN1_INTEGER_get(char_two->p.tpBasis);
826 730
827 if (!(char_two->m > tmp_long && tmp_long > 0)) 731 if (!(char_two->m > tmp_long && tmp_long > 0)) {
828 {
829 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_TRINOMIAL_BASIS); 732 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_TRINOMIAL_BASIS);
830 goto err; 733 goto err;
831 } 734 }
832
833 /* create the polynomial */ 735 /* create the polynomial */
834 if (!BN_set_bit(p, (int)char_two->m)) 736 if (!BN_set_bit(p, (int) char_two->m))
835 goto err; 737 goto err;
836 if (!BN_set_bit(p, (int)tmp_long)) 738 if (!BN_set_bit(p, (int) tmp_long))
837 goto err; 739 goto err;
838 if (!BN_set_bit(p, 0)) 740 if (!BN_set_bit(p, 0))
839 goto err; 741 goto err;
840 } 742 } else if (tmp == NID_X9_62_ppBasis) {
841 else if (tmp == NID_X9_62_ppBasis)
842 {
843 X9_62_PENTANOMIAL *penta; 743 X9_62_PENTANOMIAL *penta;
844 744
845 penta = char_two->p.ppBasis; 745 penta = char_two->p.ppBasis;
846 if (!penta) 746 if (!penta) {
847 {
848 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR); 747 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
849 goto err; 748 goto err;
850 } 749 }
851 750 if (!(char_two->m > penta->k3 && penta->k3 > penta->k2 && penta->k2 > penta->k1 && penta->k1 > 0)) {
852 if (!(char_two->m > penta->k3 && penta->k3 > penta->k2 && penta->k2 > penta->k1 && penta->k1 > 0))
853 {
854 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_PENTANOMIAL_BASIS); 751 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_PENTANOMIAL_BASIS);
855 goto err; 752 goto err;
856 }
857
858 /* create the polynomial */
859 if (!BN_set_bit(p, (int)char_two->m)) goto err;
860 if (!BN_set_bit(p, (int)penta->k1)) goto err;
861 if (!BN_set_bit(p, (int)penta->k2)) goto err;
862 if (!BN_set_bit(p, (int)penta->k3)) goto err;
863 if (!BN_set_bit(p, 0)) goto err;
864 } 753 }
865 else if (tmp == NID_X9_62_onBasis) 754 /* create the polynomial */
866 { 755 if (!BN_set_bit(p, (int) char_two->m))
756 goto err;
757 if (!BN_set_bit(p, (int) penta->k1))
758 goto err;
759 if (!BN_set_bit(p, (int) penta->k2))
760 goto err;
761 if (!BN_set_bit(p, (int) penta->k3))
762 goto err;
763 if (!BN_set_bit(p, 0))
764 goto err;
765 } else if (tmp == NID_X9_62_onBasis) {
867 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_NOT_IMPLEMENTED); 766 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_NOT_IMPLEMENTED);
868 goto err; 767 goto err;
869 } 768 } else { /* error */
870 else /* error */
871 {
872 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR); 769 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
873 goto err; 770 goto err;
874 } 771 }
875 772
876 /* create the EC_GROUP structure */ 773 /* create the EC_GROUP structure */
877 ret = EC_GROUP_new_curve_GF2m(p, a, b, NULL); 774 ret = EC_GROUP_new_curve_GF2m(p, a, b, NULL);
878 } 775 }
879#endif 776#endif
880 else if (tmp == NID_X9_62_prime_field) 777 else if (tmp == NID_X9_62_prime_field) {
881 {
882 /* we have a curve over a prime field */ 778 /* we have a curve over a prime field */
883 /* extract the prime number */ 779 /* extract the prime number */
884 if (!params->fieldID->p.prime) 780 if (!params->fieldID->p.prime) {
885 {
886 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR); 781 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
887 goto err; 782 goto err;
888 } 783 }
889 p = ASN1_INTEGER_to_BN(params->fieldID->p.prime, NULL); 784 p = ASN1_INTEGER_to_BN(params->fieldID->p.prime, NULL);
890 if (p == NULL) 785 if (p == NULL) {
891 {
892 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB); 786 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB);
893 goto err; 787 goto err;
894 } 788 }
895 789 if (BN_is_negative(p) || BN_is_zero(p)) {
896 if (BN_is_negative(p) || BN_is_zero(p))
897 {
898 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_FIELD); 790 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_FIELD);
899 goto err; 791 goto err;
900 } 792 }
901
902 field_bits = BN_num_bits(p); 793 field_bits = BN_num_bits(p);
903 if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) 794 if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) {
904 {
905 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_FIELD_TOO_LARGE); 795 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_FIELD_TOO_LARGE);
906 goto err; 796 goto err;
907 } 797 }
908
909 /* create the EC_GROUP structure */ 798 /* create the EC_GROUP structure */
910 ret = EC_GROUP_new_curve_GFp(p, a, b, NULL); 799 ret = EC_GROUP_new_curve_GFp(p, a, b, NULL);
911 } 800 } else {
912 else
913 {
914 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_FIELD); 801 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_FIELD);
915 goto err; 802 goto err;
916 } 803 }
917 804
918 if (ret == NULL) 805 if (ret == NULL) {
919 {
920 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB); 806 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB);
921 goto err; 807 goto err;
922 } 808 }
923
924 /* extract seed (optional) */ 809 /* extract seed (optional) */
925 if (params->curve->seed != NULL) 810 if (params->curve->seed != NULL) {
926 {
927 if (ret->seed != NULL) 811 if (ret->seed != NULL)
928 free(ret->seed); 812 free(ret->seed);
929 if (!(ret->seed = malloc(params->curve->seed->length))) 813 if (!(ret->seed = malloc(params->curve->seed->length))) {
930 { 814 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP,
931 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, 815 ERR_R_MALLOC_FAILURE);
932 ERR_R_MALLOC_FAILURE);
933 goto err; 816 goto err;
934 }
935 memcpy(ret->seed, params->curve->seed->data,
936 params->curve->seed->length);
937 ret->seed_len = params->curve->seed->length;
938 } 817 }
939 818 memcpy(ret->seed, params->curve->seed->data,
940 if (!params->order || !params->base || !params->base->data) 819 params->curve->seed->length);
941 { 820 ret->seed_len = params->curve->seed->length;
821 }
822 if (!params->order || !params->base || !params->base->data) {
942 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR); 823 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
943 goto err; 824 goto err;
944 } 825 }
945 826 if ((point = EC_POINT_new(ret)) == NULL)
946 if ((point = EC_POINT_new(ret)) == NULL) goto err; 827 goto err;
947 828
948 /* set the point conversion form */ 829 /* set the point conversion form */
949 EC_GROUP_set_point_conversion_form(ret, (point_conversion_form_t) 830 EC_GROUP_set_point_conversion_form(ret, (point_conversion_form_t)
950 (params->base->data[0] & ~0x01)); 831 (params->base->data[0] & ~0x01));
951 832
952 /* extract the ec point */ 833 /* extract the ec point */
953 if (!EC_POINT_oct2point(ret, point, params->base->data, 834 if (!EC_POINT_oct2point(ret, point, params->base->data,
954 params->base->length, NULL)) 835 params->base->length, NULL)) {
955 {
956 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB); 836 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB);
957 goto err; 837 goto err;
958 } 838 }
959
960 /* extract the order */ 839 /* extract the order */
961 if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL) 840 if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL) {
962 {
963 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB); 841 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB);
964 goto err; 842 goto err;
965 } 843 }
966 if (BN_is_negative(a) || BN_is_zero(a)) 844 if (BN_is_negative(a) || BN_is_zero(a)) {
967 {
968 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_GROUP_ORDER); 845 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_GROUP_ORDER);
969 goto err; 846 goto err;
970 } 847 }
971 if (BN_num_bits(a) > (int)field_bits + 1) /* Hasse bound */ 848 if (BN_num_bits(a) > (int) field_bits + 1) { /* Hasse bound */
972 {
973 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_GROUP_ORDER); 849 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_GROUP_ORDER);
974 goto err; 850 goto err;
975 } 851 }
976
977 /* extract the cofactor (optional) */ 852 /* extract the cofactor (optional) */
978 if (params->cofactor == NULL) 853 if (params->cofactor == NULL) {
979 { 854 if (b) {
980 if (b)
981 {
982 BN_free(b); 855 BN_free(b);
983 b = NULL; 856 b = NULL;
984 }
985 } 857 }
986 else 858 } else if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL) {
987 if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL) 859 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB);
988 { 860 goto err;
989 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB); 861 }
990 goto err;
991 }
992 /* set the generator, order and cofactor (if present) */ 862 /* set the generator, order and cofactor (if present) */
993 if (!EC_GROUP_set_generator(ret, point, a, b)) 863 if (!EC_GROUP_set_generator(ret, point, a, b)) {
994 {
995 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB); 864 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB);
996 goto err; 865 goto err;
997 } 866 }
998
999 ok = 1; 867 ok = 1;
1000 868
1001err: if (!ok) 869err: if (!ok) {
1002 { 870 if (ret)
1003 if (ret)
1004 EC_GROUP_clear_free(ret); 871 EC_GROUP_clear_free(ret);
1005 ret = NULL; 872 ret = NULL;
1006 } 873 }
1007 874 if (p)
1008 if (p)
1009 BN_free(p); 875 BN_free(p);
1010 if (a) 876 if (a)
1011 BN_free(a); 877 BN_free(a);
1012 if (b) 878 if (b)
1013 BN_free(b); 879 BN_free(b);
1014 if (point) 880 if (point)
1015 EC_POINT_free(point); 881 EC_POINT_free(point);
1016 return(ret); 882 return (ret);
1017} 883}
1018 884
1019EC_GROUP *ec_asn1_pkparameters2group(const ECPKPARAMETERS *params) 885EC_GROUP *
1020 { 886ec_asn1_pkparameters2group(const ECPKPARAMETERS * params)
1021 EC_GROUP *ret=NULL; 887{
1022 int tmp=0; 888 EC_GROUP *ret = NULL;
889 int tmp = 0;
1023 890
1024 if (params == NULL) 891 if (params == NULL) {
1025 { 892 ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP,
1026 ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP, 893 EC_R_MISSING_PARAMETERS);
1027 EC_R_MISSING_PARAMETERS);
1028 return NULL; 894 return NULL;
1029 } 895 }
1030 896 if (params->type == 0) {/* the curve is given by an OID */
1031 if (params->type == 0)
1032 { /* the curve is given by an OID */
1033 tmp = OBJ_obj2nid(params->value.named_curve); 897 tmp = OBJ_obj2nid(params->value.named_curve);
1034 if ((ret = EC_GROUP_new_by_curve_name(tmp)) == NULL) 898 if ((ret = EC_GROUP_new_by_curve_name(tmp)) == NULL) {
1035 { 899 ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP,
1036 ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP, 900 EC_R_EC_GROUP_NEW_BY_NAME_FAILURE);
1037 EC_R_EC_GROUP_NEW_BY_NAME_FAILURE);
1038 return NULL; 901 return NULL;
1039 }
1040 EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_NAMED_CURVE);
1041 } 902 }
1042 else if (params->type == 1) 903 EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_NAMED_CURVE);
1043 { /* the parameters are given by a ECPARAMETERS 904 } else if (params->type == 1) { /* the parameters are given by a
1044 * structure */ 905 * ECPARAMETERS structure */
1045 ret = ec_asn1_parameters2group(params->value.parameters); 906 ret = ec_asn1_parameters2group(params->value.parameters);
1046 if (!ret) 907 if (!ret) {
1047 {
1048 ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP, ERR_R_EC_LIB); 908 ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP, ERR_R_EC_LIB);
1049 return NULL; 909 return NULL;
1050 }
1051 EC_GROUP_set_asn1_flag(ret, 0x0);
1052 } 910 }
1053 else if (params->type == 2) 911 EC_GROUP_set_asn1_flag(ret, 0x0);
1054 { /* implicitlyCA */ 912 } else if (params->type == 2) { /* implicitlyCA */
1055 return NULL; 913 return NULL;
1056 } 914 } else {
1057 else
1058 {
1059 ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP, EC_R_ASN1_ERROR); 915 ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP, EC_R_ASN1_ERROR);
1060 return NULL; 916 return NULL;
1061 } 917 }
1062 918
1063 return ret; 919 return ret;
1064 } 920}
1065 921
1066/* EC_GROUP <-> DER encoding of ECPKPARAMETERS */ 922/* EC_GROUP <-> DER encoding of ECPKPARAMETERS */
1067 923
1068EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len) 924EC_GROUP *
1069 { 925d2i_ECPKParameters(EC_GROUP ** a, const unsigned char **in, long len)
1070 EC_GROUP *group = NULL; 926{
1071 ECPKPARAMETERS *params = NULL; 927 EC_GROUP *group = NULL;
928 ECPKPARAMETERS *params = NULL;
1072 929
1073 if ((params = d2i_ECPKPARAMETERS(NULL, in, len)) == NULL) 930 if ((params = d2i_ECPKPARAMETERS(NULL, in, len)) == NULL) {
1074 {
1075 ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_D2I_ECPKPARAMETERS_FAILURE); 931 ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_D2I_ECPKPARAMETERS_FAILURE);
1076 ECPKPARAMETERS_free(params); 932 ECPKPARAMETERS_free(params);
1077 return NULL; 933 return NULL;
1078 } 934 }
1079 935 if ((group = ec_asn1_pkparameters2group(params)) == NULL) {
1080 if ((group = ec_asn1_pkparameters2group(params)) == NULL)
1081 {
1082 ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_PKPARAMETERS2GROUP_FAILURE); 936 ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_PKPARAMETERS2GROUP_FAILURE);
1083 ECPKPARAMETERS_free(params); 937 ECPKPARAMETERS_free(params);
1084 return NULL; 938 return NULL;
1085 } 939 }
1086
1087
1088 if (a && *a) 940 if (a && *a)
1089 EC_GROUP_clear_free(*a); 941 EC_GROUP_clear_free(*a);
1090 if (a) 942 if (a)
1091 *a = group; 943 *a = group;
1092 944
1093 ECPKPARAMETERS_free(params); 945 ECPKPARAMETERS_free(params);
1094 return(group); 946 return (group);
1095 } 947}
1096 948
1097int i2d_ECPKParameters(const EC_GROUP *a, unsigned char **out) 949int
1098 { 950i2d_ECPKParameters(const EC_GROUP * a, unsigned char **out)
1099 int ret=0; 951{
1100 ECPKPARAMETERS *tmp = ec_asn1_group2pkparameters(a, NULL); 952 int ret = 0;
1101 if (tmp == NULL) 953 ECPKPARAMETERS *tmp = ec_asn1_group2pkparameters(a, NULL);
1102 { 954 if (tmp == NULL) {
1103 ECerr(EC_F_I2D_ECPKPARAMETERS, EC_R_GROUP2PKPARAMETERS_FAILURE); 955 ECerr(EC_F_I2D_ECPKPARAMETERS, EC_R_GROUP2PKPARAMETERS_FAILURE);
1104 return 0; 956 return 0;
1105 } 957 }
1106 if ((ret = i2d_ECPKPARAMETERS(tmp, out)) == 0) 958 if ((ret = i2d_ECPKPARAMETERS(tmp, out)) == 0) {
1107 {
1108 ECerr(EC_F_I2D_ECPKPARAMETERS, EC_R_I2D_ECPKPARAMETERS_FAILURE); 959 ECerr(EC_F_I2D_ECPKPARAMETERS, EC_R_I2D_ECPKPARAMETERS_FAILURE);
1109 ECPKPARAMETERS_free(tmp); 960 ECPKPARAMETERS_free(tmp);
1110 return 0; 961 return 0;
1111 }
1112 ECPKPARAMETERS_free(tmp);
1113 return(ret);
1114 } 962 }
963 ECPKPARAMETERS_free(tmp);
964 return (ret);
965}
1115 966
1116/* some EC_KEY functions */ 967/* some EC_KEY functions */
1117 968
1118EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) 969EC_KEY *
1119 { 970d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len)
1120 int ok=0; 971{
1121 EC_KEY *ret=NULL; 972 int ok = 0;
1122 EC_PRIVATEKEY *priv_key=NULL; 973 EC_KEY *ret = NULL;
974 EC_PRIVATEKEY *priv_key = NULL;
1123 975
1124 if ((priv_key = EC_PRIVATEKEY_new()) == NULL) 976 if ((priv_key = EC_PRIVATEKEY_new()) == NULL) {
1125 {
1126 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE); 977 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
1127 return NULL; 978 return NULL;
1128 } 979 }
1129 980 if ((priv_key = d2i_EC_PRIVATEKEY(&priv_key, in, len)) == NULL) {
1130 if ((priv_key = d2i_EC_PRIVATEKEY(&priv_key, in, len)) == NULL)
1131 {
1132 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB); 981 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
1133 EC_PRIVATEKEY_free(priv_key); 982 EC_PRIVATEKEY_free(priv_key);
1134 return NULL; 983 return NULL;
1135 } 984 }
1136 985 if (a == NULL || *a == NULL) {
1137 if (a == NULL || *a == NULL) 986 if ((ret = EC_KEY_new()) == NULL) {
1138 {
1139 if ((ret = EC_KEY_new()) == NULL)
1140 {
1141 ECerr(EC_F_D2I_ECPRIVATEKEY, 987 ECerr(EC_F_D2I_ECPRIVATEKEY,
1142 ERR_R_MALLOC_FAILURE); 988 ERR_R_MALLOC_FAILURE);
1143 goto err; 989 goto err;
1144 } 990 }
1145 if (a) 991 if (a)
1146 *a = ret; 992 *a = ret;
1147 } 993 } else
1148 else
1149 ret = *a; 994 ret = *a;
1150 995
1151 if (priv_key->parameters) 996 if (priv_key->parameters) {
1152 {
1153 if (ret->group) 997 if (ret->group)
1154 EC_GROUP_clear_free(ret->group); 998 EC_GROUP_clear_free(ret->group);
1155 ret->group = ec_asn1_pkparameters2group(priv_key->parameters); 999 ret->group = ec_asn1_pkparameters2group(priv_key->parameters);
1156 } 1000 }
1157 1001 if (ret->group == NULL) {
1158 if (ret->group == NULL)
1159 {
1160 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB); 1002 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
1161 goto err; 1003 goto err;
1162 } 1004 }
1163
1164 ret->version = priv_key->version; 1005 ret->version = priv_key->version;
1165 1006
1166 if (priv_key->privateKey) 1007 if (priv_key->privateKey) {
1167 {
1168 ret->priv_key = BN_bin2bn( 1008 ret->priv_key = BN_bin2bn(
1169 M_ASN1_STRING_data(priv_key->privateKey), 1009 M_ASN1_STRING_data(priv_key->privateKey),
1170 M_ASN1_STRING_length(priv_key->privateKey), 1010 M_ASN1_STRING_length(priv_key->privateKey),
1171 ret->priv_key); 1011 ret->priv_key);
1172 if (ret->priv_key == NULL) 1012 if (ret->priv_key == NULL) {
1173 {
1174 ECerr(EC_F_D2I_ECPRIVATEKEY, 1013 ECerr(EC_F_D2I_ECPRIVATEKEY,
1175 ERR_R_BN_LIB); 1014 ERR_R_BN_LIB);
1176 goto err; 1015 goto err;
1177 }
1178 } 1016 }
1179 else 1017 } else {
1180 { 1018 ECerr(EC_F_D2I_ECPRIVATEKEY,
1181 ECerr(EC_F_D2I_ECPRIVATEKEY, 1019 EC_R_MISSING_PRIVATE_KEY);
1182 EC_R_MISSING_PRIVATE_KEY);
1183 goto err; 1020 goto err;
1184 } 1021 }
1185 1022
1186 if (priv_key->publicKey) 1023 if (priv_key->publicKey) {
1187 {
1188 const unsigned char *pub_oct; 1024 const unsigned char *pub_oct;
1189 size_t pub_oct_len; 1025 size_t pub_oct_len;
1190 1026
1191 if (ret->pub_key) 1027 if (ret->pub_key)
1192 EC_POINT_clear_free(ret->pub_key); 1028 EC_POINT_clear_free(ret->pub_key);
1193 ret->pub_key = EC_POINT_new(ret->group); 1029 ret->pub_key = EC_POINT_new(ret->group);
1194 if (ret->pub_key == NULL) 1030 if (ret->pub_key == NULL) {
1195 {
1196 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB); 1031 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
1197 goto err; 1032 goto err;
1198 } 1033 }
1199 pub_oct = M_ASN1_STRING_data(priv_key->publicKey); 1034 pub_oct = M_ASN1_STRING_data(priv_key->publicKey);
1200 pub_oct_len = M_ASN1_STRING_length(priv_key->publicKey); 1035 pub_oct_len = M_ASN1_STRING_length(priv_key->publicKey);
1201 /* save the point conversion form */ 1036 /* save the point conversion form */
1202 ret->conv_form = (point_conversion_form_t)(pub_oct[0] & ~0x01); 1037 ret->conv_form = (point_conversion_form_t) (pub_oct[0] & ~0x01);
1203 if (!EC_POINT_oct2point(ret->group, ret->pub_key, 1038 if (!EC_POINT_oct2point(ret->group, ret->pub_key,
1204 pub_oct, pub_oct_len, NULL)) 1039 pub_oct, pub_oct_len, NULL)) {
1205 {
1206 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB); 1040 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
1207 goto err; 1041 goto err;
1208 }
1209 } 1042 }
1210 1043 }
1211 ok = 1; 1044 ok = 1;
1212err: 1045err:
1213 if (!ok) 1046 if (!ok) {
1214 {
1215 if (ret) 1047 if (ret)
1216 EC_KEY_free(ret); 1048 EC_KEY_free(ret);
1217 ret = NULL; 1049 ret = NULL;
1218 } 1050 }
1219
1220 if (priv_key) 1051 if (priv_key)
1221 EC_PRIVATEKEY_free(priv_key); 1052 EC_PRIVATEKEY_free(priv_key);
1222 1053
1223 return(ret); 1054 return (ret);
1224 } 1055}
1225 1056
1226int i2d_ECPrivateKey(EC_KEY *a, unsigned char **out) 1057int
1227 { 1058i2d_ECPrivateKey(EC_KEY * a, unsigned char **out)
1228 int ret=0, ok=0; 1059{
1229 unsigned char *buffer=NULL; 1060 int ret = 0, ok = 0;
1230 size_t buf_len=0, tmp_len; 1061 unsigned char *buffer = NULL;
1231 EC_PRIVATEKEY *priv_key=NULL; 1062 size_t buf_len = 0, tmp_len;
1063 EC_PRIVATEKEY *priv_key = NULL;
1232 1064
1233 if (a == NULL || a->group == NULL || a->priv_key == NULL) 1065 if (a == NULL || a->group == NULL || a->priv_key == NULL) {
1234 {
1235 ECerr(EC_F_I2D_ECPRIVATEKEY, 1066 ECerr(EC_F_I2D_ECPRIVATEKEY,
1236 ERR_R_PASSED_NULL_PARAMETER); 1067 ERR_R_PASSED_NULL_PARAMETER);
1237 goto err; 1068 goto err;
1238 } 1069 }
1239 1070 if ((priv_key = EC_PRIVATEKEY_new()) == NULL) {
1240 if ((priv_key = EC_PRIVATEKEY_new()) == NULL)
1241 {
1242 ECerr(EC_F_I2D_ECPRIVATEKEY, 1071 ECerr(EC_F_I2D_ECPRIVATEKEY,
1243 ERR_R_MALLOC_FAILURE); 1072 ERR_R_MALLOC_FAILURE);
1244 goto err; 1073 goto err;
1245 } 1074 }
1246
1247 priv_key->version = a->version; 1075 priv_key->version = a->version;
1248 1076
1249 buf_len = (size_t)BN_num_bytes(a->priv_key); 1077 buf_len = (size_t) BN_num_bytes(a->priv_key);
1250 buffer = malloc(buf_len); 1078 buffer = malloc(buf_len);
1251 if (buffer == NULL) 1079 if (buffer == NULL) {
1252 {
1253 ECerr(EC_F_I2D_ECPRIVATEKEY, 1080 ECerr(EC_F_I2D_ECPRIVATEKEY,
1254 ERR_R_MALLOC_FAILURE); 1081 ERR_R_MALLOC_FAILURE);
1255 goto err; 1082 goto err;
1256 } 1083 }
1257 1084 if (!BN_bn2bin(a->priv_key, buffer)) {
1258 if (!BN_bn2bin(a->priv_key, buffer))
1259 {
1260 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_BN_LIB); 1085 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_BN_LIB);
1261 goto err; 1086 goto err;
1262 } 1087 }
1263 1088 if (!M_ASN1_OCTET_STRING_set(priv_key->privateKey, buffer, buf_len)) {
1264 if (!M_ASN1_OCTET_STRING_set(priv_key->privateKey, buffer, buf_len))
1265 {
1266 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_ASN1_LIB); 1089 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_ASN1_LIB);
1267 goto err; 1090 goto err;
1268 } 1091 }
1269 1092 if (!(a->enc_flag & EC_PKEY_NO_PARAMETERS)) {
1270 if (!(a->enc_flag & EC_PKEY_NO_PARAMETERS))
1271 {
1272 if ((priv_key->parameters = ec_asn1_group2pkparameters( 1093 if ((priv_key->parameters = ec_asn1_group2pkparameters(
1273 a->group, priv_key->parameters)) == NULL) 1094 a->group, priv_key->parameters)) == NULL) {
1274 {
1275 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB); 1095 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
1276 goto err; 1096 goto err;
1277 }
1278 } 1097 }
1279 1098 }
1280 if (!(a->enc_flag & EC_PKEY_NO_PUBKEY)) 1099 if (!(a->enc_flag & EC_PKEY_NO_PUBKEY)) {
1281 {
1282 priv_key->publicKey = M_ASN1_BIT_STRING_new(); 1100 priv_key->publicKey = M_ASN1_BIT_STRING_new();
1283 if (priv_key->publicKey == NULL) 1101 if (priv_key->publicKey == NULL) {
1284 {
1285 ECerr(EC_F_I2D_ECPRIVATEKEY, 1102 ECerr(EC_F_I2D_ECPRIVATEKEY,
1286 ERR_R_MALLOC_FAILURE); 1103 ERR_R_MALLOC_FAILURE);
1287 goto err; 1104 goto err;
1288 } 1105 }
1289 1106 tmp_len = EC_POINT_point2oct(a->group, a->pub_key,
1290 tmp_len = EC_POINT_point2oct(a->group, a->pub_key, 1107 a->conv_form, NULL, 0, NULL);
1291 a->conv_form, NULL, 0, NULL);
1292 1108
1293 if (tmp_len > buf_len) 1109 if (tmp_len > buf_len) {
1294 {
1295 unsigned char *tmp_buffer = realloc(buffer, tmp_len); 1110 unsigned char *tmp_buffer = realloc(buffer, tmp_len);
1296 if (!tmp_buffer) 1111 if (!tmp_buffer) {
1297 {
1298 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE); 1112 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
1299 goto err; 1113 goto err;
1300 } 1114 }
1301 buffer = tmp_buffer; 1115 buffer = tmp_buffer;
1302 buf_len = tmp_len; 1116 buf_len = tmp_len;
1303 } 1117 }
1304 1118 if (!EC_POINT_point2oct(a->group, a->pub_key,
1305 if (!EC_POINT_point2oct(a->group, a->pub_key, 1119 a->conv_form, buffer, buf_len, NULL)) {
1306 a->conv_form, buffer, buf_len, NULL))
1307 {
1308 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB); 1120 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
1309 goto err; 1121 goto err;
1310 } 1122 }
1311 1123 priv_key->publicKey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
1312 priv_key->publicKey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
1313 priv_key->publicKey->flags |= ASN1_STRING_FLAG_BITS_LEFT; 1124 priv_key->publicKey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
1314 if (!M_ASN1_BIT_STRING_set(priv_key->publicKey, buffer, 1125 if (!M_ASN1_BIT_STRING_set(priv_key->publicKey, buffer,
1315 buf_len)) 1126 buf_len)) {
1316 {
1317 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_ASN1_LIB); 1127 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_ASN1_LIB);
1318 goto err; 1128 goto err;
1319 }
1320 } 1129 }
1321 1130 }
1322 if ((ret = i2d_EC_PRIVATEKEY(priv_key, out)) == 0) 1131 if ((ret = i2d_EC_PRIVATEKEY(priv_key, out)) == 0) {
1323 {
1324 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB); 1132 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
1325 goto err; 1133 goto err;
1326 } 1134 }
1327 ok=1; 1135 ok = 1;
1328err: 1136err:
1329 if (buffer) 1137 if (buffer)
1330 free(buffer); 1138 free(buffer);
1331 if (priv_key) 1139 if (priv_key)
1332 EC_PRIVATEKEY_free(priv_key); 1140 EC_PRIVATEKEY_free(priv_key);
1333 return(ok?ret:0); 1141 return (ok ? ret : 0);
1334 } 1142}
1335 1143
1336int i2d_ECParameters(EC_KEY *a, unsigned char **out) 1144int
1337 { 1145i2d_ECParameters(EC_KEY * a, unsigned char **out)
1338 if (a == NULL) 1146{
1339 { 1147 if (a == NULL) {
1340 ECerr(EC_F_I2D_ECPARAMETERS, ERR_R_PASSED_NULL_PARAMETER); 1148 ECerr(EC_F_I2D_ECPARAMETERS, ERR_R_PASSED_NULL_PARAMETER);
1341 return 0; 1149 return 0;
1342 }
1343 return i2d_ECPKParameters(a->group, out);
1344 } 1150 }
1151 return i2d_ECPKParameters(a->group, out);
1152}
1345 1153
1346EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len) 1154EC_KEY *
1347 { 1155d2i_ECParameters(EC_KEY ** a, const unsigned char **in, long len)
1348 EC_KEY *ret; 1156{
1157 EC_KEY *ret;
1349 1158
1350 if (in == NULL || *in == NULL) 1159 if (in == NULL || *in == NULL) {
1351 {
1352 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_PASSED_NULL_PARAMETER); 1160 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_PASSED_NULL_PARAMETER);
1353 return NULL; 1161 return NULL;
1354 } 1162 }
1355 1163 if (a == NULL || *a == NULL) {
1356 if (a == NULL || *a == NULL) 1164 if ((ret = EC_KEY_new()) == NULL) {
1357 {
1358 if ((ret = EC_KEY_new()) == NULL)
1359 {
1360 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE); 1165 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
1361 return NULL; 1166 return NULL;
1362 } 1167 }
1363 if (a) 1168 if (a)
1364 *a = ret; 1169 *a = ret;
1365 } 1170 } else
1366 else
1367 ret = *a; 1171 ret = *a;
1368 1172
1369 if (!d2i_ECPKParameters(&ret->group, in, len)) 1173 if (!d2i_ECPKParameters(&ret->group, in, len)) {
1370 {
1371 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB); 1174 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
1372 return NULL; 1175 return NULL;
1373 }
1374
1375 return ret;
1376 } 1176 }
1177 return ret;
1178}
1377 1179
1378EC_KEY *o2i_ECPublicKey(EC_KEY **a, const unsigned char **in, long len) 1180EC_KEY *
1379 { 1181o2i_ECPublicKey(EC_KEY ** a, const unsigned char **in, long len)
1380 EC_KEY *ret=NULL; 1182{
1183 EC_KEY *ret = NULL;
1381 1184
1382 if (a == NULL || (*a) == NULL || (*a)->group == NULL) 1185 if (a == NULL || (*a) == NULL || (*a)->group == NULL) {
1383 { 1186 /*
1384 /* sorry, but a EC_GROUP-structur is necessary 1187 * sorry, but a EC_GROUP-structur is necessary to set the
1385 * to set the public key */ 1188 * public key
1189 */
1386 ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_PASSED_NULL_PARAMETER); 1190 ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_PASSED_NULL_PARAMETER);
1387 return 0; 1191 return 0;
1388 } 1192 }
1389 ret = *a; 1193 ret = *a;
1390 if (ret->pub_key == NULL && 1194 if (ret->pub_key == NULL &&
1391 (ret->pub_key = EC_POINT_new(ret->group)) == NULL) 1195 (ret->pub_key = EC_POINT_new(ret->group)) == NULL) {
1392 {
1393 ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_MALLOC_FAILURE); 1196 ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_MALLOC_FAILURE);
1394 return 0; 1197 return 0;
1395 } 1198 }
1396 if (!EC_POINT_oct2point(ret->group, ret->pub_key, *in, len, NULL)) 1199 if (!EC_POINT_oct2point(ret->group, ret->pub_key, *in, len, NULL)) {
1397 {
1398 ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_EC_LIB); 1200 ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_EC_LIB);
1399 return 0; 1201 return 0;
1400 } 1202 }
1401 /* save the point conversion form */ 1203 /* save the point conversion form */
1402 ret->conv_form = (point_conversion_form_t)(*in[0] & ~0x01); 1204 ret->conv_form = (point_conversion_form_t) (*in[0] & ~0x01);
1403 *in += len; 1205 *in += len;
1404 return ret; 1206 return ret;
1405 } 1207}
1406 1208
1407int i2o_ECPublicKey(EC_KEY *a, unsigned char **out) 1209int
1408 { 1210i2o_ECPublicKey(EC_KEY * a, unsigned char **out)
1409 size_t buf_len=0; 1211{
1212 size_t buf_len = 0;
1410 int new_buffer = 0; 1213 int new_buffer = 0;
1411 1214
1412 if (a == NULL) 1215 if (a == NULL) {
1413 {
1414 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_PASSED_NULL_PARAMETER); 1216 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_PASSED_NULL_PARAMETER);
1415 return 0; 1217 return 0;
1416 } 1218 }
1417 1219 buf_len = EC_POINT_point2oct(a->group, a->pub_key,
1418 buf_len = EC_POINT_point2oct(a->group, a->pub_key, 1220 a->conv_form, NULL, 0, NULL);
1419 a->conv_form, NULL, 0, NULL);
1420 1221
1421 if (out == NULL || buf_len == 0) 1222 if (out == NULL || buf_len == 0)
1422 /* out == NULL => just return the length of the octet string */ 1223 /* out == NULL => just return the length of the octet string */
1423 return buf_len; 1224 return buf_len;
1424 1225
1425 if (*out == NULL) 1226 if (*out == NULL) {
1426 { 1227 if ((*out = malloc(buf_len)) == NULL) {
1427 if ((*out = malloc(buf_len)) == NULL)
1428 {
1429 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_MALLOC_FAILURE); 1228 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_MALLOC_FAILURE);
1430 return 0; 1229 return 0;
1431 }
1432 new_buffer = 1;
1433 } 1230 }
1434 if (!EC_POINT_point2oct(a->group, a->pub_key, a->conv_form, 1231 new_buffer = 1;
1435 *out, buf_len, NULL)) 1232 }
1436 { 1233 if (!EC_POINT_point2oct(a->group, a->pub_key, a->conv_form,
1234 *out, buf_len, NULL)) {
1437 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB); 1235 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB);
1438 free(*out); 1236 free(*out);
1439 *out = NULL; 1237 *out = NULL;
1440 return 0; 1238 return 0;
1441 } 1239 }
1442 if (!new_buffer) 1240 if (!new_buffer)
1443 *out += buf_len; 1241 *out += buf_len;
1444 return buf_len; 1242 return buf_len;
1445 } 1243}
diff --git a/src/lib/libcrypto/ec/ec_check.c b/src/lib/libcrypto/ec/ec_check.c
index 0e316b4b3f..8f533d5ff8 100644
--- a/src/lib/libcrypto/ec/ec_check.c
+++ b/src/lib/libcrypto/ec/ec_check.c
@@ -7,7 +7,7 @@
7 * are met: 7 * are met:
8 * 8 *
9 * 1. Redistributions of source code must retain the above copyright 9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
11 * 11 *
12 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in 13 * notice, this list of conditions and the following disclaimer in
@@ -56,60 +56,54 @@
56#include "ec_lcl.h" 56#include "ec_lcl.h"
57#include <openssl/err.h> 57#include <openssl/err.h>
58 58
59int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx) 59int
60 { 60EC_GROUP_check(const EC_GROUP * group, BN_CTX * ctx)
61{
61 int ret = 0; 62 int ret = 0;
62 BIGNUM *order; 63 BIGNUM *order;
63 BN_CTX *new_ctx = NULL; 64 BN_CTX *new_ctx = NULL;
64 EC_POINT *point = NULL; 65 EC_POINT *point = NULL;
65 66
66 if (ctx == NULL) 67 if (ctx == NULL) {
67 {
68 ctx = new_ctx = BN_CTX_new(); 68 ctx = new_ctx = BN_CTX_new();
69 if (ctx == NULL) 69 if (ctx == NULL) {
70 {
71 ECerr(EC_F_EC_GROUP_CHECK, ERR_R_MALLOC_FAILURE); 70 ECerr(EC_F_EC_GROUP_CHECK, ERR_R_MALLOC_FAILURE);
72 goto err; 71 goto err;
73 }
74 } 72 }
73 }
75 BN_CTX_start(ctx); 74 BN_CTX_start(ctx);
76 if ((order = BN_CTX_get(ctx)) == NULL) goto err; 75 if ((order = BN_CTX_get(ctx)) == NULL)
76 goto err;
77 77
78 /* check the discriminant */ 78 /* check the discriminant */
79 if (!EC_GROUP_check_discriminant(group, ctx)) 79 if (!EC_GROUP_check_discriminant(group, ctx)) {
80 {
81 ECerr(EC_F_EC_GROUP_CHECK, EC_R_DISCRIMINANT_IS_ZERO); 80 ECerr(EC_F_EC_GROUP_CHECK, EC_R_DISCRIMINANT_IS_ZERO);
82 goto err; 81 goto err;
83 } 82 }
84
85 /* check the generator */ 83 /* check the generator */
86 if (group->generator == NULL) 84 if (group->generator == NULL) {
87 {
88 ECerr(EC_F_EC_GROUP_CHECK, EC_R_UNDEFINED_GENERATOR); 85 ECerr(EC_F_EC_GROUP_CHECK, EC_R_UNDEFINED_GENERATOR);
89 goto err; 86 goto err;
90 } 87 }
91 if (!EC_POINT_is_on_curve(group, group->generator, ctx)) 88 if (!EC_POINT_is_on_curve(group, group->generator, ctx)) {
92 {
93 ECerr(EC_F_EC_GROUP_CHECK, EC_R_POINT_IS_NOT_ON_CURVE); 89 ECerr(EC_F_EC_GROUP_CHECK, EC_R_POINT_IS_NOT_ON_CURVE);
94 goto err; 90 goto err;
95 } 91 }
96
97 /* check the order of the generator */ 92 /* check the order of the generator */
98 if ((point = EC_POINT_new(group)) == NULL) goto err; 93 if ((point = EC_POINT_new(group)) == NULL)
99 if (!EC_GROUP_get_order(group, order, ctx)) goto err; 94 goto err;
100 if (BN_is_zero(order)) 95 if (!EC_GROUP_get_order(group, order, ctx))
101 { 96 goto err;
97 if (BN_is_zero(order)) {
102 ECerr(EC_F_EC_GROUP_CHECK, EC_R_UNDEFINED_ORDER); 98 ECerr(EC_F_EC_GROUP_CHECK, EC_R_UNDEFINED_ORDER);
103 goto err; 99 goto err;
104 } 100 }
105 101 if (!EC_POINT_mul(group, point, order, NULL, NULL, ctx))
106 if (!EC_POINT_mul(group, point, order, NULL, NULL, ctx)) goto err; 102 goto err;
107 if (!EC_POINT_is_at_infinity(group, point)) 103 if (!EC_POINT_is_at_infinity(group, point)) {
108 {
109 ECerr(EC_F_EC_GROUP_CHECK, EC_R_INVALID_GROUP_ORDER); 104 ECerr(EC_F_EC_GROUP_CHECK, EC_R_INVALID_GROUP_ORDER);
110 goto err; 105 goto err;
111 } 106 }
112
113 ret = 1; 107 ret = 1;
114 108
115err: 109err:
@@ -120,4 +114,4 @@ err:
120 if (point) 114 if (point)
121 EC_POINT_free(point); 115 EC_POINT_free(point);
122 return ret; 116 return ret;
123 } 117}
diff --git a/src/lib/libcrypto/ec/ec_curve.c b/src/lib/libcrypto/ec/ec_curve.c
index 23bc3ab94e..daaa8edd7e 100644
--- a/src/lib/libcrypto/ec/ec_curve.c
+++ b/src/lib/libcrypto/ec/ec_curve.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -58,13 +58,13 @@
58/* ==================================================================== 58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * 60 *
61 * Portions of the attached software ("Contribution") are developed by 61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
63 * 63 *
64 * The Contribution is licensed pursuant to the OpenSSL open source 64 * The Contribution is licensed pursuant to the OpenSSL open source
65 * license provided above. 65 * license provided above.
66 * 66 *
67 * The elliptic curve binary polynomial software is originally written by 67 * The elliptic curve binary polynomial software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. 68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
69 * 69 *
70 */ 70 */
@@ -75,1692 +75,2075 @@
75#include <openssl/opensslconf.h> 75#include <openssl/opensslconf.h>
76 76
77typedef struct { 77typedef struct {
78 int field_type, /* either NID_X9_62_prime_field or 78 int field_type, /* either NID_X9_62_prime_field or
79 * NID_X9_62_characteristic_two_field */ 79 * NID_X9_62_characteristic_two_field */
80 seed_len, 80 seed_len, param_len;
81 param_len;
82 unsigned int cofactor; /* promoted to BN_ULONG */ 81 unsigned int cofactor; /* promoted to BN_ULONG */
83} EC_CURVE_DATA; 82} EC_CURVE_DATA;
84 83
85/* the nist prime curves */ 84/* the nist prime curves */
86static const struct { EC_CURVE_DATA h; unsigned char data[20+24*6]; } 85static const struct {
87 _EC_NIST_PRIME_192 = { 86 EC_CURVE_DATA h;
88 { NID_X9_62_prime_field,20,24,1 }, 87 unsigned char data[20 + 24 * 6];
89 { 0x30,0x45,0xAE,0x6F,0xC8,0x42,0x2F,0x64,0xED,0x57, /* seed */ 88}
90 0x95,0x28,0xD3,0x81,0x20,0xEA,0xE1,0x21,0x96,0xD5, 89 _EC_NIST_PRIME_192 = {
91 90 {
92 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 91 NID_X9_62_prime_field, 20, 24, 1
93 0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0xFF, 92 },
94 0xFF,0xFF,0xFF,0xFF, 93 {
95 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 94 0x30, 0x45, 0xAE, 0x6F, 0xC8, 0x42, 0x2F, 0x64, 0xED, 0x57, /* seed */
96 0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0xFF, 95 0x95, 0x28, 0xD3, 0x81, 0x20, 0xEA, 0xE1, 0x21, 0x96, 0xD5,
97 0xFF,0xFF,0xFF,0xFC, 96
98 0x64,0x21,0x05,0x19,0xE5,0x9C,0x80,0xE7,0x0F,0xA7, /* b */ 97 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
99 0xE9,0xAB,0x72,0x24,0x30,0x49,0xFE,0xB8,0xDE,0xEC, 98 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
100 0xC1,0x46,0xB9,0xB1, 99 0xFF, 0xFF, 0xFF, 0xFF,
101 0x18,0x8D,0xA8,0x0E,0xB0,0x30,0x90,0xF6,0x7C,0xBF, /* x */ 100 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
102 0x20,0xEB,0x43,0xA1,0x88,0x00,0xF4,0xFF,0x0A,0xFD, 101 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
103 0x82,0xFF,0x10,0x12, 102 0xFF, 0xFF, 0xFF, 0xFC,
104 0x07,0x19,0x2b,0x95,0xff,0xc8,0xda,0x78,0x63,0x10, /* y */ 103 0x64, 0x21, 0x05, 0x19, 0xE5, 0x9C, 0x80, 0xE7, 0x0F, 0xA7, /* b */
105 0x11,0xed,0x6b,0x24,0xcd,0xd5,0x73,0xf9,0x77,0xa1, 104 0xE9, 0xAB, 0x72, 0x24, 0x30, 0x49, 0xFE, 0xB8, 0xDE, 0xEC,
106 0x1e,0x79,0x48,0x11, 105 0xC1, 0x46, 0xB9, 0xB1,
107 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 106 0x18, 0x8D, 0xA8, 0x0E, 0xB0, 0x30, 0x90, 0xF6, 0x7C, 0xBF, /* x */
108 0xFF,0xFF,0x99,0xDE,0xF8,0x36,0x14,0x6B,0xC9,0xB1, 107 0x20, 0xEB, 0x43, 0xA1, 0x88, 0x00, 0xF4, 0xFF, 0x0A, 0xFD,
109 0xB4,0xD2,0x28,0x31 } 108 0x82, 0xFF, 0x10, 0x12,
110 }; 109 0x07, 0x19, 0x2b, 0x95, 0xff, 0xc8, 0xda, 0x78, 0x63, 0x10, /* y */
111 110 0x11, 0xed, 0x6b, 0x24, 0xcd, 0xd5, 0x73, 0xf9, 0x77, 0xa1,
112static const struct { EC_CURVE_DATA h; unsigned char data[20+28*6]; } 111 0x1e, 0x79, 0x48, 0x11,
113 _EC_NIST_PRIME_224 = { 112 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
114 { NID_X9_62_prime_field,20,28,1 }, 113 0xFF, 0xFF, 0x99, 0xDE, 0xF8, 0x36, 0x14, 0x6B, 0xC9, 0xB1,
115 { 0xBD,0x71,0x34,0x47,0x99,0xD5,0xC7,0xFC,0xDC,0x45, /* seed */ 114 0xB4, 0xD2, 0x28, 0x31
116 0xB5,0x9F,0xA3,0xB9,0xAB,0x8F,0x6A,0x94,0x8B,0xC5, 115 }
117 116};
118 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 117
119 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00, 118static const struct {
120 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, 119 EC_CURVE_DATA h;
121 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 120 unsigned char data[20 + 28 * 6];
122 0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0xFF, 121}
123 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, 122 _EC_NIST_PRIME_224 = {
124 0xB4,0x05,0x0A,0x85,0x0C,0x04,0xB3,0xAB,0xF5,0x41, /* b */ 123 {
125 0x32,0x56,0x50,0x44,0xB0,0xB7,0xD7,0xBF,0xD8,0xBA, 124 NID_X9_62_prime_field, 20, 28, 1
126 0x27,0x0B,0x39,0x43,0x23,0x55,0xFF,0xB4, 125 },
127 0xB7,0x0E,0x0C,0xBD,0x6B,0xB4,0xBF,0x7F,0x32,0x13, /* x */ 126 {
128 0x90,0xB9,0x4A,0x03,0xC1,0xD3,0x56,0xC2,0x11,0x22, 127 0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, /* seed */
129 0x34,0x32,0x80,0xD6,0x11,0x5C,0x1D,0x21, 128 0xB5, 0x9F, 0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5,
130 0xbd,0x37,0x63,0x88,0xb5,0xf7,0x23,0xfb,0x4c,0x22, /* y */ 129
131 0xdf,0xe6,0xcd,0x43,0x75,0xa0,0x5a,0x07,0x47,0x64, 130 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
132 0x44,0xd5,0x81,0x99,0x85,0x00,0x7e,0x34, 131 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,
133 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 132 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
134 0xFF,0xFF,0xFF,0xFF,0x16,0xA2,0xE0,0xB8,0xF0,0x3E, 133 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
135 0x13,0xDD,0x29,0x45,0x5C,0x5C,0x2A,0x3D } 134 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
136 }; 135 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
137 136 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, /* b */
138static const struct { EC_CURVE_DATA h; unsigned char data[20+48*6]; } 137 0x32, 0x56, 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA,
139 _EC_NIST_PRIME_384 = { 138 0x27, 0x0B, 0x39, 0x43, 0x23, 0x55, 0xFF, 0xB4,
140 { NID_X9_62_prime_field,20,48,1 }, 139 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, /* x */
141 { 0xA3,0x35,0x92,0x6A,0xA3,0x19,0xA2,0x7A,0x1D,0x00, /* seed */ 140 0x90, 0xB9, 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22,
142 0x89,0x6A,0x67,0x73,0xA4,0x82,0x7A,0xCD,0xAC,0x73, 141 0x34, 0x32, 0x80, 0xD6, 0x11, 0x5C, 0x1D, 0x21,
143 142 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, /* y */
144 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 143 0xdf, 0xe6, 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64,
145 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 144 0x44, 0xd5, 0x81, 0x99, 0x85, 0x00, 0x7e, 0x34,
146 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 145 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
147 0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00, 146 0xFF, 0xFF, 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E,
148 0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF, 147 0x13, 0xDD, 0x29, 0x45, 0x5C, 0x5C, 0x2A, 0x3D
149 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 148 }
150 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 149};
151 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 150
152 0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00, 151static const struct {
153 0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFC, 152 EC_CURVE_DATA h;
154 0xB3,0x31,0x2F,0xA7,0xE2,0x3E,0xE7,0xE4,0x98,0x8E, /* b */ 153 unsigned char data[20 + 48 * 6];
155 0x05,0x6B,0xE3,0xF8,0x2D,0x19,0x18,0x1D,0x9C,0x6E, 154}
156 0xFE,0x81,0x41,0x12,0x03,0x14,0x08,0x8F,0x50,0x13, 155 _EC_NIST_PRIME_384 = {
157 0x87,0x5A,0xC6,0x56,0x39,0x8D,0x8A,0x2E,0xD1,0x9D, 156 {
158 0x2A,0x85,0xC8,0xED,0xD3,0xEC,0x2A,0xEF, 157 NID_X9_62_prime_field, 20, 48, 1
159 0xAA,0x87,0xCA,0x22,0xBE,0x8B,0x05,0x37,0x8E,0xB1, /* x */ 158 },
160 0xC7,0x1E,0xF3,0x20,0xAD,0x74,0x6E,0x1D,0x3B,0x62, 159 {
161 0x8B,0xA7,0x9B,0x98,0x59,0xF7,0x41,0xE0,0x82,0x54, 160 0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, /* seed */
162 0x2A,0x38,0x55,0x02,0xF2,0x5D,0xBF,0x55,0x29,0x6C, 161 0x89, 0x6A, 0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
163 0x3A,0x54,0x5E,0x38,0x72,0x76,0x0A,0xB7, 162
164 0x36,0x17,0xde,0x4a,0x96,0x26,0x2c,0x6f,0x5d,0x9e, /* y */ 163 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
165 0x98,0xbf,0x92,0x92,0xdc,0x29,0xf8,0xf4,0x1d,0xbd, 164 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
166 0x28,0x9a,0x14,0x7c,0xe9,0xda,0x31,0x13,0xb5,0xf0, 165 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
167 0xb8,0xc0,0x0a,0x60,0xb1,0xce,0x1d,0x7e,0x81,0x9d, 166 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,
168 0x7a,0x43,0x1d,0x7c,0x90,0xea,0x0e,0x5f, 167 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
169 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 168 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
170 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 169 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
171 0xFF,0xFF,0xFF,0xFF,0xC7,0x63,0x4D,0x81,0xF4,0x37, 170 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
172 0x2D,0xDF,0x58,0x1A,0x0D,0xB2,0x48,0xB0,0xA7,0x7A, 171 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,
173 0xEC,0xEC,0x19,0x6A,0xCC,0xC5,0x29,0x73 } 172 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
174 }; 173 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, /* b */
175 174 0x05, 0x6B, 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E,
176static const struct { EC_CURVE_DATA h; unsigned char data[20+66*6]; } 175 0xFE, 0x81, 0x41, 0x12, 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13,
177 _EC_NIST_PRIME_521 = { 176 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, 0x8A, 0x2E, 0xD1, 0x9D,
178 { NID_X9_62_prime_field,20,66,1 }, 177 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
179 { 0xD0,0x9E,0x88,0x00,0x29,0x1C,0xB8,0x53,0x96,0xCC, /* seed */ 178 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, /* x */
180 0x67,0x17,0x39,0x32,0x84,0xAA,0xA0,0xDA,0x64,0xBA, 179 0xC7, 0x1E, 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62,
181 180 0x8B, 0xA7, 0x9B, 0x98, 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54,
182 0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 181 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, 0xBF, 0x55, 0x29, 0x6C,
183 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 182 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
184 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 183 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, /* y */
185 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 184 0x98, 0xbf, 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd,
186 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 185 0x28, 0x9a, 0x14, 0x7c, 0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0,
187 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 186 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce, 0x1d, 0x7e, 0x81, 0x9d,
188 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 187 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
189 0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 188 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
190 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 189 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
191 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 190 0xFF, 0xFF, 0xFF, 0xFF, 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37,
192 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 191 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2, 0x48, 0xB0, 0xA7, 0x7A,
193 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 192 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
194 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 193 }
195 0xFF,0xFF,0xFF,0xFF,0xFF,0xFC, 194};
196 0x00,0x51,0x95,0x3E,0xB9,0x61,0x8E,0x1C,0x9A,0x1F, /* b */ 195
197 0x92,0x9A,0x21,0xA0,0xB6,0x85,0x40,0xEE,0xA2,0xDA, 196static const struct {
198 0x72,0x5B,0x99,0xB3,0x15,0xF3,0xB8,0xB4,0x89,0x91, 197 EC_CURVE_DATA h;
199 0x8E,0xF1,0x09,0xE1,0x56,0x19,0x39,0x51,0xEC,0x7E, 198 unsigned char data[20 + 66 * 6];
200 0x93,0x7B,0x16,0x52,0xC0,0xBD,0x3B,0xB1,0xBF,0x07, 199}
201 0x35,0x73,0xDF,0x88,0x3D,0x2C,0x34,0xF1,0xEF,0x45, 200 _EC_NIST_PRIME_521 = {
202 0x1F,0xD4,0x6B,0x50,0x3F,0x00, 201 {
203 0x00,0xC6,0x85,0x8E,0x06,0xB7,0x04,0x04,0xE9,0xCD, /* x */ 202 NID_X9_62_prime_field, 20, 66, 1
204 0x9E,0x3E,0xCB,0x66,0x23,0x95,0xB4,0x42,0x9C,0x64, 203 },
205 0x81,0x39,0x05,0x3F,0xB5,0x21,0xF8,0x28,0xAF,0x60, 204 {
206 0x6B,0x4D,0x3D,0xBA,0xA1,0x4B,0x5E,0x77,0xEF,0xE7, 205 0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, /* seed */
207 0x59,0x28,0xFE,0x1D,0xC1,0x27,0xA2,0xFF,0xA8,0xDE, 206 0x67, 0x17, 0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
208 0x33,0x48,0xB3,0xC1,0x85,0x6A,0x42,0x9B,0xF9,0x7E, 207
209 0x7E,0x31,0xC2,0xE5,0xBD,0x66, 208 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
210 0x01,0x18,0x39,0x29,0x6a,0x78,0x9a,0x3b,0xc0,0x04, /* y */ 209 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
211 0x5c,0x8a,0x5f,0xb4,0x2c,0x7d,0x1b,0xd9,0x98,0xf5, 210 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
212 0x44,0x49,0x57,0x9b,0x44,0x68,0x17,0xaf,0xbd,0x17, 211 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
213 0x27,0x3e,0x66,0x2c,0x97,0xee,0x72,0x99,0x5e,0xf4, 212 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
214 0x26,0x40,0xc5,0x50,0xb9,0x01,0x3f,0xad,0x07,0x61, 213 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
215 0x35,0x3c,0x70,0x86,0xa2,0x72,0xc2,0x40,0x88,0xbe, 214 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
216 0x94,0x76,0x9f,0xd1,0x66,0x50, 215 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
217 0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 216 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
218 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 217 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
219 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 218 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
220 0xFF,0xFF,0xFF,0xFA,0x51,0x86,0x87,0x83,0xBF,0x2F, 219 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
221 0x96,0x6B,0x7F,0xCC,0x01,0x48,0xF7,0x09,0xA5,0xD0, 220 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
222 0x3B,0xB5,0xC9,0xB8,0x89,0x9C,0x47,0xAE,0xBB,0x6F, 221 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
223 0xB7,0x1E,0x91,0x38,0x64,0x09 } 222 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, /* b */
224 }; 223 0x92, 0x9A, 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA,
224 0x72, 0x5B, 0x99, 0xB3, 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91,
225 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19, 0x39, 0x51, 0xEC, 0x7E,
226 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1, 0xBF, 0x07,
227 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
228 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
229 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, /* x */
230 0x9E, 0x3E, 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64,
231 0x81, 0x39, 0x05, 0x3F, 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60,
232 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B, 0x5E, 0x77, 0xEF, 0xE7,
233 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF, 0xA8, 0xDE,
234 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
235 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
236 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, /* y */
237 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5,
238 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17,
239 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4,
240 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61,
241 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
242 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
243 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
244 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
245 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
246 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86, 0x87, 0x83, 0xBF, 0x2F,
247 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09, 0xA5, 0xD0,
248 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
249 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
250 }
251};
225 252
226/* the x9.62 prime curves (minus the nist prime curves) */ 253/* the x9.62 prime curves (minus the nist prime curves) */
227static const struct { EC_CURVE_DATA h; unsigned char data[20+24*6]; } 254static const struct {
228 _EC_X9_62_PRIME_192V2 = { 255 EC_CURVE_DATA h;
229 { NID_X9_62_prime_field,20,24,1 }, 256 unsigned char data[20 + 24 * 6];
230 { 0x31,0xA9,0x2E,0xE2,0x02,0x9F,0xD1,0x0D,0x90,0x1B, /* seed */ 257}
231 0x11,0x3E,0x99,0x07,0x10,0xF0,0xD2,0x1A,0xC6,0xB6, 258 _EC_X9_62_PRIME_192V2 = {
232 259 {
233 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 260 NID_X9_62_prime_field, 20, 24, 1
234 0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0xFF, 261 },
235 0xFF,0xFF,0xFF,0xFF, 262 {
236 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 263 0x31, 0xA9, 0x2E, 0xE2, 0x02, 0x9F, 0xD1, 0x0D, 0x90, 0x1B, /* seed */
237 0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0xFF, 264 0x11, 0x3E, 0x99, 0x07, 0x10, 0xF0, 0xD2, 0x1A, 0xC6, 0xB6,
238 0xFF,0xFF,0xFF,0xFC, 265
239 0xCC,0x22,0xD6,0xDF,0xB9,0x5C,0x6B,0x25,0xE4,0x9C, /* b */ 266 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
240 0x0D,0x63,0x64,0xA4,0xE5,0x98,0x0C,0x39,0x3A,0xA2, 267 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
241 0x16,0x68,0xD9,0x53, 268 0xFF, 0xFF, 0xFF, 0xFF,
242 0xEE,0xA2,0xBA,0xE7,0xE1,0x49,0x78,0x42,0xF2,0xDE, /* x */ 269 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
243 0x77,0x69,0xCF,0xE9,0xC9,0x89,0xC0,0x72,0xAD,0x69, 270 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
244 0x6F,0x48,0x03,0x4A, 271 0xFF, 0xFF, 0xFF, 0xFC,
245 0x65,0x74,0xd1,0x1d,0x69,0xb6,0xec,0x7a,0x67,0x2b, /* y */ 272 0xCC, 0x22, 0xD6, 0xDF, 0xB9, 0x5C, 0x6B, 0x25, 0xE4, 0x9C, /* b */
246 0xb8,0x2a,0x08,0x3d,0xf2,0xf2,0xb0,0x84,0x7d,0xe9, 273 0x0D, 0x63, 0x64, 0xA4, 0xE5, 0x98, 0x0C, 0x39, 0x3A, 0xA2,
247 0x70,0xb2,0xde,0x15, 274 0x16, 0x68, 0xD9, 0x53,
248 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 275 0xEE, 0xA2, 0xBA, 0xE7, 0xE1, 0x49, 0x78, 0x42, 0xF2, 0xDE, /* x */
249 0xFF,0xFE,0x5F,0xB1,0xA7,0x24,0xDC,0x80,0x41,0x86, 276 0x77, 0x69, 0xCF, 0xE9, 0xC9, 0x89, 0xC0, 0x72, 0xAD, 0x69,
250 0x48,0xD8,0xDD,0x31 } 277 0x6F, 0x48, 0x03, 0x4A,
251 }; 278 0x65, 0x74, 0xd1, 0x1d, 0x69, 0xb6, 0xec, 0x7a, 0x67, 0x2b, /* y */
252 279 0xb8, 0x2a, 0x08, 0x3d, 0xf2, 0xf2, 0xb0, 0x84, 0x7d, 0xe9,
253static const struct { EC_CURVE_DATA h; unsigned char data[20+24*6]; } 280 0x70, 0xb2, 0xde, 0x15,
254 _EC_X9_62_PRIME_192V3 = { 281 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
255 { NID_X9_62_prime_field,20,24,1 }, 282 0xFF, 0xFE, 0x5F, 0xB1, 0xA7, 0x24, 0xDC, 0x80, 0x41, 0x86,
256 { 0xC4,0x69,0x68,0x44,0x35,0xDE,0xB3,0x78,0xC4,0xB6, /* seed */ 283 0x48, 0xD8, 0xDD, 0x31
257 0x5C,0xA9,0x59,0x1E,0x2A,0x57,0x63,0x05,0x9A,0x2E, 284 }
258 285};
259 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 286
260 0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0xFF, 287static const struct {
261 0xFF,0xFF,0xFF,0xFF, 288 EC_CURVE_DATA h;
262 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 289 unsigned char data[20 + 24 * 6];
263 0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0xFF, 290}
264 0xFF,0xFF,0xFF,0xFC, 291 _EC_X9_62_PRIME_192V3 = {
265 0x22,0x12,0x3D,0xC2,0x39,0x5A,0x05,0xCA,0xA7,0x42, /* b */ 292 {
266 0x3D,0xAE,0xCC,0xC9,0x47,0x60,0xA7,0xD4,0x62,0x25, 293 NID_X9_62_prime_field, 20, 24, 1
267 0x6B,0xD5,0x69,0x16, 294 },
268 0x7D,0x29,0x77,0x81,0x00,0xC6,0x5A,0x1D,0xA1,0x78, /* x */ 295 {
269 0x37,0x16,0x58,0x8D,0xCE,0x2B,0x8B,0x4A,0xEE,0x8E, 296 0xC4, 0x69, 0x68, 0x44, 0x35, 0xDE, 0xB3, 0x78, 0xC4, 0xB6, /* seed */
270 0x22,0x8F,0x18,0x96, 297 0x5C, 0xA9, 0x59, 0x1E, 0x2A, 0x57, 0x63, 0x05, 0x9A, 0x2E,
271 0x38,0xa9,0x0f,0x22,0x63,0x73,0x37,0x33,0x4b,0x49, /* y */ 298
272 0xdc,0xb6,0x6a,0x6d,0xc8,0xf9,0x97,0x8a,0xca,0x76, 299 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
273 0x48,0xa9,0x43,0xb0, 300 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
274 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 301 0xFF, 0xFF, 0xFF, 0xFF,
275 0xFF,0xFF,0x7A,0x62,0xD0,0x31,0xC8,0x3F,0x42,0x94, 302 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
276 0xF6,0x40,0xEC,0x13 } 303 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
277 }; 304 0xFF, 0xFF, 0xFF, 0xFC,
278 305 0x22, 0x12, 0x3D, 0xC2, 0x39, 0x5A, 0x05, 0xCA, 0xA7, 0x42, /* b */
279static const struct { EC_CURVE_DATA h; unsigned char data[20+30*6]; } 306 0x3D, 0xAE, 0xCC, 0xC9, 0x47, 0x60, 0xA7, 0xD4, 0x62, 0x25,
280 _EC_X9_62_PRIME_239V1 = { 307 0x6B, 0xD5, 0x69, 0x16,
281 { NID_X9_62_prime_field,20,30,1 }, 308 0x7D, 0x29, 0x77, 0x81, 0x00, 0xC6, 0x5A, 0x1D, 0xA1, 0x78, /* x */
282 { 0xE4,0x3B,0xB4,0x60,0xF0,0xB8,0x0C,0xC0,0xC0,0xB0, /* seed */ 309 0x37, 0x16, 0x58, 0x8D, 0xCE, 0x2B, 0x8B, 0x4A, 0xEE, 0x8E,
283 0x75,0x79,0x8E,0x94,0x80,0x60,0xF8,0x32,0x1B,0x7D, 310 0x22, 0x8F, 0x18, 0x96,
284 311 0x38, 0xa9, 0x0f, 0x22, 0x63, 0x73, 0x37, 0x33, 0x4b, 0x49, /* y */
285 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 312 0xdc, 0xb6, 0x6a, 0x6d, 0xc8, 0xf9, 0x97, 0x8a, 0xca, 0x76,
286 0xFF,0xFF,0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0x80,0x00, 313 0x48, 0xa9, 0x43, 0xb0,
287 0x00,0x00,0x00,0x00,0x7F,0xFF,0xFF,0xFF,0xFF,0xFF, 314 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
288 315 0xFF, 0xFF, 0x7A, 0x62, 0xD0, 0x31, 0xC8, 0x3F, 0x42, 0x94,
289 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 316 0xF6, 0x40, 0xEC, 0x13
290 0xFF,0xFF,0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0x80,0x00, 317 }
291 0x00,0x00,0x00,0x00,0x7F,0xFF,0xFF,0xFF,0xFF,0xFC, 318};
292 319
293 0x6B,0x01,0x6C,0x3B,0xDC,0xF1,0x89,0x41,0xD0,0xD6, /* b */ 320static const struct {
294 0x54,0x92,0x14,0x75,0xCA,0x71,0xA9,0xDB,0x2F,0xB2, 321 EC_CURVE_DATA h;
295 0x7D,0x1D,0x37,0x79,0x61,0x85,0xC2,0x94,0x2C,0x0A, 322 unsigned char data[20 + 30 * 6];
296 323}
297 0x0F,0xFA,0x96,0x3C,0xDC,0xA8,0x81,0x6C,0xCC,0x33, /* x */ 324 _EC_X9_62_PRIME_239V1 = {
298 0xB8,0x64,0x2B,0xED,0xF9,0x05,0xC3,0xD3,0x58,0x57, 325 {
299 0x3D,0x3F,0x27,0xFB,0xBD,0x3B,0x3C,0xB9,0xAA,0xAF, 326 NID_X9_62_prime_field, 20, 30, 1
300 327 },
301 0x7d,0xeb,0xe8,0xe4,0xe9,0x0a,0x5d,0xae,0x6e,0x40, /* y */ 328 {
302 0x54,0xca,0x53,0x0b,0xa0,0x46,0x54,0xb3,0x68,0x18, 329 0xE4, 0x3B, 0xB4, 0x60, 0xF0, 0xB8, 0x0C, 0xC0, 0xC0, 0xB0, /* seed */
303 0xce,0x22,0x6b,0x39,0xfc,0xcb,0x7b,0x02,0xf1,0xae, 330 0x75, 0x79, 0x8E, 0x94, 0x80, 0x60, 0xF8, 0x32, 0x1B, 0x7D,
304 331
305 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 332 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
306 0xFF,0xFF,0x7F,0xFF,0xFF,0x9E,0x5E,0x9A,0x9F,0x5D, 333 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00,
307 0x90,0x71,0xFB,0xD1,0x52,0x26,0x88,0x90,0x9D,0x0B } 334 0x00, 0x00, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
308 }; 335
309 336 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
310static const struct { EC_CURVE_DATA h; unsigned char data[20+30*6]; } 337 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00,
311 _EC_X9_62_PRIME_239V2 = { 338 0x00, 0x00, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
312 { NID_X9_62_prime_field,20,30,1 }, 339
313 { 0xE8,0xB4,0x01,0x16,0x04,0x09,0x53,0x03,0xCA,0x3B, /* seed */ 340 0x6B, 0x01, 0x6C, 0x3B, 0xDC, 0xF1, 0x89, 0x41, 0xD0, 0xD6, /* b */
314 0x80,0x99,0x98,0x2B,0xE0,0x9F,0xCB,0x9A,0xE6,0x16, 341 0x54, 0x92, 0x14, 0x75, 0xCA, 0x71, 0xA9, 0xDB, 0x2F, 0xB2,
315 342 0x7D, 0x1D, 0x37, 0x79, 0x61, 0x85, 0xC2, 0x94, 0x2C, 0x0A,
316 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 343
317 0xFF,0xFF,0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0x80,0x00, 344 0x0F, 0xFA, 0x96, 0x3C, 0xDC, 0xA8, 0x81, 0x6C, 0xCC, 0x33, /* x */
318 0x00,0x00,0x00,0x00,0x7F,0xFF,0xFF,0xFF,0xFF,0xFF, 345 0xB8, 0x64, 0x2B, 0xED, 0xF9, 0x05, 0xC3, 0xD3, 0x58, 0x57,
319 346 0x3D, 0x3F, 0x27, 0xFB, 0xBD, 0x3B, 0x3C, 0xB9, 0xAA, 0xAF,
320 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 347
321 0xFF,0xFF,0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0x80,0x00, 348 0x7d, 0xeb, 0xe8, 0xe4, 0xe9, 0x0a, 0x5d, 0xae, 0x6e, 0x40, /* y */
322 0x00,0x00,0x00,0x00,0x7F,0xFF,0xFF,0xFF,0xFF,0xFC, 349 0x54, 0xca, 0x53, 0x0b, 0xa0, 0x46, 0x54, 0xb3, 0x68, 0x18,
323 350 0xce, 0x22, 0x6b, 0x39, 0xfc, 0xcb, 0x7b, 0x02, 0xf1, 0xae,
324 0x61,0x7F,0xAB,0x68,0x32,0x57,0x6C,0xBB,0xFE,0xD5, /* b */ 351
325 0x0D,0x99,0xF0,0x24,0x9C,0x3F,0xEE,0x58,0xB9,0x4B, 352 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
326 0xA0,0x03,0x8C,0x7A,0xE8,0x4C,0x8C,0x83,0x2F,0x2C, 353 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0x9E, 0x5E, 0x9A, 0x9F, 0x5D,
327 354 0x90, 0x71, 0xFB, 0xD1, 0x52, 0x26, 0x88, 0x90, 0x9D, 0x0B
328 0x38,0xAF,0x09,0xD9,0x87,0x27,0x70,0x51,0x20,0xC9, /* x */ 355 }
329 0x21,0xBB,0x5E,0x9E,0x26,0x29,0x6A,0x3C,0xDC,0xF2, 356};
330 0xF3,0x57,0x57,0xA0,0xEA,0xFD,0x87,0xB8,0x30,0xE7, 357
331 358static const struct {
332 0x5b,0x01,0x25,0xe4,0xdb,0xea,0x0e,0xc7,0x20,0x6d, /* y */ 359 EC_CURVE_DATA h;
333 0xa0,0xfc,0x01,0xd9,0xb0,0x81,0x32,0x9f,0xb5,0x55, 360 unsigned char data[20 + 30 * 6];
334 0xde,0x6e,0xf4,0x60,0x23,0x7d,0xff,0x8b,0xe4,0xba, 361}
335 362 _EC_X9_62_PRIME_239V2 = {
336 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 363 {
337 0xFF,0xFF,0x80,0x00,0x00,0xCF,0xA7,0xE8,0x59,0x43, 364 NID_X9_62_prime_field, 20, 30, 1
338 0x77,0xD4,0x14,0xC0,0x38,0x21,0xBC,0x58,0x20,0x63 } 365 },
339 }; 366 {
340 367 0xE8, 0xB4, 0x01, 0x16, 0x04, 0x09, 0x53, 0x03, 0xCA, 0x3B, /* seed */
341static const struct { EC_CURVE_DATA h; unsigned char data[20+30*6]; } 368 0x80, 0x99, 0x98, 0x2B, 0xE0, 0x9F, 0xCB, 0x9A, 0xE6, 0x16,
342 _EC_X9_62_PRIME_239V3 = { 369
343 { NID_X9_62_prime_field,20,30,1 }, 370 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
344 { 0x7D,0x73,0x74,0x16,0x8F,0xFE,0x34,0x71,0xB6,0x0A, /* seed */ 371 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00,
345 0x85,0x76,0x86,0xA1,0x94,0x75,0xD3,0xBF,0xA2,0xFF, 372 0x00, 0x00, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
346 373
347 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 374 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
348 0xFF,0xFF,0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0x80,0x00, 375 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00,
349 0x00,0x00,0x00,0x00,0x7F,0xFF,0xFF,0xFF,0xFF,0xFF, 376 0x00, 0x00, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
350 377
351 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 378 0x61, 0x7F, 0xAB, 0x68, 0x32, 0x57, 0x6C, 0xBB, 0xFE, 0xD5, /* b */
352 0xFF,0xFF,0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0x80,0x00, 379 0x0D, 0x99, 0xF0, 0x24, 0x9C, 0x3F, 0xEE, 0x58, 0xB9, 0x4B,
353 0x00,0x00,0x00,0x00,0x7F,0xFF,0xFF,0xFF,0xFF,0xFC, 380 0xA0, 0x03, 0x8C, 0x7A, 0xE8, 0x4C, 0x8C, 0x83, 0x2F, 0x2C,
354 381
355 0x25,0x57,0x05,0xFA,0x2A,0x30,0x66,0x54,0xB1,0xF4, /* b */ 382 0x38, 0xAF, 0x09, 0xD9, 0x87, 0x27, 0x70, 0x51, 0x20, 0xC9, /* x */
356 0xCB,0x03,0xD6,0xA7,0x50,0xA3,0x0C,0x25,0x01,0x02, 383 0x21, 0xBB, 0x5E, 0x9E, 0x26, 0x29, 0x6A, 0x3C, 0xDC, 0xF2,
357 0xD4,0x98,0x87,0x17,0xD9,0xBA,0x15,0xAB,0x6D,0x3E, 384 0xF3, 0x57, 0x57, 0xA0, 0xEA, 0xFD, 0x87, 0xB8, 0x30, 0xE7,
358 385
359 0x67,0x68,0xAE,0x8E,0x18,0xBB,0x92,0xCF,0xCF,0x00, /* x */ 386 0x5b, 0x01, 0x25, 0xe4, 0xdb, 0xea, 0x0e, 0xc7, 0x20, 0x6d, /* y */
360 0x5C,0x94,0x9A,0xA2,0xC6,0xD9,0x48,0x53,0xD0,0xE6, 387 0xa0, 0xfc, 0x01, 0xd9, 0xb0, 0x81, 0x32, 0x9f, 0xb5, 0x55,
361 0x60,0xBB,0xF8,0x54,0xB1,0xC9,0x50,0x5F,0xE9,0x5A, 388 0xde, 0x6e, 0xf4, 0x60, 0x23, 0x7d, 0xff, 0x8b, 0xe4, 0xba,
362 389
363 0x16,0x07,0xe6,0x89,0x8f,0x39,0x0c,0x06,0xbc,0x1d, /* y */ 390 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
364 0x55,0x2b,0xad,0x22,0x6f,0x3b,0x6f,0xcf,0xe4,0x8b, 391 0xFF, 0xFF, 0x80, 0x00, 0x00, 0xCF, 0xA7, 0xE8, 0x59, 0x43,
365 0x6e,0x81,0x84,0x99,0xaf,0x18,0xe3,0xed,0x6c,0xf3, 392 0x77, 0xD4, 0x14, 0xC0, 0x38, 0x21, 0xBC, 0x58, 0x20, 0x63
366 393 }
367 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 394};
368 0xFF,0xFF,0x7F,0xFF,0xFF,0x97,0x5D,0xEB,0x41,0xB3, 395
369 0xA6,0x05,0x7C,0x3C,0x43,0x21,0x46,0x52,0x65,0x51 } 396static const struct {
370 }; 397 EC_CURVE_DATA h;
371 398 unsigned char data[20 + 30 * 6];
372 399}
373static const struct { EC_CURVE_DATA h; unsigned char data[20+32*6]; } 400 _EC_X9_62_PRIME_239V3 = {
374 _EC_X9_62_PRIME_256V1 = { 401 {
375 { NID_X9_62_prime_field,20,32,1 }, 402 NID_X9_62_prime_field, 20, 30, 1
376 { 0xC4,0x9D,0x36,0x08,0x86,0xE7,0x04,0x93,0x6A,0x66, /* seed */ 403 },
377 0x78,0xE1,0x13,0x9D,0x26,0xB7,0x81,0x9F,0x7E,0x90, 404 {
378 405 0x7D, 0x73, 0x74, 0x16, 0x8F, 0xFE, 0x34, 0x71, 0xB6, 0x0A, /* seed */
379 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01,0x00,0x00, /* p */ 406 0x85, 0x76, 0x86, 0xA1, 0x94, 0x75, 0xD3, 0xBF, 0xA2, 0xFF,
380 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 407
381 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 408 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
382 0xFF,0xFF, 409 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00,
383 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01,0x00,0x00, /* a */ 410 0x00, 0x00, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
384 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 411
385 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 412 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
386 0xFF,0xFC, 413 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00,
387 0x5A,0xC6,0x35,0xD8,0xAA,0x3A,0x93,0xE7,0xB3,0xEB, /* b */ 414 0x00, 0x00, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
388 0xBD,0x55,0x76,0x98,0x86,0xBC,0x65,0x1D,0x06,0xB0, 415
389 0xCC,0x53,0xB0,0xF6,0x3B,0xCE,0x3C,0x3E,0x27,0xD2, 416 0x25, 0x57, 0x05, 0xFA, 0x2A, 0x30, 0x66, 0x54, 0xB1, 0xF4, /* b */
390 0x60,0x4B, 417 0xCB, 0x03, 0xD6, 0xA7, 0x50, 0xA3, 0x0C, 0x25, 0x01, 0x02,
391 0x6B,0x17,0xD1,0xF2,0xE1,0x2C,0x42,0x47,0xF8,0xBC, /* x */ 418 0xD4, 0x98, 0x87, 0x17, 0xD9, 0xBA, 0x15, 0xAB, 0x6D, 0x3E,
392 0xE6,0xE5,0x63,0xA4,0x40,0xF2,0x77,0x03,0x7D,0x81, 419
393 0x2D,0xEB,0x33,0xA0,0xF4,0xA1,0x39,0x45,0xD8,0x98, 420 0x67, 0x68, 0xAE, 0x8E, 0x18, 0xBB, 0x92, 0xCF, 0xCF, 0x00, /* x */
394 0xC2,0x96, 421 0x5C, 0x94, 0x9A, 0xA2, 0xC6, 0xD9, 0x48, 0x53, 0xD0, 0xE6,
395 0x4f,0xe3,0x42,0xe2,0xfe,0x1a,0x7f,0x9b,0x8e,0xe7, /* y */ 422 0x60, 0xBB, 0xF8, 0x54, 0xB1, 0xC9, 0x50, 0x5F, 0xE9, 0x5A,
396 0xeb,0x4a,0x7c,0x0f,0x9e,0x16,0x2b,0xce,0x33,0x57, 423
397 0x6b,0x31,0x5e,0xce,0xcb,0xb6,0x40,0x68,0x37,0xbf, 424 0x16, 0x07, 0xe6, 0x89, 0x8f, 0x39, 0x0c, 0x06, 0xbc, 0x1d, /* y */
398 0x51,0xf5, 425 0x55, 0x2b, 0xad, 0x22, 0x6f, 0x3b, 0x6f, 0xcf, 0xe4, 0x8b,
399 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xFF,0xFF, /* order */ 426 0x6e, 0x81, 0x84, 0x99, 0xaf, 0x18, 0xe3, 0xed, 0x6c, 0xf3,
400 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xBC,0xE6,0xFA,0xAD, 427
401 0xA7,0x17,0x9E,0x84,0xF3,0xB9,0xCA,0xC2,0xFC,0x63, 428 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
402 0x25,0x51 } 429 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0x97, 0x5D, 0xEB, 0x41, 0xB3,
403 }; 430 0xA6, 0x05, 0x7C, 0x3C, 0x43, 0x21, 0x46, 0x52, 0x65, 0x51
431 }
432};
433
434
435static const struct {
436 EC_CURVE_DATA h;
437 unsigned char data[20 + 32 * 6];
438}
439 _EC_X9_62_PRIME_256V1 = {
440 {
441 NID_X9_62_prime_field, 20, 32, 1
442 },
443 {
444 0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, /* seed */
445 0x78, 0xE1, 0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
446
447 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, /* p */
448 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
449 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
450 0xFF, 0xFF,
451 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, /* a */
452 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
453 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
454 0xFF, 0xFC,
455 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, /* b */
456 0xBD, 0x55, 0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0,
457 0xCC, 0x53, 0xB0, 0xF6, 0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2,
458 0x60, 0x4B,
459 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, /* x */
460 0xE6, 0xE5, 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81,
461 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98,
462 0xC2, 0x96,
463 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, /* y */
464 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,
465 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf,
466 0x51, 0xf5,
467 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, /* order */
468 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD,
469 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63,
470 0x25, 0x51
471 }
472};
404 473
405/* the secg prime curves (minus the nist and x9.62 prime curves) */ 474/* the secg prime curves (minus the nist and x9.62 prime curves) */
406static const struct { EC_CURVE_DATA h; unsigned char data[20+14*6]; } 475static const struct {
407 _EC_SECG_PRIME_112R1 = { 476 EC_CURVE_DATA h;
408 { NID_X9_62_prime_field,20,14,1 }, 477 unsigned char data[20 + 14 * 6];
409 { 0x00,0xF5,0x0B,0x02,0x8E,0x4D,0x69,0x6E,0x67,0x68, /* seed */ 478}
410 0x75,0x61,0x51,0x75,0x29,0x04,0x72,0x78,0x3F,0xB1, 479 _EC_SECG_PRIME_112R1 = {
411 480 {
412 0xDB,0x7C,0x2A,0xBF,0x62,0xE3,0x5E,0x66,0x80,0x76, /* p */ 481 NID_X9_62_prime_field, 20, 14, 1
413 0xBE,0xAD,0x20,0x8B, 482 },
414 0xDB,0x7C,0x2A,0xBF,0x62,0xE3,0x5E,0x66,0x80,0x76, /* a */ 483 {
415 0xBE,0xAD,0x20,0x88, 484 0x00, 0xF5, 0x0B, 0x02, 0x8E, 0x4D, 0x69, 0x6E, 0x67, 0x68, /* seed */
416 0x65,0x9E,0xF8,0xBA,0x04,0x39,0x16,0xEE,0xDE,0x89, /* b */ 485 0x75, 0x61, 0x51, 0x75, 0x29, 0x04, 0x72, 0x78, 0x3F, 0xB1,
417 0x11,0x70,0x2B,0x22, 486
418 0x09,0x48,0x72,0x39,0x99,0x5A,0x5E,0xE7,0x6B,0x55, /* x */ 487 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, /* p */
419 0xF9,0xC2,0xF0,0x98, 488 0xBE, 0xAD, 0x20, 0x8B,
420 0xa8,0x9c,0xe5,0xaf,0x87,0x24,0xc0,0xa2,0x3e,0x0e, /* y */ 489 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, /* a */
421 0x0f,0xf7,0x75,0x00, 490 0xBE, 0xAD, 0x20, 0x88,
422 0xDB,0x7C,0x2A,0xBF,0x62,0xE3,0x5E,0x76,0x28,0xDF, /* order */ 491 0x65, 0x9E, 0xF8, 0xBA, 0x04, 0x39, 0x16, 0xEE, 0xDE, 0x89, /* b */
423 0xAC,0x65,0x61,0xC5 } 492 0x11, 0x70, 0x2B, 0x22,
424 }; 493 0x09, 0x48, 0x72, 0x39, 0x99, 0x5A, 0x5E, 0xE7, 0x6B, 0x55, /* x */
425 494 0xF9, 0xC2, 0xF0, 0x98,
426static const struct { EC_CURVE_DATA h; unsigned char data[20+14*6]; } 495 0xa8, 0x9c, 0xe5, 0xaf, 0x87, 0x24, 0xc0, 0xa2, 0x3e, 0x0e, /* y */
427 _EC_SECG_PRIME_112R2 = { 496 0x0f, 0xf7, 0x75, 0x00,
428 { NID_X9_62_prime_field,20,14,4 }, 497 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x76, 0x28, 0xDF, /* order */
429 { 0x00,0x27,0x57,0xA1,0x11,0x4D,0x69,0x6E,0x67,0x68, /* seed */ 498 0xAC, 0x65, 0x61, 0xC5
430 0x75,0x61,0x51,0x75,0x53,0x16,0xC0,0x5E,0x0B,0xD4, 499 }
431 500};
432 0xDB,0x7C,0x2A,0xBF,0x62,0xE3,0x5E,0x66,0x80,0x76, /* p */ 501
433 0xBE,0xAD,0x20,0x8B, 502static const struct {
434 0x61,0x27,0xC2,0x4C,0x05,0xF3,0x8A,0x0A,0xAA,0xF6, /* a */ 503 EC_CURVE_DATA h;
435 0x5C,0x0E,0xF0,0x2C, 504 unsigned char data[20 + 14 * 6];
436 0x51,0xDE,0xF1,0x81,0x5D,0xB5,0xED,0x74,0xFC,0xC3, /* b */ 505}
437 0x4C,0x85,0xD7,0x09, 506 _EC_SECG_PRIME_112R2 = {
438 0x4B,0xA3,0x0A,0xB5,0xE8,0x92,0xB4,0xE1,0x64,0x9D, /* x */ 507 {
439 0xD0,0x92,0x86,0x43, 508 NID_X9_62_prime_field, 20, 14, 4
440 0xad,0xcd,0x46,0xf5,0x88,0x2e,0x37,0x47,0xde,0xf3, /* y */ 509 },
441 0x6e,0x95,0x6e,0x97, 510 {
442 0x36,0xDF,0x0A,0xAF,0xD8,0xB8,0xD7,0x59,0x7C,0xA1, /* order */ 511 0x00, 0x27, 0x57, 0xA1, 0x11, 0x4D, 0x69, 0x6E, 0x67, 0x68, /* seed */
443 0x05,0x20,0xD0,0x4B } 512 0x75, 0x61, 0x51, 0x75, 0x53, 0x16, 0xC0, 0x5E, 0x0B, 0xD4,
444 }; 513
445 514 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, /* p */
446static const struct { EC_CURVE_DATA h; unsigned char data[20+16*6]; } 515 0xBE, 0xAD, 0x20, 0x8B,
447 _EC_SECG_PRIME_128R1 = { 516 0x61, 0x27, 0xC2, 0x4C, 0x05, 0xF3, 0x8A, 0x0A, 0xAA, 0xF6, /* a */
448 { NID_X9_62_prime_field,20,16,1 }, 517 0x5C, 0x0E, 0xF0, 0x2C,
449 { 0x00,0x0E,0x0D,0x4D,0x69,0x6E,0x67,0x68,0x75,0x61, /* seed */ 518 0x51, 0xDE, 0xF1, 0x81, 0x5D, 0xB5, 0xED, 0x74, 0xFC, 0xC3, /* b */
450 0x51,0x75,0x0C,0xC0,0x3A,0x44,0x73,0xD0,0x36,0x79, 519 0x4C, 0x85, 0xD7, 0x09,
451 520 0x4B, 0xA3, 0x0A, 0xB5, 0xE8, 0x92, 0xB4, 0xE1, 0x64, 0x9D, /* x */
452 0xFF,0xFF,0xFF,0xFD,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 521 0xD0, 0x92, 0x86, 0x43,
453 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 522 0xad, 0xcd, 0x46, 0xf5, 0x88, 0x2e, 0x37, 0x47, 0xde, 0xf3, /* y */
454 0xFF,0xFF,0xFF,0xFD,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 523 0x6e, 0x95, 0x6e, 0x97,
455 0xFF,0xFF,0xFF,0xFF,0xFF,0xFC, 524 0x36, 0xDF, 0x0A, 0xAF, 0xD8, 0xB8, 0xD7, 0x59, 0x7C, 0xA1, /* order */
456 0xE8,0x75,0x79,0xC1,0x10,0x79,0xF4,0x3D,0xD8,0x24, /* b */ 525 0x05, 0x20, 0xD0, 0x4B
457 0x99,0x3C,0x2C,0xEE,0x5E,0xD3, 526 }
458 0x16,0x1F,0xF7,0x52,0x8B,0x89,0x9B,0x2D,0x0C,0x28, /* x */ 527};
459 0x60,0x7C,0xA5,0x2C,0x5B,0x86, 528
460 0xcf,0x5a,0xc8,0x39,0x5b,0xaf,0xeb,0x13,0xc0,0x2d, /* y */ 529static const struct {
461 0xa2,0x92,0xdd,0xed,0x7a,0x83, 530 EC_CURVE_DATA h;
462 0xFF,0xFF,0xFF,0xFE,0x00,0x00,0x00,0x00,0x75,0xA3, /* order */ 531 unsigned char data[20 + 16 * 6];
463 0x0D,0x1B,0x90,0x38,0xA1,0x15 } 532}
464 }; 533 _EC_SECG_PRIME_128R1 = {
465 534 {
466static const struct { EC_CURVE_DATA h; unsigned char data[20+16*6]; } 535 NID_X9_62_prime_field, 20, 16, 1
467 _EC_SECG_PRIME_128R2 = { 536 },
468 { NID_X9_62_prime_field,20,16,4 }, 537 {
469 { 0x00,0x4D,0x69,0x6E,0x67,0x68,0x75,0x61,0x51,0x75, /* seed */ 538 0x00, 0x0E, 0x0D, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, /* seed */
470 0x12,0xD8,0xF0,0x34,0x31,0xFC,0xE6,0x3B,0x88,0xF4, 539 0x51, 0x75, 0x0C, 0xC0, 0x3A, 0x44, 0x73, 0xD0, 0x36, 0x79,
471 540
472 0xFF,0xFF,0xFF,0xFD,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 541 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
473 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 542 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
474 0xD6,0x03,0x19,0x98,0xD1,0xB3,0xBB,0xFE,0xBF,0x59, /* a */ 543 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
475 0xCC,0x9B,0xBF,0xF9,0xAE,0xE1, 544 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
476 0x5E,0xEE,0xFC,0xA3,0x80,0xD0,0x29,0x19,0xDC,0x2C, /* b */ 545 0xE8, 0x75, 0x79, 0xC1, 0x10, 0x79, 0xF4, 0x3D, 0xD8, 0x24, /* b */
477 0x65,0x58,0xBB,0x6D,0x8A,0x5D, 546 0x99, 0x3C, 0x2C, 0xEE, 0x5E, 0xD3,
478 0x7B,0x6A,0xA5,0xD8,0x5E,0x57,0x29,0x83,0xE6,0xFB, /* x */ 547 0x16, 0x1F, 0xF7, 0x52, 0x8B, 0x89, 0x9B, 0x2D, 0x0C, 0x28, /* x */
479 0x32,0xA7,0xCD,0xEB,0xC1,0x40, 548 0x60, 0x7C, 0xA5, 0x2C, 0x5B, 0x86,
480 0x27,0xb6,0x91,0x6a,0x89,0x4d,0x3a,0xee,0x71,0x06, /* y */ 549 0xcf, 0x5a, 0xc8, 0x39, 0x5b, 0xaf, 0xeb, 0x13, 0xc0, 0x2d, /* y */
481 0xfe,0x80,0x5f,0xc3,0x4b,0x44, 550 0xa2, 0x92, 0xdd, 0xed, 0x7a, 0x83,
482 0x3F,0xFF,0xFF,0xFF,0x7F,0xFF,0xFF,0xFF,0xBE,0x00, /* order */ 551 0xFF, 0xFF, 0xFF, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x75, 0xA3, /* order */
483 0x24,0x72,0x06,0x13,0xB5,0xA3 } 552 0x0D, 0x1B, 0x90, 0x38, 0xA1, 0x15
484 }; 553 }
485 554};
486static const struct { EC_CURVE_DATA h; unsigned char data[0+21*6]; } 555
487 _EC_SECG_PRIME_160K1 = { 556static const struct {
488 { NID_X9_62_prime_field,0,21,1 }, 557 EC_CURVE_DATA h;
489 { /* no seed */ 558 unsigned char data[20 + 16 * 6];
490 0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 559}
491 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xAC, 560 _EC_SECG_PRIME_128R2 = {
492 0x73, 561 {
493 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 562 NID_X9_62_prime_field, 20, 16, 4
494 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 563 },
495 0x00, 564 {
496 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 565 0x00, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, /* seed */
497 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 566 0x12, 0xD8, 0xF0, 0x34, 0x31, 0xFC, 0xE6, 0x3B, 0x88, 0xF4,
498 0x07, 567
499 0x00,0x3B,0x4C,0x38,0x2C,0xE3,0x7A,0xA1,0x92,0xA4, /* x */ 568 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
500 0x01,0x9E,0x76,0x30,0x36,0xF4,0xF5,0xDD,0x4D,0x7E, 569 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
501 0xBB, 570 0xD6, 0x03, 0x19, 0x98, 0xD1, 0xB3, 0xBB, 0xFE, 0xBF, 0x59, /* a */
502 0x00,0x93,0x8c,0xf9,0x35,0x31,0x8f,0xdc,0xed,0x6b, /* y */ 571 0xCC, 0x9B, 0xBF, 0xF9, 0xAE, 0xE1,
503 0xc2,0x82,0x86,0x53,0x17,0x33,0xc3,0xf0,0x3c,0x4f, 572 0x5E, 0xEE, 0xFC, 0xA3, 0x80, 0xD0, 0x29, 0x19, 0xDC, 0x2C, /* b */
504 0xee, 573 0x65, 0x58, 0xBB, 0x6D, 0x8A, 0x5D,
505 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 574 0x7B, 0x6A, 0xA5, 0xD8, 0x5E, 0x57, 0x29, 0x83, 0xE6, 0xFB, /* x */
506 0x01,0xB8,0xFA,0x16,0xDF,0xAB,0x9A,0xCA,0x16,0xB6, 575 0x32, 0xA7, 0xCD, 0xEB, 0xC1, 0x40,
507 0xB3 } 576 0x27, 0xb6, 0x91, 0x6a, 0x89, 0x4d, 0x3a, 0xee, 0x71, 0x06, /* y */
508 }; 577 0xfe, 0x80, 0x5f, 0xc3, 0x4b, 0x44,
509 578 0x3F, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xBE, 0x00, /* order */
510static const struct { EC_CURVE_DATA h; unsigned char data[20+21*6]; } 579 0x24, 0x72, 0x06, 0x13, 0xB5, 0xA3
511 _EC_SECG_PRIME_160R1 = { 580 }
512 { NID_X9_62_prime_field,20,21,1 }, 581};
513 { 0x10,0x53,0xCD,0xE4,0x2C,0x14,0xD6,0x96,0xE6,0x76, /* seed */ 582
514 0x87,0x56,0x15,0x17,0x53,0x3B,0xF3,0xF8,0x33,0x45, 583static const struct {
515 584 EC_CURVE_DATA h;
516 0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 585 unsigned char data[0 + 21 * 6];
517 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0x7F,0xFF,0xFF, 586}
518 0xFF, 587 _EC_SECG_PRIME_160K1 = {
519 0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 588 {
520 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0x7F,0xFF,0xFF, 589 NID_X9_62_prime_field, 0, 21, 1
521 0xFC, 590 },
522 0x00,0x1C,0x97,0xBE,0xFC,0x54,0xBD,0x7A,0x8B,0x65, /* b */ 591 { /* no seed */
523 0xAC,0xF8,0x9F,0x81,0xD4,0xD4,0xAD,0xC5,0x65,0xFA, 592 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
524 0x45, 593 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC,
525 0x00,0x4A,0x96,0xB5,0x68,0x8E,0xF5,0x73,0x28,0x46, /* x */ 594 0x73,
526 0x64,0x69,0x89,0x68,0xC3,0x8B,0xB9,0x13,0xCB,0xFC, 595 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
527 0x82, 596 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
528 0x00,0x23,0xa6,0x28,0x55,0x31,0x68,0x94,0x7d,0x59, /* y */ 597 0x00,
529 0xdc,0xc9,0x12,0x04,0x23,0x51,0x37,0x7a,0xc5,0xfb, 598 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
530 0x32, 599 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
531 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 600 0x07,
532 0x01,0xF4,0xC8,0xF9,0x27,0xAE,0xD3,0xCA,0x75,0x22, 601 0x00, 0x3B, 0x4C, 0x38, 0x2C, 0xE3, 0x7A, 0xA1, 0x92, 0xA4, /* x */
533 0x57 } 602 0x01, 0x9E, 0x76, 0x30, 0x36, 0xF4, 0xF5, 0xDD, 0x4D, 0x7E,
534 }; 603 0xBB,
535 604 0x00, 0x93, 0x8c, 0xf9, 0x35, 0x31, 0x8f, 0xdc, 0xed, 0x6b, /* y */
536static const struct { EC_CURVE_DATA h; unsigned char data[20+21*6]; } 605 0xc2, 0x82, 0x86, 0x53, 0x17, 0x33, 0xc3, 0xf0, 0x3c, 0x4f,
537 _EC_SECG_PRIME_160R2 = { 606 0xee,
538 { NID_X9_62_prime_field,20,21,1 }, 607 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
539 { 0xB9,0x9B,0x99,0xB0,0x99,0xB3,0x23,0xE0,0x27,0x09, /* seed */ 608 0x01, 0xB8, 0xFA, 0x16, 0xDF, 0xAB, 0x9A, 0xCA, 0x16, 0xB6,
540 0xA4,0xD6,0x96,0xE6,0x76,0x87,0x56,0x15,0x17,0x51, 609 0xB3
541 610 }
542 0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 611};
543 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xAC, 612
544 0x73, 613static const struct {
545 0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 614 EC_CURVE_DATA h;
546 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xAC, 615 unsigned char data[20 + 21 * 6];
547 0x70, 616}
548 0x00,0xB4,0xE1,0x34,0xD3,0xFB,0x59,0xEB,0x8B,0xAB, /* b */ 617 _EC_SECG_PRIME_160R1 = {
549 0x57,0x27,0x49,0x04,0x66,0x4D,0x5A,0xF5,0x03,0x88, 618 {
550 0xBA, 619 NID_X9_62_prime_field, 20, 21, 1
551 0x00,0x52,0xDC,0xB0,0x34,0x29,0x3A,0x11,0x7E,0x1F, /* x */ 620 },
552 0x4F,0xF1,0x1B,0x30,0xF7,0x19,0x9D,0x31,0x44,0xCE, 621 {
553 0x6D, 622 0x10, 0x53, 0xCD, 0xE4, 0x2C, 0x14, 0xD6, 0x96, 0xE6, 0x76, /* seed */
554 0x00,0xfe,0xaf,0xfe,0xf2,0xe3,0x31,0xf2,0x96,0xe0, /* y */ 623 0x87, 0x56, 0x15, 0x17, 0x53, 0x3B, 0xF3, 0xF8, 0x33, 0x45,
555 0x71,0xfa,0x0d,0xf9,0x98,0x2c,0xfe,0xa7,0xd4,0x3f, 624
556 0x2e, 625 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
557 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 626 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF,
558 0x00,0x35,0x1E,0xE7,0x86,0xA8,0x18,0xF3,0xA1,0xA1, 627 0xFF,
559 0x6B } 628 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
560 }; 629 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF,
561 630 0xFC,
562static const struct { EC_CURVE_DATA h; unsigned char data[0+24*6]; } 631 0x00, 0x1C, 0x97, 0xBE, 0xFC, 0x54, 0xBD, 0x7A, 0x8B, 0x65, /* b */
563 _EC_SECG_PRIME_192K1 = { 632 0xAC, 0xF8, 0x9F, 0x81, 0xD4, 0xD4, 0xAD, 0xC5, 0x65, 0xFA,
564 { NID_X9_62_prime_field,0,24,1 }, 633 0x45,
565 { /* no seed */ 634 0x00, 0x4A, 0x96, 0xB5, 0x68, 0x8E, 0xF5, 0x73, 0x28, 0x46, /* x */
566 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 635 0x64, 0x69, 0x89, 0x68, 0xC3, 0x8B, 0xB9, 0x13, 0xCB, 0xFC,
567 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, 636 0x82,
568 0xFF,0xFF,0xEE,0x37, 637 0x00, 0x23, 0xa6, 0x28, 0x55, 0x31, 0x68, 0x94, 0x7d, 0x59, /* y */
569 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 638 0xdc, 0xc9, 0x12, 0x04, 0x23, 0x51, 0x37, 0x7a, 0xc5, 0xfb,
570 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 639 0x32,
571 0x00,0x00,0x00,0x00, 640 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
572 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 641 0x01, 0xF4, 0xC8, 0xF9, 0x27, 0xAE, 0xD3, 0xCA, 0x75, 0x22,
573 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 642 0x57
574 0x00,0x00,0x00,0x03, 643 }
575 0xDB,0x4F,0xF1,0x0E,0xC0,0x57,0xE9,0xAE,0x26,0xB0, /* x */ 644};
576 0x7D,0x02,0x80,0xB7,0xF4,0x34,0x1D,0xA5,0xD1,0xB1, 645
577 0xEA,0xE0,0x6C,0x7D, 646static const struct {
578 0x9b,0x2f,0x2f,0x6d,0x9c,0x56,0x28,0xa7,0x84,0x41, /* y */ 647 EC_CURVE_DATA h;
579 0x63,0xd0,0x15,0xbe,0x86,0x34,0x40,0x82,0xaa,0x88, 648 unsigned char data[20 + 21 * 6];
580 0xd9,0x5e,0x2f,0x9d, 649}
581 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 650 _EC_SECG_PRIME_160R2 = {
582 0xFF,0xFE,0x26,0xF2,0xFC,0x17,0x0F,0x69,0x46,0x6A, 651 {
583 0x74,0xDE,0xFD,0x8D } 652 NID_X9_62_prime_field, 20, 21, 1
584 }; 653 },
585 654 {
586static const struct { EC_CURVE_DATA h; unsigned char data[0+29*6]; } 655 0xB9, 0x9B, 0x99, 0xB0, 0x99, 0xB3, 0x23, 0xE0, 0x27, 0x09, /* seed */
587 _EC_SECG_PRIME_224K1 = { 656 0xA4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x51,
588 { NID_X9_62_prime_field,0,29,1 }, 657
589 { /* no seed */ 658 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
590 0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 659 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC,
591 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 660 0x73,
592 0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xE5,0x6D, 661 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
593 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 662 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC,
594 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 663 0x70,
595 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 664 0x00, 0xB4, 0xE1, 0x34, 0xD3, 0xFB, 0x59, 0xEB, 0x8B, 0xAB, /* b */
596 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 665 0x57, 0x27, 0x49, 0x04, 0x66, 0x4D, 0x5A, 0xF5, 0x03, 0x88,
597 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 666 0xBA,
598 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x05, 667 0x00, 0x52, 0xDC, 0xB0, 0x34, 0x29, 0x3A, 0x11, 0x7E, 0x1F, /* x */
599 0x00,0xA1,0x45,0x5B,0x33,0x4D,0xF0,0x99,0xDF,0x30, /* x */ 668 0x4F, 0xF1, 0x1B, 0x30, 0xF7, 0x19, 0x9D, 0x31, 0x44, 0xCE,
600 0xFC,0x28,0xA1,0x69,0xA4,0x67,0xE9,0xE4,0x70,0x75, 669 0x6D,
601 0xA9,0x0F,0x7E,0x65,0x0E,0xB6,0xB7,0xA4,0x5C, 670 0x00, 0xfe, 0xaf, 0xfe, 0xf2, 0xe3, 0x31, 0xf2, 0x96, 0xe0, /* y */
602 0x00,0x7e,0x08,0x9f,0xed,0x7f,0xba,0x34,0x42,0x82, /* y */ 671 0x71, 0xfa, 0x0d, 0xf9, 0x98, 0x2c, 0xfe, 0xa7, 0xd4, 0x3f,
603 0xca,0xfb,0xd6,0xf7,0xe3,0x19,0xf7,0xc0,0xb0,0xbd, 672 0x2e,
604 0x59,0xe2,0xca,0x4b,0xdb,0x55,0x6d,0x61,0xa5, 673 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
605 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 674 0x00, 0x35, 0x1E, 0xE7, 0x86, 0xA8, 0x18, 0xF3, 0xA1, 0xA1,
606 0x00,0x00,0x00,0x00,0x01,0xDC,0xE8,0xD2,0xEC,0x61, 675 0x6B
607 0x84,0xCA,0xF0,0xA9,0x71,0x76,0x9F,0xB1,0xF7 } 676 }
608 }; 677};
609 678
610static const struct { EC_CURVE_DATA h; unsigned char data[0+32*6]; } 679static const struct {
611 _EC_SECG_PRIME_256K1 = { 680 EC_CURVE_DATA h;
612 { NID_X9_62_prime_field,0,32,1 }, 681 unsigned char data[0 + 24 * 6];
613 { /* no seed */ 682}
614 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 683 _EC_SECG_PRIME_192K1 = {
615 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 684 {
616 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF, 685 NID_X9_62_prime_field, 0, 24, 1
617 0xFC,0x2F, 686 },
618 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 687 { /* no seed */
619 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 688 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
620 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 689 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
621 0x00,0x00, 690 0xFF, 0xFF, 0xEE, 0x37,
622 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 691 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
623 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
624 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 693 0x00, 0x00, 0x00, 0x00,
625 0x00,0x07, 694 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
626 0x79,0xBE,0x66,0x7E,0xF9,0xDC,0xBB,0xAC,0x55,0xA0, /* x */ 695 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
627 0x62,0x95,0xCE,0x87,0x0B,0x07,0x02,0x9B,0xFC,0xDB, 696 0x00, 0x00, 0x00, 0x03,
628 0x2D,0xCE,0x28,0xD9,0x59,0xF2,0x81,0x5B,0x16,0xF8, 697 0xDB, 0x4F, 0xF1, 0x0E, 0xC0, 0x57, 0xE9, 0xAE, 0x26, 0xB0, /* x */
629 0x17,0x98, 698 0x7D, 0x02, 0x80, 0xB7, 0xF4, 0x34, 0x1D, 0xA5, 0xD1, 0xB1,
630 0x48,0x3a,0xda,0x77,0x26,0xa3,0xc4,0x65,0x5d,0xa4, /* y */ 699 0xEA, 0xE0, 0x6C, 0x7D,
631 0xfb,0xfc,0x0e,0x11,0x08,0xa8,0xfd,0x17,0xb4,0x48, 700 0x9b, 0x2f, 0x2f, 0x6d, 0x9c, 0x56, 0x28, 0xa7, 0x84, 0x41, /* y */
632 0xa6,0x85,0x54,0x19,0x9c,0x47,0xd0,0x8f,0xfb,0x10, 701 0x63, 0xd0, 0x15, 0xbe, 0x86, 0x34, 0x40, 0x82, 0xaa, 0x88,
633 0xd4,0xb8, 702 0xd9, 0x5e, 0x2f, 0x9d,
634 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 703 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
635 0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xBA,0xAE,0xDC,0xE6, 704 0xFF, 0xFE, 0x26, 0xF2, 0xFC, 0x17, 0x0F, 0x69, 0x46, 0x6A,
636 0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E,0x8C,0xD0,0x36, 705 0x74, 0xDE, 0xFD, 0x8D
637 0x41,0x41 } 706 }
638 }; 707};
708
709static const struct {
710 EC_CURVE_DATA h;
711 unsigned char data[0 + 29 * 6];
712}
713 _EC_SECG_PRIME_224K1 = {
714 {
715 NID_X9_62_prime_field, 0, 29, 1
716 },
717 { /* no seed */
718 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
719 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
720 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xE5, 0x6D,
721 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
722 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
723 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
724 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
725 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
726 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
727 0x00, 0xA1, 0x45, 0x5B, 0x33, 0x4D, 0xF0, 0x99, 0xDF, 0x30, /* x */
728 0xFC, 0x28, 0xA1, 0x69, 0xA4, 0x67, 0xE9, 0xE4, 0x70, 0x75,
729 0xA9, 0x0F, 0x7E, 0x65, 0x0E, 0xB6, 0xB7, 0xA4, 0x5C,
730 0x00, 0x7e, 0x08, 0x9f, 0xed, 0x7f, 0xba, 0x34, 0x42, 0x82, /* y */
731 0xca, 0xfb, 0xd6, 0xf7, 0xe3, 0x19, 0xf7, 0xc0, 0xb0, 0xbd,
732 0x59, 0xe2, 0xca, 0x4b, 0xdb, 0x55, 0x6d, 0x61, 0xa5,
733 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
734 0x00, 0x00, 0x00, 0x00, 0x01, 0xDC, 0xE8, 0xD2, 0xEC, 0x61,
735 0x84, 0xCA, 0xF0, 0xA9, 0x71, 0x76, 0x9F, 0xB1, 0xF7
736 }
737};
738
739static const struct {
740 EC_CURVE_DATA h;
741 unsigned char data[0 + 32 * 6];
742}
743 _EC_SECG_PRIME_256K1 = {
744 {
745 NID_X9_62_prime_field, 0, 32, 1
746 },
747 { /* no seed */
748 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
749 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
750 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF,
751 0xFC, 0x2F,
752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
753 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
754 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
755 0x00, 0x00,
756 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
757 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
758 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
759 0x00, 0x07,
760 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, /* x */
761 0x62, 0x95, 0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB,
762 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8,
763 0x17, 0x98,
764 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, /* y */
765 0xfb, 0xfc, 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48,
766 0xa6, 0x85, 0x54, 0x19, 0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10,
767 0xd4, 0xb8,
768 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
769 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6,
770 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36,
771 0x41, 0x41
772 }
773};
639 774
640/* some wap/wtls curves */ 775/* some wap/wtls curves */
641static const struct { EC_CURVE_DATA h; unsigned char data[0+15*6]; } 776static const struct {
642 _EC_WTLS_8 = { 777 EC_CURVE_DATA h;
643 { NID_X9_62_prime_field,0,15,1 }, 778 unsigned char data[0 + 15 * 6];
644 { /* no seed */ 779}
645 0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 780 _EC_WTLS_8 = {
646 0xFF,0xFF,0xFF,0xFD,0xE7, 781 {
647 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 782 NID_X9_62_prime_field, 0, 15, 1
648 0x00,0x00,0x00,0x00,0x00, 783 },
649 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 784 { /* no seed */
650 0x00,0x00,0x00,0x00,0x03, 785 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
651 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* x */ 786 0xFF, 0xFF, 0xFF, 0xFD, 0xE7,
652 0x00,0x00,0x00,0x00,0x01, 787 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
653 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* y */ 788 0x00, 0x00, 0x00, 0x00, 0x00,
654 0x00,0x00,0x00,0x00,0x02, 789 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
655 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0xEC,0xEA, /* order */ 790 0x00, 0x00, 0x00, 0x00, 0x03,
656 0x55,0x1A,0xD8,0x37,0xE9 } 791 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */
657 }; 792 0x00, 0x00, 0x00, 0x00, 0x01,
658 793 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* y */
659static const struct { EC_CURVE_DATA h; unsigned char data[0+21*6]; } 794 0x00, 0x00, 0x00, 0x00, 0x02,
660 _EC_WTLS_9 = { 795 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xEC, 0xEA, /* order */
661 { NID_X9_62_prime_field,0,21,1 }, 796 0x55, 0x1A, 0xD8, 0x37, 0xE9
662 { /* no seed */ 797 }
663 0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 798};
664 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFC,0x80, 799
665 0x8F, 800static const struct {
666 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 801 EC_CURVE_DATA h;
667 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 802 unsigned char data[0 + 21 * 6];
668 0x00, 803}
669 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 804 _EC_WTLS_9 = {
670 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 805 {
671 0x03, 806 NID_X9_62_prime_field, 0, 21, 1
672 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* x */ 807 },
673 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 808 { /* no seed */
674 0x01, 809 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
675 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* y */ 810 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, 0x80,
676 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 811 0x8F,
677 0x02, 812 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
678 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 813 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
679 0x01,0xCD,0xC9,0x8A,0xE0,0xE2,0xDE,0x57,0x4A,0xBF, 814 0x00,
680 0x33 } 815 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
681 }; 816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
682 817 0x03,
683static const struct { EC_CURVE_DATA h; unsigned char data[0+28*6]; } 818 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */
684 _EC_WTLS_12 = { 819 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
685 { NID_X9_62_prime_field,0,28,1 }, 820 0x01,
686 { /* no seed */ 821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* y */
687 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */ 822 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
688 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00, 823 0x02,
689 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, 824 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
690 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */ 825 0x01, 0xCD, 0xC9, 0x8A, 0xE0, 0xE2, 0xDE, 0x57, 0x4A, 0xBF,
691 0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0xFF, 826 0x33
692 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, 827 }
693 0xB4,0x05,0x0A,0x85,0x0C,0x04,0xB3,0xAB,0xF5,0x41, /* b */ 828};
694 0x32,0x56,0x50,0x44,0xB0,0xB7,0xD7,0xBF,0xD8,0xBA, 829
695 0x27,0x0B,0x39,0x43,0x23,0x55,0xFF,0xB4, 830static const struct {
696 0xB7,0x0E,0x0C,0xBD,0x6B,0xB4,0xBF,0x7F,0x32,0x13, /* x */ 831 EC_CURVE_DATA h;
697 0x90,0xB9,0x4A,0x03,0xC1,0xD3,0x56,0xC2,0x11,0x22, 832 unsigned char data[0 + 28 * 6];
698 0x34,0x32,0x80,0xD6,0x11,0x5C,0x1D,0x21, 833}
699 0xbd,0x37,0x63,0x88,0xb5,0xf7,0x23,0xfb,0x4c,0x22, /* y */ 834 _EC_WTLS_12 = {
700 0xdf,0xe6,0xcd,0x43,0x75,0xa0,0x5a,0x07,0x47,0x64, 835 {
701 0x44,0xd5,0x81,0x99,0x85,0x00,0x7e,0x34, 836 NID_X9_62_prime_field, 0, 28, 1
702 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 837 },
703 0xFF,0xFF,0xFF,0xFF,0x16,0xA2,0xE0,0xB8,0xF0,0x3E, 838 { /* no seed */
704 0x13,0xDD,0x29,0x45,0x5C,0x5C,0x2A,0x3D } 839 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
705 }; 840 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,
841 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
842 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
843 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
844 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
845 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, /* b */
846 0x32, 0x56, 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA,
847 0x27, 0x0B, 0x39, 0x43, 0x23, 0x55, 0xFF, 0xB4,
848 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, /* x */
849 0x90, 0xB9, 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22,
850 0x34, 0x32, 0x80, 0xD6, 0x11, 0x5C, 0x1D, 0x21,
851 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, /* y */
852 0xdf, 0xe6, 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64,
853 0x44, 0xd5, 0x81, 0x99, 0x85, 0x00, 0x7e, 0x34,
854 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
855 0xFF, 0xFF, 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E,
856 0x13, 0xDD, 0x29, 0x45, 0x5C, 0x5C, 0x2A, 0x3D
857 }
858};
706 859
707#ifndef OPENSSL_NO_EC2M 860#ifndef OPENSSL_NO_EC2M
708 861
709/* characteristic two curves */ 862/* characteristic two curves */
710static const struct { EC_CURVE_DATA h; unsigned char data[20+15*6]; } 863static const struct {
711 _EC_SECG_CHAR2_113R1 = { 864 EC_CURVE_DATA h;
712 { NID_X9_62_characteristic_two_field,20,15,2 }, 865 unsigned char data[20 + 15 * 6];
713 { 0x10,0xE7,0x23,0xAB,0x14,0xD6,0x96,0xE6,0x76,0x87, /* seed */ 866}
714 0x56,0x15,0x17,0x56,0xFE,0xBF,0x8F,0xCB,0x49,0xA9, 867 _EC_SECG_CHAR2_113R1 = {
715 868 {
716 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 869 NID_X9_62_characteristic_two_field, 20, 15, 2
717 0x00,0x00,0x00,0x02,0x01, 870 },
718 0x00,0x30,0x88,0x25,0x0C,0xA6,0xE7,0xC7,0xFE,0x64, /* a */ 871 {
719 0x9C,0xE8,0x58,0x20,0xF7, 872 0x10, 0xE7, 0x23, 0xAB, 0x14, 0xD6, 0x96, 0xE6, 0x76, 0x87, /* seed */
720 0x00,0xE8,0xBE,0xE4,0xD3,0xE2,0x26,0x07,0x44,0x18, /* b */ 873 0x56, 0x15, 0x17, 0x56, 0xFE, 0xBF, 0x8F, 0xCB, 0x49, 0xA9,
721 0x8B,0xE0,0xE9,0xC7,0x23, 874
722 0x00,0x9D,0x73,0x61,0x6F,0x35,0xF4,0xAB,0x14,0x07, /* x */ 875 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
723 0xD7,0x35,0x62,0xC1,0x0F, 876 0x00, 0x00, 0x00, 0x02, 0x01,
724 0x00,0xA5,0x28,0x30,0x27,0x79,0x58,0xEE,0x84,0xD1, /* y */ 877 0x00, 0x30, 0x88, 0x25, 0x0C, 0xA6, 0xE7, 0xC7, 0xFE, 0x64, /* a */
725 0x31,0x5E,0xD3,0x18,0x86, 878 0x9C, 0xE8, 0x58, 0x20, 0xF7,
726 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xD9,0xCC, /* order */ 879 0x00, 0xE8, 0xBE, 0xE4, 0xD3, 0xE2, 0x26, 0x07, 0x44, 0x18, /* b */
727 0xEC,0x8A,0x39,0xE5,0x6F } 880 0x8B, 0xE0, 0xE9, 0xC7, 0x23,
728 }; 881 0x00, 0x9D, 0x73, 0x61, 0x6F, 0x35, 0xF4, 0xAB, 0x14, 0x07, /* x */
729 882 0xD7, 0x35, 0x62, 0xC1, 0x0F,
730static const struct { EC_CURVE_DATA h; unsigned char data[20+15*6]; } 883 0x00, 0xA5, 0x28, 0x30, 0x27, 0x79, 0x58, 0xEE, 0x84, 0xD1, /* y */
731 _EC_SECG_CHAR2_113R2 = { 884 0x31, 0x5E, 0xD3, 0x18, 0x86,
732 { NID_X9_62_characteristic_two_field,20,15,2 }, 885 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD9, 0xCC, /* order */
733 { 0x10,0xC0,0xFB,0x15,0x76,0x08,0x60,0xDE,0xF1,0xEE, /* seed */ 886 0xEC, 0x8A, 0x39, 0xE5, 0x6F
734 0xF4,0xD6,0x96,0xE6,0x76,0x87,0x56,0x15,0x17,0x5D, 887 }
735 888};
736 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 889
737 0x00,0x00,0x00,0x02,0x01, 890static const struct {
738 0x00,0x68,0x99,0x18,0xDB,0xEC,0x7E,0x5A,0x0D,0xD6, /* a */ 891 EC_CURVE_DATA h;
739 0xDF,0xC0,0xAA,0x55,0xC7, 892 unsigned char data[20 + 15 * 6];
740 0x00,0x95,0xE9,0xA9,0xEC,0x9B,0x29,0x7B,0xD4,0xBF, /* b */ 893}
741 0x36,0xE0,0x59,0x18,0x4F, 894 _EC_SECG_CHAR2_113R2 = {
742 0x01,0xA5,0x7A,0x6A,0x7B,0x26,0xCA,0x5E,0xF5,0x2F, /* x */ 895 {
743 0xCD,0xB8,0x16,0x47,0x97, 896 NID_X9_62_characteristic_two_field, 20, 15, 2
744 0x00,0xB3,0xAD,0xC9,0x4E,0xD1,0xFE,0x67,0x4C,0x06, /* y */ 897 },
745 0xE6,0x95,0xBA,0xBA,0x1D, 898 {
746 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x08,0x78, /* order */ 899 0x10, 0xC0, 0xFB, 0x15, 0x76, 0x08, 0x60, 0xDE, 0xF1, 0xEE, /* seed */
747 0x9B,0x24,0x96,0xAF,0x93 } 900 0xF4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x5D,
748 }; 901
749 902 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
750static const struct { EC_CURVE_DATA h; unsigned char data[20+17*6]; } 903 0x00, 0x00, 0x00, 0x02, 0x01,
751 _EC_SECG_CHAR2_131R1 = { 904 0x00, 0x68, 0x99, 0x18, 0xDB, 0xEC, 0x7E, 0x5A, 0x0D, 0xD6, /* a */
752 { NID_X9_62_characteristic_two_field,20,17,2 }, 905 0xDF, 0xC0, 0xAA, 0x55, 0xC7,
753 { 0x4D,0x69,0x6E,0x67,0x68,0x75,0x61,0x51,0x75,0x98, /* seed */ 906 0x00, 0x95, 0xE9, 0xA9, 0xEC, 0x9B, 0x29, 0x7B, 0xD4, 0xBF, /* b */
754 0x5B,0xD3,0xAD,0xBA,0xDA,0x21,0xB4,0x3A,0x97,0xE2, 907 0x36, 0xE0, 0x59, 0x18, 0x4F,
755 908 0x01, 0xA5, 0x7A, 0x6A, 0x7B, 0x26, 0xCA, 0x5E, 0xF5, 0x2F, /* x */
756 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 909 0xCD, 0xB8, 0x16, 0x47, 0x97,
757 0x00,0x00,0x00,0x00,0x00,0x01,0x0D, 910 0x00, 0xB3, 0xAD, 0xC9, 0x4E, 0xD1, 0xFE, 0x67, 0x4C, 0x06, /* y */
758 0x07,0xA1,0x1B,0x09,0xA7,0x6B,0x56,0x21,0x44,0x41, /* a */ 911 0xE6, 0x95, 0xBA, 0xBA, 0x1D,
759 0x8F,0xF3,0xFF,0x8C,0x25,0x70,0xB8, 912 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x78, /* order */
760 0x02,0x17,0xC0,0x56,0x10,0x88,0x4B,0x63,0xB9,0xC6, /* b */ 913 0x9B, 0x24, 0x96, 0xAF, 0x93
761 0xC7,0x29,0x16,0x78,0xF9,0xD3,0x41, 914 }
762 0x00,0x81,0xBA,0xF9,0x1F,0xDF,0x98,0x33,0xC4,0x0F, /* x */ 915};
763 0x9C,0x18,0x13,0x43,0x63,0x83,0x99, 916
764 0x07,0x8C,0x6E,0x7E,0xA3,0x8C,0x00,0x1F,0x73,0xC8, /* y */ 917static const struct {
765 0x13,0x4B,0x1B,0x4E,0xF9,0xE1,0x50, 918 EC_CURVE_DATA h;
766 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x31, /* order */ 919 unsigned char data[20 + 17 * 6];
767 0x23,0x95,0x3A,0x94,0x64,0xB5,0x4D } 920}
768 }; 921 _EC_SECG_CHAR2_131R1 = {
769 922 {
770static const struct { EC_CURVE_DATA h; unsigned char data[20+17*6]; } 923 NID_X9_62_characteristic_two_field, 20, 17, 2
771 _EC_SECG_CHAR2_131R2 = { 924 },
772 { NID_X9_62_characteristic_two_field,20,17,2 }, 925 {
773 { 0x98,0x5B,0xD3,0xAD,0xBA,0xD4,0xD6,0x96,0xE6,0x76, /* seed */ 926 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, 0x98, /* seed */
774 0x87,0x56,0x15,0x17,0x5A,0x21,0xB4,0x3A,0x97,0xE3, 927 0x5B, 0xD3, 0xAD, 0xBA, 0xDA, 0x21, 0xB4, 0x3A, 0x97, 0xE2,
775 928
776 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 929 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
777 0x00,0x00,0x00,0x00,0x00,0x01,0x0D, 930 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x0D,
778 0x03,0xE5,0xA8,0x89,0x19,0xD7,0xCA,0xFC,0xBF,0x41, /* a */ 931 0x07, 0xA1, 0x1B, 0x09, 0xA7, 0x6B, 0x56, 0x21, 0x44, 0x41, /* a */
779 0x5F,0x07,0xC2,0x17,0x65,0x73,0xB2, 932 0x8F, 0xF3, 0xFF, 0x8C, 0x25, 0x70, 0xB8,
780 0x04,0xB8,0x26,0x6A,0x46,0xC5,0x56,0x57,0xAC,0x73, /* b */ 933 0x02, 0x17, 0xC0, 0x56, 0x10, 0x88, 0x4B, 0x63, 0xB9, 0xC6, /* b */
781 0x4C,0xE3,0x8F,0x01,0x8F,0x21,0x92, 934 0xC7, 0x29, 0x16, 0x78, 0xF9, 0xD3, 0x41,
782 0x03,0x56,0xDC,0xD8,0xF2,0xF9,0x50,0x31,0xAD,0x65, /* x */ 935 0x00, 0x81, 0xBA, 0xF9, 0x1F, 0xDF, 0x98, 0x33, 0xC4, 0x0F, /* x */
783 0x2D,0x23,0x95,0x1B,0xB3,0x66,0xA8, 936 0x9C, 0x18, 0x13, 0x43, 0x63, 0x83, 0x99,
784 0x06,0x48,0xF0,0x6D,0x86,0x79,0x40,0xA5,0x36,0x6D, /* y */ 937 0x07, 0x8C, 0x6E, 0x7E, 0xA3, 0x8C, 0x00, 0x1F, 0x73, 0xC8, /* y */
785 0x9E,0x26,0x5D,0xE9,0xEB,0x24,0x0F, 938 0x13, 0x4B, 0x1B, 0x4E, 0xF9, 0xE1, 0x50,
786 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x69, /* order */ 939 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x31, /* order */
787 0x54,0xA2,0x33,0x04,0x9B,0xA9,0x8F } 940 0x23, 0x95, 0x3A, 0x94, 0x64, 0xB5, 0x4D
788 }; 941 }
789 942};
790static const struct { EC_CURVE_DATA h; unsigned char data[0+21*6]; } 943
791 _EC_NIST_CHAR2_163K = { 944static const struct {
792 { NID_X9_62_characteristic_two_field,0,21,2 }, 945 EC_CURVE_DATA h;
793 { /* no seed */ 946 unsigned char data[20 + 17 * 6];
794 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 947}
795 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 948 _EC_SECG_CHAR2_131R2 = {
796 0xC9, 949 {
797 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 950 NID_X9_62_characteristic_two_field, 20, 17, 2
798 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 951 },
799 0x01, 952 {
800 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 953 0x98, 0x5B, 0xD3, 0xAD, 0xBA, 0xD4, 0xD6, 0x96, 0xE6, 0x76, /* seed */
801 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 954 0x87, 0x56, 0x15, 0x17, 0x5A, 0x21, 0xB4, 0x3A, 0x97, 0xE3,
802 0x01, 955
803 0x02,0xFE,0x13,0xC0,0x53,0x7B,0xBC,0x11,0xAC,0xAA, /* x */ 956 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
804 0x07,0xD7,0x93,0xDE,0x4E,0x6D,0x5E,0x5C,0x94,0xEE, 957 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x0D,
805 0xE8, 958 0x03, 0xE5, 0xA8, 0x89, 0x19, 0xD7, 0xCA, 0xFC, 0xBF, 0x41, /* a */
806 0x02,0x89,0x07,0x0F,0xB0,0x5D,0x38,0xFF,0x58,0x32, /* y */ 959 0x5F, 0x07, 0xC2, 0x17, 0x65, 0x73, 0xB2,
807 0x1F,0x2E,0x80,0x05,0x36,0xD5,0x38,0xCC,0xDA,0xA3, 960 0x04, 0xB8, 0x26, 0x6A, 0x46, 0xC5, 0x56, 0x57, 0xAC, 0x73, /* b */
808 0xD9, 961 0x4C, 0xE3, 0x8F, 0x01, 0x8F, 0x21, 0x92,
809 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 962 0x03, 0x56, 0xDC, 0xD8, 0xF2, 0xF9, 0x50, 0x31, 0xAD, 0x65, /* x */
810 0x02,0x01,0x08,0xA2,0xE0,0xCC,0x0D,0x99,0xF8,0xA5, 963 0x2D, 0x23, 0x95, 0x1B, 0xB3, 0x66, 0xA8,
811 0xEF } 964 0x06, 0x48, 0xF0, 0x6D, 0x86, 0x79, 0x40, 0xA5, 0x36, 0x6D, /* y */
812 }; 965 0x9E, 0x26, 0x5D, 0xE9, 0xEB, 0x24, 0x0F,
813 966 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x69, /* order */
814static const struct { EC_CURVE_DATA h; unsigned char data[0+21*6]; } 967 0x54, 0xA2, 0x33, 0x04, 0x9B, 0xA9, 0x8F
815 _EC_SECG_CHAR2_163R1 = { 968 }
816 { NID_X9_62_characteristic_two_field,0,21,2 }, 969};
817 { /* no seed */ 970
971static const struct {
972 EC_CURVE_DATA h;
973 unsigned char data[0 + 21 * 6];
974}
975 _EC_NIST_CHAR2_163K = {
976 {
977 NID_X9_62_characteristic_two_field, 0, 21, 2
978 },
979 { /* no seed */
980 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
981 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
982 0xC9,
983 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
984 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
985 0x01,
986 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
987 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
988 0x01,
989 0x02, 0xFE, 0x13, 0xC0, 0x53, 0x7B, 0xBC, 0x11, 0xAC, 0xAA, /* x */
990 0x07, 0xD7, 0x93, 0xDE, 0x4E, 0x6D, 0x5E, 0x5C, 0x94, 0xEE,
991 0xE8,
992 0x02, 0x89, 0x07, 0x0F, 0xB0, 0x5D, 0x38, 0xFF, 0x58, 0x32, /* y */
993 0x1F, 0x2E, 0x80, 0x05, 0x36, 0xD5, 0x38, 0xCC, 0xDA, 0xA3,
994 0xD9,
995 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
996 0x02, 0x01, 0x08, 0xA2, 0xE0, 0xCC, 0x0D, 0x99, 0xF8, 0xA5,
997 0xEF
998 }
999};
1000
1001static const struct {
1002 EC_CURVE_DATA h;
1003 unsigned char data[0 + 21 * 6];
1004}
1005 _EC_SECG_CHAR2_163R1 = {
1006 {
1007 NID_X9_62_characteristic_two_field, 0, 21, 2
1008 },
1009 { /* no seed */
818#if 0 1010#if 0
819/* The algorithm used to derive the curve parameters from 1011/* The algorithm used to derive the curve parameters from
820 * the seed used here is slightly different than the 1012 * the seed used here is slightly different than the
821 * algorithm described in X9.62 . */ 1013 * algorithm described in X9.62 . */
822 0x24,0xB7,0xB1,0x37,0xC8,0xA1,0x4D,0x69,0x6E,0x67, 1014 0x24, 0xB7, 0xB1, 0x37, 0xC8, 0xA1, 0x4D, 0x69, 0x6E, 0x67,
823 0x68,0x75,0x61,0x51,0x75,0x6F,0xD0,0xDA,0x2E,0x5C, 1015 0x68, 0x75, 0x61, 0x51, 0x75, 0x6F, 0xD0, 0xDA, 0x2E, 0x5C,
824#endif 1016#endif
825 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1017 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
826 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1018 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
827 0xC9, 1019 0xC9,
828 0x07,0xB6,0x88,0x2C,0xAA,0xEF,0xA8,0x4F,0x95,0x54, /* a */ 1020 0x07, 0xB6, 0x88, 0x2C, 0xAA, 0xEF, 0xA8, 0x4F, 0x95, 0x54, /* a */
829 0xFF,0x84,0x28,0xBD,0x88,0xE2,0x46,0xD2,0x78,0x2A, 1021 0xFF, 0x84, 0x28, 0xBD, 0x88, 0xE2, 0x46, 0xD2, 0x78, 0x2A,
830 0xE2, 1022 0xE2,
831 0x07,0x13,0x61,0x2D,0xCD,0xDC,0xB4,0x0A,0xAB,0x94, /* b */ 1023 0x07, 0x13, 0x61, 0x2D, 0xCD, 0xDC, 0xB4, 0x0A, 0xAB, 0x94, /* b */
832 0x6B,0xDA,0x29,0xCA,0x91,0xF7,0x3A,0xF9,0x58,0xAF, 1024 0x6B, 0xDA, 0x29, 0xCA, 0x91, 0xF7, 0x3A, 0xF9, 0x58, 0xAF,
833 0xD9, 1025 0xD9,
834 0x03,0x69,0x97,0x96,0x97,0xAB,0x43,0x89,0x77,0x89, /* x */ 1026 0x03, 0x69, 0x97, 0x96, 0x97, 0xAB, 0x43, 0x89, 0x77, 0x89, /* x */
835 0x56,0x67,0x89,0x56,0x7F,0x78,0x7A,0x78,0x76,0xA6, 1027 0x56, 0x67, 0x89, 0x56, 0x7F, 0x78, 0x7A, 0x78, 0x76, 0xA6,
836 0x54, 1028 0x54,
837 0x00,0x43,0x5E,0xDB,0x42,0xEF,0xAF,0xB2,0x98,0x9D, /* y */ 1029 0x00, 0x43, 0x5E, 0xDB, 0x42, 0xEF, 0xAF, 0xB2, 0x98, 0x9D, /* y */
838 0x51,0xFE,0xFC,0xE3,0xC8,0x09,0x88,0xF4,0x1F,0xF8, 1030 0x51, 0xFE, 0xFC, 0xE3, 0xC8, 0x09, 0x88, 0xF4, 0x1F, 0xF8,
839 0x83, 1031 0x83,
840 0x03,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 1032 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
841 0xFF,0x48,0xAA,0xB6,0x89,0xC2,0x9C,0xA7,0x10,0x27, 1033 0xFF, 0x48, 0xAA, 0xB6, 0x89, 0xC2, 0x9C, 0xA7, 0x10, 0x27,
842 0x9B } 1034 0x9B
843 }; 1035 }
844 1036};
845static const struct { EC_CURVE_DATA h; unsigned char data[0+21*6]; } 1037
846 _EC_NIST_CHAR2_163B = { 1038static const struct {
847 { NID_X9_62_characteristic_two_field,0,21,2 }, 1039 EC_CURVE_DATA h;
848 { /* no seed */ 1040 unsigned char data[0 + 21 * 6];
1041}
1042 _EC_NIST_CHAR2_163B = {
1043 {
1044 NID_X9_62_characteristic_two_field, 0, 21, 2
1045 },
1046 { /* no seed */
849#if 0 1047#if 0
850/* The seed here was used to created the curve parameters in normal 1048/* The seed here was used to created the curve parameters in normal
851 * basis representation (and not the polynomial representation used here) */ 1049 * basis representation (and not the polynomial representation used here) */
852 0x85,0xE2,0x5B,0xFE,0x5C,0x86,0x22,0x6C,0xDB,0x12, 1050 0x85, 0xE2, 0x5B, 0xFE, 0x5C, 0x86, 0x22, 0x6C, 0xDB, 0x12,
853 0x01,0x6F,0x75,0x53,0xF9,0xD0,0xE6,0x93,0xA2,0x68, 1051 0x01, 0x6F, 0x75, 0x53, 0xF9, 0xD0, 0xE6, 0x93, 0xA2, 0x68,
854#endif 1052#endif
855 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1053 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
856 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1054 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
857 0xC9, 1055 0xC9,
858 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 1056 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
859 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1057 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
860 0x01, 1058 0x01,
861 0x02,0x0A,0x60,0x19,0x07,0xB8,0xC9,0x53,0xCA,0x14, /* b */ 1059 0x02, 0x0A, 0x60, 0x19, 0x07, 0xB8, 0xC9, 0x53, 0xCA, 0x14, /* b */
862 0x81,0xEB,0x10,0x51,0x2F,0x78,0x74,0x4A,0x32,0x05, 1060 0x81, 0xEB, 0x10, 0x51, 0x2F, 0x78, 0x74, 0x4A, 0x32, 0x05,
863 0xFD, 1061 0xFD,
864 0x03,0xF0,0xEB,0xA1,0x62,0x86,0xA2,0xD5,0x7E,0xA0, /* x */ 1062 0x03, 0xF0, 0xEB, 0xA1, 0x62, 0x86, 0xA2, 0xD5, 0x7E, 0xA0, /* x */
865 0x99,0x11,0x68,0xD4,0x99,0x46,0x37,0xE8,0x34,0x3E, 1063 0x99, 0x11, 0x68, 0xD4, 0x99, 0x46, 0x37, 0xE8, 0x34, 0x3E,
866 0x36, 1064 0x36,
867 0x00,0xD5,0x1F,0xBC,0x6C,0x71,0xA0,0x09,0x4F,0xA2, /* y */ 1065 0x00, 0xD5, 0x1F, 0xBC, 0x6C, 0x71, 0xA0, 0x09, 0x4F, 0xA2, /* y */
868 0xCD,0xD5,0x45,0xB1,0x1C,0x5C,0x0C,0x79,0x73,0x24, 1066 0xCD, 0xD5, 0x45, 0xB1, 0x1C, 0x5C, 0x0C, 0x79, 0x73, 0x24,
869 0xF1, 1067 0xF1,
870 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 1068 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
871 0x02,0x92,0xFE,0x77,0xE7,0x0C,0x12,0xA4,0x23,0x4C, 1069 0x02, 0x92, 0xFE, 0x77, 0xE7, 0x0C, 0x12, 0xA4, 0x23, 0x4C,
872 0x33 } 1070 0x33
873 }; 1071 }
874 1072};
875static const struct { EC_CURVE_DATA h; unsigned char data[20+25*6]; } 1073
876 _EC_SECG_CHAR2_193R1 = { 1074static const struct {
877 { NID_X9_62_characteristic_two_field,20,25,2 }, 1075 EC_CURVE_DATA h;
878 { 0x10,0x3F,0xAE,0xC7,0x4D,0x69,0x6E,0x67,0x68,0x75, /* seed */ 1076 unsigned char data[20 + 25 * 6];
879 0x61,0x51,0x75,0x77,0x7F,0xC5,0xB1,0x91,0xEF,0x30, 1077}
880 1078 _EC_SECG_CHAR2_193R1 = {
881 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1079 {
882 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1080 NID_X9_62_characteristic_two_field, 20, 25, 2
883 0x00,0x00,0x00,0x80,0x01, 1081 },
884 0x00,0x17,0x85,0x8F,0xEB,0x7A,0x98,0x97,0x51,0x69, /* a */ 1082 {
885 0xE1,0x71,0xF7,0x7B,0x40,0x87,0xDE,0x09,0x8A,0xC8, 1083 0x10, 0x3F, 0xAE, 0xC7, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, /* seed */
886 0xA9,0x11,0xDF,0x7B,0x01, 1084 0x61, 0x51, 0x75, 0x77, 0x7F, 0xC5, 0xB1, 0x91, 0xEF, 0x30,
887 0x00,0xFD,0xFB,0x49,0xBF,0xE6,0xC3,0xA8,0x9F,0xAC, /* b */ 1085
888 0xAD,0xAA,0x7A,0x1E,0x5B,0xBC,0x7C,0xC1,0xC2,0xE5, 1086 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
889 0xD8,0x31,0x47,0x88,0x14, 1087 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
890 0x01,0xF4,0x81,0xBC,0x5F,0x0F,0xF8,0x4A,0x74,0xAD, /* x */ 1088 0x00, 0x00, 0x00, 0x80, 0x01,
891 0x6C,0xDF,0x6F,0xDE,0xF4,0xBF,0x61,0x79,0x62,0x53, 1089 0x00, 0x17, 0x85, 0x8F, 0xEB, 0x7A, 0x98, 0x97, 0x51, 0x69, /* a */
892 0x72,0xD8,0xC0,0xC5,0xE1, 1090 0xE1, 0x71, 0xF7, 0x7B, 0x40, 0x87, 0xDE, 0x09, 0x8A, 0xC8,
893 0x00,0x25,0xE3,0x99,0xF2,0x90,0x37,0x12,0xCC,0xF3, /* y */ 1091 0xA9, 0x11, 0xDF, 0x7B, 0x01,
894 0xEA,0x9E,0x3A,0x1A,0xD1,0x7F,0xB0,0xB3,0x20,0x1B, 1092 0x00, 0xFD, 0xFB, 0x49, 0xBF, 0xE6, 0xC3, 0xA8, 0x9F, 0xAC, /* b */
895 0x6A,0xF7,0xCE,0x1B,0x05, 1093 0xAD, 0xAA, 0x7A, 0x1E, 0x5B, 0xBC, 0x7C, 0xC1, 0xC2, 0xE5,
896 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 1094 0xD8, 0x31, 0x47, 0x88, 0x14,
897 0x00,0x00,0x00,0xC7,0xF3,0x4A,0x77,0x8F,0x44,0x3A, 1095 0x01, 0xF4, 0x81, 0xBC, 0x5F, 0x0F, 0xF8, 0x4A, 0x74, 0xAD, /* x */
898 0xCC,0x92,0x0E,0xBA,0x49 } 1096 0x6C, 0xDF, 0x6F, 0xDE, 0xF4, 0xBF, 0x61, 0x79, 0x62, 0x53,
899 }; 1097 0x72, 0xD8, 0xC0, 0xC5, 0xE1,
900 1098 0x00, 0x25, 0xE3, 0x99, 0xF2, 0x90, 0x37, 0x12, 0xCC, 0xF3, /* y */
901static const struct { EC_CURVE_DATA h; unsigned char data[20+25*6]; } 1099 0xEA, 0x9E, 0x3A, 0x1A, 0xD1, 0x7F, 0xB0, 0xB3, 0x20, 0x1B,
902 _EC_SECG_CHAR2_193R2 = { 1100 0x6A, 0xF7, 0xCE, 0x1B, 0x05,
903 { NID_X9_62_characteristic_two_field,20,25,2 }, 1101 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
904 { 0x10,0xB7,0xB4,0xD6,0x96,0xE6,0x76,0x87,0x56,0x15, /* seed */ 1102 0x00, 0x00, 0x00, 0xC7, 0xF3, 0x4A, 0x77, 0x8F, 0x44, 0x3A,
905 0x17,0x51,0x37,0xC8,0xA1,0x6F,0xD0,0xDA,0x22,0x11, 1103 0xCC, 0x92, 0x0E, 0xBA, 0x49
906 1104 }
907 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1105};
908 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1106
909 0x00,0x00,0x00,0x80,0x01, 1107static const struct {
910 0x01,0x63,0xF3,0x5A,0x51,0x37,0xC2,0xCE,0x3E,0xA6, /* a */ 1108 EC_CURVE_DATA h;
911 0xED,0x86,0x67,0x19,0x0B,0x0B,0xC4,0x3E,0xCD,0x69, 1109 unsigned char data[20 + 25 * 6];
912 0x97,0x77,0x02,0x70,0x9B, 1110}
913 0x00,0xC9,0xBB,0x9E,0x89,0x27,0xD4,0xD6,0x4C,0x37, /* b */ 1111 _EC_SECG_CHAR2_193R2 = {
914 0x7E,0x2A,0xB2,0x85,0x6A,0x5B,0x16,0xE3,0xEF,0xB7, 1112 {
915 0xF6,0x1D,0x43,0x16,0xAE, 1113 NID_X9_62_characteristic_two_field, 20, 25, 2
916 0x00,0xD9,0xB6,0x7D,0x19,0x2E,0x03,0x67,0xC8,0x03, /* x */ 1114 },
917 0xF3,0x9E,0x1A,0x7E,0x82,0xCA,0x14,0xA6,0x51,0x35, 1115 {
918 0x0A,0xAE,0x61,0x7E,0x8F, 1116 0x10, 0xB7, 0xB4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, /* seed */
919 0x01,0xCE,0x94,0x33,0x56,0x07,0xC3,0x04,0xAC,0x29, /* y */ 1117 0x17, 0x51, 0x37, 0xC8, 0xA1, 0x6F, 0xD0, 0xDA, 0x22, 0x11,
920 0xE7,0xDE,0xFB,0xD9,0xCA,0x01,0xF5,0x96,0xF9,0x27, 1118
921 0x22,0x4C,0xDE,0xCF,0x6C, 1119 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
922 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 1120 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
923 0x00,0x00,0x01,0x5A,0xAB,0x56,0x1B,0x00,0x54,0x13, 1121 0x00, 0x00, 0x00, 0x80, 0x01,
924 0xCC,0xD4,0xEE,0x99,0xD5 } 1122 0x01, 0x63, 0xF3, 0x5A, 0x51, 0x37, 0xC2, 0xCE, 0x3E, 0xA6, /* a */
925 }; 1123 0xED, 0x86, 0x67, 0x19, 0x0B, 0x0B, 0xC4, 0x3E, 0xCD, 0x69,
926 1124 0x97, 0x77, 0x02, 0x70, 0x9B,
927static const struct { EC_CURVE_DATA h; unsigned char data[0+30*6]; } 1125 0x00, 0xC9, 0xBB, 0x9E, 0x89, 0x27, 0xD4, 0xD6, 0x4C, 0x37, /* b */
928 _EC_NIST_CHAR2_233K = { 1126 0x7E, 0x2A, 0xB2, 0x85, 0x6A, 0x5B, 0x16, 0xE3, 0xEF, 0xB7,
929 { NID_X9_62_characteristic_two_field,0,30,4 }, 1127 0xF6, 0x1D, 0x43, 0x16, 0xAE,
930 { /* no seed */ 1128 0x00, 0xD9, 0xB6, 0x7D, 0x19, 0x2E, 0x03, 0x67, 0xC8, 0x03, /* x */
931 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1129 0xF3, 0x9E, 0x1A, 0x7E, 0x82, 0xCA, 0x14, 0xA6, 0x51, 0x35,
932 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1130 0x0A, 0xAE, 0x61, 0x7E, 0x8F,
933 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, 1131 0x01, 0xCE, 0x94, 0x33, 0x56, 0x07, 0xC3, 0x04, 0xAC, 0x29, /* y */
934 1132 0xE7, 0xDE, 0xFB, 0xD9, 0xCA, 0x01, 0xF5, 0x96, 0xF9, 0x27,
935 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 1133 0x22, 0x4C, 0xDE, 0xCF, 0x6C,
936 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1134 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
937 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1135 0x00, 0x00, 0x01, 0x5A, 0xAB, 0x56, 0x1B, 0x00, 0x54, 0x13,
938 1136 0xCC, 0xD4, 0xEE, 0x99, 0xD5
939 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 1137 }
940 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1138};
941 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, 1139
942 1140static const struct {
943 0x01,0x72,0x32,0xBA,0x85,0x3A,0x7E,0x73,0x1A,0xF1, /* x */ 1141 EC_CURVE_DATA h;
944 0x29,0xF2,0x2F,0xF4,0x14,0x95,0x63,0xA4,0x19,0xC2, 1142 unsigned char data[0 + 30 * 6];
945 0x6B,0xF5,0x0A,0x4C,0x9D,0x6E,0xEF,0xAD,0x61,0x26, 1143}
946 1144 _EC_NIST_CHAR2_233K = {
947 0x01,0xDB,0x53,0x7D,0xEC,0xE8,0x19,0xB7,0xF7,0x0F, /* y */ 1145 {
948 0x55,0x5A,0x67,0xC4,0x27,0xA8,0xCD,0x9B,0xF1,0x8A, 1146 NID_X9_62_characteristic_two_field, 0, 30, 4
949 0xEB,0x9B,0x56,0xE0,0xC1,0x10,0x56,0xFA,0xE6,0xA3, 1147 },
950 1148 { /* no seed */
951 0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 1149 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
952 0x00,0x00,0x00,0x00,0x00,0x06,0x9D,0x5B,0xB9,0x15, 1150 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
953 0xBC,0xD4,0x6E,0xFB,0x1A,0xD5,0xF1,0x73,0xAB,0xDF } 1151 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
954 }; 1152
955 1153 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
956static const struct { EC_CURVE_DATA h; unsigned char data[20+30*6]; } 1154 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
957 _EC_NIST_CHAR2_233B = { 1155 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
958 { NID_X9_62_characteristic_two_field,20,30,2 }, 1156
959 { 0x74,0xD5,0x9F,0xF0,0x7F,0x6B,0x41,0x3D,0x0E,0xA1, /* seed */ 1157 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
960 0x4B,0x34,0x4B,0x20,0xA2,0xDB,0x04,0x9B,0x50,0xC3, 1158 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
961 1159 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
962 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1160
963 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1161 0x01, 0x72, 0x32, 0xBA, 0x85, 0x3A, 0x7E, 0x73, 0x1A, 0xF1, /* x */
964 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, 1162 0x29, 0xF2, 0x2F, 0xF4, 0x14, 0x95, 0x63, 0xA4, 0x19, 0xC2,
965 1163 0x6B, 0xF5, 0x0A, 0x4C, 0x9D, 0x6E, 0xEF, 0xAD, 0x61, 0x26,
966 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 1164
967 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1165 0x01, 0xDB, 0x53, 0x7D, 0xEC, 0xE8, 0x19, 0xB7, 0xF7, 0x0F, /* y */
968 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, 1166 0x55, 0x5A, 0x67, 0xC4, 0x27, 0xA8, 0xCD, 0x9B, 0xF1, 0x8A,
969 1167 0xEB, 0x9B, 0x56, 0xE0, 0xC1, 0x10, 0x56, 0xFA, 0xE6, 0xA3,
970 0x00,0x66,0x64,0x7E,0xDE,0x6C,0x33,0x2C,0x7F,0x8C, /* b */ 1168
971 0x09,0x23,0xBB,0x58,0x21,0x3B,0x33,0x3B,0x20,0xE9, 1169 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
972 0xCE,0x42,0x81,0xFE,0x11,0x5F,0x7D,0x8F,0x90,0xAD, 1170 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x9D, 0x5B, 0xB9, 0x15,
973 1171 0xBC, 0xD4, 0x6E, 0xFB, 0x1A, 0xD5, 0xF1, 0x73, 0xAB, 0xDF
974 0x00,0xFA,0xC9,0xDF,0xCB,0xAC,0x83,0x13,0xBB,0x21, /* x */ 1172 }
975 0x39,0xF1,0xBB,0x75,0x5F,0xEF,0x65,0xBC,0x39,0x1F, 1173};
976 0x8B,0x36,0xF8,0xF8,0xEB,0x73,0x71,0xFD,0x55,0x8B, 1174
977 1175static const struct {
978 0x01,0x00,0x6A,0x08,0xA4,0x19,0x03,0x35,0x06,0x78, /* y */ 1176 EC_CURVE_DATA h;
979 0xE5,0x85,0x28,0xBE,0xBF,0x8A,0x0B,0xEF,0xF8,0x67, 1177 unsigned char data[20 + 30 * 6];
980 0xA7,0xCA,0x36,0x71,0x6F,0x7E,0x01,0xF8,0x10,0x52, 1178}
981 1179 _EC_NIST_CHAR2_233B = {
982 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 1180 {
983 0x00,0x00,0x00,0x00,0x00,0x13,0xE9,0x74,0xE7,0x2F, 1181 NID_X9_62_characteristic_two_field, 20, 30, 2
984 0x8A,0x69,0x22,0x03,0x1D,0x26,0x03,0xCF,0xE0,0xD7 } 1182 },
985 }; 1183 {
986 1184 0x74, 0xD5, 0x9F, 0xF0, 0x7F, 0x6B, 0x41, 0x3D, 0x0E, 0xA1, /* seed */
987static const struct { EC_CURVE_DATA h; unsigned char data[0+30*6]; } 1185 0x4B, 0x34, 0x4B, 0x20, 0xA2, 0xDB, 0x04, 0x9B, 0x50, 0xC3,
988 _EC_SECG_CHAR2_239K1 = { 1186
989 { NID_X9_62_characteristic_two_field,0,30,4 }, 1187 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
990 { /* no seed */ 1188 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
991 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1189 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
992 0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1190
993 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, 1191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
994 1192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
995 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 1193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
996 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1194
997 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1195 0x00, 0x66, 0x64, 0x7E, 0xDE, 0x6C, 0x33, 0x2C, 0x7F, 0x8C, /* b */
998 1196 0x09, 0x23, 0xBB, 0x58, 0x21, 0x3B, 0x33, 0x3B, 0x20, 0xE9,
999 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 1197 0xCE, 0x42, 0x81, 0xFE, 0x11, 0x5F, 0x7D, 0x8F, 0x90, 0xAD,
1000 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1198
1001 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, 1199 0x00, 0xFA, 0xC9, 0xDF, 0xCB, 0xAC, 0x83, 0x13, 0xBB, 0x21, /* x */
1002 1200 0x39, 0xF1, 0xBB, 0x75, 0x5F, 0xEF, 0x65, 0xBC, 0x39, 0x1F,
1003 0x29,0xA0,0xB6,0xA8,0x87,0xA9,0x83,0xE9,0x73,0x09, /* x */ 1201 0x8B, 0x36, 0xF8, 0xF8, 0xEB, 0x73, 0x71, 0xFD, 0x55, 0x8B,
1004 0x88,0xA6,0x87,0x27,0xA8,0xB2,0xD1,0x26,0xC4,0x4C, 1202
1005 0xC2,0xCC,0x7B,0x2A,0x65,0x55,0x19,0x30,0x35,0xDC, 1203 0x01, 0x00, 0x6A, 0x08, 0xA4, 0x19, 0x03, 0x35, 0x06, 0x78, /* y */
1006 1204 0xE5, 0x85, 0x28, 0xBE, 0xBF, 0x8A, 0x0B, 0xEF, 0xF8, 0x67,
1007 0x76,0x31,0x08,0x04,0xF1,0x2E,0x54,0x9B,0xDB,0x01, /* y */ 1205 0xA7, 0xCA, 0x36, 0x71, 0x6F, 0x7E, 0x01, 0xF8, 0x10, 0x52,
1008 0x1C,0x10,0x30,0x89,0xE7,0x35,0x10,0xAC,0xB2,0x75, 1206
1009 0xFC,0x31,0x2A,0x5D,0xC6,0xB7,0x65,0x53,0xF0,0xCA, 1207 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1010 1208 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0xE9, 0x74, 0xE7, 0x2F,
1011 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 1209 0x8A, 0x69, 0x22, 0x03, 0x1D, 0x26, 0x03, 0xCF, 0xE0, 0xD7
1012 0x00,0x00,0x00,0x00,0x00,0x5A,0x79,0xFE,0xC6,0x7C, 1210 }
1013 0xB6,0xE9,0x1F,0x1C,0x1D,0xA8,0x00,0xE4,0x78,0xA5 } 1211};
1014 }; 1212
1015 1213static const struct {
1016static const struct { EC_CURVE_DATA h; unsigned char data[0+36*6]; } 1214 EC_CURVE_DATA h;
1017 _EC_NIST_CHAR2_283K = { 1215 unsigned char data[0 + 30 * 6];
1018 { NID_X9_62_characteristic_two_field,0,36,4 }, 1216}
1019 { /* no seed */ 1217 _EC_SECG_CHAR2_239K1 = {
1020 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1218 {
1021 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1219 NID_X9_62_characteristic_two_field, 0, 30, 4
1022 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1220 },
1023 0x00,0x00,0x00,0x00,0x10,0xA1, 1221 { /* no seed */
1024 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 1222 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1025 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1223 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1026 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1224 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1027 0x00,0x00,0x00,0x00,0x00,0x00, 1225
1028 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 1226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1029 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1227 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1030 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1228 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1031 0x00,0x00,0x00,0x00,0x00,0x01, 1229
1032 0x05,0x03,0x21,0x3F,0x78,0xCA,0x44,0x88,0x3F,0x1A, /* x */ 1230 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1033 0x3B,0x81,0x62,0xF1,0x88,0xE5,0x53,0xCD,0x26,0x5F, 1231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1034 0x23,0xC1,0x56,0x7A,0x16,0x87,0x69,0x13,0xB0,0xC2, 1232 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1035 0xAC,0x24,0x58,0x49,0x28,0x36, 1233
1036 0x01,0xCC,0xDA,0x38,0x0F,0x1C,0x9E,0x31,0x8D,0x90, /* y */ 1234 0x29, 0xA0, 0xB6, 0xA8, 0x87, 0xA9, 0x83, 0xE9, 0x73, 0x09, /* x */
1037 0xF9,0x5D,0x07,0xE5,0x42,0x6F,0xE8,0x7E,0x45,0xC0, 1235 0x88, 0xA6, 0x87, 0x27, 0xA8, 0xB2, 0xD1, 0x26, 0xC4, 0x4C,
1038 0xE8,0x18,0x46,0x98,0xE4,0x59,0x62,0x36,0x4E,0x34, 1236 0xC2, 0xCC, 0x7B, 0x2A, 0x65, 0x55, 0x19, 0x30, 0x35, 0xDC,
1039 0x11,0x61,0x77,0xDD,0x22,0x59, 1237
1040 0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 1238 0x76, 0x31, 0x08, 0x04, 0xF1, 0x2E, 0x54, 0x9B, 0xDB, 0x01, /* y */
1041 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xE9,0xAE, 1239 0x1C, 0x10, 0x30, 0x89, 0xE7, 0x35, 0x10, 0xAC, 0xB2, 0x75,
1042 0x2E,0xD0,0x75,0x77,0x26,0x5D,0xFF,0x7F,0x94,0x45, 1240 0xFC, 0x31, 0x2A, 0x5D, 0xC6, 0xB7, 0x65, 0x53, 0xF0, 0xCA,
1043 0x1E,0x06,0x1E,0x16,0x3C,0x61 } 1241
1044 }; 1242 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1045 1243 0x00, 0x00, 0x00, 0x00, 0x00, 0x5A, 0x79, 0xFE, 0xC6, 0x7C,
1046static const struct { EC_CURVE_DATA h; unsigned char data[20+36*6]; } 1244 0xB6, 0xE9, 0x1F, 0x1C, 0x1D, 0xA8, 0x00, 0xE4, 0x78, 0xA5
1047 _EC_NIST_CHAR2_283B = { 1245 }
1048 { NID_X9_62_characteristic_two_field,20,36,2 }, 1246};
1049 { 0x77,0xE2,0xB0,0x73,0x70,0xEB,0x0F,0x83,0x2A,0x6D, /* no seed */ 1247
1050 0xD5,0xB6,0x2D,0xFC,0x88,0xCD,0x06,0xBB,0x84,0xBE, 1248static const struct {
1051 1249 EC_CURVE_DATA h;
1052 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1250 unsigned char data[0 + 36 * 6];
1053 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1251}
1054 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1252 _EC_NIST_CHAR2_283K = {
1055 0x00,0x00,0x00,0x00,0x10,0xA1, 1253 {
1056 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 1254 NID_X9_62_characteristic_two_field, 0, 36, 4
1057 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1255 },
1058 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1256 { /* no seed */
1059 0x00,0x00,0x00,0x00,0x00,0x01, 1257 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1060 0x02,0x7B,0x68,0x0A,0xC8,0xB8,0x59,0x6D,0xA5,0xA4, /* b */ 1258 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1061 0xAF,0x8A,0x19,0xA0,0x30,0x3F,0xCA,0x97,0xFD,0x76, 1259 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1062 0x45,0x30,0x9F,0xA2,0xA5,0x81,0x48,0x5A,0xF6,0x26, 1260 0x00, 0x00, 0x00, 0x00, 0x10, 0xA1,
1063 0x3E,0x31,0x3B,0x79,0xA2,0xF5, 1261 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1064 0x05,0xF9,0x39,0x25,0x8D,0xB7,0xDD,0x90,0xE1,0x93, /* x */ 1262 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1065 0x4F,0x8C,0x70,0xB0,0xDF,0xEC,0x2E,0xED,0x25,0xB8, 1263 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1066 0x55,0x7E,0xAC,0x9C,0x80,0xE2,0xE1,0x98,0xF8,0xCD, 1264 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1067 0xBE,0xCD,0x86,0xB1,0x20,0x53, 1265 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1068 0x03,0x67,0x68,0x54,0xFE,0x24,0x14,0x1C,0xB9,0x8F, /* y */ 1266 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1069 0xE6,0xD4,0xB2,0x0D,0x02,0xB4,0x51,0x6F,0xF7,0x02, 1267 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1070 0x35,0x0E,0xDD,0xB0,0x82,0x67,0x79,0xC8,0x13,0xF0, 1268 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1071 0xDF,0x45,0xBE,0x81,0x12,0xF4, 1269 0x05, 0x03, 0x21, 0x3F, 0x78, 0xCA, 0x44, 0x88, 0x3F, 0x1A, /* x */
1072 0x03,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 1270 0x3B, 0x81, 0x62, 0xF1, 0x88, 0xE5, 0x53, 0xCD, 0x26, 0x5F,
1073 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xEF,0x90, 1271 0x23, 0xC1, 0x56, 0x7A, 0x16, 0x87, 0x69, 0x13, 0xB0, 0xC2,
1074 0x39,0x96,0x60,0xFC,0x93,0x8A,0x90,0x16,0x5B,0x04, 1272 0xAC, 0x24, 0x58, 0x49, 0x28, 0x36,
1075 0x2A,0x7C,0xEF,0xAD,0xB3,0x07 } 1273 0x01, 0xCC, 0xDA, 0x38, 0x0F, 0x1C, 0x9E, 0x31, 0x8D, 0x90, /* y */
1076 }; 1274 0xF9, 0x5D, 0x07, 0xE5, 0x42, 0x6F, 0xE8, 0x7E, 0x45, 0xC0,
1077 1275 0xE8, 0x18, 0x46, 0x98, 0xE4, 0x59, 0x62, 0x36, 0x4E, 0x34,
1078static const struct { EC_CURVE_DATA h; unsigned char data[0+52*6]; } 1276 0x11, 0x61, 0x77, 0xDD, 0x22, 0x59,
1079 _EC_NIST_CHAR2_409K = { 1277 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1080 { NID_X9_62_characteristic_two_field,0,52,4 }, 1278 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xE9, 0xAE,
1081 { /* no seed */ 1279 0x2E, 0xD0, 0x75, 0x77, 0x26, 0x5D, 0xFF, 0x7F, 0x94, 0x45,
1082 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1280 0x1E, 0x06, 0x1E, 0x16, 0x3C, 0x61
1083 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1281 }
1084 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1282};
1085 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1283
1086 0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1284static const struct {
1087 0x00,0x01, 1285 EC_CURVE_DATA h;
1088 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 1286 unsigned char data[20 + 36 * 6];
1089 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1287}
1090 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1288 _EC_NIST_CHAR2_283B = {
1091 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1289 {
1092 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1290 NID_X9_62_characteristic_two_field, 20, 36, 2
1093 0x00,0x00, 1291 },
1094 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 1292 {
1095 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1293 0x77, 0xE2, 0xB0, 0x73, 0x70, 0xEB, 0x0F, 0x83, 0x2A, 0x6D, /* no seed */
1096 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1294 0xD5, 0xB6, 0x2D, 0xFC, 0x88, 0xCD, 0x06, 0xBB, 0x84, 0xBE,
1097 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1295
1098 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1296 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1099 0x00,0x01, 1297 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1100 0x00,0x60,0xF0,0x5F,0x65,0x8F,0x49,0xC1,0xAD,0x3A, /* x */ 1298 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1101 0xB1,0x89,0x0F,0x71,0x84,0x21,0x0E,0xFD,0x09,0x87, 1299 0x00, 0x00, 0x00, 0x00, 0x10, 0xA1,
1102 0xE3,0x07,0xC8,0x4C,0x27,0xAC,0xCF,0xB8,0xF9,0xF6, 1300 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1103 0x7C,0xC2,0xC4,0x60,0x18,0x9E,0xB5,0xAA,0xAA,0x62, 1301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1104 0xEE,0x22,0x2E,0xB1,0xB3,0x55,0x40,0xCF,0xE9,0x02, 1302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1105 0x37,0x46, 1303 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1106 0x01,0xE3,0x69,0x05,0x0B,0x7C,0x4E,0x42,0xAC,0xBA, /* y */ 1304 0x02, 0x7B, 0x68, 0x0A, 0xC8, 0xB8, 0x59, 0x6D, 0xA5, 0xA4, /* b */
1107 0x1D,0xAC,0xBF,0x04,0x29,0x9C,0x34,0x60,0x78,0x2F, 1305 0xAF, 0x8A, 0x19, 0xA0, 0x30, 0x3F, 0xCA, 0x97, 0xFD, 0x76,
1108 0x91,0x8E,0xA4,0x27,0xE6,0x32,0x51,0x65,0xE9,0xEA, 1306 0x45, 0x30, 0x9F, 0xA2, 0xA5, 0x81, 0x48, 0x5A, 0xF6, 0x26,
1109 0x10,0xE3,0xDA,0x5F,0x6C,0x42,0xE9,0xC5,0x52,0x15, 1307 0x3E, 0x31, 0x3B, 0x79, 0xA2, 0xF5,
1110 0xAA,0x9C,0xA2,0x7A,0x58,0x63,0xEC,0x48,0xD8,0xE0, 1308 0x05, 0xF9, 0x39, 0x25, 0x8D, 0xB7, 0xDD, 0x90, 0xE1, 0x93, /* x */
1111 0x28,0x6B, 1309 0x4F, 0x8C, 0x70, 0xB0, 0xDF, 0xEC, 0x2E, 0xED, 0x25, 0xB8,
1112 0x00,0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 1310 0x55, 0x7E, 0xAC, 0x9C, 0x80, 0xE2, 0xE1, 0x98, 0xF8, 0xCD,
1113 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 1311 0xBE, 0xCD, 0x86, 0xB1, 0x20, 0x53,
1114 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0x5F,0x83,0xB2, 1312 0x03, 0x67, 0x68, 0x54, 0xFE, 0x24, 0x14, 0x1C, 0xB9, 0x8F, /* y */
1115 0xD4,0xEA,0x20,0x40,0x0E,0xC4,0x55,0x7D,0x5E,0xD3, 1313 0xE6, 0xD4, 0xB2, 0x0D, 0x02, 0xB4, 0x51, 0x6F, 0xF7, 0x02,
1116 0xE3,0xE7,0xCA,0x5B,0x4B,0x5C,0x83,0xB8,0xE0,0x1E, 1314 0x35, 0x0E, 0xDD, 0xB0, 0x82, 0x67, 0x79, 0xC8, 0x13, 0xF0,
1117 0x5F,0xCF } 1315 0xDF, 0x45, 0xBE, 0x81, 0x12, 0xF4,
1118 }; 1316 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1119 1317 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xEF, 0x90,
1120static const struct { EC_CURVE_DATA h; unsigned char data[20+52*6]; } 1318 0x39, 0x96, 0x60, 0xFC, 0x93, 0x8A, 0x90, 0x16, 0x5B, 0x04,
1121 _EC_NIST_CHAR2_409B = { 1319 0x2A, 0x7C, 0xEF, 0xAD, 0xB3, 0x07
1122 { NID_X9_62_characteristic_two_field,20,52,2 }, 1320 }
1123 { 0x40,0x99,0xB5,0xA4,0x57,0xF9,0xD6,0x9F,0x79,0x21, /* seed */ 1321};
1124 0x3D,0x09,0x4C,0x4B,0xCD,0x4D,0x42,0x62,0x21,0x0B, 1322
1125 1323static const struct {
1126 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1324 EC_CURVE_DATA h;
1127 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1325 unsigned char data[0 + 52 * 6];
1128 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1326}
1129 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1327 _EC_NIST_CHAR2_409K = {
1130 0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1328 {
1131 0x00,0x01, 1329 NID_X9_62_characteristic_two_field, 0, 52, 4
1132 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 1330 },
1133 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1331 { /* no seed */
1134 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1332 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1135 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1333 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1136 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1334 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1137 0x00,0x01, 1335 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1138 0x00,0x21,0xA5,0xC2,0xC8,0xEE,0x9F,0xEB,0x5C,0x4B, /* b */ 1336 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1139 0x9A,0x75,0x3B,0x7B,0x47,0x6B,0x7F,0xD6,0x42,0x2E, 1337 0x00, 0x01,
1140 0xF1,0xF3,0xDD,0x67,0x47,0x61,0xFA,0x99,0xD6,0xAC, 1338 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1141 0x27,0xC8,0xA9,0xA1,0x97,0xB2,0x72,0x82,0x2F,0x6C, 1339 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1142 0xD5,0x7A,0x55,0xAA,0x4F,0x50,0xAE,0x31,0x7B,0x13, 1340 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1143 0x54,0x5F, 1341 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1144 0x01,0x5D,0x48,0x60,0xD0,0x88,0xDD,0xB3,0x49,0x6B, /* x */ 1342 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1145 0x0C,0x60,0x64,0x75,0x62,0x60,0x44,0x1C,0xDE,0x4A, 1343 0x00, 0x00,
1146 0xF1,0x77,0x1D,0x4D,0xB0,0x1F,0xFE,0x5B,0x34,0xE5, 1344 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1147 0x97,0x03,0xDC,0x25,0x5A,0x86,0x8A,0x11,0x80,0x51, 1345 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1148 0x56,0x03,0xAE,0xAB,0x60,0x79,0x4E,0x54,0xBB,0x79, 1346 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1149 0x96,0xA7, 1347 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1150 0x00,0x61,0xB1,0xCF,0xAB,0x6B,0xE5,0xF3,0x2B,0xBF, /* y */ 1348 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1151 0xA7,0x83,0x24,0xED,0x10,0x6A,0x76,0x36,0xB9,0xC5, 1349 0x00, 0x01,
1152 0xA7,0xBD,0x19,0x8D,0x01,0x58,0xAA,0x4F,0x54,0x88, 1350 0x00, 0x60, 0xF0, 0x5F, 0x65, 0x8F, 0x49, 0xC1, 0xAD, 0x3A, /* x */
1153 0xD0,0x8F,0x38,0x51,0x4F,0x1F,0xDF,0x4B,0x4F,0x40, 1351 0xB1, 0x89, 0x0F, 0x71, 0x84, 0x21, 0x0E, 0xFD, 0x09, 0x87,
1154 0xD2,0x18,0x1B,0x36,0x81,0xC3,0x64,0xBA,0x02,0x73, 1352 0xE3, 0x07, 0xC8, 0x4C, 0x27, 0xAC, 0xCF, 0xB8, 0xF9, 0xF6,
1155 0xC7,0x06, 1353 0x7C, 0xC2, 0xC4, 0x60, 0x18, 0x9E, 0xB5, 0xAA, 0xAA, 0x62,
1156 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 1354 0xEE, 0x22, 0x2E, 0xB1, 0xB3, 0x55, 0x40, 0xCF, 0xE9, 0x02,
1157 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1355 0x37, 0x46,
1158 0x00,0x00,0x00,0x00,0x00,0x00,0x01,0xE2,0xAA,0xD6, 1356 0x01, 0xE3, 0x69, 0x05, 0x0B, 0x7C, 0x4E, 0x42, 0xAC, 0xBA, /* y */
1159 0xA6,0x12,0xF3,0x33,0x07,0xBE,0x5F,0xA4,0x7C,0x3C, 1357 0x1D, 0xAC, 0xBF, 0x04, 0x29, 0x9C, 0x34, 0x60, 0x78, 0x2F,
1160 0x9E,0x05,0x2F,0x83,0x81,0x64,0xCD,0x37,0xD9,0xA2, 1358 0x91, 0x8E, 0xA4, 0x27, 0xE6, 0x32, 0x51, 0x65, 0xE9, 0xEA,
1161 0x11,0x73 } 1359 0x10, 0xE3, 0xDA, 0x5F, 0x6C, 0x42, 0xE9, 0xC5, 0x52, 0x15,
1162 }; 1360 0xAA, 0x9C, 0xA2, 0x7A, 0x58, 0x63, 0xEC, 0x48, 0xD8, 0xE0,
1163 1361 0x28, 0x6B,
1164static const struct { EC_CURVE_DATA h; unsigned char data[0+72*6]; } 1362 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1165 _EC_NIST_CHAR2_571K = { 1363 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1166 { NID_X9_62_characteristic_two_field,0,72,4 }, 1364 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0x5F, 0x83, 0xB2,
1167 { /* no seed */ 1365 0xD4, 0xEA, 0x20, 0x40, 0x0E, 0xC4, 0x55, 0x7D, 0x5E, 0xD3,
1168 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1366 0xE3, 0xE7, 0xCA, 0x5B, 0x4B, 0x5C, 0x83, 0xB8, 0xE0, 0x1E,
1169 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1367 0x5F, 0xCF
1170 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1368 }
1171 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1369};
1172 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1370
1173 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1371static const struct {
1174 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1372 EC_CURVE_DATA h;
1175 0x04,0x25, 1373 unsigned char data[20 + 52 * 6];
1176 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 1374}
1177 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1375 _EC_NIST_CHAR2_409B = {
1178 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1376 {
1179 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1377 NID_X9_62_characteristic_two_field, 20, 52, 2
1180 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1378 },
1181 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1379 {
1182 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1380 0x40, 0x99, 0xB5, 0xA4, 0x57, 0xF9, 0xD6, 0x9F, 0x79, 0x21, /* seed */
1183 0x00,0x00, 1381 0x3D, 0x09, 0x4C, 0x4B, 0xCD, 0x4D, 0x42, 0x62, 0x21, 0x0B,
1184 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 1382
1185 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1383 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1186 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1187 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1385 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1188 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1386 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1189 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1387 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1190 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1388 0x00, 0x01,
1191 0x00,0x01, 1389 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1192 0x02,0x6E,0xB7,0xA8,0x59,0x92,0x3F,0xBC,0x82,0x18, /* x */ 1390 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1193 0x96,0x31,0xF8,0x10,0x3F,0xE4,0xAC,0x9C,0xA2,0x97, 1391 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1194 0x00,0x12,0xD5,0xD4,0x60,0x24,0x80,0x48,0x01,0x84, 1392 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1195 0x1C,0xA4,0x43,0x70,0x95,0x84,0x93,0xB2,0x05,0xE6, 1393 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1196 0x47,0xDA,0x30,0x4D,0xB4,0xCE,0xB0,0x8C,0xBB,0xD1, 1394 0x00, 0x01,
1197 0xBA,0x39,0x49,0x47,0x76,0xFB,0x98,0x8B,0x47,0x17, 1395 0x00, 0x21, 0xA5, 0xC2, 0xC8, 0xEE, 0x9F, 0xEB, 0x5C, 0x4B, /* b */
1198 0x4D,0xCA,0x88,0xC7,0xE2,0x94,0x52,0x83,0xA0,0x1C, 1396 0x9A, 0x75, 0x3B, 0x7B, 0x47, 0x6B, 0x7F, 0xD6, 0x42, 0x2E,
1199 0x89,0x72, 1397 0xF1, 0xF3, 0xDD, 0x67, 0x47, 0x61, 0xFA, 0x99, 0xD6, 0xAC,
1200 0x03,0x49,0xDC,0x80,0x7F,0x4F,0xBF,0x37,0x4F,0x4A, /* y */ 1398 0x27, 0xC8, 0xA9, 0xA1, 0x97, 0xB2, 0x72, 0x82, 0x2F, 0x6C,
1201 0xEA,0xDE,0x3B,0xCA,0x95,0x31,0x4D,0xD5,0x8C,0xEC, 1399 0xD5, 0x7A, 0x55, 0xAA, 0x4F, 0x50, 0xAE, 0x31, 0x7B, 0x13,
1202 0x9F,0x30,0x7A,0x54,0xFF,0xC6,0x1E,0xFC,0x00,0x6D, 1400 0x54, 0x5F,
1203 0x8A,0x2C,0x9D,0x49,0x79,0xC0,0xAC,0x44,0xAE,0xA7, 1401 0x01, 0x5D, 0x48, 0x60, 0xD0, 0x88, 0xDD, 0xB3, 0x49, 0x6B, /* x */
1204 0x4F,0xBE,0xBB,0xB9,0xF7,0x72,0xAE,0xDC,0xB6,0x20, 1402 0x0C, 0x60, 0x64, 0x75, 0x62, 0x60, 0x44, 0x1C, 0xDE, 0x4A,
1205 0xB0,0x1A,0x7B,0xA7,0xAF,0x1B,0x32,0x04,0x30,0xC8, 1403 0xF1, 0x77, 0x1D, 0x4D, 0xB0, 0x1F, 0xFE, 0x5B, 0x34, 0xE5,
1206 0x59,0x19,0x84,0xF6,0x01,0xCD,0x4C,0x14,0x3E,0xF1, 1404 0x97, 0x03, 0xDC, 0x25, 0x5A, 0x86, 0x8A, 0x11, 0x80, 0x51,
1207 0xC7,0xA3, 1405 0x56, 0x03, 0xAE, 0xAB, 0x60, 0x79, 0x4E, 0x54, 0xBB, 0x79,
1208 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 1406 0x96, 0xA7,
1209 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1407 0x00, 0x61, 0xB1, 0xCF, 0xAB, 0x6B, 0xE5, 0xF3, 0x2B, 0xBF, /* y */
1210 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1408 0xA7, 0x83, 0x24, 0xED, 0x10, 0x6A, 0x76, 0x36, 0xB9, 0xC5,
1211 0x00,0x00,0x00,0x00,0x00,0x00,0x13,0x18,0x50,0xE1, 1409 0xA7, 0xBD, 0x19, 0x8D, 0x01, 0x58, 0xAA, 0x4F, 0x54, 0x88,
1212 0xF1,0x9A,0x63,0xE4,0xB3,0x91,0xA8,0xDB,0x91,0x7F, 1410 0xD0, 0x8F, 0x38, 0x51, 0x4F, 0x1F, 0xDF, 0x4B, 0x4F, 0x40,
1213 0x41,0x38,0xB6,0x30,0xD8,0x4B,0xE5,0xD6,0x39,0x38, 1411 0xD2, 0x18, 0x1B, 0x36, 0x81, 0xC3, 0x64, 0xBA, 0x02, 0x73,
1214 0x1E,0x91,0xDE,0xB4,0x5C,0xFE,0x77,0x8F,0x63,0x7C, 1412 0xC7, 0x06,
1215 0x10,0x01 } 1413 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1216 }; 1414 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1217 1415 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xE2, 0xAA, 0xD6,
1218static const struct { EC_CURVE_DATA h; unsigned char data[20+72*6]; } 1416 0xA6, 0x12, 0xF3, 0x33, 0x07, 0xBE, 0x5F, 0xA4, 0x7C, 0x3C,
1219 _EC_NIST_CHAR2_571B = { 1417 0x9E, 0x05, 0x2F, 0x83, 0x81, 0x64, 0xCD, 0x37, 0xD9, 0xA2,
1220 { NID_X9_62_characteristic_two_field,20,72,2 }, 1418 0x11, 0x73
1221 { 0x2A,0xA0,0x58,0xF7,0x3A,0x0E,0x33,0xAB,0x48,0x6B, /* seed */ 1419 }
1222 0x0F,0x61,0x04,0x10,0xC5,0x3A,0x7F,0x13,0x23,0x10, 1420};
1223 1421
1224 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1422static const struct {
1225 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1423 EC_CURVE_DATA h;
1226 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1424 unsigned char data[0 + 72 * 6];
1227 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1425}
1228 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1426 _EC_NIST_CHAR2_571K = {
1229 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1427 {
1230 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1428 NID_X9_62_characteristic_two_field, 0, 72, 4
1231 0x04,0x25, 1429 },
1232 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 1430 { /* no seed */
1233 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1431 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1234 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1432 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1235 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1433 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1236 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1434 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1237 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1435 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1238 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1436 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1239 0x00,0x01, 1437 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1240 0x02,0xF4,0x0E,0x7E,0x22,0x21,0xF2,0x95,0xDE,0x29, /* b */ 1438 0x04, 0x25,
1241 0x71,0x17,0xB7,0xF3,0xD6,0x2F,0x5C,0x6A,0x97,0xFF, 1439 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1242 0xCB,0x8C,0xEF,0xF1,0xCD,0x6B,0xA8,0xCE,0x4A,0x9A, 1440 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1243 0x18,0xAD,0x84,0xFF,0xAB,0xBD,0x8E,0xFA,0x59,0x33, 1441 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1244 0x2B,0xE7,0xAD,0x67,0x56,0xA6,0x6E,0x29,0x4A,0xFD, 1442 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1245 0x18,0x5A,0x78,0xFF,0x12,0xAA,0x52,0x0E,0x4D,0xE7, 1443 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1246 0x39,0xBA,0xCA,0x0C,0x7F,0xFE,0xFF,0x7F,0x29,0x55, 1444 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1247 0x72,0x7A, 1445 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1248 0x03,0x03,0x00,0x1D,0x34,0xB8,0x56,0x29,0x6C,0x16, /* x */ 1446 0x00, 0x00,
1249 0xC0,0xD4,0x0D,0x3C,0xD7,0x75,0x0A,0x93,0xD1,0xD2, 1447 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1250 0x95,0x5F,0xA8,0x0A,0xA5,0xF4,0x0F,0xC8,0xDB,0x7B, 1448 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1251 0x2A,0xBD,0xBD,0xE5,0x39,0x50,0xF4,0xC0,0xD2,0x93, 1449 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1252 0xCD,0xD7,0x11,0xA3,0x5B,0x67,0xFB,0x14,0x99,0xAE, 1450 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1253 0x60,0x03,0x86,0x14,0xF1,0x39,0x4A,0xBF,0xA3,0xB4, 1451 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1254 0xC8,0x50,0xD9,0x27,0xE1,0xE7,0x76,0x9C,0x8E,0xEC, 1452 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1255 0x2D,0x19, 1453 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1256 0x03,0x7B,0xF2,0x73,0x42,0xDA,0x63,0x9B,0x6D,0xCC, /* y */ 1454 0x00, 0x01,
1257 0xFF,0xFE,0xB7,0x3D,0x69,0xD7,0x8C,0x6C,0x27,0xA6, 1455 0x02, 0x6E, 0xB7, 0xA8, 0x59, 0x92, 0x3F, 0xBC, 0x82, 0x18, /* x */
1258 0x00,0x9C,0xBB,0xCA,0x19,0x80,0xF8,0x53,0x39,0x21, 1456 0x96, 0x31, 0xF8, 0x10, 0x3F, 0xE4, 0xAC, 0x9C, 0xA2, 0x97,
1259 0xE8,0xA6,0x84,0x42,0x3E,0x43,0xBA,0xB0,0x8A,0x57, 1457 0x00, 0x12, 0xD5, 0xD4, 0x60, 0x24, 0x80, 0x48, 0x01, 0x84,
1260 0x62,0x91,0xAF,0x8F,0x46,0x1B,0xB2,0xA8,0xB3,0x53, 1458 0x1C, 0xA4, 0x43, 0x70, 0x95, 0x84, 0x93, 0xB2, 0x05, 0xE6,
1261 0x1D,0x2F,0x04,0x85,0xC1,0x9B,0x16,0xE2,0xF1,0x51, 1459 0x47, 0xDA, 0x30, 0x4D, 0xB4, 0xCE, 0xB0, 0x8C, 0xBB, 0xD1,
1262 0x6E,0x23,0xDD,0x3C,0x1A,0x48,0x27,0xAF,0x1B,0x8A, 1460 0xBA, 0x39, 0x49, 0x47, 0x76, 0xFB, 0x98, 0x8B, 0x47, 0x17,
1263 0xC1,0x5B, 1461 0x4D, 0xCA, 0x88, 0xC7, 0xE2, 0x94, 0x52, 0x83, 0xA0, 0x1C,
1264 0x03,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 1462 0x89, 0x72,
1265 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 1463 0x03, 0x49, 0xDC, 0x80, 0x7F, 0x4F, 0xBF, 0x37, 0x4F, 0x4A, /* y */
1266 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 1464 0xEA, 0xDE, 0x3B, 0xCA, 0x95, 0x31, 0x4D, 0xD5, 0x8C, 0xEC,
1267 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xE6,0x61,0xCE,0x18, 1465 0x9F, 0x30, 0x7A, 0x54, 0xFF, 0xC6, 0x1E, 0xFC, 0x00, 0x6D,
1268 0xFF,0x55,0x98,0x73,0x08,0x05,0x9B,0x18,0x68,0x23, 1466 0x8A, 0x2C, 0x9D, 0x49, 0x79, 0xC0, 0xAC, 0x44, 0xAE, 0xA7,
1269 0x85,0x1E,0xC7,0xDD,0x9C,0xA1,0x16,0x1D,0xE9,0x3D, 1467 0x4F, 0xBE, 0xBB, 0xB9, 0xF7, 0x72, 0xAE, 0xDC, 0xB6, 0x20,
1270 0x51,0x74,0xD6,0x6E,0x83,0x82,0xE9,0xBB,0x2F,0xE8, 1468 0xB0, 0x1A, 0x7B, 0xA7, 0xAF, 0x1B, 0x32, 0x04, 0x30, 0xC8,
1271 0x4E,0x47 } 1469 0x59, 0x19, 0x84, 0xF6, 0x01, 0xCD, 0x4C, 0x14, 0x3E, 0xF1,
1272 }; 1470 0xC7, 0xA3,
1273 1471 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1274static const struct { EC_CURVE_DATA h; unsigned char data[20+21*6]; } 1472 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1275 _EC_X9_62_CHAR2_163V1 = { 1473 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1276 { NID_X9_62_characteristic_two_field,20,21,2 }, 1474 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x18, 0x50, 0xE1,
1277 { 0xD2,0xC0,0xFB,0x15,0x76,0x08,0x60,0xDE,0xF1,0xEE, 1475 0xF1, 0x9A, 0x63, 0xE4, 0xB3, 0x91, 0xA8, 0xDB, 0x91, 0x7F,
1278 0xF4,0xD6,0x96,0xE6,0x76,0x87,0x56,0x15,0x17,0x54, /* seed */ 1476 0x41, 0x38, 0xB6, 0x30, 0xD8, 0x4B, 0xE5, 0xD6, 0x39, 0x38,
1279 1477 0x1E, 0x91, 0xDE, 0xB4, 0x5C, 0xFE, 0x77, 0x8F, 0x63, 0x7C,
1280 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1478 0x10, 0x01
1281 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, 1479 }
1282 0x07, 1480};
1283 0x07,0x25,0x46,0xB5,0x43,0x52,0x34,0xA4,0x22,0xE0, /* a */ 1481
1284 0x78,0x96,0x75,0xF4,0x32,0xC8,0x94,0x35,0xDE,0x52, 1482static const struct {
1285 0x42, 1483 EC_CURVE_DATA h;
1286 0x00,0xC9,0x51,0x7D,0x06,0xD5,0x24,0x0D,0x3C,0xFF, /* b */ 1484 unsigned char data[20 + 72 * 6];
1287 0x38,0xC7,0x4B,0x20,0xB6,0xCD,0x4D,0x6F,0x9D,0xD4, 1485}
1288 0xD9, 1486 _EC_NIST_CHAR2_571B = {
1289 0x07,0xAF,0x69,0x98,0x95,0x46,0x10,0x3D,0x79,0x32, /* x */ 1487 {
1290 0x9F,0xCC,0x3D,0x74,0x88,0x0F,0x33,0xBB,0xE8,0x03, 1488 NID_X9_62_characteristic_two_field, 20, 72, 2
1291 0xCB, 1489 },
1292 0x01,0xEC,0x23,0x21,0x1B,0x59,0x66,0xAD,0xEA,0x1D, /* y */ 1490 {
1293 0x3F,0x87,0xF7,0xEA,0x58,0x48,0xAE,0xF0,0xB7,0xCA, 1491 0x2A, 0xA0, 0x58, 0xF7, 0x3A, 0x0E, 0x33, 0xAB, 0x48, 0x6B, /* seed */
1294 0x9F, 1492 0x0F, 0x61, 0x04, 0x10, 0xC5, 0x3A, 0x7F, 0x13, 0x23, 0x10,
1295 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 1493
1296 0x01,0xE6,0x0F,0xC8,0x82,0x1C,0xC7,0x4D,0xAE,0xAF, 1494 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1297 0xC1 } 1495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1298 }; 1496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1299 1497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1300static const struct { EC_CURVE_DATA h; unsigned char data[20+21*6]; } 1498 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1301 _EC_X9_62_CHAR2_163V2 = { 1499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1302 { NID_X9_62_characteristic_two_field,20,21,2 }, 1500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1303 { 0x53,0x81,0x4C,0x05,0x0D,0x44,0xD6,0x96,0xE6,0x76, /* seed */ 1501 0x04, 0x25,
1304 0x87,0x56,0x15,0x17,0x58,0x0C,0xA4,0xE2,0x9F,0xFD, 1502 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1305 1503 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1306 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1504 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1307 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, 1505 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1308 0x07, 1506 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1309 0x01,0x08,0xB3,0x9E,0x77,0xC4,0xB1,0x08,0xBE,0xD9, /* a */ 1507 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1310 0x81,0xED,0x0E,0x89,0x0E,0x11,0x7C,0x51,0x1C,0xF0, 1508 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1311 0x72, 1509 0x00, 0x01,
1312 0x06,0x67,0xAC,0xEB,0x38,0xAF,0x4E,0x48,0x8C,0x40, /* b */ 1510 0x02, 0xF4, 0x0E, 0x7E, 0x22, 0x21, 0xF2, 0x95, 0xDE, 0x29, /* b */
1313 0x74,0x33,0xFF,0xAE,0x4F,0x1C,0x81,0x16,0x38,0xDF, 1511 0x71, 0x17, 0xB7, 0xF3, 0xD6, 0x2F, 0x5C, 0x6A, 0x97, 0xFF,
1314 0x20, 1512 0xCB, 0x8C, 0xEF, 0xF1, 0xCD, 0x6B, 0xA8, 0xCE, 0x4A, 0x9A,
1315 0x00,0x24,0x26,0x6E,0x4E,0xB5,0x10,0x6D,0x0A,0x96, /* x */ 1513 0x18, 0xAD, 0x84, 0xFF, 0xAB, 0xBD, 0x8E, 0xFA, 0x59, 0x33,
1316 0x4D,0x92,0xC4,0x86,0x0E,0x26,0x71,0xDB,0x9B,0x6C, 1514 0x2B, 0xE7, 0xAD, 0x67, 0x56, 0xA6, 0x6E, 0x29, 0x4A, 0xFD,
1317 0xC5, 1515 0x18, 0x5A, 0x78, 0xFF, 0x12, 0xAA, 0x52, 0x0E, 0x4D, 0xE7,
1318 0x07,0x9F,0x68,0x4D,0xDF,0x66,0x84,0xC5,0xCD,0x25, /* y */ 1516 0x39, 0xBA, 0xCA, 0x0C, 0x7F, 0xFE, 0xFF, 0x7F, 0x29, 0x55,
1319 0x8B,0x38,0x90,0x02,0x1B,0x23,0x86,0xDF,0xD1,0x9F, 1517 0x72, 0x7A,
1320 0xC5, 1518 0x03, 0x03, 0x00, 0x1D, 0x34, 0xB8, 0x56, 0x29, 0x6C, 0x16, /* x */
1321 0x03,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 1519 0xC0, 0xD4, 0x0D, 0x3C, 0xD7, 0x75, 0x0A, 0x93, 0xD1, 0xD2,
1322 0xFD,0xF6,0x4D,0xE1,0x15,0x1A,0xDB,0xB7,0x8F,0x10, 1520 0x95, 0x5F, 0xA8, 0x0A, 0xA5, 0xF4, 0x0F, 0xC8, 0xDB, 0x7B,
1323 0xA7 } 1521 0x2A, 0xBD, 0xBD, 0xE5, 0x39, 0x50, 0xF4, 0xC0, 0xD2, 0x93,
1324 }; 1522 0xCD, 0xD7, 0x11, 0xA3, 0x5B, 0x67, 0xFB, 0x14, 0x99, 0xAE,
1325 1523 0x60, 0x03, 0x86, 0x14, 0xF1, 0x39, 0x4A, 0xBF, 0xA3, 0xB4,
1326static const struct { EC_CURVE_DATA h; unsigned char data[20+21*6]; } 1524 0xC8, 0x50, 0xD9, 0x27, 0xE1, 0xE7, 0x76, 0x9C, 0x8E, 0xEC,
1327 _EC_X9_62_CHAR2_163V3 = { 1525 0x2D, 0x19,
1328 { NID_X9_62_characteristic_two_field,20,21,2 }, 1526 0x03, 0x7B, 0xF2, 0x73, 0x42, 0xDA, 0x63, 0x9B, 0x6D, 0xCC, /* y */
1329 { 0x50,0xCB,0xF1,0xD9,0x5C,0xA9,0x4D,0x69,0x6E,0x67, /* seed */ 1527 0xFF, 0xFE, 0xB7, 0x3D, 0x69, 0xD7, 0x8C, 0x6C, 0x27, 0xA6,
1330 0x68,0x75,0x61,0x51,0x75,0xF1,0x6A,0x36,0xA3,0xB8, 1528 0x00, 0x9C, 0xBB, 0xCA, 0x19, 0x80, 0xF8, 0x53, 0x39, 0x21,
1331 1529 0xE8, 0xA6, 0x84, 0x42, 0x3E, 0x43, 0xBA, 0xB0, 0x8A, 0x57,
1332 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1530 0x62, 0x91, 0xAF, 0x8F, 0x46, 0x1B, 0xB2, 0xA8, 0xB3, 0x53,
1333 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, 1531 0x1D, 0x2F, 0x04, 0x85, 0xC1, 0x9B, 0x16, 0xE2, 0xF1, 0x51,
1334 0x07, 1532 0x6E, 0x23, 0xDD, 0x3C, 0x1A, 0x48, 0x27, 0xAF, 0x1B, 0x8A,
1335 0x07,0xA5,0x26,0xC6,0x3D,0x3E,0x25,0xA2,0x56,0xA0, /* a */ 1533 0xC1, 0x5B,
1336 0x07,0x69,0x9F,0x54,0x47,0xE3,0x2A,0xE4,0x56,0xB5, 1534 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1337 0x0E, 1535 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1338 0x03,0xF7,0x06,0x17,0x98,0xEB,0x99,0xE2,0x38,0xFD, /* b */ 1536 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1339 0x6F,0x1B,0xF9,0x5B,0x48,0xFE,0xEB,0x48,0x54,0x25, 1537 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xE6, 0x61, 0xCE, 0x18,
1340 0x2B, 1538 0xFF, 0x55, 0x98, 0x73, 0x08, 0x05, 0x9B, 0x18, 0x68, 0x23,
1341 0x02,0xF9,0xF8,0x7B,0x7C,0x57,0x4D,0x0B,0xDE,0xCF, /* x */ 1539 0x85, 0x1E, 0xC7, 0xDD, 0x9C, 0xA1, 0x16, 0x1D, 0xE9, 0x3D,
1342 0x8A,0x22,0xE6,0x52,0x47,0x75,0xF9,0x8C,0xDE,0xBD, 1540 0x51, 0x74, 0xD6, 0x6E, 0x83, 0x82, 0xE9, 0xBB, 0x2F, 0xE8,
1343 0xCB, 1541 0x4E, 0x47
1344 0x05,0xB9,0x35,0x59,0x0C,0x15,0x5E,0x17,0xEA,0x48, /* y */ 1542 }
1345 0xEB,0x3F,0xF3,0x71,0x8B,0x89,0x3D,0xF5,0x9A,0x05, 1543};
1346 0xD0, 1544
1347 0x03,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 1545static const struct {
1348 0xFE,0x1A,0xEE,0x14,0x0F,0x11,0x0A,0xFF,0x96,0x13, 1546 EC_CURVE_DATA h;
1349 0x09 } 1547 unsigned char data[20 + 21 * 6];
1350 }; 1548}
1351 1549 _EC_X9_62_CHAR2_163V1 = {
1352static const struct { EC_CURVE_DATA h; unsigned char data[0+23*6]; } 1550 {
1353 _EC_X9_62_CHAR2_176V1 = { 1551 NID_X9_62_characteristic_two_field, 20, 21, 2
1354 { NID_X9_62_characteristic_two_field,0,23,0xFF6E }, 1552 },
1355 { /* no seed */ 1553 {
1356 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1554 0xD2, 0xC0, 0xFB, 0x15, 0x76, 0x08, 0x60, 0xDE, 0xF1, 0xEE,
1357 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x00, 1555 0xF4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x54, /* seed */
1358 0x00,0x00,0x07, 1556
1359 0x00,0xE4,0xE6,0xDB,0x29,0x95,0x06,0x5C,0x40,0x7D, /* a */ 1557 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1360 0x9D,0x39,0xB8,0xD0,0x96,0x7B,0x96,0x70,0x4B,0xA8, 1558 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1361 0xE9,0xC9,0x0B, 1559 0x07,
1362 0x00,0x5D,0xDA,0x47,0x0A,0xBE,0x64,0x14,0xDE,0x8E, /* b */ 1560 0x07, 0x25, 0x46, 0xB5, 0x43, 0x52, 0x34, 0xA4, 0x22, 0xE0, /* a */
1363 0xC1,0x33,0xAE,0x28,0xE9,0xBB,0xD7,0xFC,0xEC,0x0A, 1561 0x78, 0x96, 0x75, 0xF4, 0x32, 0xC8, 0x94, 0x35, 0xDE, 0x52,
1364 0xE0,0xFF,0xF2, 1562 0x42,
1365 0x00,0x8D,0x16,0xC2,0x86,0x67,0x98,0xB6,0x00,0xF9, /* x */ 1563 0x00, 0xC9, 0x51, 0x7D, 0x06, 0xD5, 0x24, 0x0D, 0x3C, 0xFF, /* b */
1366 0xF0,0x8B,0xB4,0xA8,0xE8,0x60,0xF3,0x29,0x8C,0xE0, 1564 0x38, 0xC7, 0x4B, 0x20, 0xB6, 0xCD, 0x4D, 0x6F, 0x9D, 0xD4,
1367 0x4A,0x57,0x98, 1565 0xD9,
1368 0x00,0x6F,0xA4,0x53,0x9C,0x2D,0xAD,0xDD,0xD6,0xBA, /* y */ 1566 0x07, 0xAF, 0x69, 0x98, 0x95, 0x46, 0x10, 0x3D, 0x79, 0x32, /* x */
1369 0xB5,0x16,0x7D,0x61,0xB4,0x36,0xE1,0xD9,0x2B,0xB1, 1567 0x9F, 0xCC, 0x3D, 0x74, 0x88, 0x0F, 0x33, 0xBB, 0xE8, 0x03,
1370 0x6A,0x56,0x2C, 1568 0xCB,
1371 0x00,0x00,0x01,0x00,0x92,0x53,0x73,0x97,0xEC,0xA4, /* order */ 1569 0x01, 0xEC, 0x23, 0x21, 0x1B, 0x59, 0x66, 0xAD, 0xEA, 0x1D, /* y */
1372 0xF6,0x14,0x57,0x99,0xD6,0x2B,0x0A,0x19,0xCE,0x06, 1570 0x3F, 0x87, 0xF7, 0xEA, 0x58, 0x48, 0xAE, 0xF0, 0xB7, 0xCA,
1373 0xFE,0x26,0xAD } 1571 0x9F,
1374 }; 1572 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1375 1573 0x01, 0xE6, 0x0F, 0xC8, 0x82, 0x1C, 0xC7, 0x4D, 0xAE, 0xAF,
1376static const struct { EC_CURVE_DATA h; unsigned char data[20+24*6]; } 1574 0xC1
1377 _EC_X9_62_CHAR2_191V1 = { 1575 }
1378 { NID_X9_62_characteristic_two_field,20,24,2 }, 1576};
1379 { 0x4E,0x13,0xCA,0x54,0x27,0x44,0xD6,0x96,0xE6,0x76, /* seed */ 1577
1380 0x87,0x56,0x15,0x17,0x55,0x2F,0x27,0x9A,0x8C,0x84, 1578static const struct {
1381 1579 EC_CURVE_DATA h;
1382 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1580 unsigned char data[20 + 21 * 6];
1383 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1581}
1384 0x00,0x00,0x02,0x01, 1582 _EC_X9_62_CHAR2_163V2 = {
1385 0x28,0x66,0x53,0x7B,0x67,0x67,0x52,0x63,0x6A,0x68, /* a */ 1583 {
1386 0xF5,0x65,0x54,0xE1,0x26,0x40,0x27,0x6B,0x64,0x9E, 1584 NID_X9_62_characteristic_two_field, 20, 21, 2
1387 0xF7,0x52,0x62,0x67, 1585 },
1388 0x2E,0x45,0xEF,0x57,0x1F,0x00,0x78,0x6F,0x67,0xB0, /* b */ 1586 {
1389 0x08,0x1B,0x94,0x95,0xA3,0xD9,0x54,0x62,0xF5,0xDE, 1587 0x53, 0x81, 0x4C, 0x05, 0x0D, 0x44, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1390 0x0A,0xA1,0x85,0xEC, 1588 0x87, 0x56, 0x15, 0x17, 0x58, 0x0C, 0xA4, 0xE2, 0x9F, 0xFD,
1391 0x36,0xB3,0xDA,0xF8,0xA2,0x32,0x06,0xF9,0xC4,0xF2, /* x */ 1589
1392 0x99,0xD7,0xB2,0x1A,0x9C,0x36,0x91,0x37,0xF2,0xC8, 1590 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1393 0x4A,0xE1,0xAA,0x0D, 1591 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1394 0x76,0x5B,0xE7,0x34,0x33,0xB3,0xF9,0x5E,0x33,0x29, /* y */ 1592 0x07,
1395 0x32,0xE7,0x0E,0xA2,0x45,0xCA,0x24,0x18,0xEA,0x0E, 1593 0x01, 0x08, 0xB3, 0x9E, 0x77, 0xC4, 0xB1, 0x08, 0xBE, 0xD9, /* a */
1396 0xF9,0x80,0x18,0xFB, 1594 0x81, 0xED, 0x0E, 0x89, 0x0E, 0x11, 0x7C, 0x51, 0x1C, 0xF0,
1397 0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 1595 0x72,
1398 0x00,0x00,0x04,0xA2,0x0E,0x90,0xC3,0x90,0x67,0xC8, 1596 0x06, 0x67, 0xAC, 0xEB, 0x38, 0xAF, 0x4E, 0x48, 0x8C, 0x40, /* b */
1399 0x93,0xBB,0xB9,0xA5 } 1597 0x74, 0x33, 0xFF, 0xAE, 0x4F, 0x1C, 0x81, 0x16, 0x38, 0xDF,
1400 }; 1598 0x20,
1401 1599 0x00, 0x24, 0x26, 0x6E, 0x4E, 0xB5, 0x10, 0x6D, 0x0A, 0x96, /* x */
1402static const struct { EC_CURVE_DATA h; unsigned char data[20+24*6]; } 1600 0x4D, 0x92, 0xC4, 0x86, 0x0E, 0x26, 0x71, 0xDB, 0x9B, 0x6C,
1403 _EC_X9_62_CHAR2_191V2 = { 1601 0xC5,
1404 { NID_X9_62_characteristic_two_field,20,24,4 }, 1602 0x07, 0x9F, 0x68, 0x4D, 0xDF, 0x66, 0x84, 0xC5, 0xCD, 0x25, /* y */
1405 { 0x08,0x71,0xEF,0x2F,0xEF,0x24,0xD6,0x96,0xE6,0x76, /* seed */ 1603 0x8B, 0x38, 0x90, 0x02, 0x1B, 0x23, 0x86, 0xDF, 0xD1, 0x9F,
1406 0x87,0x56,0x15,0x17,0x58,0xBE,0xE0,0xD9,0x5C,0x15, 1604 0xC5,
1407 1605 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1408 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1606 0xFD, 0xF6, 0x4D, 0xE1, 0x15, 0x1A, 0xDB, 0xB7, 0x8F, 0x10,
1409 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1607 0xA7
1410 0x00,0x00,0x02,0x01, 1608 }
1411 0x40,0x10,0x28,0x77,0x4D,0x77,0x77,0xC7,0xB7,0x66, /* a */ 1609};
1412 0x6D,0x13,0x66,0xEA,0x43,0x20,0x71,0x27,0x4F,0x89, 1610
1413 0xFF,0x01,0xE7,0x18, 1611static const struct {
1414 0x06,0x20,0x04,0x8D,0x28,0xBC,0xBD,0x03,0xB6,0x24, /* b */ 1612 EC_CURVE_DATA h;
1415 0x9C,0x99,0x18,0x2B,0x7C,0x8C,0xD1,0x97,0x00,0xC3, 1613 unsigned char data[20 + 21 * 6];
1416 0x62,0xC4,0x6A,0x01, 1614}
1417 0x38,0x09,0xB2,0xB7,0xCC,0x1B,0x28,0xCC,0x5A,0x87, /* x */ 1615 _EC_X9_62_CHAR2_163V3 = {
1418 0x92,0x6A,0xAD,0x83,0xFD,0x28,0x78,0x9E,0x81,0xE2, 1616 {
1419 0xC9,0xE3,0xBF,0x10, 1617 NID_X9_62_characteristic_two_field, 20, 21, 2
1420 0x17,0x43,0x43,0x86,0x62,0x6D,0x14,0xF3,0xDB,0xF0, /* y */ 1618 },
1421 0x17,0x60,0xD9,0x21,0x3A,0x3E,0x1C,0xF3,0x7A,0xEC, 1619 {
1422 0x43,0x7D,0x66,0x8A, 1620 0x50, 0xCB, 0xF1, 0xD9, 0x5C, 0xA9, 0x4D, 0x69, 0x6E, 0x67, /* seed */
1423 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 1621 0x68, 0x75, 0x61, 0x51, 0x75, 0xF1, 0x6A, 0x36, 0xA3, 0xB8,
1424 0x00,0x00,0x50,0x50,0x8C,0xB8,0x9F,0x65,0x28,0x24, 1622
1425 0xE0,0x6B,0x81,0x73 } 1623 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1426 }; 1624 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1427 1625 0x07,
1428static const struct { EC_CURVE_DATA h; unsigned char data[20+24*6]; } 1626 0x07, 0xA5, 0x26, 0xC6, 0x3D, 0x3E, 0x25, 0xA2, 0x56, 0xA0, /* a */
1429 _EC_X9_62_CHAR2_191V3 = { 1627 0x07, 0x69, 0x9F, 0x54, 0x47, 0xE3, 0x2A, 0xE4, 0x56, 0xB5,
1430 { NID_X9_62_characteristic_two_field,20,24,6 }, 1628 0x0E,
1431 { 0xE0,0x53,0x51,0x2D,0xC6,0x84,0xD6,0x96,0xE6,0x76, /* seed */ 1629 0x03, 0xF7, 0x06, 0x17, 0x98, 0xEB, 0x99, 0xE2, 0x38, 0xFD, /* b */
1432 0x87,0x56,0x15,0x17,0x50,0x67,0xAE,0x78,0x6D,0x1F, 1630 0x6F, 0x1B, 0xF9, 0x5B, 0x48, 0xFE, 0xEB, 0x48, 0x54, 0x25,
1433 1631 0x2B,
1434 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1632 0x02, 0xF9, 0xF8, 0x7B, 0x7C, 0x57, 0x4D, 0x0B, 0xDE, 0xCF, /* x */
1435 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1633 0x8A, 0x22, 0xE6, 0x52, 0x47, 0x75, 0xF9, 0x8C, 0xDE, 0xBD,
1436 0x00,0x00,0x02,0x01, 1634 0xCB,
1437 0x6C,0x01,0x07,0x47,0x56,0x09,0x91,0x22,0x22,0x10, /* a */ 1635 0x05, 0xB9, 0x35, 0x59, 0x0C, 0x15, 0x5E, 0x17, 0xEA, 0x48, /* y */
1438 0x56,0x91,0x1C,0x77,0xD7,0x7E,0x77,0xA7,0x77,0xE7, 1636 0xEB, 0x3F, 0xF3, 0x71, 0x8B, 0x89, 0x3D, 0xF5, 0x9A, 0x05,
1439 0xE7,0xE7,0x7F,0xCB, 1637 0xD0,
1440 0x71,0xFE,0x1A,0xF9,0x26,0xCF,0x84,0x79,0x89,0xEF, /* b */ 1638 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
1441 0xEF,0x8D,0xB4,0x59,0xF6,0x63,0x94,0xD9,0x0F,0x32, 1639 0xFE, 0x1A, 0xEE, 0x14, 0x0F, 0x11, 0x0A, 0xFF, 0x96, 0x13,
1442 0xAD,0x3F,0x15,0xE8, 1640 0x09
1443 0x37,0x5D,0x4C,0xE2,0x4F,0xDE,0x43,0x44,0x89,0xDE, /* x */ 1641 }
1444 0x87,0x46,0xE7,0x17,0x86,0x01,0x50,0x09,0xE6,0x6E, 1642};
1445 0x38,0xA9,0x26,0xDD, 1643
1446 0x54,0x5A,0x39,0x17,0x61,0x96,0x57,0x5D,0x98,0x59, /* y */ 1644static const struct {
1447 0x99,0x36,0x6E,0x6A,0xD3,0x4C,0xE0,0xA7,0x7C,0xD7, 1645 EC_CURVE_DATA h;
1448 0x12,0x7B,0x06,0xBE, 1646 unsigned char data[0 + 23 * 6];
1449 0x15,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55, /* order */ 1647}
1450 0x55,0x55,0x61,0x0C,0x0B,0x19,0x68,0x12,0xBF,0xB6, 1648 _EC_X9_62_CHAR2_176V1 = {
1451 0x28,0x8A,0x3E,0xA3 } 1649 {
1452 }; 1650 NID_X9_62_characteristic_two_field, 0, 23, 0xFF6E
1453 1651 },
1454static const struct { EC_CURVE_DATA h; unsigned char data[0+27*6]; } 1652 { /* no seed */
1455 _EC_X9_62_CHAR2_208W1 = { 1653 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1456 { NID_X9_62_characteristic_two_field,0,27,0xFE48 }, 1654 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00,
1457 { /* no seed */ 1655 0x00, 0x00, 0x07,
1458 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1656 0x00, 0xE4, 0xE6, 0xDB, 0x29, 0x95, 0x06, 0x5C, 0x40, 0x7D, /* a */
1459 0x00,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00, 1657 0x9D, 0x39, 0xB8, 0xD0, 0x96, 0x7B, 0x96, 0x70, 0x4B, 0xA8,
1460 0x00,0x00,0x00,0x00,0x00,0x00,0x07, 1658 0xE9, 0xC9, 0x0B,
1461 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 1659 0x00, 0x5D, 0xDA, 0x47, 0x0A, 0xBE, 0x64, 0x14, 0xDE, 0x8E, /* b */
1462 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1660 0xC1, 0x33, 0xAE, 0x28, 0xE9, 0xBB, 0xD7, 0xFC, 0xEC, 0x0A,
1463 0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1661 0xE0, 0xFF, 0xF2,
1464 0x00,0xC8,0x61,0x9E,0xD4,0x5A,0x62,0xE6,0x21,0x2E, /* b */ 1662 0x00, 0x8D, 0x16, 0xC2, 0x86, 0x67, 0x98, 0xB6, 0x00, 0xF9, /* x */
1465 0x11,0x60,0x34,0x9E,0x2B,0xFA,0x84,0x44,0x39,0xFA, 1663 0xF0, 0x8B, 0xB4, 0xA8, 0xE8, 0x60, 0xF3, 0x29, 0x8C, 0xE0,
1466 0xFC,0x2A,0x3F,0xD1,0x63,0x8F,0x9E, 1664 0x4A, 0x57, 0x98,
1467 0x00,0x89,0xFD,0xFB,0xE4,0xAB,0xE1,0x93,0xDF,0x95, /* x */ 1665 0x00, 0x6F, 0xA4, 0x53, 0x9C, 0x2D, 0xAD, 0xDD, 0xD6, 0xBA, /* y */
1468 0x59,0xEC,0xF0,0x7A,0xC0,0xCE,0x78,0x55,0x4E,0x27, 1666 0xB5, 0x16, 0x7D, 0x61, 0xB4, 0x36, 0xE1, 0xD9, 0x2B, 0xB1,
1469 0x84,0xEB,0x8C,0x1E,0xD1,0xA5,0x7A, 1667 0x6A, 0x56, 0x2C,
1470 0x00,0x0F,0x55,0xB5,0x1A,0x06,0xE7,0x8E,0x9A,0xC3, /* y */ 1668 0x00, 0x00, 0x01, 0x00, 0x92, 0x53, 0x73, 0x97, 0xEC, 0xA4, /* order */
1471 0x8A,0x03,0x5F,0xF5,0x20,0xD8,0xB0,0x17,0x81,0xBE, 1669 0xF6, 0x14, 0x57, 0x99, 0xD6, 0x2B, 0x0A, 0x19, 0xCE, 0x06,
1472 0xB1,0xA6,0xBB,0x08,0x61,0x7D,0xE3, 1670 0xFE, 0x26, 0xAD
1473 0x00,0x00,0x01,0x01,0xBA,0xF9,0x5C,0x97,0x23,0xC5, /* order */ 1671 }
1474 0x7B,0x6C,0x21,0xDA,0x2E,0xFF,0x2D,0x5E,0xD5,0x88, 1672};
1475 0xBD,0xD5,0x71,0x7E,0x21,0x2F,0x9D } 1673
1476 }; 1674static const struct {
1477 1675 EC_CURVE_DATA h;
1478static const struct { EC_CURVE_DATA h; unsigned char data[20+30*6]; } 1676 unsigned char data[20 + 24 * 6];
1479 _EC_X9_62_CHAR2_239V1 = { 1677}
1480 { NID_X9_62_characteristic_two_field,20,30,4 }, 1678 _EC_X9_62_CHAR2_191V1 = {
1481 { 0xD3,0x4B,0x9A,0x4D,0x69,0x6E,0x67,0x68,0x75,0x61, /* seed */ 1679 {
1482 0x51,0x75,0xCA,0x71,0xB9,0x20,0xBF,0xEF,0xB0,0x5D, 1680 NID_X9_62_characteristic_two_field, 20, 24, 2
1483 1681 },
1484 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1682 {
1485 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1683 0x4E, 0x13, 0xCA, 0x54, 0x27, 0x44, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1486 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x01, 1684 0x87, 0x56, 0x15, 0x17, 0x55, 0x2F, 0x27, 0x9A, 0x8C, 0x84,
1487 1685
1488 0x32,0x01,0x08,0x57,0x07,0x7C,0x54,0x31,0x12,0x3A, /* a */ 1686 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1489 0x46,0xB8,0x08,0x90,0x67,0x56,0xF5,0x43,0x42,0x3E, 1687 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1490 0x8D,0x27,0x87,0x75,0x78,0x12,0x57,0x78,0xAC,0x76, 1688 0x00, 0x00, 0x02, 0x01,
1491 1689 0x28, 0x66, 0x53, 0x7B, 0x67, 0x67, 0x52, 0x63, 0x6A, 0x68, /* a */
1492 0x79,0x04,0x08,0xF2,0xEE,0xDA,0xF3,0x92,0xB0,0x12, /* b */ 1690 0xF5, 0x65, 0x54, 0xE1, 0x26, 0x40, 0x27, 0x6B, 0x64, 0x9E,
1493 0xED,0xEF,0xB3,0x39,0x2F,0x30,0xF4,0x32,0x7C,0x0C, 1691 0xF7, 0x52, 0x62, 0x67,
1494 0xA3,0xF3,0x1F,0xC3,0x83,0xC4,0x22,0xAA,0x8C,0x16, 1692 0x2E, 0x45, 0xEF, 0x57, 0x1F, 0x00, 0x78, 0x6F, 0x67, 0xB0, /* b */
1495 1693 0x08, 0x1B, 0x94, 0x95, 0xA3, 0xD9, 0x54, 0x62, 0xF5, 0xDE,
1496 0x57,0x92,0x70,0x98,0xFA,0x93,0x2E,0x7C,0x0A,0x96, /* x */ 1694 0x0A, 0xA1, 0x85, 0xEC,
1497 0xD3,0xFD,0x5B,0x70,0x6E,0xF7,0xE5,0xF5,0xC1,0x56, 1695 0x36, 0xB3, 0xDA, 0xF8, 0xA2, 0x32, 0x06, 0xF9, 0xC4, 0xF2, /* x */
1498 0xE1,0x6B,0x7E,0x7C,0x86,0x03,0x85,0x52,0xE9,0x1D, 1696 0x99, 0xD7, 0xB2, 0x1A, 0x9C, 0x36, 0x91, 0x37, 0xF2, 0xC8,
1499 1697 0x4A, 0xE1, 0xAA, 0x0D,
1500 0x61,0xD8,0xEE,0x50,0x77,0xC3,0x3F,0xEC,0xF6,0xF1, /* y */ 1698 0x76, 0x5B, 0xE7, 0x34, 0x33, 0xB3, 0xF9, 0x5E, 0x33, 0x29, /* y */
1501 0xA1,0x6B,0x26,0x8D,0xE4,0x69,0xC3,0xC7,0x74,0x4E, 1699 0x32, 0xE7, 0x0E, 0xA2, 0x45, 0xCA, 0x24, 0x18, 0xEA, 0x0E,
1502 0xA9,0xA9,0x71,0x64,0x9F,0xC7,0xA9,0x61,0x63,0x05, 1700 0xF9, 0x80, 0x18, 0xFB,
1503 1701 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1504 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* order */ 1702 0x00, 0x00, 0x04, 0xA2, 0x0E, 0x90, 0xC3, 0x90, 0x67, 0xC8,
1505 0x00,0x00,0x00,0x00,0x00,0x0F,0x4D,0x42,0xFF,0xE1, 1703 0x93, 0xBB, 0xB9, 0xA5
1506 0x49,0x2A,0x49,0x93,0xF1,0xCA,0xD6,0x66,0xE4,0x47 } 1704 }
1507 }; 1705};
1508 1706
1509static const struct { EC_CURVE_DATA h; unsigned char data[20+30*6]; } 1707static const struct {
1510 _EC_X9_62_CHAR2_239V2 = { 1708 EC_CURVE_DATA h;
1511 { NID_X9_62_characteristic_two_field,20,30,6 }, 1709 unsigned char data[20 + 24 * 6];
1512 { 0x2A,0xA6,0x98,0x2F,0xDF,0xA4,0xD6,0x96,0xE6,0x76, /* seed */ 1710}
1513 0x87,0x56,0x15,0x17,0x5D,0x26,0x67,0x27,0x27,0x7D, 1711 _EC_X9_62_CHAR2_191V2 = {
1514 1712 {
1515 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1713 NID_X9_62_characteristic_two_field, 20, 24, 4
1516 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1714 },
1517 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x01, 1715 {
1518 1716 0x08, 0x71, 0xEF, 0x2F, 0xEF, 0x24, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1519 0x42,0x30,0x01,0x77,0x57,0xA7,0x67,0xFA,0xE4,0x23, /* a */ 1717 0x87, 0x56, 0x15, 0x17, 0x58, 0xBE, 0xE0, 0xD9, 0x5C, 0x15,
1520 0x98,0x56,0x9B,0x74,0x63,0x25,0xD4,0x53,0x13,0xAF, 1718
1521 0x07,0x66,0x26,0x64,0x79,0xB7,0x56,0x54,0xE6,0x5F, 1719 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1522 1720 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1523 0x50,0x37,0xEA,0x65,0x41,0x96,0xCF,0xF0,0xCD,0x82, /* b */ 1721 0x00, 0x00, 0x02, 0x01,
1524 0xB2,0xC1,0x4A,0x2F,0xCF,0x2E,0x3F,0xF8,0x77,0x52, 1722 0x40, 0x10, 0x28, 0x77, 0x4D, 0x77, 0x77, 0xC7, 0xB7, 0x66, /* a */
1525 0x85,0xB5,0x45,0x72,0x2F,0x03,0xEA,0xCD,0xB7,0x4B, 1723 0x6D, 0x13, 0x66, 0xEA, 0x43, 0x20, 0x71, 0x27, 0x4F, 0x89,
1526 1724 0xFF, 0x01, 0xE7, 0x18,
1527 0x28,0xF9,0xD0,0x4E,0x90,0x00,0x69,0xC8,0xDC,0x47, /* x */ 1725 0x06, 0x20, 0x04, 0x8D, 0x28, 0xBC, 0xBD, 0x03, 0xB6, 0x24, /* b */
1528 0xA0,0x85,0x34,0xFE,0x76,0xD2,0xB9,0x00,0xB7,0xD7, 1726 0x9C, 0x99, 0x18, 0x2B, 0x7C, 0x8C, 0xD1, 0x97, 0x00, 0xC3,
1529 0xEF,0x31,0xF5,0x70,0x9F,0x20,0x0C,0x4C,0xA2,0x05, 1727 0x62, 0xC4, 0x6A, 0x01,
1530 1728 0x38, 0x09, 0xB2, 0xB7, 0xCC, 0x1B, 0x28, 0xCC, 0x5A, 0x87, /* x */
1531 0x56,0x67,0x33,0x4C,0x45,0xAF,0xF3,0xB5,0xA0,0x3B, /* y */ 1729 0x92, 0x6A, 0xAD, 0x83, 0xFD, 0x28, 0x78, 0x9E, 0x81, 0xE2,
1532 0xAD,0x9D,0xD7,0x5E,0x2C,0x71,0xA9,0x93,0x62,0x56, 1730 0xC9, 0xE3, 0xBF, 0x10,
1533 0x7D,0x54,0x53,0xF7,0xFA,0x6E,0x22,0x7E,0xC8,0x33, 1731 0x17, 0x43, 0x43, 0x86, 0x62, 0x6D, 0x14, 0xF3, 0xDB, 0xF0, /* y */
1534 1732 0x17, 0x60, 0xD9, 0x21, 0x3A, 0x3E, 0x1C, 0xF3, 0x7A, 0xEC,
1535 0x15,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55, /* order */ 1733 0x43, 0x7D, 0x66, 0x8A,
1536 0x55,0x55,0x55,0x55,0x55,0x3C,0x6F,0x28,0x85,0x25, 1734 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1537 0x9C,0x31,0xE3,0xFC,0xDF,0x15,0x46,0x24,0x52,0x2D } 1735 0x00, 0x00, 0x50, 0x50, 0x8C, 0xB8, 0x9F, 0x65, 0x28, 0x24,
1538 }; 1736 0xE0, 0x6B, 0x81, 0x73
1539 1737 }
1540static const struct { EC_CURVE_DATA h; unsigned char data[20+30*6]; } 1738};
1541 _EC_X9_62_CHAR2_239V3 = { 1739
1542 { NID_X9_62_characteristic_two_field,20,30,0xA }, 1740static const struct {
1543 { 0x9E,0x07,0x6F,0x4D,0x69,0x6E,0x67,0x68,0x75,0x61, /* seed */ 1741 EC_CURVE_DATA h;
1544 0x51,0x75,0xE1,0x1E,0x9F,0xDD,0x77,0xF9,0x20,0x41, 1742 unsigned char data[20 + 24 * 6];
1545 1743}
1546 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1744 _EC_X9_62_CHAR2_191V3 = {
1547 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1745 {
1548 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x01, 1746 NID_X9_62_characteristic_two_field, 20, 24, 6
1549 1747 },
1550 0x01,0x23,0x87,0x74,0x66,0x6A,0x67,0x76,0x6D,0x66, /* a */ 1748 {
1551 0x76,0xF7,0x78,0xE6,0x76,0xB6,0x69,0x99,0x17,0x66, 1749 0xE0, 0x53, 0x51, 0x2D, 0xC6, 0x84, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1552 0x66,0xE6,0x87,0x66,0x6D,0x87,0x66,0xC6,0x6A,0x9F, 1750 0x87, 0x56, 0x15, 0x17, 0x50, 0x67, 0xAE, 0x78, 0x6D, 0x1F,
1553 1751
1554 0x6A,0x94,0x19,0x77,0xBA,0x9F,0x6A,0x43,0x51,0x99, /* b */ 1752 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1555 0xAC,0xFC,0x51,0x06,0x7E,0xD5,0x87,0xF5,0x19,0xC5, 1753 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1556 0xEC,0xB5,0x41,0xB8,0xE4,0x41,0x11,0xDE,0x1D,0x40, 1754 0x00, 0x00, 0x02, 0x01,
1557 1755 0x6C, 0x01, 0x07, 0x47, 0x56, 0x09, 0x91, 0x22, 0x22, 0x10, /* a */
1558 0x70,0xF6,0xE9,0xD0,0x4D,0x28,0x9C,0x4E,0x89,0x91, /* x */ 1756 0x56, 0x91, 0x1C, 0x77, 0xD7, 0x7E, 0x77, 0xA7, 0x77, 0xE7,
1559 0x3C,0xE3,0x53,0x0B,0xFD,0xE9,0x03,0x97,0x7D,0x42, 1757 0xE7, 0xE7, 0x7F, 0xCB,
1560 0xB1,0x46,0xD5,0x39,0xBF,0x1B,0xDE,0x4E,0x9C,0x92, 1758 0x71, 0xFE, 0x1A, 0xF9, 0x26, 0xCF, 0x84, 0x79, 0x89, 0xEF, /* b */
1561 1759 0xEF, 0x8D, 0xB4, 0x59, 0xF6, 0x63, 0x94, 0xD9, 0x0F, 0x32,
1562 0x2E,0x5A,0x0E,0xAF,0x6E,0x5E,0x13,0x05,0xB9,0x00, /* y */ 1760 0xAD, 0x3F, 0x15, 0xE8,
1563 0x4D,0xCE,0x5C,0x0E,0xD7,0xFE,0x59,0xA3,0x56,0x08, 1761 0x37, 0x5D, 0x4C, 0xE2, 0x4F, 0xDE, 0x43, 0x44, 0x89, 0xDE, /* x */
1564 0xF3,0x38,0x37,0xC8,0x16,0xD8,0x0B,0x79,0xF4,0x61, 1762 0x87, 0x46, 0xE7, 0x17, 0x86, 0x01, 0x50, 0x09, 0xE6, 0x6E,
1565 1763 0x38, 0xA9, 0x26, 0xDD,
1566 0x0C,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, /* order */ 1764 0x54, 0x5A, 0x39, 0x17, 0x61, 0x96, 0x57, 0x5D, 0x98, 0x59, /* y */
1567 0xCC,0xCC,0xCC,0xCC,0xCC,0xAC,0x49,0x12,0xD2,0xD9, 1765 0x99, 0x36, 0x6E, 0x6A, 0xD3, 0x4C, 0xE0, 0xA7, 0x7C, 0xD7,
1568 0xDF,0x90,0x3E,0xF9,0x88,0x8B,0x8A,0x0E,0x4C,0xFF } 1766 0x12, 0x7B, 0x06, 0xBE,
1569 }; 1767 0x15, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, /* order */
1570 1768 0x55, 0x55, 0x61, 0x0C, 0x0B, 0x19, 0x68, 0x12, 0xBF, 0xB6,
1571static const struct { EC_CURVE_DATA h; unsigned char data[0+35*6]; } 1769 0x28, 0x8A, 0x3E, 0xA3
1572 _EC_X9_62_CHAR2_272W1 = { 1770 }
1573 { NID_X9_62_characteristic_two_field,0,35,0xFF06 }, 1771};
1574 { /* no seed */ 1772
1575 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1773static const struct {
1576 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1774 EC_CURVE_DATA h;
1577 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00, 1775 unsigned char data[0 + 27 * 6];
1578 0x00,0x00,0x00,0x00,0x0B, 1776}
1579 0x00,0x91,0xA0,0x91,0xF0,0x3B,0x5F,0xBA,0x4A,0xB2, /* a */ 1777 _EC_X9_62_CHAR2_208W1 = {
1580 0xCC,0xF4,0x9C,0x4E,0xDD,0x22,0x0F,0xB0,0x28,0x71, 1778 {
1581 0x2D,0x42,0xBE,0x75,0x2B,0x2C,0x40,0x09,0x4D,0xBA, 1779 NID_X9_62_characteristic_two_field, 0, 27, 0xFE48
1582 0xCD,0xB5,0x86,0xFB,0x20, 1780 },
1583 0x00,0x71,0x67,0xEF,0xC9,0x2B,0xB2,0xE3,0xCE,0x7C, /* b */ 1781 { /* no seed */
1584 0x8A,0xAA,0xFF,0x34,0xE1,0x2A,0x9C,0x55,0x70,0x03, 1782 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1585 0xD7,0xC7,0x3A,0x6F,0xAF,0x00,0x3F,0x99,0xF6,0xCC, 1783 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
1586 0x84,0x82,0xE5,0x40,0xF7, 1784 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
1587 0x00,0x61,0x08,0xBA,0xBB,0x2C,0xEE,0xBC,0xF7,0x87, /* x */ 1785 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1588 0x05,0x8A,0x05,0x6C,0xBE,0x0C,0xFE,0x62,0x2D,0x77, 1786 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1589 0x23,0xA2,0x89,0xE0,0x8A,0x07,0xAE,0x13,0xEF,0x0D, 1787 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1590 0x10,0xD1,0x71,0xDD,0x8D, 1788 0x00, 0xC8, 0x61, 0x9E, 0xD4, 0x5A, 0x62, 0xE6, 0x21, 0x2E, /* b */
1591 0x00,0x10,0xC7,0x69,0x57,0x16,0x85,0x1E,0xEF,0x6B, /* y */ 1789 0x11, 0x60, 0x34, 0x9E, 0x2B, 0xFA, 0x84, 0x44, 0x39, 0xFA,
1592 0xA7,0xF6,0x87,0x2E,0x61,0x42,0xFB,0xD2,0x41,0xB8, 1790 0xFC, 0x2A, 0x3F, 0xD1, 0x63, 0x8F, 0x9E,
1593 0x30,0xFF,0x5E,0xFC,0xAC,0xEC,0xCA,0xB0,0x5E,0x02, 1791 0x00, 0x89, 0xFD, 0xFB, 0xE4, 0xAB, 0xE1, 0x93, 0xDF, 0x95, /* x */
1594 0x00,0x5D,0xDE,0x9D,0x23, 1792 0x59, 0xEC, 0xF0, 0x7A, 0xC0, 0xCE, 0x78, 0x55, 0x4E, 0x27,
1595 0x00,0x00,0x01,0x00,0xFA,0xF5,0x13,0x54,0xE0,0xE3, /* order */ 1793 0x84, 0xEB, 0x8C, 0x1E, 0xD1, 0xA5, 0x7A,
1596 0x9E,0x48,0x92,0xDF,0x6E,0x31,0x9C,0x72,0xC8,0x16, 1794 0x00, 0x0F, 0x55, 0xB5, 0x1A, 0x06, 0xE7, 0x8E, 0x9A, 0xC3, /* y */
1597 0x16,0x03,0xFA,0x45,0xAA,0x7B,0x99,0x8A,0x16,0x7B, 1795 0x8A, 0x03, 0x5F, 0xF5, 0x20, 0xD8, 0xB0, 0x17, 0x81, 0xBE,
1598 0x8F,0x1E,0x62,0x95,0x21 } 1796 0xB1, 0xA6, 0xBB, 0x08, 0x61, 0x7D, 0xE3,
1599 }; 1797 0x00, 0x00, 0x01, 0x01, 0xBA, 0xF9, 0x5C, 0x97, 0x23, 0xC5, /* order */
1600 1798 0x7B, 0x6C, 0x21, 0xDA, 0x2E, 0xFF, 0x2D, 0x5E, 0xD5, 0x88,
1601static const struct { EC_CURVE_DATA h; unsigned char data[0+39*6]; } 1799 0xBD, 0xD5, 0x71, 0x7E, 0x21, 0x2F, 0x9D
1602 _EC_X9_62_CHAR2_304W1 = { 1800 }
1603 { NID_X9_62_characteristic_two_field,0,39,0xFE2E }, 1801};
1604 { /* no seed */ 1802
1605 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1803static const struct {
1606 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1804 EC_CURVE_DATA h;
1607 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1805 unsigned char data[20 + 30 * 6];
1608 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08,0x07, 1806}
1609 0x00,0xFD,0x0D,0x69,0x31,0x49,0xA1,0x18,0xF6,0x51, /* a */ 1807 _EC_X9_62_CHAR2_239V1 = {
1610 0xE6,0xDC,0xE6,0x80,0x20,0x85,0x37,0x7E,0x5F,0x88, 1808 {
1611 0x2D,0x1B,0x51,0x0B,0x44,0x16,0x00,0x74,0xC1,0x28, 1809 NID_X9_62_characteristic_two_field, 20, 30, 4
1612 0x80,0x78,0x36,0x5A,0x03,0x96,0xC8,0xE6,0x81, 1810 },
1613 0x00,0xBD,0xDB,0x97,0xE5,0x55,0xA5,0x0A,0x90,0x8E, /* b */ 1811 {
1614 0x43,0xB0,0x1C,0x79,0x8E,0xA5,0xDA,0xA6,0x78,0x8F, 1812 0xD3, 0x4B, 0x9A, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, /* seed */
1615 0x1E,0xA2,0x79,0x4E,0xFC,0xF5,0x71,0x66,0xB8,0xC1, 1813 0x51, 0x75, 0xCA, 0x71, 0xB9, 0x20, 0xBF, 0xEF, 0xB0, 0x5D,
1616 0x40,0x39,0x60,0x1E,0x55,0x82,0x73,0x40,0xBE, 1814
1617 0x00,0x19,0x7B,0x07,0x84,0x5E,0x9B,0xE2,0xD9,0x6A, /* x */ 1815 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1618 0xDB,0x0F,0x5F,0x3C,0x7F,0x2C,0xFF,0xBD,0x7A,0x3E, 1816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1619 0xB8,0xB6,0xFE,0xC3,0x5C,0x7F,0xD6,0x7F,0x26,0xDD, 1817 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01,
1620 0xF6,0x28,0x5A,0x64,0x4F,0x74,0x0A,0x26,0x14, 1818
1621 0x00,0xE1,0x9F,0xBE,0xB7,0x6E,0x0D,0xA1,0x71,0x51, /* y */ 1819 0x32, 0x01, 0x08, 0x57, 0x07, 0x7C, 0x54, 0x31, 0x12, 0x3A, /* a */
1622 0x7E,0xCF,0x40,0x1B,0x50,0x28,0x9B,0xF0,0x14,0x10, 1820 0x46, 0xB8, 0x08, 0x90, 0x67, 0x56, 0xF5, 0x43, 0x42, 0x3E,
1623 0x32,0x88,0x52,0x7A,0x9B,0x41,0x6A,0x10,0x5E,0x80, 1821 0x8D, 0x27, 0x87, 0x75, 0x78, 0x12, 0x57, 0x78, 0xAC, 0x76,
1624 0x26,0x0B,0x54,0x9F,0xDC,0x1B,0x92,0xC0,0x3B, 1822
1625 0x00,0x00,0x01,0x01,0xD5,0x56,0x57,0x2A,0xAB,0xAC, /* order */ 1823 0x79, 0x04, 0x08, 0xF2, 0xEE, 0xDA, 0xF3, 0x92, 0xB0, 0x12, /* b */
1626 0x80,0x01,0x01,0xD5,0x56,0x57,0x2A,0xAB,0xAC,0x80, 1824 0xED, 0xEF, 0xB3, 0x39, 0x2F, 0x30, 0xF4, 0x32, 0x7C, 0x0C,
1627 0x01,0x02,0x2D,0x5C,0x91,0xDD,0x17,0x3F,0x8F,0xB5, 1825 0xA3, 0xF3, 0x1F, 0xC3, 0x83, 0xC4, 0x22, 0xAA, 0x8C, 0x16,
1628 0x61,0xDA,0x68,0x99,0x16,0x44,0x43,0x05,0x1D } 1826
1629 }; 1827 0x57, 0x92, 0x70, 0x98, 0xFA, 0x93, 0x2E, 0x7C, 0x0A, 0x96, /* x */
1630 1828 0xD3, 0xFD, 0x5B, 0x70, 0x6E, 0xF7, 0xE5, 0xF5, 0xC1, 0x56,
1631static const struct { EC_CURVE_DATA h; unsigned char data[20+45*6]; } 1829 0xE1, 0x6B, 0x7E, 0x7C, 0x86, 0x03, 0x85, 0x52, 0xE9, 0x1D,
1632 _EC_X9_62_CHAR2_359V1 = { 1830
1633 { NID_X9_62_characteristic_two_field,20,45,0x4C }, 1831 0x61, 0xD8, 0xEE, 0x50, 0x77, 0xC3, 0x3F, 0xEC, 0xF6, 0xF1, /* y */
1634 { 0x2B,0x35,0x49,0x20,0xB7,0x24,0xD6,0x96,0xE6,0x76, /* seed */ 1832 0xA1, 0x6B, 0x26, 0x8D, 0xE4, 0x69, 0xC3, 0xC7, 0x74, 0x4E,
1635 0x87,0x56,0x15,0x17,0x58,0x5B,0xA1,0x33,0x2D,0xC6, 1833 0xA9, 0xA9, 0x71, 0x64, 0x9F, 0xC7, 0xA9, 0x61, 0x63, 0x05,
1636 1834
1637 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1835 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
1638 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1836 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x4D, 0x42, 0xFF, 0xE1,
1639 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1837 0x49, 0x2A, 0x49, 0x93, 0xF1, 0xCA, 0xD6, 0x66, 0xE4, 0x47
1640 0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00, 1838 }
1641 0x00,0x00,0x00,0x00,0x01, 1839};
1642 0x56,0x67,0x67,0x6A,0x65,0x4B,0x20,0x75,0x4F,0x35, /* a */ 1840
1643 0x6E,0xA9,0x20,0x17,0xD9,0x46,0x56,0x7C,0x46,0x67, 1841static const struct {
1644 0x55,0x56,0xF1,0x95,0x56,0xA0,0x46,0x16,0xB5,0x67, 1842 EC_CURVE_DATA h;
1645 0xD2,0x23,0xA5,0xE0,0x56,0x56,0xFB,0x54,0x90,0x16, 1843 unsigned char data[20 + 30 * 6];
1646 0xA9,0x66,0x56,0xA5,0x57, 1844}
1647 0x24,0x72,0xE2,0xD0,0x19,0x7C,0x49,0x36,0x3F,0x1F, /* b */ 1845 _EC_X9_62_CHAR2_239V2 = {
1648 0xE7,0xF5,0xB6,0xDB,0x07,0x5D,0x52,0xB6,0x94,0x7D, 1846 {
1649 0x13,0x5D,0x8C,0xA4,0x45,0x80,0x5D,0x39,0xBC,0x34, 1847 NID_X9_62_characteristic_two_field, 20, 30, 6
1650 0x56,0x26,0x08,0x96,0x87,0x74,0x2B,0x63,0x29,0xE7, 1848 },
1651 0x06,0x80,0x23,0x19,0x88, 1849 {
1652 0x3C,0x25,0x8E,0xF3,0x04,0x77,0x67,0xE7,0xED,0xE0, /* x */ 1850 0x2A, 0xA6, 0x98, 0x2F, 0xDF, 0xA4, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1653 0xF1,0xFD,0xAA,0x79,0xDA,0xEE,0x38,0x41,0x36,0x6A, 1851 0x87, 0x56, 0x15, 0x17, 0x5D, 0x26, 0x67, 0x27, 0x27, 0x7D,
1654 0x13,0x2E,0x16,0x3A,0xCE,0xD4,0xED,0x24,0x01,0xDF, 1852
1655 0x9C,0x6B,0xDC,0xDE,0x98,0xE8,0xE7,0x07,0xC0,0x7A, 1853 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1656 0x22,0x39,0xB1,0xB0,0x97, 1854 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1657 0x53,0xD7,0xE0,0x85,0x29,0x54,0x70,0x48,0x12,0x1E, /* y */ 1855 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01,
1658 0x9C,0x95,0xF3,0x79,0x1D,0xD8,0x04,0x96,0x39,0x48, 1856
1659 0xF3,0x4F,0xAE,0x7B,0xF4,0x4E,0xA8,0x23,0x65,0xDC, 1857 0x42, 0x30, 0x01, 0x77, 0x57, 0xA7, 0x67, 0xFA, 0xE4, 0x23, /* a */
1660 0x78,0x68,0xFE,0x57,0xE4,0xAE,0x2D,0xE2,0x11,0x30, 1858 0x98, 0x56, 0x9B, 0x74, 0x63, 0x25, 0xD4, 0x53, 0x13, 0xAF,
1661 0x5A,0x40,0x71,0x04,0xBD, 1859 0x07, 0x66, 0x26, 0x64, 0x79, 0xB7, 0x56, 0x54, 0xE6, 0x5F,
1662 0x01,0xAF,0x28,0x6B,0xCA,0x1A,0xF2,0x86,0xBC,0xA1, /* order */ 1860
1663 0xAF,0x28,0x6B,0xCA,0x1A,0xF2,0x86,0xBC,0xA1,0xAF, 1861 0x50, 0x37, 0xEA, 0x65, 0x41, 0x96, 0xCF, 0xF0, 0xCD, 0x82, /* b */
1664 0x28,0x6B,0xC9,0xFB,0x8F,0x6B,0x85,0xC5,0x56,0x89, 1862 0xB2, 0xC1, 0x4A, 0x2F, 0xCF, 0x2E, 0x3F, 0xF8, 0x77, 0x52,
1665 0x2C,0x20,0xA7,0xEB,0x96,0x4F,0xE7,0x71,0x9E,0x74, 1863 0x85, 0xB5, 0x45, 0x72, 0x2F, 0x03, 0xEA, 0xCD, 0xB7, 0x4B,
1666 0xF4,0x90,0x75,0x8D,0x3B } 1864
1667 }; 1865 0x28, 0xF9, 0xD0, 0x4E, 0x90, 0x00, 0x69, 0xC8, 0xDC, 0x47, /* x */
1668 1866 0xA0, 0x85, 0x34, 0xFE, 0x76, 0xD2, 0xB9, 0x00, 0xB7, 0xD7,
1669static const struct { EC_CURVE_DATA h; unsigned char data[0+47*6]; } 1867 0xEF, 0x31, 0xF5, 0x70, 0x9F, 0x20, 0x0C, 0x4C, 0xA2, 0x05,
1670 _EC_X9_62_CHAR2_368W1 = { 1868
1671 { NID_X9_62_characteristic_two_field,0,47,0xFF70 }, 1869 0x56, 0x67, 0x33, 0x4C, 0x45, 0xAF, 0xF3, 0xB5, 0xA0, 0x3B, /* y */
1672 { /* no seed */ 1870 0xAD, 0x9D, 0xD7, 0x5E, 0x2C, 0x71, 0xA9, 0x93, 0x62, 0x56,
1673 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1871 0x7D, 0x54, 0x53, 0xF7, 0xFA, 0x6E, 0x22, 0x7E, 0xC8, 0x33,
1674 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1872
1675 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1873 0x15, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, /* order */
1676 0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00, 1874 0x55, 0x55, 0x55, 0x55, 0x55, 0x3C, 0x6F, 0x28, 0x85, 0x25,
1677 0x00,0x00,0x00,0x00,0x00,0x00,0x07, 1875 0x9C, 0x31, 0xE3, 0xFC, 0xDF, 0x15, 0x46, 0x24, 0x52, 0x2D
1678 0x00,0xE0,0xD2,0xEE,0x25,0x09,0x52,0x06,0xF5,0xE2, /* a */ 1876 }
1679 0xA4,0xF9,0xED,0x22,0x9F,0x1F,0x25,0x6E,0x79,0xA0, 1877};
1680 0xE2,0xB4,0x55,0x97,0x0D,0x8D,0x0D,0x86,0x5B,0xD9, 1878
1681 0x47,0x78,0xC5,0x76,0xD6,0x2F,0x0A,0xB7,0x51,0x9C, 1879static const struct {
1682 0xCD,0x2A,0x1A,0x90,0x6A,0xE3,0x0D, 1880 EC_CURVE_DATA h;
1683 0x00,0xFC,0x12,0x17,0xD4,0x32,0x0A,0x90,0x45,0x2C, /* b */ 1881 unsigned char data[20 + 30 * 6];
1684 0x76,0x0A,0x58,0xED,0xCD,0x30,0xC8,0xDD,0x06,0x9B, 1882}
1685 0x3C,0x34,0x45,0x38,0x37,0xA3,0x4E,0xD5,0x0C,0xB5, 1883 _EC_X9_62_CHAR2_239V3 = {
1686 0x49,0x17,0xE1,0xC2,0x11,0x2D,0x84,0xD1,0x64,0xF4, 1884 {
1687 0x44,0xF8,0xF7,0x47,0x86,0x04,0x6A, 1885 NID_X9_62_characteristic_two_field, 20, 30, 0xA
1688 0x00,0x10,0x85,0xE2,0x75,0x53,0x81,0xDC,0xCC,0xE3, /* x */ 1886 },
1689 0xC1,0x55,0x7A,0xFA,0x10,0xC2,0xF0,0xC0,0xC2,0x82, 1887 {
1690 0x56,0x46,0xC5,0xB3,0x4A,0x39,0x4C,0xBC,0xFA,0x8B, 1888 0x9E, 0x07, 0x6F, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, /* seed */
1691 0xC1,0x6B,0x22,0xE7,0xE7,0x89,0xE9,0x27,0xBE,0x21, 1889 0x51, 0x75, 0xE1, 0x1E, 0x9F, 0xDD, 0x77, 0xF9, 0x20, 0x41,
1692 0x6F,0x02,0xE1,0xFB,0x13,0x6A,0x5F, 1890
1693 0x00,0x7B,0x3E,0xB1,0xBD,0xDC,0xBA,0x62,0xD5,0xD8, /* y */ 1891 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1694 0xB2,0x05,0x9B,0x52,0x57,0x97,0xFC,0x73,0x82,0x2C, 1892 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1695 0x59,0x05,0x9C,0x62,0x3A,0x45,0xFF,0x38,0x43,0xCE, 1893 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01,
1696 0xE8,0xF8,0x7C,0xD1,0x85,0x5A,0xDA,0xA8,0x1E,0x2A, 1894
1697 0x07,0x50,0xB8,0x0F,0xDA,0x23,0x10, 1895 0x01, 0x23, 0x87, 0x74, 0x66, 0x6A, 0x67, 0x76, 0x6D, 0x66, /* a */
1698 0x00,0x00,0x01,0x00,0x90,0x51,0x2D,0xA9,0xAF,0x72, /* order */ 1896 0x76, 0xF7, 0x78, 0xE6, 0x76, 0xB6, 0x69, 0x99, 0x17, 0x66,
1699 0xB0,0x83,0x49,0xD9,0x8A,0x5D,0xD4,0xC7,0xB0,0x53, 1897 0x66, 0xE6, 0x87, 0x66, 0x6D, 0x87, 0x66, 0xC6, 0x6A, 0x9F,
1700 0x2E,0xCA,0x51,0xCE,0x03,0xE2,0xD1,0x0F,0x3B,0x7A, 1898
1701 0xC5,0x79,0xBD,0x87,0xE9,0x09,0xAE,0x40,0xA6,0xF1, 1899 0x6A, 0x94, 0x19, 0x77, 0xBA, 0x9F, 0x6A, 0x43, 0x51, 0x99, /* b */
1702 0x31,0xE9,0xCF,0xCE,0x5B,0xD9,0x67 } 1900 0xAC, 0xFC, 0x51, 0x06, 0x7E, 0xD5, 0x87, 0xF5, 0x19, 0xC5,
1703 }; 1901 0xEC, 0xB5, 0x41, 0xB8, 0xE4, 0x41, 0x11, 0xDE, 0x1D, 0x40,
1704 1902
1705static const struct { EC_CURVE_DATA h; unsigned char data[0+54*6]; } 1903 0x70, 0xF6, 0xE9, 0xD0, 0x4D, 0x28, 0x9C, 0x4E, 0x89, 0x91, /* x */
1706 _EC_X9_62_CHAR2_431R1 = { 1904 0x3C, 0xE3, 0x53, 0x0B, 0xFD, 0xE9, 0x03, 0x97, 0x7D, 0x42,
1707 { NID_X9_62_characteristic_two_field,0,54,0x2760 }, 1905 0xB1, 0x46, 0xD5, 0x39, 0xBF, 0x1B, 0xDE, 0x4E, 0x9C, 0x92,
1708 { /* no seed */ 1906
1709 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1907 0x2E, 0x5A, 0x0E, 0xAF, 0x6E, 0x5E, 0x13, 0x05, 0xB9, 0x00, /* y */
1710 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1908 0x4D, 0xCE, 0x5C, 0x0E, 0xD7, 0xFE, 0x59, 0xA3, 0x56, 0x08,
1711 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1909 0xF3, 0x38, 0x37, 0xC8, 0x16, 0xD8, 0x0B, 0x79, 0xF4, 0x61,
1712 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00, 1910
1713 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 1911 0x0C, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, /* order */
1714 0x00,0x00,0x00,0x01, 1912 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xAC, 0x49, 0x12, 0xD2, 0xD9,
1715 0x1A,0x82,0x7E,0xF0,0x0D,0xD6,0xFC,0x0E,0x23,0x4C, /* a */ 1913 0xDF, 0x90, 0x3E, 0xF9, 0x88, 0x8B, 0x8A, 0x0E, 0x4C, 0xFF
1716 0xAF,0x04,0x6C,0x6A,0x5D,0x8A,0x85,0x39,0x5B,0x23, 1914 }
1717 0x6C,0xC4,0xAD,0x2C,0xF3,0x2A,0x0C,0xAD,0xBD,0xC9, 1915};
1718 0xDD,0xF6,0x20,0xB0,0xEB,0x99,0x06,0xD0,0x95,0x7F, 1916
1719 0x6C,0x6F,0xEA,0xCD,0x61,0x54,0x68,0xDF,0x10,0x4D, 1917static const struct {
1720 0xE2,0x96,0xCD,0x8F, 1918 EC_CURVE_DATA h;
1721 0x10,0xD9,0xB4,0xA3,0xD9,0x04,0x7D,0x8B,0x15,0x43, /* b */ 1919 unsigned char data[0 + 35 * 6];
1722 0x59,0xAB,0xFB,0x1B,0x7F,0x54,0x85,0xB0,0x4C,0xEB, 1920}
1723 0x86,0x82,0x37,0xDD,0xC9,0xDE,0xDA,0x98,0x2A,0x67, 1921 _EC_X9_62_CHAR2_272W1 = {
1724 0x9A,0x5A,0x91,0x9B,0x62,0x6D,0x4E,0x50,0xA8,0xDD, 1922 {
1725 0x73,0x1B,0x10,0x7A,0x99,0x62,0x38,0x1F,0xB5,0xD8, 1923 NID_X9_62_characteristic_two_field, 0, 35, 0xFF06
1726 0x07,0xBF,0x26,0x18, 1924 },
1727 0x12,0x0F,0xC0,0x5D,0x3C,0x67,0xA9,0x9D,0xE1,0x61, /* x */ 1925 { /* no seed */
1728 0xD2,0xF4,0x09,0x26,0x22,0xFE,0xCA,0x70,0x1B,0xE4, 1926 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1729 0xF5,0x0F,0x47,0x58,0x71,0x4E,0x8A,0x87,0xBB,0xF2, 1927 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1730 0xA6,0x58,0xEF,0x8C,0x21,0xE7,0xC5,0xEF,0xE9,0x65, 1928 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
1731 0x36,0x1F,0x6C,0x29,0x99,0xC0,0xC2,0x47,0xB0,0xDB, 1929 0x00, 0x00, 0x00, 0x00, 0x0B,
1732 0xD7,0x0C,0xE6,0xB7, 1930 0x00, 0x91, 0xA0, 0x91, 0xF0, 0x3B, 0x5F, 0xBA, 0x4A, 0xB2, /* a */
1733 0x20,0xD0,0xAF,0x89,0x03,0xA9,0x6F,0x8D,0x5F,0xA2, /* y */ 1931 0xCC, 0xF4, 0x9C, 0x4E, 0xDD, 0x22, 0x0F, 0xB0, 0x28, 0x71,
1734 0xC2,0x55,0x74,0x5D,0x3C,0x45,0x1B,0x30,0x2C,0x93, 1932 0x2D, 0x42, 0xBE, 0x75, 0x2B, 0x2C, 0x40, 0x09, 0x4D, 0xBA,
1735 0x46,0xD9,0xB7,0xE4,0x85,0xE7,0xBC,0xE4,0x1F,0x6B, 1933 0xCD, 0xB5, 0x86, 0xFB, 0x20,
1736 0x59,0x1F,0x3E,0x8F,0x6A,0xDD,0xCB,0xB0,0xBC,0x4C, 1934 0x00, 0x71, 0x67, 0xEF, 0xC9, 0x2B, 0xB2, 0xE3, 0xCE, 0x7C, /* b */
1737 0x2F,0x94,0x7A,0x7D,0xE1,0xA8,0x9B,0x62,0x5D,0x6A, 1935 0x8A, 0xAA, 0xFF, 0x34, 0xE1, 0x2A, 0x9C, 0x55, 0x70, 0x03,
1738 0x59,0x8B,0x37,0x60, 1936 0xD7, 0xC7, 0x3A, 0x6F, 0xAF, 0x00, 0x3F, 0x99, 0xF6, 0xCC,
1739 0x00,0x03,0x40,0x34,0x03,0x40,0x34,0x03,0x40,0x34, /* order */ 1937 0x84, 0x82, 0xE5, 0x40, 0xF7,
1740 0x03,0x40,0x34,0x03,0x40,0x34,0x03,0x40,0x34,0x03, 1938 0x00, 0x61, 0x08, 0xBA, 0xBB, 0x2C, 0xEE, 0xBC, 0xF7, 0x87, /* x */
1741 0x40,0x34,0x03,0x40,0x34,0x03,0x40,0x34,0x03,0x23, 1939 0x05, 0x8A, 0x05, 0x6C, 0xBE, 0x0C, 0xFE, 0x62, 0x2D, 0x77,
1742 0xC3,0x13,0xFA,0xB5,0x05,0x89,0x70,0x3B,0x5E,0xC6, 1940 0x23, 0xA2, 0x89, 0xE0, 0x8A, 0x07, 0xAE, 0x13, 0xEF, 0x0D,
1743 0x8D,0x35,0x87,0xFE,0xC6,0x0D,0x16,0x1C,0xC1,0x49, 1941 0x10, 0xD1, 0x71, 0xDD, 0x8D,
1744 0xC1,0xAD,0x4A,0x91 } 1942 0x00, 0x10, 0xC7, 0x69, 0x57, 0x16, 0x85, 0x1E, 0xEF, 0x6B, /* y */
1745 }; 1943 0xA7, 0xF6, 0x87, 0x2E, 0x61, 0x42, 0xFB, 0xD2, 0x41, 0xB8,
1746 1944 0x30, 0xFF, 0x5E, 0xFC, 0xAC, 0xEC, 0xCA, 0xB0, 0x5E, 0x02,
1747static const struct { EC_CURVE_DATA h; unsigned char data[0+15*6]; } 1945 0x00, 0x5D, 0xDE, 0x9D, 0x23,
1748 _EC_WTLS_1 = { 1946 0x00, 0x00, 0x01, 0x00, 0xFA, 0xF5, 0x13, 0x54, 0xE0, 0xE3, /* order */
1749 { NID_X9_62_characteristic_two_field,0,15,2 }, 1947 0x9E, 0x48, 0x92, 0xDF, 0x6E, 0x31, 0x9C, 0x72, 0xC8, 0x16,
1750 { /* no seed */ 1948 0x16, 0x03, 0xFA, 0x45, 0xAA, 0x7B, 0x99, 0x8A, 0x16, 0x7B,
1751 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 1949 0x8F, 0x1E, 0x62, 0x95, 0x21
1752 0x00,0x00,0x00,0x02,0x01, 1950 }
1753 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 1951};
1754 0x00,0x00,0x00,0x00,0x01, 1952
1755 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 1953static const struct {
1756 0x00,0x00,0x00,0x00,0x01, 1954 EC_CURVE_DATA h;
1757 0x01,0x66,0x79,0x79,0xA4,0x0B,0xA4,0x97,0xE5,0xD5, /* x */ 1955 unsigned char data[0 + 39 * 6];
1758 0xC2,0x70,0x78,0x06,0x17, 1956}
1759 0x00,0xF4,0x4B,0x4A,0xF1,0xEC,0xC2,0x63,0x0E,0x08, /* y */ 1957 _EC_X9_62_CHAR2_304W1 = {
1760 0x78,0x5C,0xEB,0xCC,0x15, 1958 {
1761 0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFD,0xBF, /* order */ 1959 NID_X9_62_characteristic_two_field, 0, 39, 0xFE2E
1762 0x91,0xAF,0x6D,0xEA,0x73 } 1960 },
1763 }; 1961 { /* no seed */
1962 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1963 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1964 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1965 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x07,
1966 0x00, 0xFD, 0x0D, 0x69, 0x31, 0x49, 0xA1, 0x18, 0xF6, 0x51, /* a */
1967 0xE6, 0xDC, 0xE6, 0x80, 0x20, 0x85, 0x37, 0x7E, 0x5F, 0x88,
1968 0x2D, 0x1B, 0x51, 0x0B, 0x44, 0x16, 0x00, 0x74, 0xC1, 0x28,
1969 0x80, 0x78, 0x36, 0x5A, 0x03, 0x96, 0xC8, 0xE6, 0x81,
1970 0x00, 0xBD, 0xDB, 0x97, 0xE5, 0x55, 0xA5, 0x0A, 0x90, 0x8E, /* b */
1971 0x43, 0xB0, 0x1C, 0x79, 0x8E, 0xA5, 0xDA, 0xA6, 0x78, 0x8F,
1972 0x1E, 0xA2, 0x79, 0x4E, 0xFC, 0xF5, 0x71, 0x66, 0xB8, 0xC1,
1973 0x40, 0x39, 0x60, 0x1E, 0x55, 0x82, 0x73, 0x40, 0xBE,
1974 0x00, 0x19, 0x7B, 0x07, 0x84, 0x5E, 0x9B, 0xE2, 0xD9, 0x6A, /* x */
1975 0xDB, 0x0F, 0x5F, 0x3C, 0x7F, 0x2C, 0xFF, 0xBD, 0x7A, 0x3E,
1976 0xB8, 0xB6, 0xFE, 0xC3, 0x5C, 0x7F, 0xD6, 0x7F, 0x26, 0xDD,
1977 0xF6, 0x28, 0x5A, 0x64, 0x4F, 0x74, 0x0A, 0x26, 0x14,
1978 0x00, 0xE1, 0x9F, 0xBE, 0xB7, 0x6E, 0x0D, 0xA1, 0x71, 0x51, /* y */
1979 0x7E, 0xCF, 0x40, 0x1B, 0x50, 0x28, 0x9B, 0xF0, 0x14, 0x10,
1980 0x32, 0x88, 0x52, 0x7A, 0x9B, 0x41, 0x6A, 0x10, 0x5E, 0x80,
1981 0x26, 0x0B, 0x54, 0x9F, 0xDC, 0x1B, 0x92, 0xC0, 0x3B,
1982 0x00, 0x00, 0x01, 0x01, 0xD5, 0x56, 0x57, 0x2A, 0xAB, 0xAC, /* order */
1983 0x80, 0x01, 0x01, 0xD5, 0x56, 0x57, 0x2A, 0xAB, 0xAC, 0x80,
1984 0x01, 0x02, 0x2D, 0x5C, 0x91, 0xDD, 0x17, 0x3F, 0x8F, 0xB5,
1985 0x61, 0xDA, 0x68, 0x99, 0x16, 0x44, 0x43, 0x05, 0x1D
1986 }
1987};
1988
1989static const struct {
1990 EC_CURVE_DATA h;
1991 unsigned char data[20 + 45 * 6];
1992}
1993 _EC_X9_62_CHAR2_359V1 = {
1994 {
1995 NID_X9_62_characteristic_two_field, 20, 45, 0x4C
1996 },
1997 {
1998 0x2B, 0x35, 0x49, 0x20, 0xB7, 0x24, 0xD6, 0x96, 0xE6, 0x76, /* seed */
1999 0x87, 0x56, 0x15, 0x17, 0x58, 0x5B, 0xA1, 0x33, 0x2D, 0xC6,
2000
2001 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2002 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2003 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2004 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
2005 0x00, 0x00, 0x00, 0x00, 0x01,
2006 0x56, 0x67, 0x67, 0x6A, 0x65, 0x4B, 0x20, 0x75, 0x4F, 0x35, /* a */
2007 0x6E, 0xA9, 0x20, 0x17, 0xD9, 0x46, 0x56, 0x7C, 0x46, 0x67,
2008 0x55, 0x56, 0xF1, 0x95, 0x56, 0xA0, 0x46, 0x16, 0xB5, 0x67,
2009 0xD2, 0x23, 0xA5, 0xE0, 0x56, 0x56, 0xFB, 0x54, 0x90, 0x16,
2010 0xA9, 0x66, 0x56, 0xA5, 0x57,
2011 0x24, 0x72, 0xE2, 0xD0, 0x19, 0x7C, 0x49, 0x36, 0x3F, 0x1F, /* b */
2012 0xE7, 0xF5, 0xB6, 0xDB, 0x07, 0x5D, 0x52, 0xB6, 0x94, 0x7D,
2013 0x13, 0x5D, 0x8C, 0xA4, 0x45, 0x80, 0x5D, 0x39, 0xBC, 0x34,
2014 0x56, 0x26, 0x08, 0x96, 0x87, 0x74, 0x2B, 0x63, 0x29, 0xE7,
2015 0x06, 0x80, 0x23, 0x19, 0x88,
2016 0x3C, 0x25, 0x8E, 0xF3, 0x04, 0x77, 0x67, 0xE7, 0xED, 0xE0, /* x */
2017 0xF1, 0xFD, 0xAA, 0x79, 0xDA, 0xEE, 0x38, 0x41, 0x36, 0x6A,
2018 0x13, 0x2E, 0x16, 0x3A, 0xCE, 0xD4, 0xED, 0x24, 0x01, 0xDF,
2019 0x9C, 0x6B, 0xDC, 0xDE, 0x98, 0xE8, 0xE7, 0x07, 0xC0, 0x7A,
2020 0x22, 0x39, 0xB1, 0xB0, 0x97,
2021 0x53, 0xD7, 0xE0, 0x85, 0x29, 0x54, 0x70, 0x48, 0x12, 0x1E, /* y */
2022 0x9C, 0x95, 0xF3, 0x79, 0x1D, 0xD8, 0x04, 0x96, 0x39, 0x48,
2023 0xF3, 0x4F, 0xAE, 0x7B, 0xF4, 0x4E, 0xA8, 0x23, 0x65, 0xDC,
2024 0x78, 0x68, 0xFE, 0x57, 0xE4, 0xAE, 0x2D, 0xE2, 0x11, 0x30,
2025 0x5A, 0x40, 0x71, 0x04, 0xBD,
2026 0x01, 0xAF, 0x28, 0x6B, 0xCA, 0x1A, 0xF2, 0x86, 0xBC, 0xA1, /* order */
2027 0xAF, 0x28, 0x6B, 0xCA, 0x1A, 0xF2, 0x86, 0xBC, 0xA1, 0xAF,
2028 0x28, 0x6B, 0xC9, 0xFB, 0x8F, 0x6B, 0x85, 0xC5, 0x56, 0x89,
2029 0x2C, 0x20, 0xA7, 0xEB, 0x96, 0x4F, 0xE7, 0x71, 0x9E, 0x74,
2030 0xF4, 0x90, 0x75, 0x8D, 0x3B
2031 }
2032};
2033
2034static const struct {
2035 EC_CURVE_DATA h;
2036 unsigned char data[0 + 47 * 6];
2037}
2038 _EC_X9_62_CHAR2_368W1 = {
2039 {
2040 NID_X9_62_characteristic_two_field, 0, 47, 0xFF70
2041 },
2042 { /* no seed */
2043 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2044 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2045 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2046 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
2047 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
2048 0x00, 0xE0, 0xD2, 0xEE, 0x25, 0x09, 0x52, 0x06, 0xF5, 0xE2, /* a */
2049 0xA4, 0xF9, 0xED, 0x22, 0x9F, 0x1F, 0x25, 0x6E, 0x79, 0xA0,
2050 0xE2, 0xB4, 0x55, 0x97, 0x0D, 0x8D, 0x0D, 0x86, 0x5B, 0xD9,
2051 0x47, 0x78, 0xC5, 0x76, 0xD6, 0x2F, 0x0A, 0xB7, 0x51, 0x9C,
2052 0xCD, 0x2A, 0x1A, 0x90, 0x6A, 0xE3, 0x0D,
2053 0x00, 0xFC, 0x12, 0x17, 0xD4, 0x32, 0x0A, 0x90, 0x45, 0x2C, /* b */
2054 0x76, 0x0A, 0x58, 0xED, 0xCD, 0x30, 0xC8, 0xDD, 0x06, 0x9B,
2055 0x3C, 0x34, 0x45, 0x38, 0x37, 0xA3, 0x4E, 0xD5, 0x0C, 0xB5,
2056 0x49, 0x17, 0xE1, 0xC2, 0x11, 0x2D, 0x84, 0xD1, 0x64, 0xF4,
2057 0x44, 0xF8, 0xF7, 0x47, 0x86, 0x04, 0x6A,
2058 0x00, 0x10, 0x85, 0xE2, 0x75, 0x53, 0x81, 0xDC, 0xCC, 0xE3, /* x */
2059 0xC1, 0x55, 0x7A, 0xFA, 0x10, 0xC2, 0xF0, 0xC0, 0xC2, 0x82,
2060 0x56, 0x46, 0xC5, 0xB3, 0x4A, 0x39, 0x4C, 0xBC, 0xFA, 0x8B,
2061 0xC1, 0x6B, 0x22, 0xE7, 0xE7, 0x89, 0xE9, 0x27, 0xBE, 0x21,
2062 0x6F, 0x02, 0xE1, 0xFB, 0x13, 0x6A, 0x5F,
2063 0x00, 0x7B, 0x3E, 0xB1, 0xBD, 0xDC, 0xBA, 0x62, 0xD5, 0xD8, /* y */
2064 0xB2, 0x05, 0x9B, 0x52, 0x57, 0x97, 0xFC, 0x73, 0x82, 0x2C,
2065 0x59, 0x05, 0x9C, 0x62, 0x3A, 0x45, 0xFF, 0x38, 0x43, 0xCE,
2066 0xE8, 0xF8, 0x7C, 0xD1, 0x85, 0x5A, 0xDA, 0xA8, 0x1E, 0x2A,
2067 0x07, 0x50, 0xB8, 0x0F, 0xDA, 0x23, 0x10,
2068 0x00, 0x00, 0x01, 0x00, 0x90, 0x51, 0x2D, 0xA9, 0xAF, 0x72, /* order */
2069 0xB0, 0x83, 0x49, 0xD9, 0x8A, 0x5D, 0xD4, 0xC7, 0xB0, 0x53,
2070 0x2E, 0xCA, 0x51, 0xCE, 0x03, 0xE2, 0xD1, 0x0F, 0x3B, 0x7A,
2071 0xC5, 0x79, 0xBD, 0x87, 0xE9, 0x09, 0xAE, 0x40, 0xA6, 0xF1,
2072 0x31, 0xE9, 0xCF, 0xCE, 0x5B, 0xD9, 0x67
2073 }
2074};
2075
2076static const struct {
2077 EC_CURVE_DATA h;
2078 unsigned char data[0 + 54 * 6];
2079}
2080 _EC_X9_62_CHAR2_431R1 = {
2081 {
2082 NID_X9_62_characteristic_two_field, 0, 54, 0x2760
2083 },
2084 { /* no seed */
2085 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2086 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2087 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2088 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2089 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2090 0x00, 0x00, 0x00, 0x01,
2091 0x1A, 0x82, 0x7E, 0xF0, 0x0D, 0xD6, 0xFC, 0x0E, 0x23, 0x4C, /* a */
2092 0xAF, 0x04, 0x6C, 0x6A, 0x5D, 0x8A, 0x85, 0x39, 0x5B, 0x23,
2093 0x6C, 0xC4, 0xAD, 0x2C, 0xF3, 0x2A, 0x0C, 0xAD, 0xBD, 0xC9,
2094 0xDD, 0xF6, 0x20, 0xB0, 0xEB, 0x99, 0x06, 0xD0, 0x95, 0x7F,
2095 0x6C, 0x6F, 0xEA, 0xCD, 0x61, 0x54, 0x68, 0xDF, 0x10, 0x4D,
2096 0xE2, 0x96, 0xCD, 0x8F,
2097 0x10, 0xD9, 0xB4, 0xA3, 0xD9, 0x04, 0x7D, 0x8B, 0x15, 0x43, /* b */
2098 0x59, 0xAB, 0xFB, 0x1B, 0x7F, 0x54, 0x85, 0xB0, 0x4C, 0xEB,
2099 0x86, 0x82, 0x37, 0xDD, 0xC9, 0xDE, 0xDA, 0x98, 0x2A, 0x67,
2100 0x9A, 0x5A, 0x91, 0x9B, 0x62, 0x6D, 0x4E, 0x50, 0xA8, 0xDD,
2101 0x73, 0x1B, 0x10, 0x7A, 0x99, 0x62, 0x38, 0x1F, 0xB5, 0xD8,
2102 0x07, 0xBF, 0x26, 0x18,
2103 0x12, 0x0F, 0xC0, 0x5D, 0x3C, 0x67, 0xA9, 0x9D, 0xE1, 0x61, /* x */
2104 0xD2, 0xF4, 0x09, 0x26, 0x22, 0xFE, 0xCA, 0x70, 0x1B, 0xE4,
2105 0xF5, 0x0F, 0x47, 0x58, 0x71, 0x4E, 0x8A, 0x87, 0xBB, 0xF2,
2106 0xA6, 0x58, 0xEF, 0x8C, 0x21, 0xE7, 0xC5, 0xEF, 0xE9, 0x65,
2107 0x36, 0x1F, 0x6C, 0x29, 0x99, 0xC0, 0xC2, 0x47, 0xB0, 0xDB,
2108 0xD7, 0x0C, 0xE6, 0xB7,
2109 0x20, 0xD0, 0xAF, 0x89, 0x03, 0xA9, 0x6F, 0x8D, 0x5F, 0xA2, /* y */
2110 0xC2, 0x55, 0x74, 0x5D, 0x3C, 0x45, 0x1B, 0x30, 0x2C, 0x93,
2111 0x46, 0xD9, 0xB7, 0xE4, 0x85, 0xE7, 0xBC, 0xE4, 0x1F, 0x6B,
2112 0x59, 0x1F, 0x3E, 0x8F, 0x6A, 0xDD, 0xCB, 0xB0, 0xBC, 0x4C,
2113 0x2F, 0x94, 0x7A, 0x7D, 0xE1, 0xA8, 0x9B, 0x62, 0x5D, 0x6A,
2114 0x59, 0x8B, 0x37, 0x60,
2115 0x00, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, /* order */
2116 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03,
2117 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x23,
2118 0xC3, 0x13, 0xFA, 0xB5, 0x05, 0x89, 0x70, 0x3B, 0x5E, 0xC6,
2119 0x8D, 0x35, 0x87, 0xFE, 0xC6, 0x0D, 0x16, 0x1C, 0xC1, 0x49,
2120 0xC1, 0xAD, 0x4A, 0x91
2121 }
2122};
2123
2124static const struct {
2125 EC_CURVE_DATA h;
2126 unsigned char data[0 + 15 * 6];
2127}
2128 _EC_WTLS_1 = {
2129 {
2130 NID_X9_62_characteristic_two_field, 0, 15, 2
2131 },
2132 { /* no seed */
2133 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2134 0x00, 0x00, 0x00, 0x02, 0x01,
2135 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
2136 0x00, 0x00, 0x00, 0x00, 0x01,
2137 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
2138 0x00, 0x00, 0x00, 0x00, 0x01,
2139 0x01, 0x66, 0x79, 0x79, 0xA4, 0x0B, 0xA4, 0x97, 0xE5, 0xD5, /* x */
2140 0xC2, 0x70, 0x78, 0x06, 0x17,
2141 0x00, 0xF4, 0x4B, 0x4A, 0xF1, 0xEC, 0xC2, 0x63, 0x0E, 0x08, /* y */
2142 0x78, 0x5C, 0xEB, 0xCC, 0x15,
2143 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFD, 0xBF, /* order */
2144 0x91, 0xAF, 0x6D, 0xEA, 0x73
2145 }
2146};
1764 2147
1765/* IPSec curves */ 2148/* IPSec curves */
1766/* NOTE: The of curves over a extension field of non prime degree 2149/* NOTE: The of curves over a extension field of non prime degree
@@ -1768,57 +2151,69 @@ static const struct { EC_CURVE_DATA h; unsigned char data[0+15*6]; }
1768 * As the group order is not a prime this curve is not suitable 2151 * As the group order is not a prime this curve is not suitable
1769 * for ECDSA. 2152 * for ECDSA.
1770 */ 2153 */
1771static const struct { EC_CURVE_DATA h; unsigned char data[0+20*6]; } 2154static const struct {
1772 _EC_IPSEC_155_ID3 = { 2155 EC_CURVE_DATA h;
1773 { NID_X9_62_characteristic_two_field,0,20,3 }, 2156 unsigned char data[0 + 20 * 6];
1774 { /* no seed */ 2157}
1775 0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 2158 _EC_IPSEC_155_ID3 = {
1776 0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x01, 2159 {
2160 NID_X9_62_characteristic_two_field, 0, 20, 3
2161 },
2162 { /* no seed */
2163 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
2164 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1777 2165
1778 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 2166 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1779 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 2167 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1780 2168
1781 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 2169 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1782 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x07,0x33,0x8f, 2170 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x33, 0x8f,
1783 2171
1784 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* x */ 2172 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */
1785 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x7b, 2173 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b,
1786 2174
1787 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* y */ 2175 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* y */
1788 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0xc8, 2176 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc8,
1789 2177
1790 0x02,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA, /* order */ 2178 0x02, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, /* order */
1791 0xC7,0xF3,0xC7,0x88,0x1B,0xD0,0x86,0x8F,0xA8,0x6C } 2179 0xC7, 0xF3, 0xC7, 0x88, 0x1B, 0xD0, 0x86, 0x8F, 0xA8, 0x6C
1792 }; 2180 }
2181};
1793 2182
1794/* NOTE: The of curves over a extension field of non prime degree 2183/* NOTE: The of curves over a extension field of non prime degree
1795 * is not recommended (Weil-descent). 2184 * is not recommended (Weil-descent).
1796 * As the group order is not a prime this curve is not suitable 2185 * As the group order is not a prime this curve is not suitable
1797 * for ECDSA. 2186 * for ECDSA.
1798 */ 2187 */
1799static const struct { EC_CURVE_DATA h; unsigned char data[0+24*6]; } 2188static const struct {
1800 _EC_IPSEC_185_ID4 = { 2189 EC_CURVE_DATA h;
1801 { NID_X9_62_characteristic_two_field,0,24,2 }, 2190 unsigned char data[0 + 24 * 6];
1802 { /* no seed */ 2191}
1803 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* p */ 2192 _EC_IPSEC_185_ID4 = {
1804 0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x00, 2193 {
1805 0x00,0x00,0x00,0x01, 2194 NID_X9_62_characteristic_two_field, 0, 24, 2
1806 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */ 2195 },
1807 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 2196 { /* no seed */
1808 0x00,0x00,0x00,0x00, 2197 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
1809 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */ 2198 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
1810 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 2199 0x00, 0x00, 0x00, 0x01,
1811 0x00,0x00,0x1e,0xe9, 2200 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
1812 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* x */ 2201 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1813 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 2202 0x00, 0x00, 0x00, 0x00,
1814 0x00,0x00,0x00,0x18, 2203 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
1815 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* y */ 2204 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1816 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 2205 0x00, 0x00, 0x1e, 0xe9,
1817 0x00,0x00,0x00,0x0d, 2206 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */
1818 0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */ 2207 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1819 0xFF,0xFF,0xED,0xF9,0x7C,0x44,0xDB,0x9F,0x24,0x20, 2208 0x00, 0x00, 0x00, 0x18,
1820 0xBA,0xFC,0xA7,0x5E } 2209 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* y */
1821 }; 2210 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2211 0x00, 0x00, 0x00, 0x0d,
2212 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
2213 0xFF, 0xFF, 0xED, 0xF9, 0x7C, 0x44, 0xDB, 0x9F, 0x24, 0x20,
2214 0xBA, 0xFC, 0xA7, 0x5E
2215 }
2216};
1822 2217
1823#endif 2218#endif
1824 2219
@@ -1830,687 +2225,761 @@ static const struct { EC_CURVE_DATA h; unsigned char data[0+24*6]; }
1830 * those defined in ANSI X9.62. 2225 * those defined in ANSI X9.62.
1831 */ 2226 */
1832 2227
1833static const struct { EC_CURVE_DATA h; unsigned char data[0+20*6]; } 2228static const struct {
1834 _EC_brainpoolP160r1 = { 2229 EC_CURVE_DATA h;
1835 { NID_X9_62_prime_field, 0,20,1 }, 2230 unsigned char data[0 + 20 * 6];
1836 { /* no seed */ 2231}
1837 0xE9,0x5E,0x4A,0x5F,0x73,0x70,0x59,0xDC,0x60,0xDF, /* p */ 2232 _EC_brainpoolP160r1 = {
1838 0xC7,0xAD,0x95,0xB3,0xD8,0x13,0x95,0x15,0x62,0x0F, 2233 {
1839 0x34,0x0E,0x7B,0xE2,0xA2,0x80,0xEB,0x74,0xE2,0xBE, /* a */ 2234 NID_X9_62_prime_field, 0, 20, 1
1840 0x61,0xBA,0xDA,0x74,0x5D,0x97,0xE8,0xF7,0xC3,0x00, 2235 },
1841 0x1E,0x58,0x9A,0x85,0x95,0x42,0x34,0x12,0x13,0x4F, /* b */ 2236 { /* no seed */
1842 0xAA,0x2D,0xBD,0xEC,0x95,0xC8,0xD8,0x67,0x5E,0x58, 2237 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, /* p */
1843 0xBE,0xD5,0xAF,0x16,0xEA,0x3F,0x6A,0x4F,0x62,0x93, /* x */ 2238 0xC7, 0xAD, 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F,
1844 0x8C,0x46,0x31,0xEB,0x5A,0xF7,0xBD,0xBC,0xDB,0xC3, 2239 0x34, 0x0E, 0x7B, 0xE2, 0xA2, 0x80, 0xEB, 0x74, 0xE2, 0xBE, /* a */
1845 0x16,0x67,0xCB,0x47,0x7A,0x1A,0x8E,0xC3,0x38,0xF9, /* y */ 2240 0x61, 0xBA, 0xDA, 0x74, 0x5D, 0x97, 0xE8, 0xF7, 0xC3, 0x00,
1846 0x47,0x41,0x66,0x9C,0x97,0x63,0x16,0xDA,0x63,0x21, 2241 0x1E, 0x58, 0x9A, 0x85, 0x95, 0x42, 0x34, 0x12, 0x13, 0x4F, /* b */
1847 0xE9,0x5E,0x4A,0x5F,0x73,0x70,0x59,0xDC,0x60,0xDF, /* order */ 2242 0xAA, 0x2D, 0xBD, 0xEC, 0x95, 0xC8, 0xD8, 0x67, 0x5E, 0x58,
1848 0x59,0x91,0xD4,0x50,0x29,0x40,0x9E,0x60,0xFC,0x09 } 2243 0xBE, 0xD5, 0xAF, 0x16, 0xEA, 0x3F, 0x6A, 0x4F, 0x62, 0x93, /* x */
1849 }; 2244 0x8C, 0x46, 0x31, 0xEB, 0x5A, 0xF7, 0xBD, 0xBC, 0xDB, 0xC3,
1850 2245 0x16, 0x67, 0xCB, 0x47, 0x7A, 0x1A, 0x8E, 0xC3, 0x38, 0xF9, /* y */
1851static const struct { EC_CURVE_DATA h; unsigned char data[0+20*6]; } 2246 0x47, 0x41, 0x66, 0x9C, 0x97, 0x63, 0x16, 0xDA, 0x63, 0x21,
1852 _EC_brainpoolP160t1 = { 2247 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, /* order */
1853 { NID_X9_62_prime_field, 0,20,1 }, 2248 0x59, 0x91, 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09
1854 { /* no seed */ 2249 }
1855 0xE9,0x5E,0x4A,0x5F,0x73,0x70,0x59,0xDC,0x60,0xDF, /* p */ 2250};
1856 0xC7,0xAD,0x95,0xB3,0xD8,0x13,0x95,0x15,0x62,0x0F, 2251
1857 0xE9,0x5E,0x4A,0x5F,0x73,0x70,0x59,0xDC,0x60,0xDF, /* a */ 2252static const struct {
1858 0xC7,0xAD,0x95,0xB3,0xD8,0x13,0x95,0x15,0x62,0x0C, 2253 EC_CURVE_DATA h;
1859 0x7A,0x55,0x6B,0x6D,0xAE,0x53,0x5B,0x7B,0x51,0xED, /* b */ 2254 unsigned char data[0 + 20 * 6];
1860 0x2C,0x4D,0x7D,0xAA,0x7A,0x0B,0x5C,0x55,0xF3,0x80, 2255}
1861 0xB1,0x99,0xB1,0x3B,0x9B,0x34,0xEF,0xC1,0x39,0x7E, /* x */ 2256 _EC_brainpoolP160t1 = {
1862 0x64,0xBA,0xEB,0x05,0xAC,0xC2,0x65,0xFF,0x23,0x78, 2257 {
1863 0xAD,0xD6,0x71,0x8B,0x7C,0x7C,0x19,0x61,0xF0,0x99, /* y */ 2258 NID_X9_62_prime_field, 0, 20, 1
1864 0x1B,0x84,0x24,0x43,0x77,0x21,0x52,0xC9,0xE0,0xAD, 2259 },
1865 0xE9,0x5E,0x4A,0x5F,0x73,0x70,0x59,0xDC,0x60,0xDF, /* order */ 2260 { /* no seed */
1866 0x59,0x91,0xD4,0x50,0x29,0x40,0x9E,0x60,0xFC,0x09 } 2261 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, /* p */
1867 }; 2262 0xC7, 0xAD, 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F,
1868 2263 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, /* a */
1869static const struct { EC_CURVE_DATA h; unsigned char data[0+24*6]; } 2264 0xC7, 0xAD, 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0C,
1870 _EC_brainpoolP192r1 = { 2265 0x7A, 0x55, 0x6B, 0x6D, 0xAE, 0x53, 0x5B, 0x7B, 0x51, 0xED, /* b */
1871 { NID_X9_62_prime_field, 0,24,1 }, 2266 0x2C, 0x4D, 0x7D, 0xAA, 0x7A, 0x0B, 0x5C, 0x55, 0xF3, 0x80,
1872 { /* no seed */ 2267 0xB1, 0x99, 0xB1, 0x3B, 0x9B, 0x34, 0xEF, 0xC1, 0x39, 0x7E, /* x */
1873 0xC3,0x02,0xF4,0x1D,0x93,0x2A,0x36,0xCD,0xA7,0xA3, /* p */ 2268 0x64, 0xBA, 0xEB, 0x05, 0xAC, 0xC2, 0x65, 0xFF, 0x23, 0x78,
1874 0x46,0x30,0x93,0xD1,0x8D,0xB7,0x8F,0xCE,0x47,0x6D, 2269 0xAD, 0xD6, 0x71, 0x8B, 0x7C, 0x7C, 0x19, 0x61, 0xF0, 0x99, /* y */
1875 0xE1,0xA8,0x62,0x97, 2270 0x1B, 0x84, 0x24, 0x43, 0x77, 0x21, 0x52, 0xC9, 0xE0, 0xAD,
1876 0x6A,0x91,0x17,0x40,0x76,0xB1,0xE0,0xE1,0x9C,0x39, /* a */ 2271 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, /* order */
1877 0xC0,0x31,0xFE,0x86,0x85,0xC1,0xCA,0xE0,0x40,0xE5, 2272 0x59, 0x91, 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09
1878 0xC6,0x9A,0x28,0xEF, 2273 }
1879 0x46,0x9A,0x28,0xEF,0x7C,0x28,0xCC,0xA3,0xDC,0x72, /* b */ 2274};
1880 0x1D,0x04,0x4F,0x44,0x96,0xBC,0xCA,0x7E,0xF4,0x14, 2275
1881 0x6F,0xBF,0x25,0xC9, 2276static const struct {
1882 0xC0,0xA0,0x64,0x7E,0xAA,0xB6,0xA4,0x87,0x53,0xB0, /* x */ 2277 EC_CURVE_DATA h;
1883 0x33,0xC5,0x6C,0xB0,0xF0,0x90,0x0A,0x2F,0x5C,0x48, 2278 unsigned char data[0 + 24 * 6];
1884 0x53,0x37,0x5F,0xD6, 2279}
1885 0x14,0xB6,0x90,0x86,0x6A,0xBD,0x5B,0xB8,0x8B,0x5F, /* y */ 2280 _EC_brainpoolP192r1 = {
1886 0x48,0x28,0xC1,0x49,0x00,0x02,0xE6,0x77,0x3F,0xA2, 2281 {
1887 0xFA,0x29,0x9B,0x8F, 2282 NID_X9_62_prime_field, 0, 24, 1
1888 0xC3,0x02,0xF4,0x1D,0x93,0x2A,0x36,0xCD,0xA7,0xA3, /* order */ 2283 },
1889 0x46,0x2F,0x9E,0x9E,0x91,0x6B,0x5B,0xE8,0xF1,0x02, 2284 { /* no seed */
1890 0x9A,0xC4,0xAC,0xC1 } 2285 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, /* p */
1891 }; 2286 0x46, 0x30, 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D,
1892 2287 0xE1, 0xA8, 0x62, 0x97,
1893static const struct { EC_CURVE_DATA h; unsigned char data[0+24*6]; } 2288 0x6A, 0x91, 0x17, 0x40, 0x76, 0xB1, 0xE0, 0xE1, 0x9C, 0x39, /* a */
1894 _EC_brainpoolP192t1 = { 2289 0xC0, 0x31, 0xFE, 0x86, 0x85, 0xC1, 0xCA, 0xE0, 0x40, 0xE5,
1895 { NID_X9_62_prime_field, 0,24,1 }, 2290 0xC6, 0x9A, 0x28, 0xEF,
1896 { /* no seed */ 2291 0x46, 0x9A, 0x28, 0xEF, 0x7C, 0x28, 0xCC, 0xA3, 0xDC, 0x72, /* b */
1897 0xC3,0x02,0xF4,0x1D,0x93,0x2A,0x36,0xCD,0xA7,0xA3, /* p */ 2292 0x1D, 0x04, 0x4F, 0x44, 0x96, 0xBC, 0xCA, 0x7E, 0xF4, 0x14,
1898 0x46,0x30,0x93,0xD1,0x8D,0xB7,0x8F,0xCE,0x47,0x6D, 2293 0x6F, 0xBF, 0x25, 0xC9,
1899 0xE1,0xA8,0x62,0x97, 2294 0xC0, 0xA0, 0x64, 0x7E, 0xAA, 0xB6, 0xA4, 0x87, 0x53, 0xB0, /* x */
1900 0xC3,0x02,0xF4,0x1D,0x93,0x2A,0x36,0xCD,0xA7,0xA3, /* a */ 2295 0x33, 0xC5, 0x6C, 0xB0, 0xF0, 0x90, 0x0A, 0x2F, 0x5C, 0x48,
1901 0x46,0x30,0x93,0xD1,0x8D,0xB7,0x8F,0xCE,0x47,0x6D, 2296 0x53, 0x37, 0x5F, 0xD6,
1902 0xE1,0xA8,0x62,0x94, 2297 0x14, 0xB6, 0x90, 0x86, 0x6A, 0xBD, 0x5B, 0xB8, 0x8B, 0x5F, /* y */
1903 0x13,0xD5,0x6F,0xFA,0xEC,0x78,0x68,0x1E,0x68,0xF9, /* b */ 2298 0x48, 0x28, 0xC1, 0x49, 0x00, 0x02, 0xE6, 0x77, 0x3F, 0xA2,
1904 0xDE,0xB4,0x3B,0x35,0xBE,0xC2,0xFB,0x68,0x54,0x2E, 2299 0xFA, 0x29, 0x9B, 0x8F,
1905 0x27,0x89,0x7B,0x79, 2300 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, /* order */
1906 0x3A,0xE9,0xE5,0x8C,0x82,0xF6,0x3C,0x30,0x28,0x2E, /* x */ 2301 0x46, 0x2F, 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02,
1907 0x1F,0xE7,0xBB,0xF4,0x3F,0xA7,0x2C,0x44,0x6A,0xF6, 2302 0x9A, 0xC4, 0xAC, 0xC1
1908 0xF4,0x61,0x81,0x29, 2303 }
1909 0x09,0x7E,0x2C,0x56,0x67,0xC2,0x22,0x3A,0x90,0x2A, /* y */ 2304};
1910 0xB5,0xCA,0x44,0x9D,0x00,0x84,0xB7,0xE5,0xB3,0xDE, 2305
1911 0x7C,0xCC,0x01,0xC9, 2306static const struct {
1912 0xC3,0x02,0xF4,0x1D,0x93,0x2A,0x36,0xCD,0xA7,0xA3, /* order */ 2307 EC_CURVE_DATA h;
1913 0x46,0x2F,0x9E,0x9E,0x91,0x6B,0x5B,0xE8,0xF1,0x02, 2308 unsigned char data[0 + 24 * 6];
1914 0x9A,0xC4,0xAC,0xC1 } 2309}
1915 }; 2310 _EC_brainpoolP192t1 = {
1916 2311 {
1917static const struct { EC_CURVE_DATA h; unsigned char data[0+28*6]; } 2312 NID_X9_62_prime_field, 0, 24, 1
1918 _EC_brainpoolP224r1 = { 2313 },
1919 { NID_X9_62_prime_field, 0,28,1 }, 2314 { /* no seed */
1920 { /* no seed */ 2315 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, /* p */
1921 0xD7,0xC1,0x34,0xAA,0x26,0x43,0x66,0x86,0x2A,0x18, /* p */ 2316 0x46, 0x30, 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D,
1922 0x30,0x25,0x75,0xD1,0xD7,0x87,0xB0,0x9F,0x07,0x57, 2317 0xE1, 0xA8, 0x62, 0x97,
1923 0x97,0xDA,0x89,0xF5,0x7E,0xC8,0xC0,0xFF, 2318 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, /* a */
1924 0x68,0xA5,0xE6,0x2C,0xA9,0xCE,0x6C,0x1C,0x29,0x98, /* a */ 2319 0x46, 0x30, 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D,
1925 0x03,0xA6,0xC1,0x53,0x0B,0x51,0x4E,0x18,0x2A,0xD8, 2320 0xE1, 0xA8, 0x62, 0x94,
1926 0xB0,0x04,0x2A,0x59,0xCA,0xD2,0x9F,0x43, 2321 0x13, 0xD5, 0x6F, 0xFA, 0xEC, 0x78, 0x68, 0x1E, 0x68, 0xF9, /* b */
1927 0x25,0x80,0xF6,0x3C,0xCF,0xE4,0x41,0x38,0x87,0x07, /* b */ 2322 0xDE, 0xB4, 0x3B, 0x35, 0xBE, 0xC2, 0xFB, 0x68, 0x54, 0x2E,
1928 0x13,0xB1,0xA9,0x23,0x69,0xE3,0x3E,0x21,0x35,0xD2, 2323 0x27, 0x89, 0x7B, 0x79,
1929 0x66,0xDB,0xB3,0x72,0x38,0x6C,0x40,0x0B, 2324 0x3A, 0xE9, 0xE5, 0x8C, 0x82, 0xF6, 0x3C, 0x30, 0x28, 0x2E, /* x */
1930 0x0D,0x90,0x29,0xAD,0x2C,0x7E,0x5C,0xF4,0x34,0x08, /* x */ 2325 0x1F, 0xE7, 0xBB, 0xF4, 0x3F, 0xA7, 0x2C, 0x44, 0x6A, 0xF6,
1931 0x23,0xB2,0xA8,0x7D,0xC6,0x8C,0x9E,0x4C,0xE3,0x17, 2326 0xF4, 0x61, 0x81, 0x29,
1932 0x4C,0x1E,0x6E,0xFD,0xEE,0x12,0xC0,0x7D, 2327 0x09, 0x7E, 0x2C, 0x56, 0x67, 0xC2, 0x22, 0x3A, 0x90, 0x2A, /* y */
1933 0x58,0xAA,0x56,0xF7,0x72,0xC0,0x72,0x6F,0x24,0xC6, /* y */ 2328 0xB5, 0xCA, 0x44, 0x9D, 0x00, 0x84, 0xB7, 0xE5, 0xB3, 0xDE,
1934 0xB8,0x9E,0x4E,0xCD,0xAC,0x24,0x35,0x4B,0x9E,0x99, 2329 0x7C, 0xCC, 0x01, 0xC9,
1935 0xCA,0xA3,0xF6,0xD3,0x76,0x14,0x02,0xCD, 2330 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, /* order */
1936 0xD7,0xC1,0x34,0xAA,0x26,0x43,0x66,0x86,0x2A,0x18, /* order */ 2331 0x46, 0x2F, 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02,
1937 0x30,0x25,0x75,0xD0,0xFB,0x98,0xD1,0x16,0xBC,0x4B, 2332 0x9A, 0xC4, 0xAC, 0xC1
1938 0x6D,0xDE,0xBC,0xA3,0xA5,0xA7,0x93,0x9F } 2333 }
1939 }; 2334};
1940 2335
1941static const struct { EC_CURVE_DATA h; unsigned char data[0+28*6]; } 2336static const struct {
1942 _EC_brainpoolP224t1 = { 2337 EC_CURVE_DATA h;
1943 { NID_X9_62_prime_field, 0,28,1 }, 2338 unsigned char data[0 + 28 * 6];
1944 { /* no seed */ 2339}
1945 0xD7,0xC1,0x34,0xAA,0x26,0x43,0x66,0x86,0x2A,0x18, /* p */ 2340 _EC_brainpoolP224r1 = {
1946 0x30,0x25,0x75,0xD1,0xD7,0x87,0xB0,0x9F,0x07,0x57, 2341 {
1947 0x97,0xDA,0x89,0xF5,0x7E,0xC8,0xC0,0xFF, 2342 NID_X9_62_prime_field, 0, 28, 1
1948 0xD7,0xC1,0x34,0xAA,0x26,0x43,0x66,0x86,0x2A,0x18, /* a */ 2343 },
1949 0x30,0x25,0x75,0xD1,0xD7,0x87,0xB0,0x9F,0x07,0x57, 2344 { /* no seed */
1950 0x97,0xDA,0x89,0xF5,0x7E,0xC8,0xC0,0xFC, 2345 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, /* p */
1951 0x4B,0x33,0x7D,0x93,0x41,0x04,0xCD,0x7B,0xEF,0x27, /* b */ 2346 0x30, 0x25, 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57,
1952 0x1B,0xF6,0x0C,0xED,0x1E,0xD2,0x0D,0xA1,0x4C,0x08, 2347 0x97, 0xDA, 0x89, 0xF5, 0x7E, 0xC8, 0xC0, 0xFF,
1953 0xB3,0xBB,0x64,0xF1,0x8A,0x60,0x88,0x8D, 2348 0x68, 0xA5, 0xE6, 0x2C, 0xA9, 0xCE, 0x6C, 0x1C, 0x29, 0x98, /* a */
1954 0x6A,0xB1,0xE3,0x44,0xCE,0x25,0xFF,0x38,0x96,0x42, /* x */ 2349 0x03, 0xA6, 0xC1, 0x53, 0x0B, 0x51, 0x4E, 0x18, 0x2A, 0xD8,
1955 0x4E,0x7F,0xFE,0x14,0x76,0x2E,0xCB,0x49,0xF8,0x92, 2350 0xB0, 0x04, 0x2A, 0x59, 0xCA, 0xD2, 0x9F, 0x43,
1956 0x8A,0xC0,0xC7,0x60,0x29,0xB4,0xD5,0x80, 2351 0x25, 0x80, 0xF6, 0x3C, 0xCF, 0xE4, 0x41, 0x38, 0x87, 0x07, /* b */
1957 0x03,0x74,0xE9,0xF5,0x14,0x3E,0x56,0x8C,0xD2,0x3F, /* y */ 2352 0x13, 0xB1, 0xA9, 0x23, 0x69, 0xE3, 0x3E, 0x21, 0x35, 0xD2,
1958 0x3F,0x4D,0x7C,0x0D,0x4B,0x1E,0x41,0xC8,0xCC,0x0D, 2353 0x66, 0xDB, 0xB3, 0x72, 0x38, 0x6C, 0x40, 0x0B,
1959 0x1C,0x6A,0xBD,0x5F,0x1A,0x46,0xDB,0x4C, 2354 0x0D, 0x90, 0x29, 0xAD, 0x2C, 0x7E, 0x5C, 0xF4, 0x34, 0x08, /* x */
1960 0xD7,0xC1,0x34,0xAA,0x26,0x43,0x66,0x86,0x2A,0x18, /* order */ 2355 0x23, 0xB2, 0xA8, 0x7D, 0xC6, 0x8C, 0x9E, 0x4C, 0xE3, 0x17,
1961 0x30,0x25,0x75,0xD0,0xFB,0x98,0xD1,0x16,0xBC,0x4B, 2356 0x4C, 0x1E, 0x6E, 0xFD, 0xEE, 0x12, 0xC0, 0x7D,
1962 0x6D,0xDE,0xBC,0xA3,0xA5,0xA7,0x93,0x9F } 2357 0x58, 0xAA, 0x56, 0xF7, 0x72, 0xC0, 0x72, 0x6F, 0x24, 0xC6, /* y */
1963 }; 2358 0xB8, 0x9E, 0x4E, 0xCD, 0xAC, 0x24, 0x35, 0x4B, 0x9E, 0x99,
1964 2359 0xCA, 0xA3, 0xF6, 0xD3, 0x76, 0x14, 0x02, 0xCD,
1965static const struct { EC_CURVE_DATA h; unsigned char data[0+32*6]; } 2360 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, /* order */
1966 _EC_brainpoolP256r1 = { 2361 0x30, 0x25, 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B,
1967 { NID_X9_62_prime_field, 0,32,1 }, 2362 0x6D, 0xDE, 0xBC, 0xA3, 0xA5, 0xA7, 0x93, 0x9F
1968 { /* no seed */ 2363 }
1969 0xA9,0xFB,0x57,0xDB,0xA1,0xEE,0xA9,0xBC,0x3E,0x66, /* p */ 2364};
1970 0x0A,0x90,0x9D,0x83,0x8D,0x72,0x6E,0x3B,0xF6,0x23, 2365
1971 0xD5,0x26,0x20,0x28,0x20,0x13,0x48,0x1D,0x1F,0x6E, 2366static const struct {
1972 0x53,0x77, 2367 EC_CURVE_DATA h;
1973 0x7D,0x5A,0x09,0x75,0xFC,0x2C,0x30,0x57,0xEE,0xF6, /* a */ 2368 unsigned char data[0 + 28 * 6];
1974 0x75,0x30,0x41,0x7A,0xFF,0xE7,0xFB,0x80,0x55,0xC1, 2369}
1975 0x26,0xDC,0x5C,0x6C,0xE9,0x4A,0x4B,0x44,0xF3,0x30, 2370 _EC_brainpoolP224t1 = {
1976 0xB5,0xD9, 2371 {
1977 0x26,0xDC,0x5C,0x6C,0xE9,0x4A,0x4B,0x44,0xF3,0x30, /* b */ 2372 NID_X9_62_prime_field, 0, 28, 1
1978 0xB5,0xD9,0xBB,0xD7,0x7C,0xBF,0x95,0x84,0x16,0x29, 2373 },
1979 0x5C,0xF7,0xE1,0xCE,0x6B,0xCC,0xDC,0x18,0xFF,0x8C, 2374 { /* no seed */
1980 0x07,0xB6, 2375 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, /* p */
1981 0x8B,0xD2,0xAE,0xB9,0xCB,0x7E,0x57,0xCB,0x2C,0x4B, /* x */ 2376 0x30, 0x25, 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57,
1982 0x48,0x2F,0xFC,0x81,0xB7,0xAF,0xB9,0xDE,0x27,0xE1, 2377 0x97, 0xDA, 0x89, 0xF5, 0x7E, 0xC8, 0xC0, 0xFF,
1983 0xE3,0xBD,0x23,0xC2,0x3A,0x44,0x53,0xBD,0x9A,0xCE, 2378 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, /* a */
1984 0x32,0x62, 2379 0x30, 0x25, 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57,
1985 0x54,0x7E,0xF8,0x35,0xC3,0xDA,0xC4,0xFD,0x97,0xF8, /* y */ 2380 0x97, 0xDA, 0x89, 0xF5, 0x7E, 0xC8, 0xC0, 0xFC,
1986 0x46,0x1A,0x14,0x61,0x1D,0xC9,0xC2,0x77,0x45,0x13, 2381 0x4B, 0x33, 0x7D, 0x93, 0x41, 0x04, 0xCD, 0x7B, 0xEF, 0x27, /* b */
1987 0x2D,0xED,0x8E,0x54,0x5C,0x1D,0x54,0xC7,0x2F,0x04, 2382 0x1B, 0xF6, 0x0C, 0xED, 0x1E, 0xD2, 0x0D, 0xA1, 0x4C, 0x08,
1988 0x69,0x97, 2383 0xB3, 0xBB, 0x64, 0xF1, 0x8A, 0x60, 0x88, 0x8D,
1989 0xA9,0xFB,0x57,0xDB,0xA1,0xEE,0xA9,0xBC,0x3E,0x66, /* order */ 2384 0x6A, 0xB1, 0xE3, 0x44, 0xCE, 0x25, 0xFF, 0x38, 0x96, 0x42, /* x */
1990 0x0A,0x90,0x9D,0x83,0x8D,0x71,0x8C,0x39,0x7A,0xA3, 2385 0x4E, 0x7F, 0xFE, 0x14, 0x76, 0x2E, 0xCB, 0x49, 0xF8, 0x92,
1991 0xB5,0x61,0xA6,0xF7,0x90,0x1E,0x0E,0x82,0x97,0x48, 2386 0x8A, 0xC0, 0xC7, 0x60, 0x29, 0xB4, 0xD5, 0x80,
1992 0x56,0xA7 } 2387 0x03, 0x74, 0xE9, 0xF5, 0x14, 0x3E, 0x56, 0x8C, 0xD2, 0x3F, /* y */
1993 }; 2388 0x3F, 0x4D, 0x7C, 0x0D, 0x4B, 0x1E, 0x41, 0xC8, 0xCC, 0x0D,
1994 2389 0x1C, 0x6A, 0xBD, 0x5F, 0x1A, 0x46, 0xDB, 0x4C,
1995static const struct { EC_CURVE_DATA h; unsigned char data[0+32*6]; } 2390 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, /* order */
1996 _EC_brainpoolP256t1 = { 2391 0x30, 0x25, 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B,
1997 { NID_X9_62_prime_field, 0,32,1 }, 2392 0x6D, 0xDE, 0xBC, 0xA3, 0xA5, 0xA7, 0x93, 0x9F
1998 { /* no seed */ 2393 }
1999 0xA9,0xFB,0x57,0xDB,0xA1,0xEE,0xA9,0xBC,0x3E,0x66, /* p */ 2394};
2000 0x0A,0x90,0x9D,0x83,0x8D,0x72,0x6E,0x3B,0xF6,0x23, 2395
2001 0xD5,0x26,0x20,0x28,0x20,0x13,0x48,0x1D,0x1F,0x6E, 2396static const struct {
2002 0x53,0x77, 2397 EC_CURVE_DATA h;
2003 0xA9,0xFB,0x57,0xDB,0xA1,0xEE,0xA9,0xBC,0x3E,0x66, /* a */ 2398 unsigned char data[0 + 32 * 6];
2004 0x0A,0x90,0x9D,0x83,0x8D,0x72,0x6E,0x3B,0xF6,0x23, 2399}
2005 0xD5,0x26,0x20,0x28,0x20,0x13,0x48,0x1D,0x1F,0x6E, 2400 _EC_brainpoolP256r1 = {
2006 0x53,0x74, 2401 {
2007 0x66,0x2C,0x61,0xC4,0x30,0xD8,0x4E,0xA4,0xFE,0x66, /* b */ 2402 NID_X9_62_prime_field, 0, 32, 1
2008 0xA7,0x73,0x3D,0x0B,0x76,0xB7,0xBF,0x93,0xEB,0xC4, 2403 },
2009 0xAF,0x2F,0x49,0x25,0x6A,0xE5,0x81,0x01,0xFE,0xE9, 2404 { /* no seed */
2010 0x2B,0x04, 2405 0xA9, 0xFB, 0x57, 0xDB, 0xA1, 0xEE, 0xA9, 0xBC, 0x3E, 0x66, /* p */
2011 0xA3,0xE8,0xEB,0x3C,0xC1,0xCF,0xE7,0xB7,0x73,0x22, /* x */ 2406 0x0A, 0x90, 0x9D, 0x83, 0x8D, 0x72, 0x6E, 0x3B, 0xF6, 0x23,
2012 0x13,0xB2,0x3A,0x65,0x61,0x49,0xAF,0xA1,0x42,0xC4, 2407 0xD5, 0x26, 0x20, 0x28, 0x20, 0x13, 0x48, 0x1D, 0x1F, 0x6E,
2013 0x7A,0xAF,0xBC,0x2B,0x79,0xA1,0x91,0x56,0x2E,0x13, 2408 0x53, 0x77,
2014 0x05,0xF4, 2409 0x7D, 0x5A, 0x09, 0x75, 0xFC, 0x2C, 0x30, 0x57, 0xEE, 0xF6, /* a */
2015 0x2D,0x99,0x6C,0x82,0x34,0x39,0xC5,0x6D,0x7F,0x7B, /* y */ 2410 0x75, 0x30, 0x41, 0x7A, 0xFF, 0xE7, 0xFB, 0x80, 0x55, 0xC1,
2016 0x22,0xE1,0x46,0x44,0x41,0x7E,0x69,0xBC,0xB6,0xDE, 2411 0x26, 0xDC, 0x5C, 0x6C, 0xE9, 0x4A, 0x4B, 0x44, 0xF3, 0x30,
2017 0x39,0xD0,0x27,0x00,0x1D,0xAB,0xE8,0xF3,0x5B,0x25, 2412 0xB5, 0xD9,
2018 0xC9,0xBE, 2413 0x26, 0xDC, 0x5C, 0x6C, 0xE9, 0x4A, 0x4B, 0x44, 0xF3, 0x30, /* b */
2019 0xA9,0xFB,0x57,0xDB,0xA1,0xEE,0xA9,0xBC,0x3E,0x66, /* order */ 2414 0xB5, 0xD9, 0xBB, 0xD7, 0x7C, 0xBF, 0x95, 0x84, 0x16, 0x29,
2020 0x0A,0x90,0x9D,0x83,0x8D,0x71,0x8C,0x39,0x7A,0xA3, 2415 0x5C, 0xF7, 0xE1, 0xCE, 0x6B, 0xCC, 0xDC, 0x18, 0xFF, 0x8C,
2021 0xB5,0x61,0xA6,0xF7,0x90,0x1E,0x0E,0x82,0x97,0x48, 2416 0x07, 0xB6,
2022 0x56,0xA7 } 2417 0x8B, 0xD2, 0xAE, 0xB9, 0xCB, 0x7E, 0x57, 0xCB, 0x2C, 0x4B, /* x */
2023 }; 2418 0x48, 0x2F, 0xFC, 0x81, 0xB7, 0xAF, 0xB9, 0xDE, 0x27, 0xE1,
2024 2419 0xE3, 0xBD, 0x23, 0xC2, 0x3A, 0x44, 0x53, 0xBD, 0x9A, 0xCE,
2025static const struct { EC_CURVE_DATA h; unsigned char data[0+40*6]; } 2420 0x32, 0x62,
2026 _EC_brainpoolP320r1 = { 2421 0x54, 0x7E, 0xF8, 0x35, 0xC3, 0xDA, 0xC4, 0xFD, 0x97, 0xF8, /* y */
2027 { NID_X9_62_prime_field, 0,40,1 }, 2422 0x46, 0x1A, 0x14, 0x61, 0x1D, 0xC9, 0xC2, 0x77, 0x45, 0x13,
2028 { /* no seed */ 2423 0x2D, 0xED, 0x8E, 0x54, 0x5C, 0x1D, 0x54, 0xC7, 0x2F, 0x04,
2029 0xD3,0x5E,0x47,0x20,0x36,0xBC,0x4F,0xB7,0xE1,0x3C, /* p */ 2424 0x69, 0x97,
2030 0x78,0x5E,0xD2,0x01,0xE0,0x65,0xF9,0x8F,0xCF,0xA6, 2425 0xA9, 0xFB, 0x57, 0xDB, 0xA1, 0xEE, 0xA9, 0xBC, 0x3E, 0x66, /* order */
2031 0xF6,0xF4,0x0D,0xEF,0x4F,0x92,0xB9,0xEC,0x78,0x93, 2426 0x0A, 0x90, 0x9D, 0x83, 0x8D, 0x71, 0x8C, 0x39, 0x7A, 0xA3,
2032 0xEC,0x28,0xFC,0xD4,0x12,0xB1,0xF1,0xB3,0x2E,0x27, 2427 0xB5, 0x61, 0xA6, 0xF7, 0x90, 0x1E, 0x0E, 0x82, 0x97, 0x48,
2033 0x3E,0xE3,0x0B,0x56,0x8F,0xBA,0xB0,0xF8,0x83,0xCC, /* a */ 2428 0x56, 0xA7
2034 0xEB,0xD4,0x6D,0x3F,0x3B,0xB8,0xA2,0xA7,0x35,0x13, 2429 }
2035 0xF5,0xEB,0x79,0xDA,0x66,0x19,0x0E,0xB0,0x85,0xFF, 2430};
2036 0xA9,0xF4,0x92,0xF3,0x75,0xA9,0x7D,0x86,0x0E,0xB4, 2431
2037 0x52,0x08,0x83,0x94,0x9D,0xFD,0xBC,0x42,0xD3,0xAD, /* b */ 2432static const struct {
2038 0x19,0x86,0x40,0x68,0x8A,0x6F,0xE1,0x3F,0x41,0x34, 2433 EC_CURVE_DATA h;
2039 0x95,0x54,0xB4,0x9A,0xCC,0x31,0xDC,0xCD,0x88,0x45, 2434 unsigned char data[0 + 32 * 6];
2040 0x39,0x81,0x6F,0x5E,0xB4,0xAC,0x8F,0xB1,0xF1,0xA6, 2435}
2041 0x43,0xBD,0x7E,0x9A,0xFB,0x53,0xD8,0xB8,0x52,0x89, /* x */ 2436 _EC_brainpoolP256t1 = {
2042 0xBC,0xC4,0x8E,0xE5,0xBF,0xE6,0xF2,0x01,0x37,0xD1, 2437 {
2043 0x0A,0x08,0x7E,0xB6,0xE7,0x87,0x1E,0x2A,0x10,0xA5, 2438 NID_X9_62_prime_field, 0, 32, 1
2044 0x99,0xC7,0x10,0xAF,0x8D,0x0D,0x39,0xE2,0x06,0x11, 2439 },
2045 0x14,0xFD,0xD0,0x55,0x45,0xEC,0x1C,0xC8,0xAB,0x40, /* y */ 2440 { /* no seed */
2046 0x93,0x24,0x7F,0x77,0x27,0x5E,0x07,0x43,0xFF,0xED, 2441 0xA9, 0xFB, 0x57, 0xDB, 0xA1, 0xEE, 0xA9, 0xBC, 0x3E, 0x66, /* p */
2047 0x11,0x71,0x82,0xEA,0xA9,0xC7,0x78,0x77,0xAA,0xAC, 2442 0x0A, 0x90, 0x9D, 0x83, 0x8D, 0x72, 0x6E, 0x3B, 0xF6, 0x23,
2048 0x6A,0xC7,0xD3,0x52,0x45,0xD1,0x69,0x2E,0x8E,0xE1, 2443 0xD5, 0x26, 0x20, 0x28, 0x20, 0x13, 0x48, 0x1D, 0x1F, 0x6E,
2049 0xD3,0x5E,0x47,0x20,0x36,0xBC,0x4F,0xB7,0xE1,0x3C, /* order */ 2444 0x53, 0x77,
2050 0x78,0x5E,0xD2,0x01,0xE0,0x65,0xF9,0x8F,0xCF,0xA5, 2445 0xA9, 0xFB, 0x57, 0xDB, 0xA1, 0xEE, 0xA9, 0xBC, 0x3E, 0x66, /* a */
2051 0xB6,0x8F,0x12,0xA3,0x2D,0x48,0x2E,0xC7,0xEE,0x86, 2446 0x0A, 0x90, 0x9D, 0x83, 0x8D, 0x72, 0x6E, 0x3B, 0xF6, 0x23,
2052 0x58,0xE9,0x86,0x91,0x55,0x5B,0x44,0xC5,0x93,0x11 } 2447 0xD5, 0x26, 0x20, 0x28, 0x20, 0x13, 0x48, 0x1D, 0x1F, 0x6E,
2053 }; 2448 0x53, 0x74,
2054 2449 0x66, 0x2C, 0x61, 0xC4, 0x30, 0xD8, 0x4E, 0xA4, 0xFE, 0x66, /* b */
2055static const struct { EC_CURVE_DATA h; unsigned char data[0+40*6]; } 2450 0xA7, 0x73, 0x3D, 0x0B, 0x76, 0xB7, 0xBF, 0x93, 0xEB, 0xC4,
2056 _EC_brainpoolP320t1 = { 2451 0xAF, 0x2F, 0x49, 0x25, 0x6A, 0xE5, 0x81, 0x01, 0xFE, 0xE9,
2057 { NID_X9_62_prime_field, 0,40,1 }, 2452 0x2B, 0x04,
2058 { /* no seed */ 2453 0xA3, 0xE8, 0xEB, 0x3C, 0xC1, 0xCF, 0xE7, 0xB7, 0x73, 0x22, /* x */
2059 0xD3,0x5E,0x47,0x20,0x36,0xBC,0x4F,0xB7,0xE1,0x3C, /* p */ 2454 0x13, 0xB2, 0x3A, 0x65, 0x61, 0x49, 0xAF, 0xA1, 0x42, 0xC4,
2060 0x78,0x5E,0xD2,0x01,0xE0,0x65,0xF9,0x8F,0xCF,0xA6, 2455 0x7A, 0xAF, 0xBC, 0x2B, 0x79, 0xA1, 0x91, 0x56, 0x2E, 0x13,
2061 0xF6,0xF4,0x0D,0xEF,0x4F,0x92,0xB9,0xEC,0x78,0x93, 2456 0x05, 0xF4,
2062 0xEC,0x28,0xFC,0xD4,0x12,0xB1,0xF1,0xB3,0x2E,0x27, 2457 0x2D, 0x99, 0x6C, 0x82, 0x34, 0x39, 0xC5, 0x6D, 0x7F, 0x7B, /* y */
2063 0xD3,0x5E,0x47,0x20,0x36,0xBC,0x4F,0xB7,0xE1,0x3C, /* a */ 2458 0x22, 0xE1, 0x46, 0x44, 0x41, 0x7E, 0x69, 0xBC, 0xB6, 0xDE,
2064 0x78,0x5E,0xD2,0x01,0xE0,0x65,0xF9,0x8F,0xCF,0xA6, 2459 0x39, 0xD0, 0x27, 0x00, 0x1D, 0xAB, 0xE8, 0xF3, 0x5B, 0x25,
2065 0xF6,0xF4,0x0D,0xEF,0x4F,0x92,0xB9,0xEC,0x78,0x93, 2460 0xC9, 0xBE,
2066 0xEC,0x28,0xFC,0xD4,0x12,0xB1,0xF1,0xB3,0x2E,0x24, 2461 0xA9, 0xFB, 0x57, 0xDB, 0xA1, 0xEE, 0xA9, 0xBC, 0x3E, 0x66, /* order */
2067 0xA7,0xF5,0x61,0xE0,0x38,0xEB,0x1E,0xD5,0x60,0xB3, /* b */ 2462 0x0A, 0x90, 0x9D, 0x83, 0x8D, 0x71, 0x8C, 0x39, 0x7A, 0xA3,
2068 0xD1,0x47,0xDB,0x78,0x20,0x13,0x06,0x4C,0x19,0xF2, 2463 0xB5, 0x61, 0xA6, 0xF7, 0x90, 0x1E, 0x0E, 0x82, 0x97, 0x48,
2069 0x7E,0xD2,0x7C,0x67,0x80,0xAA,0xF7,0x7F,0xB8,0xA5, 2464 0x56, 0xA7
2070 0x47,0xCE,0xB5,0xB4,0xFE,0xF4,0x22,0x34,0x03,0x53, 2465 }
2071 0x92,0x5B,0xE9,0xFB,0x01,0xAF,0xC6,0xFB,0x4D,0x3E, /* x */ 2466};
2072 0x7D,0x49,0x90,0x01,0x0F,0x81,0x34,0x08,0xAB,0x10, 2467
2073 0x6C,0x4F,0x09,0xCB,0x7E,0xE0,0x78,0x68,0xCC,0x13, 2468static const struct {
2074 0x6F,0xFF,0x33,0x57,0xF6,0x24,0xA2,0x1B,0xED,0x52, 2469 EC_CURVE_DATA h;
2075 0x63,0xBA,0x3A,0x7A,0x27,0x48,0x3E,0xBF,0x66,0x71, /* y */ 2470 unsigned char data[0 + 40 * 6];
2076 0xDB,0xEF,0x7A,0xBB,0x30,0xEB,0xEE,0x08,0x4E,0x58, 2471}
2077 0xA0,0xB0,0x77,0xAD,0x42,0xA5,0xA0,0x98,0x9D,0x1E, 2472 _EC_brainpoolP320r1 = {
2078 0xE7,0x1B,0x1B,0x9B,0xC0,0x45,0x5F,0xB0,0xD2,0xC3, 2473 {
2079 0xD3,0x5E,0x47,0x20,0x36,0xBC,0x4F,0xB7,0xE1,0x3C, /* order */ 2474 NID_X9_62_prime_field, 0, 40, 1
2080 0x78,0x5E,0xD2,0x01,0xE0,0x65,0xF9,0x8F,0xCF,0xA5, 2475 },
2081 0xB6,0x8F,0x12,0xA3,0x2D,0x48,0x2E,0xC7,0xEE,0x86, 2476 { /* no seed */
2082 0x58,0xE9,0x86,0x91,0x55,0x5B,0x44,0xC5,0x93,0x11 } 2477 0xD3, 0x5E, 0x47, 0x20, 0x36, 0xBC, 0x4F, 0xB7, 0xE1, 0x3C, /* p */
2083 }; 2478 0x78, 0x5E, 0xD2, 0x01, 0xE0, 0x65, 0xF9, 0x8F, 0xCF, 0xA6,
2084 2479 0xF6, 0xF4, 0x0D, 0xEF, 0x4F, 0x92, 0xB9, 0xEC, 0x78, 0x93,
2085static const struct { EC_CURVE_DATA h; unsigned char data[0+48*6]; } 2480 0xEC, 0x28, 0xFC, 0xD4, 0x12, 0xB1, 0xF1, 0xB3, 0x2E, 0x27,
2086 _EC_brainpoolP384r1 = { 2481 0x3E, 0xE3, 0x0B, 0x56, 0x8F, 0xBA, 0xB0, 0xF8, 0x83, 0xCC, /* a */
2087 { NID_X9_62_prime_field, 0,48,1 }, 2482 0xEB, 0xD4, 0x6D, 0x3F, 0x3B, 0xB8, 0xA2, 0xA7, 0x35, 0x13,
2088 { /* no seed */ 2483 0xF5, 0xEB, 0x79, 0xDA, 0x66, 0x19, 0x0E, 0xB0, 0x85, 0xFF,
2089 0x8C,0xB9,0x1E,0x82,0xA3,0x38,0x6D,0x28,0x0F,0x5D, /* p */ 2484 0xA9, 0xF4, 0x92, 0xF3, 0x75, 0xA9, 0x7D, 0x86, 0x0E, 0xB4,
2090 0x6F,0x7E,0x50,0xE6,0x41,0xDF,0x15,0x2F,0x71,0x09, 2485 0x52, 0x08, 0x83, 0x94, 0x9D, 0xFD, 0xBC, 0x42, 0xD3, 0xAD, /* b */
2091 0xED,0x54,0x56,0xB4,0x12,0xB1,0xDA,0x19,0x7F,0xB7, 2486 0x19, 0x86, 0x40, 0x68, 0x8A, 0x6F, 0xE1, 0x3F, 0x41, 0x34,
2092 0x11,0x23,0xAC,0xD3,0xA7,0x29,0x90,0x1D,0x1A,0x71, 2487 0x95, 0x54, 0xB4, 0x9A, 0xCC, 0x31, 0xDC, 0xCD, 0x88, 0x45,
2093 0x87,0x47,0x00,0x13,0x31,0x07,0xEC,0x53, 2488 0x39, 0x81, 0x6F, 0x5E, 0xB4, 0xAC, 0x8F, 0xB1, 0xF1, 0xA6,
2094 0x7B,0xC3,0x82,0xC6,0x3D,0x8C,0x15,0x0C,0x3C,0x72, /* a */ 2489 0x43, 0xBD, 0x7E, 0x9A, 0xFB, 0x53, 0xD8, 0xB8, 0x52, 0x89, /* x */
2095 0x08,0x0A,0xCE,0x05,0xAF,0xA0,0xC2,0xBE,0xA2,0x8E, 2490 0xBC, 0xC4, 0x8E, 0xE5, 0xBF, 0xE6, 0xF2, 0x01, 0x37, 0xD1,
2096 0x4F,0xB2,0x27,0x87,0x13,0x91,0x65,0xEF,0xBA,0x91, 2491 0x0A, 0x08, 0x7E, 0xB6, 0xE7, 0x87, 0x1E, 0x2A, 0x10, 0xA5,
2097 0xF9,0x0F,0x8A,0xA5,0x81,0x4A,0x50,0x3A,0xD4,0xEB, 2492 0x99, 0xC7, 0x10, 0xAF, 0x8D, 0x0D, 0x39, 0xE2, 0x06, 0x11,
2098 0x04,0xA8,0xC7,0xDD,0x22,0xCE,0x28,0x26, 2493 0x14, 0xFD, 0xD0, 0x55, 0x45, 0xEC, 0x1C, 0xC8, 0xAB, 0x40, /* y */
2099 0x04,0xA8,0xC7,0xDD,0x22,0xCE,0x28,0x26,0x8B,0x39, /* b */ 2494 0x93, 0x24, 0x7F, 0x77, 0x27, 0x5E, 0x07, 0x43, 0xFF, 0xED,
2100 0xB5,0x54,0x16,0xF0,0x44,0x7C,0x2F,0xB7,0x7D,0xE1, 2495 0x11, 0x71, 0x82, 0xEA, 0xA9, 0xC7, 0x78, 0x77, 0xAA, 0xAC,
2101 0x07,0xDC,0xD2,0xA6,0x2E,0x88,0x0E,0xA5,0x3E,0xEB, 2496 0x6A, 0xC7, 0xD3, 0x52, 0x45, 0xD1, 0x69, 0x2E, 0x8E, 0xE1,
2102 0x62,0xD5,0x7C,0xB4,0x39,0x02,0x95,0xDB,0xC9,0x94, 2497 0xD3, 0x5E, 0x47, 0x20, 0x36, 0xBC, 0x4F, 0xB7, 0xE1, 0x3C, /* order */
2103 0x3A,0xB7,0x86,0x96,0xFA,0x50,0x4C,0x11, 2498 0x78, 0x5E, 0xD2, 0x01, 0xE0, 0x65, 0xF9, 0x8F, 0xCF, 0xA5,
2104 0x1D,0x1C,0x64,0xF0,0x68,0xCF,0x45,0xFF,0xA2,0xA6, /* x */ 2499 0xB6, 0x8F, 0x12, 0xA3, 0x2D, 0x48, 0x2E, 0xC7, 0xEE, 0x86,
2105 0x3A,0x81,0xB7,0xC1,0x3F,0x6B,0x88,0x47,0xA3,0xE7, 2500 0x58, 0xE9, 0x86, 0x91, 0x55, 0x5B, 0x44, 0xC5, 0x93, 0x11
2106 0x7E,0xF1,0x4F,0xE3,0xDB,0x7F,0xCA,0xFE,0x0C,0xBD, 2501 }
2107 0x10,0xE8,0xE8,0x26,0xE0,0x34,0x36,0xD6,0x46,0xAA, 2502};
2108 0xEF,0x87,0xB2,0xE2,0x47,0xD4,0xAF,0x1E, 2503
2109 0x8A,0xBE,0x1D,0x75,0x20,0xF9,0xC2,0xA4,0x5C,0xB1, /* y */ 2504static const struct {
2110 0xEB,0x8E,0x95,0xCF,0xD5,0x52,0x62,0xB7,0x0B,0x29, 2505 EC_CURVE_DATA h;
2111 0xFE,0xEC,0x58,0x64,0xE1,0x9C,0x05,0x4F,0xF9,0x91, 2506 unsigned char data[0 + 40 * 6];
2112 0x29,0x28,0x0E,0x46,0x46,0x21,0x77,0x91,0x81,0x11, 2507}
2113 0x42,0x82,0x03,0x41,0x26,0x3C,0x53,0x15, 2508 _EC_brainpoolP320t1 = {
2114 0x8C,0xB9,0x1E,0x82,0xA3,0x38,0x6D,0x28,0x0F,0x5D, /* order */ 2509 {
2115 0x6F,0x7E,0x50,0xE6,0x41,0xDF,0x15,0x2F,0x71,0x09, 2510 NID_X9_62_prime_field, 0, 40, 1
2116 0xED,0x54,0x56,0xB3,0x1F,0x16,0x6E,0x6C,0xAC,0x04, 2511 },
2117 0x25,0xA7,0xCF,0x3A,0xB6,0xAF,0x6B,0x7F,0xC3,0x10, 2512 { /* no seed */
2118 0x3B,0x88,0x32,0x02,0xE9,0x04,0x65,0x65 } 2513 0xD3, 0x5E, 0x47, 0x20, 0x36, 0xBC, 0x4F, 0xB7, 0xE1, 0x3C, /* p */
2119 }; 2514 0x78, 0x5E, 0xD2, 0x01, 0xE0, 0x65, 0xF9, 0x8F, 0xCF, 0xA6,
2120 2515 0xF6, 0xF4, 0x0D, 0xEF, 0x4F, 0x92, 0xB9, 0xEC, 0x78, 0x93,
2121static const struct { EC_CURVE_DATA h; unsigned char data[0+48*6]; } 2516 0xEC, 0x28, 0xFC, 0xD4, 0x12, 0xB1, 0xF1, 0xB3, 0x2E, 0x27,
2122 _EC_brainpoolP384t1 = { 2517 0xD3, 0x5E, 0x47, 0x20, 0x36, 0xBC, 0x4F, 0xB7, 0xE1, 0x3C, /* a */
2123 { NID_X9_62_prime_field, 0,48,1 }, 2518 0x78, 0x5E, 0xD2, 0x01, 0xE0, 0x65, 0xF9, 0x8F, 0xCF, 0xA6,
2124 { /* no seed */ 2519 0xF6, 0xF4, 0x0D, 0xEF, 0x4F, 0x92, 0xB9, 0xEC, 0x78, 0x93,
2125 0x8C,0xB9,0x1E,0x82,0xA3,0x38,0x6D,0x28,0x0F,0x5D, /* p */ 2520 0xEC, 0x28, 0xFC, 0xD4, 0x12, 0xB1, 0xF1, 0xB3, 0x2E, 0x24,
2126 0x6F,0x7E,0x50,0xE6,0x41,0xDF,0x15,0x2F,0x71,0x09, 2521 0xA7, 0xF5, 0x61, 0xE0, 0x38, 0xEB, 0x1E, 0xD5, 0x60, 0xB3, /* b */
2127 0xED,0x54,0x56,0xB4,0x12,0xB1,0xDA,0x19,0x7F,0xB7, 2522 0xD1, 0x47, 0xDB, 0x78, 0x20, 0x13, 0x06, 0x4C, 0x19, 0xF2,
2128 0x11,0x23,0xAC,0xD3,0xA7,0x29,0x90,0x1D,0x1A,0x71, 2523 0x7E, 0xD2, 0x7C, 0x67, 0x80, 0xAA, 0xF7, 0x7F, 0xB8, 0xA5,
2129 0x87,0x47,0x00,0x13,0x31,0x07,0xEC,0x53, 2524 0x47, 0xCE, 0xB5, 0xB4, 0xFE, 0xF4, 0x22, 0x34, 0x03, 0x53,
2130 0x8C,0xB9,0x1E,0x82,0xA3,0x38,0x6D,0x28,0x0F,0x5D, /* a */ 2525 0x92, 0x5B, 0xE9, 0xFB, 0x01, 0xAF, 0xC6, 0xFB, 0x4D, 0x3E, /* x */
2131 0x6F,0x7E,0x50,0xE6,0x41,0xDF,0x15,0x2F,0x71,0x09, 2526 0x7D, 0x49, 0x90, 0x01, 0x0F, 0x81, 0x34, 0x08, 0xAB, 0x10,
2132 0xED,0x54,0x56,0xB4,0x12,0xB1,0xDA,0x19,0x7F,0xB7, 2527 0x6C, 0x4F, 0x09, 0xCB, 0x7E, 0xE0, 0x78, 0x68, 0xCC, 0x13,
2133 0x11,0x23,0xAC,0xD3,0xA7,0x29,0x90,0x1D,0x1A,0x71, 2528 0x6F, 0xFF, 0x33, 0x57, 0xF6, 0x24, 0xA2, 0x1B, 0xED, 0x52,
2134 0x87,0x47,0x00,0x13,0x31,0x07,0xEC,0x50, 2529 0x63, 0xBA, 0x3A, 0x7A, 0x27, 0x48, 0x3E, 0xBF, 0x66, 0x71, /* y */
2135 0x7F,0x51,0x9E,0xAD,0xA7,0xBD,0xA8,0x1B,0xD8,0x26, /* b */ 2530 0xDB, 0xEF, 0x7A, 0xBB, 0x30, 0xEB, 0xEE, 0x08, 0x4E, 0x58,
2136 0xDB,0xA6,0x47,0x91,0x0F,0x8C,0x4B,0x93,0x46,0xED, 2531 0xA0, 0xB0, 0x77, 0xAD, 0x42, 0xA5, 0xA0, 0x98, 0x9D, 0x1E,
2137 0x8C,0xCD,0xC6,0x4E,0x4B,0x1A,0xBD,0x11,0x75,0x6D, 2532 0xE7, 0x1B, 0x1B, 0x9B, 0xC0, 0x45, 0x5F, 0xB0, 0xD2, 0xC3,
2138 0xCE,0x1D,0x20,0x74,0xAA,0x26,0x3B,0x88,0x80,0x5C, 2533 0xD3, 0x5E, 0x47, 0x20, 0x36, 0xBC, 0x4F, 0xB7, 0xE1, 0x3C, /* order */
2139 0xED,0x70,0x35,0x5A,0x33,0xB4,0x71,0xEE, 2534 0x78, 0x5E, 0xD2, 0x01, 0xE0, 0x65, 0xF9, 0x8F, 0xCF, 0xA5,
2140 0x18,0xDE,0x98,0xB0,0x2D,0xB9,0xA3,0x06,0xF2,0xAF, /* x */ 2535 0xB6, 0x8F, 0x12, 0xA3, 0x2D, 0x48, 0x2E, 0xC7, 0xEE, 0x86,
2141 0xCD,0x72,0x35,0xF7,0x2A,0x81,0x9B,0x80,0xAB,0x12, 2536 0x58, 0xE9, 0x86, 0x91, 0x55, 0x5B, 0x44, 0xC5, 0x93, 0x11
2142 0xEB,0xD6,0x53,0x17,0x24,0x76,0xFE,0xCD,0x46,0x2A, 2537 }
2143 0xAB,0xFF,0xC4,0xFF,0x19,0x1B,0x94,0x6A,0x5F,0x54, 2538};
2144 0xD8,0xD0,0xAA,0x2F,0x41,0x88,0x08,0xCC, 2539
2145 0x25,0xAB,0x05,0x69,0x62,0xD3,0x06,0x51,0xA1,0x14, /* y */ 2540static const struct {
2146 0xAF,0xD2,0x75,0x5A,0xD3,0x36,0x74,0x7F,0x93,0x47, 2541 EC_CURVE_DATA h;
2147 0x5B,0x7A,0x1F,0xCA,0x3B,0x88,0xF2,0xB6,0xA2,0x08, 2542 unsigned char data[0 + 48 * 6];
2148 0xCC,0xFE,0x46,0x94,0x08,0x58,0x4D,0xC2,0xB2,0x91, 2543}
2149 0x26,0x75,0xBF,0x5B,0x9E,0x58,0x29,0x28, 2544 _EC_brainpoolP384r1 = {
2150 0x8C,0xB9,0x1E,0x82,0xA3,0x38,0x6D,0x28,0x0F,0x5D, /* order */ 2545 {
2151 0x6F,0x7E,0x50,0xE6,0x41,0xDF,0x15,0x2F,0x71,0x09, 2546 NID_X9_62_prime_field, 0, 48, 1
2152 0xED,0x54,0x56,0xB3,0x1F,0x16,0x6E,0x6C,0xAC,0x04, 2547 },
2153 0x25,0xA7,0xCF,0x3A,0xB6,0xAF,0x6B,0x7F,0xC3,0x10, 2548 { /* no seed */
2154 0x3B,0x88,0x32,0x02,0xE9,0x04,0x65,0x65 } 2549 0x8C, 0xB9, 0x1E, 0x82, 0xA3, 0x38, 0x6D, 0x28, 0x0F, 0x5D, /* p */
2155 }; 2550 0x6F, 0x7E, 0x50, 0xE6, 0x41, 0xDF, 0x15, 0x2F, 0x71, 0x09,
2156 2551 0xED, 0x54, 0x56, 0xB4, 0x12, 0xB1, 0xDA, 0x19, 0x7F, 0xB7,
2157static const struct { EC_CURVE_DATA h; unsigned char data[0+64*6]; } 2552 0x11, 0x23, 0xAC, 0xD3, 0xA7, 0x29, 0x90, 0x1D, 0x1A, 0x71,
2158 _EC_brainpoolP512r1 = { 2553 0x87, 0x47, 0x00, 0x13, 0x31, 0x07, 0xEC, 0x53,
2159 { NID_X9_62_prime_field, 0,64,1 }, 2554 0x7B, 0xC3, 0x82, 0xC6, 0x3D, 0x8C, 0x15, 0x0C, 0x3C, 0x72, /* a */
2160 { /* no seed */ 2555 0x08, 0x0A, 0xCE, 0x05, 0xAF, 0xA0, 0xC2, 0xBE, 0xA2, 0x8E,
2161 0xAA,0xDD,0x9D,0xB8,0xDB,0xE9,0xC4,0x8B,0x3F,0xD4, /* p */ 2556 0x4F, 0xB2, 0x27, 0x87, 0x13, 0x91, 0x65, 0xEF, 0xBA, 0x91,
2162 0xE6,0xAE,0x33,0xC9,0xFC,0x07,0xCB,0x30,0x8D,0xB3, 2557 0xF9, 0x0F, 0x8A, 0xA5, 0x81, 0x4A, 0x50, 0x3A, 0xD4, 0xEB,
2163 0xB3,0xC9,0xD2,0x0E,0xD6,0x63,0x9C,0xCA,0x70,0x33, 2558 0x04, 0xA8, 0xC7, 0xDD, 0x22, 0xCE, 0x28, 0x26,
2164 0x08,0x71,0x7D,0x4D,0x9B,0x00,0x9B,0xC6,0x68,0x42, 2559 0x04, 0xA8, 0xC7, 0xDD, 0x22, 0xCE, 0x28, 0x26, 0x8B, 0x39, /* b */
2165 0xAE,0xCD,0xA1,0x2A,0xE6,0xA3,0x80,0xE6,0x28,0x81, 2560 0xB5, 0x54, 0x16, 0xF0, 0x44, 0x7C, 0x2F, 0xB7, 0x7D, 0xE1,
2166 0xFF,0x2F,0x2D,0x82,0xC6,0x85,0x28,0xAA,0x60,0x56, 2561 0x07, 0xDC, 0xD2, 0xA6, 0x2E, 0x88, 0x0E, 0xA5, 0x3E, 0xEB,
2167 0x58,0x3A,0x48,0xF3, 2562 0x62, 0xD5, 0x7C, 0xB4, 0x39, 0x02, 0x95, 0xDB, 0xC9, 0x94,
2168 0x78,0x30,0xA3,0x31,0x8B,0x60,0x3B,0x89,0xE2,0x32, /* a */ 2563 0x3A, 0xB7, 0x86, 0x96, 0xFA, 0x50, 0x4C, 0x11,
2169 0x71,0x45,0xAC,0x23,0x4C,0xC5,0x94,0xCB,0xDD,0x8D, 2564 0x1D, 0x1C, 0x64, 0xF0, 0x68, 0xCF, 0x45, 0xFF, 0xA2, 0xA6, /* x */
2170 0x3D,0xF9,0x16,0x10,0xA8,0x34,0x41,0xCA,0xEA,0x98, 2565 0x3A, 0x81, 0xB7, 0xC1, 0x3F, 0x6B, 0x88, 0x47, 0xA3, 0xE7,
2171 0x63,0xBC,0x2D,0xED,0x5D,0x5A,0xA8,0x25,0x3A,0xA1, 2566 0x7E, 0xF1, 0x4F, 0xE3, 0xDB, 0x7F, 0xCA, 0xFE, 0x0C, 0xBD,
2172 0x0A,0x2E,0xF1,0xC9,0x8B,0x9A,0xC8,0xB5,0x7F,0x11, 2567 0x10, 0xE8, 0xE8, 0x26, 0xE0, 0x34, 0x36, 0xD6, 0x46, 0xAA,
2173 0x17,0xA7,0x2B,0xF2,0xC7,0xB9,0xE7,0xC1,0xAC,0x4D, 2568 0xEF, 0x87, 0xB2, 0xE2, 0x47, 0xD4, 0xAF, 0x1E,
2174 0x77,0xFC,0x94,0xCA, 2569 0x8A, 0xBE, 0x1D, 0x75, 0x20, 0xF9, 0xC2, 0xA4, 0x5C, 0xB1, /* y */
2175 0x3D,0xF9,0x16,0x10,0xA8,0x34,0x41,0xCA,0xEA,0x98, /* b */ 2570 0xEB, 0x8E, 0x95, 0xCF, 0xD5, 0x52, 0x62, 0xB7, 0x0B, 0x29,
2176 0x63,0xBC,0x2D,0xED,0x5D,0x5A,0xA8,0x25,0x3A,0xA1, 2571 0xFE, 0xEC, 0x58, 0x64, 0xE1, 0x9C, 0x05, 0x4F, 0xF9, 0x91,
2177 0x0A,0x2E,0xF1,0xC9,0x8B,0x9A,0xC8,0xB5,0x7F,0x11, 2572 0x29, 0x28, 0x0E, 0x46, 0x46, 0x21, 0x77, 0x91, 0x81, 0x11,
2178 0x17,0xA7,0x2B,0xF2,0xC7,0xB9,0xE7,0xC1,0xAC,0x4D, 2573 0x42, 0x82, 0x03, 0x41, 0x26, 0x3C, 0x53, 0x15,
2179 0x77,0xFC,0x94,0xCA,0xDC,0x08,0x3E,0x67,0x98,0x40, 2574 0x8C, 0xB9, 0x1E, 0x82, 0xA3, 0x38, 0x6D, 0x28, 0x0F, 0x5D, /* order */
2180 0x50,0xB7,0x5E,0xBA,0xE5,0xDD,0x28,0x09,0xBD,0x63, 2575 0x6F, 0x7E, 0x50, 0xE6, 0x41, 0xDF, 0x15, 0x2F, 0x71, 0x09,
2181 0x80,0x16,0xF7,0x23, 2576 0xED, 0x54, 0x56, 0xB3, 0x1F, 0x16, 0x6E, 0x6C, 0xAC, 0x04,
2182 0x81,0xAE,0xE4,0xBD,0xD8,0x2E,0xD9,0x64,0x5A,0x21, /* x */ 2577 0x25, 0xA7, 0xCF, 0x3A, 0xB6, 0xAF, 0x6B, 0x7F, 0xC3, 0x10,
2183 0x32,0x2E,0x9C,0x4C,0x6A,0x93,0x85,0xED,0x9F,0x70, 2578 0x3B, 0x88, 0x32, 0x02, 0xE9, 0x04, 0x65, 0x65
2184 0xB5,0xD9,0x16,0xC1,0xB4,0x3B,0x62,0xEE,0xF4,0xD0, 2579 }
2185 0x09,0x8E,0xFF,0x3B,0x1F,0x78,0xE2,0xD0,0xD4,0x8D, 2580};
2186 0x50,0xD1,0x68,0x7B,0x93,0xB9,0x7D,0x5F,0x7C,0x6D, 2581
2187 0x50,0x47,0x40,0x6A,0x5E,0x68,0x8B,0x35,0x22,0x09, 2582static const struct {
2188 0xBC,0xB9,0xF8,0x22, 2583 EC_CURVE_DATA h;
2189 0x7D,0xDE,0x38,0x5D,0x56,0x63,0x32,0xEC,0xC0,0xEA, /* y */ 2584 unsigned char data[0 + 48 * 6];
2190 0xBF,0xA9,0xCF,0x78,0x22,0xFD,0xF2,0x09,0xF7,0x00, 2585}
2191 0x24,0xA5,0x7B,0x1A,0xA0,0x00,0xC5,0x5B,0x88,0x1F, 2586 _EC_brainpoolP384t1 = {
2192 0x81,0x11,0xB2,0xDC,0xDE,0x49,0x4A,0x5F,0x48,0x5E, 2587 {
2193 0x5B,0xCA,0x4B,0xD8,0x8A,0x27,0x63,0xAE,0xD1,0xCA, 2588 NID_X9_62_prime_field, 0, 48, 1
2194 0x2B,0x2F,0xA8,0xF0,0x54,0x06,0x78,0xCD,0x1E,0x0F, 2589 },
2195 0x3A,0xD8,0x08,0x92, 2590 { /* no seed */
2196 0xAA,0xDD,0x9D,0xB8,0xDB,0xE9,0xC4,0x8B,0x3F,0xD4, /* order */ 2591 0x8C, 0xB9, 0x1E, 0x82, 0xA3, 0x38, 0x6D, 0x28, 0x0F, 0x5D, /* p */
2197 0xE6,0xAE,0x33,0xC9,0xFC,0x07,0xCB,0x30,0x8D,0xB3, 2592 0x6F, 0x7E, 0x50, 0xE6, 0x41, 0xDF, 0x15, 0x2F, 0x71, 0x09,
2198 0xB3,0xC9,0xD2,0x0E,0xD6,0x63,0x9C,0xCA,0x70,0x33, 2593 0xED, 0x54, 0x56, 0xB4, 0x12, 0xB1, 0xDA, 0x19, 0x7F, 0xB7,
2199 0x08,0x70,0x55,0x3E,0x5C,0x41,0x4C,0xA9,0x26,0x19, 2594 0x11, 0x23, 0xAC, 0xD3, 0xA7, 0x29, 0x90, 0x1D, 0x1A, 0x71,
2200 0x41,0x86,0x61,0x19,0x7F,0xAC,0x10,0x47,0x1D,0xB1, 2595 0x87, 0x47, 0x00, 0x13, 0x31, 0x07, 0xEC, 0x53,
2201 0xD3,0x81,0x08,0x5D,0xDA,0xDD,0xB5,0x87,0x96,0x82, 2596 0x8C, 0xB9, 0x1E, 0x82, 0xA3, 0x38, 0x6D, 0x28, 0x0F, 0x5D, /* a */
2202 0x9C,0xA9,0x00,0x69 } 2597 0x6F, 0x7E, 0x50, 0xE6, 0x41, 0xDF, 0x15, 0x2F, 0x71, 0x09,
2203 }; 2598 0xED, 0x54, 0x56, 0xB4, 0x12, 0xB1, 0xDA, 0x19, 0x7F, 0xB7,
2204 2599 0x11, 0x23, 0xAC, 0xD3, 0xA7, 0x29, 0x90, 0x1D, 0x1A, 0x71,
2205static const struct { EC_CURVE_DATA h; unsigned char data[0+64*6]; } 2600 0x87, 0x47, 0x00, 0x13, 0x31, 0x07, 0xEC, 0x50,
2206 _EC_brainpoolP512t1 = { 2601 0x7F, 0x51, 0x9E, 0xAD, 0xA7, 0xBD, 0xA8, 0x1B, 0xD8, 0x26, /* b */
2207 { NID_X9_62_prime_field, 0,64,1 }, 2602 0xDB, 0xA6, 0x47, 0x91, 0x0F, 0x8C, 0x4B, 0x93, 0x46, 0xED,
2208 { /* no seed */ 2603 0x8C, 0xCD, 0xC6, 0x4E, 0x4B, 0x1A, 0xBD, 0x11, 0x75, 0x6D,
2209 0xAA,0xDD,0x9D,0xB8,0xDB,0xE9,0xC4,0x8B,0x3F,0xD4, /* p */ 2604 0xCE, 0x1D, 0x20, 0x74, 0xAA, 0x26, 0x3B, 0x88, 0x80, 0x5C,
2210 0xE6,0xAE,0x33,0xC9,0xFC,0x07,0xCB,0x30,0x8D,0xB3, 2605 0xED, 0x70, 0x35, 0x5A, 0x33, 0xB4, 0x71, 0xEE,
2211 0xB3,0xC9,0xD2,0x0E,0xD6,0x63,0x9C,0xCA,0x70,0x33, 2606 0x18, 0xDE, 0x98, 0xB0, 0x2D, 0xB9, 0xA3, 0x06, 0xF2, 0xAF, /* x */
2212 0x08,0x71,0x7D,0x4D,0x9B,0x00,0x9B,0xC6,0x68,0x42, 2607 0xCD, 0x72, 0x35, 0xF7, 0x2A, 0x81, 0x9B, 0x80, 0xAB, 0x12,
2213 0xAE,0xCD,0xA1,0x2A,0xE6,0xA3,0x80,0xE6,0x28,0x81, 2608 0xEB, 0xD6, 0x53, 0x17, 0x24, 0x76, 0xFE, 0xCD, 0x46, 0x2A,
2214 0xFF,0x2F,0x2D,0x82,0xC6,0x85,0x28,0xAA,0x60,0x56, 2609 0xAB, 0xFF, 0xC4, 0xFF, 0x19, 0x1B, 0x94, 0x6A, 0x5F, 0x54,
2215 0x58,0x3A,0x48,0xF3, 2610 0xD8, 0xD0, 0xAA, 0x2F, 0x41, 0x88, 0x08, 0xCC,
2216 0xAA,0xDD,0x9D,0xB8,0xDB,0xE9,0xC4,0x8B,0x3F,0xD4, /* a */ 2611 0x25, 0xAB, 0x05, 0x69, 0x62, 0xD3, 0x06, 0x51, 0xA1, 0x14, /* y */
2217 0xE6,0xAE,0x33,0xC9,0xFC,0x07,0xCB,0x30,0x8D,0xB3, 2612 0xAF, 0xD2, 0x75, 0x5A, 0xD3, 0x36, 0x74, 0x7F, 0x93, 0x47,
2218 0xB3,0xC9,0xD2,0x0E,0xD6,0x63,0x9C,0xCA,0x70,0x33, 2613 0x5B, 0x7A, 0x1F, 0xCA, 0x3B, 0x88, 0xF2, 0xB6, 0xA2, 0x08,
2219 0x08,0x71,0x7D,0x4D,0x9B,0x00,0x9B,0xC6,0x68,0x42, 2614 0xCC, 0xFE, 0x46, 0x94, 0x08, 0x58, 0x4D, 0xC2, 0xB2, 0x91,
2220 0xAE,0xCD,0xA1,0x2A,0xE6,0xA3,0x80,0xE6,0x28,0x81, 2615 0x26, 0x75, 0xBF, 0x5B, 0x9E, 0x58, 0x29, 0x28,
2221 0xFF,0x2F,0x2D,0x82,0xC6,0x85,0x28,0xAA,0x60,0x56, 2616 0x8C, 0xB9, 0x1E, 0x82, 0xA3, 0x38, 0x6D, 0x28, 0x0F, 0x5D, /* order */
2222 0x58,0x3A,0x48,0xF0, 2617 0x6F, 0x7E, 0x50, 0xE6, 0x41, 0xDF, 0x15, 0x2F, 0x71, 0x09,
2223 0x7C,0xBB,0xBC,0xF9,0x44,0x1C,0xFA,0xB7,0x6E,0x18, /* b */ 2618 0xED, 0x54, 0x56, 0xB3, 0x1F, 0x16, 0x6E, 0x6C, 0xAC, 0x04,
2224 0x90,0xE4,0x68,0x84,0xEA,0xE3,0x21,0xF7,0x0C,0x0B, 2619 0x25, 0xA7, 0xCF, 0x3A, 0xB6, 0xAF, 0x6B, 0x7F, 0xC3, 0x10,
2225 0xCB,0x49,0x81,0x52,0x78,0x97,0x50,0x4B,0xEC,0x3E, 2620 0x3B, 0x88, 0x32, 0x02, 0xE9, 0x04, 0x65, 0x65
2226 0x36,0xA6,0x2B,0xCD,0xFA,0x23,0x04,0x97,0x65,0x40, 2621 }
2227 0xF6,0x45,0x00,0x85,0xF2,0xDA,0xE1,0x45,0xC2,0x25, 2622};
2228 0x53,0xB4,0x65,0x76,0x36,0x89,0x18,0x0E,0xA2,0x57, 2623
2229 0x18,0x67,0x42,0x3E, 2624static const struct {
2230 0x64,0x0E,0xCE,0x5C,0x12,0x78,0x87,0x17,0xB9,0xC1, /* x */ 2625 EC_CURVE_DATA h;
2231 0xBA,0x06,0xCB,0xC2,0xA6,0xFE,0xBA,0x85,0x84,0x24, 2626 unsigned char data[0 + 64 * 6];
2232 0x58,0xC5,0x6D,0xDE,0x9D,0xB1,0x75,0x8D,0x39,0xC0, 2627}
2233 0x31,0x3D,0x82,0xBA,0x51,0x73,0x5C,0xDB,0x3E,0xA4, 2628 _EC_brainpoolP512r1 = {
2234 0x99,0xAA,0x77,0xA7,0xD6,0x94,0x3A,0x64,0xF7,0xA3, 2629 {
2235 0xF2,0x5F,0xE2,0x6F,0x06,0xB5,0x1B,0xAA,0x26,0x96, 2630 NID_X9_62_prime_field, 0, 64, 1
2236 0xFA,0x90,0x35,0xDA, 2631 },
2237 0x5B,0x53,0x4B,0xD5,0x95,0xF5,0xAF,0x0F,0xA2,0xC8, /* y */ 2632 { /* no seed */
2238 0x92,0x37,0x6C,0x84,0xAC,0xE1,0xBB,0x4E,0x30,0x19, 2633 0xAA, 0xDD, 0x9D, 0xB8, 0xDB, 0xE9, 0xC4, 0x8B, 0x3F, 0xD4, /* p */
2239 0xB7,0x16,0x34,0xC0,0x11,0x31,0x15,0x9C,0xAE,0x03, 2634 0xE6, 0xAE, 0x33, 0xC9, 0xFC, 0x07, 0xCB, 0x30, 0x8D, 0xB3,
2240 0xCE,0xE9,0xD9,0x93,0x21,0x84,0xBE,0xEF,0x21,0x6B, 2635 0xB3, 0xC9, 0xD2, 0x0E, 0xD6, 0x63, 0x9C, 0xCA, 0x70, 0x33,
2241 0xD7,0x1D,0xF2,0xDA,0xDF,0x86,0xA6,0x27,0x30,0x6E, 2636 0x08, 0x71, 0x7D, 0x4D, 0x9B, 0x00, 0x9B, 0xC6, 0x68, 0x42,
2242 0xCF,0xF9,0x6D,0xBB,0x8B,0xAC,0xE1,0x98,0xB6,0x1E, 2637 0xAE, 0xCD, 0xA1, 0x2A, 0xE6, 0xA3, 0x80, 0xE6, 0x28, 0x81,
2243 0x00,0xF8,0xB3,0x32, 2638 0xFF, 0x2F, 0x2D, 0x82, 0xC6, 0x85, 0x28, 0xAA, 0x60, 0x56,
2244 0xAA,0xDD,0x9D,0xB8,0xDB,0xE9,0xC4,0x8B,0x3F,0xD4, /* order */ 2639 0x58, 0x3A, 0x48, 0xF3,
2245 0xE6,0xAE,0x33,0xC9,0xFC,0x07,0xCB,0x30,0x8D,0xB3, 2640 0x78, 0x30, 0xA3, 0x31, 0x8B, 0x60, 0x3B, 0x89, 0xE2, 0x32, /* a */
2246 0xB3,0xC9,0xD2,0x0E,0xD6,0x63,0x9C,0xCA,0x70,0x33, 2641 0x71, 0x45, 0xAC, 0x23, 0x4C, 0xC5, 0x94, 0xCB, 0xDD, 0x8D,
2247 0x08,0x70,0x55,0x3E,0x5C,0x41,0x4C,0xA9,0x26,0x19, 2642 0x3D, 0xF9, 0x16, 0x10, 0xA8, 0x34, 0x41, 0xCA, 0xEA, 0x98,
2248 0x41,0x86,0x61,0x19,0x7F,0xAC,0x10,0x47,0x1D,0xB1, 2643 0x63, 0xBC, 0x2D, 0xED, 0x5D, 0x5A, 0xA8, 0x25, 0x3A, 0xA1,
2249 0xD3,0x81,0x08,0x5D,0xDA,0xDD,0xB5,0x87,0x96,0x82, 2644 0x0A, 0x2E, 0xF1, 0xC9, 0x8B, 0x9A, 0xC8, 0xB5, 0x7F, 0x11,
2250 0x9C,0xA9,0x00,0x69 } 2645 0x17, 0xA7, 0x2B, 0xF2, 0xC7, 0xB9, 0xE7, 0xC1, 0xAC, 0x4D,
2251 }; 2646 0x77, 0xFC, 0x94, 0xCA,
2252 2647 0x3D, 0xF9, 0x16, 0x10, 0xA8, 0x34, 0x41, 0xCA, 0xEA, 0x98, /* b */
2253static const struct { EC_CURVE_DATA h; unsigned char data[0+32*6]; } 2648 0x63, 0xBC, 0x2D, 0xED, 0x5D, 0x5A, 0xA8, 0x25, 0x3A, 0xA1,
2254 _EC_FRP256v1 = { 2649 0x0A, 0x2E, 0xF1, 0xC9, 0x8B, 0x9A, 0xC8, 0xB5, 0x7F, 0x11,
2255 { NID_X9_62_prime_field, 0,32,1 }, 2650 0x17, 0xA7, 0x2B, 0xF2, 0xC7, 0xB9, 0xE7, 0xC1, 0xAC, 0x4D,
2256 { /* no seed */ 2651 0x77, 0xFC, 0x94, 0xCA, 0xDC, 0x08, 0x3E, 0x67, 0x98, 0x40,
2257 0xF1,0xFD,0x17,0x8C,0x0B,0x3A,0xD5,0x8F,0x10,0x12, /* p */ 2652 0x50, 0xB7, 0x5E, 0xBA, 0xE5, 0xDD, 0x28, 0x09, 0xBD, 0x63,
2258 0x6D,0xE8,0xCE,0x42,0x43,0x5B,0x39,0x61,0xAD,0xBC, 2653 0x80, 0x16, 0xF7, 0x23,
2259 0xAB,0xC8,0xCA,0x6D,0xE8,0xFC,0xF3,0x53,0xD8,0x6E, 2654 0x81, 0xAE, 0xE4, 0xBD, 0xD8, 0x2E, 0xD9, 0x64, 0x5A, 0x21, /* x */
2260 0x9C,0x03, 2655 0x32, 0x2E, 0x9C, 0x4C, 0x6A, 0x93, 0x85, 0xED, 0x9F, 0x70,
2261 0xF1,0xFD,0x17,0x8C,0x0B,0x3A,0xD5,0x8F,0x10,0x12, /* a */ 2656 0xB5, 0xD9, 0x16, 0xC1, 0xB4, 0x3B, 0x62, 0xEE, 0xF4, 0xD0,
2262 0x6D,0xE8,0xCE,0x42,0x43,0x5B,0x39,0x61,0xAD,0xBC, 2657 0x09, 0x8E, 0xFF, 0x3B, 0x1F, 0x78, 0xE2, 0xD0, 0xD4, 0x8D,
2263 0xAB,0xC8,0xCA,0x6D,0xE8,0xFC,0xF3,0x53,0xD8,0x6E, 2658 0x50, 0xD1, 0x68, 0x7B, 0x93, 0xB9, 0x7D, 0x5F, 0x7C, 0x6D,
2264 0x9C,0x00, 2659 0x50, 0x47, 0x40, 0x6A, 0x5E, 0x68, 0x8B, 0x35, 0x22, 0x09,
2265 0xEE,0x35,0x3F,0xCA,0x54,0x28,0xA9,0x30,0x0D,0x4A, /* b */ 2660 0xBC, 0xB9, 0xF8, 0x22,
2266 0xBA,0x75,0x4A,0x44,0xC0,0x0F,0xDF,0xEC,0x0C,0x9A, 2661 0x7D, 0xDE, 0x38, 0x5D, 0x56, 0x63, 0x32, 0xEC, 0xC0, 0xEA, /* y */
2267 0xE4,0xB1,0xA1,0x80,0x30,0x75,0xED,0x96,0x7B,0x7B, 2662 0xBF, 0xA9, 0xCF, 0x78, 0x22, 0xFD, 0xF2, 0x09, 0xF7, 0x00,
2268 0xB7,0x3F, 2663 0x24, 0xA5, 0x7B, 0x1A, 0xA0, 0x00, 0xC5, 0x5B, 0x88, 0x1F,
2269 0xB6,0xB3,0xD4,0xC3,0x56,0xC1,0x39,0xEB,0x31,0x18, /* x */ 2664 0x81, 0x11, 0xB2, 0xDC, 0xDE, 0x49, 0x4A, 0x5F, 0x48, 0x5E,
2270 0x3D,0x47,0x49,0xD4,0x23,0x95,0x8C,0x27,0xD2,0xDC, 2665 0x5B, 0xCA, 0x4B, 0xD8, 0x8A, 0x27, 0x63, 0xAE, 0xD1, 0xCA,
2271 0xAF,0x98,0xB7,0x01,0x64,0xC9,0x7A,0x2D,0xD9,0x8F, 2666 0x2B, 0x2F, 0xA8, 0xF0, 0x54, 0x06, 0x78, 0xCD, 0x1E, 0x0F,
2272 0x5C,0xFF, 2667 0x3A, 0xD8, 0x08, 0x92,
2273 0x61,0x42,0xE0,0xF7,0xC8,0xB2,0x04,0x91,0x1F,0x92, /* y */ 2668 0xAA, 0xDD, 0x9D, 0xB8, 0xDB, 0xE9, 0xC4, 0x8B, 0x3F, 0xD4, /* order */
2274 0x71,0xF0,0xF3,0xEC,0xEF,0x8C,0x27,0x01,0xC3,0x07, 2669 0xE6, 0xAE, 0x33, 0xC9, 0xFC, 0x07, 0xCB, 0x30, 0x8D, 0xB3,
2275 0xE8,0xE4,0xC9,0xE1,0x83,0x11,0x5A,0x15,0x54,0x06, 2670 0xB3, 0xC9, 0xD2, 0x0E, 0xD6, 0x63, 0x9C, 0xCA, 0x70, 0x33,
2276 0x2C,0xFB, 2671 0x08, 0x70, 0x55, 0x3E, 0x5C, 0x41, 0x4C, 0xA9, 0x26, 0x19,
2277 0xF1,0xFD,0x17,0x8C,0x0B,0x3A,0xD5,0x8F,0x10,0x12, /* order */ 2672 0x41, 0x86, 0x61, 0x19, 0x7F, 0xAC, 0x10, 0x47, 0x1D, 0xB1,
2278 0x6D,0xE8,0xCE,0x42,0x43,0x5B,0x53,0xDC,0x67,0xE1, 2673 0xD3, 0x81, 0x08, 0x5D, 0xDA, 0xDD, 0xB5, 0x87, 0x96, 0x82,
2279 0x40,0xD2,0xBF,0x94,0x1F,0xFD,0xD4,0x59,0xC6,0xD6, 2674 0x9C, 0xA9, 0x00, 0x69
2280 0x55,0xE1 } 2675 }
2281 }; 2676};
2677
2678static const struct {
2679 EC_CURVE_DATA h;
2680 unsigned char data[0 + 64 * 6];
2681}
2682 _EC_brainpoolP512t1 = {
2683 {
2684 NID_X9_62_prime_field, 0, 64, 1
2685 },
2686 { /* no seed */
2687 0xAA, 0xDD, 0x9D, 0xB8, 0xDB, 0xE9, 0xC4, 0x8B, 0x3F, 0xD4, /* p */
2688 0xE6, 0xAE, 0x33, 0xC9, 0xFC, 0x07, 0xCB, 0x30, 0x8D, 0xB3,
2689 0xB3, 0xC9, 0xD2, 0x0E, 0xD6, 0x63, 0x9C, 0xCA, 0x70, 0x33,
2690 0x08, 0x71, 0x7D, 0x4D, 0x9B, 0x00, 0x9B, 0xC6, 0x68, 0x42,
2691 0xAE, 0xCD, 0xA1, 0x2A, 0xE6, 0xA3, 0x80, 0xE6, 0x28, 0x81,
2692 0xFF, 0x2F, 0x2D, 0x82, 0xC6, 0x85, 0x28, 0xAA, 0x60, 0x56,
2693 0x58, 0x3A, 0x48, 0xF3,
2694 0xAA, 0xDD, 0x9D, 0xB8, 0xDB, 0xE9, 0xC4, 0x8B, 0x3F, 0xD4, /* a */
2695 0xE6, 0xAE, 0x33, 0xC9, 0xFC, 0x07, 0xCB, 0x30, 0x8D, 0xB3,
2696 0xB3, 0xC9, 0xD2, 0x0E, 0xD6, 0x63, 0x9C, 0xCA, 0x70, 0x33,
2697 0x08, 0x71, 0x7D, 0x4D, 0x9B, 0x00, 0x9B, 0xC6, 0x68, 0x42,
2698 0xAE, 0xCD, 0xA1, 0x2A, 0xE6, 0xA3, 0x80, 0xE6, 0x28, 0x81,
2699 0xFF, 0x2F, 0x2D, 0x82, 0xC6, 0x85, 0x28, 0xAA, 0x60, 0x56,
2700 0x58, 0x3A, 0x48, 0xF0,
2701 0x7C, 0xBB, 0xBC, 0xF9, 0x44, 0x1C, 0xFA, 0xB7, 0x6E, 0x18, /* b */
2702 0x90, 0xE4, 0x68, 0x84, 0xEA, 0xE3, 0x21, 0xF7, 0x0C, 0x0B,
2703 0xCB, 0x49, 0x81, 0x52, 0x78, 0x97, 0x50, 0x4B, 0xEC, 0x3E,
2704 0x36, 0xA6, 0x2B, 0xCD, 0xFA, 0x23, 0x04, 0x97, 0x65, 0x40,
2705 0xF6, 0x45, 0x00, 0x85, 0xF2, 0xDA, 0xE1, 0x45, 0xC2, 0x25,
2706 0x53, 0xB4, 0x65, 0x76, 0x36, 0x89, 0x18, 0x0E, 0xA2, 0x57,
2707 0x18, 0x67, 0x42, 0x3E,
2708 0x64, 0x0E, 0xCE, 0x5C, 0x12, 0x78, 0x87, 0x17, 0xB9, 0xC1, /* x */
2709 0xBA, 0x06, 0xCB, 0xC2, 0xA6, 0xFE, 0xBA, 0x85, 0x84, 0x24,
2710 0x58, 0xC5, 0x6D, 0xDE, 0x9D, 0xB1, 0x75, 0x8D, 0x39, 0xC0,
2711 0x31, 0x3D, 0x82, 0xBA, 0x51, 0x73, 0x5C, 0xDB, 0x3E, 0xA4,
2712 0x99, 0xAA, 0x77, 0xA7, 0xD6, 0x94, 0x3A, 0x64, 0xF7, 0xA3,
2713 0xF2, 0x5F, 0xE2, 0x6F, 0x06, 0xB5, 0x1B, 0xAA, 0x26, 0x96,
2714 0xFA, 0x90, 0x35, 0xDA,
2715 0x5B, 0x53, 0x4B, 0xD5, 0x95, 0xF5, 0xAF, 0x0F, 0xA2, 0xC8, /* y */
2716 0x92, 0x37, 0x6C, 0x84, 0xAC, 0xE1, 0xBB, 0x4E, 0x30, 0x19,
2717 0xB7, 0x16, 0x34, 0xC0, 0x11, 0x31, 0x15, 0x9C, 0xAE, 0x03,
2718 0xCE, 0xE9, 0xD9, 0x93, 0x21, 0x84, 0xBE, 0xEF, 0x21, 0x6B,
2719 0xD7, 0x1D, 0xF2, 0xDA, 0xDF, 0x86, 0xA6, 0x27, 0x30, 0x6E,
2720 0xCF, 0xF9, 0x6D, 0xBB, 0x8B, 0xAC, 0xE1, 0x98, 0xB6, 0x1E,
2721 0x00, 0xF8, 0xB3, 0x32,
2722 0xAA, 0xDD, 0x9D, 0xB8, 0xDB, 0xE9, 0xC4, 0x8B, 0x3F, 0xD4, /* order */
2723 0xE6, 0xAE, 0x33, 0xC9, 0xFC, 0x07, 0xCB, 0x30, 0x8D, 0xB3,
2724 0xB3, 0xC9, 0xD2, 0x0E, 0xD6, 0x63, 0x9C, 0xCA, 0x70, 0x33,
2725 0x08, 0x70, 0x55, 0x3E, 0x5C, 0x41, 0x4C, 0xA9, 0x26, 0x19,
2726 0x41, 0x86, 0x61, 0x19, 0x7F, 0xAC, 0x10, 0x47, 0x1D, 0xB1,
2727 0xD3, 0x81, 0x08, 0x5D, 0xDA, 0xDD, 0xB5, 0x87, 0x96, 0x82,
2728 0x9C, 0xA9, 0x00, 0x69
2729 }
2730};
2731
2732static const struct {
2733 EC_CURVE_DATA h;
2734 unsigned char data[0 + 32 * 6];
2735}
2736 _EC_FRP256v1 = {
2737 {
2738 NID_X9_62_prime_field, 0, 32, 1
2739 },
2740 { /* no seed */
2741 0xF1, 0xFD, 0x17, 0x8C, 0x0B, 0x3A, 0xD5, 0x8F, 0x10, 0x12, /* p */
2742 0x6D, 0xE8, 0xCE, 0x42, 0x43, 0x5B, 0x39, 0x61, 0xAD, 0xBC,
2743 0xAB, 0xC8, 0xCA, 0x6D, 0xE8, 0xFC, 0xF3, 0x53, 0xD8, 0x6E,
2744 0x9C, 0x03,
2745 0xF1, 0xFD, 0x17, 0x8C, 0x0B, 0x3A, 0xD5, 0x8F, 0x10, 0x12, /* a */
2746 0x6D, 0xE8, 0xCE, 0x42, 0x43, 0x5B, 0x39, 0x61, 0xAD, 0xBC,
2747 0xAB, 0xC8, 0xCA, 0x6D, 0xE8, 0xFC, 0xF3, 0x53, 0xD8, 0x6E,
2748 0x9C, 0x00,
2749 0xEE, 0x35, 0x3F, 0xCA, 0x54, 0x28, 0xA9, 0x30, 0x0D, 0x4A, /* b */
2750 0xBA, 0x75, 0x4A, 0x44, 0xC0, 0x0F, 0xDF, 0xEC, 0x0C, 0x9A,
2751 0xE4, 0xB1, 0xA1, 0x80, 0x30, 0x75, 0xED, 0x96, 0x7B, 0x7B,
2752 0xB7, 0x3F,
2753 0xB6, 0xB3, 0xD4, 0xC3, 0x56, 0xC1, 0x39, 0xEB, 0x31, 0x18, /* x */
2754 0x3D, 0x47, 0x49, 0xD4, 0x23, 0x95, 0x8C, 0x27, 0xD2, 0xDC,
2755 0xAF, 0x98, 0xB7, 0x01, 0x64, 0xC9, 0x7A, 0x2D, 0xD9, 0x8F,
2756 0x5C, 0xFF,
2757 0x61, 0x42, 0xE0, 0xF7, 0xC8, 0xB2, 0x04, 0x91, 0x1F, 0x92, /* y */
2758 0x71, 0xF0, 0xF3, 0xEC, 0xEF, 0x8C, 0x27, 0x01, 0xC3, 0x07,
2759 0xE8, 0xE4, 0xC9, 0xE1, 0x83, 0x11, 0x5A, 0x15, 0x54, 0x06,
2760 0x2C, 0xFB,
2761 0xF1, 0xFD, 0x17, 0x8C, 0x0B, 0x3A, 0xD5, 0x8F, 0x10, 0x12, /* order */
2762 0x6D, 0xE8, 0xCE, 0x42, 0x43, 0x5B, 0x53, 0xDC, 0x67, 0xE1,
2763 0x40, 0xD2, 0xBF, 0x94, 0x1F, 0xFD, 0xD4, 0x59, 0xC6, 0xD6,
2764 0x55, 0xE1
2765 }
2766};
2282 2767
2283typedef struct _ec_list_element_st { 2768typedef struct _ec_list_element_st {
2284 int nid; 2769 int nid;
2285 const EC_CURVE_DATA *data; 2770 const EC_CURVE_DATA *data;
2286 const EC_METHOD *(*meth)(void); 2771 const EC_METHOD *(*meth) (void);
2287 const char *comment; 2772 const char *comment;
2288 } ec_list_element; 2773} ec_list_element;
2289 2774
2290static const ec_list_element curve_list[] = { 2775static const ec_list_element curve_list[] = {
2291 /* prime field curves */ 2776 /* prime field curves */
2292 /* secg curves */ 2777 /* secg curves */
2293 { NID_secp112r1, &_EC_SECG_PRIME_112R1.h, 0, "SECG/WTLS curve over a 112 bit prime field" }, 2778 {NID_secp112r1, &_EC_SECG_PRIME_112R1.h, 0, "SECG/WTLS curve over a 112 bit prime field"},
2294 { NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0, "SECG curve over a 112 bit prime field" }, 2779 {NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0, "SECG curve over a 112 bit prime field"},
2295 { NID_secp128r1, &_EC_SECG_PRIME_128R1.h, 0, "SECG curve over a 128 bit prime field" }, 2780 {NID_secp128r1, &_EC_SECG_PRIME_128R1.h, 0, "SECG curve over a 128 bit prime field"},
2296 { NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0, "SECG curve over a 128 bit prime field" }, 2781 {NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0, "SECG curve over a 128 bit prime field"},
2297 { NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0, "SECG curve over a 160 bit prime field" }, 2782 {NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0, "SECG curve over a 160 bit prime field"},
2298 { NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0, "SECG curve over a 160 bit prime field" }, 2783 {NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0, "SECG curve over a 160 bit prime field"},
2299 { NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0, "SECG/WTLS curve over a 160 bit prime field" }, 2784 {NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0, "SECG/WTLS curve over a 160 bit prime field"},
2300 /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */ 2785 /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */
2301 { NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, "SECG curve over a 192 bit prime field" }, 2786 {NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, "SECG curve over a 192 bit prime field"},
2302 { NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, "SECG curve over a 224 bit prime field" }, 2787 {NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, "SECG curve over a 224 bit prime field"},
2303#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 2788#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
2304 { NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field" }, 2789 {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field"},
2305#else 2790#else
2306 { NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, "NIST/SECG curve over a 224 bit prime field" }, 2791 {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, "NIST/SECG curve over a 224 bit prime field"},
2307#endif 2792#endif
2308 { NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, "SECG curve over a 256 bit prime field" }, 2793 {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, "SECG curve over a 256 bit prime field"},
2309 /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ 2794 /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
2310 { NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field" }, 2795 {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field"},
2311#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 2796#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
2312 { NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, "NIST/SECG curve over a 521 bit prime field" }, 2797 {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, "NIST/SECG curve over a 521 bit prime field"},
2313#else 2798#else
2314 { NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, "NIST/SECG curve over a 521 bit prime field" }, 2799 {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, "NIST/SECG curve over a 521 bit prime field"},
2315#endif 2800#endif
2316 /* X9.62 curves */ 2801 /* X9.62 curves */
2317 { NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, "NIST/X9.62/SECG curve over a 192 bit prime field" }, 2802 {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, "NIST/X9.62/SECG curve over a 192 bit prime field"},
2318 { NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0, "X9.62 curve over a 192 bit prime field" }, 2803 {NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0, "X9.62 curve over a 192 bit prime field"},
2319 { NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3.h, 0, "X9.62 curve over a 192 bit prime field" }, 2804 {NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3.h, 0, "X9.62 curve over a 192 bit prime field"},
2320 { NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0, "X9.62 curve over a 239 bit prime field" }, 2805 {NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0, "X9.62 curve over a 239 bit prime field"},
2321 { NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, "X9.62 curve over a 239 bit prime field" }, 2806 {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, "X9.62 curve over a 239 bit prime field"},
2322 { NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, "X9.62 curve over a 239 bit prime field" }, 2807 {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, "X9.62 curve over a 239 bit prime field"},
2323#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 2808#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
2324 { NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, EC_GFp_nistp256_method, "X9.62/SECG curve over a 256 bit prime field" }, 2809 {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, EC_GFp_nistp256_method, "X9.62/SECG curve over a 256 bit prime field"},
2325#else 2810#else
2326 { NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field" }, 2811 {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field"},
2327#endif 2812#endif
2328#ifndef OPENSSL_NO_EC2M 2813#ifndef OPENSSL_NO_EC2M
2329 /* characteristic two field curves */ 2814 /* characteristic two field curves */
2330 /* NIST/SECG curves */ 2815 /* NIST/SECG curves */
2331 { NID_sect113r1, &_EC_SECG_CHAR2_113R1.h, 0, "SECG curve over a 113 bit binary field" }, 2816 {NID_sect113r1, &_EC_SECG_CHAR2_113R1.h, 0, "SECG curve over a 113 bit binary field"},
2332 { NID_sect113r2, &_EC_SECG_CHAR2_113R2.h, 0, "SECG curve over a 113 bit binary field" }, 2817 {NID_sect113r2, &_EC_SECG_CHAR2_113R2.h, 0, "SECG curve over a 113 bit binary field"},
2333 { NID_sect131r1, &_EC_SECG_CHAR2_131R1.h, 0, "SECG/WTLS curve over a 131 bit binary field" }, 2818 {NID_sect131r1, &_EC_SECG_CHAR2_131R1.h, 0, "SECG/WTLS curve over a 131 bit binary field"},
2334 { NID_sect131r2, &_EC_SECG_CHAR2_131R2.h, 0, "SECG curve over a 131 bit binary field" }, 2819 {NID_sect131r2, &_EC_SECG_CHAR2_131R2.h, 0, "SECG curve over a 131 bit binary field"},
2335 { NID_sect163k1, &_EC_NIST_CHAR2_163K.h, 0, "NIST/SECG/WTLS curve over a 163 bit binary field" }, 2820 {NID_sect163k1, &_EC_NIST_CHAR2_163K.h, 0, "NIST/SECG/WTLS curve over a 163 bit binary field"},
2336 { NID_sect163r1, &_EC_SECG_CHAR2_163R1.h, 0, "SECG curve over a 163 bit binary field" }, 2821 {NID_sect163r1, &_EC_SECG_CHAR2_163R1.h, 0, "SECG curve over a 163 bit binary field"},
2337 { NID_sect163r2, &_EC_NIST_CHAR2_163B.h, 0, "NIST/SECG curve over a 163 bit binary field" }, 2822 {NID_sect163r2, &_EC_NIST_CHAR2_163B.h, 0, "NIST/SECG curve over a 163 bit binary field"},
2338 { NID_sect193r1, &_EC_SECG_CHAR2_193R1.h, 0, "SECG curve over a 193 bit binary field" }, 2823 {NID_sect193r1, &_EC_SECG_CHAR2_193R1.h, 0, "SECG curve over a 193 bit binary field"},
2339 { NID_sect193r2, &_EC_SECG_CHAR2_193R2.h, 0, "SECG curve over a 193 bit binary field" }, 2824 {NID_sect193r2, &_EC_SECG_CHAR2_193R2.h, 0, "SECG curve over a 193 bit binary field"},
2340 { NID_sect233k1, &_EC_NIST_CHAR2_233K.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field" }, 2825 {NID_sect233k1, &_EC_NIST_CHAR2_233K.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
2341 { NID_sect233r1, &_EC_NIST_CHAR2_233B.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field" }, 2826 {NID_sect233r1, &_EC_NIST_CHAR2_233B.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
2342 { NID_sect239k1, &_EC_SECG_CHAR2_239K1.h, 0, "SECG curve over a 239 bit binary field" }, 2827 {NID_sect239k1, &_EC_SECG_CHAR2_239K1.h, 0, "SECG curve over a 239 bit binary field"},
2343 { NID_sect283k1, &_EC_NIST_CHAR2_283K.h, 0, "NIST/SECG curve over a 283 bit binary field" }, 2828 {NID_sect283k1, &_EC_NIST_CHAR2_283K.h, 0, "NIST/SECG curve over a 283 bit binary field"},
2344 { NID_sect283r1, &_EC_NIST_CHAR2_283B.h, 0, "NIST/SECG curve over a 283 bit binary field" }, 2829 {NID_sect283r1, &_EC_NIST_CHAR2_283B.h, 0, "NIST/SECG curve over a 283 bit binary field"},
2345 { NID_sect409k1, &_EC_NIST_CHAR2_409K.h, 0, "NIST/SECG curve over a 409 bit binary field" }, 2830 {NID_sect409k1, &_EC_NIST_CHAR2_409K.h, 0, "NIST/SECG curve over a 409 bit binary field"},
2346 { NID_sect409r1, &_EC_NIST_CHAR2_409B.h, 0, "NIST/SECG curve over a 409 bit binary field" }, 2831 {NID_sect409r1, &_EC_NIST_CHAR2_409B.h, 0, "NIST/SECG curve over a 409 bit binary field"},
2347 { NID_sect571k1, &_EC_NIST_CHAR2_571K.h, 0, "NIST/SECG curve over a 571 bit binary field" }, 2832 {NID_sect571k1, &_EC_NIST_CHAR2_571K.h, 0, "NIST/SECG curve over a 571 bit binary field"},
2348 { NID_sect571r1, &_EC_NIST_CHAR2_571B.h, 0, "NIST/SECG curve over a 571 bit binary field" }, 2833 {NID_sect571r1, &_EC_NIST_CHAR2_571B.h, 0, "NIST/SECG curve over a 571 bit binary field"},
2349 /* X9.62 curves */ 2834 /* X9.62 curves */
2350 { NID_X9_62_c2pnb163v1, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field" }, 2835 {NID_X9_62_c2pnb163v1, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field"},
2351 { NID_X9_62_c2pnb163v2, &_EC_X9_62_CHAR2_163V2.h, 0, "X9.62 curve over a 163 bit binary field" }, 2836 {NID_X9_62_c2pnb163v2, &_EC_X9_62_CHAR2_163V2.h, 0, "X9.62 curve over a 163 bit binary field"},
2352 { NID_X9_62_c2pnb163v3, &_EC_X9_62_CHAR2_163V3.h, 0, "X9.62 curve over a 163 bit binary field" }, 2837 {NID_X9_62_c2pnb163v3, &_EC_X9_62_CHAR2_163V3.h, 0, "X9.62 curve over a 163 bit binary field"},
2353 { NID_X9_62_c2pnb176v1, &_EC_X9_62_CHAR2_176V1.h, 0, "X9.62 curve over a 176 bit binary field" }, 2838 {NID_X9_62_c2pnb176v1, &_EC_X9_62_CHAR2_176V1.h, 0, "X9.62 curve over a 176 bit binary field"},
2354 { NID_X9_62_c2tnb191v1, &_EC_X9_62_CHAR2_191V1.h, 0, "X9.62 curve over a 191 bit binary field" }, 2839 {NID_X9_62_c2tnb191v1, &_EC_X9_62_CHAR2_191V1.h, 0, "X9.62 curve over a 191 bit binary field"},
2355 { NID_X9_62_c2tnb191v2, &_EC_X9_62_CHAR2_191V2.h, 0, "X9.62 curve over a 191 bit binary field" }, 2840 {NID_X9_62_c2tnb191v2, &_EC_X9_62_CHAR2_191V2.h, 0, "X9.62 curve over a 191 bit binary field"},
2356 { NID_X9_62_c2tnb191v3, &_EC_X9_62_CHAR2_191V3.h, 0, "X9.62 curve over a 191 bit binary field" }, 2841 {NID_X9_62_c2tnb191v3, &_EC_X9_62_CHAR2_191V3.h, 0, "X9.62 curve over a 191 bit binary field"},
2357 { NID_X9_62_c2pnb208w1, &_EC_X9_62_CHAR2_208W1.h, 0, "X9.62 curve over a 208 bit binary field" }, 2842 {NID_X9_62_c2pnb208w1, &_EC_X9_62_CHAR2_208W1.h, 0, "X9.62 curve over a 208 bit binary field"},
2358 { NID_X9_62_c2tnb239v1, &_EC_X9_62_CHAR2_239V1.h, 0, "X9.62 curve over a 239 bit binary field" }, 2843 {NID_X9_62_c2tnb239v1, &_EC_X9_62_CHAR2_239V1.h, 0, "X9.62 curve over a 239 bit binary field"},
2359 { NID_X9_62_c2tnb239v2, &_EC_X9_62_CHAR2_239V2.h, 0, "X9.62 curve over a 239 bit binary field" }, 2844 {NID_X9_62_c2tnb239v2, &_EC_X9_62_CHAR2_239V2.h, 0, "X9.62 curve over a 239 bit binary field"},
2360 { NID_X9_62_c2tnb239v3, &_EC_X9_62_CHAR2_239V3.h, 0, "X9.62 curve over a 239 bit binary field" }, 2845 {NID_X9_62_c2tnb239v3, &_EC_X9_62_CHAR2_239V3.h, 0, "X9.62 curve over a 239 bit binary field"},
2361 { NID_X9_62_c2pnb272w1, &_EC_X9_62_CHAR2_272W1.h, 0, "X9.62 curve over a 272 bit binary field" }, 2846 {NID_X9_62_c2pnb272w1, &_EC_X9_62_CHAR2_272W1.h, 0, "X9.62 curve over a 272 bit binary field"},
2362 { NID_X9_62_c2pnb304w1, &_EC_X9_62_CHAR2_304W1.h, 0, "X9.62 curve over a 304 bit binary field" }, 2847 {NID_X9_62_c2pnb304w1, &_EC_X9_62_CHAR2_304W1.h, 0, "X9.62 curve over a 304 bit binary field"},
2363 { NID_X9_62_c2tnb359v1, &_EC_X9_62_CHAR2_359V1.h, 0, "X9.62 curve over a 359 bit binary field" }, 2848 {NID_X9_62_c2tnb359v1, &_EC_X9_62_CHAR2_359V1.h, 0, "X9.62 curve over a 359 bit binary field"},
2364 { NID_X9_62_c2pnb368w1, &_EC_X9_62_CHAR2_368W1.h, 0, "X9.62 curve over a 368 bit binary field" }, 2849 {NID_X9_62_c2pnb368w1, &_EC_X9_62_CHAR2_368W1.h, 0, "X9.62 curve over a 368 bit binary field"},
2365 { NID_X9_62_c2tnb431r1, &_EC_X9_62_CHAR2_431R1.h, 0, "X9.62 curve over a 431 bit binary field" }, 2850 {NID_X9_62_c2tnb431r1, &_EC_X9_62_CHAR2_431R1.h, 0, "X9.62 curve over a 431 bit binary field"},
2366 /* the WAP/WTLS curves 2851 /*
2367 * [unlike SECG, spec has its own OIDs for curves from X9.62] */ 2852 * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
2368 { NID_wap_wsg_idm_ecid_wtls1, &_EC_WTLS_1.h, 0, "WTLS curve over a 113 bit binary field" }, 2853 * from X9.62]
2369 { NID_wap_wsg_idm_ecid_wtls3, &_EC_NIST_CHAR2_163K.h, 0, "NIST/SECG/WTLS curve over a 163 bit binary field" }, 2854 */
2370 { NID_wap_wsg_idm_ecid_wtls4, &_EC_SECG_CHAR2_113R1.h, 0, "SECG curve over a 113 bit binary field" }, 2855 {NID_wap_wsg_idm_ecid_wtls1, &_EC_WTLS_1.h, 0, "WTLS curve over a 113 bit binary field"},
2371 { NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field" }, 2856 {NID_wap_wsg_idm_ecid_wtls3, &_EC_NIST_CHAR2_163K.h, 0, "NIST/SECG/WTLS curve over a 163 bit binary field"},
2857 {NID_wap_wsg_idm_ecid_wtls4, &_EC_SECG_CHAR2_113R1.h, 0, "SECG curve over a 113 bit binary field"},
2858 {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field"},
2372#endif 2859#endif
2373 { NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0, "SECG/WTLS curve over a 112 bit prime field" }, 2860 {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0, "SECG/WTLS curve over a 112 bit prime field"},
2374 { NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0, "SECG/WTLS curve over a 160 bit prime field" }, 2861 {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0, "SECG/WTLS curve over a 160 bit prime field"},
2375 { NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0, "WTLS curve over a 112 bit prime field" }, 2862 {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0, "WTLS curve over a 112 bit prime field"},
2376 { NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0, "WTLS curve over a 160 bit prime field" }, 2863 {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0, "WTLS curve over a 160 bit prime field"},
2377#ifndef OPENSSL_NO_EC2M 2864#ifndef OPENSSL_NO_EC2M
2378 { NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field" }, 2865 {NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
2379 { NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field" }, 2866 {NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
2380#endif 2867#endif
2381 { NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 bit prime field" }, 2868 {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 bit prime field"},
2382#ifndef OPENSSL_NO_EC2M 2869#ifndef OPENSSL_NO_EC2M
2383 /* IPSec curves */ 2870 /* IPSec curves */
2384 { NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.\n" 2871 {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.\n"
2385 "\tNot suitable for ECDSA.\n\tQuestionable extension field!" }, 2872 "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
2386 { NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPSec/IKE/Oakley curve #4 over a 185 bit binary field.\n" 2873 {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPSec/IKE/Oakley curve #4 over a 185 bit binary field.\n"
2387 "\tNot suitable for ECDSA.\n\tQuestionable extension field!" }, 2874 "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
2388#endif 2875#endif
2389 /* RFC 5639 curves */ 2876 /* RFC 5639 curves */
2390 { NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0, "RFC 5639 curve over a 160 bit prime field"}, 2877 {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0, "RFC 5639 curve over a 160 bit prime field"},
2391 { NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0, "RFC 5639 curve over a 160 bit prime field"}, 2878 {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0, "RFC 5639 curve over a 160 bit prime field"},
2392 { NID_brainpoolP192r1, &_EC_brainpoolP192r1.h, 0, "RFC 5639 curve over a 192 bit prime field"}, 2879 {NID_brainpoolP192r1, &_EC_brainpoolP192r1.h, 0, "RFC 5639 curve over a 192 bit prime field"},
2393 { NID_brainpoolP192t1, &_EC_brainpoolP192t1.h, 0, "RFC 5639 curve over a 192 bit prime field"}, 2880 {NID_brainpoolP192t1, &_EC_brainpoolP192t1.h, 0, "RFC 5639 curve over a 192 bit prime field"},
2394 { NID_brainpoolP224r1, &_EC_brainpoolP224r1.h, 0, "RFC 5639 curve over a 224 bit prime field"}, 2881 {NID_brainpoolP224r1, &_EC_brainpoolP224r1.h, 0, "RFC 5639 curve over a 224 bit prime field"},
2395 { NID_brainpoolP224t1, &_EC_brainpoolP224t1.h, 0, "RFC 5639 curve over a 224 bit prime field"}, 2882 {NID_brainpoolP224t1, &_EC_brainpoolP224t1.h, 0, "RFC 5639 curve over a 224 bit prime field"},
2396 { NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0, "RFC 5639 curve over a 256 bit prime field"}, 2883 {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0, "RFC 5639 curve over a 256 bit prime field"},
2397 { NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0, "RFC 5639 curve over a 256 bit prime field"}, 2884 {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0, "RFC 5639 curve over a 256 bit prime field"},
2398 { NID_brainpoolP320r1, &_EC_brainpoolP320r1.h, 0, "RFC 5639 curve over a 320 bit prime field"}, 2885 {NID_brainpoolP320r1, &_EC_brainpoolP320r1.h, 0, "RFC 5639 curve over a 320 bit prime field"},
2399 { NID_brainpoolP320t1, &_EC_brainpoolP320t1.h, 0, "RFC 5639 curve over a 320 bit prime field"}, 2886 {NID_brainpoolP320t1, &_EC_brainpoolP320t1.h, 0, "RFC 5639 curve over a 320 bit prime field"},
2400 { NID_brainpoolP384r1, &_EC_brainpoolP384r1.h, 0, "RFC 5639 curve over a 384 bit prime field"}, 2887 {NID_brainpoolP384r1, &_EC_brainpoolP384r1.h, 0, "RFC 5639 curve over a 384 bit prime field"},
2401 { NID_brainpoolP384t1, &_EC_brainpoolP384t1.h, 0, "RFC 5639 curve over a 384 bit prime field"}, 2888 {NID_brainpoolP384t1, &_EC_brainpoolP384t1.h, 0, "RFC 5639 curve over a 384 bit prime field"},
2402 { NID_brainpoolP512r1, &_EC_brainpoolP512r1.h, 0, "RFC 5639 curve over a 512 bit prime field"}, 2889 {NID_brainpoolP512r1, &_EC_brainpoolP512r1.h, 0, "RFC 5639 curve over a 512 bit prime field"},
2403 { NID_brainpoolP512t1, &_EC_brainpoolP512t1.h, 0, "RFC 5639 curve over a 512 bit prime field"}, 2890 {NID_brainpoolP512t1, &_EC_brainpoolP512t1.h, 0, "RFC 5639 curve over a 512 bit prime field"},
2404 /* ANSSI */ 2891 /* ANSSI */
2405 { NID_FRP256v1, &_EC_FRP256v1.h, 0, "FRP256v1"} 2892 {NID_FRP256v1, &_EC_FRP256v1.h, 0, "FRP256v1"}
2406}; 2893};
2407 2894
2408#define curve_list_length (sizeof(curve_list)/sizeof(ec_list_element)) 2895#define curve_list_length (sizeof(curve_list)/sizeof(ec_list_element))
2409 2896
2410static EC_GROUP *ec_group_new_from_data(const ec_list_element curve) 2897static EC_GROUP *
2411 { 2898ec_group_new_from_data(const ec_list_element curve)
2412 EC_GROUP *group=NULL; 2899{
2413 EC_POINT *P=NULL; 2900 EC_GROUP *group = NULL;
2414 BN_CTX *ctx=NULL; 2901 EC_POINT *P = NULL;
2415 BIGNUM *p=NULL, *a=NULL, *b=NULL, *x=NULL, *y=NULL, *order=NULL; 2902 BN_CTX *ctx = NULL;
2416 int ok=0; 2903 BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order = NULL;
2417 int seed_len,param_len; 2904 int ok = 0;
2905 int seed_len, param_len;
2418 const EC_METHOD *meth; 2906 const EC_METHOD *meth;
2419 const EC_CURVE_DATA *data; 2907 const EC_CURVE_DATA *data;
2420 const unsigned char *params; 2908 const unsigned char *params;
2421 2909
2422 if ((ctx = BN_CTX_new()) == NULL) 2910 if ((ctx = BN_CTX_new()) == NULL) {
2423 {
2424 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE); 2911 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
2425 goto err; 2912 goto err;
2426 } 2913 }
2427
2428 data = curve.data; 2914 data = curve.data;
2429 seed_len = data->seed_len; 2915 seed_len = data->seed_len;
2430 param_len = data->param_len; 2916 param_len = data->param_len;
2431 params = (const unsigned char *)(data+1); /* skip header */ 2917 params = (const unsigned char *) (data + 1); /* skip header */
2432 params += seed_len; /* skip seed */ 2918 params += seed_len; /* skip seed */
2433 2919
2434 if (!(p = BN_bin2bn(params+0*param_len, param_len, NULL)) 2920 if (!(p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) ||
2435 || !(a = BN_bin2bn(params+1*param_len, param_len, NULL)) 2921 !(a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) ||
2436 || !(b = BN_bin2bn(params+2*param_len, param_len, NULL))) 2922 !(b = BN_bin2bn(params + 2 * param_len, param_len, NULL))) {
2437 {
2438 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB); 2923 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
2439 goto err; 2924 goto err;
2440 } 2925 }
2441 2926 if (curve.meth != 0) {
2442 if (curve.meth != 0)
2443 {
2444 meth = curve.meth(); 2927 meth = curve.meth();
2445 if (((group = EC_GROUP_new(meth)) == NULL) || 2928 if (((group = EC_GROUP_new(meth)) == NULL) ||
2446 (!(group->meth->group_set_curve(group, p, a, b, ctx)))) 2929 (!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
2447 {
2448 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); 2930 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
2449 goto err; 2931 goto err;
2450 }
2451 } 2932 }
2452 else if (data->field_type == NID_X9_62_prime_field) 2933 } else if (data->field_type == NID_X9_62_prime_field) {
2453 { 2934 if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
2454 if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL)
2455 {
2456 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); 2935 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
2457 goto err; 2936 goto err;
2458 }
2459 } 2937 }
2938 }
2460#ifndef OPENSSL_NO_EC2M 2939#ifndef OPENSSL_NO_EC2M
2461 else /* field_type == NID_X9_62_characteristic_two_field */ 2940 else { /* field_type ==
2462 { 2941 * NID_X9_62_characteristic_two_field */
2463 if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) 2942 if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
2464 {
2465 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); 2943 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
2466 goto err; 2944 goto err;
2467 }
2468 } 2945 }
2946 }
2469#endif 2947#endif
2470 2948
2471 if ((P = EC_POINT_new(group)) == NULL) 2949 if ((P = EC_POINT_new(group)) == NULL) {
2472 {
2473 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); 2950 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
2474 goto err; 2951 goto err;
2475 } 2952 }
2476 2953 if (!(x = BN_bin2bn(params + 3 * param_len, param_len, NULL))
2477 if (!(x = BN_bin2bn(params+3*param_len, param_len, NULL)) 2954 || !(y = BN_bin2bn(params + 4 * param_len, param_len, NULL))) {
2478 || !(y = BN_bin2bn(params+4*param_len, param_len, NULL)))
2479 {
2480 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB); 2955 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
2481 goto err; 2956 goto err;
2482 } 2957 }
2483 if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) 2958 if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) {
2484 {
2485 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); 2959 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
2486 goto err; 2960 goto err;
2487 } 2961 }
2488 if (!(order = BN_bin2bn(params+5*param_len, param_len, NULL)) 2962 if (!(order = BN_bin2bn(params + 5 * param_len, param_len, NULL))
2489 || !BN_set_word(x, (BN_ULONG)data->cofactor)) 2963 || !BN_set_word(x, (BN_ULONG) data->cofactor)) {
2490 {
2491 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB); 2964 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
2492 goto err; 2965 goto err;
2493 } 2966 }
2494 if (!EC_GROUP_set_generator(group, P, order, x)) 2967 if (!EC_GROUP_set_generator(group, P, order, x)) {
2495 {
2496 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); 2968 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
2497 goto err; 2969 goto err;
2498 } 2970 }
2499 if (seed_len) 2971 if (seed_len) {
2500 { 2972 if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
2501 if (!EC_GROUP_set_seed(group, params-seed_len, seed_len))
2502 {
2503 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); 2973 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
2504 goto err; 2974 goto err;
2505 }
2506 } 2975 }
2507 ok=1; 2976 }
2977 ok = 1;
2508err: 2978err:
2509 if (!ok) 2979 if (!ok) {
2510 {
2511 EC_GROUP_free(group); 2980 EC_GROUP_free(group);
2512 group = NULL; 2981 group = NULL;
2513 } 2982 }
2514 if (P) 2983 if (P)
2515 EC_POINT_free(P); 2984 EC_POINT_free(P);
2516 if (ctx) 2985 if (ctx)
@@ -2528,48 +2997,45 @@ err:
2528 if (y) 2997 if (y)
2529 BN_free(y); 2998 BN_free(y);
2530 return group; 2999 return group;
2531 } 3000}
2532 3001
2533EC_GROUP *EC_GROUP_new_by_curve_name(int nid) 3002EC_GROUP *
2534 { 3003EC_GROUP_new_by_curve_name(int nid)
3004{
2535 size_t i; 3005 size_t i;
2536 EC_GROUP *ret = NULL; 3006 EC_GROUP *ret = NULL;
2537 3007
2538 if (nid <= 0) 3008 if (nid <= 0)
2539 return NULL; 3009 return NULL;
2540 3010
2541 for (i=0; i<curve_list_length; i++) 3011 for (i = 0; i < curve_list_length; i++)
2542 if (curve_list[i].nid == nid) 3012 if (curve_list[i].nid == nid) {
2543 {
2544 ret = ec_group_new_from_data(curve_list[i]); 3013 ret = ec_group_new_from_data(curve_list[i]);
2545 break; 3014 break;
2546 } 3015 }
2547 3016 if (ret == NULL) {
2548 if (ret == NULL)
2549 {
2550 ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP); 3017 ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
2551 return NULL; 3018 return NULL;
2552 } 3019 }
2553
2554 EC_GROUP_set_curve_name(ret, nid); 3020 EC_GROUP_set_curve_name(ret, nid);
2555 3021
2556 return ret; 3022 return ret;
2557 } 3023}
2558 3024
2559size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems) 3025size_t
2560 { 3026EC_get_builtin_curves(EC_builtin_curve * r, size_t nitems)
2561 size_t i, min; 3027{
3028 size_t i, min;
2562 3029
2563 if (r == NULL || nitems == 0) 3030 if (r == NULL || nitems == 0)
2564 return curve_list_length; 3031 return curve_list_length;
2565 3032
2566 min = nitems < curve_list_length ? nitems : curve_list_length; 3033 min = nitems < curve_list_length ? nitems : curve_list_length;
2567 3034
2568 for (i = 0; i < min; i++) 3035 for (i = 0; i < min; i++) {
2569 {
2570 r[i].nid = curve_list[i].nid; 3036 r[i].nid = curve_list[i].nid;
2571 r[i].comment = curve_list[i].comment; 3037 r[i].comment = curve_list[i].comment;
2572 } 3038 }
2573 3039
2574 return curve_list_length; 3040 return curve_list_length;
2575 } 3041}
diff --git a/src/lib/libcrypto/ec/ec_cvt.c b/src/lib/libcrypto/ec/ec_cvt.c
index bfcbab35fe..2f755fefaf 100644
--- a/src/lib/libcrypto/ec/ec_cvt.c
+++ b/src/lib/libcrypto/ec/ec_cvt.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -58,7 +58,7 @@
58/* ==================================================================== 58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * 60 *
61 * Portions of the attached software ("Contribution") are developed by 61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
63 * 63 *
64 * The Contribution is licensed pursuant to the OpenSSL open source 64 * The Contribution is licensed pursuant to the OpenSSL open source
@@ -73,8 +73,10 @@
73#include "ec_lcl.h" 73#include "ec_lcl.h"
74 74
75 75
76EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 76EC_GROUP *
77 { 77EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b,
78 BN_CTX *ctx)
79{
78 const EC_METHOD *meth; 80 const EC_METHOD *meth;
79 EC_GROUP *ret; 81 EC_GROUP *ret;
80 82
@@ -104,28 +106,24 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM
104#else 106#else
105 meth = EC_GFp_nist_method(); 107 meth = EC_GFp_nist_method();
106#endif 108#endif
107 109
108 ret = EC_GROUP_new(meth); 110 ret = EC_GROUP_new(meth);
109 if (ret == NULL) 111 if (ret == NULL)
110 return NULL; 112 return NULL;
111 113
112 if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx)) 114 if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx)) {
113 {
114 unsigned long err; 115 unsigned long err;
115 116
116 err = ERR_peek_last_error(); 117 err = ERR_peek_last_error();
117 118
118 if (!(ERR_GET_LIB(err) == ERR_LIB_EC && 119 if (!(ERR_GET_LIB(err) == ERR_LIB_EC &&
119 ((ERR_GET_REASON(err) == EC_R_NOT_A_NIST_PRIME) || 120 ((ERR_GET_REASON(err) == EC_R_NOT_A_NIST_PRIME) ||
120 (ERR_GET_REASON(err) == EC_R_NOT_A_SUPPORTED_NIST_PRIME)))) 121 (ERR_GET_REASON(err) == EC_R_NOT_A_SUPPORTED_NIST_PRIME)))) {
121 {
122 /* real error */ 122 /* real error */
123 123
124 EC_GROUP_clear_free(ret); 124 EC_GROUP_clear_free(ret);
125 return NULL; 125 return NULL;
126 } 126 }
127
128
129 /* not an actual error, we just cannot use EC_GFp_nist_method */ 127 /* not an actual error, we just cannot use EC_GFp_nist_method */
130 128
131 ERR_clear_error(); 129 ERR_clear_error();
@@ -137,34 +135,32 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM
137 if (ret == NULL) 135 if (ret == NULL)
138 return NULL; 136 return NULL;
139 137
140 if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx)) 138 if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx)) {
141 {
142 EC_GROUP_clear_free(ret); 139 EC_GROUP_clear_free(ret);
143 return NULL; 140 return NULL;
144 }
145 } 141 }
146
147 return ret;
148 } 142 }
143 return ret;
144}
149 145
150#ifndef OPENSSL_NO_EC2M 146#ifndef OPENSSL_NO_EC2M
151EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 147EC_GROUP *
152 { 148EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b,
149 BN_CTX *ctx)
150{
153 const EC_METHOD *meth; 151 const EC_METHOD *meth;
154 EC_GROUP *ret; 152 EC_GROUP *ret;
155 153
156 meth = EC_GF2m_simple_method(); 154 meth = EC_GF2m_simple_method();
157 155
158 ret = EC_GROUP_new(meth); 156 ret = EC_GROUP_new(meth);
159 if (ret == NULL) 157 if (ret == NULL)
160 return NULL; 158 return NULL;
161 159
162 if (!EC_GROUP_set_curve_GF2m(ret, p, a, b, ctx)) 160 if (!EC_GROUP_set_curve_GF2m(ret, p, a, b, ctx)) {
163 {
164 EC_GROUP_clear_free(ret); 161 EC_GROUP_clear_free(ret);
165 return NULL; 162 return NULL;
166 }
167
168 return ret;
169 } 163 }
164 return ret;
165}
170#endif 166#endif
diff --git a/src/lib/libcrypto/ec/ec_err.c b/src/lib/libcrypto/ec/ec_err.c
index 0d19398731..0e70dcdc75 100644
--- a/src/lib/libcrypto/ec/ec_err.c
+++ b/src/lib/libcrypto/ec/ec_err.c
@@ -7,7 +7,7 @@
7 * are met: 7 * are met:
8 * 8 *
9 * 1. Redistributions of source code must retain the above copyright 9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
11 * 11 *
12 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in 13 * notice, this list of conditions and the following disclaimer in
@@ -68,209 +68,209 @@
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_EC,func,0) 68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_EC,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_EC,0,reason) 69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_EC,0,reason)
70 70
71static ERR_STRING_DATA EC_str_functs[]= 71static ERR_STRING_DATA EC_str_functs[] =
72 { 72{
73{ERR_FUNC(EC_F_BN_TO_FELEM), "BN_TO_FELEM"}, 73 {ERR_FUNC(EC_F_BN_TO_FELEM), "BN_TO_FELEM"},
74{ERR_FUNC(EC_F_COMPUTE_WNAF), "COMPUTE_WNAF"}, 74 {ERR_FUNC(EC_F_COMPUTE_WNAF), "COMPUTE_WNAF"},
75{ERR_FUNC(EC_F_D2I_ECPARAMETERS), "d2i_ECParameters"}, 75 {ERR_FUNC(EC_F_D2I_ECPARAMETERS), "d2i_ECParameters"},
76{ERR_FUNC(EC_F_D2I_ECPKPARAMETERS), "d2i_ECPKParameters"}, 76 {ERR_FUNC(EC_F_D2I_ECPKPARAMETERS), "d2i_ECPKParameters"},
77{ERR_FUNC(EC_F_D2I_ECPRIVATEKEY), "d2i_ECPrivateKey"}, 77 {ERR_FUNC(EC_F_D2I_ECPRIVATEKEY), "d2i_ECPrivateKey"},
78{ERR_FUNC(EC_F_DO_EC_KEY_PRINT), "DO_EC_KEY_PRINT"}, 78 {ERR_FUNC(EC_F_DO_EC_KEY_PRINT), "DO_EC_KEY_PRINT"},
79{ERR_FUNC(EC_F_ECKEY_PARAM2TYPE), "ECKEY_PARAM2TYPE"}, 79 {ERR_FUNC(EC_F_ECKEY_PARAM2TYPE), "ECKEY_PARAM2TYPE"},
80{ERR_FUNC(EC_F_ECKEY_PARAM_DECODE), "ECKEY_PARAM_DECODE"}, 80 {ERR_FUNC(EC_F_ECKEY_PARAM_DECODE), "ECKEY_PARAM_DECODE"},
81{ERR_FUNC(EC_F_ECKEY_PRIV_DECODE), "ECKEY_PRIV_DECODE"}, 81 {ERR_FUNC(EC_F_ECKEY_PRIV_DECODE), "ECKEY_PRIV_DECODE"},
82{ERR_FUNC(EC_F_ECKEY_PRIV_ENCODE), "ECKEY_PRIV_ENCODE"}, 82 {ERR_FUNC(EC_F_ECKEY_PRIV_ENCODE), "ECKEY_PRIV_ENCODE"},
83{ERR_FUNC(EC_F_ECKEY_PUB_DECODE), "ECKEY_PUB_DECODE"}, 83 {ERR_FUNC(EC_F_ECKEY_PUB_DECODE), "ECKEY_PUB_DECODE"},
84{ERR_FUNC(EC_F_ECKEY_PUB_ENCODE), "ECKEY_PUB_ENCODE"}, 84 {ERR_FUNC(EC_F_ECKEY_PUB_ENCODE), "ECKEY_PUB_ENCODE"},
85{ERR_FUNC(EC_F_ECKEY_TYPE2PARAM), "ECKEY_TYPE2PARAM"}, 85 {ERR_FUNC(EC_F_ECKEY_TYPE2PARAM), "ECKEY_TYPE2PARAM"},
86{ERR_FUNC(EC_F_ECPARAMETERS_PRINT), "ECParameters_print"}, 86 {ERR_FUNC(EC_F_ECPARAMETERS_PRINT), "ECParameters_print"},
87{ERR_FUNC(EC_F_ECPARAMETERS_PRINT_FP), "ECParameters_print_fp"}, 87 {ERR_FUNC(EC_F_ECPARAMETERS_PRINT_FP), "ECParameters_print_fp"},
88{ERR_FUNC(EC_F_ECPKPARAMETERS_PRINT), "ECPKParameters_print"}, 88 {ERR_FUNC(EC_F_ECPKPARAMETERS_PRINT), "ECPKParameters_print"},
89{ERR_FUNC(EC_F_ECPKPARAMETERS_PRINT_FP), "ECPKParameters_print_fp"}, 89 {ERR_FUNC(EC_F_ECPKPARAMETERS_PRINT_FP), "ECPKParameters_print_fp"},
90{ERR_FUNC(EC_F_ECP_NIST_MOD_192), "ECP_NIST_MOD_192"}, 90 {ERR_FUNC(EC_F_ECP_NIST_MOD_192), "ECP_NIST_MOD_192"},
91{ERR_FUNC(EC_F_ECP_NIST_MOD_224), "ECP_NIST_MOD_224"}, 91 {ERR_FUNC(EC_F_ECP_NIST_MOD_224), "ECP_NIST_MOD_224"},
92{ERR_FUNC(EC_F_ECP_NIST_MOD_256), "ECP_NIST_MOD_256"}, 92 {ERR_FUNC(EC_F_ECP_NIST_MOD_256), "ECP_NIST_MOD_256"},
93{ERR_FUNC(EC_F_ECP_NIST_MOD_521), "ECP_NIST_MOD_521"}, 93 {ERR_FUNC(EC_F_ECP_NIST_MOD_521), "ECP_NIST_MOD_521"},
94{ERR_FUNC(EC_F_EC_ASN1_GROUP2CURVE), "EC_ASN1_GROUP2CURVE"}, 94 {ERR_FUNC(EC_F_EC_ASN1_GROUP2CURVE), "EC_ASN1_GROUP2CURVE"},
95{ERR_FUNC(EC_F_EC_ASN1_GROUP2FIELDID), "EC_ASN1_GROUP2FIELDID"}, 95 {ERR_FUNC(EC_F_EC_ASN1_GROUP2FIELDID), "EC_ASN1_GROUP2FIELDID"},
96{ERR_FUNC(EC_F_EC_ASN1_GROUP2PARAMETERS), "EC_ASN1_GROUP2PARAMETERS"}, 96 {ERR_FUNC(EC_F_EC_ASN1_GROUP2PARAMETERS), "EC_ASN1_GROUP2PARAMETERS"},
97{ERR_FUNC(EC_F_EC_ASN1_GROUP2PKPARAMETERS), "EC_ASN1_GROUP2PKPARAMETERS"}, 97 {ERR_FUNC(EC_F_EC_ASN1_GROUP2PKPARAMETERS), "EC_ASN1_GROUP2PKPARAMETERS"},
98{ERR_FUNC(EC_F_EC_ASN1_PARAMETERS2GROUP), "EC_ASN1_PARAMETERS2GROUP"}, 98 {ERR_FUNC(EC_F_EC_ASN1_PARAMETERS2GROUP), "EC_ASN1_PARAMETERS2GROUP"},
99{ERR_FUNC(EC_F_EC_ASN1_PKPARAMETERS2GROUP), "EC_ASN1_PKPARAMETERS2GROUP"}, 99 {ERR_FUNC(EC_F_EC_ASN1_PKPARAMETERS2GROUP), "EC_ASN1_PKPARAMETERS2GROUP"},
100{ERR_FUNC(EC_F_EC_EX_DATA_SET_DATA), "EC_EX_DATA_set_data"}, 100 {ERR_FUNC(EC_F_EC_EX_DATA_SET_DATA), "EC_EX_DATA_set_data"},
101{ERR_FUNC(EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY), "EC_GF2M_MONTGOMERY_POINT_MULTIPLY"}, 101 {ERR_FUNC(EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY), "EC_GF2M_MONTGOMERY_POINT_MULTIPLY"},
102{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT), "ec_GF2m_simple_group_check_discriminant"}, 102 {ERR_FUNC(EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT), "ec_GF2m_simple_group_check_discriminant"},
103{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE), "ec_GF2m_simple_group_set_curve"}, 103 {ERR_FUNC(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE), "ec_GF2m_simple_group_set_curve"},
104{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_OCT2POINT), "ec_GF2m_simple_oct2point"}, 104 {ERR_FUNC(EC_F_EC_GF2M_SIMPLE_OCT2POINT), "ec_GF2m_simple_oct2point"},
105{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_POINT2OCT), "ec_GF2m_simple_point2oct"}, 105 {ERR_FUNC(EC_F_EC_GF2M_SIMPLE_POINT2OCT), "ec_GF2m_simple_point2oct"},
106{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES), "ec_GF2m_simple_point_get_affine_coordinates"}, 106 {ERR_FUNC(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES), "ec_GF2m_simple_point_get_affine_coordinates"},
107{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES), "ec_GF2m_simple_point_set_affine_coordinates"}, 107 {ERR_FUNC(EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES), "ec_GF2m_simple_point_set_affine_coordinates"},
108{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES), "ec_GF2m_simple_set_compressed_coordinates"}, 108 {ERR_FUNC(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES), "ec_GF2m_simple_set_compressed_coordinates"},
109{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_DECODE), "ec_GFp_mont_field_decode"}, 109 {ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_DECODE), "ec_GFp_mont_field_decode"},
110{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_ENCODE), "ec_GFp_mont_field_encode"}, 110 {ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_ENCODE), "ec_GFp_mont_field_encode"},
111{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_MUL), "ec_GFp_mont_field_mul"}, 111 {ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_MUL), "ec_GFp_mont_field_mul"},
112{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE), "ec_GFp_mont_field_set_to_one"}, 112 {ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE), "ec_GFp_mont_field_set_to_one"},
113{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SQR), "ec_GFp_mont_field_sqr"}, 113 {ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SQR), "ec_GFp_mont_field_sqr"},
114{ERR_FUNC(EC_F_EC_GFP_MONT_GROUP_SET_CURVE), "ec_GFp_mont_group_set_curve"}, 114 {ERR_FUNC(EC_F_EC_GFP_MONT_GROUP_SET_CURVE), "ec_GFp_mont_group_set_curve"},
115{ERR_FUNC(EC_F_EC_GFP_MONT_GROUP_SET_CURVE_GFP), "EC_GFP_MONT_GROUP_SET_CURVE_GFP"}, 115 {ERR_FUNC(EC_F_EC_GFP_MONT_GROUP_SET_CURVE_GFP), "EC_GFP_MONT_GROUP_SET_CURVE_GFP"},
116{ERR_FUNC(EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE), "ec_GFp_nistp224_group_set_curve"}, 116 {ERR_FUNC(EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE), "ec_GFp_nistp224_group_set_curve"},
117{ERR_FUNC(EC_F_EC_GFP_NISTP224_POINTS_MUL), "ec_GFp_nistp224_points_mul"}, 117 {ERR_FUNC(EC_F_EC_GFP_NISTP224_POINTS_MUL), "ec_GFp_nistp224_points_mul"},
118{ERR_FUNC(EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES), "ec_GFp_nistp224_point_get_affine_coordinates"}, 118 {ERR_FUNC(EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES), "ec_GFp_nistp224_point_get_affine_coordinates"},
119{ERR_FUNC(EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE), "ec_GFp_nistp256_group_set_curve"}, 119 {ERR_FUNC(EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE), "ec_GFp_nistp256_group_set_curve"},
120{ERR_FUNC(EC_F_EC_GFP_NISTP256_POINTS_MUL), "ec_GFp_nistp256_points_mul"}, 120 {ERR_FUNC(EC_F_EC_GFP_NISTP256_POINTS_MUL), "ec_GFp_nistp256_points_mul"},
121{ERR_FUNC(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES), "ec_GFp_nistp256_point_get_affine_coordinates"}, 121 {ERR_FUNC(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES), "ec_GFp_nistp256_point_get_affine_coordinates"},
122{ERR_FUNC(EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE), "ec_GFp_nistp521_group_set_curve"}, 122 {ERR_FUNC(EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE), "ec_GFp_nistp521_group_set_curve"},
123{ERR_FUNC(EC_F_EC_GFP_NISTP521_POINTS_MUL), "ec_GFp_nistp521_points_mul"}, 123 {ERR_FUNC(EC_F_EC_GFP_NISTP521_POINTS_MUL), "ec_GFp_nistp521_points_mul"},
124{ERR_FUNC(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES), "ec_GFp_nistp521_point_get_affine_coordinates"}, 124 {ERR_FUNC(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES), "ec_GFp_nistp521_point_get_affine_coordinates"},
125{ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_MUL), "ec_GFp_nist_field_mul"}, 125 {ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_MUL), "ec_GFp_nist_field_mul"},
126{ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_SQR), "ec_GFp_nist_field_sqr"}, 126 {ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_SQR), "ec_GFp_nist_field_sqr"},
127{ERR_FUNC(EC_F_EC_GFP_NIST_GROUP_SET_CURVE), "ec_GFp_nist_group_set_curve"}, 127 {ERR_FUNC(EC_F_EC_GFP_NIST_GROUP_SET_CURVE), "ec_GFp_nist_group_set_curve"},
128{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT), "ec_GFp_simple_group_check_discriminant"}, 128 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT), "ec_GFp_simple_group_check_discriminant"},
129{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE), "ec_GFp_simple_group_set_curve"}, 129 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE), "ec_GFp_simple_group_set_curve"},
130{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP), "EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP"}, 130 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP), "EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP"},
131{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR), "EC_GFP_SIMPLE_GROUP_SET_GENERATOR"}, 131 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR), "EC_GFP_SIMPLE_GROUP_SET_GENERATOR"},
132{ERR_FUNC(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE), "ec_GFp_simple_make_affine"}, 132 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE), "ec_GFp_simple_make_affine"},
133{ERR_FUNC(EC_F_EC_GFP_SIMPLE_OCT2POINT), "ec_GFp_simple_oct2point"}, 133 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_OCT2POINT), "ec_GFp_simple_oct2point"},
134{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT2OCT), "ec_GFp_simple_point2oct"}, 134 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT2OCT), "ec_GFp_simple_point2oct"},
135{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE), "ec_GFp_simple_points_make_affine"}, 135 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE), "ec_GFp_simple_points_make_affine"},
136{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES), "ec_GFp_simple_point_get_affine_coordinates"}, 136 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES), "ec_GFp_simple_point_get_affine_coordinates"},
137{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP), "EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP"}, 137 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP), "EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP"},
138{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES), "ec_GFp_simple_point_set_affine_coordinates"}, 138 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES), "ec_GFp_simple_point_set_affine_coordinates"},
139{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP), "EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP"}, 139 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP), "EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP"},
140{ERR_FUNC(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES), "ec_GFp_simple_set_compressed_coordinates"}, 140 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES), "ec_GFp_simple_set_compressed_coordinates"},
141{ERR_FUNC(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP), "EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP"}, 141 {ERR_FUNC(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP), "EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP"},
142{ERR_FUNC(EC_F_EC_GROUP_CHECK), "EC_GROUP_check"}, 142 {ERR_FUNC(EC_F_EC_GROUP_CHECK), "EC_GROUP_check"},
143{ERR_FUNC(EC_F_EC_GROUP_CHECK_DISCRIMINANT), "EC_GROUP_check_discriminant"}, 143 {ERR_FUNC(EC_F_EC_GROUP_CHECK_DISCRIMINANT), "EC_GROUP_check_discriminant"},
144{ERR_FUNC(EC_F_EC_GROUP_COPY), "EC_GROUP_copy"}, 144 {ERR_FUNC(EC_F_EC_GROUP_COPY), "EC_GROUP_copy"},
145{ERR_FUNC(EC_F_EC_GROUP_GET0_GENERATOR), "EC_GROUP_get0_generator"}, 145 {ERR_FUNC(EC_F_EC_GROUP_GET0_GENERATOR), "EC_GROUP_get0_generator"},
146{ERR_FUNC(EC_F_EC_GROUP_GET_COFACTOR), "EC_GROUP_get_cofactor"}, 146 {ERR_FUNC(EC_F_EC_GROUP_GET_COFACTOR), "EC_GROUP_get_cofactor"},
147{ERR_FUNC(EC_F_EC_GROUP_GET_CURVE_GF2M), "EC_GROUP_get_curve_GF2m"}, 147 {ERR_FUNC(EC_F_EC_GROUP_GET_CURVE_GF2M), "EC_GROUP_get_curve_GF2m"},
148{ERR_FUNC(EC_F_EC_GROUP_GET_CURVE_GFP), "EC_GROUP_get_curve_GFp"}, 148 {ERR_FUNC(EC_F_EC_GROUP_GET_CURVE_GFP), "EC_GROUP_get_curve_GFp"},
149{ERR_FUNC(EC_F_EC_GROUP_GET_DEGREE), "EC_GROUP_get_degree"}, 149 {ERR_FUNC(EC_F_EC_GROUP_GET_DEGREE), "EC_GROUP_get_degree"},
150{ERR_FUNC(EC_F_EC_GROUP_GET_ORDER), "EC_GROUP_get_order"}, 150 {ERR_FUNC(EC_F_EC_GROUP_GET_ORDER), "EC_GROUP_get_order"},
151{ERR_FUNC(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS), "EC_GROUP_get_pentanomial_basis"}, 151 {ERR_FUNC(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS), "EC_GROUP_get_pentanomial_basis"},
152{ERR_FUNC(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS), "EC_GROUP_get_trinomial_basis"}, 152 {ERR_FUNC(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS), "EC_GROUP_get_trinomial_basis"},
153{ERR_FUNC(EC_F_EC_GROUP_NEW), "EC_GROUP_new"}, 153 {ERR_FUNC(EC_F_EC_GROUP_NEW), "EC_GROUP_new"},
154{ERR_FUNC(EC_F_EC_GROUP_NEW_BY_CURVE_NAME), "EC_GROUP_new_by_curve_name"}, 154 {ERR_FUNC(EC_F_EC_GROUP_NEW_BY_CURVE_NAME), "EC_GROUP_new_by_curve_name"},
155{ERR_FUNC(EC_F_EC_GROUP_NEW_FROM_DATA), "EC_GROUP_NEW_FROM_DATA"}, 155 {ERR_FUNC(EC_F_EC_GROUP_NEW_FROM_DATA), "EC_GROUP_NEW_FROM_DATA"},
156{ERR_FUNC(EC_F_EC_GROUP_PRECOMPUTE_MULT), "EC_GROUP_precompute_mult"}, 156 {ERR_FUNC(EC_F_EC_GROUP_PRECOMPUTE_MULT), "EC_GROUP_precompute_mult"},
157{ERR_FUNC(EC_F_EC_GROUP_SET_CURVE_GF2M), "EC_GROUP_set_curve_GF2m"}, 157 {ERR_FUNC(EC_F_EC_GROUP_SET_CURVE_GF2M), "EC_GROUP_set_curve_GF2m"},
158{ERR_FUNC(EC_F_EC_GROUP_SET_CURVE_GFP), "EC_GROUP_set_curve_GFp"}, 158 {ERR_FUNC(EC_F_EC_GROUP_SET_CURVE_GFP), "EC_GROUP_set_curve_GFp"},
159{ERR_FUNC(EC_F_EC_GROUP_SET_EXTRA_DATA), "EC_GROUP_SET_EXTRA_DATA"}, 159 {ERR_FUNC(EC_F_EC_GROUP_SET_EXTRA_DATA), "EC_GROUP_SET_EXTRA_DATA"},
160{ERR_FUNC(EC_F_EC_GROUP_SET_GENERATOR), "EC_GROUP_set_generator"}, 160 {ERR_FUNC(EC_F_EC_GROUP_SET_GENERATOR), "EC_GROUP_set_generator"},
161{ERR_FUNC(EC_F_EC_KEY_CHECK_KEY), "EC_KEY_check_key"}, 161 {ERR_FUNC(EC_F_EC_KEY_CHECK_KEY), "EC_KEY_check_key"},
162{ERR_FUNC(EC_F_EC_KEY_COPY), "EC_KEY_copy"}, 162 {ERR_FUNC(EC_F_EC_KEY_COPY), "EC_KEY_copy"},
163{ERR_FUNC(EC_F_EC_KEY_GENERATE_KEY), "EC_KEY_generate_key"}, 163 {ERR_FUNC(EC_F_EC_KEY_GENERATE_KEY), "EC_KEY_generate_key"},
164{ERR_FUNC(EC_F_EC_KEY_NEW), "EC_KEY_new"}, 164 {ERR_FUNC(EC_F_EC_KEY_NEW), "EC_KEY_new"},
165{ERR_FUNC(EC_F_EC_KEY_PRINT), "EC_KEY_print"}, 165 {ERR_FUNC(EC_F_EC_KEY_PRINT), "EC_KEY_print"},
166{ERR_FUNC(EC_F_EC_KEY_PRINT_FP), "EC_KEY_print_fp"}, 166 {ERR_FUNC(EC_F_EC_KEY_PRINT_FP), "EC_KEY_print_fp"},
167{ERR_FUNC(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES), "EC_KEY_set_public_key_affine_coordinates"}, 167 {ERR_FUNC(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES), "EC_KEY_set_public_key_affine_coordinates"},
168{ERR_FUNC(EC_F_EC_POINTS_MAKE_AFFINE), "EC_POINTs_make_affine"}, 168 {ERR_FUNC(EC_F_EC_POINTS_MAKE_AFFINE), "EC_POINTs_make_affine"},
169{ERR_FUNC(EC_F_EC_POINT_ADD), "EC_POINT_add"}, 169 {ERR_FUNC(EC_F_EC_POINT_ADD), "EC_POINT_add"},
170{ERR_FUNC(EC_F_EC_POINT_CMP), "EC_POINT_cmp"}, 170 {ERR_FUNC(EC_F_EC_POINT_CMP), "EC_POINT_cmp"},
171{ERR_FUNC(EC_F_EC_POINT_COPY), "EC_POINT_copy"}, 171 {ERR_FUNC(EC_F_EC_POINT_COPY), "EC_POINT_copy"},
172{ERR_FUNC(EC_F_EC_POINT_DBL), "EC_POINT_dbl"}, 172 {ERR_FUNC(EC_F_EC_POINT_DBL), "EC_POINT_dbl"},
173{ERR_FUNC(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M), "EC_POINT_get_affine_coordinates_GF2m"}, 173 {ERR_FUNC(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M), "EC_POINT_get_affine_coordinates_GF2m"},
174{ERR_FUNC(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP), "EC_POINT_get_affine_coordinates_GFp"}, 174 {ERR_FUNC(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP), "EC_POINT_get_affine_coordinates_GFp"},
175{ERR_FUNC(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP), "EC_POINT_get_Jprojective_coordinates_GFp"}, 175 {ERR_FUNC(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP), "EC_POINT_get_Jprojective_coordinates_GFp"},
176{ERR_FUNC(EC_F_EC_POINT_INVERT), "EC_POINT_invert"}, 176 {ERR_FUNC(EC_F_EC_POINT_INVERT), "EC_POINT_invert"},
177{ERR_FUNC(EC_F_EC_POINT_IS_AT_INFINITY), "EC_POINT_is_at_infinity"}, 177 {ERR_FUNC(EC_F_EC_POINT_IS_AT_INFINITY), "EC_POINT_is_at_infinity"},
178{ERR_FUNC(EC_F_EC_POINT_IS_ON_CURVE), "EC_POINT_is_on_curve"}, 178 {ERR_FUNC(EC_F_EC_POINT_IS_ON_CURVE), "EC_POINT_is_on_curve"},
179{ERR_FUNC(EC_F_EC_POINT_MAKE_AFFINE), "EC_POINT_make_affine"}, 179 {ERR_FUNC(EC_F_EC_POINT_MAKE_AFFINE), "EC_POINT_make_affine"},
180{ERR_FUNC(EC_F_EC_POINT_MUL), "EC_POINT_mul"}, 180 {ERR_FUNC(EC_F_EC_POINT_MUL), "EC_POINT_mul"},
181{ERR_FUNC(EC_F_EC_POINT_NEW), "EC_POINT_new"}, 181 {ERR_FUNC(EC_F_EC_POINT_NEW), "EC_POINT_new"},
182{ERR_FUNC(EC_F_EC_POINT_OCT2POINT), "EC_POINT_oct2point"}, 182 {ERR_FUNC(EC_F_EC_POINT_OCT2POINT), "EC_POINT_oct2point"},
183{ERR_FUNC(EC_F_EC_POINT_POINT2OCT), "EC_POINT_point2oct"}, 183 {ERR_FUNC(EC_F_EC_POINT_POINT2OCT), "EC_POINT_point2oct"},
184{ERR_FUNC(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M), "EC_POINT_set_affine_coordinates_GF2m"}, 184 {ERR_FUNC(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M), "EC_POINT_set_affine_coordinates_GF2m"},
185{ERR_FUNC(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP), "EC_POINT_set_affine_coordinates_GFp"}, 185 {ERR_FUNC(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP), "EC_POINT_set_affine_coordinates_GFp"},
186{ERR_FUNC(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M), "EC_POINT_set_compressed_coordinates_GF2m"}, 186 {ERR_FUNC(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M), "EC_POINT_set_compressed_coordinates_GF2m"},
187{ERR_FUNC(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP), "EC_POINT_set_compressed_coordinates_GFp"}, 187 {ERR_FUNC(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP), "EC_POINT_set_compressed_coordinates_GFp"},
188{ERR_FUNC(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP), "EC_POINT_set_Jprojective_coordinates_GFp"}, 188 {ERR_FUNC(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP), "EC_POINT_set_Jprojective_coordinates_GFp"},
189{ERR_FUNC(EC_F_EC_POINT_SET_TO_INFINITY), "EC_POINT_set_to_infinity"}, 189 {ERR_FUNC(EC_F_EC_POINT_SET_TO_INFINITY), "EC_POINT_set_to_infinity"},
190{ERR_FUNC(EC_F_EC_PRE_COMP_DUP), "EC_PRE_COMP_DUP"}, 190 {ERR_FUNC(EC_F_EC_PRE_COMP_DUP), "EC_PRE_COMP_DUP"},
191{ERR_FUNC(EC_F_EC_PRE_COMP_NEW), "EC_PRE_COMP_NEW"}, 191 {ERR_FUNC(EC_F_EC_PRE_COMP_NEW), "EC_PRE_COMP_NEW"},
192{ERR_FUNC(EC_F_EC_WNAF_MUL), "ec_wNAF_mul"}, 192 {ERR_FUNC(EC_F_EC_WNAF_MUL), "ec_wNAF_mul"},
193{ERR_FUNC(EC_F_EC_WNAF_PRECOMPUTE_MULT), "ec_wNAF_precompute_mult"}, 193 {ERR_FUNC(EC_F_EC_WNAF_PRECOMPUTE_MULT), "ec_wNAF_precompute_mult"},
194{ERR_FUNC(EC_F_I2D_ECPARAMETERS), "i2d_ECParameters"}, 194 {ERR_FUNC(EC_F_I2D_ECPARAMETERS), "i2d_ECParameters"},
195{ERR_FUNC(EC_F_I2D_ECPKPARAMETERS), "i2d_ECPKParameters"}, 195 {ERR_FUNC(EC_F_I2D_ECPKPARAMETERS), "i2d_ECPKParameters"},
196{ERR_FUNC(EC_F_I2D_ECPRIVATEKEY), "i2d_ECPrivateKey"}, 196 {ERR_FUNC(EC_F_I2D_ECPRIVATEKEY), "i2d_ECPrivateKey"},
197{ERR_FUNC(EC_F_I2O_ECPUBLICKEY), "i2o_ECPublicKey"}, 197 {ERR_FUNC(EC_F_I2O_ECPUBLICKEY), "i2o_ECPublicKey"},
198{ERR_FUNC(EC_F_NISTP224_PRE_COMP_NEW), "NISTP224_PRE_COMP_NEW"}, 198 {ERR_FUNC(EC_F_NISTP224_PRE_COMP_NEW), "NISTP224_PRE_COMP_NEW"},
199{ERR_FUNC(EC_F_NISTP256_PRE_COMP_NEW), "NISTP256_PRE_COMP_NEW"}, 199 {ERR_FUNC(EC_F_NISTP256_PRE_COMP_NEW), "NISTP256_PRE_COMP_NEW"},
200{ERR_FUNC(EC_F_NISTP521_PRE_COMP_NEW), "NISTP521_PRE_COMP_NEW"}, 200 {ERR_FUNC(EC_F_NISTP521_PRE_COMP_NEW), "NISTP521_PRE_COMP_NEW"},
201{ERR_FUNC(EC_F_O2I_ECPUBLICKEY), "o2i_ECPublicKey"}, 201 {ERR_FUNC(EC_F_O2I_ECPUBLICKEY), "o2i_ECPublicKey"},
202{ERR_FUNC(EC_F_OLD_EC_PRIV_DECODE), "OLD_EC_PRIV_DECODE"}, 202 {ERR_FUNC(EC_F_OLD_EC_PRIV_DECODE), "OLD_EC_PRIV_DECODE"},
203{ERR_FUNC(EC_F_PKEY_EC_CTRL), "PKEY_EC_CTRL"}, 203 {ERR_FUNC(EC_F_PKEY_EC_CTRL), "PKEY_EC_CTRL"},
204{ERR_FUNC(EC_F_PKEY_EC_CTRL_STR), "PKEY_EC_CTRL_STR"}, 204 {ERR_FUNC(EC_F_PKEY_EC_CTRL_STR), "PKEY_EC_CTRL_STR"},
205{ERR_FUNC(EC_F_PKEY_EC_DERIVE), "PKEY_EC_DERIVE"}, 205 {ERR_FUNC(EC_F_PKEY_EC_DERIVE), "PKEY_EC_DERIVE"},
206{ERR_FUNC(EC_F_PKEY_EC_KEYGEN), "PKEY_EC_KEYGEN"}, 206 {ERR_FUNC(EC_F_PKEY_EC_KEYGEN), "PKEY_EC_KEYGEN"},
207{ERR_FUNC(EC_F_PKEY_EC_PARAMGEN), "PKEY_EC_PARAMGEN"}, 207 {ERR_FUNC(EC_F_PKEY_EC_PARAMGEN), "PKEY_EC_PARAMGEN"},
208{ERR_FUNC(EC_F_PKEY_EC_SIGN), "PKEY_EC_SIGN"}, 208 {ERR_FUNC(EC_F_PKEY_EC_SIGN), "PKEY_EC_SIGN"},
209{0,NULL} 209 {0, NULL}
210 }; 210};
211 211
212static ERR_STRING_DATA EC_str_reasons[]= 212static ERR_STRING_DATA EC_str_reasons[] =
213 { 213{
214{ERR_REASON(EC_R_ASN1_ERROR) ,"asn1 error"}, 214 {ERR_REASON(EC_R_ASN1_ERROR), "asn1 error"},
215{ERR_REASON(EC_R_ASN1_UNKNOWN_FIELD) ,"asn1 unknown field"}, 215 {ERR_REASON(EC_R_ASN1_UNKNOWN_FIELD), "asn1 unknown field"},
216{ERR_REASON(EC_R_BIGNUM_OUT_OF_RANGE) ,"bignum out of range"}, 216 {ERR_REASON(EC_R_BIGNUM_OUT_OF_RANGE), "bignum out of range"},
217{ERR_REASON(EC_R_BUFFER_TOO_SMALL) ,"buffer too small"}, 217 {ERR_REASON(EC_R_BUFFER_TOO_SMALL), "buffer too small"},
218{ERR_REASON(EC_R_COORDINATES_OUT_OF_RANGE),"coordinates out of range"}, 218 {ERR_REASON(EC_R_COORDINATES_OUT_OF_RANGE), "coordinates out of range"},
219{ERR_REASON(EC_R_D2I_ECPKPARAMETERS_FAILURE),"d2i ecpkparameters failure"}, 219 {ERR_REASON(EC_R_D2I_ECPKPARAMETERS_FAILURE), "d2i ecpkparameters failure"},
220{ERR_REASON(EC_R_DECODE_ERROR) ,"decode error"}, 220 {ERR_REASON(EC_R_DECODE_ERROR), "decode error"},
221{ERR_REASON(EC_R_DISCRIMINANT_IS_ZERO) ,"discriminant is zero"}, 221 {ERR_REASON(EC_R_DISCRIMINANT_IS_ZERO), "discriminant is zero"},
222{ERR_REASON(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE),"ec group new by name failure"}, 222 {ERR_REASON(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE), "ec group new by name failure"},
223{ERR_REASON(EC_R_FIELD_TOO_LARGE) ,"field too large"}, 223 {ERR_REASON(EC_R_FIELD_TOO_LARGE), "field too large"},
224{ERR_REASON(EC_R_GF2M_NOT_SUPPORTED) ,"gf2m not supported"}, 224 {ERR_REASON(EC_R_GF2M_NOT_SUPPORTED), "gf2m not supported"},
225{ERR_REASON(EC_R_GROUP2PKPARAMETERS_FAILURE),"group2pkparameters failure"}, 225 {ERR_REASON(EC_R_GROUP2PKPARAMETERS_FAILURE), "group2pkparameters failure"},
226{ERR_REASON(EC_R_I2D_ECPKPARAMETERS_FAILURE),"i2d ecpkparameters failure"}, 226 {ERR_REASON(EC_R_I2D_ECPKPARAMETERS_FAILURE), "i2d ecpkparameters failure"},
227{ERR_REASON(EC_R_INCOMPATIBLE_OBJECTS) ,"incompatible objects"}, 227 {ERR_REASON(EC_R_INCOMPATIBLE_OBJECTS), "incompatible objects"},
228{ERR_REASON(EC_R_INVALID_ARGUMENT) ,"invalid argument"}, 228 {ERR_REASON(EC_R_INVALID_ARGUMENT), "invalid argument"},
229{ERR_REASON(EC_R_INVALID_COMPRESSED_POINT),"invalid compressed point"}, 229 {ERR_REASON(EC_R_INVALID_COMPRESSED_POINT), "invalid compressed point"},
230{ERR_REASON(EC_R_INVALID_COMPRESSION_BIT),"invalid compression bit"}, 230 {ERR_REASON(EC_R_INVALID_COMPRESSION_BIT), "invalid compression bit"},
231{ERR_REASON(EC_R_INVALID_CURVE) ,"invalid curve"}, 231 {ERR_REASON(EC_R_INVALID_CURVE), "invalid curve"},
232{ERR_REASON(EC_R_INVALID_DIGEST_TYPE) ,"invalid digest type"}, 232 {ERR_REASON(EC_R_INVALID_DIGEST_TYPE), "invalid digest type"},
233{ERR_REASON(EC_R_INVALID_ENCODING) ,"invalid encoding"}, 233 {ERR_REASON(EC_R_INVALID_ENCODING), "invalid encoding"},
234{ERR_REASON(EC_R_INVALID_FIELD) ,"invalid field"}, 234 {ERR_REASON(EC_R_INVALID_FIELD), "invalid field"},
235{ERR_REASON(EC_R_INVALID_FORM) ,"invalid form"}, 235 {ERR_REASON(EC_R_INVALID_FORM), "invalid form"},
236{ERR_REASON(EC_R_INVALID_GROUP_ORDER) ,"invalid group order"}, 236 {ERR_REASON(EC_R_INVALID_GROUP_ORDER), "invalid group order"},
237{ERR_REASON(EC_R_INVALID_PENTANOMIAL_BASIS),"invalid pentanomial basis"}, 237 {ERR_REASON(EC_R_INVALID_PENTANOMIAL_BASIS), "invalid pentanomial basis"},
238{ERR_REASON(EC_R_INVALID_PRIVATE_KEY) ,"invalid private key"}, 238 {ERR_REASON(EC_R_INVALID_PRIVATE_KEY), "invalid private key"},
239{ERR_REASON(EC_R_INVALID_TRINOMIAL_BASIS),"invalid trinomial basis"}, 239 {ERR_REASON(EC_R_INVALID_TRINOMIAL_BASIS), "invalid trinomial basis"},
240{ERR_REASON(EC_R_KEYS_NOT_SET) ,"keys not set"}, 240 {ERR_REASON(EC_R_KEYS_NOT_SET), "keys not set"},
241{ERR_REASON(EC_R_MISSING_PARAMETERS) ,"missing parameters"}, 241 {ERR_REASON(EC_R_MISSING_PARAMETERS), "missing parameters"},
242{ERR_REASON(EC_R_MISSING_PRIVATE_KEY) ,"missing private key"}, 242 {ERR_REASON(EC_R_MISSING_PRIVATE_KEY), "missing private key"},
243{ERR_REASON(EC_R_NOT_A_NIST_PRIME) ,"not a NIST prime"}, 243 {ERR_REASON(EC_R_NOT_A_NIST_PRIME), "not a NIST prime"},
244{ERR_REASON(EC_R_NOT_A_SUPPORTED_NIST_PRIME),"not a supported NIST prime"}, 244 {ERR_REASON(EC_R_NOT_A_SUPPORTED_NIST_PRIME), "not a supported NIST prime"},
245{ERR_REASON(EC_R_NOT_IMPLEMENTED) ,"not implemented"}, 245 {ERR_REASON(EC_R_NOT_IMPLEMENTED), "not implemented"},
246{ERR_REASON(EC_R_NOT_INITIALIZED) ,"not initialized"}, 246 {ERR_REASON(EC_R_NOT_INITIALIZED), "not initialized"},
247{ERR_REASON(EC_R_NO_FIELD_MOD) ,"no field mod"}, 247 {ERR_REASON(EC_R_NO_FIELD_MOD), "no field mod"},
248{ERR_REASON(EC_R_NO_PARAMETERS_SET) ,"no parameters set"}, 248 {ERR_REASON(EC_R_NO_PARAMETERS_SET), "no parameters set"},
249{ERR_REASON(EC_R_PASSED_NULL_PARAMETER) ,"passed null parameter"}, 249 {ERR_REASON(EC_R_PASSED_NULL_PARAMETER), "passed null parameter"},
250{ERR_REASON(EC_R_PKPARAMETERS2GROUP_FAILURE),"pkparameters2group failure"}, 250 {ERR_REASON(EC_R_PKPARAMETERS2GROUP_FAILURE), "pkparameters2group failure"},
251{ERR_REASON(EC_R_POINT_AT_INFINITY) ,"point at infinity"}, 251 {ERR_REASON(EC_R_POINT_AT_INFINITY), "point at infinity"},
252{ERR_REASON(EC_R_POINT_IS_NOT_ON_CURVE) ,"point is not on curve"}, 252 {ERR_REASON(EC_R_POINT_IS_NOT_ON_CURVE), "point is not on curve"},
253{ERR_REASON(EC_R_SLOT_FULL) ,"slot full"}, 253 {ERR_REASON(EC_R_SLOT_FULL), "slot full"},
254{ERR_REASON(EC_R_UNDEFINED_GENERATOR) ,"undefined generator"}, 254 {ERR_REASON(EC_R_UNDEFINED_GENERATOR), "undefined generator"},
255{ERR_REASON(EC_R_UNDEFINED_ORDER) ,"undefined order"}, 255 {ERR_REASON(EC_R_UNDEFINED_ORDER), "undefined order"},
256{ERR_REASON(EC_R_UNKNOWN_GROUP) ,"unknown group"}, 256 {ERR_REASON(EC_R_UNKNOWN_GROUP), "unknown group"},
257{ERR_REASON(EC_R_UNKNOWN_ORDER) ,"unknown order"}, 257 {ERR_REASON(EC_R_UNKNOWN_ORDER), "unknown order"},
258{ERR_REASON(EC_R_UNSUPPORTED_FIELD) ,"unsupported field"}, 258 {ERR_REASON(EC_R_UNSUPPORTED_FIELD), "unsupported field"},
259{ERR_REASON(EC_R_WRONG_CURVE_PARAMETERS) ,"wrong curve parameters"}, 259 {ERR_REASON(EC_R_WRONG_CURVE_PARAMETERS), "wrong curve parameters"},
260{ERR_REASON(EC_R_WRONG_ORDER) ,"wrong order"}, 260 {ERR_REASON(EC_R_WRONG_ORDER), "wrong order"},
261{0,NULL} 261 {0, NULL}
262 }; 262};
263 263
264#endif 264#endif
265 265
266void ERR_load_EC_strings(void) 266void
267 { 267ERR_load_EC_strings(void)
268{
268#ifndef OPENSSL_NO_ERR 269#ifndef OPENSSL_NO_ERR
269 270
270 if (ERR_func_error_string(EC_str_functs[0].error) == NULL) 271 if (ERR_func_error_string(EC_str_functs[0].error) == NULL) {
271 { 272 ERR_load_strings(0, EC_str_functs);
272 ERR_load_strings(0,EC_str_functs); 273 ERR_load_strings(0, EC_str_reasons);
273 ERR_load_strings(0,EC_str_reasons);
274 }
275#endif
276 } 274 }
275#endif
276}
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
index 4f0559591e..1d727ec77d 100644
--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -57,7 +57,7 @@
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Portions originally developed by SUN MICROSYSTEMS, INC., and 60 * Portions originally developed by SUN MICROSYSTEMS, INC., and
61 * contributed to the OpenSSL project. 61 * contributed to the OpenSSL project.
62 */ 62 */
63 63
@@ -65,78 +65,79 @@
65#include "ec_lcl.h" 65#include "ec_lcl.h"
66#include <openssl/err.h> 66#include <openssl/err.h>
67 67
68EC_KEY *EC_KEY_new(void) 68EC_KEY *
69 { 69EC_KEY_new(void)
70{
70 EC_KEY *ret; 71 EC_KEY *ret;
71 72
72 ret=(EC_KEY *)malloc(sizeof(EC_KEY)); 73 ret = (EC_KEY *) malloc(sizeof(EC_KEY));
73 if (ret == NULL) 74 if (ret == NULL) {
74 {
75 ECerr(EC_F_EC_KEY_NEW, ERR_R_MALLOC_FAILURE); 75 ECerr(EC_F_EC_KEY_NEW, ERR_R_MALLOC_FAILURE);
76 return(NULL); 76 return (NULL);
77 } 77 }
78 78 ret->version = 1;
79 ret->version = 1;
80 ret->flags = 0; 79 ret->flags = 0;
81 ret->group = NULL; 80 ret->group = NULL;
82 ret->pub_key = NULL; 81 ret->pub_key = NULL;
83 ret->priv_key= NULL; 82 ret->priv_key = NULL;
84 ret->enc_flag= 0; 83 ret->enc_flag = 0;
85 ret->conv_form = POINT_CONVERSION_UNCOMPRESSED; 84 ret->conv_form = POINT_CONVERSION_UNCOMPRESSED;
86 ret->references= 1; 85 ret->references = 1;
87 ret->method_data = NULL; 86 ret->method_data = NULL;
88 return(ret); 87 return (ret);
89 } 88}
90 89
91EC_KEY *EC_KEY_new_by_curve_name(int nid) 90EC_KEY *
92 { 91EC_KEY_new_by_curve_name(int nid)
92{
93 EC_KEY *ret = EC_KEY_new(); 93 EC_KEY *ret = EC_KEY_new();
94 if (ret == NULL) 94 if (ret == NULL)
95 return NULL; 95 return NULL;
96 ret->group = EC_GROUP_new_by_curve_name(nid); 96 ret->group = EC_GROUP_new_by_curve_name(nid);
97 if (ret->group == NULL) 97 if (ret->group == NULL) {
98 {
99 EC_KEY_free(ret); 98 EC_KEY_free(ret);
100 return NULL; 99 return NULL;
101 }
102 return ret;
103 } 100 }
101 return ret;
102}
104 103
105void EC_KEY_free(EC_KEY *r) 104void
106 { 105EC_KEY_free(EC_KEY * r)
106{
107 int i; 107 int i;
108 108
109 if (r == NULL) return; 109 if (r == NULL)
110 return;
110 111
111 i=CRYPTO_add(&r->references,-1,CRYPTO_LOCK_EC); 112 i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_EC);
112 if (i > 0) return; 113 if (i > 0)
114 return;
113 115
114 if (r->group != NULL) 116 if (r->group != NULL)
115 EC_GROUP_free(r->group); 117 EC_GROUP_free(r->group);
116 if (r->pub_key != NULL) 118 if (r->pub_key != NULL)
117 EC_POINT_free(r->pub_key); 119 EC_POINT_free(r->pub_key);
118 if (r->priv_key != NULL) 120 if (r->priv_key != NULL)
119 BN_clear_free(r->priv_key); 121 BN_clear_free(r->priv_key);
120 122
121 EC_EX_DATA_free_all_data(&r->method_data); 123 EC_EX_DATA_free_all_data(&r->method_data);
122 124
123 OPENSSL_cleanse((void *)r, sizeof(EC_KEY)); 125 OPENSSL_cleanse((void *) r, sizeof(EC_KEY));
124 126
125 free(r); 127 free(r);
126 } 128}
127 129
128EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) 130EC_KEY *
129 { 131EC_KEY_copy(EC_KEY * dest, const EC_KEY * src)
132{
130 EC_EXTRA_DATA *d; 133 EC_EXTRA_DATA *d;
131 134
132 if (dest == NULL || src == NULL) 135 if (dest == NULL || src == NULL) {
133 {
134 ECerr(EC_F_EC_KEY_COPY, ERR_R_PASSED_NULL_PARAMETER); 136 ECerr(EC_F_EC_KEY_COPY, ERR_R_PASSED_NULL_PARAMETER);
135 return NULL; 137 return NULL;
136 } 138 }
137 /* copy the parameters */ 139 /* copy the parameters */
138 if (src->group) 140 if (src->group) {
139 {
140 const EC_METHOD *meth = EC_GROUP_method_of(src->group); 141 const EC_METHOD *meth = EC_GROUP_method_of(src->group);
141 /* clear the old group */ 142 /* clear the old group */
142 if (dest->group) 143 if (dest->group)
@@ -146,10 +147,9 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
146 return NULL; 147 return NULL;
147 if (!EC_GROUP_copy(dest->group, src->group)) 148 if (!EC_GROUP_copy(dest->group, src->group))
148 return NULL; 149 return NULL;
149 } 150 }
150 /* copy the public key */ 151 /* copy the public key */
151 if (src->pub_key && src->group) 152 if (src->pub_key && src->group) {
152 {
153 if (dest->pub_key) 153 if (dest->pub_key)
154 EC_POINT_free(dest->pub_key); 154 EC_POINT_free(dest->pub_key);
155 dest->pub_key = EC_POINT_new(src->group); 155 dest->pub_key = EC_POINT_new(src->group);
@@ -157,83 +157,81 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
157 return NULL; 157 return NULL;
158 if (!EC_POINT_copy(dest->pub_key, src->pub_key)) 158 if (!EC_POINT_copy(dest->pub_key, src->pub_key))
159 return NULL; 159 return NULL;
160 } 160 }
161 /* copy the private key */ 161 /* copy the private key */
162 if (src->priv_key) 162 if (src->priv_key) {
163 { 163 if (dest->priv_key == NULL) {
164 if (dest->priv_key == NULL)
165 {
166 dest->priv_key = BN_new(); 164 dest->priv_key = BN_new();
167 if (dest->priv_key == NULL) 165 if (dest->priv_key == NULL)
168 return NULL; 166 return NULL;
169 } 167 }
170 if (!BN_copy(dest->priv_key, src->priv_key)) 168 if (!BN_copy(dest->priv_key, src->priv_key))
171 return NULL; 169 return NULL;
172 } 170 }
173 /* copy method/extra data */ 171 /* copy method/extra data */
174 EC_EX_DATA_free_all_data(&dest->method_data); 172 EC_EX_DATA_free_all_data(&dest->method_data);
175 173
176 for (d = src->method_data; d != NULL; d = d->next) 174 for (d = src->method_data; d != NULL; d = d->next) {
177 {
178 void *t = d->dup_func(d->data); 175 void *t = d->dup_func(d->data);
179 176
180 if (t == NULL) 177 if (t == NULL)
181 return 0; 178 return 0;
182 if (!EC_EX_DATA_set_data(&dest->method_data, t, d->dup_func, d->free_func, d->clear_free_func)) 179 if (!EC_EX_DATA_set_data(&dest->method_data, t, d->dup_func,
180 d->free_func, d->clear_free_func))
183 return 0; 181 return 0;
184 } 182 }
185 183
186 /* copy the rest */ 184 /* copy the rest */
187 dest->enc_flag = src->enc_flag; 185 dest->enc_flag = src->enc_flag;
188 dest->conv_form = src->conv_form; 186 dest->conv_form = src->conv_form;
189 dest->version = src->version; 187 dest->version = src->version;
190 dest->flags = src->flags; 188 dest->flags = src->flags;
191 189
192 return dest; 190 return dest;
193 } 191}
194 192
195EC_KEY *EC_KEY_dup(const EC_KEY *ec_key) 193EC_KEY *
196 { 194EC_KEY_dup(const EC_KEY * ec_key)
195{
197 EC_KEY *ret = EC_KEY_new(); 196 EC_KEY *ret = EC_KEY_new();
198 if (ret == NULL) 197 if (ret == NULL)
199 return NULL; 198 return NULL;
200 if (EC_KEY_copy(ret, ec_key) == NULL) 199 if (EC_KEY_copy(ret, ec_key) == NULL) {
201 {
202 EC_KEY_free(ret); 200 EC_KEY_free(ret);
203 return NULL; 201 return NULL;
204 }
205 return ret;
206 } 202 }
203 return ret;
204}
207 205
208int EC_KEY_up_ref(EC_KEY *r) 206int
209 { 207EC_KEY_up_ref(EC_KEY * r)
208{
210 int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_EC); 209 int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_EC);
211 return ((i > 1) ? 1 : 0); 210 return ((i > 1) ? 1 : 0);
212 } 211}
213 212
214int EC_KEY_generate_key(EC_KEY *eckey) 213int
215 { 214EC_KEY_generate_key(EC_KEY * eckey)
216 int ok = 0; 215{
217 BN_CTX *ctx = NULL; 216 int ok = 0;
218 BIGNUM *priv_key = NULL, *order = NULL; 217 BN_CTX *ctx = NULL;
218 BIGNUM *priv_key = NULL, *order = NULL;
219 EC_POINT *pub_key = NULL; 219 EC_POINT *pub_key = NULL;
220 220
221 if (!eckey || !eckey->group) 221 if (!eckey || !eckey->group) {
222 {
223 ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); 222 ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
224 return 0; 223 return 0;
225 } 224 }
226 225 if ((order = BN_new()) == NULL)
227 if ((order = BN_new()) == NULL) goto err; 226 goto err;
228 if ((ctx = BN_CTX_new()) == NULL) goto err; 227 if ((ctx = BN_CTX_new()) == NULL)
228 goto err;
229 229
230 if (eckey->priv_key == NULL) 230 if (eckey->priv_key == NULL) {
231 {
232 priv_key = BN_new(); 231 priv_key = BN_new();
233 if (priv_key == NULL) 232 if (priv_key == NULL)
234 goto err; 233 goto err;
235 } 234 } else
236 else
237 priv_key = eckey->priv_key; 235 priv_key = eckey->priv_key;
238 236
239 if (!EC_GROUP_get_order(eckey->group, order, ctx)) 237 if (!EC_GROUP_get_order(eckey->group, order, ctx))
@@ -244,127 +242,115 @@ int EC_KEY_generate_key(EC_KEY *eckey)
244 goto err; 242 goto err;
245 while (BN_is_zero(priv_key)); 243 while (BN_is_zero(priv_key));
246 244
247 if (eckey->pub_key == NULL) 245 if (eckey->pub_key == NULL) {
248 {
249 pub_key = EC_POINT_new(eckey->group); 246 pub_key = EC_POINT_new(eckey->group);
250 if (pub_key == NULL) 247 if (pub_key == NULL)
251 goto err; 248 goto err;
252 } 249 } else
253 else
254 pub_key = eckey->pub_key; 250 pub_key = eckey->pub_key;
255 251
256 if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) 252 if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
257 goto err; 253 goto err;
258 254
259 eckey->priv_key = priv_key; 255 eckey->priv_key = priv_key;
260 eckey->pub_key = pub_key; 256 eckey->pub_key = pub_key;
261 257
262 ok=1; 258 ok = 1;
263 259
264err: 260err:
265 if (order) 261 if (order)
266 BN_free(order); 262 BN_free(order);
267 if (pub_key != NULL && eckey->pub_key == NULL) 263 if (pub_key != NULL && eckey->pub_key == NULL)
268 EC_POINT_free(pub_key); 264 EC_POINT_free(pub_key);
269 if (priv_key != NULL && eckey->priv_key == NULL) 265 if (priv_key != NULL && eckey->priv_key == NULL)
270 BN_free(priv_key); 266 BN_free(priv_key);
271 if (ctx != NULL) 267 if (ctx != NULL)
272 BN_CTX_free(ctx); 268 BN_CTX_free(ctx);
273 return(ok); 269 return (ok);
274 } 270}
275 271
276int EC_KEY_check_key(const EC_KEY *eckey) 272int
277 { 273EC_KEY_check_key(const EC_KEY * eckey)
278 int ok = 0; 274{
279 BN_CTX *ctx = NULL; 275 int ok = 0;
280 const BIGNUM *order = NULL; 276 BN_CTX *ctx = NULL;
277 const BIGNUM *order = NULL;
281 EC_POINT *point = NULL; 278 EC_POINT *point = NULL;
282 279
283 if (!eckey || !eckey->group || !eckey->pub_key) 280 if (!eckey || !eckey->group || !eckey->pub_key) {
284 {
285 ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER); 281 ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER);
286 return 0; 282 return 0;
287 } 283 }
288 284 if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) {
289 if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key))
290 {
291 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_AT_INFINITY); 285 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_AT_INFINITY);
292 goto err; 286 goto err;
293 } 287 }
294
295 if ((ctx = BN_CTX_new()) == NULL) 288 if ((ctx = BN_CTX_new()) == NULL)
296 goto err; 289 goto err;
297 if ((point = EC_POINT_new(eckey->group)) == NULL) 290 if ((point = EC_POINT_new(eckey->group)) == NULL)
298 goto err; 291 goto err;
299 292
300 /* testing whether the pub_key is on the elliptic curve */ 293 /* testing whether the pub_key is on the elliptic curve */
301 if (!EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx)) 294 if (!EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx)) {
302 {
303 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE); 295 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE);
304 goto err; 296 goto err;
305 } 297 }
306 /* testing whether pub_key * order is the point at infinity */ 298 /* testing whether pub_key * order is the point at infinity */
307 order = &eckey->group->order; 299 order = &eckey->group->order;
308 if (BN_is_zero(order)) 300 if (BN_is_zero(order)) {
309 {
310 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_GROUP_ORDER); 301 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_GROUP_ORDER);
311 goto err; 302 goto err;
312 } 303 }
313 if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) 304 if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) {
314 {
315 ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB); 305 ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);
316 goto err; 306 goto err;
317 } 307 }
318 if (!EC_POINT_is_at_infinity(eckey->group, point)) 308 if (!EC_POINT_is_at_infinity(eckey->group, point)) {
319 {
320 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER); 309 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);
321 goto err; 310 goto err;
322 } 311 }
323 /* in case the priv_key is present : 312 /*
324 * check if generator * priv_key == pub_key 313 * in case the priv_key is present : check if generator * priv_key ==
314 * pub_key
325 */ 315 */
326 if (eckey->priv_key) 316 if (eckey->priv_key) {
327 { 317 if (BN_cmp(eckey->priv_key, order) >= 0) {
328 if (BN_cmp(eckey->priv_key, order) >= 0)
329 {
330 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER); 318 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);
331 goto err; 319 goto err;
332 } 320 }
333 if (!EC_POINT_mul(eckey->group, point, eckey->priv_key, 321 if (!EC_POINT_mul(eckey->group, point, eckey->priv_key,
334 NULL, NULL, ctx)) 322 NULL, NULL, ctx)) {
335 {
336 ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB); 323 ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);
337 goto err; 324 goto err;
338 } 325 }
339 if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, 326 if (EC_POINT_cmp(eckey->group, point, eckey->pub_key,
340 ctx) != 0) 327 ctx) != 0) {
341 {
342 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY); 328 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY);
343 goto err; 329 goto err;
344 }
345 } 330 }
331 }
346 ok = 1; 332 ok = 1;
347err: 333err:
348 if (ctx != NULL) 334 if (ctx != NULL)
349 BN_CTX_free(ctx); 335 BN_CTX_free(ctx);
350 if (point != NULL) 336 if (point != NULL)
351 EC_POINT_free(point); 337 EC_POINT_free(point);
352 return(ok); 338 return (ok);
353 } 339}
354 340
355int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y) 341int
356 { 342EC_KEY_set_public_key_affine_coordinates(EC_KEY * key, BIGNUM * x, BIGNUM * y)
343{
357 BN_CTX *ctx = NULL; 344 BN_CTX *ctx = NULL;
358 BIGNUM *tx, *ty; 345 BIGNUM *tx, *ty;
359 EC_POINT *point = NULL; 346 EC_POINT *point = NULL;
360 int ok = 0, tmp_nid, is_char_two = 0; 347 int ok = 0, tmp_nid, is_char_two = 0;
361 348
362 if (!key || !key->group || !x || !y) 349 if (!key || !key->group || !x || !y) {
363 {
364 ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, 350 ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
365 ERR_R_PASSED_NULL_PARAMETER); 351 ERR_R_PASSED_NULL_PARAMETER);
366 return 0; 352 return 0;
367 } 353 }
368 ctx = BN_CTX_new(); 354 ctx = BN_CTX_new();
369 if (!ctx) 355 if (!ctx)
370 goto err; 356 goto err;
@@ -376,41 +362,38 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y)
376 362
377 tmp_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(key->group)); 363 tmp_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(key->group));
378 364
379 if (tmp_nid == NID_X9_62_characteristic_two_field) 365 if (tmp_nid == NID_X9_62_characteristic_two_field)
380 is_char_two = 1; 366 is_char_two = 1;
381 367
382 tx = BN_CTX_get(ctx); 368 tx = BN_CTX_get(ctx);
383 ty = BN_CTX_get(ctx); 369 ty = BN_CTX_get(ctx);
384#ifndef OPENSSL_NO_EC2M 370#ifndef OPENSSL_NO_EC2M
385 if (is_char_two) 371 if (is_char_two) {
386 {
387 if (!EC_POINT_set_affine_coordinates_GF2m(key->group, point, 372 if (!EC_POINT_set_affine_coordinates_GF2m(key->group, point,
388 x, y, ctx)) 373 x, y, ctx))
389 goto err; 374 goto err;
390 if (!EC_POINT_get_affine_coordinates_GF2m(key->group, point, 375 if (!EC_POINT_get_affine_coordinates_GF2m(key->group, point,
391 tx, ty, ctx)) 376 tx, ty, ctx))
392 goto err; 377 goto err;
393 } 378 } else
394 else
395#endif 379#endif
396 { 380 {
397 if (!EC_POINT_set_affine_coordinates_GFp(key->group, point, 381 if (!EC_POINT_set_affine_coordinates_GFp(key->group, point,
398 x, y, ctx)) 382 x, y, ctx))
399 goto err; 383 goto err;
400 if (!EC_POINT_get_affine_coordinates_GFp(key->group, point, 384 if (!EC_POINT_get_affine_coordinates_GFp(key->group, point,
401 tx, ty, ctx)) 385 tx, ty, ctx))
402 goto err; 386 goto err;
403 } 387 }
404 /* Check if retrieved coordinates match originals: if not values 388 /*
405 * are out of range. 389 * Check if retrieved coordinates match originals: if not values are
390 * out of range.
406 */ 391 */
407 if (BN_cmp(x, tx) || BN_cmp(y, ty)) 392 if (BN_cmp(x, tx) || BN_cmp(y, ty)) {
408 {
409 ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, 393 ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
410 EC_R_COORDINATES_OUT_OF_RANGE); 394 EC_R_COORDINATES_OUT_OF_RANGE);
411 goto err; 395 goto err;
412 } 396 }
413
414 if (!EC_KEY_set_public_key(key, point)) 397 if (!EC_KEY_set_public_key(key, point))
415 goto err; 398 goto err;
416 399
@@ -419,79 +402,92 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y)
419 402
420 ok = 1; 403 ok = 1;
421 404
422 err: 405err:
423 if (ctx) 406 if (ctx)
424 BN_CTX_free(ctx); 407 BN_CTX_free(ctx);
425 if (point) 408 if (point)
426 EC_POINT_free(point); 409 EC_POINT_free(point);
427 return ok; 410 return ok;
428 411
429 } 412}
430 413
431const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key) 414const EC_GROUP *
432 { 415EC_KEY_get0_group(const EC_KEY * key)
416{
433 return key->group; 417 return key->group;
434 } 418}
435 419
436int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group) 420int
437 { 421EC_KEY_set_group(EC_KEY * key, const EC_GROUP * group)
422{
438 if (key->group != NULL) 423 if (key->group != NULL)
439 EC_GROUP_free(key->group); 424 EC_GROUP_free(key->group);
440 key->group = EC_GROUP_dup(group); 425 key->group = EC_GROUP_dup(group);
441 return (key->group == NULL) ? 0 : 1; 426 return (key->group == NULL) ? 0 : 1;
442 } 427}
443 428
444const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key) 429const BIGNUM *
445 { 430EC_KEY_get0_private_key(const EC_KEY * key)
431{
446 return key->priv_key; 432 return key->priv_key;
447 } 433}
448 434
449int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) 435int
450 { 436EC_KEY_set_private_key(EC_KEY * key, const BIGNUM * priv_key)
437{
451 if (key->priv_key) 438 if (key->priv_key)
452 BN_clear_free(key->priv_key); 439 BN_clear_free(key->priv_key);
453 key->priv_key = BN_dup(priv_key); 440 key->priv_key = BN_dup(priv_key);
454 return (key->priv_key == NULL) ? 0 : 1; 441 return (key->priv_key == NULL) ? 0 : 1;
455 } 442}
456 443
457const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key) 444const EC_POINT *
458 { 445EC_KEY_get0_public_key(const EC_KEY * key)
446{
459 return key->pub_key; 447 return key->pub_key;
460 } 448}
461 449
462int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key) 450int
463 { 451EC_KEY_set_public_key(EC_KEY * key, const EC_POINT * pub_key)
452{
464 if (key->pub_key != NULL) 453 if (key->pub_key != NULL)
465 EC_POINT_free(key->pub_key); 454 EC_POINT_free(key->pub_key);
466 key->pub_key = EC_POINT_dup(pub_key, key->group); 455 key->pub_key = EC_POINT_dup(pub_key, key->group);
467 return (key->pub_key == NULL) ? 0 : 1; 456 return (key->pub_key == NULL) ? 0 : 1;
468 } 457}
469 458
470unsigned int EC_KEY_get_enc_flags(const EC_KEY *key) 459unsigned int
471 { 460EC_KEY_get_enc_flags(const EC_KEY * key)
461{
472 return key->enc_flag; 462 return key->enc_flag;
473 } 463}
474 464
475void EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags) 465void
476 { 466EC_KEY_set_enc_flags(EC_KEY * key, unsigned int flags)
467{
477 key->enc_flag = flags; 468 key->enc_flag = flags;
478 } 469}
479 470
480point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key) 471point_conversion_form_t
481 { 472EC_KEY_get_conv_form(const EC_KEY * key)
473{
482 return key->conv_form; 474 return key->conv_form;
483 } 475}
484 476
485void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform) 477void
486 { 478EC_KEY_set_conv_form(EC_KEY * key, point_conversion_form_t cform)
479{
487 key->conv_form = cform; 480 key->conv_form = cform;
488 if (key->group != NULL) 481 if (key->group != NULL)
489 EC_GROUP_set_point_conversion_form(key->group, cform); 482 EC_GROUP_set_point_conversion_form(key->group, cform);
490 } 483}
491 484
492void *EC_KEY_get_key_method_data(EC_KEY *key, 485void *
493 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) 486EC_KEY_get_key_method_data(EC_KEY *key,
494 { 487 void *(*dup_func) (void *),
488 void (*free_func) (void *),
489 void (*clear_free_func) (void *))
490{
495 void *ret; 491 void *ret;
496 492
497 CRYPTO_r_lock(CRYPTO_LOCK_EC); 493 CRYPTO_r_lock(CRYPTO_LOCK_EC);
@@ -499,11 +495,14 @@ void *EC_KEY_get_key_method_data(EC_KEY *key,
499 CRYPTO_r_unlock(CRYPTO_LOCK_EC); 495 CRYPTO_r_unlock(CRYPTO_LOCK_EC);
500 496
501 return ret; 497 return ret;
502 } 498}
503 499
504void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, 500void *
505 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) 501EC_KEY_insert_key_method_data(EC_KEY * key, void *data,
506 { 502 void *(*dup_func) (void *),
503 void (*free_func) (void *),
504 void (*clear_free_func) (void *))
505{
507 EC_EXTRA_DATA *ex_data; 506 EC_EXTRA_DATA *ex_data;
508 507
509 CRYPTO_w_lock(CRYPTO_LOCK_EC); 508 CRYPTO_w_lock(CRYPTO_LOCK_EC);
@@ -513,32 +512,37 @@ void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
513 CRYPTO_w_unlock(CRYPTO_LOCK_EC); 512 CRYPTO_w_unlock(CRYPTO_LOCK_EC);
514 513
515 return ex_data; 514 return ex_data;
516 } 515}
517 516
518void EC_KEY_set_asn1_flag(EC_KEY *key, int flag) 517void
519 { 518EC_KEY_set_asn1_flag(EC_KEY * key, int flag)
519{
520 if (key->group != NULL) 520 if (key->group != NULL)
521 EC_GROUP_set_asn1_flag(key->group, flag); 521 EC_GROUP_set_asn1_flag(key->group, flag);
522 } 522}
523 523
524int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx) 524int
525 { 525EC_KEY_precompute_mult(EC_KEY * key, BN_CTX * ctx)
526{
526 if (key->group == NULL) 527 if (key->group == NULL)
527 return 0; 528 return 0;
528 return EC_GROUP_precompute_mult(key->group, ctx); 529 return EC_GROUP_precompute_mult(key->group, ctx);
529 } 530}
530 531
531int EC_KEY_get_flags(const EC_KEY *key) 532int
532 { 533EC_KEY_get_flags(const EC_KEY * key)
534{
533 return key->flags; 535 return key->flags;
534 } 536}
535 537
536void EC_KEY_set_flags(EC_KEY *key, int flags) 538void
537 { 539EC_KEY_set_flags(EC_KEY * key, int flags)
540{
538 key->flags |= flags; 541 key->flags |= flags;
539 } 542}
540 543
541void EC_KEY_clear_flags(EC_KEY *key, int flags) 544void
542 { 545EC_KEY_clear_flags(EC_KEY * key, int flags)
546{
543 key->flags &= ~flags; 547 key->flags &= ~flags;
544 } 548}
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 546fd08e38..b37efac246 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -57,7 +57,7 @@
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Binary polynomial ECC support in OpenSSL originally developed by 60 * Binary polynomial ECC support in OpenSSL originally developed by
61 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 61 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
62 */ 62 */
63 63
@@ -73,28 +73,24 @@ static const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
73 73
74/* functions for EC_GROUP objects */ 74/* functions for EC_GROUP objects */
75 75
76EC_GROUP *EC_GROUP_new(const EC_METHOD *meth) 76EC_GROUP *
77 { 77EC_GROUP_new(const EC_METHOD * meth)
78{
78 EC_GROUP *ret; 79 EC_GROUP *ret;
79 80
80 if (meth == NULL) 81 if (meth == NULL) {
81 {
82 ECerr(EC_F_EC_GROUP_NEW, EC_R_SLOT_FULL); 82 ECerr(EC_F_EC_GROUP_NEW, EC_R_SLOT_FULL);
83 return NULL; 83 return NULL;
84 } 84 }
85 if (meth->group_init == 0) 85 if (meth->group_init == 0) {
86 {
87 ECerr(EC_F_EC_GROUP_NEW, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 86 ECerr(EC_F_EC_GROUP_NEW, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
88 return NULL; 87 return NULL;
89 } 88 }
90
91 ret = malloc(sizeof *ret); 89 ret = malloc(sizeof *ret);
92 if (ret == NULL) 90 if (ret == NULL) {
93 {
94 ECerr(EC_F_EC_GROUP_NEW, ERR_R_MALLOC_FAILURE); 91 ECerr(EC_F_EC_GROUP_NEW, ERR_R_MALLOC_FAILURE);
95 return NULL; 92 return NULL;
96 } 93 }
97
98 ret->meth = meth; 94 ret->meth = meth;
99 95
100 ret->extra_data = NULL; 96 ret->extra_data = NULL;
@@ -103,26 +99,26 @@ EC_GROUP *EC_GROUP_new(const EC_METHOD *meth)
103 BN_init(&ret->order); 99 BN_init(&ret->order);
104 BN_init(&ret->cofactor); 100 BN_init(&ret->cofactor);
105 101
106 ret->curve_name = 0; 102 ret->curve_name = 0;
107 ret->asn1_flag = 0; 103 ret->asn1_flag = 0;
108 ret->asn1_form = POINT_CONVERSION_UNCOMPRESSED; 104 ret->asn1_form = POINT_CONVERSION_UNCOMPRESSED;
109 105
110 ret->seed = NULL; 106 ret->seed = NULL;
111 ret->seed_len = 0; 107 ret->seed_len = 0;
112 108
113 if (!meth->group_init(ret)) 109 if (!meth->group_init(ret)) {
114 {
115 free(ret); 110 free(ret);
116 return NULL; 111 return NULL;
117 }
118
119 return ret;
120 } 112 }
113 return ret;
114}
121 115
122 116
123void EC_GROUP_free(EC_GROUP *group) 117void
124 { 118EC_GROUP_free(EC_GROUP * group)
125 if (!group) return; 119{
120 if (!group)
121 return;
126 122
127 if (group->meth->group_finish != 0) 123 if (group->meth->group_finish != 0)
128 group->meth->group_finish(group); 124 group->meth->group_finish(group);
@@ -138,12 +134,14 @@ void EC_GROUP_free(EC_GROUP *group)
138 free(group->seed); 134 free(group->seed);
139 135
140 free(group); 136 free(group);
141 } 137}
142 138
143 139
144void EC_GROUP_clear_free(EC_GROUP *group) 140void
145 { 141EC_GROUP_clear_free(EC_GROUP * group)
146 if (!group) return; 142{
143 if (!group)
144 return;
147 145
148 if (group->meth->group_clear_finish != 0) 146 if (group->meth->group_clear_finish != 0)
149 group->meth->group_clear_finish(group); 147 group->meth->group_clear_finish(group);
@@ -157,74 +155,69 @@ void EC_GROUP_clear_free(EC_GROUP *group)
157 BN_clear_free(&group->order); 155 BN_clear_free(&group->order);
158 BN_clear_free(&group->cofactor); 156 BN_clear_free(&group->cofactor);
159 157
160 if (group->seed) 158 if (group->seed) {
161 {
162 OPENSSL_cleanse(group->seed, group->seed_len); 159 OPENSSL_cleanse(group->seed, group->seed_len);
163 free(group->seed); 160 free(group->seed);
164 } 161 }
165
166 OPENSSL_cleanse(group, sizeof *group); 162 OPENSSL_cleanse(group, sizeof *group);
167 free(group); 163 free(group);
168 } 164}
169 165
170 166
171int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) 167int
172 { 168EC_GROUP_copy(EC_GROUP * dest, const EC_GROUP * src)
169{
173 EC_EXTRA_DATA *d; 170 EC_EXTRA_DATA *d;
174 171
175 if (dest->meth->group_copy == 0) 172 if (dest->meth->group_copy == 0) {
176 {
177 ECerr(EC_F_EC_GROUP_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 173 ECerr(EC_F_EC_GROUP_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
178 return 0; 174 return 0;
179 } 175 }
180 if (dest->meth != src->meth) 176 if (dest->meth != src->meth) {
181 {
182 ECerr(EC_F_EC_GROUP_COPY, EC_R_INCOMPATIBLE_OBJECTS); 177 ECerr(EC_F_EC_GROUP_COPY, EC_R_INCOMPATIBLE_OBJECTS);
183 return 0; 178 return 0;
184 } 179 }
185 if (dest == src) 180 if (dest == src)
186 return 1; 181 return 1;
187 182
188 EC_EX_DATA_free_all_data(&dest->extra_data); 183 EC_EX_DATA_free_all_data(&dest->extra_data);
189 184
190 for (d = src->extra_data; d != NULL; d = d->next) 185 for (d = src->extra_data; d != NULL; d = d->next) {
191 {
192 void *t = d->dup_func(d->data); 186 void *t = d->dup_func(d->data);
193 187
194 if (t == NULL) 188 if (t == NULL)
195 return 0; 189 return 0;
196 if (!EC_EX_DATA_set_data(&dest->extra_data, t, d->dup_func, d->free_func, d->clear_free_func)) 190 if (!EC_EX_DATA_set_data(&dest->extra_data, t, d->dup_func,
191 d->free_func, d->clear_free_func))
197 return 0; 192 return 0;
198 } 193 }
199 194
200 if (src->generator != NULL) 195 if (src->generator != NULL) {
201 { 196 if (dest->generator == NULL) {
202 if (dest->generator == NULL)
203 {
204 dest->generator = EC_POINT_new(dest); 197 dest->generator = EC_POINT_new(dest);
205 if (dest->generator == NULL) return 0; 198 if (dest->generator == NULL)
206 } 199 return 0;
207 if (!EC_POINT_copy(dest->generator, src->generator)) return 0;
208 } 200 }
209 else 201 if (!EC_POINT_copy(dest->generator, src->generator))
210 { 202 return 0;
203 } else {
211 /* src->generator == NULL */ 204 /* src->generator == NULL */
212 if (dest->generator != NULL) 205 if (dest->generator != NULL) {
213 {
214 EC_POINT_clear_free(dest->generator); 206 EC_POINT_clear_free(dest->generator);
215 dest->generator = NULL; 207 dest->generator = NULL;
216 }
217 } 208 }
209 }
218 210
219 if (!BN_copy(&dest->order, &src->order)) return 0; 211 if (!BN_copy(&dest->order, &src->order))
220 if (!BN_copy(&dest->cofactor, &src->cofactor)) return 0; 212 return 0;
213 if (!BN_copy(&dest->cofactor, &src->cofactor))
214 return 0;
221 215
222 dest->curve_name = src->curve_name; 216 dest->curve_name = src->curve_name;
223 dest->asn1_flag = src->asn1_flag; 217 dest->asn1_flag = src->asn1_flag;
224 dest->asn1_form = src->asn1_form; 218 dest->asn1_form = src->asn1_form;
225 219
226 if (src->seed) 220 if (src->seed) {
227 {
228 if (dest->seed) 221 if (dest->seed)
229 free(dest->seed); 222 free(dest->seed);
230 dest->seed = malloc(src->seed_len); 223 dest->seed = malloc(src->seed_len);
@@ -233,153 +226,168 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
233 if (!memcpy(dest->seed, src->seed, src->seed_len)) 226 if (!memcpy(dest->seed, src->seed, src->seed_len))
234 return 0; 227 return 0;
235 dest->seed_len = src->seed_len; 228 dest->seed_len = src->seed_len;
236 } 229 } else {
237 else
238 {
239 if (dest->seed) 230 if (dest->seed)
240 free(dest->seed); 231 free(dest->seed);
241 dest->seed = NULL; 232 dest->seed = NULL;
242 dest->seed_len = 0; 233 dest->seed_len = 0;
243 } 234 }
244 235
245 236
246 return dest->meth->group_copy(dest, src); 237 return dest->meth->group_copy(dest, src);
247 } 238}
248 239
249 240
250EC_GROUP *EC_GROUP_dup(const EC_GROUP *a) 241EC_GROUP *
251 { 242EC_GROUP_dup(const EC_GROUP * a)
243{
252 EC_GROUP *t = NULL; 244 EC_GROUP *t = NULL;
253 int ok = 0; 245 int ok = 0;
254 246
255 if (a == NULL) return NULL; 247 if (a == NULL)
248 return NULL;
256 249
257 if ((t = EC_GROUP_new(a->meth)) == NULL) return(NULL); 250 if ((t = EC_GROUP_new(a->meth)) == NULL)
258 if (!EC_GROUP_copy(t, a)) goto err; 251 return (NULL);
252 if (!EC_GROUP_copy(t, a))
253 goto err;
259 254
260 ok = 1; 255 ok = 1;
261 256
262 err: 257err:
263 if (!ok) 258 if (!ok) {
264 { 259 if (t)
265 if (t) EC_GROUP_free(t); 260 EC_GROUP_free(t);
266 return NULL; 261 return NULL;
267 } 262 } else
268 else return t; 263 return t;
269 } 264}
270 265
271 266
272const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group) 267const EC_METHOD *
273 { 268EC_GROUP_method_of(const EC_GROUP *group)
269{
274 return group->meth; 270 return group->meth;
275 } 271}
276 272
277 273
278int EC_METHOD_get_field_type(const EC_METHOD *meth) 274int
279 { 275EC_METHOD_get_field_type(const EC_METHOD *meth)
280 return meth->field_type; 276{
281 } 277 return meth->field_type;
278}
282 279
283 280
284int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor) 281int
285 { 282EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
286 if (generator == NULL) 283 const BIGNUM *order, const BIGNUM *cofactor)
287 { 284{
285 if (generator == NULL) {
288 ECerr(EC_F_EC_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER); 286 ECerr(EC_F_EC_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER);
289 return 0 ; 287 return 0;
290 } 288 }
291 289 if (group->generator == NULL) {
292 if (group->generator == NULL)
293 {
294 group->generator = EC_POINT_new(group); 290 group->generator = EC_POINT_new(group);
295 if (group->generator == NULL) return 0; 291 if (group->generator == NULL)
296 } 292 return 0;
297 if (!EC_POINT_copy(group->generator, generator)) return 0; 293 }
294 if (!EC_POINT_copy(group->generator, generator))
295 return 0;
298 296
299 if (order != NULL) 297 if (order != NULL) {
300 { if (!BN_copy(&group->order, order)) return 0; } 298 if (!BN_copy(&group->order, order))
301 else 299 return 0;
300 } else
302 BN_zero(&group->order); 301 BN_zero(&group->order);
303 302
304 if (cofactor != NULL) 303 if (cofactor != NULL) {
305 { if (!BN_copy(&group->cofactor, cofactor)) return 0; } 304 if (!BN_copy(&group->cofactor, cofactor))
306 else 305 return 0;
306 } else
307 BN_zero(&group->cofactor); 307 BN_zero(&group->cofactor);
308 308
309 return 1; 309 return 1;
310 } 310}
311 311
312 312
313const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) 313const EC_POINT *
314 { 314EC_GROUP_get0_generator(const EC_GROUP *group)
315{
315 return group->generator; 316 return group->generator;
316 } 317}
317 318
318 319
319int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) 320int
320 { 321EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
322{
321 if (!BN_copy(order, &group->order)) 323 if (!BN_copy(order, &group->order))
322 return 0; 324 return 0;
323 325
324 return !BN_is_zero(order); 326 return !BN_is_zero(order);
325 } 327}
326 328
327 329
328int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx) 330int
329 { 331EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
332{
330 if (!BN_copy(cofactor, &group->cofactor)) 333 if (!BN_copy(cofactor, &group->cofactor))
331 return 0; 334 return 0;
332 335
333 return !BN_is_zero(&group->cofactor); 336 return !BN_is_zero(&group->cofactor);
334 } 337}
335 338
336 339
337void EC_GROUP_set_curve_name(EC_GROUP *group, int nid) 340void
338 { 341EC_GROUP_set_curve_name(EC_GROUP * group, int nid)
342{
339 group->curve_name = nid; 343 group->curve_name = nid;
340 } 344}
341 345
342 346
343int EC_GROUP_get_curve_name(const EC_GROUP *group) 347int
344 { 348EC_GROUP_get_curve_name(const EC_GROUP * group)
349{
345 return group->curve_name; 350 return group->curve_name;
346 } 351}
347 352
348 353
349void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) 354void
350 { 355EC_GROUP_set_asn1_flag(EC_GROUP * group, int flag)
356{
351 group->asn1_flag = flag; 357 group->asn1_flag = flag;
352 } 358}
353 359
354 360
355int EC_GROUP_get_asn1_flag(const EC_GROUP *group) 361int
356 { 362EC_GROUP_get_asn1_flag(const EC_GROUP * group)
363{
357 return group->asn1_flag; 364 return group->asn1_flag;
358 } 365}
359 366
360 367
361void EC_GROUP_set_point_conversion_form(EC_GROUP *group, 368void
362 point_conversion_form_t form) 369EC_GROUP_set_point_conversion_form(EC_GROUP * group,
363 { 370 point_conversion_form_t form)
371{
364 group->asn1_form = form; 372 group->asn1_form = form;
365 } 373}
366 374
367 375
368point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *group) 376point_conversion_form_t
369 { 377EC_GROUP_get_point_conversion_form(const EC_GROUP * group)
378{
370 return group->asn1_form; 379 return group->asn1_form;
371 } 380}
372 381
373 382
374size_t EC_GROUP_set_seed(EC_GROUP *group, const unsigned char *p, size_t len) 383size_t
375 { 384EC_GROUP_set_seed(EC_GROUP * group, const unsigned char *p, size_t len)
376 if (group->seed) 385{
377 { 386 if (group->seed) {
378 free(group->seed); 387 free(group->seed);
379 group->seed = NULL; 388 group->seed = NULL;
380 group->seed_len = 0; 389 group->seed_len = 0;
381 } 390 }
382
383 if (!len || !p) 391 if (!len || !p)
384 return 1; 392 return 1;
385 393
@@ -389,94 +397,101 @@ size_t EC_GROUP_set_seed(EC_GROUP *group, const unsigned char *p, size_t len)
389 group->seed_len = len; 397 group->seed_len = len;
390 398
391 return len; 399 return len;
392 } 400}
393 401
394 402
395unsigned char *EC_GROUP_get0_seed(const EC_GROUP *group) 403unsigned char *
396 { 404EC_GROUP_get0_seed(const EC_GROUP * group)
405{
397 return group->seed; 406 return group->seed;
398 } 407}
399 408
400 409
401size_t EC_GROUP_get_seed_len(const EC_GROUP *group) 410size_t
402 { 411EC_GROUP_get_seed_len(const EC_GROUP * group)
412{
403 return group->seed_len; 413 return group->seed_len;
404 } 414}
405 415
406 416
407int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 417int
408 { 418EC_GROUP_set_curve_GFp(EC_GROUP * group, const BIGNUM * p, const BIGNUM * a,
409 if (group->meth->group_set_curve == 0) 419 const BIGNUM * b, BN_CTX * ctx)
410 { 420{
421 if (group->meth->group_set_curve == 0) {
411 ECerr(EC_F_EC_GROUP_SET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 422 ECerr(EC_F_EC_GROUP_SET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
412 return 0; 423 return 0;
413 }
414 return group->meth->group_set_curve(group, p, a, b, ctx);
415 } 424 }
425 return group->meth->group_set_curve(group, p, a, b, ctx);
426}
416 427
417 428
418int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) 429int
419 { 430EC_GROUP_get_curve_GFp(const EC_GROUP * group, BIGNUM * p, BIGNUM * a,
420 if (group->meth->group_get_curve == 0) 431 BIGNUM * b, BN_CTX * ctx)
421 { 432{
433 if (group->meth->group_get_curve == 0) {
422 ECerr(EC_F_EC_GROUP_GET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 434 ECerr(EC_F_EC_GROUP_GET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
423 return 0; 435 return 0;
424 }
425 return group->meth->group_get_curve(group, p, a, b, ctx);
426 } 436 }
437 return group->meth->group_get_curve(group, p, a, b, ctx);
438}
427 439
428#ifndef OPENSSL_NO_EC2M 440#ifndef OPENSSL_NO_EC2M
429int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 441int
430 { 442EC_GROUP_set_curve_GF2m(EC_GROUP * group, const BIGNUM * p, const BIGNUM * a,
431 if (group->meth->group_set_curve == 0) 443 const BIGNUM * b, BN_CTX * ctx)
432 { 444{
445 if (group->meth->group_set_curve == 0) {
433 ECerr(EC_F_EC_GROUP_SET_CURVE_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 446 ECerr(EC_F_EC_GROUP_SET_CURVE_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
434 return 0; 447 return 0;
435 }
436 return group->meth->group_set_curve(group, p, a, b, ctx);
437 } 448 }
449 return group->meth->group_set_curve(group, p, a, b, ctx);
450}
438 451
439 452
440int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) 453int
441 { 454EC_GROUP_get_curve_GF2m(const EC_GROUP * group, BIGNUM * p, BIGNUM * a,
442 if (group->meth->group_get_curve == 0) 455 BIGNUM * b, BN_CTX * ctx)
443 { 456{
457 if (group->meth->group_get_curve == 0) {
444 ECerr(EC_F_EC_GROUP_GET_CURVE_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 458 ECerr(EC_F_EC_GROUP_GET_CURVE_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
445 return 0; 459 return 0;
446 }
447 return group->meth->group_get_curve(group, p, a, b, ctx);
448 } 460 }
461 return group->meth->group_get_curve(group, p, a, b, ctx);
462}
449#endif 463#endif
450 464
451int EC_GROUP_get_degree(const EC_GROUP *group) 465int
452 { 466EC_GROUP_get_degree(const EC_GROUP * group)
453 if (group->meth->group_get_degree == 0) 467{
454 { 468 if (group->meth->group_get_degree == 0) {
455 ECerr(EC_F_EC_GROUP_GET_DEGREE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 469 ECerr(EC_F_EC_GROUP_GET_DEGREE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
456 return 0; 470 return 0;
457 }
458 return group->meth->group_get_degree(group);
459 } 471 }
472 return group->meth->group_get_degree(group);
473}
460 474
461 475
462int EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx) 476int
463 { 477EC_GROUP_check_discriminant(const EC_GROUP * group, BN_CTX * ctx)
464 if (group->meth->group_check_discriminant == 0) 478{
465 { 479 if (group->meth->group_check_discriminant == 0) {
466 ECerr(EC_F_EC_GROUP_CHECK_DISCRIMINANT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 480 ECerr(EC_F_EC_GROUP_CHECK_DISCRIMINANT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
467 return 0; 481 return 0;
468 }
469 return group->meth->group_check_discriminant(group, ctx);
470 } 482 }
483 return group->meth->group_check_discriminant(group, ctx);
484}
471 485
472 486
473int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx) 487int
474 { 488EC_GROUP_cmp(const EC_GROUP * a, const EC_GROUP * b, BN_CTX * ctx)
475 int r = 0; 489{
490 int r = 0;
476 BIGNUM *a1, *a2, *a3, *b1, *b2, *b3; 491 BIGNUM *a1, *a2, *a3, *b1, *b2, *b3;
477 BN_CTX *ctx_new = NULL; 492 BN_CTX *ctx_new = NULL;
478 493
479 /* compare the field types*/ 494 /* compare the field types */
480 if (EC_METHOD_get_field_type(EC_GROUP_method_of(a)) != 495 if (EC_METHOD_get_field_type(EC_GROUP_method_of(a)) !=
481 EC_METHOD_get_field_type(EC_GROUP_method_of(b))) 496 EC_METHOD_get_field_type(EC_GROUP_method_of(b)))
482 return 1; 497 return 1;
@@ -489,7 +504,7 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx)
489 ctx_new = ctx = BN_CTX_new(); 504 ctx_new = ctx = BN_CTX_new();
490 if (!ctx) 505 if (!ctx)
491 return -1; 506 return -1;
492 507
493 BN_CTX_start(ctx); 508 BN_CTX_start(ctx);
494 a1 = BN_CTX_get(ctx); 509 a1 = BN_CTX_get(ctx);
495 a2 = BN_CTX_get(ctx); 510 a2 = BN_CTX_get(ctx);
@@ -497,16 +512,15 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx)
497 b1 = BN_CTX_get(ctx); 512 b1 = BN_CTX_get(ctx);
498 b2 = BN_CTX_get(ctx); 513 b2 = BN_CTX_get(ctx);
499 b3 = BN_CTX_get(ctx); 514 b3 = BN_CTX_get(ctx);
500 if (!b3) 515 if (!b3) {
501 {
502 BN_CTX_end(ctx); 516 BN_CTX_end(ctx);
503 if (ctx_new) 517 if (ctx_new)
504 BN_CTX_free(ctx); 518 BN_CTX_free(ctx);
505 return -1; 519 return -1;
506 } 520 }
507 521 /*
508 /* XXX This approach assumes that the external representation 522 * XXX This approach assumes that the external representation of
509 * of curves over the same field type is the same. 523 * curves over the same field type is the same.
510 */ 524 */
511 if (!a->meth->group_get_curve(a, a1, a2, a3, ctx) || 525 if (!a->meth->group_get_curve(a, a1, a2, a3, ctx) ||
512 !b->meth->group_get_curve(b, b1, b2, b3, ctx)) 526 !b->meth->group_get_curve(b, b1, b2, b3, ctx))
@@ -517,51 +531,50 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx)
517 531
518 /* XXX EC_POINT_cmp() assumes that the methods are equal */ 532 /* XXX EC_POINT_cmp() assumes that the methods are equal */
519 if (r || EC_POINT_cmp(a, EC_GROUP_get0_generator(a), 533 if (r || EC_POINT_cmp(a, EC_GROUP_get0_generator(a),
520 EC_GROUP_get0_generator(b), ctx)) 534 EC_GROUP_get0_generator(b), ctx))
521 r = 1; 535 r = 1;
522 536
523 if (!r) 537 if (!r) {
524 {
525 /* compare the order and cofactor */ 538 /* compare the order and cofactor */
526 if (!EC_GROUP_get_order(a, a1, ctx) || 539 if (!EC_GROUP_get_order(a, a1, ctx) ||
527 !EC_GROUP_get_order(b, b1, ctx) || 540 !EC_GROUP_get_order(b, b1, ctx) ||
528 !EC_GROUP_get_cofactor(a, a2, ctx) || 541 !EC_GROUP_get_cofactor(a, a2, ctx) ||
529 !EC_GROUP_get_cofactor(b, b2, ctx)) 542 !EC_GROUP_get_cofactor(b, b2, ctx)) {
530 {
531 BN_CTX_end(ctx); 543 BN_CTX_end(ctx);
532 if (ctx_new) 544 if (ctx_new)
533 BN_CTX_free(ctx); 545 BN_CTX_free(ctx);
534 return -1; 546 return -1;
535 } 547 }
536 if (BN_cmp(a1, b1) || BN_cmp(a2, b2)) 548 if (BN_cmp(a1, b1) || BN_cmp(a2, b2))
537 r = 1; 549 r = 1;
538 } 550 }
539
540 BN_CTX_end(ctx); 551 BN_CTX_end(ctx);
541 if (ctx_new) 552 if (ctx_new)
542 BN_CTX_free(ctx); 553 BN_CTX_free(ctx);
543 554
544 return r; 555 return r;
545 } 556}
546 557
547 558
548/* this has 'package' visibility */ 559/* this has 'package' visibility */
549int EC_EX_DATA_set_data(EC_EXTRA_DATA **ex_data, void *data, 560int
550 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) 561EC_EX_DATA_set_data(EC_EXTRA_DATA ** ex_data, void *data,
551 { 562 void *(*dup_func) (void *),
563 void (*free_func) (void *),
564 void (*clear_free_func) (void *))
565{
552 EC_EXTRA_DATA *d; 566 EC_EXTRA_DATA *d;
553 567
554 if (ex_data == NULL) 568 if (ex_data == NULL)
555 return 0; 569 return 0;
556 570
557 for (d = *ex_data; d != NULL; d = d->next) 571 for (d = *ex_data; d != NULL; d = d->next) {
558 { 572 if (d->dup_func == dup_func && d->free_func == free_func &&
559 if (d->dup_func == dup_func && d->free_func == free_func && d->clear_free_func == clear_free_func) 573 d->clear_free_func == clear_free_func) {
560 {
561 ECerr(EC_F_EC_EX_DATA_SET_DATA, EC_R_SLOT_FULL); 574 ECerr(EC_F_EC_EX_DATA_SET_DATA, EC_R_SLOT_FULL);
562 return 0; 575 return 0;
563 }
564 } 576 }
577 }
565 578
566 if (data == NULL) 579 if (data == NULL)
567 /* no explicit entry needed */ 580 /* no explicit entry needed */
@@ -580,163 +593,169 @@ int EC_EX_DATA_set_data(EC_EXTRA_DATA **ex_data, void *data,
580 *ex_data = d; 593 *ex_data = d;
581 594
582 return 1; 595 return 1;
583 } 596}
584 597
585/* this has 'package' visibility */ 598/* this has 'package' visibility */
586void *EC_EX_DATA_get_data(const EC_EXTRA_DATA *ex_data, 599void *
587 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) 600EC_EX_DATA_get_data(const EC_EXTRA_DATA * ex_data,
588 { 601 void *(*dup_func) (void *),
602 void (*free_func) (void *),
603 void (*clear_free_func) (void *))
604{
589 const EC_EXTRA_DATA *d; 605 const EC_EXTRA_DATA *d;
590 606
591 for (d = ex_data; d != NULL; d = d->next) 607 for (d = ex_data; d != NULL; d = d->next) {
592 {
593 if (d->dup_func == dup_func && d->free_func == free_func && d->clear_free_func == clear_free_func) 608 if (d->dup_func == dup_func && d->free_func == free_func && d->clear_free_func == clear_free_func)
594 return d->data; 609 return d->data;
595 }
596
597 return NULL;
598 } 610 }
599 611
612 return NULL;
613}
614
600/* this has 'package' visibility */ 615/* this has 'package' visibility */
601void EC_EX_DATA_free_data(EC_EXTRA_DATA **ex_data, 616void
602 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) 617EC_EX_DATA_free_data(EC_EXTRA_DATA ** ex_data,
603 { 618 void *(*dup_func) (void *),
619 void (*free_func) (void *),
620 void (*clear_free_func) (void *))
621{
604 EC_EXTRA_DATA **p; 622 EC_EXTRA_DATA **p;
605 623
606 if (ex_data == NULL) 624 if (ex_data == NULL)
607 return; 625 return;
608 626
609 for (p = ex_data; *p != NULL; p = &((*p)->next)) 627 for (p = ex_data; *p != NULL; p = &((*p)->next)) {
610 { 628 if ((*p)->dup_func == dup_func &&
611 if ((*p)->dup_func == dup_func && (*p)->free_func == free_func && (*p)->clear_free_func == clear_free_func) 629 (*p)->free_func == free_func &&
612 { 630 (*p)->clear_free_func == clear_free_func) {
613 EC_EXTRA_DATA *next = (*p)->next; 631 EC_EXTRA_DATA *next = (*p)->next;
614 632
615 (*p)->free_func((*p)->data); 633 (*p)->free_func((*p)->data);
616 free(*p); 634 free(*p);
617 635
618 *p = next; 636 *p = next;
619 return; 637 return;
620 }
621 } 638 }
622 } 639 }
640}
623 641
624/* this has 'package' visibility */ 642/* this has 'package' visibility */
625void EC_EX_DATA_clear_free_data(EC_EXTRA_DATA **ex_data, 643void
626 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) 644EC_EX_DATA_clear_free_data(EC_EXTRA_DATA ** ex_data,
627 { 645 void *(*dup_func) (void *),
646 void (*free_func) (void *),
647 void (*clear_free_func) (void *))
648{
628 EC_EXTRA_DATA **p; 649 EC_EXTRA_DATA **p;
629 650
630 if (ex_data == NULL) 651 if (ex_data == NULL)
631 return; 652 return;
632 653
633 for (p = ex_data; *p != NULL; p = &((*p)->next)) 654 for (p = ex_data; *p != NULL; p = &((*p)->next)) {
634 { 655 if ((*p)->dup_func == dup_func &&
635 if ((*p)->dup_func == dup_func && (*p)->free_func == free_func && (*p)->clear_free_func == clear_free_func) 656 (*p)->free_func == free_func &&
636 { 657 (*p)->clear_free_func == clear_free_func) {
637 EC_EXTRA_DATA *next = (*p)->next; 658 EC_EXTRA_DATA *next = (*p)->next;
638 659
639 (*p)->clear_free_func((*p)->data); 660 (*p)->clear_free_func((*p)->data);
640 free(*p); 661 free(*p);
641 662
642 *p = next; 663 *p = next;
643 return; 664 return;
644 }
645 } 665 }
646 } 666 }
667}
647 668
648/* this has 'package' visibility */ 669/* this has 'package' visibility */
649void EC_EX_DATA_free_all_data(EC_EXTRA_DATA **ex_data) 670void
650 { 671EC_EX_DATA_free_all_data(EC_EXTRA_DATA ** ex_data)
672{
651 EC_EXTRA_DATA *d; 673 EC_EXTRA_DATA *d;
652 674
653 if (ex_data == NULL) 675 if (ex_data == NULL)
654 return; 676 return;
655 677
656 d = *ex_data; 678 d = *ex_data;
657 while (d) 679 while (d) {
658 {
659 EC_EXTRA_DATA *next = d->next; 680 EC_EXTRA_DATA *next = d->next;
660 681
661 d->free_func(d->data); 682 d->free_func(d->data);
662 free(d); 683 free(d);
663 684
664 d = next; 685 d = next;
665 }
666 *ex_data = NULL;
667 } 686 }
687 *ex_data = NULL;
688}
668 689
669/* this has 'package' visibility */ 690/* this has 'package' visibility */
670void EC_EX_DATA_clear_free_all_data(EC_EXTRA_DATA **ex_data) 691void
671 { 692EC_EX_DATA_clear_free_all_data(EC_EXTRA_DATA ** ex_data)
693{
672 EC_EXTRA_DATA *d; 694 EC_EXTRA_DATA *d;
673 695
674 if (ex_data == NULL) 696 if (ex_data == NULL)
675 return; 697 return;
676 698
677 d = *ex_data; 699 d = *ex_data;
678 while (d) 700 while (d) {
679 {
680 EC_EXTRA_DATA *next = d->next; 701 EC_EXTRA_DATA *next = d->next;
681 702
682 d->clear_free_func(d->data); 703 d->clear_free_func(d->data);
683 free(d); 704 free(d);
684 705
685 d = next; 706 d = next;
686 }
687 *ex_data = NULL;
688 } 707 }
708 *ex_data = NULL;
709}
689 710
690 711
691/* functions for EC_POINT objects */ 712/* functions for EC_POINT objects */
692 713
693EC_POINT *EC_POINT_new(const EC_GROUP *group) 714EC_POINT *
694 { 715EC_POINT_new(const EC_GROUP * group)
716{
695 EC_POINT *ret; 717 EC_POINT *ret;
696 718
697 if (group == NULL) 719 if (group == NULL) {
698 {
699 ECerr(EC_F_EC_POINT_NEW, ERR_R_PASSED_NULL_PARAMETER); 720 ECerr(EC_F_EC_POINT_NEW, ERR_R_PASSED_NULL_PARAMETER);
700 return NULL; 721 return NULL;
701 } 722 }
702 if (group->meth->point_init == 0) 723 if (group->meth->point_init == 0) {
703 {
704 ECerr(EC_F_EC_POINT_NEW, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 724 ECerr(EC_F_EC_POINT_NEW, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
705 return NULL; 725 return NULL;
706 } 726 }
707
708 ret = malloc(sizeof *ret); 727 ret = malloc(sizeof *ret);
709 if (ret == NULL) 728 if (ret == NULL) {
710 {
711 ECerr(EC_F_EC_POINT_NEW, ERR_R_MALLOC_FAILURE); 729 ECerr(EC_F_EC_POINT_NEW, ERR_R_MALLOC_FAILURE);
712 return NULL; 730 return NULL;
713 } 731 }
714
715 ret->meth = group->meth; 732 ret->meth = group->meth;
716 733
717 if (!ret->meth->point_init(ret)) 734 if (!ret->meth->point_init(ret)) {
718 {
719 free(ret); 735 free(ret);
720 return NULL; 736 return NULL;
721 }
722
723 return ret;
724 } 737 }
738 return ret;
739}
725 740
726 741
727void EC_POINT_free(EC_POINT *point) 742void
728 { 743EC_POINT_free(EC_POINT * point)
729 if (!point) return; 744{
745 if (!point)
746 return;
730 747
731 if (point->meth->point_finish != 0) 748 if (point->meth->point_finish != 0)
732 point->meth->point_finish(point); 749 point->meth->point_finish(point);
733 free(point); 750 free(point);
734 } 751}
735
736 752
737void EC_POINT_clear_free(EC_POINT *point) 753
738 { 754void
739 if (!point) return; 755EC_POINT_clear_free(EC_POINT * point)
756{
757 if (!point)
758 return;
740 759
741 if (point->meth->point_clear_finish != 0) 760 if (point->meth->point_clear_finish != 0)
742 point->meth->point_clear_finish(point); 761 point->meth->point_clear_finish(point);
@@ -744,301 +763,290 @@ void EC_POINT_clear_free(EC_POINT *point)
744 point->meth->point_finish(point); 763 point->meth->point_finish(point);
745 OPENSSL_cleanse(point, sizeof *point); 764 OPENSSL_cleanse(point, sizeof *point);
746 free(point); 765 free(point);
747 } 766}
748 767
749 768
750int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src) 769int
751 { 770EC_POINT_copy(EC_POINT * dest, const EC_POINT * src)
752 if (dest->meth->point_copy == 0) 771{
753 { 772 if (dest->meth->point_copy == 0) {
754 ECerr(EC_F_EC_POINT_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 773 ECerr(EC_F_EC_POINT_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
755 return 0; 774 return 0;
756 } 775 }
757 if (dest->meth != src->meth) 776 if (dest->meth != src->meth) {
758 {
759 ECerr(EC_F_EC_POINT_COPY, EC_R_INCOMPATIBLE_OBJECTS); 777 ECerr(EC_F_EC_POINT_COPY, EC_R_INCOMPATIBLE_OBJECTS);
760 return 0; 778 return 0;
761 } 779 }
762 if (dest == src) 780 if (dest == src)
763 return 1; 781 return 1;
764 return dest->meth->point_copy(dest, src); 782 return dest->meth->point_copy(dest, src);
765 } 783}
766 784
767 785
768EC_POINT *EC_POINT_dup(const EC_POINT *a, const EC_GROUP *group) 786EC_POINT *
769 { 787EC_POINT_dup(const EC_POINT * a, const EC_GROUP * group)
788{
770 EC_POINT *t; 789 EC_POINT *t;
771 int r; 790 int r;
772 791
773 if (a == NULL) return NULL; 792 if (a == NULL)
793 return NULL;
774 794
775 t = EC_POINT_new(group); 795 t = EC_POINT_new(group);
776 if (t == NULL) return(NULL); 796 if (t == NULL)
797 return (NULL);
777 r = EC_POINT_copy(t, a); 798 r = EC_POINT_copy(t, a);
778 if (!r) 799 if (!r) {
779 {
780 EC_POINT_free(t); 800 EC_POINT_free(t);
781 return NULL; 801 return NULL;
782 } 802 } else
783 else return t; 803 return t;
784 } 804}
785 805
786 806
787const EC_METHOD *EC_POINT_method_of(const EC_POINT *point) 807const EC_METHOD *
788 { 808EC_POINT_method_of(const EC_POINT * point)
809{
789 return point->meth; 810 return point->meth;
790 } 811}
791 812
792 813
793int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point) 814int
794 { 815EC_POINT_set_to_infinity(const EC_GROUP * group, EC_POINT * point)
795 if (group->meth->point_set_to_infinity == 0) 816{
796 { 817 if (group->meth->point_set_to_infinity == 0) {
797 ECerr(EC_F_EC_POINT_SET_TO_INFINITY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 818 ECerr(EC_F_EC_POINT_SET_TO_INFINITY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
798 return 0; 819 return 0;
799 } 820 }
800 if (group->meth != point->meth) 821 if (group->meth != point->meth) {
801 {
802 ECerr(EC_F_EC_POINT_SET_TO_INFINITY, EC_R_INCOMPATIBLE_OBJECTS); 822 ECerr(EC_F_EC_POINT_SET_TO_INFINITY, EC_R_INCOMPATIBLE_OBJECTS);
803 return 0; 823 return 0;
804 }
805 return group->meth->point_set_to_infinity(group, point);
806 } 824 }
825 return group->meth->point_set_to_infinity(group, point);
826}
807 827
808 828
809int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, 829int
810 const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx) 830EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
811 { 831 const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
812 if (group->meth->point_set_Jprojective_coordinates_GFp == 0) 832{
813 { 833 if (group->meth->point_set_Jprojective_coordinates_GFp == 0) {
814 ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 834 ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
815 return 0; 835 return 0;
816 } 836 }
817 if (group->meth != point->meth) 837 if (group->meth != point->meth) {
818 {
819 ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); 838 ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
820 return 0; 839 return 0;
821 }
822 return group->meth->point_set_Jprojective_coordinates_GFp(group, point, x, y, z, ctx);
823 } 840 }
841 return group->meth->point_set_Jprojective_coordinates_GFp(group, point, x, y, z, ctx);
842}
824 843
825 844
826int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point, 845int
827 BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx) 846EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
828 { 847 const EC_POINT *point, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
829 if (group->meth->point_get_Jprojective_coordinates_GFp == 0) 848{
830 { 849 if (group->meth->point_get_Jprojective_coordinates_GFp == 0) {
831 ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 850 ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
832 return 0; 851 return 0;
833 } 852 }
834 if (group->meth != point->meth) 853 if (group->meth != point->meth) {
835 {
836 ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); 854 ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
837 return 0; 855 return 0;
838 }
839 return group->meth->point_get_Jprojective_coordinates_GFp(group, point, x, y, z, ctx);
840 } 856 }
857 return group->meth->point_get_Jprojective_coordinates_GFp(group, point, x, y, z, ctx);
858}
841 859
842 860
843int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, 861int
844 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) 862EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
845 { 863 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
846 if (group->meth->point_set_affine_coordinates == 0) 864{
847 { 865 if (group->meth->point_set_affine_coordinates == 0) {
848 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 866 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
849 return 0; 867 return 0;
850 } 868 }
851 if (group->meth != point->meth) 869 if (group->meth != point->meth) {
852 {
853 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); 870 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
854 return 0; 871 return 0;
855 }
856 return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
857 } 872 }
873 return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
874}
858 875
859#ifndef OPENSSL_NO_EC2M 876#ifndef OPENSSL_NO_EC2M
860int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point, 877int
861 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) 878EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
862 { 879 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
863 if (group->meth->point_set_affine_coordinates == 0) 880{
864 { 881 if (group->meth->point_set_affine_coordinates == 0) {
865 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 882 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
866 return 0; 883 return 0;
867 } 884 }
868 if (group->meth != point->meth) 885 if (group->meth != point->meth) {
869 {
870 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS); 886 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS);
871 return 0; 887 return 0;
872 }
873 return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
874 } 888 }
889 return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
890}
875#endif 891#endif
876 892
877int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point, 893int
878 BIGNUM *x, BIGNUM *y, BN_CTX *ctx) 894EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
879 { 895 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
880 if (group->meth->point_get_affine_coordinates == 0) 896{
881 { 897 if (group->meth->point_get_affine_coordinates == 0) {
882 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 898 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
883 return 0; 899 return 0;
884 } 900 }
885 if (group->meth != point->meth) 901 if (group->meth != point->meth) {
886 {
887 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); 902 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
888 return 0; 903 return 0;
889 }
890 return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
891 } 904 }
905 return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
906}
892 907
893#ifndef OPENSSL_NO_EC2M 908#ifndef OPENSSL_NO_EC2M
894int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, const EC_POINT *point, 909int
895 BIGNUM *x, BIGNUM *y, BN_CTX *ctx) 910EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, const EC_POINT *point,
896 { 911 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
897 if (group->meth->point_get_affine_coordinates == 0) 912{
898 { 913 if (group->meth->point_get_affine_coordinates == 0) {
899 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 914 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
900 return 0; 915 return 0;
901 } 916 }
902 if (group->meth != point->meth) 917 if (group->meth != point->meth) {
903 {
904 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS); 918 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS);
905 return 0; 919 return 0;
906 }
907 return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
908 } 920 }
921 return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
922}
909#endif 923#endif
910 924
911int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) 925int
912 { 926EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
913 if (group->meth->add == 0) 927 const EC_POINT *b, BN_CTX *ctx)
914 { 928{
929 if (group->meth->add == 0) {
915 ECerr(EC_F_EC_POINT_ADD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 930 ECerr(EC_F_EC_POINT_ADD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
916 return 0; 931 return 0;
917 } 932 }
918 if ((group->meth != r->meth) || (r->meth != a->meth) || (a->meth != b->meth)) 933 if ((group->meth != r->meth) || (r->meth != a->meth) || (a->meth != b->meth)) {
919 {
920 ECerr(EC_F_EC_POINT_ADD, EC_R_INCOMPATIBLE_OBJECTS); 934 ECerr(EC_F_EC_POINT_ADD, EC_R_INCOMPATIBLE_OBJECTS);
921 return 0; 935 return 0;
922 }
923 return group->meth->add(group, r, a, b, ctx);
924 } 936 }
937 return group->meth->add(group, r, a, b, ctx);
938}
925 939
926 940
927int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) 941int
928 { 942EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
929 if (group->meth->dbl == 0) 943{
930 { 944 if (group->meth->dbl == 0) {
931 ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 945 ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
932 return 0; 946 return 0;
933 } 947 }
934 if ((group->meth != r->meth) || (r->meth != a->meth)) 948 if ((group->meth != r->meth) || (r->meth != a->meth)) {
935 {
936 ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS); 949 ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS);
937 return 0; 950 return 0;
938 }
939 return group->meth->dbl(group, r, a, ctx);
940 } 951 }
952 return group->meth->dbl(group, r, a, ctx);
953}
941 954
942 955
943int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) 956int
944 { 957EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx)
945 if (group->meth->invert == 0) 958{
946 { 959 if (group->meth->invert == 0) {
947 ECerr(EC_F_EC_POINT_INVERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 960 ECerr(EC_F_EC_POINT_INVERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
948 return 0; 961 return 0;
949 } 962 }
950 if (group->meth != a->meth) 963 if (group->meth != a->meth) {
951 {
952 ECerr(EC_F_EC_POINT_INVERT, EC_R_INCOMPATIBLE_OBJECTS); 964 ECerr(EC_F_EC_POINT_INVERT, EC_R_INCOMPATIBLE_OBJECTS);
953 return 0; 965 return 0;
954 }
955 return group->meth->invert(group, a, ctx);
956 } 966 }
967 return group->meth->invert(group, a, ctx);
968}
957 969
958 970
959int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) 971int
960 { 972EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
961 if (group->meth->is_at_infinity == 0) 973{
962 { 974 if (group->meth->is_at_infinity == 0) {
963 ECerr(EC_F_EC_POINT_IS_AT_INFINITY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 975 ECerr(EC_F_EC_POINT_IS_AT_INFINITY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
964 return 0; 976 return 0;
965 } 977 }
966 if (group->meth != point->meth) 978 if (group->meth != point->meth) {
967 {
968 ECerr(EC_F_EC_POINT_IS_AT_INFINITY, EC_R_INCOMPATIBLE_OBJECTS); 979 ECerr(EC_F_EC_POINT_IS_AT_INFINITY, EC_R_INCOMPATIBLE_OBJECTS);
969 return 0; 980 return 0;
970 }
971 return group->meth->is_at_infinity(group, point);
972 } 981 }
982 return group->meth->is_at_infinity(group, point);
983}
973 984
974 985
975int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx) 986int
976 { 987EC_POINT_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX * ctx)
977 if (group->meth->is_on_curve == 0) 988{
978 { 989 if (group->meth->is_on_curve == 0) {
979 ECerr(EC_F_EC_POINT_IS_ON_CURVE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 990 ECerr(EC_F_EC_POINT_IS_ON_CURVE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
980 return 0; 991 return 0;
981 } 992 }
982 if (group->meth != point->meth) 993 if (group->meth != point->meth) {
983 {
984 ECerr(EC_F_EC_POINT_IS_ON_CURVE, EC_R_INCOMPATIBLE_OBJECTS); 994 ECerr(EC_F_EC_POINT_IS_ON_CURVE, EC_R_INCOMPATIBLE_OBJECTS);
985 return 0; 995 return 0;
986 }
987 return group->meth->is_on_curve(group, point, ctx);
988 } 996 }
997 return group->meth->is_on_curve(group, point, ctx);
998}
989 999
990 1000
991int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) 1001int
992 { 1002EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b,
993 if (group->meth->point_cmp == 0) 1003 BN_CTX * ctx)
994 { 1004{
1005 if (group->meth->point_cmp == 0) {
995 ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1006 ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
996 return -1; 1007 return -1;
997 } 1008 }
998 if ((group->meth != a->meth) || (a->meth != b->meth)) 1009 if ((group->meth != a->meth) || (a->meth != b->meth)) {
999 {
1000 ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS); 1010 ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS);
1001 return -1; 1011 return -1;
1002 }
1003 return group->meth->point_cmp(group, a, b, ctx);
1004 } 1012 }
1013 return group->meth->point_cmp(group, a, b, ctx);
1014}
1005 1015
1006 1016
1007int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) 1017int
1008 { 1018EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1009 if (group->meth->make_affine == 0) 1019{
1010 { 1020 if (group->meth->make_affine == 0) {
1011 ECerr(EC_F_EC_POINT_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1021 ECerr(EC_F_EC_POINT_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1012 return 0; 1022 return 0;
1013 } 1023 }
1014 if (group->meth != point->meth) 1024 if (group->meth != point->meth) {
1015 {
1016 ECerr(EC_F_EC_POINT_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS); 1025 ECerr(EC_F_EC_POINT_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS);
1017 return 0; 1026 return 0;
1018 }
1019 return group->meth->make_affine(group, point, ctx);
1020 } 1027 }
1028 return group->meth->make_affine(group, point, ctx);
1029}
1021 1030
1022 1031
1023int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx) 1032int
1024 { 1033EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
1034 BN_CTX *ctx)
1035{
1025 size_t i; 1036 size_t i;
1026 1037
1027 if (group->meth->points_make_affine == 0) 1038 if (group->meth->points_make_affine == 0) {
1028 {
1029 ECerr(EC_F_EC_POINTS_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1039 ECerr(EC_F_EC_POINTS_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1030 return 0; 1040 return 0;
1031 } 1041 }
1032 for (i = 0; i < num; i++) 1042 for (i = 0; i < num; i++) {
1033 { 1043 if (group->meth != points[i]->meth) {
1034 if (group->meth != points[i]->meth)
1035 {
1036 ECerr(EC_F_EC_POINTS_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS); 1044 ECerr(EC_F_EC_POINTS_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS);
1037 return 0; 1045 return 0;
1038 }
1039 } 1046 }
1040 return group->meth->points_make_affine(group, num, points, ctx);
1041 } 1047 }
1048 return group->meth->points_make_affine(group, num, points, ctx);
1049}
1042 1050
1043 1051
1044/* Functions for point multiplication. 1052/* Functions for point multiplication.
@@ -1047,19 +1055,21 @@ int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
1047 * otherwise we dispatch through methods. 1055 * otherwise we dispatch through methods.
1048 */ 1056 */
1049 1057
1050int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, 1058int
1051 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) 1059EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
1052 { 1060 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
1061{
1053 if (group->meth->mul == 0) 1062 if (group->meth->mul == 0)
1054 /* use default */ 1063 /* use default */
1055 return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); 1064 return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
1056 1065
1057 return group->meth->mul(group, r, scalar, num, points, scalars, ctx); 1066 return group->meth->mul(group, r, scalar, num, points, scalars, ctx);
1058 } 1067}
1059 1068
1060int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, 1069int
1061 const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx) 1070EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
1062 { 1071 const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx)
1072{
1063 /* just a convenient interface to EC_POINTs_mul() */ 1073 /* just a convenient interface to EC_POINTs_mul() */
1064 1074
1065 const EC_POINT *points[1]; 1075 const EC_POINT *points[1];
@@ -1068,11 +1078,14 @@ int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
1068 points[0] = point; 1078 points[0] = point;
1069 scalars[0] = p_scalar; 1079 scalars[0] = p_scalar;
1070 1080
1071 return EC_POINTs_mul(group, r, g_scalar, (point != NULL && p_scalar != NULL), points, scalars, ctx); 1081 return EC_POINTs_mul(group, r, g_scalar,
1072 } 1082 (point != NULL && p_scalar != NULL),
1083 points, scalars, ctx);
1084}
1073 1085
1074int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx) 1086int
1075 { 1087EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
1088{
1076 if (group->meth->mul == 0) 1089 if (group->meth->mul == 0)
1077 /* use default */ 1090 /* use default */
1078 return ec_wNAF_precompute_mult(group, ctx); 1091 return ec_wNAF_precompute_mult(group, ctx);
@@ -1080,11 +1093,12 @@ int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
1080 if (group->meth->precompute_mult != 0) 1093 if (group->meth->precompute_mult != 0)
1081 return group->meth->precompute_mult(group, ctx); 1094 return group->meth->precompute_mult(group, ctx);
1082 else 1095 else
1083 return 1; /* nothing to do, so report success */ 1096 return 1; /* nothing to do, so report success */
1084 } 1097}
1085 1098
1086int EC_GROUP_have_precompute_mult(const EC_GROUP *group) 1099int
1087 { 1100EC_GROUP_have_precompute_mult(const EC_GROUP * group)
1101{
1088 if (group->meth->mul == 0) 1102 if (group->meth->mul == 0)
1089 /* use default */ 1103 /* use default */
1090 return ec_wNAF_have_precompute_mult(group); 1104 return ec_wNAF_have_precompute_mult(group);
@@ -1092,5 +1106,6 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *group)
1092 if (group->meth->have_precompute_mult != 0) 1106 if (group->meth->have_precompute_mult != 0)
1093 return group->meth->have_precompute_mult(group); 1107 return group->meth->have_precompute_mult(group);
1094 else 1108 else
1095 return 0; /* cannot tell whether precomputation has been performed */ 1109 return 0; /* cannot tell whether precomputation has
1096 } 1110 * been performed */
1111}
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index b48c888048..c0525c4940 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -80,46 +80,49 @@
80 80
81/* structure for precomputed multiples of the generator */ 81/* structure for precomputed multiples of the generator */
82typedef struct ec_pre_comp_st { 82typedef struct ec_pre_comp_st {
83 const EC_GROUP *group; /* parent EC_GROUP object */ 83 const EC_GROUP *group; /* parent EC_GROUP object */
84 size_t blocksize; /* block size for wNAF splitting */ 84 size_t blocksize; /* block size for wNAF splitting */
85 size_t numblocks; /* max. number of blocks for which we have precomputation */ 85 size_t numblocks; /* max. number of blocks for which we have
86 size_t w; /* window size */ 86 * precomputation */
87 EC_POINT **points; /* array with pre-calculated multiples of generator: 87 size_t w; /* window size */
88 * 'num' pointers to EC_POINT objects followed by a NULL */ 88 EC_POINT **points; /* array with pre-calculated multiples of
89 size_t num; /* numblocks * 2^(w-1) */ 89 * generator: 'num' pointers to EC_POINT
90 * objects followed by a NULL */
91 size_t num; /* numblocks * 2^(w-1) */
90 int references; 92 int references;
91} EC_PRE_COMP; 93} EC_PRE_COMP;
92 94
93/* functions to manage EC_PRE_COMP within the EC_GROUP extra_data framework */ 95/* functions to manage EC_PRE_COMP within the EC_GROUP extra_data framework */
94static void *ec_pre_comp_dup(void *); 96static void *ec_pre_comp_dup(void *);
95static void ec_pre_comp_free(void *); 97static void ec_pre_comp_free(void *);
96static void ec_pre_comp_clear_free(void *); 98static void ec_pre_comp_clear_free(void *);
97 99
98static EC_PRE_COMP *ec_pre_comp_new(const EC_GROUP *group) 100static EC_PRE_COMP *
99 { 101ec_pre_comp_new(const EC_GROUP * group)
102{
100 EC_PRE_COMP *ret = NULL; 103 EC_PRE_COMP *ret = NULL;
101 104
102 if (!group) 105 if (!group)
103 return NULL; 106 return NULL;
104 107
105 ret = (EC_PRE_COMP *)malloc(sizeof(EC_PRE_COMP)); 108 ret = (EC_PRE_COMP *) malloc(sizeof(EC_PRE_COMP));
106 if (!ret) 109 if (!ret) {
107 {
108 ECerr(EC_F_EC_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); 110 ECerr(EC_F_EC_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
109 return ret; 111 return ret;
110 } 112 }
111 ret->group = group; 113 ret->group = group;
112 ret->blocksize = 8; /* default */ 114 ret->blocksize = 8; /* default */
113 ret->numblocks = 0; 115 ret->numblocks = 0;
114 ret->w = 4; /* default */ 116 ret->w = 4; /* default */
115 ret->points = NULL; 117 ret->points = NULL;
116 ret->num = 0; 118 ret->num = 0;
117 ret->references = 1; 119 ret->references = 1;
118 return ret; 120 return ret;
119 } 121}
120 122
121static void *ec_pre_comp_dup(void *src_) 123static void *
122 { 124ec_pre_comp_dup(void *src_)
125{
123 EC_PRE_COMP *src = src_; 126 EC_PRE_COMP *src = src_;
124 127
125 /* no need to actually copy, these objects never change! */ 128 /* no need to actually copy, these objects never change! */
@@ -127,10 +130,11 @@ static void *ec_pre_comp_dup(void *src_)
127 CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP); 130 CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP);
128 131
129 return src_; 132 return src_;
130 } 133}
131 134
132static void ec_pre_comp_free(void *pre_) 135static void
133 { 136ec_pre_comp_free(void *pre_)
137{
134 int i; 138 int i;
135 EC_PRE_COMP *pre = pre_; 139 EC_PRE_COMP *pre = pre_;
136 140
@@ -141,19 +145,19 @@ static void ec_pre_comp_free(void *pre_)
141 if (i > 0) 145 if (i > 0)
142 return; 146 return;
143 147
144 if (pre->points) 148 if (pre->points) {
145 {
146 EC_POINT **p; 149 EC_POINT **p;
147 150
148 for (p = pre->points; *p != NULL; p++) 151 for (p = pre->points; *p != NULL; p++)
149 EC_POINT_free(*p); 152 EC_POINT_free(*p);
150 free(pre->points); 153 free(pre->points);
151 }
152 free(pre);
153 } 154 }
155 free(pre);
156}
154 157
155static void ec_pre_comp_clear_free(void *pre_) 158static void
156 { 159ec_pre_comp_clear_free(void *pre_)
160{
157 int i; 161 int i;
158 EC_PRE_COMP *pre = pre_; 162 EC_PRE_COMP *pre = pre_;
159 163
@@ -164,20 +168,18 @@ static void ec_pre_comp_clear_free(void *pre_)
164 if (i > 0) 168 if (i > 0)
165 return; 169 return;
166 170
167 if (pre->points) 171 if (pre->points) {
168 {
169 EC_POINT **p; 172 EC_POINT **p;
170 173
171 for (p = pre->points; *p != NULL; p++) 174 for (p = pre->points; *p != NULL; p++) {
172 {
173 EC_POINT_clear_free(*p); 175 EC_POINT_clear_free(*p);
174 OPENSSL_cleanse(p, sizeof *p); 176 OPENSSL_cleanse(p, sizeof *p);
175 }
176 free(pre->points);
177 } 177 }
178 free(pre->points);
179 }
178 OPENSSL_cleanse(pre, sizeof *pre); 180 OPENSSL_cleanse(pre, sizeof *pre);
179 free(pre); 181 free(pre);
180 } 182}
181 183
182 184
183 185
@@ -190,138 +192,125 @@ static void ec_pre_comp_clear_free(void *pre_)
190 * with the exception that the most significant digit may be only 192 * with the exception that the most significant digit may be only
191 * w-1 zeros away from that next non-zero digit. 193 * w-1 zeros away from that next non-zero digit.
192 */ 194 */
193static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len) 195static signed char *
194 { 196compute_wNAF(const BIGNUM * scalar, int w, size_t * ret_len)
197{
195 int window_val; 198 int window_val;
196 int ok = 0; 199 int ok = 0;
197 signed char *r = NULL; 200 signed char *r = NULL;
198 int sign = 1; 201 int sign = 1;
199 int bit, next_bit, mask; 202 int bit, next_bit, mask;
200 size_t len = 0, j; 203 size_t len = 0, j;
201 204
202 if (BN_is_zero(scalar)) 205 if (BN_is_zero(scalar)) {
203 {
204 r = malloc(1); 206 r = malloc(1);
205 if (!r) 207 if (!r) {
206 {
207 ECerr(EC_F_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE); 208 ECerr(EC_F_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE);
208 goto err; 209 goto err;
209 } 210 }
210 r[0] = 0; 211 r[0] = 0;
211 *ret_len = 1; 212 *ret_len = 1;
212 return r; 213 return r;
213 } 214 }
214 215 if (w <= 0 || w > 7) {
215 if (w <= 0 || w > 7) /* 'signed char' can represent integers with absolute values less than 2^7 */ 216 /* 'signed char' can represent integers with
216 { 217 * absolute values less than 2^7 */
217 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR); 218 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
218 goto err; 219 goto err;
219 } 220 }
220 bit = 1 << w; /* at most 128 */ 221 bit = 1 << w; /* at most 128 */
221 next_bit = bit << 1; /* at most 256 */ 222 next_bit = bit << 1; /* at most 256 */
222 mask = next_bit - 1; /* at most 255 */ 223 mask = next_bit - 1; /* at most 255 */
223 224
224 if (BN_is_negative(scalar)) 225 if (BN_is_negative(scalar)) {
225 {
226 sign = -1; 226 sign = -1;
227 } 227 }
228 228 if (scalar->d == NULL || scalar->top == 0) {
229 if (scalar->d == NULL || scalar->top == 0)
230 {
231 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR); 229 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
232 goto err; 230 goto err;
233 } 231 }
234
235 len = BN_num_bits(scalar); 232 len = BN_num_bits(scalar);
236 r = malloc(len + 1); /* modified wNAF may be one digit longer than binary representation 233 r = malloc(len + 1); /* modified wNAF may be one digit longer than
237 * (*ret_len will be set to the actual length, i.e. at most 234 * binary representation (*ret_len will be
238 * BN_num_bits(scalar) + 1) */ 235 * set to the actual length, i.e. at most
239 if (r == NULL) 236 * BN_num_bits(scalar) + 1) */
240 { 237 if (r == NULL) {
241 ECerr(EC_F_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE); 238 ECerr(EC_F_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE);
242 goto err; 239 goto err;
243 } 240 }
244 window_val = scalar->d[0] & mask; 241 window_val = scalar->d[0] & mask;
245 j = 0; 242 j = 0;
246 while ((window_val != 0) || (j + w + 1 < len)) /* if j+w+1 >= len, window_val will not increase */ 243 while ((window_val != 0) || (j + w + 1 < len)) {
247 { 244 /* if j+w+1 >= len, window_val will not increase */
248 int digit = 0; 245 int digit = 0;
249 246
250 /* 0 <= window_val <= 2^(w+1) */ 247 /* 0 <= window_val <= 2^(w+1) */
251 248 if (window_val & 1) {
252 if (window_val & 1)
253 {
254 /* 0 < window_val < 2^(w+1) */ 249 /* 0 < window_val < 2^(w+1) */
255 250 if (window_val & bit) {
256 if (window_val & bit) 251 digit = window_val - next_bit; /* -2^w < digit < 0 */
257 { 252
258 digit = window_val - next_bit; /* -2^w < digit < 0 */ 253#if 1 /* modified wNAF */
259 254 if (j + w + 1 >= len) {
260#if 1 /* modified wNAF */ 255 /*
261 if (j + w + 1 >= len) 256 * special case for generating
262 { 257 * modified wNAFs: no new bits will
263 /* special case for generating modified wNAFs: 258 * be added into window_val, so using
264 * no new bits will be added into window_val, 259 * a positive digit here will
265 * so using a positive digit here will decrease 260 * decrease the total length of the
266 * the total length of the representation */ 261 * representation
267 262 */
268 digit = window_val & (mask >> 1); /* 0 < digit < 2^w */ 263
269 } 264 digit = window_val & (mask >> 1); /* 0 < digit < 2^w */
270#endif
271 }
272 else
273 {
274 digit = window_val; /* 0 < digit < 2^w */
275 } 265 }
276 266#endif
277 if (digit <= -bit || digit >= bit || !(digit & 1)) 267 } else {
278 { 268 digit = window_val; /* 0 < digit < 2^w */
269 }
270
271 if (digit <= -bit || digit >= bit || !(digit & 1)) {
279 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR); 272 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
280 goto err; 273 goto err;
281 } 274 }
282
283 window_val -= digit; 275 window_val -= digit;
284 276
285 /* now window_val is 0 or 2^(w+1) in standard wNAF generation; 277 /*
286 * for modified window NAFs, it may also be 2^w 278 * now window_val is 0 or 2^(w+1) in standard wNAF
279 * generation; for modified window NAFs, it may also
280 * be 2^w
287 */ 281 */
288 if (window_val != 0 && window_val != next_bit && window_val != bit) 282 if (window_val != 0 && window_val != next_bit && window_val != bit) {
289 {
290 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR); 283 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
291 goto err; 284 goto err;
292 }
293 } 285 }
294 286 }
295 r[j++] = sign * digit; 287 r[j++] = sign * digit;
296 288
297 window_val >>= 1; 289 window_val >>= 1;
298 window_val += bit * BN_is_bit_set(scalar, j + w); 290 window_val += bit * BN_is_bit_set(scalar, j + w);
299 291
300 if (window_val > next_bit) 292 if (window_val > next_bit) {
301 {
302 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR); 293 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
303 goto err; 294 goto err;
304 }
305 } 295 }
296 }
306 297
307 if (j > len + 1) 298 if (j > len + 1) {
308 {
309 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR); 299 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
310 goto err; 300 goto err;
311 } 301 }
312 len = j; 302 len = j;
313 ok = 1; 303 ok = 1;
314 304
315 err: 305err:
316 if (!ok) 306 if (!ok) {
317 {
318 free(r); 307 free(r);
319 r = NULL; 308 r = NULL;
320 } 309 }
321 if (ok) 310 if (ok)
322 *ret_len = len; 311 *ret_len = len;
323 return r; 312 return r;
324 } 313}
325 314
326 315
327/* TODO: table should be optimised for the wNAF-based implementation, 316/* TODO: table should be optimised for the wNAF-based implementation,
@@ -343,374 +332,353 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
343 * scalar*generator 332 * scalar*generator
344 * in the addition if scalar != NULL 333 * in the addition if scalar != NULL
345 */ 334 */
346int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, 335int
347 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) 336ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
348 { 337 size_t num, const EC_POINT * points[], const BIGNUM * scalars[], BN_CTX * ctx)
338{
349 BN_CTX *new_ctx = NULL; 339 BN_CTX *new_ctx = NULL;
350 const EC_POINT *generator = NULL; 340 const EC_POINT *generator = NULL;
351 EC_POINT *tmp = NULL; 341 EC_POINT *tmp = NULL;
352 size_t totalnum; 342 size_t totalnum;
353 size_t blocksize = 0, numblocks = 0; /* for wNAF splitting */ 343 size_t blocksize = 0, numblocks = 0; /* for wNAF splitting */
354 size_t pre_points_per_block = 0; 344 size_t pre_points_per_block = 0;
355 size_t i, j; 345 size_t i, j;
356 int k; 346 int k;
357 int r_is_inverted = 0; 347 int r_is_inverted = 0;
358 int r_is_at_infinity = 1; 348 int r_is_at_infinity = 1;
359 size_t *wsize = NULL; /* individual window sizes */ 349 size_t *wsize = NULL; /* individual window sizes */
360 signed char **wNAF = NULL; /* individual wNAFs */ 350 signed char **wNAF = NULL; /* individual wNAFs */
361 size_t *wNAF_len = NULL; 351 size_t *wNAF_len = NULL;
362 size_t max_len = 0; 352 size_t max_len = 0;
363 size_t num_val; 353 size_t num_val;
364 EC_POINT **val = NULL; /* precomputation */ 354 EC_POINT **val = NULL; /* precomputation */
365 EC_POINT **v; 355 EC_POINT **v;
366 EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' or 'pre_comp->points' */ 356 EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' or
357 * 'pre_comp->points' */
367 const EC_PRE_COMP *pre_comp = NULL; 358 const EC_PRE_COMP *pre_comp = NULL;
368 int num_scalar = 0; /* flag: will be set to 1 if 'scalar' must be treated like other scalars, 359 int num_scalar = 0; /* flag: will be set to 1 if 'scalar' must be
369 * i.e. precomputation is not available */ 360 * treated like other scalars, i.e.
361 * precomputation is not available */
370 int ret = 0; 362 int ret = 0;
371 363
372 if (group->meth != r->meth) 364 if (group->meth != r->meth) {
373 {
374 ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS); 365 ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
375 return 0; 366 return 0;
376 } 367 }
377 368 if ((scalar == NULL) && (num == 0)) {
378 if ((scalar == NULL) && (num == 0))
379 {
380 return EC_POINT_set_to_infinity(group, r); 369 return EC_POINT_set_to_infinity(group, r);
381 } 370 }
382 371 for (i = 0; i < num; i++) {
383 for (i = 0; i < num; i++) 372 if (group->meth != points[i]->meth) {
384 {
385 if (group->meth != points[i]->meth)
386 {
387 ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS); 373 ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
388 return 0; 374 return 0;
389 }
390 } 375 }
376 }
391 377
392 if (ctx == NULL) 378 if (ctx == NULL) {
393 {
394 ctx = new_ctx = BN_CTX_new(); 379 ctx = new_ctx = BN_CTX_new();
395 if (ctx == NULL) 380 if (ctx == NULL)
396 goto err; 381 goto err;
397 } 382 }
398 383 if (scalar != NULL) {
399 if (scalar != NULL)
400 {
401 generator = EC_GROUP_get0_generator(group); 384 generator = EC_GROUP_get0_generator(group);
402 if (generator == NULL) 385 if (generator == NULL) {
403 {
404 ECerr(EC_F_EC_WNAF_MUL, EC_R_UNDEFINED_GENERATOR); 386 ECerr(EC_F_EC_WNAF_MUL, EC_R_UNDEFINED_GENERATOR);
405 goto err; 387 goto err;
406 } 388 }
407
408 /* look if we can use precomputed multiples of generator */ 389 /* look if we can use precomputed multiples of generator */
409 390
410 pre_comp = EC_EX_DATA_get_data(group->extra_data, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free); 391 pre_comp = EC_EX_DATA_get_data(group->extra_data, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free);
411 392
412 if (pre_comp && pre_comp->numblocks && (EC_POINT_cmp(group, generator, pre_comp->points[0], ctx) == 0)) 393 if (pre_comp && pre_comp->numblocks &&
413 { 394 (EC_POINT_cmp(group, generator, pre_comp->points[0], ctx) == 0)) {
414 blocksize = pre_comp->blocksize; 395 blocksize = pre_comp->blocksize;
415 396
416 /* determine maximum number of blocks that wNAF splitting may yield 397 /*
417 * (NB: maximum wNAF length is bit length plus one) */ 398 * determine maximum number of blocks that wNAF
399 * splitting may yield (NB: maximum wNAF length is
400 * bit length plus one)
401 */
418 numblocks = (BN_num_bits(scalar) / blocksize) + 1; 402 numblocks = (BN_num_bits(scalar) / blocksize) + 1;
419 403
420 /* we cannot use more blocks than we have precomputation for */ 404 /*
405 * we cannot use more blocks than we have
406 * precomputation for
407 */
421 if (numblocks > pre_comp->numblocks) 408 if (numblocks > pre_comp->numblocks)
422 numblocks = pre_comp->numblocks; 409 numblocks = pre_comp->numblocks;
423 410
424 pre_points_per_block = (size_t)1 << (pre_comp->w - 1); 411 pre_points_per_block = (size_t) 1 << (pre_comp->w - 1);
425 412
426 /* check that pre_comp looks sane */ 413 /* check that pre_comp looks sane */
427 if (pre_comp->num != (pre_comp->numblocks * pre_points_per_block)) 414 if (pre_comp->num != (pre_comp->numblocks * pre_points_per_block)) {
428 {
429 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); 415 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
430 goto err; 416 goto err;
431 }
432 } 417 }
433 else 418 } else {
434 {
435 /* can't use precomputation */ 419 /* can't use precomputation */
436 pre_comp = NULL; 420 pre_comp = NULL;
437 numblocks = 1; 421 numblocks = 1;
438 num_scalar = 1; /* treat 'scalar' like 'num'-th element of 'scalars' */ 422 num_scalar = 1; /* treat 'scalar' like 'num'-th
439 } 423 * element of 'scalars' */
440 } 424 }
441 425 }
442 totalnum = num + numblocks; 426 totalnum = num + numblocks;
443 427
444 wsize = malloc(totalnum * sizeof wsize[0]); 428 wsize = malloc(totalnum * sizeof wsize[0]);
445 wNAF_len = malloc(totalnum * sizeof wNAF_len[0]); 429 wNAF_len = malloc(totalnum * sizeof wNAF_len[0]);
446 wNAF = malloc((totalnum + 1) * sizeof wNAF[0]); /* includes space for pivot */ 430 wNAF = malloc((totalnum + 1) * sizeof wNAF[0]); /* includes space for
447 val_sub = malloc(totalnum * sizeof val_sub[0]); 431 * pivot */
448 432 val_sub = malloc(totalnum * sizeof val_sub[0]);
449 if (!wsize || !wNAF_len || !wNAF || !val_sub) 433
450 { 434 if (!wsize || !wNAF_len || !wNAF || !val_sub) {
451 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE); 435 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
452 goto err; 436 goto err;
453 } 437 }
454 438 wNAF[0] = NULL; /* preliminary pivot */
455 wNAF[0] = NULL; /* preliminary pivot */
456 439
457 /* num_val will be the total number of temporarily precomputed points */ 440 /* num_val will be the total number of temporarily precomputed points */
458 num_val = 0; 441 num_val = 0;
459 442
460 for (i = 0; i < num + num_scalar; i++) 443 for (i = 0; i < num + num_scalar; i++) {
461 {
462 size_t bits; 444 size_t bits;
463 445
464 bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar); 446 bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
465 wsize[i] = EC_window_bits_for_scalar_size(bits); 447 wsize[i] = EC_window_bits_for_scalar_size(bits);
466 num_val += (size_t)1 << (wsize[i] - 1); 448 num_val += (size_t) 1 << (wsize[i] - 1);
467 wNAF[i + 1] = NULL; /* make sure we always have a pivot */ 449 wNAF[i + 1] = NULL; /* make sure we always have a pivot */
468 wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]); 450 wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]);
469 if (wNAF[i] == NULL) 451 if (wNAF[i] == NULL)
470 goto err; 452 goto err;
471 if (wNAF_len[i] > max_len) 453 if (wNAF_len[i] > max_len)
472 max_len = wNAF_len[i]; 454 max_len = wNAF_len[i];
473 } 455 }
474 456
475 if (numblocks) 457 if (numblocks) {
476 {
477 /* we go here iff scalar != NULL */ 458 /* we go here iff scalar != NULL */
478 459
479 if (pre_comp == NULL) 460 if (pre_comp == NULL) {
480 { 461 if (num_scalar != 1) {
481 if (num_scalar != 1)
482 {
483 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); 462 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
484 goto err; 463 goto err;
485 }
486 /* we have already generated a wNAF for 'scalar' */
487 } 464 }
488 else 465 /* we have already generated a wNAF for 'scalar' */
489 { 466 } else {
490 signed char *tmp_wNAF = NULL; 467 signed char *tmp_wNAF = NULL;
491 size_t tmp_len = 0; 468 size_t tmp_len = 0;
492 469
493 if (num_scalar != 0) 470 if (num_scalar != 0) {
494 {
495 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); 471 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
496 goto err; 472 goto err;
497 } 473 }
498 474 /*
499 /* use the window size for which we have precomputation */ 475 * use the window size for which we have
476 * precomputation
477 */
500 wsize[num] = pre_comp->w; 478 wsize[num] = pre_comp->w;
501 tmp_wNAF = compute_wNAF(scalar, wsize[num], &tmp_len); 479 tmp_wNAF = compute_wNAF(scalar, wsize[num], &tmp_len);
502 if (!tmp_wNAF) 480 if (!tmp_wNAF)
503 goto err; 481 goto err;
504 482
505 if (tmp_len <= max_len) 483 if (tmp_len <= max_len) {
506 { 484 /*
507 /* One of the other wNAFs is at least as long 485 * One of the other wNAFs is at least as long
508 * as the wNAF belonging to the generator, 486 * as the wNAF belonging to the generator, so
509 * so wNAF splitting will not buy us anything. */ 487 * wNAF splitting will not buy us anything.
488 */
510 489
511 numblocks = 1; 490 numblocks = 1;
512 totalnum = num + 1; /* don't use wNAF splitting */ 491 totalnum = num + 1; /* don't use wNAF
492 * splitting */
513 wNAF[num] = tmp_wNAF; 493 wNAF[num] = tmp_wNAF;
514 wNAF[num + 1] = NULL; 494 wNAF[num + 1] = NULL;
515 wNAF_len[num] = tmp_len; 495 wNAF_len[num] = tmp_len;
516 if (tmp_len > max_len) 496 if (tmp_len > max_len)
517 max_len = tmp_len; 497 max_len = tmp_len;
518 /* pre_comp->points starts with the points that we need here: */ 498 /*
499 * pre_comp->points starts with the points
500 * that we need here:
501 */
519 val_sub[num] = pre_comp->points; 502 val_sub[num] = pre_comp->points;
520 } 503 } else {
521 else 504 /*
522 { 505 * don't include tmp_wNAF directly into wNAF
523 /* don't include tmp_wNAF directly into wNAF array 506 * array - use wNAF splitting and include the
524 * - use wNAF splitting and include the blocks */ 507 * blocks
508 */
525 509
526 signed char *pp; 510 signed char *pp;
527 EC_POINT **tmp_points; 511 EC_POINT **tmp_points;
528 512
529 if (tmp_len < numblocks * blocksize) 513 if (tmp_len < numblocks * blocksize) {
530 { 514 /*
531 /* possibly we can do with fewer blocks than estimated */ 515 * possibly we can do with fewer
516 * blocks than estimated
517 */
532 numblocks = (tmp_len + blocksize - 1) / blocksize; 518 numblocks = (tmp_len + blocksize - 1) / blocksize;
533 if (numblocks > pre_comp->numblocks) 519 if (numblocks > pre_comp->numblocks) {
534 {
535 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); 520 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
536 goto err; 521 goto err;
537 }
538 totalnum = num + numblocks;
539 } 522 }
540 523 totalnum = num + numblocks;
524 }
541 /* split wNAF in 'numblocks' parts */ 525 /* split wNAF in 'numblocks' parts */
542 pp = tmp_wNAF; 526 pp = tmp_wNAF;
543 tmp_points = pre_comp->points; 527 tmp_points = pre_comp->points;
544 528
545 for (i = num; i < totalnum; i++) 529 for (i = num; i < totalnum; i++) {
546 { 530 if (i < totalnum - 1) {
547 if (i < totalnum - 1)
548 {
549 wNAF_len[i] = blocksize; 531 wNAF_len[i] = blocksize;
550 if (tmp_len < blocksize) 532 if (tmp_len < blocksize) {
551 {
552 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); 533 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
553 goto err; 534 goto err;
554 }
555 tmp_len -= blocksize;
556 } 535 }
557 else 536 tmp_len -= blocksize;
558 /* last block gets whatever is left 537 } else
559 * (this could be more or less than 'blocksize'!) */ 538 /*
539 * last block gets whatever
540 * is left (this could be
541 * more or less than
542 * 'blocksize'!)
543 */
560 wNAF_len[i] = tmp_len; 544 wNAF_len[i] = tmp_len;
561 545
562 wNAF[i + 1] = NULL; 546 wNAF[i + 1] = NULL;
563 wNAF[i] = malloc(wNAF_len[i]); 547 wNAF[i] = malloc(wNAF_len[i]);
564 if (wNAF[i] == NULL) 548 if (wNAF[i] == NULL) {
565 {
566 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE); 549 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
567 free(tmp_wNAF); 550 free(tmp_wNAF);
568 goto err; 551 goto err;
569 } 552 }
570 memcpy(wNAF[i], pp, wNAF_len[i]); 553 memcpy(wNAF[i], pp, wNAF_len[i]);
571 if (wNAF_len[i] > max_len) 554 if (wNAF_len[i] > max_len)
572 max_len = wNAF_len[i]; 555 max_len = wNAF_len[i];
573 556
574 if (*tmp_points == NULL) 557 if (*tmp_points == NULL) {
575 {
576 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); 558 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
577 free(tmp_wNAF); 559 free(tmp_wNAF);
578 goto err; 560 goto err;
579 } 561 }
580 val_sub[i] = tmp_points; 562 val_sub[i] = tmp_points;
581 tmp_points += pre_points_per_block; 563 tmp_points += pre_points_per_block;
582 pp += blocksize; 564 pp += blocksize;
583 }
584 free(tmp_wNAF);
585 } 565 }
566 free(tmp_wNAF);
586 } 567 }
587 } 568 }
588 569 }
589 /* All points we precompute now go into a single array 'val'. 570 /*
590 * 'val_sub[i]' is a pointer to the subarray for the i-th point, 571 * All points we precompute now go into a single array 'val'.
591 * or to a subarray of 'pre_comp->points' if we already have precomputation. */ 572 * 'val_sub[i]' is a pointer to the subarray for the i-th point, or
573 * to a subarray of 'pre_comp->points' if we already have
574 * precomputation.
575 */
592 val = malloc((num_val + 1) * sizeof val[0]); 576 val = malloc((num_val + 1) * sizeof val[0]);
593 if (val == NULL) 577 if (val == NULL) {
594 {
595 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE); 578 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
596 goto err; 579 goto err;
597 } 580 }
598 val[num_val] = NULL; /* pivot element */ 581 val[num_val] = NULL; /* pivot element */
599 582
600 /* allocate points for precomputation */ 583 /* allocate points for precomputation */
601 v = val; 584 v = val;
602 for (i = 0; i < num + num_scalar; i++) 585 for (i = 0; i < num + num_scalar; i++) {
603 {
604 val_sub[i] = v; 586 val_sub[i] = v;
605 for (j = 0; j < ((size_t)1 << (wsize[i] - 1)); j++) 587 for (j = 0; j < ((size_t) 1 << (wsize[i] - 1)); j++) {
606 {
607 *v = EC_POINT_new(group); 588 *v = EC_POINT_new(group);
608 if (*v == NULL) goto err; 589 if (*v == NULL)
590 goto err;
609 v++; 591 v++;
610 }
611 } 592 }
612 if (!(v == val + num_val)) 593 }
613 { 594 if (!(v == val + num_val)) {
614 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); 595 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
615 goto err; 596 goto err;
616 } 597 }
617
618 if (!(tmp = EC_POINT_new(group))) 598 if (!(tmp = EC_POINT_new(group)))
619 goto err; 599 goto err;
620 600
621 /* prepare precomputed values: 601 /*
622 * val_sub[i][0] := points[i] 602 * prepare precomputed values: val_sub[i][0] := points[i]
623 * val_sub[i][1] := 3 * points[i] 603 * val_sub[i][1] := 3 * points[i] val_sub[i][2] := 5 * points[i] ...
624 * val_sub[i][2] := 5 * points[i]
625 * ...
626 */ 604 */
627 for (i = 0; i < num + num_scalar; i++) 605 for (i = 0; i < num + num_scalar; i++) {
628 { 606 if (i < num) {
629 if (i < num) 607 if (!EC_POINT_copy(val_sub[i][0], points[i]))
630 { 608 goto err;
631 if (!EC_POINT_copy(val_sub[i][0], points[i])) goto err; 609 } else {
632 } 610 if (!EC_POINT_copy(val_sub[i][0], generator))
633 else 611 goto err;
634 { 612 }
635 if (!EC_POINT_copy(val_sub[i][0], generator)) goto err;
636 }
637 613
638 if (wsize[i] > 1) 614 if (wsize[i] > 1) {
639 { 615 if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx))
640 if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx)) goto err; 616 goto err;
641 for (j = 1; j < ((size_t)1 << (wsize[i] - 1)); j++) 617 for (j = 1; j < ((size_t) 1 << (wsize[i] - 1)); j++) {
642 { 618 if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx))
643 if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) goto err; 619 goto err;
644 }
645 } 620 }
646 } 621 }
622 }
647 623
648#if 1 /* optional; EC_window_bits_for_scalar_size assumes we do this step */ 624#if 1 /* optional; EC_window_bits_for_scalar_size
625 * assumes we do this step */
649 if (!EC_POINTs_make_affine(group, num_val, val, ctx)) 626 if (!EC_POINTs_make_affine(group, num_val, val, ctx))
650 goto err; 627 goto err;
651#endif 628#endif
652 629
653 r_is_at_infinity = 1; 630 r_is_at_infinity = 1;
654 631
655 for (k = max_len - 1; k >= 0; k--) 632 for (k = max_len - 1; k >= 0; k--) {
656 { 633 if (!r_is_at_infinity) {
657 if (!r_is_at_infinity) 634 if (!EC_POINT_dbl(group, r, r, ctx))
658 { 635 goto err;
659 if (!EC_POINT_dbl(group, r, r, ctx)) goto err; 636 }
660 } 637 for (i = 0; i < totalnum; i++) {
661 638 if (wNAF_len[i] > (size_t) k) {
662 for (i = 0; i < totalnum; i++)
663 {
664 if (wNAF_len[i] > (size_t)k)
665 {
666 int digit = wNAF[i][k]; 639 int digit = wNAF[i][k];
667 int is_neg; 640 int is_neg;
668 641
669 if (digit) 642 if (digit) {
670 {
671 is_neg = digit < 0; 643 is_neg = digit < 0;
672 644
673 if (is_neg) 645 if (is_neg)
674 digit = -digit; 646 digit = -digit;
675 647
676 if (is_neg != r_is_inverted) 648 if (is_neg != r_is_inverted) {
677 { 649 if (!r_is_at_infinity) {
678 if (!r_is_at_infinity) 650 if (!EC_POINT_invert(group, r, ctx))
679 { 651 goto err;
680 if (!EC_POINT_invert(group, r, ctx)) goto err;
681 }
682 r_is_inverted = !r_is_inverted;
683 } 652 }
684 653 r_is_inverted = !r_is_inverted;
654 }
685 /* digit > 0 */ 655 /* digit > 0 */
686 656
687 if (r_is_at_infinity) 657 if (r_is_at_infinity) {
688 { 658 if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))
689 if (!EC_POINT_copy(r, val_sub[i][digit >> 1])) goto err; 659 goto err;
690 r_is_at_infinity = 0; 660 r_is_at_infinity = 0;
691 } 661 } else {
692 else 662 if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx))
693 { 663 goto err;
694 if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx)) goto err;
695 }
696 } 664 }
697 } 665 }
698 } 666 }
699 } 667 }
668 }
700 669
701 if (r_is_at_infinity) 670 if (r_is_at_infinity) {
702 { 671 if (!EC_POINT_set_to_infinity(group, r))
703 if (!EC_POINT_set_to_infinity(group, r)) goto err; 672 goto err;
704 } 673 } else {
705 else
706 {
707 if (r_is_inverted) 674 if (r_is_inverted)
708 if (!EC_POINT_invert(group, r, ctx)) goto err; 675 if (!EC_POINT_invert(group, r, ctx))
709 } 676 goto err;
710 677 }
678
711 ret = 1; 679 ret = 1;
712 680
713 err: 681err:
714 if (new_ctx != NULL) 682 if (new_ctx != NULL)
715 BN_CTX_free(new_ctx); 683 BN_CTX_free(new_ctx);
716 if (tmp != NULL) 684 if (tmp != NULL)
@@ -719,34 +687,31 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
719 free(wsize); 687 free(wsize);
720 if (wNAF_len != NULL) 688 if (wNAF_len != NULL)
721 free(wNAF_len); 689 free(wNAF_len);
722 if (wNAF != NULL) 690 if (wNAF != NULL) {
723 {
724 signed char **w; 691 signed char **w;
725 692
726 for (w = wNAF; *w != NULL; w++) 693 for (w = wNAF; *w != NULL; w++)
727 free(*w); 694 free(*w);
728 695
729 free(wNAF); 696 free(wNAF);
730 } 697 }
731 if (val != NULL) 698 if (val != NULL) {
732 {
733 for (v = val; *v != NULL; v++) 699 for (v = val; *v != NULL; v++)
734 EC_POINT_clear_free(*v); 700 EC_POINT_clear_free(*v);
735 701
736 free(val); 702 free(val);
737 } 703 }
738 if (val_sub != NULL) 704 if (val_sub != NULL) {
739 {
740 free(val_sub); 705 free(val_sub);
741 }
742 return ret;
743 } 706 }
707 return ret;
708}
744 709
745 710
746/* ec_wNAF_precompute_mult() 711/* ec_wNAF_precompute_mult()
747 * creates an EC_PRE_COMP object with preprecomputed multiples of the generator 712 * creates an EC_PRE_COMP object with preprecomputed multiples of the generator
748 * for use with wNAF splitting as implemented in ec_wNAF_mul(). 713 * for use with wNAF splitting as implemented in ec_wNAF_mul().
749 * 714 *
750 * 'pre_comp->points' is an array of multiples of the generator 715 * 'pre_comp->points' is an array of multiples of the generator
751 * of the following form: 716 * of the following form:
752 * points[0] = generator; 717 * points[0] = generator;
@@ -762,13 +727,15 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
762 * points[2^(w-1)*numblocks-1] = (2^(w-1)) * 2^(blocksize*(numblocks-1)) * generator 727 * points[2^(w-1)*numblocks-1] = (2^(w-1)) * 2^(blocksize*(numblocks-1)) * generator
763 * points[2^(w-1)*numblocks] = NULL 728 * points[2^(w-1)*numblocks] = NULL
764 */ 729 */
765int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) 730int
766 { 731ec_wNAF_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
732{
767 const EC_POINT *generator; 733 const EC_POINT *generator;
768 EC_POINT *tmp_point = NULL, *base = NULL, **var; 734 EC_POINT *tmp_point = NULL, *base = NULL, **var;
769 BN_CTX *new_ctx = NULL; 735 BN_CTX *new_ctx = NULL;
770 BIGNUM *order; 736 BIGNUM *order;
771 size_t i, bits, w, pre_points_per_block, blocksize, numblocks, num; 737 size_t i, bits, w, pre_points_per_block, blocksize, numblocks,
738 num;
772 EC_POINT **points = NULL; 739 EC_POINT **points = NULL;
773 EC_PRE_COMP *pre_comp; 740 EC_PRE_COMP *pre_comp;
774 int ret = 0; 741 int ret = 0;
@@ -780,81 +747,72 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
780 return 0; 747 return 0;
781 748
782 generator = EC_GROUP_get0_generator(group); 749 generator = EC_GROUP_get0_generator(group);
783 if (generator == NULL) 750 if (generator == NULL) {
784 {
785 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR); 751 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR);
786 goto err; 752 goto err;
787 } 753 }
788 754 if (ctx == NULL) {
789 if (ctx == NULL)
790 {
791 ctx = new_ctx = BN_CTX_new(); 755 ctx = new_ctx = BN_CTX_new();
792 if (ctx == NULL) 756 if (ctx == NULL)
793 goto err; 757 goto err;
794 } 758 }
795
796 BN_CTX_start(ctx); 759 BN_CTX_start(ctx);
797 order = BN_CTX_get(ctx); 760 order = BN_CTX_get(ctx);
798 if (order == NULL) goto err; 761 if (order == NULL)
799
800 if (!EC_GROUP_get_order(group, order, ctx)) goto err;
801 if (BN_is_zero(order))
802 {
803 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER);
804 goto err; 762 goto err;
805 }
806 763
764 if (!EC_GROUP_get_order(group, order, ctx))
765 goto err;
766 if (BN_is_zero(order)) {
767 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER);
768 goto err;
769 }
807 bits = BN_num_bits(order); 770 bits = BN_num_bits(order);
808 /* The following parameters mean we precompute (approximately) 771 /*
809 * one point per bit. 772 * The following parameters mean we precompute (approximately) one
810 * 773 * point per bit.
811 * TBD: The combination 8, 4 is perfect for 160 bits; for other 774 *
812 * bit lengths, other parameter combinations might provide better 775 * TBD: The combination 8, 4 is perfect for 160 bits; for other bit
776 * lengths, other parameter combinations might provide better
813 * efficiency. 777 * efficiency.
814 */ 778 */
815 blocksize = 8; 779 blocksize = 8;
816 w = 4; 780 w = 4;
817 if (EC_window_bits_for_scalar_size(bits) > w) 781 if (EC_window_bits_for_scalar_size(bits) > w) {
818 {
819 /* let's not make the window too small ... */ 782 /* let's not make the window too small ... */
820 w = EC_window_bits_for_scalar_size(bits); 783 w = EC_window_bits_for_scalar_size(bits);
821 } 784 }
785 numblocks = (bits + blocksize - 1) / blocksize; /* max. number of blocks
786 * to use for wNAF
787 * splitting */
822 788
823 numblocks = (bits + blocksize - 1) / blocksize; /* max. number of blocks to use for wNAF splitting */ 789 pre_points_per_block = (size_t) 1 << (w - 1);
824 790 num = pre_points_per_block * numblocks; /* number of points to
825 pre_points_per_block = (size_t)1 << (w - 1); 791 * compute and store */
826 num = pre_points_per_block * numblocks; /* number of points to compute and store */
827 792
828 points = malloc(sizeof (EC_POINT*)*(num + 1)); 793 points = malloc(sizeof(EC_POINT *) * (num + 1));
829 if (!points) 794 if (!points) {
830 {
831 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE); 795 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE);
832 goto err; 796 goto err;
833 } 797 }
834
835 var = points; 798 var = points;
836 var[num] = NULL; /* pivot */ 799 var[num] = NULL; /* pivot */
837 for (i = 0; i < num; i++) 800 for (i = 0; i < num; i++) {
838 { 801 if ((var[i] = EC_POINT_new(group)) == NULL) {
839 if ((var[i] = EC_POINT_new(group)) == NULL)
840 {
841 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE); 802 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE);
842 goto err; 803 goto err;
843 }
844 } 804 }
805 }
845 806
846 if (!(tmp_point = EC_POINT_new(group)) || !(base = EC_POINT_new(group))) 807 if (!(tmp_point = EC_POINT_new(group)) || !(base = EC_POINT_new(group))) {
847 {
848 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE); 808 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE);
849 goto err; 809 goto err;
850 } 810 }
851
852 if (!EC_POINT_copy(base, generator)) 811 if (!EC_POINT_copy(base, generator))
853 goto err; 812 goto err;
854 813
855 /* do the precomputation */ 814 /* do the precomputation */
856 for (i = 0; i < numblocks; i++) 815 for (i = 0; i < numblocks; i++) {
857 {
858 size_t j; 816 size_t j;
859 817
860 if (!EC_POINT_dbl(group, tmp_point, base, ctx)) 818 if (!EC_POINT_dbl(group, tmp_point, base, ctx))
@@ -863,37 +821,35 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
863 if (!EC_POINT_copy(*var++, base)) 821 if (!EC_POINT_copy(*var++, base))
864 goto err; 822 goto err;
865 823
866 for (j = 1; j < pre_points_per_block; j++, var++) 824 for (j = 1; j < pre_points_per_block; j++, var++) {
867 {
868 /* calculate odd multiples of the current base point */ 825 /* calculate odd multiples of the current base point */
869 if (!EC_POINT_add(group, *var, tmp_point, *(var - 1), ctx)) 826 if (!EC_POINT_add(group, *var, tmp_point, *(var - 1), ctx))
870 goto err; 827 goto err;
871 } 828 }
872 829
873 if (i < numblocks - 1) 830 if (i < numblocks - 1) {
874 { 831 /*
875 /* get the next base (multiply current one by 2^blocksize) */ 832 * get the next base (multiply current one by
833 * 2^blocksize)
834 */
876 size_t k; 835 size_t k;
877 836
878 if (blocksize <= 2) 837 if (blocksize <= 2) {
879 {
880 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_INTERNAL_ERROR); 838 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_INTERNAL_ERROR);
881 goto err; 839 goto err;
882 } 840 }
883
884 if (!EC_POINT_dbl(group, base, tmp_point, ctx)) 841 if (!EC_POINT_dbl(group, base, tmp_point, ctx))
885 goto err; 842 goto err;
886 for (k = 2; k < blocksize; k++) 843 for (k = 2; k < blocksize; k++) {
887 { 844 if (!EC_POINT_dbl(group, base, base, ctx))
888 if (!EC_POINT_dbl(group,base,base,ctx))
889 goto err; 845 goto err;
890 }
891 } 846 }
892 } 847 }
848 }
893 849
894 if (!EC_POINTs_make_affine(group, num, points, ctx)) 850 if (!EC_POINTs_make_affine(group, num, points, ctx))
895 goto err; 851 goto err;
896 852
897 pre_comp->group = group; 853 pre_comp->group = group;
898 pre_comp->blocksize = blocksize; 854 pre_comp->blocksize = blocksize;
899 pre_comp->numblocks = numblocks; 855 pre_comp->numblocks = numblocks;
@@ -908,33 +864,33 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
908 pre_comp = NULL; 864 pre_comp = NULL;
909 865
910 ret = 1; 866 ret = 1;
911 err: 867err:
912 if (ctx != NULL) 868 if (ctx != NULL)
913 BN_CTX_end(ctx); 869 BN_CTX_end(ctx);
914 if (new_ctx != NULL) 870 if (new_ctx != NULL)
915 BN_CTX_free(new_ctx); 871 BN_CTX_free(new_ctx);
916 if (pre_comp) 872 if (pre_comp)
917 ec_pre_comp_free(pre_comp); 873 ec_pre_comp_free(pre_comp);
918 if (points) 874 if (points) {
919 {
920 EC_POINT **p; 875 EC_POINT **p;
921 876
922 for (p = points; *p != NULL; p++) 877 for (p = points; *p != NULL; p++)
923 EC_POINT_free(*p); 878 EC_POINT_free(*p);
924 free(points); 879 free(points);
925 } 880 }
926 if (tmp_point) 881 if (tmp_point)
927 EC_POINT_free(tmp_point); 882 EC_POINT_free(tmp_point);
928 if (base) 883 if (base)
929 EC_POINT_free(base); 884 EC_POINT_free(base);
930 return ret; 885 return ret;
931 } 886}
932 887
933 888
934int ec_wNAF_have_precompute_mult(const EC_GROUP *group) 889int
935 { 890ec_wNAF_have_precompute_mult(const EC_GROUP * group)
891{
936 if (EC_EX_DATA_get_data(group->extra_data, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free) != NULL) 892 if (EC_EX_DATA_get_data(group->extra_data, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free) != NULL)
937 return 1; 893 return 1;
938 else 894 else
939 return 0; 895 return 0;
940 } 896}
diff --git a/src/lib/libcrypto/ec/ec_oct.c b/src/lib/libcrypto/ec/ec_oct.c
index fd9db0798d..e0fb62fee2 100644
--- a/src/lib/libcrypto/ec/ec_oct.c
+++ b/src/lib/libcrypto/ec/ec_oct.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -57,7 +57,7 @@
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Binary polynomial ECC support in OpenSSL originally developed by 60 * Binary polynomial ECC support in OpenSSL originally developed by
61 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 61 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
62 */ 62 */
63 63
@@ -68,132 +68,123 @@
68 68
69#include "ec_lcl.h" 69#include "ec_lcl.h"
70 70
71int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, 71int
72 const BIGNUM *x, int y_bit, BN_CTX *ctx) 72EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP * group, EC_POINT * point,
73 { 73 const BIGNUM * x, int y_bit, BN_CTX * ctx)
74{
74 if (group->meth->point_set_compressed_coordinates == 0 75 if (group->meth->point_set_compressed_coordinates == 0
75 && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) 76 && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) {
76 {
77 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 77 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
78 return 0; 78 return 0;
79 } 79 }
80 if (group->meth != point->meth) 80 if (group->meth != point->meth) {
81 {
82 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); 81 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
83 return 0; 82 return 0;
84 } 83 }
85 if(group->meth->flags & EC_FLAGS_DEFAULT_OCT) 84 if (group->meth->flags & EC_FLAGS_DEFAULT_OCT) {
86 {
87 if (group->meth->field_type == NID_X9_62_prime_field) 85 if (group->meth->field_type == NID_X9_62_prime_field)
88 return ec_GFp_simple_set_compressed_coordinates( 86 return ec_GFp_simple_set_compressed_coordinates(
89 group, point, x, y_bit, ctx); 87 group, point, x, y_bit, ctx);
90 else 88 else
91#ifdef OPENSSL_NO_EC2M 89#ifdef OPENSSL_NO_EC2M
92 { 90 {
93 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_GF2M_NOT_SUPPORTED); 91 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_GF2M_NOT_SUPPORTED);
94 return 0; 92 return 0;
95 } 93 }
96#else 94#else
97 return ec_GF2m_simple_set_compressed_coordinates( 95 return ec_GF2m_simple_set_compressed_coordinates(
98 group, point, x, y_bit, ctx); 96 group, point, x, y_bit, ctx);
99#endif 97#endif
100 }
101 return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx);
102 } 98 }
99 return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx);
100}
103 101
104#ifndef OPENSSL_NO_EC2M 102#ifndef OPENSSL_NO_EC2M
105int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point, 103int
106 const BIGNUM *x, int y_bit, BN_CTX *ctx) 104EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP * group, EC_POINT * point,
107 { 105 const BIGNUM * x, int y_bit, BN_CTX * ctx)
106{
108 if (group->meth->point_set_compressed_coordinates == 0 107 if (group->meth->point_set_compressed_coordinates == 0
109 && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) 108 && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) {
110 {
111 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 109 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
112 return 0; 110 return 0;
113 } 111 }
114 if (group->meth != point->meth) 112 if (group->meth != point->meth) {
115 {
116 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS); 113 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS);
117 return 0; 114 return 0;
118 } 115 }
119 if(group->meth->flags & EC_FLAGS_DEFAULT_OCT) 116 if (group->meth->flags & EC_FLAGS_DEFAULT_OCT) {
120 {
121 if (group->meth->field_type == NID_X9_62_prime_field) 117 if (group->meth->field_type == NID_X9_62_prime_field)
122 return ec_GFp_simple_set_compressed_coordinates( 118 return ec_GFp_simple_set_compressed_coordinates(
123 group, point, x, y_bit, ctx); 119 group, point, x, y_bit, ctx);
124 else 120 else
125 return ec_GF2m_simple_set_compressed_coordinates( 121 return ec_GF2m_simple_set_compressed_coordinates(
126 group, point, x, y_bit, ctx); 122 group, point, x, y_bit, ctx);
127 }
128 return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx);
129 } 123 }
124 return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx);
125}
130#endif 126#endif
131 127
132size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form, 128size_t
133 unsigned char *buf, size_t len, BN_CTX *ctx) 129EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,
134 { 130 point_conversion_form_t form,
131 unsigned char *buf, size_t len, BN_CTX *ctx)
132{
135 if (group->meth->point2oct == 0 133 if (group->meth->point2oct == 0
136 && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) 134 && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) {
137 {
138 ECerr(EC_F_EC_POINT_POINT2OCT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 135 ECerr(EC_F_EC_POINT_POINT2OCT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
139 return 0; 136 return 0;
140 } 137 }
141 if (group->meth != point->meth) 138 if (group->meth != point->meth) {
142 {
143 ECerr(EC_F_EC_POINT_POINT2OCT, EC_R_INCOMPATIBLE_OBJECTS); 139 ECerr(EC_F_EC_POINT_POINT2OCT, EC_R_INCOMPATIBLE_OBJECTS);
144 return 0; 140 return 0;
145 } 141 }
146 if(group->meth->flags & EC_FLAGS_DEFAULT_OCT) 142 if (group->meth->flags & EC_FLAGS_DEFAULT_OCT) {
147 {
148 if (group->meth->field_type == NID_X9_62_prime_field) 143 if (group->meth->field_type == NID_X9_62_prime_field)
149 return ec_GFp_simple_point2oct(group, point, 144 return ec_GFp_simple_point2oct(group, point,
150 form, buf, len, ctx); 145 form, buf, len, ctx);
151 else 146 else
152#ifdef OPENSSL_NO_EC2M 147#ifdef OPENSSL_NO_EC2M
153 { 148 {
154 ECerr(EC_F_EC_POINT_POINT2OCT, EC_R_GF2M_NOT_SUPPORTED); 149 ECerr(EC_F_EC_POINT_POINT2OCT, EC_R_GF2M_NOT_SUPPORTED);
155 return 0; 150 return 0;
156 } 151 }
157#else 152#else
158 return ec_GF2m_simple_point2oct(group, point, 153 return ec_GF2m_simple_point2oct(group, point,
159 form, buf, len, ctx); 154 form, buf, len, ctx);
160#endif 155#endif
161 }
162
163 return group->meth->point2oct(group, point, form, buf, len, ctx);
164 } 156 }
157 return group->meth->point2oct(group, point, form, buf, len, ctx);
158}
165 159
166 160
167int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point, 161int
168 const unsigned char *buf, size_t len, BN_CTX *ctx) 162EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,
169 { 163 const unsigned char *buf, size_t len, BN_CTX *ctx)
170 if (group->meth->oct2point == 0 164{
171 && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) 165 if (group->meth->oct2point == 0 &&
172 { 166 !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) {
173 ECerr(EC_F_EC_POINT_OCT2POINT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 167 ECerr(EC_F_EC_POINT_OCT2POINT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
174 return 0; 168 return 0;
175 } 169 }
176 if (group->meth != point->meth) 170 if (group->meth != point->meth) {
177 {
178 ECerr(EC_F_EC_POINT_OCT2POINT, EC_R_INCOMPATIBLE_OBJECTS); 171 ECerr(EC_F_EC_POINT_OCT2POINT, EC_R_INCOMPATIBLE_OBJECTS);
179 return 0; 172 return 0;
180 } 173 }
181 if(group->meth->flags & EC_FLAGS_DEFAULT_OCT) 174 if (group->meth->flags & EC_FLAGS_DEFAULT_OCT) {
182 {
183 if (group->meth->field_type == NID_X9_62_prime_field) 175 if (group->meth->field_type == NID_X9_62_prime_field)
184 return ec_GFp_simple_oct2point(group, point, 176 return ec_GFp_simple_oct2point(group, point,
185 buf, len, ctx); 177 buf, len, ctx);
186 else 178 else
187#ifdef OPENSSL_NO_EC2M 179#ifdef OPENSSL_NO_EC2M
188 { 180 {
189 ECerr(EC_F_EC_POINT_OCT2POINT, EC_R_GF2M_NOT_SUPPORTED); 181 ECerr(EC_F_EC_POINT_OCT2POINT, EC_R_GF2M_NOT_SUPPORTED);
190 return 0; 182 return 0;
191 } 183 }
192#else 184#else
193 return ec_GF2m_simple_oct2point(group, point, 185 return ec_GF2m_simple_oct2point(group, point,
194 buf, len, ctx); 186 buf, len, ctx);
195#endif 187#endif
196 }
197 return group->meth->oct2point(group, point, buf, len, ctx);
198 } 188 }
199 189 return group->meth->oct2point(group, point, buf, len, ctx);
190}
diff --git a/src/lib/libcrypto/ec/ec_pmeth.c b/src/lib/libcrypto/ec/ec_pmeth.c
index c970d8c9ca..28f501070c 100644
--- a/src/lib/libcrypto/ec/ec_pmeth.c
+++ b/src/lib/libcrypto/ec/ec_pmeth.c
@@ -9,7 +9,7 @@
9 * are met: 9 * are met:
10 * 10 *
11 * 1. Redistributions of source code must retain the above copyright 11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer. 12 * notice, this list of conditions and the following disclaimer.
13 * 13 *
14 * 2. Redistributions in binary form must reproduce the above copyright 14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in 15 * notice, this list of conditions and the following disclaimer in
@@ -66,16 +66,16 @@
66 66
67/* EC pkey context structure */ 67/* EC pkey context structure */
68 68
69typedef struct 69typedef struct {
70 {
71 /* Key and paramgen group */ 70 /* Key and paramgen group */
72 EC_GROUP *gen_group; 71 EC_GROUP *gen_group;
73 /* message digest */ 72 /* message digest */
74 const EVP_MD *md; 73 const EVP_MD *md;
75 } EC_PKEY_CTX; 74} EC_PKEY_CTX;
76 75
77static int pkey_ec_init(EVP_PKEY_CTX *ctx) 76static int
78 { 77pkey_ec_init(EVP_PKEY_CTX * ctx)
78{
79 EC_PKEY_CTX *dctx; 79 EC_PKEY_CTX *dctx;
80 dctx = malloc(sizeof(EC_PKEY_CTX)); 80 dctx = malloc(sizeof(EC_PKEY_CTX));
81 if (!dctx) 81 if (!dctx)
@@ -86,55 +86,52 @@ static int pkey_ec_init(EVP_PKEY_CTX *ctx)
86 ctx->data = dctx; 86 ctx->data = dctx;
87 87
88 return 1; 88 return 1;
89 } 89}
90 90
91static int pkey_ec_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) 91static int
92 { 92pkey_ec_copy(EVP_PKEY_CTX * dst, EVP_PKEY_CTX * src)
93{
93 EC_PKEY_CTX *dctx, *sctx; 94 EC_PKEY_CTX *dctx, *sctx;
94 if (!pkey_ec_init(dst)) 95 if (!pkey_ec_init(dst))
95 return 0; 96 return 0;
96 sctx = src->data; 97 sctx = src->data;
97 dctx = dst->data; 98 dctx = dst->data;
98 if (sctx->gen_group) 99 if (sctx->gen_group) {
99 {
100 dctx->gen_group = EC_GROUP_dup(sctx->gen_group); 100 dctx->gen_group = EC_GROUP_dup(sctx->gen_group);
101 if (!dctx->gen_group) 101 if (!dctx->gen_group)
102 return 0; 102 return 0;
103 } 103 }
104 dctx->md = sctx->md; 104 dctx->md = sctx->md;
105 return 1; 105 return 1;
106 } 106}
107 107
108static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx) 108static void
109 { 109pkey_ec_cleanup(EVP_PKEY_CTX * ctx)
110{
110 EC_PKEY_CTX *dctx = ctx->data; 111 EC_PKEY_CTX *dctx = ctx->data;
111 if (dctx) 112 if (dctx) {
112 {
113 if (dctx->gen_group) 113 if (dctx->gen_group)
114 EC_GROUP_free(dctx->gen_group); 114 EC_GROUP_free(dctx->gen_group);
115 free(dctx); 115 free(dctx);
116 }
117 } 116 }
117}
118 118
119static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, 119static int
120 const unsigned char *tbs, size_t tbslen) 120pkey_ec_sign(EVP_PKEY_CTX * ctx, unsigned char *sig, size_t * siglen,
121 { 121 const unsigned char *tbs, size_t tbslen)
122{
122 int ret, type; 123 int ret, type;
123 unsigned int sltmp; 124 unsigned int sltmp;
124 EC_PKEY_CTX *dctx = ctx->data; 125 EC_PKEY_CTX *dctx = ctx->data;
125 EC_KEY *ec = ctx->pkey->pkey.ec; 126 EC_KEY *ec = ctx->pkey->pkey.ec;
126 127
127 if (!sig) 128 if (!sig) {
128 {
129 *siglen = ECDSA_size(ec); 129 *siglen = ECDSA_size(ec);
130 return 1; 130 return 1;
131 } 131 } else if (*siglen < (size_t) ECDSA_size(ec)) {
132 else if(*siglen < (size_t)ECDSA_size(ec))
133 {
134 ECerr(EC_F_PKEY_EC_SIGN, EC_R_BUFFER_TOO_SMALL); 132 ECerr(EC_F_PKEY_EC_SIGN, EC_R_BUFFER_TOO_SMALL);
135 return 0; 133 return 0;
136 } 134 }
137
138 if (dctx->md) 135 if (dctx->md)
139 type = EVP_MD_type(dctx->md); 136 type = EVP_MD_type(dctx->md);
140 else 137 else
@@ -145,14 +142,15 @@ static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
145 142
146 if (ret <= 0) 143 if (ret <= 0)
147 return ret; 144 return ret;
148 *siglen = (size_t)sltmp; 145 *siglen = (size_t) sltmp;
149 return 1; 146 return 1;
150 } 147}
151 148
152static int pkey_ec_verify(EVP_PKEY_CTX *ctx, 149static int
153 const unsigned char *sig, size_t siglen, 150pkey_ec_verify(EVP_PKEY_CTX * ctx,
154 const unsigned char *tbs, size_t tbslen) 151 const unsigned char *sig, size_t siglen,
155 { 152 const unsigned char *tbs, size_t tbslen)
153{
156 int ret, type; 154 int ret, type;
157 EC_PKEY_CTX *dctx = ctx->data; 155 EC_PKEY_CTX *dctx = ctx->data;
158 EC_KEY *ec = ctx->pkey->pkey.ec; 156 EC_KEY *ec = ctx->pkey->pkey.ec;
@@ -165,116 +163,111 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
165 ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec); 163 ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec);
166 164
167 return ret; 165 return ret;
168 } 166}
169 167
170static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) 168static int
171 { 169pkey_ec_derive(EVP_PKEY_CTX * ctx, unsigned char *key, size_t * keylen)
170{
172 int ret; 171 int ret;
173 size_t outlen; 172 size_t outlen;
174 const EC_POINT *pubkey = NULL; 173 const EC_POINT *pubkey = NULL;
175 if (!ctx->pkey || !ctx->peerkey) 174 if (!ctx->pkey || !ctx->peerkey) {
176 {
177 ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET); 175 ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET);
178 return 0; 176 return 0;
179 } 177 }
180 178 if (!key) {
181 if (!key)
182 {
183 const EC_GROUP *group; 179 const EC_GROUP *group;
184 group = EC_KEY_get0_group(ctx->pkey->pkey.ec); 180 group = EC_KEY_get0_group(ctx->pkey->pkey.ec);
185 *keylen = (EC_GROUP_get_degree(group) + 7)/8; 181 *keylen = (EC_GROUP_get_degree(group) + 7) / 8;
186 return 1; 182 return 1;
187 } 183 }
188
189 pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec); 184 pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
190 185
191 /* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is 186 /*
187 * NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
192 * not an error, the result is truncated. 188 * not an error, the result is truncated.
193 */ 189 */
194 190
195 outlen = *keylen; 191 outlen = *keylen;
196 192
197 ret = ECDH_compute_key(key, outlen, pubkey, ctx->pkey->pkey.ec, 0); 193 ret = ECDH_compute_key(key, outlen, pubkey, ctx->pkey->pkey.ec, 0);
198 if (ret < 0) 194 if (ret < 0)
199 return ret; 195 return ret;
200 *keylen = ret; 196 *keylen = ret;
201 return 1; 197 return 1;
202 } 198}
203 199
204static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) 200static int
205 { 201pkey_ec_ctrl(EVP_PKEY_CTX * ctx, int type, int p1, void *p2)
202{
206 EC_PKEY_CTX *dctx = ctx->data; 203 EC_PKEY_CTX *dctx = ctx->data;
207 EC_GROUP *group; 204 EC_GROUP *group;
208 switch (type) 205 switch (type) {
209 { 206 case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID:
210 case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID:
211 group = EC_GROUP_new_by_curve_name(p1); 207 group = EC_GROUP_new_by_curve_name(p1);
212 if (group == NULL) 208 if (group == NULL) {
213 {
214 ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_CURVE); 209 ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_CURVE);
215 return 0; 210 return 0;
216 } 211 }
217 if (dctx->gen_group) 212 if (dctx->gen_group)
218 EC_GROUP_free(dctx->gen_group); 213 EC_GROUP_free(dctx->gen_group);
219 dctx->gen_group = group; 214 dctx->gen_group = group;
220 return 1; 215 return 1;
221 216
222 case EVP_PKEY_CTRL_MD: 217 case EVP_PKEY_CTRL_MD:
223 if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 && 218 if (EVP_MD_type((const EVP_MD *) p2) != NID_sha1 &&
224 EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 && 219 EVP_MD_type((const EVP_MD *) p2) != NID_ecdsa_with_SHA1 &&
225 EVP_MD_type((const EVP_MD *)p2) != NID_sha224 && 220 EVP_MD_type((const EVP_MD *) p2) != NID_sha224 &&
226 EVP_MD_type((const EVP_MD *)p2) != NID_sha256 && 221 EVP_MD_type((const EVP_MD *) p2) != NID_sha256 &&
227 EVP_MD_type((const EVP_MD *)p2) != NID_sha384 && 222 EVP_MD_type((const EVP_MD *) p2) != NID_sha384 &&
228 EVP_MD_type((const EVP_MD *)p2) != NID_sha512) 223 EVP_MD_type((const EVP_MD *) p2) != NID_sha512) {
229 {
230 ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE); 224 ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE);
231 return 0; 225 return 0;
232 } 226 }
233 dctx->md = p2; 227 dctx->md = p2;
234 return 1; 228 return 1;
235 229
236 case EVP_PKEY_CTRL_PEER_KEY: 230 case EVP_PKEY_CTRL_PEER_KEY:
237 /* Default behaviour is OK */ 231 /* Default behaviour is OK */
238 case EVP_PKEY_CTRL_DIGESTINIT: 232 case EVP_PKEY_CTRL_DIGESTINIT:
239 case EVP_PKEY_CTRL_PKCS7_SIGN: 233 case EVP_PKEY_CTRL_PKCS7_SIGN:
240 case EVP_PKEY_CTRL_CMS_SIGN: 234 case EVP_PKEY_CTRL_CMS_SIGN:
241 return 1; 235 return 1;
242 236
243 default: 237 default:
244 return -2; 238 return -2;
245 239
246 }
247 } 240 }
248 241}
249static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx, 242
250 const char *type, const char *value) 243static int
251 { 244pkey_ec_ctrl_str(EVP_PKEY_CTX * ctx,
252 if (!strcmp(type, "ec_paramgen_curve")) 245 const char *type, const char *value)
253 { 246{
247 if (!strcmp(type, "ec_paramgen_curve")) {
254 int nid; 248 int nid;
255 nid = OBJ_sn2nid(value); 249 nid = OBJ_sn2nid(value);
256 if (nid == NID_undef) 250 if (nid == NID_undef)
257 nid = OBJ_ln2nid(value); 251 nid = OBJ_ln2nid(value);
258 if (nid == NID_undef) 252 if (nid == NID_undef) {
259 {
260 ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_CURVE); 253 ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_CURVE);
261 return 0; 254 return 0;
262 }
263 return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
264 } 255 }
265 return -2; 256 return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
266 } 257 }
258 return -2;
259}
267 260
268static int pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 261static int
269 { 262pkey_ec_paramgen(EVP_PKEY_CTX * ctx, EVP_PKEY * pkey)
263{
270 EC_KEY *ec = NULL; 264 EC_KEY *ec = NULL;
271 EC_PKEY_CTX *dctx = ctx->data; 265 EC_PKEY_CTX *dctx = ctx->data;
272 int ret = 0; 266 int ret = 0;
273 if (dctx->gen_group == NULL) 267 if (dctx->gen_group == NULL) {
274 {
275 ECerr(EC_F_PKEY_EC_PARAMGEN, EC_R_NO_PARAMETERS_SET); 268 ECerr(EC_F_PKEY_EC_PARAMGEN, EC_R_NO_PARAMETERS_SET);
276 return 0; 269 return 0;
277 } 270 }
278 ec = EC_KEY_new(); 271 ec = EC_KEY_new();
279 if (!ec) 272 if (!ec)
280 return 0; 273 return 0;
@@ -284,16 +277,16 @@ static int pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
284 else 277 else
285 EC_KEY_free(ec); 278 EC_KEY_free(ec);
286 return ret; 279 return ret;
287 } 280}
288 281
289static int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 282static int
290 { 283pkey_ec_keygen(EVP_PKEY_CTX * ctx, EVP_PKEY * pkey)
284{
291 EC_KEY *ec = NULL; 285 EC_KEY *ec = NULL;
292 if (ctx->pkey == NULL) 286 if (ctx->pkey == NULL) {
293 {
294 ECerr(EC_F_PKEY_EC_KEYGEN, EC_R_NO_PARAMETERS_SET); 287 ECerr(EC_F_PKEY_EC_KEYGEN, EC_R_NO_PARAMETERS_SET);
295 return 0; 288 return 0;
296 } 289 }
297 ec = EC_KEY_new(); 290 ec = EC_KEY_new();
298 if (!ec) 291 if (!ec)
299 return 0; 292 return 0;
@@ -302,7 +295,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
302 if (!EVP_PKEY_copy_parameters(pkey, ctx->pkey)) 295 if (!EVP_PKEY_copy_parameters(pkey, ctx->pkey))
303 return 0; 296 return 0;
304 return EC_KEY_generate_key(pkey->pkey.ec); 297 return EC_KEY_generate_key(pkey->pkey.ec);
305 } 298}
306 299
307const EVP_PKEY_METHOD ec_pkey_meth = { 300const EVP_PKEY_METHOD ec_pkey_meth = {
308 .pkey_id = EVP_PKEY_EC, 301 .pkey_id = EVP_PKEY_EC,
diff --git a/src/lib/libcrypto/ec/ec_print.c b/src/lib/libcrypto/ec/ec_print.c
index 1655332c3c..84a78903b3 100644
--- a/src/lib/libcrypto/ec/ec_print.c
+++ b/src/lib/libcrypto/ec/ec_print.c
@@ -7,7 +7,7 @@
7 * are met: 7 * are met:
8 * 8 *
9 * 1. Redistributions of source code must retain the above copyright 9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
11 * 11 *
12 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in 13 * notice, this list of conditions and the following disclaimer in
@@ -56,29 +56,25 @@
56#include <openssl/crypto.h> 56#include <openssl/crypto.h>
57#include "ec_lcl.h" 57#include "ec_lcl.h"
58 58
59BIGNUM *EC_POINT_point2bn(const EC_GROUP *group, 59BIGNUM *
60 const EC_POINT *point, 60EC_POINT_point2bn(const EC_GROUP * group, const EC_POINT * point,
61 point_conversion_form_t form, 61 point_conversion_form_t form, BIGNUM * ret, BN_CTX * ctx)
62 BIGNUM *ret, 62{
63 BN_CTX *ctx) 63 size_t buf_len = 0;
64 {
65 size_t buf_len=0;
66 unsigned char *buf; 64 unsigned char *buf;
67 65
68 buf_len = EC_POINT_point2oct(group, point, form, 66 buf_len = EC_POINT_point2oct(group, point, form,
69 NULL, 0, ctx); 67 NULL, 0, ctx);
70 if (buf_len == 0) 68 if (buf_len == 0)
71 return NULL; 69 return NULL;
72 70
73 if ((buf = malloc(buf_len)) == NULL) 71 if ((buf = malloc(buf_len)) == NULL)
74 return NULL; 72 return NULL;
75 73
76 if (!EC_POINT_point2oct(group, point, form, buf, buf_len, ctx)) 74 if (!EC_POINT_point2oct(group, point, form, buf, buf_len, ctx)) {
77 {
78 free(buf); 75 free(buf);
79 return NULL; 76 return NULL;
80 } 77 }
81
82 ret = BN_bin2bn(buf, buf_len, ret); 78 ret = BN_bin2bn(buf, buf_len, ret);
83 79
84 free(buf); 80 free(buf);
@@ -86,103 +82,90 @@ BIGNUM *EC_POINT_point2bn(const EC_GROUP *group,
86 return ret; 82 return ret;
87} 83}
88 84
89EC_POINT *EC_POINT_bn2point(const EC_GROUP *group, 85EC_POINT *
90 const BIGNUM *bn, 86EC_POINT_bn2point(const EC_GROUP * group,
91 EC_POINT *point, 87 const BIGNUM * bn, EC_POINT * point, BN_CTX * ctx)
92 BN_CTX *ctx) 88{
93 { 89 size_t buf_len = 0;
94 size_t buf_len=0;
95 unsigned char *buf; 90 unsigned char *buf;
96 EC_POINT *ret; 91 EC_POINT *ret;
97 92
98 if ((buf_len = BN_num_bytes(bn)) == 0) return NULL; 93 if ((buf_len = BN_num_bytes(bn)) == 0)
94 return NULL;
99 buf = malloc(buf_len); 95 buf = malloc(buf_len);
100 if (buf == NULL) 96 if (buf == NULL)
101 return NULL; 97 return NULL;
102 98
103 if (!BN_bn2bin(bn, buf)) 99 if (!BN_bn2bin(bn, buf)) {
104 {
105 free(buf); 100 free(buf);
106 return NULL; 101 return NULL;
107 } 102 }
108 103 if (point == NULL) {
109 if (point == NULL) 104 if ((ret = EC_POINT_new(group)) == NULL) {
110 {
111 if ((ret = EC_POINT_new(group)) == NULL)
112 {
113 free(buf); 105 free(buf);
114 return NULL; 106 return NULL;
115 }
116 } 107 }
117 else 108 } else
118 ret = point; 109 ret = point;
119 110
120 if (!EC_POINT_oct2point(group, ret, buf, buf_len, ctx)) 111 if (!EC_POINT_oct2point(group, ret, buf, buf_len, ctx)) {
121 {
122 if (point == NULL) 112 if (point == NULL)
123 EC_POINT_clear_free(ret); 113 EC_POINT_clear_free(ret);
124 free(buf); 114 free(buf);
125 return NULL; 115 return NULL;
126 } 116 }
127
128 free(buf); 117 free(buf);
129 return ret; 118 return ret;
130 } 119}
131 120
132static const char *HEX_DIGITS = "0123456789ABCDEF"; 121static const char *HEX_DIGITS = "0123456789ABCDEF";
133 122
134/* the return value must be freed (using free()) */ 123/* the return value must be freed (using free()) */
135char *EC_POINT_point2hex(const EC_GROUP *group, 124char *
136 const EC_POINT *point, 125EC_POINT_point2hex(const EC_GROUP * group, const EC_POINT * point,
137 point_conversion_form_t form, 126 point_conversion_form_t form, BN_CTX * ctx)
138 BN_CTX *ctx) 127{
139 { 128 char *ret, *p;
140 char *ret, *p; 129 size_t buf_len = 0, i;
141 size_t buf_len=0,i;
142 unsigned char *buf, *pbuf; 130 unsigned char *buf, *pbuf;
143 131
144 buf_len = EC_POINT_point2oct(group, point, form, 132 buf_len = EC_POINT_point2oct(group, point, form,
145 NULL, 0, ctx); 133 NULL, 0, ctx);
146 if (buf_len == 0) 134 if (buf_len == 0)
147 return NULL; 135 return NULL;
148 136
149 if ((buf = malloc(buf_len)) == NULL) 137 if ((buf = malloc(buf_len)) == NULL)
150 return NULL; 138 return NULL;
151 139
152 if (!EC_POINT_point2oct(group, point, form, buf, buf_len, ctx)) 140 if (!EC_POINT_point2oct(group, point, form, buf, buf_len, ctx)) {
153 {
154 free(buf); 141 free(buf);
155 return NULL; 142 return NULL;
156 } 143 }
157 144 ret = (char *) malloc(buf_len * 2 + 2);
158 ret = (char *)malloc(buf_len*2+2); 145 if (ret == NULL) {
159 if (ret == NULL)
160 {
161 free(buf); 146 free(buf);
162 return NULL; 147 return NULL;
163 } 148 }
164 p = ret; 149 p = ret;
165 pbuf = buf; 150 pbuf = buf;
166 for (i=buf_len; i > 0; i--) 151 for (i = buf_len; i > 0; i--) {
167 { 152 int v = (int) *(pbuf++);
168 int v = (int) *(pbuf++); 153 *(p++) = HEX_DIGITS[v >> 4];
169 *(p++)=HEX_DIGITS[v>>4]; 154 *(p++) = HEX_DIGITS[v & 0x0F];
170 *(p++)=HEX_DIGITS[v&0x0F]; 155 }
171 } 156 *p = '\0';
172 *p='\0';
173 157
174 free(buf); 158 free(buf);
175 159
176 return ret; 160 return ret;
177 } 161}
178 162
179EC_POINT *EC_POINT_hex2point(const EC_GROUP *group, 163EC_POINT *
180 const char *buf, 164EC_POINT_hex2point(const EC_GROUP * group, const char *buf,
181 EC_POINT *point, 165 EC_POINT * point, BN_CTX * ctx)
182 BN_CTX *ctx) 166{
183 { 167 EC_POINT *ret = NULL;
184 EC_POINT *ret=NULL; 168 BIGNUM *tmp_bn = NULL;
185 BIGNUM *tmp_bn=NULL;
186 169
187 if (!BN_hex2bn(&tmp_bn, buf)) 170 if (!BN_hex2bn(&tmp_bn, buf))
188 return NULL; 171 return NULL;
@@ -192,4 +175,4 @@ EC_POINT *EC_POINT_hex2point(const EC_GROUP *group,
192 BN_clear_free(tmp_bn); 175 BN_clear_free(tmp_bn);
193 176
194 return ret; 177 return ret;
195 } 178}
diff --git a/src/lib/libcrypto/ec/eck_prn.c b/src/lib/libcrypto/ec/eck_prn.c
index 4e8c748bbc..86107d5142 100644
--- a/src/lib/libcrypto/ec/eck_prn.c
+++ b/src/lib/libcrypto/ec/eck_prn.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -57,7 +57,7 @@
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Portions originally developed by SUN MICROSYSTEMS, INC., and 60 * Portions originally developed by SUN MICROSYSTEMS, INC., and
61 * contributed to the OpenSSL project. 61 * contributed to the OpenSSL project.
62 */ 62 */
63 63
@@ -68,113 +68,112 @@
68#include <openssl/bn.h> 68#include <openssl/bn.h>
69 69
70#ifndef OPENSSL_NO_FP_API 70#ifndef OPENSSL_NO_FP_API
71int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off) 71int
72 { 72ECPKParameters_print_fp(FILE * fp, const EC_GROUP * x, int off)
73{
73 BIO *b; 74 BIO *b;
74 int ret; 75 int ret;
75 76
76 if ((b=BIO_new(BIO_s_file())) == NULL) 77 if ((b = BIO_new(BIO_s_file())) == NULL) {
77 { 78 ECerr(EC_F_ECPKPARAMETERS_PRINT_FP, ERR_R_BUF_LIB);
78 ECerr(EC_F_ECPKPARAMETERS_PRINT_FP,ERR_R_BUF_LIB); 79 return (0);
79 return(0); 80 }
80 }
81 BIO_set_fp(b, fp, BIO_NOCLOSE); 81 BIO_set_fp(b, fp, BIO_NOCLOSE);
82 ret = ECPKParameters_print(b, x, off); 82 ret = ECPKParameters_print(b, x, off);
83 BIO_free(b); 83 BIO_free(b);
84 return(ret); 84 return (ret);
85 } 85}
86 86
87int EC_KEY_print_fp(FILE *fp, const EC_KEY *x, int off) 87int
88 { 88EC_KEY_print_fp(FILE * fp, const EC_KEY * x, int off)
89{
89 BIO *b; 90 BIO *b;
90 int ret; 91 int ret;
91 92
92 if ((b=BIO_new(BIO_s_file())) == NULL) 93 if ((b = BIO_new(BIO_s_file())) == NULL) {
93 {
94 ECerr(EC_F_EC_KEY_PRINT_FP, ERR_R_BIO_LIB); 94 ECerr(EC_F_EC_KEY_PRINT_FP, ERR_R_BIO_LIB);
95 return(0); 95 return (0);
96 } 96 }
97 BIO_set_fp(b, fp, BIO_NOCLOSE); 97 BIO_set_fp(b, fp, BIO_NOCLOSE);
98 ret = EC_KEY_print(b, x, off); 98 ret = EC_KEY_print(b, x, off);
99 BIO_free(b); 99 BIO_free(b);
100 return(ret); 100 return (ret);
101 } 101}
102 102
103int ECParameters_print_fp(FILE *fp, const EC_KEY *x) 103int
104 { 104ECParameters_print_fp(FILE * fp, const EC_KEY * x)
105{
105 BIO *b; 106 BIO *b;
106 int ret; 107 int ret;
107 108
108 if ((b=BIO_new(BIO_s_file())) == NULL) 109 if ((b = BIO_new(BIO_s_file())) == NULL) {
109 {
110 ECerr(EC_F_ECPARAMETERS_PRINT_FP, ERR_R_BIO_LIB); 110 ECerr(EC_F_ECPARAMETERS_PRINT_FP, ERR_R_BIO_LIB);
111 return(0); 111 return (0);
112 } 112 }
113 BIO_set_fp(b, fp, BIO_NOCLOSE); 113 BIO_set_fp(b, fp, BIO_NOCLOSE);
114 ret = ECParameters_print(b, x); 114 ret = ECParameters_print(b, x);
115 BIO_free(b); 115 BIO_free(b);
116 return(ret); 116 return (ret);
117 } 117}
118#endif 118#endif
119 119
120int EC_KEY_print(BIO *bp, const EC_KEY *x, int off) 120int
121 { 121EC_KEY_print(BIO * bp, const EC_KEY * x, int off)
122{
122 EVP_PKEY *pk; 123 EVP_PKEY *pk;
123 int ret; 124 int ret;
124 pk = EVP_PKEY_new(); 125 pk = EVP_PKEY_new();
125 if (!pk || !EVP_PKEY_set1_EC_KEY(pk, (EC_KEY *)x)) 126 if (!pk || !EVP_PKEY_set1_EC_KEY(pk, (EC_KEY *) x))
126 return 0; 127 return 0;
127 ret = EVP_PKEY_print_private(bp, pk, off, NULL); 128 ret = EVP_PKEY_print_private(bp, pk, off, NULL);
128 EVP_PKEY_free(pk); 129 EVP_PKEY_free(pk);
129 return ret; 130 return ret;
130 } 131}
131 132
132int ECParameters_print(BIO *bp, const EC_KEY *x) 133int
133 { 134ECParameters_print(BIO * bp, const EC_KEY * x)
135{
134 EVP_PKEY *pk; 136 EVP_PKEY *pk;
135 int ret; 137 int ret;
136 pk = EVP_PKEY_new(); 138 pk = EVP_PKEY_new();
137 if (!pk || !EVP_PKEY_set1_EC_KEY(pk, (EC_KEY *)x)) 139 if (!pk || !EVP_PKEY_set1_EC_KEY(pk, (EC_KEY *) x))
138 return 0; 140 return 0;
139 ret = EVP_PKEY_print_params(bp, pk, 4, NULL); 141 ret = EVP_PKEY_print_params(bp, pk, 4, NULL);
140 EVP_PKEY_free(pk); 142 EVP_PKEY_free(pk);
141 return ret; 143 return ret;
142 } 144}
143 145
144static int print_bin(BIO *fp, const char *str, const unsigned char *num, 146static int
145 size_t len, int off); 147print_bin(BIO * fp, const char *str, const unsigned char *num,
146 148 size_t len, int off);
147int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off) 149
148 { 150int
149 unsigned char *buffer=NULL; 151ECPKParameters_print(BIO * bp, const EC_GROUP * x, int off)
150 size_t buf_len=0, i; 152{
151 int ret=0, reason=ERR_R_BIO_LIB; 153 unsigned char *buffer = NULL;
152 BN_CTX *ctx=NULL; 154 size_t buf_len = 0, i;
153 const EC_POINT *point=NULL; 155 int ret = 0, reason = ERR_R_BIO_LIB;
154 BIGNUM *p=NULL, *a=NULL, *b=NULL, *gen=NULL, 156 BN_CTX *ctx = NULL;
155 *order=NULL, *cofactor=NULL; 157 const EC_POINT *point = NULL;
158 BIGNUM *p = NULL, *a = NULL, *b = NULL, *gen = NULL, *order = NULL,
159 *cofactor = NULL;
156 const unsigned char *seed; 160 const unsigned char *seed;
157 size_t seed_len=0; 161 size_t seed_len = 0;
158 162
159 static const char *gen_compressed = "Generator (compressed):"; 163 static const char *gen_compressed = "Generator (compressed):";
160 static const char *gen_uncompressed = "Generator (uncompressed):"; 164 static const char *gen_uncompressed = "Generator (uncompressed):";
161 static const char *gen_hybrid = "Generator (hybrid):"; 165 static const char *gen_hybrid = "Generator (hybrid):";
162 166
163 if (!x) 167 if (!x) {
164 {
165 reason = ERR_R_PASSED_NULL_PARAMETER; 168 reason = ERR_R_PASSED_NULL_PARAMETER;
166 goto err; 169 goto err;
167 } 170 }
168
169 ctx = BN_CTX_new(); 171 ctx = BN_CTX_new();
170 if (ctx == NULL) 172 if (ctx == NULL) {
171 {
172 reason = ERR_R_MALLOC_FAILURE; 173 reason = ERR_R_MALLOC_FAILURE;
173 goto err; 174 goto err;
174 } 175 }
175 176 if (EC_GROUP_get_asn1_flag(x)) {
176 if (EC_GROUP_get_asn1_flag(x))
177 {
178 /* the curve parameter are given by an asn1 OID */ 177 /* the curve parameter are given by an asn1 OID */
179 int nid; 178 int nid;
180 179
@@ -189,9 +188,7 @@ int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off)
189 goto err; 188 goto err;
190 if (BIO_printf(bp, "\n") <= 0) 189 if (BIO_printf(bp, "\n") <= 0)
191 goto err; 190 goto err;
192 } 191 } else {
193 else
194 {
195 /* explicit parameters */ 192 /* explicit parameters */
196 int is_char_two = 0; 193 int is_char_two = 0;
197 point_conversion_form_t form; 194 point_conversion_form_t form;
@@ -201,84 +198,71 @@ int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off)
201 is_char_two = 1; 198 is_char_two = 1;
202 199
203 if ((p = BN_new()) == NULL || (a = BN_new()) == NULL || 200 if ((p = BN_new()) == NULL || (a = BN_new()) == NULL ||
204 (b = BN_new()) == NULL || (order = BN_new()) == NULL || 201 (b = BN_new()) == NULL || (order = BN_new()) == NULL ||
205 (cofactor = BN_new()) == NULL) 202 (cofactor = BN_new()) == NULL) {
206 {
207 reason = ERR_R_MALLOC_FAILURE; 203 reason = ERR_R_MALLOC_FAILURE;
208 goto err; 204 goto err;
209 } 205 }
210#ifndef OPENSSL_NO_EC2M 206#ifndef OPENSSL_NO_EC2M
211 if (is_char_two) 207 if (is_char_two) {
212 { 208 if (!EC_GROUP_get_curve_GF2m(x, p, a, b, ctx)) {
213 if (!EC_GROUP_get_curve_GF2m(x, p, a, b, ctx))
214 {
215 reason = ERR_R_EC_LIB; 209 reason = ERR_R_EC_LIB;
216 goto err; 210 goto err;
217 }
218 } 211 }
219 else /* prime field */ 212 } else /* prime field */
220#endif 213#endif
221 { 214 {
222 if (!EC_GROUP_get_curve_GFp(x, p, a, b, ctx)) 215 if (!EC_GROUP_get_curve_GFp(x, p, a, b, ctx)) {
223 {
224 reason = ERR_R_EC_LIB; 216 reason = ERR_R_EC_LIB;
225 goto err; 217 goto err;
226 }
227 } 218 }
219 }
228 220
229 if ((point = EC_GROUP_get0_generator(x)) == NULL) 221 if ((point = EC_GROUP_get0_generator(x)) == NULL) {
230 {
231 reason = ERR_R_EC_LIB; 222 reason = ERR_R_EC_LIB;
232 goto err; 223 goto err;
233 } 224 }
234 if (!EC_GROUP_get_order(x, order, NULL) || 225 if (!EC_GROUP_get_order(x, order, NULL) ||
235 !EC_GROUP_get_cofactor(x, cofactor, NULL)) 226 !EC_GROUP_get_cofactor(x, cofactor, NULL)) {
236 {
237 reason = ERR_R_EC_LIB; 227 reason = ERR_R_EC_LIB;
238 goto err; 228 goto err;
239 } 229 }
240
241 form = EC_GROUP_get_point_conversion_form(x); 230 form = EC_GROUP_get_point_conversion_form(x);
242 231
243 if ((gen = EC_POINT_point2bn(x, point, 232 if ((gen = EC_POINT_point2bn(x, point,
244 form, NULL, ctx)) == NULL) 233 form, NULL, ctx)) == NULL) {
245 {
246 reason = ERR_R_EC_LIB; 234 reason = ERR_R_EC_LIB;
247 goto err; 235 goto err;
248 } 236 }
249 237 buf_len = (size_t) BN_num_bytes(p);
250 buf_len = (size_t)BN_num_bytes(p); 238 if (buf_len < (i = (size_t) BN_num_bytes(a)))
251 if (buf_len < (i = (size_t)BN_num_bytes(a)))
252 buf_len = i; 239 buf_len = i;
253 if (buf_len < (i = (size_t)BN_num_bytes(b))) 240 if (buf_len < (i = (size_t) BN_num_bytes(b)))
254 buf_len = i; 241 buf_len = i;
255 if (buf_len < (i = (size_t)BN_num_bytes(gen))) 242 if (buf_len < (i = (size_t) BN_num_bytes(gen)))
256 buf_len = i; 243 buf_len = i;
257 if (buf_len < (i = (size_t)BN_num_bytes(order))) 244 if (buf_len < (i = (size_t) BN_num_bytes(order)))
258 buf_len = i; 245 buf_len = i;
259 if (buf_len < (i = (size_t)BN_num_bytes(cofactor))) 246 if (buf_len < (i = (size_t) BN_num_bytes(cofactor)))
260 buf_len = i; 247 buf_len = i;
261 248
262 if ((seed = EC_GROUP_get0_seed(x)) != NULL) 249 if ((seed = EC_GROUP_get0_seed(x)) != NULL)
263 seed_len = EC_GROUP_get_seed_len(x); 250 seed_len = EC_GROUP_get_seed_len(x);
264 251
265 buf_len += 10; 252 buf_len += 10;
266 if ((buffer = malloc(buf_len)) == NULL) 253 if ((buffer = malloc(buf_len)) == NULL) {
267 {
268 reason = ERR_R_MALLOC_FAILURE; 254 reason = ERR_R_MALLOC_FAILURE;
269 goto err; 255 goto err;
270 } 256 }
271
272 if (!BIO_indent(bp, off, 128)) 257 if (!BIO_indent(bp, off, 128))
273 goto err; 258 goto err;
274 259
275 /* print the 'short name' of the field type */ 260 /* print the 'short name' of the field type */
276 if (BIO_printf(bp, "Field Type: %s\n", OBJ_nid2sn(tmp_nid)) 261 if (BIO_printf(bp, "Field Type: %s\n", OBJ_nid2sn(tmp_nid))
277 <= 0) 262 <= 0)
278 goto err; 263 goto err;
279 264
280 if (is_char_two) 265 if (is_char_two) {
281 {
282 /* print the 'short name' of the base type OID */ 266 /* print the 'short name' of the base type OID */
283 int basis_type = EC_GROUP_get_basis_type(x); 267 int basis_type = EC_GROUP_get_basis_type(x);
284 if (basis_type == 0) 268 if (basis_type == 0)
@@ -287,7 +271,7 @@ int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off)
287 if (!BIO_indent(bp, off, 128)) 271 if (!BIO_indent(bp, off, 128))
288 goto err; 272 goto err;
289 273
290 if (BIO_printf(bp, "Basis Type: %s\n", 274 if (BIO_printf(bp, "Basis Type: %s\n",
291 OBJ_nid2sn(basis_type)) <= 0) 275 OBJ_nid2sn(basis_type)) <= 0)
292 goto err; 276 goto err;
293 277
@@ -295,48 +279,43 @@ int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off)
295 if ((p != NULL) && !ASN1_bn_print(bp, "Polynomial:", p, buffer, 279 if ((p != NULL) && !ASN1_bn_print(bp, "Polynomial:", p, buffer,
296 off)) 280 off))
297 goto err; 281 goto err;
298 } 282 } else {
299 else 283 if ((p != NULL) && !ASN1_bn_print(bp, "Prime:", p, buffer, off))
300 {
301 if ((p != NULL) && !ASN1_bn_print(bp, "Prime:", p, buffer,off))
302 goto err; 284 goto err;
303 } 285 }
304 if ((a != NULL) && !ASN1_bn_print(bp, "A: ", a, buffer, off)) 286 if ((a != NULL) && !ASN1_bn_print(bp, "A: ", a, buffer, off))
305 goto err; 287 goto err;
306 if ((b != NULL) && !ASN1_bn_print(bp, "B: ", b, buffer, off)) 288 if ((b != NULL) && !ASN1_bn_print(bp, "B: ", b, buffer, off))
307 goto err; 289 goto err;
308 if (form == POINT_CONVERSION_COMPRESSED) 290 if (form == POINT_CONVERSION_COMPRESSED) {
309 {
310 if ((gen != NULL) && !ASN1_bn_print(bp, gen_compressed, gen, 291 if ((gen != NULL) && !ASN1_bn_print(bp, gen_compressed, gen,
311 buffer, off)) 292 buffer, off))
312 goto err; 293 goto err;
313 } 294 } else if (form == POINT_CONVERSION_UNCOMPRESSED) {
314 else if (form == POINT_CONVERSION_UNCOMPRESSED)
315 {
316 if ((gen != NULL) && !ASN1_bn_print(bp, gen_uncompressed, gen, 295 if ((gen != NULL) && !ASN1_bn_print(bp, gen_uncompressed, gen,
317 buffer, off)) 296 buffer, off))
318 goto err; 297 goto err;
319 } 298 } else { /* form == POINT_CONVERSION_HYBRID */
320 else /* form == POINT_CONVERSION_HYBRID */
321 {
322 if ((gen != NULL) && !ASN1_bn_print(bp, gen_hybrid, gen, 299 if ((gen != NULL) && !ASN1_bn_print(bp, gen_hybrid, gen,
323 buffer, off)) 300 buffer, off))
324 goto err; 301 goto err;
325 } 302 }
326 if ((order != NULL) && !ASN1_bn_print(bp, "Order: ", order, 303 if ((order != NULL) && !ASN1_bn_print(bp, "Order: ", order,
327 buffer, off)) goto err; 304 buffer, off))
328 if ((cofactor != NULL) && !ASN1_bn_print(bp, "Cofactor: ", cofactor, 305 goto err;
329 buffer, off)) goto err; 306 if ((cofactor != NULL) && !ASN1_bn_print(bp, "Cofactor: ", cofactor,
307 buffer, off))
308 goto err;
330 if (seed && !print_bin(bp, "Seed:", seed, seed_len, off)) 309 if (seed && !print_bin(bp, "Seed:", seed, seed_len, off))
331 goto err; 310 goto err;
332 } 311 }
333 ret=1; 312 ret = 1;
334err: 313err:
335 if (!ret) 314 if (!ret)
336 ECerr(EC_F_ECPKPARAMETERS_PRINT, reason); 315 ECerr(EC_F_ECPKPARAMETERS_PRINT, reason);
337 if (p) 316 if (p)
338 BN_free(p); 317 BN_free(p);
339 if (a) 318 if (a)
340 BN_free(a); 319 BN_free(a);
341 if (b) 320 if (b)
342 BN_free(b); 321 BN_free(b);
@@ -348,45 +327,42 @@ err:
348 BN_free(cofactor); 327 BN_free(cofactor);
349 if (ctx) 328 if (ctx)
350 BN_CTX_free(ctx); 329 BN_CTX_free(ctx);
351 if (buffer != NULL) 330 if (buffer != NULL)
352 free(buffer); 331 free(buffer);
353 return(ret); 332 return (ret);
354 } 333}
355 334
356static int print_bin(BIO *fp, const char *name, const unsigned char *buf, 335static int
357 size_t len, int off) 336print_bin(BIO * fp, const char *name, const unsigned char *buf,
358 { 337 size_t len, int off)
338{
359 size_t i; 339 size_t i;
360 char str[128]; 340 char str[128];
361 341
362 if (buf == NULL) 342 if (buf == NULL)
363 return 1; 343 return 1;
364 if (off) 344 if (off) {
365 {
366 if (off > 128) 345 if (off > 128)
367 off=128; 346 off = 128;
368 memset(str,' ',off); 347 memset(str, ' ', off);
369 if (BIO_write(fp, str, off) <= 0) 348 if (BIO_write(fp, str, off) <= 0)
370 return 0; 349 return 0;
371 } 350 }
372 351 if (BIO_printf(fp, "%s", name) <= 0)
373 if (BIO_printf(fp,"%s", name) <= 0)
374 return 0; 352 return 0;
375 353
376 for (i=0; i<len; i++) 354 for (i = 0; i < len; i++) {
377 { 355 if ((i % 15) == 0) {
378 if ((i%15) == 0) 356 str[0] = '\n';
379 { 357 memset(&(str[1]), ' ', off + 4);
380 str[0]='\n'; 358 if (BIO_write(fp, str, off + 1 + 4) <= 0)
381 memset(&(str[1]),' ',off+4);
382 if (BIO_write(fp, str, off+1+4) <= 0)
383 return 0; 359 return 0;
384 }
385 if (BIO_printf(fp,"%02x%s",buf[i],((i+1) == len)?"":":") <= 0)
386 return 0;
387 } 360 }
388 if (BIO_write(fp,"\n",1) <= 0) 361 if (BIO_printf(fp, "%02x%s", buf[i], ((i + 1) == len) ? "" : ":") <= 0)
362 return 0;
363 }
364 if (BIO_write(fp, "\n", 1) <= 0)
389 return 0; 365 return 0;
390 366
391 return 1; 367 return 1;
392 } 368}
diff --git a/src/lib/libcrypto/ec/ecp_mont.c b/src/lib/libcrypto/ec/ecp_mont.c
index 6b5b856344..ececbe56dd 100644
--- a/src/lib/libcrypto/ec/ecp_mont.c
+++ b/src/lib/libcrypto/ec/ecp_mont.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -80,20 +80,20 @@ EC_GFp_mont_method(void)
80 .group_get_curve = ec_GFp_simple_group_get_curve, 80 .group_get_curve = ec_GFp_simple_group_get_curve,
81 .group_get_degree = ec_GFp_simple_group_get_degree, 81 .group_get_degree = ec_GFp_simple_group_get_degree,
82 .group_check_discriminant = 82 .group_check_discriminant =
83 ec_GFp_simple_group_check_discriminant, 83 ec_GFp_simple_group_check_discriminant,
84 .point_init = ec_GFp_simple_point_init, 84 .point_init = ec_GFp_simple_point_init,
85 .point_finish = ec_GFp_simple_point_finish, 85 .point_finish = ec_GFp_simple_point_finish,
86 .point_clear_finish = ec_GFp_simple_point_clear_finish, 86 .point_clear_finish = ec_GFp_simple_point_clear_finish,
87 .point_copy = ec_GFp_simple_point_copy, 87 .point_copy = ec_GFp_simple_point_copy,
88 .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, 88 .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
89 .point_set_Jprojective_coordinates_GFp = 89 .point_set_Jprojective_coordinates_GFp =
90 ec_GFp_simple_set_Jprojective_coordinates_GFp, 90 ec_GFp_simple_set_Jprojective_coordinates_GFp,
91 .point_get_Jprojective_coordinates_GFp = 91 .point_get_Jprojective_coordinates_GFp =
92 ec_GFp_simple_get_Jprojective_coordinates_GFp, 92 ec_GFp_simple_get_Jprojective_coordinates_GFp,
93 .point_set_affine_coordinates = 93 .point_set_affine_coordinates =
94 ec_GFp_simple_point_set_affine_coordinates, 94 ec_GFp_simple_point_set_affine_coordinates,
95 .point_get_affine_coordinates = 95 .point_get_affine_coordinates =
96 ec_GFp_simple_point_get_affine_coordinates, 96 ec_GFp_simple_point_get_affine_coordinates,
97 .add = ec_GFp_simple_add, 97 .add = ec_GFp_simple_add,
98 .dbl = ec_GFp_simple_dbl, 98 .dbl = ec_GFp_simple_dbl,
99 .invert = ec_GFp_simple_invert, 99 .invert = ec_GFp_simple_invert,
@@ -113,123 +113,119 @@ EC_GFp_mont_method(void)
113} 113}
114 114
115 115
116int ec_GFp_mont_group_init(EC_GROUP *group) 116int
117 { 117ec_GFp_mont_group_init(EC_GROUP * group)
118{
118 int ok; 119 int ok;
119 120
120 ok = ec_GFp_simple_group_init(group); 121 ok = ec_GFp_simple_group_init(group);
121 group->field_data1 = NULL; 122 group->field_data1 = NULL;
122 group->field_data2 = NULL; 123 group->field_data2 = NULL;
123 return ok; 124 return ok;
124 } 125}
125 126
126 127
127void ec_GFp_mont_group_finish(EC_GROUP *group) 128void
128 { 129ec_GFp_mont_group_finish(EC_GROUP * group)
129 if (group->field_data1 != NULL) 130{
130 { 131 if (group->field_data1 != NULL) {
131 BN_MONT_CTX_free(group->field_data1); 132 BN_MONT_CTX_free(group->field_data1);
132 group->field_data1 = NULL; 133 group->field_data1 = NULL;
133 } 134 }
134 if (group->field_data2 != NULL) 135 if (group->field_data2 != NULL) {
135 {
136 BN_free(group->field_data2); 136 BN_free(group->field_data2);
137 group->field_data2 = NULL; 137 group->field_data2 = NULL;
138 }
139 ec_GFp_simple_group_finish(group);
140 } 138 }
139 ec_GFp_simple_group_finish(group);
140}
141 141
142 142
143void ec_GFp_mont_group_clear_finish(EC_GROUP *group) 143void
144 { 144ec_GFp_mont_group_clear_finish(EC_GROUP * group)
145 if (group->field_data1 != NULL) 145{
146 { 146 if (group->field_data1 != NULL) {
147 BN_MONT_CTX_free(group->field_data1); 147 BN_MONT_CTX_free(group->field_data1);
148 group->field_data1 = NULL; 148 group->field_data1 = NULL;
149 } 149 }
150 if (group->field_data2 != NULL) 150 if (group->field_data2 != NULL) {
151 {
152 BN_clear_free(group->field_data2); 151 BN_clear_free(group->field_data2);
153 group->field_data2 = NULL; 152 group->field_data2 = NULL;
154 }
155 ec_GFp_simple_group_clear_finish(group);
156 } 153 }
154 ec_GFp_simple_group_clear_finish(group);
155}
157 156
158 157
159int ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src) 158int
160 { 159ec_GFp_mont_group_copy(EC_GROUP * dest, const EC_GROUP * src)
161 if (dest->field_data1 != NULL) 160{
162 { 161 if (dest->field_data1 != NULL) {
163 BN_MONT_CTX_free(dest->field_data1); 162 BN_MONT_CTX_free(dest->field_data1);
164 dest->field_data1 = NULL; 163 dest->field_data1 = NULL;
165 } 164 }
166 if (dest->field_data2 != NULL) 165 if (dest->field_data2 != NULL) {
167 {
168 BN_clear_free(dest->field_data2); 166 BN_clear_free(dest->field_data2);
169 dest->field_data2 = NULL; 167 dest->field_data2 = NULL;
170 } 168 }
171 169 if (!ec_GFp_simple_group_copy(dest, src))
172 if (!ec_GFp_simple_group_copy(dest, src)) return 0; 170 return 0;
173 171
174 if (src->field_data1 != NULL) 172 if (src->field_data1 != NULL) {
175 {
176 dest->field_data1 = BN_MONT_CTX_new(); 173 dest->field_data1 = BN_MONT_CTX_new();
177 if (dest->field_data1 == NULL) return 0; 174 if (dest->field_data1 == NULL)
178 if (!BN_MONT_CTX_copy(dest->field_data1, src->field_data1)) goto err; 175 return 0;
179 } 176 if (!BN_MONT_CTX_copy(dest->field_data1, src->field_data1))
180 if (src->field_data2 != NULL) 177 goto err;
181 { 178 }
179 if (src->field_data2 != NULL) {
182 dest->field_data2 = BN_dup(src->field_data2); 180 dest->field_data2 = BN_dup(src->field_data2);
183 if (dest->field_data2 == NULL) goto err; 181 if (dest->field_data2 == NULL)
184 } 182 goto err;
185 183 }
186 return 1; 184 return 1;
187 185
188 err: 186err:
189 if (dest->field_data1 != NULL) 187 if (dest->field_data1 != NULL) {
190 {
191 BN_MONT_CTX_free(dest->field_data1); 188 BN_MONT_CTX_free(dest->field_data1);
192 dest->field_data1 = NULL; 189 dest->field_data1 = NULL;
193 }
194 return 0;
195 } 190 }
191 return 0;
192}
196 193
197 194
198int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 195int
199 { 196ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
197 const BIGNUM *b, BN_CTX *ctx)
198{
200 BN_CTX *new_ctx = NULL; 199 BN_CTX *new_ctx = NULL;
201 BN_MONT_CTX *mont = NULL; 200 BN_MONT_CTX *mont = NULL;
202 BIGNUM *one = NULL; 201 BIGNUM *one = NULL;
203 int ret = 0; 202 int ret = 0;
204 203
205 if (group->field_data1 != NULL) 204 if (group->field_data1 != NULL) {
206 {
207 BN_MONT_CTX_free(group->field_data1); 205 BN_MONT_CTX_free(group->field_data1);
208 group->field_data1 = NULL; 206 group->field_data1 = NULL;
209 } 207 }
210 if (group->field_data2 != NULL) 208 if (group->field_data2 != NULL) {
211 {
212 BN_free(group->field_data2); 209 BN_free(group->field_data2);
213 group->field_data2 = NULL; 210 group->field_data2 = NULL;
214 } 211 }
215 212 if (ctx == NULL) {
216 if (ctx == NULL)
217 {
218 ctx = new_ctx = BN_CTX_new(); 213 ctx = new_ctx = BN_CTX_new();
219 if (ctx == NULL) 214 if (ctx == NULL)
220 return 0; 215 return 0;
221 } 216 }
222
223 mont = BN_MONT_CTX_new(); 217 mont = BN_MONT_CTX_new();
224 if (mont == NULL) goto err; 218 if (mont == NULL)
225 if (!BN_MONT_CTX_set(mont, p, ctx)) 219 goto err;
226 { 220 if (!BN_MONT_CTX_set(mont, p, ctx)) {
227 ECerr(EC_F_EC_GFP_MONT_GROUP_SET_CURVE, ERR_R_BN_LIB); 221 ECerr(EC_F_EC_GFP_MONT_GROUP_SET_CURVE, ERR_R_BN_LIB);
228 goto err; 222 goto err;
229 } 223 }
230 one = BN_new(); 224 one = BN_new();
231 if (one == NULL) goto err; 225 if (one == NULL)
232 if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) goto err; 226 goto err;
227 if (!BN_to_montgomery(one, BN_value_one(), mont, ctx))
228 goto err;
233 229
234 group->field_data1 = mont; 230 group->field_data1 = mont;
235 mont = NULL; 231 mont = NULL;
@@ -238,79 +234,77 @@ int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *
238 234
239 ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); 235 ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
240 236
241 if (!ret) 237 if (!ret) {
242 {
243 BN_MONT_CTX_free(group->field_data1); 238 BN_MONT_CTX_free(group->field_data1);
244 group->field_data1 = NULL; 239 group->field_data1 = NULL;
245 BN_free(group->field_data2); 240 BN_free(group->field_data2);
246 group->field_data2 = NULL; 241 group->field_data2 = NULL;
247 } 242 }
248 243err:
249 err:
250 if (new_ctx != NULL) 244 if (new_ctx != NULL)
251 BN_CTX_free(new_ctx); 245 BN_CTX_free(new_ctx);
252 if (mont != NULL) 246 if (mont != NULL)
253 BN_MONT_CTX_free(mont); 247 BN_MONT_CTX_free(mont);
254 return ret; 248 return ret;
255 } 249}
256 250
257 251
258int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 252int
259 { 253ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
260 if (group->field_data1 == NULL) 254 const BIGNUM *b, BN_CTX *ctx)
261 { 255{
256 if (group->field_data1 == NULL) {
262 ECerr(EC_F_EC_GFP_MONT_FIELD_MUL, EC_R_NOT_INITIALIZED); 257 ECerr(EC_F_EC_GFP_MONT_FIELD_MUL, EC_R_NOT_INITIALIZED);
263 return 0; 258 return 0;
264 }
265
266 return BN_mod_mul_montgomery(r, a, b, group->field_data1, ctx);
267 } 259 }
260 return BN_mod_mul_montgomery(r, a, b, group->field_data1, ctx);
261}
268 262
269 263
270int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) 264int
271 { 265ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
272 if (group->field_data1 == NULL) 266 BN_CTX *ctx)
273 { 267{
268 if (group->field_data1 == NULL) {
274 ECerr(EC_F_EC_GFP_MONT_FIELD_SQR, EC_R_NOT_INITIALIZED); 269 ECerr(EC_F_EC_GFP_MONT_FIELD_SQR, EC_R_NOT_INITIALIZED);
275 return 0; 270 return 0;
276 }
277
278 return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
279 } 271 }
272 return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
273}
280 274
281 275
282int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) 276int
283 { 277ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
284 if (group->field_data1 == NULL) 278 BN_CTX *ctx)
285 { 279{
280 if (group->field_data1 == NULL) {
286 ECerr(EC_F_EC_GFP_MONT_FIELD_ENCODE, EC_R_NOT_INITIALIZED); 281 ECerr(EC_F_EC_GFP_MONT_FIELD_ENCODE, EC_R_NOT_INITIALIZED);
287 return 0; 282 return 0;
288 }
289
290 return BN_to_montgomery(r, a, (BN_MONT_CTX *)group->field_data1, ctx);
291 } 283 }
284 return BN_to_montgomery(r, a, (BN_MONT_CTX *) group->field_data1, ctx);
285}
292 286
293 287
294int ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) 288int
295 { 289ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
296 if (group->field_data1 == NULL) 290 BN_CTX *ctx)
297 { 291{
292 if (group->field_data1 == NULL) {
298 ECerr(EC_F_EC_GFP_MONT_FIELD_DECODE, EC_R_NOT_INITIALIZED); 293 ECerr(EC_F_EC_GFP_MONT_FIELD_DECODE, EC_R_NOT_INITIALIZED);
299 return 0; 294 return 0;
300 }
301
302 return BN_from_montgomery(r, a, group->field_data1, ctx);
303 } 295 }
296 return BN_from_montgomery(r, a, group->field_data1, ctx);
297}
304 298
305 299
306int ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, BN_CTX *ctx) 300int
307 { 301ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, BN_CTX *ctx)
308 if (group->field_data2 == NULL) 302{
309 { 303 if (group->field_data2 == NULL) {
310 ECerr(EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE, EC_R_NOT_INITIALIZED); 304 ECerr(EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE, EC_R_NOT_INITIALIZED);
311 return 0; 305 return 0;
312 }
313
314 if (!BN_copy(r, group->field_data2)) return 0;
315 return 1;
316 } 306 }
307 if (!BN_copy(r, group->field_data2))
308 return 0;
309 return 1;
310}
diff --git a/src/lib/libcrypto/ec/ecp_nist.c b/src/lib/libcrypto/ec/ecp_nist.c
index 479cff8fc9..60c4a2d790 100644
--- a/src/lib/libcrypto/ec/ecp_nist.c
+++ b/src/lib/libcrypto/ec/ecp_nist.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -81,20 +81,20 @@ EC_GFp_nist_method(void)
81 .group_get_curve = ec_GFp_simple_group_get_curve, 81 .group_get_curve = ec_GFp_simple_group_get_curve,
82 .group_get_degree = ec_GFp_simple_group_get_degree, 82 .group_get_degree = ec_GFp_simple_group_get_degree,
83 .group_check_discriminant = 83 .group_check_discriminant =
84 ec_GFp_simple_group_check_discriminant, 84 ec_GFp_simple_group_check_discriminant,
85 .point_init = ec_GFp_simple_point_init, 85 .point_init = ec_GFp_simple_point_init,
86 .point_finish = ec_GFp_simple_point_finish, 86 .point_finish = ec_GFp_simple_point_finish,
87 .point_clear_finish = ec_GFp_simple_point_clear_finish, 87 .point_clear_finish = ec_GFp_simple_point_clear_finish,
88 .point_copy = ec_GFp_simple_point_copy, 88 .point_copy = ec_GFp_simple_point_copy,
89 .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, 89 .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
90 .point_set_Jprojective_coordinates_GFp = 90 .point_set_Jprojective_coordinates_GFp =
91 ec_GFp_simple_set_Jprojective_coordinates_GFp, 91 ec_GFp_simple_set_Jprojective_coordinates_GFp,
92 .point_get_Jprojective_coordinates_GFp = 92 .point_get_Jprojective_coordinates_GFp =
93 ec_GFp_simple_get_Jprojective_coordinates_GFp, 93 ec_GFp_simple_get_Jprojective_coordinates_GFp,
94 .point_set_affine_coordinates = 94 .point_set_affine_coordinates =
95 ec_GFp_simple_point_set_affine_coordinates, 95 ec_GFp_simple_point_set_affine_coordinates,
96 .point_get_affine_coordinates = 96 .point_get_affine_coordinates =
97 ec_GFp_simple_point_get_affine_coordinates, 97 ec_GFp_simple_point_get_affine_coordinates,
98 .add = ec_GFp_simple_add, 98 .add = ec_GFp_simple_add,
99 .dbl = ec_GFp_simple_dbl, 99 .dbl = ec_GFp_simple_dbl,
100 .invert = ec_GFp_simple_invert, 100 .invert = ec_GFp_simple_invert,
@@ -110,25 +110,29 @@ EC_GFp_nist_method(void)
110 return &ret; 110 return &ret;
111} 111}
112 112
113int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src) 113int
114 { 114ec_GFp_nist_group_copy(EC_GROUP * dest, const EC_GROUP * src)
115{
115 dest->field_mod_func = src->field_mod_func; 116 dest->field_mod_func = src->field_mod_func;
116 117
117 return ec_GFp_simple_group_copy(dest, src); 118 return ec_GFp_simple_group_copy(dest, src);
118 } 119}
119 120
120int ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p, 121int
121 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 122ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p,
122 { 123 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
124{
123 int ret = 0; 125 int ret = 0;
124 BN_CTX *new_ctx = NULL; 126 BN_CTX *new_ctx = NULL;
125 BIGNUM *tmp_bn; 127 BIGNUM *tmp_bn;
126 128
127 if (ctx == NULL) 129 if (ctx == NULL)
128 if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0; 130 if ((ctx = new_ctx = BN_CTX_new()) == NULL)
131 return 0;
129 132
130 BN_CTX_start(ctx); 133 BN_CTX_start(ctx);
131 if ((tmp_bn = BN_CTX_get(ctx)) == NULL) goto err; 134 if ((tmp_bn = BN_CTX_get(ctx)) == NULL)
135 goto err;
132 136
133 if (BN_ucmp(BN_get0_nist_prime_192(), p) == 0) 137 if (BN_ucmp(BN_get0_nist_prime_192(), p) == 0)
134 group->field_mod_func = BN_nist_mod_192; 138 group->field_mod_func = BN_nist_mod_192;
@@ -140,69 +144,72 @@ int ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p,
140 group->field_mod_func = BN_nist_mod_384; 144 group->field_mod_func = BN_nist_mod_384;
141 else if (BN_ucmp(BN_get0_nist_prime_521(), p) == 0) 145 else if (BN_ucmp(BN_get0_nist_prime_521(), p) == 0)
142 group->field_mod_func = BN_nist_mod_521; 146 group->field_mod_func = BN_nist_mod_521;
143 else 147 else {
144 {
145 ECerr(EC_F_EC_GFP_NIST_GROUP_SET_CURVE, EC_R_NOT_A_NIST_PRIME); 148 ECerr(EC_F_EC_GFP_NIST_GROUP_SET_CURVE, EC_R_NOT_A_NIST_PRIME);
146 goto err; 149 goto err;
147 } 150 }
148 151
149 ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); 152 ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
150 153
151 err: 154err:
152 BN_CTX_end(ctx); 155 BN_CTX_end(ctx);
153 if (new_ctx != NULL) 156 if (new_ctx != NULL)
154 BN_CTX_free(new_ctx); 157 BN_CTX_free(new_ctx);
155 return ret; 158 return ret;
156 } 159}
157 160
158 161
159int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, 162int
160 const BIGNUM *b, BN_CTX *ctx) 163ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
161 { 164 const BIGNUM *b, BN_CTX *ctx)
162 int ret=0; 165{
163 BN_CTX *ctx_new=NULL; 166 int ret = 0;
167 BN_CTX *ctx_new = NULL;
164 168
165 if (!group || !r || !a || !b) 169 if (!group || !r || !a || !b) {
166 {
167 ECerr(EC_F_EC_GFP_NIST_FIELD_MUL, ERR_R_PASSED_NULL_PARAMETER); 170 ECerr(EC_F_EC_GFP_NIST_FIELD_MUL, ERR_R_PASSED_NULL_PARAMETER);
168 goto err; 171 goto err;
169 } 172 }
170 if (!ctx) 173 if (!ctx)
171 if ((ctx_new = ctx = BN_CTX_new()) == NULL) goto err; 174 if ((ctx_new = ctx = BN_CTX_new()) == NULL)
175 goto err;
172 176
173 if (!BN_mul(r, a, b, ctx)) goto err; 177 if (!BN_mul(r, a, b, ctx))
178 goto err;
174 if (!group->field_mod_func(r, r, &group->field, ctx)) 179 if (!group->field_mod_func(r, r, &group->field, ctx))
175 goto err; 180 goto err;
176 181
177 ret=1; 182 ret = 1;
178err: 183err:
179 if (ctx_new) 184 if (ctx_new)
180 BN_CTX_free(ctx_new); 185 BN_CTX_free(ctx_new);
181 return ret; 186 return ret;
182 } 187}
183 188
184 189
185int ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, 190int
186 BN_CTX *ctx) 191ec_GFp_nist_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a,
187 { 192 BN_CTX * ctx)
188 int ret=0; 193{
189 BN_CTX *ctx_new=NULL; 194 int ret = 0;
195 BN_CTX *ctx_new = NULL;
190 196
191 if (!group || !r || !a) 197 if (!group || !r || !a) {
192 {
193 ECerr(EC_F_EC_GFP_NIST_FIELD_SQR, EC_R_PASSED_NULL_PARAMETER); 198 ECerr(EC_F_EC_GFP_NIST_FIELD_SQR, EC_R_PASSED_NULL_PARAMETER);
194 goto err; 199 goto err;
195 } 200 }
196 if (!ctx) 201 if (!ctx)
197 if ((ctx_new = ctx = BN_CTX_new()) == NULL) goto err; 202 if ((ctx_new = ctx = BN_CTX_new()) == NULL)
203 goto err;
198 204
199 if (!BN_sqr(r, a, ctx)) goto err; 205 if (!BN_sqr(r, a, ctx))
206 goto err;
200 if (!group->field_mod_func(r, r, &group->field, ctx)) 207 if (!group->field_mod_func(r, r, &group->field, ctx))
201 goto err; 208 goto err;
202 209
203 ret=1; 210 ret = 1;
204err: 211err:
205 if (ctx_new) 212 if (ctx_new)
206 BN_CTX_free(ctx_new); 213 BN_CTX_free(ctx_new);
207 return ret; 214 return ret;
208 } 215}
diff --git a/src/lib/libcrypto/ec/ecp_nistp224.c b/src/lib/libcrypto/ec/ecp_nistp224.c
index 696024a549..057670cf04 100644
--- a/src/lib/libcrypto/ec/ecp_nistp224.c
+++ b/src/lib/libcrypto/ec/ecp_nistp224.c
@@ -280,37 +280,40 @@ EC_GFp_nistp224_method(void)
280} 280}
281 281
282/* Helper functions to convert field elements to/from internal representation */ 282/* Helper functions to convert field elements to/from internal representation */
283static void bin28_to_felem(felem out, const u8 in[28]) 283static void
284 { 284bin28_to_felem(felem out, const u8 in[28])
285 out[0] = *((const uint64_t *)(in)) & 0x00ffffffffffffff; 285{
286 out[1] = (*((const uint64_t *)(in+7))) & 0x00ffffffffffffff; 286 out[0] = *((const uint64_t *) (in)) & 0x00ffffffffffffff;
287 out[2] = (*((const uint64_t *)(in+14))) & 0x00ffffffffffffff; 287 out[1] = (*((const uint64_t *) (in + 7))) & 0x00ffffffffffffff;
288 out[3] = (*((const uint64_t *)(in+21))) & 0x00ffffffffffffff; 288 out[2] = (*((const uint64_t *) (in + 14))) & 0x00ffffffffffffff;
289 } 289 out[3] = (*((const uint64_t *) (in + 21))) & 0x00ffffffffffffff;
290}
290 291
291static void felem_to_bin28(u8 out[28], const felem in) 292static void
292 { 293felem_to_bin28(u8 out[28], const felem in)
294{
293 unsigned i; 295 unsigned i;
294 for (i = 0; i < 7; ++i) 296 for (i = 0; i < 7; ++i) {
295 { 297 out[i] = in[0] >> (8 * i);
296 out[i] = in[0]>>(8*i); 298 out[i + 7] = in[1] >> (8 * i);
297 out[i+7] = in[1]>>(8*i); 299 out[i + 14] = in[2] >> (8 * i);
298 out[i+14] = in[2]>>(8*i); 300 out[i + 21] = in[3] >> (8 * i);
299 out[i+21] = in[3]>>(8*i);
300 }
301 } 301 }
302}
302 303
303/* To preserve endianness when using BN_bn2bin and BN_bin2bn */ 304/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
304static void flip_endian(u8 *out, const u8 *in, unsigned len) 305static void
305 { 306flip_endian(u8 * out, const u8 * in, unsigned len)
307{
306 unsigned i; 308 unsigned i;
307 for (i = 0; i < len; ++i) 309 for (i = 0; i < len; ++i)
308 out[i] = in[len-1-i]; 310 out[i] = in[len - 1 - i];
309 } 311}
310 312
311/* From OpenSSL BIGNUM to internal representation */ 313/* From OpenSSL BIGNUM to internal representation */
312static int BN_to_felem(felem out, const BIGNUM *bn) 314static int
313 { 315BN_to_felem(felem out, const BIGNUM * bn)
316{
314 felem_bytearray b_in; 317 felem_bytearray b_in;
315 felem_bytearray b_out; 318 felem_bytearray b_out;
316 unsigned num_bytes; 319 unsigned num_bytes;
@@ -318,30 +321,29 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
318 /* BN_bn2bin eats leading zeroes */ 321 /* BN_bn2bin eats leading zeroes */
319 memset(b_out, 0, sizeof b_out); 322 memset(b_out, 0, sizeof b_out);
320 num_bytes = BN_num_bytes(bn); 323 num_bytes = BN_num_bytes(bn);
321 if (num_bytes > sizeof b_out) 324 if (num_bytes > sizeof b_out) {
322 {
323 ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); 325 ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
324 return 0; 326 return 0;
325 } 327 }
326 if (BN_is_negative(bn)) 328 if (BN_is_negative(bn)) {
327 {
328 ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); 329 ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
329 return 0; 330 return 0;
330 } 331 }
331 num_bytes = BN_bn2bin(bn, b_in); 332 num_bytes = BN_bn2bin(bn, b_in);
332 flip_endian(b_out, b_in, num_bytes); 333 flip_endian(b_out, b_in, num_bytes);
333 bin28_to_felem(out, b_out); 334 bin28_to_felem(out, b_out);
334 return 1; 335 return 1;
335 } 336}
336 337
337/* From internal representation to OpenSSL BIGNUM */ 338/* From internal representation to OpenSSL BIGNUM */
338static BIGNUM *felem_to_BN(BIGNUM *out, const felem in) 339static BIGNUM *
339 { 340felem_to_BN(BIGNUM * out, const felem in)
341{
340 felem_bytearray b_in, b_out; 342 felem_bytearray b_in, b_out;
341 felem_to_bin28(b_in, in); 343 felem_to_bin28(b_in, in);
342 flip_endian(b_out, b_in, sizeof b_out); 344 flip_endian(b_out, b_in, sizeof b_out);
343 return BN_bin2bn(b_out, sizeof b_out, out); 345 return BN_bin2bn(b_out, sizeof b_out, out);
344 } 346}
345 347
346/******************************************************************************/ 348/******************************************************************************/
347/* FIELD OPERATIONS 349/* FIELD OPERATIONS
@@ -353,55 +355,60 @@ static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
353 * 355 *
354 */ 356 */
355 357
356static void felem_one(felem out) 358static void
357 { 359felem_one(felem out)
360{
358 out[0] = 1; 361 out[0] = 1;
359 out[1] = 0; 362 out[1] = 0;
360 out[2] = 0; 363 out[2] = 0;
361 out[3] = 0; 364 out[3] = 0;
362 } 365}
363 366
364static void felem_assign(felem out, const felem in) 367static void
365 { 368felem_assign(felem out, const felem in)
369{
366 out[0] = in[0]; 370 out[0] = in[0];
367 out[1] = in[1]; 371 out[1] = in[1];
368 out[2] = in[2]; 372 out[2] = in[2];
369 out[3] = in[3]; 373 out[3] = in[3];
370 } 374}
371 375
372/* Sum two field elements: out += in */ 376/* Sum two field elements: out += in */
373static void felem_sum(felem out, const felem in) 377static void
374 { 378felem_sum(felem out, const felem in)
379{
375 out[0] += in[0]; 380 out[0] += in[0];
376 out[1] += in[1]; 381 out[1] += in[1];
377 out[2] += in[2]; 382 out[2] += in[2];
378 out[3] += in[3]; 383 out[3] += in[3];
379 } 384}
380 385
381/* Get negative value: out = -in */ 386/* Get negative value: out = -in */
382/* Assumes in[i] < 2^57 */ 387/* Assumes in[i] < 2^57 */
383static void felem_neg(felem out, const felem in) 388static void
384 { 389felem_neg(felem out, const felem in)
390{
385 static const limb two58p2 = (((limb) 1) << 58) + (((limb) 1) << 2); 391 static const limb two58p2 = (((limb) 1) << 58) + (((limb) 1) << 2);
386 static const limb two58m2 = (((limb) 1) << 58) - (((limb) 1) << 2); 392 static const limb two58m2 = (((limb) 1) << 58) - (((limb) 1) << 2);
387 static const limb two58m42m2 = (((limb) 1) << 58) - 393 static const limb two58m42m2 = (((limb) 1) << 58) -
388 (((limb) 1) << 42) - (((limb) 1) << 2); 394 (((limb) 1) << 42) - (((limb) 1) << 2);
389 395
390 /* Set to 0 mod 2^224-2^96+1 to ensure out > in */ 396 /* Set to 0 mod 2^224-2^96+1 to ensure out > in */
391 out[0] = two58p2 - in[0]; 397 out[0] = two58p2 - in[0];
392 out[1] = two58m42m2 - in[1]; 398 out[1] = two58m42m2 - in[1];
393 out[2] = two58m2 - in[2]; 399 out[2] = two58m2 - in[2];
394 out[3] = two58m2 - in[3]; 400 out[3] = two58m2 - in[3];
395 } 401}
396 402
397/* Subtract field elements: out -= in */ 403/* Subtract field elements: out -= in */
398/* Assumes in[i] < 2^57 */ 404/* Assumes in[i] < 2^57 */
399static void felem_diff(felem out, const felem in) 405static void
400 { 406felem_diff(felem out, const felem in)
407{
401 static const limb two58p2 = (((limb) 1) << 58) + (((limb) 1) << 2); 408 static const limb two58p2 = (((limb) 1) << 58) + (((limb) 1) << 2);
402 static const limb two58m2 = (((limb) 1) << 58) - (((limb) 1) << 2); 409 static const limb two58m2 = (((limb) 1) << 58) - (((limb) 1) << 2);
403 static const limb two58m42m2 = (((limb) 1) << 58) - 410 static const limb two58m42m2 = (((limb) 1) << 58) -
404 (((limb) 1) << 42) - (((limb) 1) << 2); 411 (((limb) 1) << 42) - (((limb) 1) << 2);
405 412
406 /* Add 0 mod 2^224-2^96+1 to ensure out > in */ 413 /* Add 0 mod 2^224-2^96+1 to ensure out > in */
407 out[0] += two58p2; 414 out[0] += two58p2;
@@ -413,17 +420,18 @@ static void felem_diff(felem out, const felem in)
413 out[1] -= in[1]; 420 out[1] -= in[1];
414 out[2] -= in[2]; 421 out[2] -= in[2];
415 out[3] -= in[3]; 422 out[3] -= in[3];
416 } 423}
417 424
418/* Subtract in unreduced 128-bit mode: out -= in */ 425/* Subtract in unreduced 128-bit mode: out -= in */
419/* Assumes in[i] < 2^119 */ 426/* Assumes in[i] < 2^119 */
420static void widefelem_diff(widefelem out, const widefelem in) 427static void
421 { 428widefelem_diff(widefelem out, const widefelem in)
429{
422 static const widelimb two120 = ((widelimb) 1) << 120; 430 static const widelimb two120 = ((widelimb) 1) << 120;
423 static const widelimb two120m64 = (((widelimb) 1) << 120) - 431 static const widelimb two120m64 = (((widelimb) 1) << 120) -
424 (((widelimb) 1) << 64); 432 (((widelimb) 1) << 64);
425 static const widelimb two120m104m64 = (((widelimb) 1) << 120) - 433 static const widelimb two120m104m64 = (((widelimb) 1) << 120) -
426 (((widelimb) 1) << 104) - (((widelimb) 1) << 64); 434 (((widelimb) 1) << 104) - (((widelimb) 1) << 64);
427 435
428 /* Add 0 mod 2^224-2^96+1 to ensure out > in */ 436 /* Add 0 mod 2^224-2^96+1 to ensure out > in */
429 out[0] += two120; 437 out[0] += two120;
@@ -441,18 +449,19 @@ static void widefelem_diff(widefelem out, const widefelem in)
441 out[4] -= in[4]; 449 out[4] -= in[4];
442 out[5] -= in[5]; 450 out[5] -= in[5];
443 out[6] -= in[6]; 451 out[6] -= in[6];
444 } 452}
445 453
446/* Subtract in mixed mode: out128 -= in64 */ 454/* Subtract in mixed mode: out128 -= in64 */
447/* in[i] < 2^63 */ 455/* in[i] < 2^63 */
448static void felem_diff_128_64(widefelem out, const felem in) 456static void
449 { 457felem_diff_128_64(widefelem out, const felem in)
458{
450 static const widelimb two64p8 = (((widelimb) 1) << 64) + 459 static const widelimb two64p8 = (((widelimb) 1) << 64) +
451 (((widelimb) 1) << 8); 460 (((widelimb) 1) << 8);
452 static const widelimb two64m8 = (((widelimb) 1) << 64) - 461 static const widelimb two64m8 = (((widelimb) 1) << 64) -
453 (((widelimb) 1) << 8); 462 (((widelimb) 1) << 8);
454 static const widelimb two64m48m8 = (((widelimb) 1) << 64) - 463 static const widelimb two64m48m8 = (((widelimb) 1) << 64) -
455 (((widelimb) 1) << 48) - (((widelimb) 1) << 8); 464 (((widelimb) 1) << 48) - (((widelimb) 1) << 8);
456 465
457 /* Add 0 mod 2^224-2^96+1 to ensure out > in */ 466 /* Add 0 mod 2^224-2^96+1 to ensure out > in */
458 out[0] += two64p8; 467 out[0] += two64p8;
@@ -464,22 +473,24 @@ static void felem_diff_128_64(widefelem out, const felem in)
464 out[1] -= in[1]; 473 out[1] -= in[1];
465 out[2] -= in[2]; 474 out[2] -= in[2];
466 out[3] -= in[3]; 475 out[3] -= in[3];
467 } 476}
468 477
469/* Multiply a field element by a scalar: out = out * scalar 478/* Multiply a field element by a scalar: out = out * scalar
470 * The scalars we actually use are small, so results fit without overflow */ 479 * The scalars we actually use are small, so results fit without overflow */
471static void felem_scalar(felem out, const limb scalar) 480static void
472 { 481felem_scalar(felem out, const limb scalar)
482{
473 out[0] *= scalar; 483 out[0] *= scalar;
474 out[1] *= scalar; 484 out[1] *= scalar;
475 out[2] *= scalar; 485 out[2] *= scalar;
476 out[3] *= scalar; 486 out[3] *= scalar;
477 } 487}
478 488
479/* Multiply an unreduced field element by a scalar: out = out * scalar 489/* Multiply an unreduced field element by a scalar: out = out * scalar
480 * The scalars we actually use are small, so results fit without overflow */ 490 * The scalars we actually use are small, so results fit without overflow */
481static void widefelem_scalar(widefelem out, const widelimb scalar) 491static void
482 { 492widefelem_scalar(widefelem out, const widelimb scalar)
493{
483 out[0] *= scalar; 494 out[0] *= scalar;
484 out[1] *= scalar; 495 out[1] *= scalar;
485 out[2] *= scalar; 496 out[2] *= scalar;
@@ -487,49 +498,54 @@ static void widefelem_scalar(widefelem out, const widelimb scalar)
487 out[4] *= scalar; 498 out[4] *= scalar;
488 out[5] *= scalar; 499 out[5] *= scalar;
489 out[6] *= scalar; 500 out[6] *= scalar;
490 } 501}
491 502
492/* Square a field element: out = in^2 */ 503/* Square a field element: out = in^2 */
493static void felem_square(widefelem out, const felem in) 504static void
494 { 505felem_square(widefelem out, const felem in)
506{
495 limb tmp0, tmp1, tmp2; 507 limb tmp0, tmp1, tmp2;
496 tmp0 = 2 * in[0]; tmp1 = 2 * in[1]; tmp2 = 2 * in[2]; 508 tmp0 = 2 * in[0];
509 tmp1 = 2 * in[1];
510 tmp2 = 2 * in[2];
497 out[0] = ((widelimb) in[0]) * in[0]; 511 out[0] = ((widelimb) in[0]) * in[0];
498 out[1] = ((widelimb) in[0]) * tmp1; 512 out[1] = ((widelimb) in[0]) * tmp1;
499 out[2] = ((widelimb) in[0]) * tmp2 + ((widelimb) in[1]) * in[1]; 513 out[2] = ((widelimb) in[0]) * tmp2 + ((widelimb) in[1]) * in[1];
500 out[3] = ((widelimb) in[3]) * tmp0 + 514 out[3] = ((widelimb) in[3]) * tmp0 +
501 ((widelimb) in[1]) * tmp2; 515 ((widelimb) in[1]) * tmp2;
502 out[4] = ((widelimb) in[3]) * tmp1 + ((widelimb) in[2]) * in[2]; 516 out[4] = ((widelimb) in[3]) * tmp1 + ((widelimb) in[2]) * in[2];
503 out[5] = ((widelimb) in[3]) * tmp2; 517 out[5] = ((widelimb) in[3]) * tmp2;
504 out[6] = ((widelimb) in[3]) * in[3]; 518 out[6] = ((widelimb) in[3]) * in[3];
505 } 519}
506 520
507/* Multiply two field elements: out = in1 * in2 */ 521/* Multiply two field elements: out = in1 * in2 */
508static void felem_mul(widefelem out, const felem in1, const felem in2) 522static void
509 { 523felem_mul(widefelem out, const felem in1, const felem in2)
524{
510 out[0] = ((widelimb) in1[0]) * in2[0]; 525 out[0] = ((widelimb) in1[0]) * in2[0];
511 out[1] = ((widelimb) in1[0]) * in2[1] + ((widelimb) in1[1]) * in2[0]; 526 out[1] = ((widelimb) in1[0]) * in2[1] + ((widelimb) in1[1]) * in2[0];
512 out[2] = ((widelimb) in1[0]) * in2[2] + ((widelimb) in1[1]) * in2[1] + 527 out[2] = ((widelimb) in1[0]) * in2[2] + ((widelimb) in1[1]) * in2[1] +
513 ((widelimb) in1[2]) * in2[0]; 528 ((widelimb) in1[2]) * in2[0];
514 out[3] = ((widelimb) in1[0]) * in2[3] + ((widelimb) in1[1]) * in2[2] + 529 out[3] = ((widelimb) in1[0]) * in2[3] + ((widelimb) in1[1]) * in2[2] +
515 ((widelimb) in1[2]) * in2[1] + ((widelimb) in1[3]) * in2[0]; 530 ((widelimb) in1[2]) * in2[1] + ((widelimb) in1[3]) * in2[0];
516 out[4] = ((widelimb) in1[1]) * in2[3] + ((widelimb) in1[2]) * in2[2] + 531 out[4] = ((widelimb) in1[1]) * in2[3] + ((widelimb) in1[2]) * in2[2] +
517 ((widelimb) in1[3]) * in2[1]; 532 ((widelimb) in1[3]) * in2[1];
518 out[5] = ((widelimb) in1[2]) * in2[3] + ((widelimb) in1[3]) * in2[2]; 533 out[5] = ((widelimb) in1[2]) * in2[3] + ((widelimb) in1[3]) * in2[2];
519 out[6] = ((widelimb) in1[3]) * in2[3]; 534 out[6] = ((widelimb) in1[3]) * in2[3];
520 } 535}
521 536
522/* Reduce seven 128-bit coefficients to four 64-bit coefficients. 537/* Reduce seven 128-bit coefficients to four 64-bit coefficients.
523 * Requires in[i] < 2^126, 538 * Requires in[i] < 2^126,
524 * ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16 */ 539 * ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16 */
525static void felem_reduce(felem out, const widefelem in) 540static void
526 { 541felem_reduce(felem out, const widefelem in)
542{
527 static const widelimb two127p15 = (((widelimb) 1) << 127) + 543 static const widelimb two127p15 = (((widelimb) 1) << 127) +
528 (((widelimb) 1) << 15); 544 (((widelimb) 1) << 15);
529 static const widelimb two127m71 = (((widelimb) 1) << 127) - 545 static const widelimb two127m71 = (((widelimb) 1) << 127) -
530 (((widelimb) 1) << 71); 546 (((widelimb) 1) << 71);
531 static const widelimb two127m71m55 = (((widelimb) 1) << 127) - 547 static const widelimb two127m71m55 = (((widelimb) 1) << 127) -
532 (((widelimb) 1) << 71) - (((widelimb) 1) << 55); 548 (((widelimb) 1) << 71) - (((widelimb) 1) << 55);
533 widelimb output[5]; 549 widelimb output[5];
534 550
535 /* Add 0 mod 2^224-2^96+1 to ensure all differences are positive */ 551 /* Add 0 mod 2^224-2^96+1 to ensure all differences are positive */
@@ -578,30 +594,34 @@ static void felem_reduce(felem out, const widefelem in)
578 /* output[3] <= 2^56 + 2^16 */ 594 /* output[3] <= 2^56 + 2^16 */
579 out[2] = output[2] & 0x00ffffffffffffff; 595 out[2] = output[2] & 0x00ffffffffffffff;
580 596
581 /* out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, 597 /*
582 * out[3] <= 2^56 + 2^16 (due to final carry), 598 * out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16
583 * so out < 2*p */ 599 * (due to final carry), so out < 2*p
600 */
584 out[3] = output[3]; 601 out[3] = output[3];
585 } 602}
586 603
587static void felem_square_reduce(felem out, const felem in) 604static void
588 { 605felem_square_reduce(felem out, const felem in)
606{
589 widefelem tmp; 607 widefelem tmp;
590 felem_square(tmp, in); 608 felem_square(tmp, in);
591 felem_reduce(out, tmp); 609 felem_reduce(out, tmp);
592 } 610}
593 611
594static void felem_mul_reduce(felem out, const felem in1, const felem in2) 612static void
595 { 613felem_mul_reduce(felem out, const felem in1, const felem in2)
614{
596 widefelem tmp; 615 widefelem tmp;
597 felem_mul(tmp, in1, in2); 616 felem_mul(tmp, in1, in2);
598 felem_reduce(out, tmp); 617 felem_reduce(out, tmp);
599 } 618}
600 619
601/* Reduce to unique minimal representation. 620/* Reduce to unique minimal representation.
602 * Requires 0 <= in < 2*p (always call felem_reduce first) */ 621 * Requires 0 <= in < 2*p (always call felem_reduce first) */
603static void felem_contract(felem out, const felem in) 622static void
604 { 623felem_contract(felem out, const felem in)
624{
605 static const int64_t two56 = ((limb) 1) << 56; 625 static const int64_t two56 = ((limb) 1) << 56;
606 /* 0 <= in < 2*p, p = 2^224 - 2^96 + 1 */ 626 /* 0 <= in < 2*p, p = 2^224 - 2^96 + 1 */
607 /* if in > p , reduce in = in - 2^224 + 2^96 - 1 */ 627 /* if in > p , reduce in = in - 2^224 + 2^96 - 1 */
@@ -615,21 +635,25 @@ static void felem_contract(felem out, const felem in)
615 tmp[0] -= a; 635 tmp[0] -= a;
616 tmp[1] += a << 40; 636 tmp[1] += a << 40;
617 tmp[3] &= 0x00ffffffffffffff; 637 tmp[3] &= 0x00ffffffffffffff;
618 /* Case 2: a = 0 iff p <= in < 2^224, i.e., 638 /*
619 * the high 128 bits are all 1 and the lower part is non-zero */ 639 * Case 2: a = 0 iff p <= in < 2^224, i.e., the high 128 bits are all
640 * 1 and the lower part is non-zero
641 */
620 a = ((in[3] & in[2] & (in[1] | 0x000000ffffffffff)) + 1) | 642 a = ((in[3] & in[2] & (in[1] | 0x000000ffffffffff)) + 1) |
621 (((int64_t)(in[0] + (in[1] & 0x000000ffffffffff)) - 1) >> 63); 643 (((int64_t) (in[0] + (in[1] & 0x000000ffffffffff)) - 1) >> 63);
622 a &= 0x00ffffffffffffff; 644 a &= 0x00ffffffffffffff;
623 /* turn a into an all-one mask (if a = 0) or an all-zero mask */ 645 /* turn a into an all-one mask (if a = 0) or an all-zero mask */
624 a = (a - 1) >> 63; 646 a = (a - 1) >> 63;
625 /* subtract 2^224 - 2^96 + 1 if a is all-one*/ 647 /* subtract 2^224 - 2^96 + 1 if a is all-one */
626 tmp[3] &= a ^ 0xffffffffffffffff; 648 tmp[3] &= a ^ 0xffffffffffffffff;
627 tmp[2] &= a ^ 0xffffffffffffffff; 649 tmp[2] &= a ^ 0xffffffffffffffff;
628 tmp[1] &= (a ^ 0xffffffffffffffff) | 0x000000ffffffffff; 650 tmp[1] &= (a ^ 0xffffffffffffffff) | 0x000000ffffffffff;
629 tmp[0] -= 1 & a; 651 tmp[0] -= 1 & a;
630 652
631 /* eliminate negative coefficients: if tmp[0] is negative, tmp[1] must 653 /*
632 * be non-zero, so we only need one step */ 654 * eliminate negative coefficients: if tmp[0] is negative, tmp[1]
655 * must be non-zero, so we only need one step
656 */
633 a = tmp[0] >> 63; 657 a = tmp[0] >> 63;
634 tmp[0] += two56 & a; 658 tmp[0] += two56 & a;
635 tmp[1] -= 1 & a; 659 tmp[1] -= 1 & a;
@@ -646,107 +670,131 @@ static void felem_contract(felem out, const felem in)
646 out[1] = tmp[1]; 670 out[1] = tmp[1];
647 out[2] = tmp[2]; 671 out[2] = tmp[2];
648 out[3] = tmp[3]; 672 out[3] = tmp[3];
649 } 673}
650 674
651/* Zero-check: returns 1 if input is 0, and 0 otherwise. 675/* Zero-check: returns 1 if input is 0, and 0 otherwise.
652 * We know that field elements are reduced to in < 2^225, 676 * We know that field elements are reduced to in < 2^225,
653 * so we only need to check three cases: 0, 2^224 - 2^96 + 1, 677 * so we only need to check three cases: 0, 2^224 - 2^96 + 1,
654 * and 2^225 - 2^97 + 2 */ 678 * and 2^225 - 2^97 + 2 */
655static limb felem_is_zero(const felem in) 679static limb
656 { 680felem_is_zero(const felem in)
681{
657 limb zero, two224m96p1, two225m97p2; 682 limb zero, two224m96p1, two225m97p2;
658 683
659 zero = in[0] | in[1] | in[2] | in[3]; 684 zero = in[0] | in[1] | in[2] | in[3];
660 zero = (((int64_t)(zero) - 1) >> 63) & 1; 685 zero = (((int64_t) (zero) - 1) >> 63) & 1;
661 two224m96p1 = (in[0] ^ 1) | (in[1] ^ 0x00ffff0000000000) 686 two224m96p1 = (in[0] ^ 1) | (in[1] ^ 0x00ffff0000000000)
662 | (in[2] ^ 0x00ffffffffffffff) | (in[3] ^ 0x00ffffffffffffff); 687 | (in[2] ^ 0x00ffffffffffffff) | (in[3] ^ 0x00ffffffffffffff);
663 two224m96p1 = (((int64_t)(two224m96p1) - 1) >> 63) & 1; 688 two224m96p1 = (((int64_t) (two224m96p1) - 1) >> 63) & 1;
664 two225m97p2 = (in[0] ^ 2) | (in[1] ^ 0x00fffe0000000000) 689 two225m97p2 = (in[0] ^ 2) | (in[1] ^ 0x00fffe0000000000)
665 | (in[2] ^ 0x00ffffffffffffff) | (in[3] ^ 0x01ffffffffffffff); 690 | (in[2] ^ 0x00ffffffffffffff) | (in[3] ^ 0x01ffffffffffffff);
666 two225m97p2 = (((int64_t)(two225m97p2) - 1) >> 63) & 1; 691 two225m97p2 = (((int64_t) (two225m97p2) - 1) >> 63) & 1;
667 return (zero | two224m96p1 | two225m97p2); 692 return (zero | two224m96p1 | two225m97p2);
668 } 693}
669 694
670static limb felem_is_zero_int(const felem in) 695static limb
671 { 696felem_is_zero_int(const felem in)
672 return (int) (felem_is_zero(in) & ((limb)1)); 697{
673 } 698 return (int) (felem_is_zero(in) & ((limb) 1));
699}
674 700
675/* Invert a field element */ 701/* Invert a field element */
676/* Computation chain copied from djb's code */ 702/* Computation chain copied from djb's code */
677static void felem_inv(felem out, const felem in) 703static void
678 { 704felem_inv(felem out, const felem in)
705{
679 felem ftmp, ftmp2, ftmp3, ftmp4; 706 felem ftmp, ftmp2, ftmp3, ftmp4;
680 widefelem tmp; 707 widefelem tmp;
681 unsigned i; 708 unsigned i;
682 709
683 felem_square(tmp, in); felem_reduce(ftmp, tmp); /* 2 */ 710 felem_square(tmp, in);
684 felem_mul(tmp, in, ftmp); felem_reduce(ftmp, tmp); /* 2^2 - 1 */ 711 felem_reduce(ftmp, tmp);/* 2 */
685 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); /* 2^3 - 2 */ 712 felem_mul(tmp, in, ftmp);
686 felem_mul(tmp, in, ftmp); felem_reduce(ftmp, tmp); /* 2^3 - 1 */ 713 felem_reduce(ftmp, tmp);/* 2^2 - 1 */
687 felem_square(tmp, ftmp); felem_reduce(ftmp2, tmp); /* 2^4 - 2 */ 714 felem_square(tmp, ftmp);
688 felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp); /* 2^5 - 4 */ 715 felem_reduce(ftmp, tmp);/* 2^3 - 2 */
689 felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp); /* 2^6 - 8 */ 716 felem_mul(tmp, in, ftmp);
690 felem_mul(tmp, ftmp2, ftmp); felem_reduce(ftmp, tmp); /* 2^6 - 1 */ 717 felem_reduce(ftmp, tmp);/* 2^3 - 1 */
691 felem_square(tmp, ftmp); felem_reduce(ftmp2, tmp); /* 2^7 - 2 */ 718 felem_square(tmp, ftmp);
692 for (i = 0; i < 5; ++i) /* 2^12 - 2^6 */ 719 felem_reduce(ftmp2, tmp); /* 2^4 - 2 */
693 { 720 felem_square(tmp, ftmp2);
694 felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp); 721 felem_reduce(ftmp2, tmp); /* 2^5 - 4 */
695 } 722 felem_square(tmp, ftmp2);
696 felem_mul(tmp, ftmp2, ftmp); felem_reduce(ftmp2, tmp); /* 2^12 - 1 */ 723 felem_reduce(ftmp2, tmp); /* 2^6 - 8 */
697 felem_square(tmp, ftmp2); felem_reduce(ftmp3, tmp); /* 2^13 - 2 */ 724 felem_mul(tmp, ftmp2, ftmp);
698 for (i = 0; i < 11; ++i) /* 2^24 - 2^12 */ 725 felem_reduce(ftmp, tmp);/* 2^6 - 1 */
699 { 726 felem_square(tmp, ftmp);
700 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); 727 felem_reduce(ftmp2, tmp); /* 2^7 - 2 */
701 } 728 for (i = 0; i < 5; ++i) { /* 2^12 - 2^6 */
702 felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp2, tmp); /* 2^24 - 1 */ 729 felem_square(tmp, ftmp2);
703 felem_square(tmp, ftmp2); felem_reduce(ftmp3, tmp); /* 2^25 - 2 */ 730 felem_reduce(ftmp2, tmp);
704 for (i = 0; i < 23; ++i) /* 2^48 - 2^24 */ 731 }
705 { 732 felem_mul(tmp, ftmp2, ftmp);
706 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); 733 felem_reduce(ftmp2, tmp); /* 2^12 - 1 */
707 } 734 felem_square(tmp, ftmp2);
708 felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^48 - 1 */ 735 felem_reduce(ftmp3, tmp); /* 2^13 - 2 */
709 felem_square(tmp, ftmp3); felem_reduce(ftmp4, tmp); /* 2^49 - 2 */ 736 for (i = 0; i < 11; ++i) { /* 2^24 - 2^12 */
710 for (i = 0; i < 47; ++i) /* 2^96 - 2^48 */ 737 felem_square(tmp, ftmp3);
711 { 738 felem_reduce(ftmp3, tmp);
712 felem_square(tmp, ftmp4); felem_reduce(ftmp4, tmp); 739 }
713 } 740 felem_mul(tmp, ftmp3, ftmp2);
714 felem_mul(tmp, ftmp3, ftmp4); felem_reduce(ftmp3, tmp); /* 2^96 - 1 */ 741 felem_reduce(ftmp2, tmp); /* 2^24 - 1 */
715 felem_square(tmp, ftmp3); felem_reduce(ftmp4, tmp); /* 2^97 - 2 */ 742 felem_square(tmp, ftmp2);
716 for (i = 0; i < 23; ++i) /* 2^120 - 2^24 */ 743 felem_reduce(ftmp3, tmp); /* 2^25 - 2 */
717 { 744 for (i = 0; i < 23; ++i) { /* 2^48 - 2^24 */
718 felem_square(tmp, ftmp4); felem_reduce(ftmp4, tmp); 745 felem_square(tmp, ftmp3);
719 } 746 felem_reduce(ftmp3, tmp);
720 felem_mul(tmp, ftmp2, ftmp4); felem_reduce(ftmp2, tmp); /* 2^120 - 1 */ 747 }
721 for (i = 0; i < 6; ++i) /* 2^126 - 2^6 */ 748 felem_mul(tmp, ftmp3, ftmp2);
722 { 749 felem_reduce(ftmp3, tmp); /* 2^48 - 1 */
723 felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp); 750 felem_square(tmp, ftmp3);
724 } 751 felem_reduce(ftmp4, tmp); /* 2^49 - 2 */
725 felem_mul(tmp, ftmp2, ftmp); felem_reduce(ftmp, tmp); /* 2^126 - 1 */ 752 for (i = 0; i < 47; ++i) { /* 2^96 - 2^48 */
726 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); /* 2^127 - 2 */ 753 felem_square(tmp, ftmp4);
727 felem_mul(tmp, ftmp, in); felem_reduce(ftmp, tmp); /* 2^127 - 1 */ 754 felem_reduce(ftmp4, tmp);
728 for (i = 0; i < 97; ++i) /* 2^224 - 2^97 */ 755 }
729 { 756 felem_mul(tmp, ftmp3, ftmp4);
730 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); 757 felem_reduce(ftmp3, tmp); /* 2^96 - 1 */
731 } 758 felem_square(tmp, ftmp3);
732 felem_mul(tmp, ftmp, ftmp3); felem_reduce(out, tmp); /* 2^224 - 2^96 - 1 */ 759 felem_reduce(ftmp4, tmp); /* 2^97 - 2 */
760 for (i = 0; i < 23; ++i) { /* 2^120 - 2^24 */
761 felem_square(tmp, ftmp4);
762 felem_reduce(ftmp4, tmp);
763 }
764 felem_mul(tmp, ftmp2, ftmp4);
765 felem_reduce(ftmp2, tmp); /* 2^120 - 1 */
766 for (i = 0; i < 6; ++i) { /* 2^126 - 2^6 */
767 felem_square(tmp, ftmp2);
768 felem_reduce(ftmp2, tmp);
769 }
770 felem_mul(tmp, ftmp2, ftmp);
771 felem_reduce(ftmp, tmp);/* 2^126 - 1 */
772 felem_square(tmp, ftmp);
773 felem_reduce(ftmp, tmp);/* 2^127 - 2 */
774 felem_mul(tmp, ftmp, in);
775 felem_reduce(ftmp, tmp);/* 2^127 - 1 */
776 for (i = 0; i < 97; ++i) { /* 2^224 - 2^97 */
777 felem_square(tmp, ftmp);
778 felem_reduce(ftmp, tmp);
733 } 779 }
780 felem_mul(tmp, ftmp, ftmp3);
781 felem_reduce(out, tmp); /* 2^224 - 2^96 - 1 */
782}
734 783
735/* Copy in constant time: 784/* Copy in constant time:
736 * if icopy == 1, copy in to out, 785 * if icopy == 1, copy in to out,
737 * if icopy == 0, copy out to itself. */ 786 * if icopy == 0, copy out to itself. */
738static void 787static void
739copy_conditional(felem out, const felem in, limb icopy) 788copy_conditional(felem out, const felem in, limb icopy)
740 { 789{
741 unsigned i; 790 unsigned i;
742 /* icopy is a (64-bit) 0 or 1, so copy is either all-zero or all-one */ 791 /* icopy is a (64-bit) 0 or 1, so copy is either all-zero or all-one */
743 const limb copy = -icopy; 792 const limb copy = -icopy;
744 for (i = 0; i < 4; ++i) 793 for (i = 0; i < 4; ++i) {
745 {
746 const limb tmp = copy & (in[i] ^ out[i]); 794 const limb tmp = copy & (in[i] ^ out[i]);
747 out[i] ^= tmp; 795 out[i] ^= tmp;
748 }
749 } 796 }
797}
750 798
751/******************************************************************************/ 799/******************************************************************************/
752/* ELLIPTIC CURVE POINT OPERATIONS 800/* ELLIPTIC CURVE POINT OPERATIONS
@@ -766,8 +814,8 @@ copy_conditional(felem out, const felem in, limb icopy)
766 * while x_out == y_in is not (maybe this works, but it's not tested). */ 814 * while x_out == y_in is not (maybe this works, but it's not tested). */
767static void 815static void
768point_double(felem x_out, felem y_out, felem z_out, 816point_double(felem x_out, felem y_out, felem z_out,
769 const felem x_in, const felem y_in, const felem z_in) 817 const felem x_in, const felem y_in, const felem z_in)
770 { 818{
771 widefelem tmp, tmp2; 819 widefelem tmp, tmp2;
772 felem delta, gamma, beta, alpha, ftmp, ftmp2; 820 felem delta, gamma, beta, alpha, ftmp, ftmp2;
773 821
@@ -833,7 +881,7 @@ point_double(felem x_out, felem y_out, felem z_out,
833 widefelem_diff(tmp, tmp2); 881 widefelem_diff(tmp, tmp2);
834 /* tmp[i] < 2^119 + 2^120 < 2^121 */ 882 /* tmp[i] < 2^119 + 2^120 < 2^121 */
835 felem_reduce(y_out, tmp); 883 felem_reduce(y_out, tmp);
836 } 884}
837 885
838/* Add two elliptic curve points: 886/* Add two elliptic curve points:
839 * (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) = (X_3, Y_3, Z_3), where 887 * (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) = (X_3, Y_3, Z_3), where
@@ -851,16 +899,16 @@ point_double(felem x_out, felem y_out, felem z_out,
851 * (while not equal to the point at infinity). 899 * (while not equal to the point at infinity).
852 * This case never happens during single point multiplication, 900 * This case never happens during single point multiplication,
853 * so there is no timing leak for ECDH or ECDSA signing. */ 901 * so there is no timing leak for ECDH or ECDSA signing. */
854static void point_add(felem x3, felem y3, felem z3, 902static void
855 const felem x1, const felem y1, const felem z1, 903point_add(felem x3, felem y3, felem z3,
856 const int mixed, const felem x2, const felem y2, const felem z2) 904 const felem x1, const felem y1, const felem z1,
857 { 905 const int mixed, const felem x2, const felem y2, const felem z2)
906{
858 felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, x_out, y_out, z_out; 907 felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, x_out, y_out, z_out;
859 widefelem tmp, tmp2; 908 widefelem tmp, tmp2;
860 limb z1_is_zero, z2_is_zero, x_equal, y_equal; 909 limb z1_is_zero, z2_is_zero, x_equal, y_equal;
861 910
862 if (!mixed) 911 if (!mixed) {
863 {
864 /* ftmp2 = z2^2 */ 912 /* ftmp2 = z2^2 */
865 felem_square(tmp, z2); 913 felem_square(tmp, z2);
866 felem_reduce(ftmp2, tmp); 914 felem_reduce(ftmp2, tmp);
@@ -876,9 +924,7 @@ static void point_add(felem x3, felem y3, felem z3,
876 /* ftmp2 = z2^2*x1 */ 924 /* ftmp2 = z2^2*x1 */
877 felem_mul(tmp2, ftmp2, x1); 925 felem_mul(tmp2, ftmp2, x1);
878 felem_reduce(ftmp2, tmp2); 926 felem_reduce(ftmp2, tmp2);
879 } 927 } else {
880 else
881 {
882 /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */ 928 /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */
883 929
884 /* ftmp4 = z2^3*y1 */ 930 /* ftmp4 = z2^3*y1 */
@@ -886,7 +932,7 @@ static void point_add(felem x3, felem y3, felem z3,
886 932
887 /* ftmp2 = z2^2*x1 */ 933 /* ftmp2 = z2^2*x1 */
888 felem_assign(ftmp2, x1); 934 felem_assign(ftmp2, x1);
889 } 935 }
890 936
891 /* ftmp = z1^2 */ 937 /* ftmp = z1^2 */
892 felem_square(tmp, z1); 938 felem_square(tmp, z1);
@@ -914,30 +960,27 @@ static void point_add(felem x3, felem y3, felem z3,
914 /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */ 960 /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
915 felem_reduce(ftmp, tmp); 961 felem_reduce(ftmp, tmp);
916 962
917 /* the formulae are incorrect if the points are equal 963 /*
918 * so we check for this and do doubling if this happens */ 964 * the formulae are incorrect if the points are equal so we check for
965 * this and do doubling if this happens
966 */
919 x_equal = felem_is_zero(ftmp); 967 x_equal = felem_is_zero(ftmp);
920 y_equal = felem_is_zero(ftmp3); 968 y_equal = felem_is_zero(ftmp3);
921 z1_is_zero = felem_is_zero(z1); 969 z1_is_zero = felem_is_zero(z1);
922 z2_is_zero = felem_is_zero(z2); 970 z2_is_zero = felem_is_zero(z2);
923 /* In affine coordinates, (X_1, Y_1) == (X_2, Y_2) */ 971 /* In affine coordinates, (X_1, Y_1) == (X_2, Y_2) */
924 if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) 972 if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) {
925 {
926 point_double(x3, y3, z3, x1, y1, z1); 973 point_double(x3, y3, z3, x1, y1, z1);
927 return; 974 return;
928 } 975 }
929
930 /* ftmp5 = z1*z2 */ 976 /* ftmp5 = z1*z2 */
931 if (!mixed) 977 if (!mixed) {
932 {
933 felem_mul(tmp, z1, z2); 978 felem_mul(tmp, z1, z2);
934 felem_reduce(ftmp5, tmp); 979 felem_reduce(ftmp5, tmp);
935 } 980 } else {
936 else
937 {
938 /* special case z2 = 0 is handled later */ 981 /* special case z2 = 0 is handled later */
939 felem_assign(ftmp5, z1); 982 felem_assign(ftmp5, z1);
940 } 983 }
941 984
942 /* z_out = (z1^2*x2 - z2^2*x1)*(z1*z2) */ 985 /* z_out = (z1^2*x2 - z2^2*x1)*(z1*z2) */
943 felem_mul(tmp, ftmp, ftmp5); 986 felem_mul(tmp, ftmp, ftmp5);
@@ -973,8 +1016,10 @@ static void point_add(felem x3, felem y3, felem z3,
973 felem_scalar(ftmp5, 2); 1016 felem_scalar(ftmp5, 2);
974 /* ftmp5[i] < 2 * 2^57 = 2^58 */ 1017 /* ftmp5[i] < 2 * 2^57 = 2^58 */
975 1018
976 /* x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 - 1019 /*
977 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */ 1020 * x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
1021 * 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2
1022 */
978 felem_diff_128_64(tmp2, ftmp5); 1023 felem_diff_128_64(tmp2, ftmp5);
979 /* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */ 1024 /* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */
980 felem_reduce(x_out, tmp2); 1025 felem_reduce(x_out, tmp2);
@@ -987,14 +1032,18 @@ static void point_add(felem x3, felem y3, felem z3,
987 felem_mul(tmp2, ftmp3, ftmp2); 1032 felem_mul(tmp2, ftmp3, ftmp2);
988 /* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */ 1033 /* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */
989 1034
990 /* y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) - 1035 /*
991 z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */ 1036 * y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 -
1037 * x_out) - z2^3*y1*(z1^2*x2 - z2^2*x1)^3
1038 */
992 widefelem_diff(tmp2, tmp); 1039 widefelem_diff(tmp2, tmp);
993 /* tmp2[i] < 2^118 + 2^120 < 2^121 */ 1040 /* tmp2[i] < 2^118 + 2^120 < 2^121 */
994 felem_reduce(y_out, tmp2); 1041 felem_reduce(y_out, tmp2);
995 1042
996 /* the result (x_out, y_out, z_out) is incorrect if one of the inputs is 1043 /*
997 * the point at infinity, so we need to check for this separately */ 1044 * the result (x_out, y_out, z_out) is incorrect if one of the inputs
1045 * is the point at infinity, so we need to check for this separately
1046 */
998 1047
999 /* if point 1 is at infinity, copy point 2 to output, and vice versa */ 1048 /* if point 1 is at infinity, copy point 2 to output, and vice versa */
1000 copy_conditional(x_out, x2, z1_is_zero); 1049 copy_conditional(x_out, x2, z1_is_zero);
@@ -1006,18 +1055,18 @@ static void point_add(felem x3, felem y3, felem z3,
1006 felem_assign(x3, x_out); 1055 felem_assign(x3, x_out);
1007 felem_assign(y3, y_out); 1056 felem_assign(y3, y_out);
1008 felem_assign(z3, z_out); 1057 felem_assign(z3, z_out);
1009 } 1058}
1010 1059
1011/* select_point selects the |idx|th point from a precomputation table and 1060/* select_point selects the |idx|th point from a precomputation table and
1012 * copies it to out. */ 1061 * copies it to out. */
1013static void select_point(const u64 idx, unsigned int size, const felem pre_comp[/*size*/][3], felem out[3]) 1062static void
1014 { 1063select_point(const u64 idx, unsigned int size, const felem pre_comp[ /* size */ ][3], felem out[3])
1064{
1015 unsigned i, j; 1065 unsigned i, j;
1016 limb *outlimbs = &out[0][0]; 1066 limb *outlimbs = &out[0][0];
1017 memset(outlimbs, 0, 3 * sizeof(felem)); 1067 memset(outlimbs, 0, 3 * sizeof(felem));
1018 1068
1019 for (i = 0; i < size; i++) 1069 for (i = 0; i < size; i++) {
1020 {
1021 const limb *inlimbs = &pre_comp[i][0][0]; 1070 const limb *inlimbs = &pre_comp[i][0][0];
1022 u64 mask = i ^ idx; 1071 u64 mask = i ^ idx;
1023 mask |= mask >> 4; 1072 mask |= mask >> 4;
@@ -1027,26 +1076,28 @@ static void select_point(const u64 idx, unsigned int size, const felem pre_comp[
1027 mask--; 1076 mask--;
1028 for (j = 0; j < 4 * 3; j++) 1077 for (j = 0; j < 4 * 3; j++)
1029 outlimbs[j] |= inlimbs[j] & mask; 1078 outlimbs[j] |= inlimbs[j] & mask;
1030 }
1031 } 1079 }
1080}
1032 1081
1033/* get_bit returns the |i|th bit in |in| */ 1082/* get_bit returns the |i|th bit in |in| */
1034static char get_bit(const felem_bytearray in, unsigned i) 1083static char
1035 { 1084get_bit(const felem_bytearray in, unsigned i)
1085{
1036 if (i >= 224) 1086 if (i >= 224)
1037 return 0; 1087 return 0;
1038 return (in[i >> 3] >> (i & 7)) & 1; 1088 return (in[i >> 3] >> (i & 7)) & 1;
1039 } 1089}
1040 1090
1041/* Interleaved point multiplication using precomputed point multiples: 1091/* Interleaved point multiplication using precomputed point multiples:
1042 * The small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[], 1092 * The small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[],
1043 * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple 1093 * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple
1044 * of the generator, using certain (large) precomputed multiples in g_pre_comp. 1094 * of the generator, using certain (large) precomputed multiples in g_pre_comp.
1045 * Output point (X, Y, Z) is stored in x_out, y_out, z_out */ 1095 * Output point (X, Y, Z) is stored in x_out, y_out, z_out */
1046static void batch_mul(felem x_out, felem y_out, felem z_out, 1096static void
1047 const felem_bytearray scalars[], const unsigned num_points, const u8 *g_scalar, 1097batch_mul(felem x_out, felem y_out, felem z_out,
1048 const int mixed, const felem pre_comp[][17][3], const felem g_pre_comp[2][16][3]) 1098 const felem_bytearray scalars[], const unsigned num_points, const u8 * g_scalar,
1049 { 1099 const int mixed, const felem pre_comp[][17][3], const felem g_pre_comp[2][16][3])
1100{
1050 int i, skip; 1101 int i, skip;
1051 unsigned num; 1102 unsigned num;
1052 unsigned gen_mul = (g_scalar != NULL); 1103 unsigned gen_mul = (g_scalar != NULL);
@@ -1057,20 +1108,20 @@ static void batch_mul(felem x_out, felem y_out, felem z_out,
1057 /* set nq to the point at infinity */ 1108 /* set nq to the point at infinity */
1058 memset(nq, 0, 3 * sizeof(felem)); 1109 memset(nq, 0, 3 * sizeof(felem));
1059 1110
1060 /* Loop over all scalars msb-to-lsb, interleaving additions 1111 /*
1061 * of multiples of the generator (two in each of the last 28 rounds) 1112 * Loop over all scalars msb-to-lsb, interleaving additions of
1062 * and additions of other points multiples (every 5th round). 1113 * multiples of the generator (two in each of the last 28 rounds) and
1114 * additions of other points multiples (every 5th round).
1063 */ 1115 */
1064 skip = 1; /* save two point operations in the first round */ 1116 skip = 1; /* save two point operations in the first
1065 for (i = (num_points ? 220 : 27); i >= 0; --i) 1117 * round */
1066 { 1118 for (i = (num_points ? 220 : 27); i >= 0; --i) {
1067 /* double */ 1119 /* double */
1068 if (!skip) 1120 if (!skip)
1069 point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]); 1121 point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
1070 1122
1071 /* add multiples of the generator */ 1123 /* add multiples of the generator */
1072 if (gen_mul && (i <= 27)) 1124 if (gen_mul && (i <= 27)) {
1073 {
1074 /* first, look 28 bits upwards */ 1125 /* first, look 28 bits upwards */
1075 bits = get_bit(g_scalar, i + 196) << 3; 1126 bits = get_bit(g_scalar, i + 196) << 3;
1076 bits |= get_bit(g_scalar, i + 140) << 2; 1127 bits |= get_bit(g_scalar, i + 140) << 2;
@@ -1079,17 +1130,14 @@ static void batch_mul(felem x_out, felem y_out, felem z_out,
1079 /* select the point to add, in constant time */ 1130 /* select the point to add, in constant time */
1080 select_point(bits, 16, g_pre_comp[1], tmp); 1131 select_point(bits, 16, g_pre_comp[1], tmp);
1081 1132
1082 if (!skip) 1133 if (!skip) {
1083 {
1084 point_add(nq[0], nq[1], nq[2], 1134 point_add(nq[0], nq[1], nq[2],
1085 nq[0], nq[1], nq[2], 1135 nq[0], nq[1], nq[2],
1086 1 /* mixed */, tmp[0], tmp[1], tmp[2]); 1136 1 /* mixed */ , tmp[0], tmp[1], tmp[2]);
1087 } 1137 } else {
1088 else
1089 {
1090 memcpy(nq, tmp, 3 * sizeof(felem)); 1138 memcpy(nq, tmp, 3 * sizeof(felem));
1091 skip = 0; 1139 skip = 0;
1092 } 1140 }
1093 1141
1094 /* second, look at the current position */ 1142 /* second, look at the current position */
1095 bits = get_bit(g_scalar, i + 168) << 3; 1143 bits = get_bit(g_scalar, i + 168) << 3;
@@ -1099,16 +1147,13 @@ static void batch_mul(felem x_out, felem y_out, felem z_out,
1099 /* select the point to add, in constant time */ 1147 /* select the point to add, in constant time */
1100 select_point(bits, 16, g_pre_comp[0], tmp); 1148 select_point(bits, 16, g_pre_comp[0], tmp);
1101 point_add(nq[0], nq[1], nq[2], 1149 point_add(nq[0], nq[1], nq[2],
1102 nq[0], nq[1], nq[2], 1150 nq[0], nq[1], nq[2],
1103 1 /* mixed */, tmp[0], tmp[1], tmp[2]); 1151 1 /* mixed */ , tmp[0], tmp[1], tmp[2]);
1104 } 1152 }
1105
1106 /* do other additions every 5 doublings */ 1153 /* do other additions every 5 doublings */
1107 if (num_points && (i % 5 == 0)) 1154 if (num_points && (i % 5 == 0)) {
1108 {
1109 /* loop over all scalars */ 1155 /* loop over all scalars */
1110 for (num = 0; num < num_points; ++num) 1156 for (num = 0; num < num_points; ++num) {
1111 {
1112 bits = get_bit(scalars[num], i + 4) << 5; 1157 bits = get_bit(scalars[num], i + 4) << 5;
1113 bits |= get_bit(scalars[num], i + 3) << 4; 1158 bits |= get_bit(scalars[num], i + 3) << 4;
1114 bits |= get_bit(scalars[num], i + 2) << 3; 1159 bits |= get_bit(scalars[num], i + 2) << 3;
@@ -1119,58 +1164,58 @@ static void batch_mul(felem x_out, felem y_out, felem z_out,
1119 1164
1120 /* select the point to add or subtract */ 1165 /* select the point to add or subtract */
1121 select_point(digit, 17, pre_comp[num], tmp); 1166 select_point(digit, 17, pre_comp[num], tmp);
1122 felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative point */ 1167 felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the
1168 * negative point */
1123 copy_conditional(tmp[1], tmp[3], sign); 1169 copy_conditional(tmp[1], tmp[3], sign);
1124 1170
1125 if (!skip) 1171 if (!skip) {
1126 {
1127 point_add(nq[0], nq[1], nq[2], 1172 point_add(nq[0], nq[1], nq[2],
1128 nq[0], nq[1], nq[2], 1173 nq[0], nq[1], nq[2],
1129 mixed, tmp[0], tmp[1], tmp[2]); 1174 mixed, tmp[0], tmp[1], tmp[2]);
1130 } 1175 } else {
1131 else
1132 {
1133 memcpy(nq, tmp, 3 * sizeof(felem)); 1176 memcpy(nq, tmp, 3 * sizeof(felem));
1134 skip = 0; 1177 skip = 0;
1135 }
1136 } 1178 }
1137 } 1179 }
1138 } 1180 }
1181 }
1139 felem_assign(x_out, nq[0]); 1182 felem_assign(x_out, nq[0]);
1140 felem_assign(y_out, nq[1]); 1183 felem_assign(y_out, nq[1]);
1141 felem_assign(z_out, nq[2]); 1184 felem_assign(z_out, nq[2]);
1142 } 1185}
1143 1186
1144/******************************************************************************/ 1187/******************************************************************************/
1145/* FUNCTIONS TO MANAGE PRECOMPUTATION 1188/* FUNCTIONS TO MANAGE PRECOMPUTATION
1146 */ 1189 */
1147 1190
1148static NISTP224_PRE_COMP *nistp224_pre_comp_new() 1191static NISTP224_PRE_COMP *
1149 { 1192nistp224_pre_comp_new()
1193{
1150 NISTP224_PRE_COMP *ret = NULL; 1194 NISTP224_PRE_COMP *ret = NULL;
1151 ret = (NISTP224_PRE_COMP *) malloc(sizeof *ret); 1195 ret = (NISTP224_PRE_COMP *) malloc(sizeof *ret);
1152 if (!ret) 1196 if (!ret) {
1153 {
1154 ECerr(EC_F_NISTP224_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); 1197 ECerr(EC_F_NISTP224_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
1155 return ret; 1198 return ret;
1156 } 1199 }
1157 memset(ret->g_pre_comp, 0, sizeof(ret->g_pre_comp)); 1200 memset(ret->g_pre_comp, 0, sizeof(ret->g_pre_comp));
1158 ret->references = 1; 1201 ret->references = 1;
1159 return ret; 1202 return ret;
1160 } 1203}
1161 1204
1162static void *nistp224_pre_comp_dup(void *src_) 1205static void *
1163 { 1206nistp224_pre_comp_dup(void *src_)
1207{
1164 NISTP224_PRE_COMP *src = src_; 1208 NISTP224_PRE_COMP *src = src_;
1165 1209
1166 /* no need to actually copy, these objects never change! */ 1210 /* no need to actually copy, these objects never change! */
1167 CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP); 1211 CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP);
1168 1212
1169 return src_; 1213 return src_;
1170 } 1214}
1171 1215
1172static void nistp224_pre_comp_free(void *pre_) 1216static void
1173 { 1217nistp224_pre_comp_free(void *pre_)
1218{
1174 int i; 1219 int i;
1175 NISTP224_PRE_COMP *pre = pre_; 1220 NISTP224_PRE_COMP *pre = pre_;
1176 1221
@@ -1182,10 +1227,11 @@ static void nistp224_pre_comp_free(void *pre_)
1182 return; 1227 return;
1183 1228
1184 free(pre); 1229 free(pre);
1185 } 1230}
1186 1231
1187static void nistp224_pre_comp_clear_free(void *pre_) 1232static void
1188 { 1233nistp224_pre_comp_clear_free(void *pre_)
1234{
1189 int i; 1235 int i;
1190 NISTP224_PRE_COMP *pre = pre_; 1236 NISTP224_PRE_COMP *pre = pre_;
1191 1237
@@ -1198,43 +1244,46 @@ static void nistp224_pre_comp_clear_free(void *pre_)
1198 1244
1199 OPENSSL_cleanse(pre, sizeof *pre); 1245 OPENSSL_cleanse(pre, sizeof *pre);
1200 free(pre); 1246 free(pre);
1201 } 1247}
1202 1248
1203/******************************************************************************/ 1249/******************************************************************************/
1204/* OPENSSL EC_METHOD FUNCTIONS 1250/* OPENSSL EC_METHOD FUNCTIONS
1205 */ 1251 */
1206 1252
1207int ec_GFp_nistp224_group_init(EC_GROUP *group) 1253int
1208 { 1254ec_GFp_nistp224_group_init(EC_GROUP * group)
1255{
1209 int ret; 1256 int ret;
1210 ret = ec_GFp_simple_group_init(group); 1257 ret = ec_GFp_simple_group_init(group);
1211 group->a_is_minus3 = 1; 1258 group->a_is_minus3 = 1;
1212 return ret; 1259 return ret;
1213 } 1260}
1214 1261
1215int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, 1262int
1216 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 1263ec_GFp_nistp224_group_set_curve(EC_GROUP * group, const BIGNUM * p,
1217 { 1264 const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx)
1265{
1218 int ret = 0; 1266 int ret = 0;
1219 BN_CTX *new_ctx = NULL; 1267 BN_CTX *new_ctx = NULL;
1220 BIGNUM *curve_p, *curve_a, *curve_b; 1268 BIGNUM *curve_p, *curve_a, *curve_b;
1221 1269
1222 if (ctx == NULL) 1270 if (ctx == NULL)
1223 if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0; 1271 if ((ctx = new_ctx = BN_CTX_new()) == NULL)
1272 return 0;
1224 BN_CTX_start(ctx); 1273 BN_CTX_start(ctx);
1225 if (((curve_p = BN_CTX_get(ctx)) == NULL) || 1274 if (((curve_p = BN_CTX_get(ctx)) == NULL) ||
1226 ((curve_a = BN_CTX_get(ctx)) == NULL) || 1275 ((curve_a = BN_CTX_get(ctx)) == NULL) ||
1227 ((curve_b = BN_CTX_get(ctx)) == NULL)) goto err; 1276 ((curve_b = BN_CTX_get(ctx)) == NULL))
1277 goto err;
1228 BN_bin2bn(nistp224_curve_params[0], sizeof(felem_bytearray), curve_p); 1278 BN_bin2bn(nistp224_curve_params[0], sizeof(felem_bytearray), curve_p);
1229 BN_bin2bn(nistp224_curve_params[1], sizeof(felem_bytearray), curve_a); 1279 BN_bin2bn(nistp224_curve_params[1], sizeof(felem_bytearray), curve_a);
1230 BN_bin2bn(nistp224_curve_params[2], sizeof(felem_bytearray), curve_b); 1280 BN_bin2bn(nistp224_curve_params[2], sizeof(felem_bytearray), curve_b);
1231 if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) || 1281 if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) ||
1232 (BN_cmp(curve_b, b))) 1282 (BN_cmp(curve_b, b))) {
1233 {
1234 ECerr(EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE, 1283 ECerr(EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE,
1235 EC_R_WRONG_CURVE_PARAMETERS); 1284 EC_R_WRONG_CURVE_PARAMETERS);
1236 goto err; 1285 goto err;
1237 } 1286 }
1238 group->field_mod_func = BN_nist_mod_224; 1287 group->field_mod_func = BN_nist_mod_224;
1239 ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); 1288 ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
1240err: 1289err:
@@ -1242,74 +1291,81 @@ err:
1242 if (new_ctx != NULL) 1291 if (new_ctx != NULL)
1243 BN_CTX_free(new_ctx); 1292 BN_CTX_free(new_ctx);
1244 return ret; 1293 return ret;
1245 } 1294}
1246 1295
1247/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns 1296/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns
1248 * (X', Y') = (X/Z^2, Y/Z^3) */ 1297 * (X', Y') = (X/Z^2, Y/Z^3) */
1249int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, 1298int
1250 const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx) 1299ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP * group,
1251 { 1300 const EC_POINT * point, BIGNUM * x, BIGNUM * y, BN_CTX * ctx)
1301{
1252 felem z1, z2, x_in, y_in, x_out, y_out; 1302 felem z1, z2, x_in, y_in, x_out, y_out;
1253 widefelem tmp; 1303 widefelem tmp;
1254 1304
1255 if (EC_POINT_is_at_infinity(group, point)) 1305 if (EC_POINT_is_at_infinity(group, point)) {
1256 {
1257 ECerr(EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES, 1306 ECerr(EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES,
1258 EC_R_POINT_AT_INFINITY); 1307 EC_R_POINT_AT_INFINITY);
1259 return 0; 1308 return 0;
1260 } 1309 }
1261 if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) || 1310 if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) ||
1262 (!BN_to_felem(z1, &point->Z))) return 0; 1311 (!BN_to_felem(z1, &point->Z)))
1312 return 0;
1263 felem_inv(z2, z1); 1313 felem_inv(z2, z1);
1264 felem_square(tmp, z2); felem_reduce(z1, tmp); 1314 felem_square(tmp, z2);
1265 felem_mul(tmp, x_in, z1); felem_reduce(x_in, tmp); 1315 felem_reduce(z1, tmp);
1316 felem_mul(tmp, x_in, z1);
1317 felem_reduce(x_in, tmp);
1266 felem_contract(x_out, x_in); 1318 felem_contract(x_out, x_in);
1267 if (x != NULL) 1319 if (x != NULL) {
1268 {
1269 if (!felem_to_BN(x, x_out)) { 1320 if (!felem_to_BN(x, x_out)) {
1270 ECerr(EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES, 1321 ECerr(EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES,
1271 ERR_R_BN_LIB); 1322 ERR_R_BN_LIB);
1272 return 0; 1323 return 0;
1273 }
1274 } 1324 }
1275 felem_mul(tmp, z1, z2); felem_reduce(z1, tmp); 1325 }
1276 felem_mul(tmp, y_in, z1); felem_reduce(y_in, tmp); 1326 felem_mul(tmp, z1, z2);
1327 felem_reduce(z1, tmp);
1328 felem_mul(tmp, y_in, z1);
1329 felem_reduce(y_in, tmp);
1277 felem_contract(y_out, y_in); 1330 felem_contract(y_out, y_in);
1278 if (y != NULL) 1331 if (y != NULL) {
1279 {
1280 if (!felem_to_BN(y, y_out)) { 1332 if (!felem_to_BN(y, y_out)) {
1281 ECerr(EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES, 1333 ECerr(EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES,
1282 ERR_R_BN_LIB); 1334 ERR_R_BN_LIB);
1283 return 0; 1335 return 0;
1284 }
1285 } 1336 }
1286 return 1;
1287 } 1337 }
1338 return 1;
1339}
1288 1340
1289static void make_points_affine(size_t num, felem points[/*num*/][3], felem tmp_felems[/*num+1*/]) 1341static void
1290 { 1342make_points_affine(size_t num, felem points[ /* num */ ][3], felem tmp_felems[ /* num+1 */ ])
1291 /* Runs in constant time, unless an input is the point at infinity 1343{
1292 * (which normally shouldn't happen). */ 1344 /*
1345 * Runs in constant time, unless an input is the point at infinity
1346 * (which normally shouldn't happen).
1347 */
1293 ec_GFp_nistp_points_make_affine_internal( 1348 ec_GFp_nistp_points_make_affine_internal(
1294 num, 1349 num,
1295 points, 1350 points,
1296 sizeof(felem), 1351 sizeof(felem),
1297 tmp_felems, 1352 tmp_felems,
1298 (void (*)(void *)) felem_one, 1353 (void (*) (void *)) felem_one,
1299 (int (*)(const void *)) felem_is_zero_int, 1354 (int (*) (const void *)) felem_is_zero_int,
1300 (void (*)(void *, const void *)) felem_assign, 1355 (void (*) (void *, const void *)) felem_assign,
1301 (void (*)(void *, const void *)) felem_square_reduce, 1356 (void (*) (void *, const void *)) felem_square_reduce,
1302 (void (*)(void *, const void *, const void *)) felem_mul_reduce, 1357 (void (*) (void *, const void *, const void *)) felem_mul_reduce,
1303 (void (*)(void *, const void *)) felem_inv, 1358 (void (*) (void *, const void *)) felem_inv,
1304 (void (*)(void *, const void *)) felem_contract); 1359 (void (*) (void *, const void *)) felem_contract);
1305 } 1360}
1306 1361
1307/* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values 1362/* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values
1308 * Result is stored in r (r can equal one of the inputs). */ 1363 * Result is stored in r (r can equal one of the inputs). */
1309int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, 1364int
1310 const BIGNUM *scalar, size_t num, const EC_POINT *points[], 1365ec_GFp_nistp224_points_mul(const EC_GROUP * group, EC_POINT * r,
1311 const BIGNUM *scalars[], BN_CTX *ctx) 1366 const BIGNUM * scalar, size_t num, const EC_POINT * points[],
1312 { 1367 const BIGNUM * scalars[], BN_CTX * ctx)
1368{
1313 int ret = 0; 1369 int ret = 0;
1314 int j; 1370 int j;
1315 unsigned i; 1371 unsigned i;
@@ -1318,7 +1374,7 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
1318 BIGNUM *x, *y, *z, *tmp_scalar; 1374 BIGNUM *x, *y, *z, *tmp_scalar;
1319 felem_bytearray g_secret; 1375 felem_bytearray g_secret;
1320 felem_bytearray *secrets = NULL; 1376 felem_bytearray *secrets = NULL;
1321 felem (*pre_comp)[17][3] = NULL; 1377 felem(*pre_comp)[17][3] = NULL;
1322 felem *tmp_felems = NULL; 1378 felem *tmp_felems = NULL;
1323 felem_bytearray tmp; 1379 felem_bytearray tmp;
1324 unsigned num_bytes; 1380 unsigned num_bytes;
@@ -1326,28 +1382,28 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
1326 size_t num_points = num; 1382 size_t num_points = num;
1327 felem x_in, y_in, z_in, x_out, y_out, z_out; 1383 felem x_in, y_in, z_in, x_out, y_out, z_out;
1328 NISTP224_PRE_COMP *pre = NULL; 1384 NISTP224_PRE_COMP *pre = NULL;
1329 const felem (*g_pre_comp)[16][3] = NULL; 1385 const felem(*g_pre_comp)[16][3] = NULL;
1330 EC_POINT *generator = NULL; 1386 EC_POINT *generator = NULL;
1331 const EC_POINT *p = NULL; 1387 const EC_POINT *p = NULL;
1332 const BIGNUM *p_scalar = NULL; 1388 const BIGNUM *p_scalar = NULL;
1333 1389
1334 if (ctx == NULL) 1390 if (ctx == NULL)
1335 if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0; 1391 if ((ctx = new_ctx = BN_CTX_new()) == NULL)
1392 return 0;
1336 BN_CTX_start(ctx); 1393 BN_CTX_start(ctx);
1337 if (((x = BN_CTX_get(ctx)) == NULL) || 1394 if (((x = BN_CTX_get(ctx)) == NULL) ||
1338 ((y = BN_CTX_get(ctx)) == NULL) || 1395 ((y = BN_CTX_get(ctx)) == NULL) ||
1339 ((z = BN_CTX_get(ctx)) == NULL) || 1396 ((z = BN_CTX_get(ctx)) == NULL) ||
1340 ((tmp_scalar = BN_CTX_get(ctx)) == NULL)) 1397 ((tmp_scalar = BN_CTX_get(ctx)) == NULL))
1341 goto err; 1398 goto err;
1342 1399
1343 if (scalar != NULL) 1400 if (scalar != NULL) {
1344 {
1345 pre = EC_EX_DATA_get_data(group->extra_data, 1401 pre = EC_EX_DATA_get_data(group->extra_data,
1346 nistp224_pre_comp_dup, nistp224_pre_comp_free, 1402 nistp224_pre_comp_dup, nistp224_pre_comp_free,
1347 nistp224_pre_comp_clear_free); 1403 nistp224_pre_comp_clear_free);
1348 if (pre) 1404 if (pre)
1349 /* we have precomputation, try to use it */ 1405 /* we have precomputation, try to use it */
1350 g_pre_comp = (const felem (*)[16][3]) pre->g_pre_comp; 1406 g_pre_comp = (const felem(*)[16][3]) pre->g_pre_comp;
1351 else 1407 else
1352 /* try to use the standard precomputation */ 1408 /* try to use the standard precomputation */
1353 g_pre_comp = &gmul[0]; 1409 g_pre_comp = &gmul[0];
@@ -1356,147 +1412,137 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
1356 goto err; 1412 goto err;
1357 /* get the generator from precomputation */ 1413 /* get the generator from precomputation */
1358 if (!felem_to_BN(x, g_pre_comp[0][1][0]) || 1414 if (!felem_to_BN(x, g_pre_comp[0][1][0]) ||
1359 !felem_to_BN(y, g_pre_comp[0][1][1]) || 1415 !felem_to_BN(y, g_pre_comp[0][1][1]) ||
1360 !felem_to_BN(z, g_pre_comp[0][1][2])) 1416 !felem_to_BN(z, g_pre_comp[0][1][2])) {
1361 {
1362 ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB); 1417 ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
1363 goto err; 1418 goto err;
1364 } 1419 }
1365 if (!EC_POINT_set_Jprojective_coordinates_GFp(group, 1420 if (!EC_POINT_set_Jprojective_coordinates_GFp(group,
1366 generator, x, y, z, ctx)) 1421 generator, x, y, z, ctx))
1367 goto err; 1422 goto err;
1368 if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) 1423 if (0 == EC_POINT_cmp(group, generator, group->generator, ctx))
1369 /* precomputation matches generator */ 1424 /* precomputation matches generator */
1370 have_pre_comp = 1; 1425 have_pre_comp = 1;
1371 else 1426 else
1372 /* we don't have valid precomputation: 1427 /*
1373 * treat the generator as a random point */ 1428 * we don't have valid precomputation: treat the
1429 * generator as a random point
1430 */
1374 num_points = num_points + 1; 1431 num_points = num_points + 1;
1375 } 1432 }
1376 1433 if (num_points > 0) {
1377 if (num_points > 0) 1434 if (num_points >= 3) {
1378 { 1435 /*
1379 if (num_points >= 3) 1436 * unless we precompute multiples for just one or two
1380 { 1437 * points, converting those into affine form is time
1381 /* unless we precompute multiples for just one or two points, 1438 * well spent
1382 * converting those into affine form is time well spent */ 1439 */
1383 mixed = 1; 1440 mixed = 1;
1384 } 1441 }
1385 secrets = malloc(num_points * sizeof(felem_bytearray)); 1442 secrets = malloc(num_points * sizeof(felem_bytearray));
1386 pre_comp = malloc(num_points * 17 * 3 * sizeof(felem)); 1443 pre_comp = malloc(num_points * 17 * 3 * sizeof(felem));
1387 if (mixed) 1444 if (mixed)
1388 tmp_felems = malloc((num_points * 17 + 1) * sizeof(felem)); 1445 tmp_felems = malloc((num_points * 17 + 1) * sizeof(felem));
1389 if ((secrets == NULL) || (pre_comp == NULL) || (mixed && (tmp_felems == NULL))) 1446 if ((secrets == NULL) || (pre_comp == NULL) || (mixed && (tmp_felems == NULL))) {
1390 {
1391 ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_MALLOC_FAILURE); 1447 ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_MALLOC_FAILURE);
1392 goto err; 1448 goto err;
1393 } 1449 }
1394 1450 /*
1395 /* we treat NULL scalars as 0, and NULL points as points at infinity, 1451 * we treat NULL scalars as 0, and NULL points as points at
1396 * i.e., they contribute nothing to the linear combination */ 1452 * infinity, i.e., they contribute nothing to the linear
1453 * combination
1454 */
1397 memset(secrets, 0, num_points * sizeof(felem_bytearray)); 1455 memset(secrets, 0, num_points * sizeof(felem_bytearray));
1398 memset(pre_comp, 0, num_points * 17 * 3 * sizeof(felem)); 1456 memset(pre_comp, 0, num_points * 17 * 3 * sizeof(felem));
1399 for (i = 0; i < num_points; ++i) 1457 for (i = 0; i < num_points; ++i) {
1400 {
1401 if (i == num) 1458 if (i == num)
1402 /* the generator */ 1459 /* the generator */
1403 { 1460 {
1404 p = EC_GROUP_get0_generator(group); 1461 p = EC_GROUP_get0_generator(group);
1405 p_scalar = scalar; 1462 p_scalar = scalar;
1406 } 1463 } else
1407 else
1408 /* the i^th point */ 1464 /* the i^th point */
1409 { 1465 {
1410 p = points[i]; 1466 p = points[i];
1411 p_scalar = scalars[i]; 1467 p_scalar = scalars[i];
1412 } 1468 }
1413 if ((p_scalar != NULL) && (p != NULL)) 1469 if ((p_scalar != NULL) && (p != NULL)) {
1414 {
1415 /* reduce scalar to 0 <= scalar < 2^224 */ 1470 /* reduce scalar to 0 <= scalar < 2^224 */
1416 if ((BN_num_bits(p_scalar) > 224) || (BN_is_negative(p_scalar))) 1471 if ((BN_num_bits(p_scalar) > 224) || (BN_is_negative(p_scalar))) {
1417 { 1472 /*
1418 /* this is an unusual input, and we don't guarantee 1473 * this is an unusual input, and we
1419 * constant-timeness */ 1474 * don't guarantee constant-timeness
1420 if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) 1475 */
1421 { 1476 if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) {
1422 ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB); 1477 ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
1423 goto err; 1478 goto err;
1424 }
1425 num_bytes = BN_bn2bin(tmp_scalar, tmp);
1426 } 1479 }
1427 else 1480 num_bytes = BN_bn2bin(tmp_scalar, tmp);
1481 } else
1428 num_bytes = BN_bn2bin(p_scalar, tmp); 1482 num_bytes = BN_bn2bin(p_scalar, tmp);
1429 flip_endian(secrets[i], tmp, num_bytes); 1483 flip_endian(secrets[i], tmp, num_bytes);
1430 /* precompute multiples */ 1484 /* precompute multiples */
1431 if ((!BN_to_felem(x_out, &p->X)) || 1485 if ((!BN_to_felem(x_out, &p->X)) ||
1432 (!BN_to_felem(y_out, &p->Y)) || 1486 (!BN_to_felem(y_out, &p->Y)) ||
1433 (!BN_to_felem(z_out, &p->Z))) goto err; 1487 (!BN_to_felem(z_out, &p->Z)))
1488 goto err;
1434 felem_assign(pre_comp[i][1][0], x_out); 1489 felem_assign(pre_comp[i][1][0], x_out);
1435 felem_assign(pre_comp[i][1][1], y_out); 1490 felem_assign(pre_comp[i][1][1], y_out);
1436 felem_assign(pre_comp[i][1][2], z_out); 1491 felem_assign(pre_comp[i][1][2], z_out);
1437 for (j = 2; j <= 16; ++j) 1492 for (j = 2; j <= 16; ++j) {
1438 { 1493 if (j & 1) {
1439 if (j & 1)
1440 {
1441 point_add( 1494 point_add(
1442 pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2], 1495 pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
1443 pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2], 1496 pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2],
1444 0, pre_comp[i][j-1][0], pre_comp[i][j-1][1], pre_comp[i][j-1][2]); 1497 0, pre_comp[i][j - 1][0], pre_comp[i][j - 1][1], pre_comp[i][j - 1][2]);
1445 } 1498 } else {
1446 else
1447 {
1448 point_double( 1499 point_double(
1449 pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2], 1500 pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
1450 pre_comp[i][j/2][0], pre_comp[i][j/2][1], pre_comp[i][j/2][2]); 1501 pre_comp[i][j / 2][0], pre_comp[i][j / 2][1], pre_comp[i][j / 2][2]);
1451 }
1452 } 1502 }
1453 } 1503 }
1454 } 1504 }
1505 }
1455 if (mixed) 1506 if (mixed)
1456 make_points_affine(num_points * 17, pre_comp[0], tmp_felems); 1507 make_points_affine(num_points * 17, pre_comp[0], tmp_felems);
1457 } 1508 }
1458
1459 /* the scalar for the generator */ 1509 /* the scalar for the generator */
1460 if ((scalar != NULL) && (have_pre_comp)) 1510 if ((scalar != NULL) && (have_pre_comp)) {
1461 {
1462 memset(g_secret, 0, sizeof g_secret); 1511 memset(g_secret, 0, sizeof g_secret);
1463 /* reduce scalar to 0 <= scalar < 2^224 */ 1512 /* reduce scalar to 0 <= scalar < 2^224 */
1464 if ((BN_num_bits(scalar) > 224) || (BN_is_negative(scalar))) 1513 if ((BN_num_bits(scalar) > 224) || (BN_is_negative(scalar))) {
1465 { 1514 /*
1466 /* this is an unusual input, and we don't guarantee 1515 * this is an unusual input, and we don't guarantee
1467 * constant-timeness */ 1516 * constant-timeness
1468 if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) 1517 */
1469 { 1518 if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) {
1470 ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB); 1519 ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
1471 goto err; 1520 goto err;
1472 }
1473 num_bytes = BN_bn2bin(tmp_scalar, tmp);
1474 } 1521 }
1475 else 1522 num_bytes = BN_bn2bin(tmp_scalar, tmp);
1523 } else
1476 num_bytes = BN_bn2bin(scalar, tmp); 1524 num_bytes = BN_bn2bin(scalar, tmp);
1477 flip_endian(g_secret, tmp, num_bytes); 1525 flip_endian(g_secret, tmp, num_bytes);
1478 /* do the multiplication with generator precomputation*/ 1526 /* do the multiplication with generator precomputation */
1479 batch_mul(x_out, y_out, z_out, 1527 batch_mul(x_out, y_out, z_out,
1480 (const felem_bytearray (*)) secrets, num_points, 1528 (const felem_bytearray(*)) secrets, num_points,
1481 g_secret, 1529 g_secret,
1482 mixed, (const felem (*)[17][3]) pre_comp, 1530 mixed, (const felem(*)[17][3]) pre_comp,
1483 g_pre_comp); 1531 g_pre_comp);
1484 } 1532 } else
1485 else
1486 /* do the multiplication without generator precomputation */ 1533 /* do the multiplication without generator precomputation */
1487 batch_mul(x_out, y_out, z_out, 1534 batch_mul(x_out, y_out, z_out,
1488 (const felem_bytearray (*)) secrets, num_points, 1535 (const felem_bytearray(*)) secrets, num_points,
1489 NULL, mixed, (const felem (*)[17][3]) pre_comp, NULL); 1536 NULL, mixed, (const felem(*)[17][3]) pre_comp, NULL);
1490 /* reduce the output to its unique minimal representation */ 1537 /* reduce the output to its unique minimal representation */
1491 felem_contract(x_in, x_out); 1538 felem_contract(x_in, x_out);
1492 felem_contract(y_in, y_out); 1539 felem_contract(y_in, y_out);
1493 felem_contract(z_in, z_out); 1540 felem_contract(z_in, z_out);
1494 if ((!felem_to_BN(x, x_in)) || (!felem_to_BN(y, y_in)) || 1541 if ((!felem_to_BN(x, x_in)) || (!felem_to_BN(y, y_in)) ||
1495 (!felem_to_BN(z, z_in))) 1542 (!felem_to_BN(z, z_in))) {
1496 {
1497 ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB); 1543 ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
1498 goto err; 1544 goto err;
1499 } 1545 }
1500 ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx); 1546 ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
1501 1547
1502err: 1548err:
@@ -1512,10 +1558,11 @@ err:
1512 if (tmp_felems != NULL) 1558 if (tmp_felems != NULL)
1513 free(tmp_felems); 1559 free(tmp_felems);
1514 return ret; 1560 return ret;
1515 } 1561}
1516 1562
1517int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx) 1563int
1518 { 1564ec_GFp_nistp224_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
1565{
1519 int ret = 0; 1566 int ret = 0;
1520 NISTP224_PRE_COMP *pre = NULL; 1567 NISTP224_PRE_COMP *pre = NULL;
1521 int i, j; 1568 int i, j;
@@ -1526,113 +1573,113 @@ int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
1526 1573
1527 /* throw away old precomputation */ 1574 /* throw away old precomputation */
1528 EC_EX_DATA_free_data(&group->extra_data, nistp224_pre_comp_dup, 1575 EC_EX_DATA_free_data(&group->extra_data, nistp224_pre_comp_dup,
1529 nistp224_pre_comp_free, nistp224_pre_comp_clear_free); 1576 nistp224_pre_comp_free, nistp224_pre_comp_clear_free);
1530 if (ctx == NULL) 1577 if (ctx == NULL)
1531 if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0; 1578 if ((ctx = new_ctx = BN_CTX_new()) == NULL)
1579 return 0;
1532 BN_CTX_start(ctx); 1580 BN_CTX_start(ctx);
1533 if (((x = BN_CTX_get(ctx)) == NULL) || 1581 if (((x = BN_CTX_get(ctx)) == NULL) ||
1534 ((y = BN_CTX_get(ctx)) == NULL)) 1582 ((y = BN_CTX_get(ctx)) == NULL))
1535 goto err; 1583 goto err;
1536 /* get the generator */ 1584 /* get the generator */
1537 if (group->generator == NULL) goto err; 1585 if (group->generator == NULL)
1586 goto err;
1538 generator = EC_POINT_new(group); 1587 generator = EC_POINT_new(group);
1539 if (generator == NULL) 1588 if (generator == NULL)
1540 goto err; 1589 goto err;
1541 BN_bin2bn(nistp224_curve_params[3], sizeof (felem_bytearray), x); 1590 BN_bin2bn(nistp224_curve_params[3], sizeof(felem_bytearray), x);
1542 BN_bin2bn(nistp224_curve_params[4], sizeof (felem_bytearray), y); 1591 BN_bin2bn(nistp224_curve_params[4], sizeof(felem_bytearray), y);
1543 if (!EC_POINT_set_affine_coordinates_GFp(group, generator, x, y, ctx)) 1592 if (!EC_POINT_set_affine_coordinates_GFp(group, generator, x, y, ctx))
1544 goto err; 1593 goto err;
1545 if ((pre = nistp224_pre_comp_new()) == NULL) 1594 if ((pre = nistp224_pre_comp_new()) == NULL)
1546 goto err; 1595 goto err;
1547 /* if the generator is the standard one, use built-in precomputation */ 1596 /* if the generator is the standard one, use built-in precomputation */
1548 if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) 1597 if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) {
1549 {
1550 memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp)); 1598 memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp));
1551 ret = 1; 1599 ret = 1;
1552 goto err; 1600 goto err;
1553 } 1601 }
1554 if ((!BN_to_felem(pre->g_pre_comp[0][1][0], &group->generator->X)) || 1602 if ((!BN_to_felem(pre->g_pre_comp[0][1][0], &group->generator->X)) ||
1555 (!BN_to_felem(pre->g_pre_comp[0][1][1], &group->generator->Y)) || 1603 (!BN_to_felem(pre->g_pre_comp[0][1][1], &group->generator->Y)) ||
1556 (!BN_to_felem(pre->g_pre_comp[0][1][2], &group->generator->Z))) 1604 (!BN_to_felem(pre->g_pre_comp[0][1][2], &group->generator->Z)))
1557 goto err; 1605 goto err;
1558 /* compute 2^56*G, 2^112*G, 2^168*G for the first table, 1606 /*
1559 * 2^28*G, 2^84*G, 2^140*G, 2^196*G for the second one 1607 * compute 2^56*G, 2^112*G, 2^168*G for the first table, 2^28*G,
1608 * 2^84*G, 2^140*G, 2^196*G for the second one
1560 */ 1609 */
1561 for (i = 1; i <= 8; i <<= 1) 1610 for (i = 1; i <= 8; i <<= 1) {
1562 {
1563 point_double( 1611 point_double(
1564 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2], 1612 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2],
1565 pre->g_pre_comp[0][i][0], pre->g_pre_comp[0][i][1], pre->g_pre_comp[0][i][2]); 1613 pre->g_pre_comp[0][i][0], pre->g_pre_comp[0][i][1], pre->g_pre_comp[0][i][2]);
1566 for (j = 0; j < 27; ++j) 1614 for (j = 0; j < 27; ++j) {
1567 {
1568 point_double( 1615 point_double(
1569 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2], 1616 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2],
1570 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]); 1617 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]);
1571 } 1618 }
1572 if (i == 8) 1619 if (i == 8)
1573 break; 1620 break;
1574 point_double( 1621 point_double(
1575 pre->g_pre_comp[0][2*i][0], pre->g_pre_comp[0][2*i][1], pre->g_pre_comp[0][2*i][2], 1622 pre->g_pre_comp[0][2 * i][0], pre->g_pre_comp[0][2 * i][1], pre->g_pre_comp[0][2 * i][2],
1576 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]); 1623 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]);
1577 for (j = 0; j < 27; ++j) 1624 for (j = 0; j < 27; ++j) {
1578 {
1579 point_double( 1625 point_double(
1580 pre->g_pre_comp[0][2*i][0], pre->g_pre_comp[0][2*i][1], pre->g_pre_comp[0][2*i][2], 1626 pre->g_pre_comp[0][2 * i][0], pre->g_pre_comp[0][2 * i][1], pre->g_pre_comp[0][2 * i][2],
1581 pre->g_pre_comp[0][2*i][0], pre->g_pre_comp[0][2*i][1], pre->g_pre_comp[0][2*i][2]); 1627 pre->g_pre_comp[0][2 * i][0], pre->g_pre_comp[0][2 * i][1], pre->g_pre_comp[0][2 * i][2]);
1582 }
1583 } 1628 }
1584 for (i = 0; i < 2; i++) 1629 }
1585 { 1630 for (i = 0; i < 2; i++) {
1586 /* g_pre_comp[i][0] is the point at infinity */ 1631 /* g_pre_comp[i][0] is the point at infinity */
1587 memset(pre->g_pre_comp[i][0], 0, sizeof(pre->g_pre_comp[i][0])); 1632 memset(pre->g_pre_comp[i][0], 0, sizeof(pre->g_pre_comp[i][0]));
1588 /* the remaining multiples */ 1633 /* the remaining multiples */
1589 /* 2^56*G + 2^112*G resp. 2^84*G + 2^140*G */ 1634 /* 2^56*G + 2^112*G resp. 2^84*G + 2^140*G */
1590 point_add( 1635 point_add(
1591 pre->g_pre_comp[i][6][0], pre->g_pre_comp[i][6][1], 1636 pre->g_pre_comp[i][6][0], pre->g_pre_comp[i][6][1],
1592 pre->g_pre_comp[i][6][2], pre->g_pre_comp[i][4][0], 1637 pre->g_pre_comp[i][6][2], pre->g_pre_comp[i][4][0],
1593 pre->g_pre_comp[i][4][1], pre->g_pre_comp[i][4][2], 1638 pre->g_pre_comp[i][4][1], pre->g_pre_comp[i][4][2],
1594 0, pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1], 1639 0, pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1],
1595 pre->g_pre_comp[i][2][2]); 1640 pre->g_pre_comp[i][2][2]);
1596 /* 2^56*G + 2^168*G resp. 2^84*G + 2^196*G */ 1641 /* 2^56*G + 2^168*G resp. 2^84*G + 2^196*G */
1597 point_add( 1642 point_add(
1598 pre->g_pre_comp[i][10][0], pre->g_pre_comp[i][10][1], 1643 pre->g_pre_comp[i][10][0], pre->g_pre_comp[i][10][1],
1599 pre->g_pre_comp[i][10][2], pre->g_pre_comp[i][8][0], 1644 pre->g_pre_comp[i][10][2], pre->g_pre_comp[i][8][0],
1600 pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2], 1645 pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2],
1601 0, pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1], 1646 0, pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1],
1602 pre->g_pre_comp[i][2][2]); 1647 pre->g_pre_comp[i][2][2]);
1603 /* 2^112*G + 2^168*G resp. 2^140*G + 2^196*G */ 1648 /* 2^112*G + 2^168*G resp. 2^140*G + 2^196*G */
1604 point_add( 1649 point_add(
1605 pre->g_pre_comp[i][12][0], pre->g_pre_comp[i][12][1], 1650 pre->g_pre_comp[i][12][0], pre->g_pre_comp[i][12][1],
1606 pre->g_pre_comp[i][12][2], pre->g_pre_comp[i][8][0], 1651 pre->g_pre_comp[i][12][2], pre->g_pre_comp[i][8][0],
1607 pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2], 1652 pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2],
1608 0, pre->g_pre_comp[i][4][0], pre->g_pre_comp[i][4][1], 1653 0, pre->g_pre_comp[i][4][0], pre->g_pre_comp[i][4][1],
1609 pre->g_pre_comp[i][4][2]); 1654 pre->g_pre_comp[i][4][2]);
1610 /* 2^56*G + 2^112*G + 2^168*G resp. 2^84*G + 2^140*G + 2^196*G */ 1655 /*
1656 * 2^56*G + 2^112*G + 2^168*G resp. 2^84*G + 2^140*G +
1657 * 2^196*G
1658 */
1611 point_add( 1659 point_add(
1612 pre->g_pre_comp[i][14][0], pre->g_pre_comp[i][14][1], 1660 pre->g_pre_comp[i][14][0], pre->g_pre_comp[i][14][1],
1613 pre->g_pre_comp[i][14][2], pre->g_pre_comp[i][12][0], 1661 pre->g_pre_comp[i][14][2], pre->g_pre_comp[i][12][0],
1614 pre->g_pre_comp[i][12][1], pre->g_pre_comp[i][12][2], 1662 pre->g_pre_comp[i][12][1], pre->g_pre_comp[i][12][2],
1615 0, pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1], 1663 0, pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1],
1616 pre->g_pre_comp[i][2][2]); 1664 pre->g_pre_comp[i][2][2]);
1617 for (j = 1; j < 8; ++j) 1665 for (j = 1; j < 8; ++j) {
1618 {
1619 /* odd multiples: add G resp. 2^28*G */ 1666 /* odd multiples: add G resp. 2^28*G */
1620 point_add( 1667 point_add(
1621 pre->g_pre_comp[i][2*j+1][0], pre->g_pre_comp[i][2*j+1][1], 1668 pre->g_pre_comp[i][2 * j + 1][0], pre->g_pre_comp[i][2 * j + 1][1],
1622 pre->g_pre_comp[i][2*j+1][2], pre->g_pre_comp[i][2*j][0], 1669 pre->g_pre_comp[i][2 * j + 1][2], pre->g_pre_comp[i][2 * j][0],
1623 pre->g_pre_comp[i][2*j][1], pre->g_pre_comp[i][2*j][2], 1670 pre->g_pre_comp[i][2 * j][1], pre->g_pre_comp[i][2 * j][2],
1624 0, pre->g_pre_comp[i][1][0], pre->g_pre_comp[i][1][1], 1671 0, pre->g_pre_comp[i][1][0], pre->g_pre_comp[i][1][1],
1625 pre->g_pre_comp[i][1][2]); 1672 pre->g_pre_comp[i][1][2]);
1626 }
1627 } 1673 }
1674 }
1628 make_points_affine(31, &(pre->g_pre_comp[0][1]), tmp_felems); 1675 make_points_affine(31, &(pre->g_pre_comp[0][1]), tmp_felems);
1629 1676
1630 if (!EC_EX_DATA_set_data(&group->extra_data, pre, nistp224_pre_comp_dup, 1677 if (!EC_EX_DATA_set_data(&group->extra_data, pre, nistp224_pre_comp_dup,
1631 nistp224_pre_comp_free, nistp224_pre_comp_clear_free)) 1678 nistp224_pre_comp_free, nistp224_pre_comp_clear_free))
1632 goto err; 1679 goto err;
1633 ret = 1; 1680 ret = 1;
1634 pre = NULL; 1681 pre = NULL;
1635 err: 1682err:
1636 BN_CTX_end(ctx); 1683 BN_CTX_end(ctx);
1637 if (generator != NULL) 1684 if (generator != NULL)
1638 EC_POINT_free(generator); 1685 EC_POINT_free(generator);
@@ -1641,18 +1688,19 @@ int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
1641 if (pre) 1688 if (pre)
1642 nistp224_pre_comp_free(pre); 1689 nistp224_pre_comp_free(pre);
1643 return ret; 1690 return ret;
1644 } 1691}
1645 1692
1646int ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group) 1693int
1647 { 1694ec_GFp_nistp224_have_precompute_mult(const EC_GROUP * group)
1695{
1648 if (EC_EX_DATA_get_data(group->extra_data, nistp224_pre_comp_dup, 1696 if (EC_EX_DATA_get_data(group->extra_data, nistp224_pre_comp_dup,
1649 nistp224_pre_comp_free, nistp224_pre_comp_clear_free) 1697 nistp224_pre_comp_free, nistp224_pre_comp_clear_free)
1650 != NULL) 1698 != NULL)
1651 return 1; 1699 return 1;
1652 else 1700 else
1653 return 0; 1701 return 0;
1654 } 1702}
1655 1703
1656#else 1704#else
1657static void *dummy=&dummy; 1705static void *dummy = &dummy;
1658#endif 1706#endif
diff --git a/src/lib/libcrypto/ec/ecp_nistp256.c b/src/lib/libcrypto/ec/ecp_nistp256.c
index 132ca0d250..345f67d520 100644
--- a/src/lib/libcrypto/ec/ecp_nistp256.c
+++ b/src/lib/libcrypto/ec/ecp_nistp256.c
@@ -112,41 +112,45 @@ typedef limb longfelem[NLIMBS * 2];
112typedef u64 smallfelem[NLIMBS]; 112typedef u64 smallfelem[NLIMBS];
113 113
114/* This is the value of the prime as four 64-bit words, little-endian. */ 114/* This is the value of the prime as four 64-bit words, little-endian. */
115static const u64 kPrime[4] = { 0xfffffffffffffffful, 0xffffffff, 0, 0xffffffff00000001ul }; 115static const u64 kPrime[4] = {0xfffffffffffffffful, 0xffffffff, 0, 0xffffffff00000001ul};
116static const limb bottom32bits = 0xffffffff; 116static const limb bottom32bits = 0xffffffff;
117static const u64 bottom63bits = 0x7ffffffffffffffful; 117static const u64 bottom63bits = 0x7ffffffffffffffful;
118 118
119/* bin32_to_felem takes a little-endian byte array and converts it into felem 119/* bin32_to_felem takes a little-endian byte array and converts it into felem
120 * form. This assumes that the CPU is little-endian. */ 120 * form. This assumes that the CPU is little-endian. */
121static void bin32_to_felem(felem out, const u8 in[32]) 121static void
122 { 122bin32_to_felem(felem out, const u8 in[32])
123 out[0] = *((u64*) &in[0]); 123{
124 out[1] = *((u64*) &in[8]); 124 out[0] = *((u64 *) & in[0]);
125 out[2] = *((u64*) &in[16]); 125 out[1] = *((u64 *) & in[8]);
126 out[3] = *((u64*) &in[24]); 126 out[2] = *((u64 *) & in[16]);
127 } 127 out[3] = *((u64 *) & in[24]);
128}
128 129
129/* smallfelem_to_bin32 takes a smallfelem and serialises into a little endian, 130/* smallfelem_to_bin32 takes a smallfelem and serialises into a little endian,
130 * 32 byte array. This assumes that the CPU is little-endian. */ 131 * 32 byte array. This assumes that the CPU is little-endian. */
131static void smallfelem_to_bin32(u8 out[32], const smallfelem in) 132static void
132 { 133smallfelem_to_bin32(u8 out[32], const smallfelem in)
133 *((u64*) &out[0]) = in[0]; 134{
134 *((u64*) &out[8]) = in[1]; 135 *((u64 *) & out[0]) = in[0];
135 *((u64*) &out[16]) = in[2]; 136 *((u64 *) & out[8]) = in[1];
136 *((u64*) &out[24]) = in[3]; 137 *((u64 *) & out[16]) = in[2];
137 } 138 *((u64 *) & out[24]) = in[3];
139}
138 140
139/* To preserve endianness when using BN_bn2bin and BN_bin2bn */ 141/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
140static void flip_endian(u8 *out, const u8 *in, unsigned len) 142static void
141 { 143flip_endian(u8 * out, const u8 * in, unsigned len)
144{
142 unsigned i; 145 unsigned i;
143 for (i = 0; i < len; ++i) 146 for (i = 0; i < len; ++i)
144 out[i] = in[len-1-i]; 147 out[i] = in[len - 1 - i];
145 } 148}
146 149
147/* BN_to_felem converts an OpenSSL BIGNUM into an felem */ 150/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
148static int BN_to_felem(felem out, const BIGNUM *bn) 151static int
149 { 152BN_to_felem(felem out, const BIGNUM * bn)
153{
150 felem_bytearray b_in; 154 felem_bytearray b_in;
151 felem_bytearray b_out; 155 felem_bytearray b_out;
152 unsigned num_bytes; 156 unsigned num_bytes;
@@ -154,89 +158,95 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
154 /* BN_bn2bin eats leading zeroes */ 158 /* BN_bn2bin eats leading zeroes */
155 memset(b_out, 0, sizeof b_out); 159 memset(b_out, 0, sizeof b_out);
156 num_bytes = BN_num_bytes(bn); 160 num_bytes = BN_num_bytes(bn);
157 if (num_bytes > sizeof b_out) 161 if (num_bytes > sizeof b_out) {
158 {
159 ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); 162 ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
160 return 0; 163 return 0;
161 } 164 }
162 if (BN_is_negative(bn)) 165 if (BN_is_negative(bn)) {
163 {
164 ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); 166 ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
165 return 0; 167 return 0;
166 } 168 }
167 num_bytes = BN_bn2bin(bn, b_in); 169 num_bytes = BN_bn2bin(bn, b_in);
168 flip_endian(b_out, b_in, num_bytes); 170 flip_endian(b_out, b_in, num_bytes);
169 bin32_to_felem(out, b_out); 171 bin32_to_felem(out, b_out);
170 return 1; 172 return 1;
171 } 173}
172 174
173/* felem_to_BN converts an felem into an OpenSSL BIGNUM */ 175/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
174static BIGNUM *smallfelem_to_BN(BIGNUM *out, const smallfelem in) 176static BIGNUM *
175 { 177smallfelem_to_BN(BIGNUM * out, const smallfelem in)
178{
176 felem_bytearray b_in, b_out; 179 felem_bytearray b_in, b_out;
177 smallfelem_to_bin32(b_in, in); 180 smallfelem_to_bin32(b_in, in);
178 flip_endian(b_out, b_in, sizeof b_out); 181 flip_endian(b_out, b_in, sizeof b_out);
179 return BN_bin2bn(b_out, sizeof b_out, out); 182 return BN_bin2bn(b_out, sizeof b_out, out);
180 } 183}
181 184
182 185
183/* Field operations 186/* Field operations
184 * ---------------- */ 187 * ---------------- */
185 188
186static void smallfelem_one(smallfelem out) 189static void
187 { 190smallfelem_one(smallfelem out)
191{
188 out[0] = 1; 192 out[0] = 1;
189 out[1] = 0; 193 out[1] = 0;
190 out[2] = 0; 194 out[2] = 0;
191 out[3] = 0; 195 out[3] = 0;
192 } 196}
193 197
194static void smallfelem_assign(smallfelem out, const smallfelem in) 198static void
195 { 199smallfelem_assign(smallfelem out, const smallfelem in)
200{
196 out[0] = in[0]; 201 out[0] = in[0];
197 out[1] = in[1]; 202 out[1] = in[1];
198 out[2] = in[2]; 203 out[2] = in[2];
199 out[3] = in[3]; 204 out[3] = in[3];
200 } 205}
201 206
202static void felem_assign(felem out, const felem in) 207static void
203 { 208felem_assign(felem out, const felem in)
209{
204 out[0] = in[0]; 210 out[0] = in[0];
205 out[1] = in[1]; 211 out[1] = in[1];
206 out[2] = in[2]; 212 out[2] = in[2];
207 out[3] = in[3]; 213 out[3] = in[3];
208 } 214}
209 215
210/* felem_sum sets out = out + in. */ 216/* felem_sum sets out = out + in. */
211static void felem_sum(felem out, const felem in) 217static void
212 { 218felem_sum(felem out, const felem in)
219{
213 out[0] += in[0]; 220 out[0] += in[0];
214 out[1] += in[1]; 221 out[1] += in[1];
215 out[2] += in[2]; 222 out[2] += in[2];
216 out[3] += in[3]; 223 out[3] += in[3];
217 } 224}
218 225
219/* felem_small_sum sets out = out + in. */ 226/* felem_small_sum sets out = out + in. */
220static void felem_small_sum(felem out, const smallfelem in) 227static void
221 { 228felem_small_sum(felem out, const smallfelem in)
229{
222 out[0] += in[0]; 230 out[0] += in[0];
223 out[1] += in[1]; 231 out[1] += in[1];
224 out[2] += in[2]; 232 out[2] += in[2];
225 out[3] += in[3]; 233 out[3] += in[3];
226 } 234}
227 235
228/* felem_scalar sets out = out * scalar */ 236/* felem_scalar sets out = out * scalar */
229static void felem_scalar(felem out, const u64 scalar) 237static void
230 { 238felem_scalar(felem out, const u64 scalar)
239{
231 out[0] *= scalar; 240 out[0] *= scalar;
232 out[1] *= scalar; 241 out[1] *= scalar;
233 out[2] *= scalar; 242 out[2] *= scalar;
234 out[3] *= scalar; 243 out[3] *= scalar;
235 } 244}
236 245
237/* longfelem_scalar sets out = out * scalar */ 246/* longfelem_scalar sets out = out * scalar */
238static void longfelem_scalar(longfelem out, const u64 scalar) 247static void
239 { 248longfelem_scalar(longfelem out, const u64 scalar)
249{
240 out[0] *= scalar; 250 out[0] *= scalar;
241 out[1] *= scalar; 251 out[1] *= scalar;
242 out[2] *= scalar; 252 out[2] *= scalar;
@@ -245,27 +255,28 @@ static void longfelem_scalar(longfelem out, const u64 scalar)
245 out[5] *= scalar; 255 out[5] *= scalar;
246 out[6] *= scalar; 256 out[6] *= scalar;
247 out[7] *= scalar; 257 out[7] *= scalar;
248 } 258}
249 259
250#define two105m41m9 (((limb)1) << 105) - (((limb)1) << 41) - (((limb)1) << 9) 260#define two105m41m9 (((limb)1) << 105) - (((limb)1) << 41) - (((limb)1) << 9)
251#define two105 (((limb)1) << 105) 261#define two105 (((limb)1) << 105)
252#define two105m41p9 (((limb)1) << 105) - (((limb)1) << 41) + (((limb)1) << 9) 262#define two105m41p9 (((limb)1) << 105) - (((limb)1) << 41) + (((limb)1) << 9)
253 263
254/* zero105 is 0 mod p */ 264/* zero105 is 0 mod p */
255static const felem zero105 = { two105m41m9, two105, two105m41p9, two105m41p9 }; 265static const felem zero105 = {two105m41m9, two105, two105m41p9, two105m41p9};
256 266
257/* smallfelem_neg sets |out| to |-small| 267/* smallfelem_neg sets |out| to |-small|
258 * On exit: 268 * On exit:
259 * out[i] < out[i] + 2^105 269 * out[i] < out[i] + 2^105
260 */ 270 */
261static void smallfelem_neg(felem out, const smallfelem small) 271static void
262 { 272smallfelem_neg(felem out, const smallfelem small)
273{
263 /* In order to prevent underflow, we subtract from 0 mod p. */ 274 /* In order to prevent underflow, we subtract from 0 mod p. */
264 out[0] = zero105[0] - small[0]; 275 out[0] = zero105[0] - small[0];
265 out[1] = zero105[1] - small[1]; 276 out[1] = zero105[1] - small[1];
266 out[2] = zero105[2] - small[2]; 277 out[2] = zero105[2] - small[2];
267 out[3] = zero105[3] - small[3]; 278 out[3] = zero105[3] - small[3];
268 } 279}
269 280
270/* felem_diff subtracts |in| from |out| 281/* felem_diff subtracts |in| from |out|
271 * On entry: 282 * On entry:
@@ -273,8 +284,9 @@ static void smallfelem_neg(felem out, const smallfelem small)
273 * On exit: 284 * On exit:
274 * out[i] < out[i] + 2^105 285 * out[i] < out[i] + 2^105
275 */ 286 */
276static void felem_diff(felem out, const felem in) 287static void
277 { 288felem_diff(felem out, const felem in)
289{
278 /* In order to prevent underflow, we add 0 mod p before subtracting. */ 290 /* In order to prevent underflow, we add 0 mod p before subtracting. */
279 out[0] += zero105[0]; 291 out[0] += zero105[0];
280 out[1] += zero105[1]; 292 out[1] += zero105[1];
@@ -285,14 +297,14 @@ static void felem_diff(felem out, const felem in)
285 out[1] -= in[1]; 297 out[1] -= in[1];
286 out[2] -= in[2]; 298 out[2] -= in[2];
287 out[3] -= in[3]; 299 out[3] -= in[3];
288 } 300}
289 301
290#define two107m43m11 (((limb)1) << 107) - (((limb)1) << 43) - (((limb)1) << 11) 302#define two107m43m11 (((limb)1) << 107) - (((limb)1) << 43) - (((limb)1) << 11)
291#define two107 (((limb)1) << 107) 303#define two107 (((limb)1) << 107)
292#define two107m43p11 (((limb)1) << 107) - (((limb)1) << 43) + (((limb)1) << 11) 304#define two107m43p11 (((limb)1) << 107) - (((limb)1) << 43) + (((limb)1) << 11)
293 305
294/* zero107 is 0 mod p */ 306/* zero107 is 0 mod p */
295static const felem zero107 = { two107m43m11, two107, two107m43p11, two107m43p11 }; 307static const felem zero107 = {two107m43m11, two107, two107m43p11, two107m43p11};
296 308
297/* An alternative felem_diff for larger inputs |in| 309/* An alternative felem_diff for larger inputs |in|
298 * felem_diff_zero107 subtracts |in| from |out| 310 * felem_diff_zero107 subtracts |in| from |out|
@@ -301,8 +313,9 @@ static const felem zero107 = { two107m43m11, two107, two107m43p11, two107m43p11
301 * On exit: 313 * On exit:
302 * out[i] < out[i] + 2^107 314 * out[i] < out[i] + 2^107
303 */ 315 */
304static void felem_diff_zero107(felem out, const felem in) 316static void
305 { 317felem_diff_zero107(felem out, const felem in)
318{
306 /* In order to prevent underflow, we add 0 mod p before subtracting. */ 319 /* In order to prevent underflow, we add 0 mod p before subtracting. */
307 out[0] += zero107[0]; 320 out[0] += zero107[0];
308 out[1] += zero107[1]; 321 out[1] += zero107[1];
@@ -313,7 +326,7 @@ static void felem_diff_zero107(felem out, const felem in)
313 out[1] -= in[1]; 326 out[1] -= in[1];
314 out[2] -= in[2]; 327 out[2] -= in[2];
315 out[3] -= in[3]; 328 out[3] -= in[3];
316 } 329}
317 330
318/* longfelem_diff subtracts |in| from |out| 331/* longfelem_diff subtracts |in| from |out|
319 * On entry: 332 * On entry:
@@ -321,13 +334,14 @@ static void felem_diff_zero107(felem out, const felem in)
321 * On exit: 334 * On exit:
322 * out[i] < out[i] + 2^70 + 2^40 335 * out[i] < out[i] + 2^70 + 2^40
323 */ 336 */
324static void longfelem_diff(longfelem out, const longfelem in) 337static void
325 { 338longfelem_diff(longfelem out, const longfelem in)
326 static const limb two70m8p6 = (((limb)1) << 70) - (((limb)1) << 8) + (((limb)1) << 6); 339{
327 static const limb two70p40 = (((limb)1) << 70) + (((limb)1) << 40); 340 static const limb two70m8p6 = (((limb) 1) << 70) - (((limb) 1) << 8) + (((limb) 1) << 6);
328 static const limb two70 = (((limb)1) << 70); 341 static const limb two70p40 = (((limb) 1) << 70) + (((limb) 1) << 40);
329 static const limb two70m40m38p6 = (((limb)1) << 70) - (((limb)1) << 40) - (((limb)1) << 38) + (((limb)1) << 6); 342 static const limb two70 = (((limb) 1) << 70);
330 static const limb two70m6 = (((limb)1) << 70) - (((limb)1) << 6); 343 static const limb two70m40m38p6 = (((limb) 1) << 70) - (((limb) 1) << 40) - (((limb) 1) << 38) + (((limb) 1) << 6);
344 static const limb two70m6 = (((limb) 1) << 70) - (((limb) 1) << 6);
331 345
332 /* add 0 mod p to avoid underflow */ 346 /* add 0 mod p to avoid underflow */
333 out[0] += two70m8p6; 347 out[0] += two70m8p6;
@@ -348,7 +362,7 @@ static void longfelem_diff(longfelem out, const longfelem in)
348 out[5] -= in[5]; 362 out[5] -= in[5];
349 out[6] -= in[6]; 363 out[6] -= in[6];
350 out[7] -= in[7]; 364 out[7] -= in[7];
351 } 365}
352 366
353#define two64m0 (((limb)1) << 64) - 1 367#define two64m0 (((limb)1) << 64) - 1
354#define two110p32m0 (((limb)1) << 110) + (((limb)1) << 32) - 1 368#define two110p32m0 (((limb)1) << 110) + (((limb)1) << 32) - 1
@@ -356,7 +370,7 @@ static void longfelem_diff(longfelem out, const longfelem in)
356#define two64m32 (((limb)1) << 64) - (((limb)1) << 32) 370#define two64m32 (((limb)1) << 64) - (((limb)1) << 32)
357 371
358/* zero110 is 0 mod p */ 372/* zero110 is 0 mod p */
359static const felem zero110 = { two64m0, two110p32m0, two64m46, two64m32 }; 373static const felem zero110 = {two64m0, two110p32m0, two64m46, two64m32};
360 374
361/* felem_shrink converts an felem into a smallfelem. The result isn't quite 375/* felem_shrink converts an felem into a smallfelem. The result isn't quite
362 * minimal as the value may be greater than p. 376 * minimal as the value may be greater than p.
@@ -366,12 +380,13 @@ static const felem zero110 = { two64m0, two110p32m0, two64m46, two64m32 };
366 * On exit: 380 * On exit:
367 * out[i] < 2^64 381 * out[i] < 2^64
368 */ 382 */
369static void felem_shrink(smallfelem out, const felem in) 383static void
370 { 384felem_shrink(smallfelem out, const felem in)
385{
371 felem tmp; 386 felem tmp;
372 u64 a, b, mask; 387 u64 a, b, mask;
373 s64 high, low; 388 s64 high, low;
374 static const u64 kPrime3Test = 0x7fffffff00000001ul; /* 2^63 - 2^32 + 1 */ 389 static const u64 kPrime3Test = 0x7fffffff00000001ul; /* 2^63 - 2^32 + 1 */
375 390
376 /* Carry 2->3 */ 391 /* Carry 2->3 */
377 tmp[3] = zero110[3] + in[3] + ((u64) (in[2] >> 64)); 392 tmp[3] = zero110[3] + in[3] + ((u64) (in[2] >> 64));
@@ -382,50 +397,58 @@ static void felem_shrink(smallfelem out, const felem in)
382 tmp[1] = zero110[1] + in[1]; 397 tmp[1] = zero110[1] + in[1];
383 /* tmp[0] < 2**110, tmp[1] < 2^111, tmp[2] < 2**65 */ 398 /* tmp[0] < 2**110, tmp[1] < 2^111, tmp[2] < 2**65 */
384 399
385 /* We perform two partial reductions where we eliminate the 400 /*
386 * high-word of tmp[3]. We don't update the other words till the end. 401 * We perform two partial reductions where we eliminate the high-word
402 * of tmp[3]. We don't update the other words till the end.
387 */ 403 */
388 a = tmp[3] >> 64; /* a < 2^46 */ 404 a = tmp[3] >> 64; /* a < 2^46 */
389 tmp[3] = (u64) tmp[3]; 405 tmp[3] = (u64) tmp[3];
390 tmp[3] -= a; 406 tmp[3] -= a;
391 tmp[3] += ((limb)a) << 32; 407 tmp[3] += ((limb) a) << 32;
392 /* tmp[3] < 2^79 */ 408 /* tmp[3] < 2^79 */
393 409
394 b = a; 410 b = a;
395 a = tmp[3] >> 64; /* a < 2^15 */ 411 a = tmp[3] >> 64; /* a < 2^15 */
396 b += a; /* b < 2^46 + 2^15 < 2^47 */ 412 b += a; /* b < 2^46 + 2^15 < 2^47 */
397 tmp[3] = (u64) tmp[3]; 413 tmp[3] = (u64) tmp[3];
398 tmp[3] -= a; 414 tmp[3] -= a;
399 tmp[3] += ((limb)a) << 32; 415 tmp[3] += ((limb) a) << 32;
400 /* tmp[3] < 2^64 + 2^47 */ 416 /* tmp[3] < 2^64 + 2^47 */
401 417
402 /* This adjusts the other two words to complete the two partial 418 /*
403 * reductions. */ 419 * This adjusts the other two words to complete the two partial
420 * reductions.
421 */
404 tmp[0] += b; 422 tmp[0] += b;
405 tmp[1] -= (((limb)b) << 32); 423 tmp[1] -= (((limb) b) << 32);
406 424
407 /* In order to make space in tmp[3] for the carry from 2 -> 3, we 425 /*
408 * conditionally subtract kPrime if tmp[3] is large enough. */ 426 * In order to make space in tmp[3] for the carry from 2 -> 3, we
427 * conditionally subtract kPrime if tmp[3] is large enough.
428 */
409 high = tmp[3] >> 64; 429 high = tmp[3] >> 64;
410 /* As tmp[3] < 2^65, high is either 1 or 0 */ 430 /* As tmp[3] < 2^65, high is either 1 or 0 */
411 high <<= 63; 431 high <<= 63;
412 high >>= 63; 432 high >>= 63;
413 /* high is: 433 /*
414 * all ones if the high word of tmp[3] is 1 434 * high is: all ones if the high word of tmp[3] is 1 all zeros if
415 * all zeros if the high word of tmp[3] if 0 */ 435 * the high word of tmp[3] if 0
436 */
416 low = tmp[3]; 437 low = tmp[3];
417 mask = low >> 63; 438 mask = low >> 63;
418 /* mask is: 439 /*
419 * all ones if the MSB of low is 1 440 * mask is: all ones if the MSB of low is 1 all zeros if the MSB
420 * all zeros if the MSB of low if 0 */ 441 * of low if 0
442 */
421 low &= bottom63bits; 443 low &= bottom63bits;
422 low -= kPrime3Test; 444 low -= kPrime3Test;
423 /* if low was greater than kPrime3Test then the MSB is zero */ 445 /* if low was greater than kPrime3Test then the MSB is zero */
424 low = ~low; 446 low = ~low;
425 low >>= 63; 447 low >>= 63;
426 /* low is: 448 /*
427 * all ones if low was > kPrime3Test 449 * low is: all ones if low was > kPrime3Test all zeros if low was
428 * all zeros if low was <= kPrime3Test */ 450 * <= kPrime3Test
451 */
429 mask = (mask & low) | high; 452 mask = (mask & low) | high;
430 tmp[0] -= mask & kPrime[0]; 453 tmp[0] -= mask & kPrime[0];
431 tmp[1] -= mask & kPrime[1]; 454 tmp[1] -= mask & kPrime[1];
@@ -433,25 +456,29 @@ static void felem_shrink(smallfelem out, const felem in)
433 tmp[3] -= mask & kPrime[3]; 456 tmp[3] -= mask & kPrime[3];
434 /* tmp[3] < 2**64 - 2**32 + 1 */ 457 /* tmp[3] < 2**64 - 2**32 + 1 */
435 458
436 tmp[1] += ((u64) (tmp[0] >> 64)); tmp[0] = (u64) tmp[0]; 459 tmp[1] += ((u64) (tmp[0] >> 64));
437 tmp[2] += ((u64) (tmp[1] >> 64)); tmp[1] = (u64) tmp[1]; 460 tmp[0] = (u64) tmp[0];
438 tmp[3] += ((u64) (tmp[2] >> 64)); tmp[2] = (u64) tmp[2]; 461 tmp[2] += ((u64) (tmp[1] >> 64));
462 tmp[1] = (u64) tmp[1];
463 tmp[3] += ((u64) (tmp[2] >> 64));
464 tmp[2] = (u64) tmp[2];
439 /* tmp[i] < 2^64 */ 465 /* tmp[i] < 2^64 */
440 466
441 out[0] = tmp[0]; 467 out[0] = tmp[0];
442 out[1] = tmp[1]; 468 out[1] = tmp[1];
443 out[2] = tmp[2]; 469 out[2] = tmp[2];
444 out[3] = tmp[3]; 470 out[3] = tmp[3];
445 } 471}
446 472
447/* smallfelem_expand converts a smallfelem to an felem */ 473/* smallfelem_expand converts a smallfelem to an felem */
448static void smallfelem_expand(felem out, const smallfelem in) 474static void
449 { 475smallfelem_expand(felem out, const smallfelem in)
476{
450 out[0] = in[0]; 477 out[0] = in[0];
451 out[1] = in[1]; 478 out[1] = in[1];
452 out[2] = in[2]; 479 out[2] = in[2];
453 out[3] = in[3]; 480 out[3] = in[3];
454 } 481}
455 482
456/* smallfelem_square sets |out| = |small|^2 483/* smallfelem_square sets |out| = |small|^2
457 * On entry: 484 * On entry:
@@ -459,8 +486,9 @@ static void smallfelem_expand(felem out, const smallfelem in)
459 * On exit: 486 * On exit:
460 * out[i] < 7 * 2^64 < 2^67 487 * out[i] < 7 * 2^64 < 2^67
461 */ 488 */
462static void smallfelem_square(longfelem out, const smallfelem small) 489static void
463 { 490smallfelem_square(longfelem out, const smallfelem small)
491{
464 limb a; 492 limb a;
465 u64 high, low; 493 u64 high, low;
466 494
@@ -529,7 +557,7 @@ static void smallfelem_square(longfelem out, const smallfelem small)
529 high = a >> 64; 557 high = a >> 64;
530 out[6] += low; 558 out[6] += low;
531 out[7] = high; 559 out[7] = high;
532 } 560}
533 561
534/* felem_square sets |out| = |in|^2 562/* felem_square sets |out| = |in|^2
535 * On entry: 563 * On entry:
@@ -537,12 +565,13 @@ static void smallfelem_square(longfelem out, const smallfelem small)
537 * On exit: 565 * On exit:
538 * out[i] < 7 * 2^64 < 2^67 566 * out[i] < 7 * 2^64 < 2^67
539 */ 567 */
540static void felem_square(longfelem out, const felem in) 568static void
541 { 569felem_square(longfelem out, const felem in)
570{
542 u64 small[4]; 571 u64 small[4];
543 felem_shrink(small, in); 572 felem_shrink(small, in);
544 smallfelem_square(out, small); 573 smallfelem_square(out, small);
545 } 574}
546 575
547/* smallfelem_mul sets |out| = |small1| * |small2| 576/* smallfelem_mul sets |out| = |small1| * |small2|
548 * On entry: 577 * On entry:
@@ -551,8 +580,9 @@ static void felem_square(longfelem out, const felem in)
551 * On exit: 580 * On exit:
552 * out[i] < 7 * 2^64 < 2^67 581 * out[i] < 7 * 2^64 < 2^67
553 */ 582 */
554static void smallfelem_mul(longfelem out, const smallfelem small1, const smallfelem small2) 583static void
555 { 584smallfelem_mul(longfelem out, const smallfelem small1, const smallfelem small2)
585{
556 limb a; 586 limb a;
557 u64 high, low; 587 u64 high, low;
558 588
@@ -657,7 +687,7 @@ static void smallfelem_mul(longfelem out, const smallfelem small1, const smallfe
657 high = a >> 64; 687 high = a >> 64;
658 out[6] += low; 688 out[6] += low;
659 out[7] = high; 689 out[7] = high;
660 } 690}
661 691
662/* felem_mul sets |out| = |in1| * |in2| 692/* felem_mul sets |out| = |in1| * |in2|
663 * On entry: 693 * On entry:
@@ -666,13 +696,14 @@ static void smallfelem_mul(longfelem out, const smallfelem small1, const smallfe
666 * On exit: 696 * On exit:
667 * out[i] < 7 * 2^64 < 2^67 697 * out[i] < 7 * 2^64 < 2^67
668 */ 698 */
669static void felem_mul(longfelem out, const felem in1, const felem in2) 699static void
670 { 700felem_mul(longfelem out, const felem in1, const felem in2)
701{
671 smallfelem small1, small2; 702 smallfelem small1, small2;
672 felem_shrink(small1, in1); 703 felem_shrink(small1, in1);
673 felem_shrink(small2, in2); 704 felem_shrink(small2, in2);
674 smallfelem_mul(out, small1, small2); 705 smallfelem_mul(out, small1, small2);
675 } 706}
676 707
677/* felem_small_mul sets |out| = |small1| * |in2| 708/* felem_small_mul sets |out| = |small1| * |in2|
678 * On entry: 709 * On entry:
@@ -681,23 +712,24 @@ static void felem_mul(longfelem out, const felem in1, const felem in2)
681 * On exit: 712 * On exit:
682 * out[i] < 7 * 2^64 < 2^67 713 * out[i] < 7 * 2^64 < 2^67
683 */ 714 */
684static void felem_small_mul(longfelem out, const smallfelem small1, const felem in2) 715static void
685 { 716felem_small_mul(longfelem out, const smallfelem small1, const felem in2)
717{
686 smallfelem small2; 718 smallfelem small2;
687 felem_shrink(small2, in2); 719 felem_shrink(small2, in2);
688 smallfelem_mul(out, small1, small2); 720 smallfelem_mul(out, small1, small2);
689 } 721}
690 722
691#define two100m36m4 (((limb)1) << 100) - (((limb)1) << 36) - (((limb)1) << 4) 723#define two100m36m4 (((limb)1) << 100) - (((limb)1) << 36) - (((limb)1) << 4)
692#define two100 (((limb)1) << 100) 724#define two100 (((limb)1) << 100)
693#define two100m36p4 (((limb)1) << 100) - (((limb)1) << 36) + (((limb)1) << 4) 725#define two100m36p4 (((limb)1) << 100) - (((limb)1) << 36) + (((limb)1) << 4)
694/* zero100 is 0 mod p */ 726/* zero100 is 0 mod p */
695static const felem zero100 = { two100m36m4, two100, two100m36p4, two100m36p4 }; 727static const felem zero100 = {two100m36m4, two100, two100m36p4, two100m36p4};
696 728
697/* Internal function for the different flavours of felem_reduce. 729/* Internal function for the different flavours of felem_reduce.
698 * felem_reduce_ reduces the higher coefficients in[4]-in[7]. 730 * felem_reduce_ reduces the higher coefficients in[4]-in[7].
699 * On entry: 731 * On entry:
700 * out[0] >= in[6] + 2^32*in[6] + in[7] + 2^32*in[7] 732 * out[0] >= in[6] + 2^32*in[6] + in[7] + 2^32*in[7]
701 * out[1] >= in[7] + 2^32*in[4] 733 * out[1] >= in[7] + 2^32*in[4]
702 * out[2] >= in[5] + 2^32*in[5] 734 * out[2] >= in[5] + 2^32*in[5]
703 * out[3] >= in[4] + 2^32*in[5] + 2^32*in[6] 735 * out[3] >= in[4] + 2^32*in[5] + 2^32*in[6]
@@ -707,8 +739,9 @@ static const felem zero100 = { two100m36m4, two100, two100m36p4, two100m36p4 };
707 * out[2] <= out[2] + in[7] + 2*in[6] + 2^33*in[7] 739 * out[2] <= out[2] + in[7] + 2*in[6] + 2^33*in[7]
708 * out[3] <= out[3] + 2^32*in[4] + 3*in[7] 740 * out[3] <= out[3] + 2^32*in[4] + 3*in[7]
709 */ 741 */
710static void felem_reduce_(felem out, const longfelem in) 742static void
711 { 743felem_reduce_(felem out, const longfelem in)
744{
712 int128_t c; 745 int128_t c;
713 /* combine common terms from below */ 746 /* combine common terms from below */
714 c = in[4] + (in[5] << 32); 747 c = in[4] + (in[5] << 32);
@@ -739,7 +772,7 @@ static void felem_reduce_(felem out, const longfelem in)
739 out[0] -= (in[7] << 32); 772 out[0] -= (in[7] << 32);
740 out[2] += (in[7] << 33); 773 out[2] += (in[7] << 33);
741 out[3] += (in[7] * 3); 774 out[3] += (in[7] * 3);
742 } 775}
743 776
744/* felem_reduce converts a longfelem into an felem. 777/* felem_reduce converts a longfelem into an felem.
745 * To be called directly after felem_square or felem_mul. 778 * To be called directly after felem_square or felem_mul.
@@ -749,8 +782,9 @@ static void felem_reduce_(felem out, const longfelem in)
749 * On exit: 782 * On exit:
750 * out[i] < 2^101 783 * out[i] < 2^101
751 */ 784 */
752static void felem_reduce(felem out, const longfelem in) 785static void
753 { 786felem_reduce(felem out, const longfelem in)
787{
754 out[0] = zero100[0] + in[0]; 788 out[0] = zero100[0] + in[0];
755 out[1] = zero100[1] + in[1]; 789 out[1] = zero100[1] + in[1];
756 out[2] = zero100[2] + in[2]; 790 out[2] = zero100[2] + in[2];
@@ -758,17 +792,18 @@ static void felem_reduce(felem out, const longfelem in)
758 792
759 felem_reduce_(out, in); 793 felem_reduce_(out, in);
760 794
761 /* out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0 795 /*
762 * out[1] > 2^100 - 2^64 - 7*2^96 > 0 796 * out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
763 * out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0 797 * out[1] > 2^100 - 2^64 - 7*2^96 > 0 out[2] > 2^100 - 2^36 + 2^4 -
764 * out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0 798 * 5*2^64 - 5*2^96 > 0 out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96
765 * 799 * - 3*2^96 > 0
766 * out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101 800 *
767 * out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101 801 * out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101 out[1] < 2^100 +
768 * out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101 802 * 3*2^64 + 5*2^64 + 3*2^97 < 2^101 out[2] < 2^100 + 5*2^64 + 2^64 +
769 * out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101 803 * 3*2^65 + 2^97 < 2^101 out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 <
804 * 2^101
770 */ 805 */
771 } 806}
772 807
773/* felem_reduce_zero105 converts a larger longfelem into an felem. 808/* felem_reduce_zero105 converts a larger longfelem into an felem.
774 * On entry: 809 * On entry:
@@ -776,8 +811,9 @@ static void felem_reduce(felem out, const longfelem in)
776 * On exit: 811 * On exit:
777 * out[i] < 2^106 812 * out[i] < 2^106
778 */ 813 */
779static void felem_reduce_zero105(felem out, const longfelem in) 814static void
780 { 815felem_reduce_zero105(felem out, const longfelem in)
816{
781 out[0] = zero105[0] + in[0]; 817 out[0] = zero105[0] + in[0];
782 out[1] = zero105[1] + in[1]; 818 out[1] = zero105[1] + in[1];
783 out[2] = zero105[2] + in[2]; 819 out[2] = zero105[2] + in[2];
@@ -785,34 +821,36 @@ static void felem_reduce_zero105(felem out, const longfelem in)
785 821
786 felem_reduce_(out, in); 822 felem_reduce_(out, in);
787 823
788 /* out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0 824 /*
789 * out[1] > 2^105 - 2^71 - 2^103 > 0 825 * out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
790 * out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0 826 * out[1] > 2^105 - 2^71 - 2^103 > 0 out[2] > 2^105 - 2^41 + 2^9 -
791 * out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0 827 * 2^71 - 2^103 > 0 out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 -
792 * 828 * 2^103 > 0
793 * out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106 829 *
794 * out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106 830 * out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106 out[1] < 2^105 + 2^71 +
795 * out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106 831 * 2^71 + 2^103 < 2^106 out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 <
796 * out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106 832 * 2^106 out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106
797 */ 833 */
798 } 834}
799 835
800/* subtract_u64 sets *result = *result - v and *carry to one if the subtraction 836/* subtract_u64 sets *result = *result - v and *carry to one if the subtraction
801 * underflowed. */ 837 * underflowed. */
802static void subtract_u64(u64* result, u64* carry, u64 v) 838static void
803 { 839subtract_u64(u64 * result, u64 * carry, u64 v)
840{
804 uint128_t r = *result; 841 uint128_t r = *result;
805 r -= v; 842 r -= v;
806 *carry = (r >> 64) & 1; 843 *carry = (r >> 64) & 1;
807 *result = (u64) r; 844 *result = (u64) r;
808 } 845}
809 846
810/* felem_contract converts |in| to its unique, minimal representation. 847/* felem_contract converts |in| to its unique, minimal representation.
811 * On entry: 848 * On entry:
812 * in[i] < 2^109 849 * in[i] < 2^109
813 */ 850 */
814static void felem_contract(smallfelem out, const felem in) 851static void
815 { 852felem_contract(smallfelem out, const felem in)
853{
816 unsigned i; 854 unsigned i;
817 u64 all_equal_so_far = 0, result = 0, carry; 855 u64 all_equal_so_far = 0, result = 0, carry;
818 856
@@ -820,20 +858,25 @@ static void felem_contract(smallfelem out, const felem in)
820 /* small is minimal except that the value might be > p */ 858 /* small is minimal except that the value might be > p */
821 859
822 all_equal_so_far--; 860 all_equal_so_far--;
823 /* We are doing a constant time test if out >= kPrime. We need to 861 /*
862 * We are doing a constant time test if out >= kPrime. We need to
824 * compare each u64, from most-significant to least significant. For 863 * compare each u64, from most-significant to least significant. For
825 * each one, if all words so far have been equal (m is all ones) then a 864 * each one, if all words so far have been equal (m is all ones) then
826 * non-equal result is the answer. Otherwise we continue. */ 865 * a non-equal result is the answer. Otherwise we continue.
827 for (i = 3; i < 4; i--) 866 */
828 { 867 for (i = 3; i < 4; i--) {
829 u64 equal; 868 u64 equal;
830 uint128_t a = ((uint128_t) kPrime[i]) - out[i]; 869 uint128_t a = ((uint128_t) kPrime[i]) - out[i];
831 /* if out[i] > kPrime[i] then a will underflow and the high 870 /*
832 * 64-bits will all be set. */ 871 * if out[i] > kPrime[i] then a will underflow and the high
872 * 64-bits will all be set.
873 */
833 result |= all_equal_so_far & ((u64) (a >> 64)); 874 result |= all_equal_so_far & ((u64) (a >> 64));
834 875
835 /* if kPrime[i] == out[i] then |equal| will be all zeros and 876 /*
836 * the decrement will make it all ones. */ 877 * if kPrime[i] == out[i] then |equal| will be all zeros and
878 * the decrement will make it all ones.
879 */
837 equal = kPrime[i] ^ out[i]; 880 equal = kPrime[i] ^ out[i];
838 equal--; 881 equal--;
839 equal &= equal << 32; 882 equal &= equal << 32;
@@ -845,10 +888,12 @@ static void felem_contract(smallfelem out, const felem in)
845 equal = ((s64) equal) >> 63; 888 equal = ((s64) equal) >> 63;
846 889
847 all_equal_so_far &= equal; 890 all_equal_so_far &= equal;
848 } 891 }
849 892
850 /* if all_equal_so_far is still all ones then the two values are equal 893 /*
851 * and so out >= kPrime is true. */ 894 * if all_equal_so_far is still all ones then the two values are
895 * equal and so out >= kPrime is true.
896 */
852 result |= all_equal_so_far; 897 result |= all_equal_so_far;
853 898
854 /* if out >= kPrime then we subtract kPrime. */ 899 /* if out >= kPrime then we subtract kPrime. */
@@ -865,35 +910,38 @@ static void felem_contract(smallfelem out, const felem in)
865 subtract_u64(&out[3], &carry, carry); 910 subtract_u64(&out[3], &carry, carry);
866 911
867 subtract_u64(&out[3], &carry, result & kPrime[3]); 912 subtract_u64(&out[3], &carry, result & kPrime[3]);
868 } 913}
869 914
870static void smallfelem_square_contract(smallfelem out, const smallfelem in) 915static void
871 { 916smallfelem_square_contract(smallfelem out, const smallfelem in)
917{
872 longfelem longtmp; 918 longfelem longtmp;
873 felem tmp; 919 felem tmp;
874 920
875 smallfelem_square(longtmp, in); 921 smallfelem_square(longtmp, in);
876 felem_reduce(tmp, longtmp); 922 felem_reduce(tmp, longtmp);
877 felem_contract(out, tmp); 923 felem_contract(out, tmp);
878 } 924}
879 925
880static void smallfelem_mul_contract(smallfelem out, const smallfelem in1, const smallfelem in2) 926static void
881 { 927smallfelem_mul_contract(smallfelem out, const smallfelem in1, const smallfelem in2)
928{
882 longfelem longtmp; 929 longfelem longtmp;
883 felem tmp; 930 felem tmp;
884 931
885 smallfelem_mul(longtmp, in1, in2); 932 smallfelem_mul(longtmp, in1, in2);
886 felem_reduce(tmp, longtmp); 933 felem_reduce(tmp, longtmp);
887 felem_contract(out, tmp); 934 felem_contract(out, tmp);
888 } 935}
889 936
890/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0 937/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
891 * otherwise. 938 * otherwise.
892 * On entry: 939 * On entry:
893 * small[i] < 2^64 940 * small[i] < 2^64
894 */ 941 */
895static limb smallfelem_is_zero(const smallfelem small) 942static limb
896 { 943smallfelem_is_zero(const smallfelem small)
944{
897 limb result; 945 limb result;
898 u64 is_p; 946 u64 is_p;
899 947
@@ -908,9 +956,9 @@ static limb smallfelem_is_zero(const smallfelem small)
908 is_zero = ((s64) is_zero) >> 63; 956 is_zero = ((s64) is_zero) >> 63;
909 957
910 is_p = (small[0] ^ kPrime[0]) | 958 is_p = (small[0] ^ kPrime[0]) |
911 (small[1] ^ kPrime[1]) | 959 (small[1] ^ kPrime[1]) |
912 (small[2] ^ kPrime[2]) | 960 (small[2] ^ kPrime[2]) |
913 (small[3] ^ kPrime[3]); 961 (small[3] ^ kPrime[3]);
914 is_p--; 962 is_p--;
915 is_p &= is_p << 32; 963 is_p &= is_p << 32;
916 is_p &= is_p << 16; 964 is_p &= is_p << 16;
@@ -925,12 +973,13 @@ static limb smallfelem_is_zero(const smallfelem small)
925 result = is_zero; 973 result = is_zero;
926 result |= ((limb) is_zero) << 64; 974 result |= ((limb) is_zero) << 64;
927 return result; 975 return result;
928 } 976}
929 977
930static int smallfelem_is_zero_int(const smallfelem small) 978static int
931 { 979smallfelem_is_zero_int(const smallfelem small)
932 return (int) (smallfelem_is_zero(small) & ((limb)1)); 980{
933 } 981 return (int) (smallfelem_is_zero(small) & ((limb) 1));
982}
934 983
935/* felem_inv calculates |out| = |in|^{-1} 984/* felem_inv calculates |out| = |in|^{-1}
936 * 985 *
@@ -939,77 +988,110 @@ static int smallfelem_is_zero_int(const smallfelem small)
939 * a^{p-1} = 1 (mod p) 988 * a^{p-1} = 1 (mod p)
940 * a^{p-2} = a^{-1} (mod p) 989 * a^{p-2} = a^{-1} (mod p)
941 */ 990 */
942static void felem_inv(felem out, const felem in) 991static void
943 { 992felem_inv(felem out, const felem in)
993{
944 felem ftmp, ftmp2; 994 felem ftmp, ftmp2;
945 /* each e_I will hold |in|^{2^I - 1} */ 995 /* each e_I will hold |in|^{2^I - 1} */
946 felem e2, e4, e8, e16, e32, e64; 996 felem e2, e4, e8, e16, e32, e64;
947 longfelem tmp; 997 longfelem tmp;
948 unsigned i; 998 unsigned i;
949 999
950 felem_square(tmp, in); felem_reduce(ftmp, tmp); /* 2^1 */ 1000 felem_square(tmp, in);
951 felem_mul(tmp, in, ftmp); felem_reduce(ftmp, tmp); /* 2^2 - 2^0 */ 1001 felem_reduce(ftmp, tmp);/* 2^1 */
1002 felem_mul(tmp, in, ftmp);
1003 felem_reduce(ftmp, tmp);/* 2^2 - 2^0 */
952 felem_assign(e2, ftmp); 1004 felem_assign(e2, ftmp);
953 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); /* 2^3 - 2^1 */ 1005 felem_square(tmp, ftmp);
954 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); /* 2^4 - 2^2 */ 1006 felem_reduce(ftmp, tmp);/* 2^3 - 2^1 */
955 felem_mul(tmp, ftmp, e2); felem_reduce(ftmp, tmp); /* 2^4 - 2^0 */ 1007 felem_square(tmp, ftmp);
1008 felem_reduce(ftmp, tmp);/* 2^4 - 2^2 */
1009 felem_mul(tmp, ftmp, e2);
1010 felem_reduce(ftmp, tmp);/* 2^4 - 2^0 */
956 felem_assign(e4, ftmp); 1011 felem_assign(e4, ftmp);
957 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); /* 2^5 - 2^1 */ 1012 felem_square(tmp, ftmp);
958 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); /* 2^6 - 2^2 */ 1013 felem_reduce(ftmp, tmp);/* 2^5 - 2^1 */
959 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); /* 2^7 - 2^3 */ 1014 felem_square(tmp, ftmp);
960 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); /* 2^8 - 2^4 */ 1015 felem_reduce(ftmp, tmp);/* 2^6 - 2^2 */
961 felem_mul(tmp, ftmp, e4); felem_reduce(ftmp, tmp); /* 2^8 - 2^0 */ 1016 felem_square(tmp, ftmp);
1017 felem_reduce(ftmp, tmp);/* 2^7 - 2^3 */
1018 felem_square(tmp, ftmp);
1019 felem_reduce(ftmp, tmp);/* 2^8 - 2^4 */
1020 felem_mul(tmp, ftmp, e4);
1021 felem_reduce(ftmp, tmp);/* 2^8 - 2^0 */
962 felem_assign(e8, ftmp); 1022 felem_assign(e8, ftmp);
963 for (i = 0; i < 8; i++) { 1023 for (i = 0; i < 8; i++) {
964 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); 1024 felem_square(tmp, ftmp);
965 } /* 2^16 - 2^8 */ 1025 felem_reduce(ftmp, tmp);
966 felem_mul(tmp, ftmp, e8); felem_reduce(ftmp, tmp); /* 2^16 - 2^0 */ 1026 } /* 2^16 - 2^8 */
1027 felem_mul(tmp, ftmp, e8);
1028 felem_reduce(ftmp, tmp);/* 2^16 - 2^0 */
967 felem_assign(e16, ftmp); 1029 felem_assign(e16, ftmp);
968 for (i = 0; i < 16; i++) { 1030 for (i = 0; i < 16; i++) {
969 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); 1031 felem_square(tmp, ftmp);
970 } /* 2^32 - 2^16 */ 1032 felem_reduce(ftmp, tmp);
971 felem_mul(tmp, ftmp, e16); felem_reduce(ftmp, tmp); /* 2^32 - 2^0 */ 1033 } /* 2^32 - 2^16 */
1034 felem_mul(tmp, ftmp, e16);
1035 felem_reduce(ftmp, tmp);/* 2^32 - 2^0 */
972 felem_assign(e32, ftmp); 1036 felem_assign(e32, ftmp);
973 for (i = 0; i < 32; i++) { 1037 for (i = 0; i < 32; i++) {
974 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); 1038 felem_square(tmp, ftmp);
975 } /* 2^64 - 2^32 */ 1039 felem_reduce(ftmp, tmp);
1040 } /* 2^64 - 2^32 */
976 felem_assign(e64, ftmp); 1041 felem_assign(e64, ftmp);
977 felem_mul(tmp, ftmp, in); felem_reduce(ftmp, tmp); /* 2^64 - 2^32 + 2^0 */ 1042 felem_mul(tmp, ftmp, in);
1043 felem_reduce(ftmp, tmp);/* 2^64 - 2^32 + 2^0 */
978 for (i = 0; i < 192; i++) { 1044 for (i = 0; i < 192; i++) {
979 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); 1045 felem_square(tmp, ftmp);
980 } /* 2^256 - 2^224 + 2^192 */ 1046 felem_reduce(ftmp, tmp);
1047 } /* 2^256 - 2^224 + 2^192 */
981 1048
982 felem_mul(tmp, e64, e32); felem_reduce(ftmp2, tmp); /* 2^64 - 2^0 */ 1049 felem_mul(tmp, e64, e32);
1050 felem_reduce(ftmp2, tmp); /* 2^64 - 2^0 */
983 for (i = 0; i < 16; i++) { 1051 for (i = 0; i < 16; i++) {
984 felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp); 1052 felem_square(tmp, ftmp2);
985 } /* 2^80 - 2^16 */ 1053 felem_reduce(ftmp2, tmp);
986 felem_mul(tmp, ftmp2, e16); felem_reduce(ftmp2, tmp); /* 2^80 - 2^0 */ 1054 } /* 2^80 - 2^16 */
1055 felem_mul(tmp, ftmp2, e16);
1056 felem_reduce(ftmp2, tmp); /* 2^80 - 2^0 */
987 for (i = 0; i < 8; i++) { 1057 for (i = 0; i < 8; i++) {
988 felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp); 1058 felem_square(tmp, ftmp2);
989 } /* 2^88 - 2^8 */ 1059 felem_reduce(ftmp2, tmp);
990 felem_mul(tmp, ftmp2, e8); felem_reduce(ftmp2, tmp); /* 2^88 - 2^0 */ 1060 } /* 2^88 - 2^8 */
1061 felem_mul(tmp, ftmp2, e8);
1062 felem_reduce(ftmp2, tmp); /* 2^88 - 2^0 */
991 for (i = 0; i < 4; i++) { 1063 for (i = 0; i < 4; i++) {
992 felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp); 1064 felem_square(tmp, ftmp2);
993 } /* 2^92 - 2^4 */ 1065 felem_reduce(ftmp2, tmp);
994 felem_mul(tmp, ftmp2, e4); felem_reduce(ftmp2, tmp); /* 2^92 - 2^0 */ 1066 } /* 2^92 - 2^4 */
995 felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp); /* 2^93 - 2^1 */ 1067 felem_mul(tmp, ftmp2, e4);
996 felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp); /* 2^94 - 2^2 */ 1068 felem_reduce(ftmp2, tmp); /* 2^92 - 2^0 */
997 felem_mul(tmp, ftmp2, e2); felem_reduce(ftmp2, tmp); /* 2^94 - 2^0 */ 1069 felem_square(tmp, ftmp2);
998 felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp); /* 2^95 - 2^1 */ 1070 felem_reduce(ftmp2, tmp); /* 2^93 - 2^1 */
999 felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp); /* 2^96 - 2^2 */ 1071 felem_square(tmp, ftmp2);
1000 felem_mul(tmp, ftmp2, in); felem_reduce(ftmp2, tmp); /* 2^96 - 3 */ 1072 felem_reduce(ftmp2, tmp); /* 2^94 - 2^2 */
1001 1073 felem_mul(tmp, ftmp2, e2);
1002 felem_mul(tmp, ftmp2, ftmp); felem_reduce(out, tmp); /* 2^256 - 2^224 + 2^192 + 2^96 - 3 */ 1074 felem_reduce(ftmp2, tmp); /* 2^94 - 2^0 */
1003 } 1075 felem_square(tmp, ftmp2);
1076 felem_reduce(ftmp2, tmp); /* 2^95 - 2^1 */
1077 felem_square(tmp, ftmp2);
1078 felem_reduce(ftmp2, tmp); /* 2^96 - 2^2 */
1079 felem_mul(tmp, ftmp2, in);
1080 felem_reduce(ftmp2, tmp); /* 2^96 - 3 */
1081
1082 felem_mul(tmp, ftmp2, ftmp);
1083 felem_reduce(out, tmp); /* 2^256 - 2^224 + 2^192 + 2^96 - 3 */
1084}
1004 1085
1005static void smallfelem_inv_contract(smallfelem out, const smallfelem in) 1086static void
1006 { 1087smallfelem_inv_contract(smallfelem out, const smallfelem in)
1088{
1007 felem tmp; 1089 felem tmp;
1008 1090
1009 smallfelem_expand(tmp, in); 1091 smallfelem_expand(tmp, in);
1010 felem_inv(tmp, tmp); 1092 felem_inv(tmp, tmp);
1011 felem_contract(out, tmp); 1093 felem_contract(out, tmp);
1012 } 1094}
1013 1095
1014/* Group operations 1096/* Group operations
1015 * ---------------- 1097 * ----------------
@@ -1027,8 +1109,8 @@ static void smallfelem_inv_contract(smallfelem out, const smallfelem in)
1027 * while x_out == y_in is not (maybe this works, but it's not tested). */ 1109 * while x_out == y_in is not (maybe this works, but it's not tested). */
1028static void 1110static void
1029point_double(felem x_out, felem y_out, felem z_out, 1111point_double(felem x_out, felem y_out, felem z_out,
1030 const felem x_in, const felem y_in, const felem z_in) 1112 const felem x_in, const felem y_in, const felem z_in)
1031 { 1113{
1032 longfelem tmp, tmp2; 1114 longfelem tmp, tmp2;
1033 felem delta, gamma, beta, alpha, ftmp, ftmp2; 1115 felem delta, gamma, beta, alpha, ftmp, ftmp2;
1034 smallfelem small1, small2; 1116 smallfelem small1, small2;
@@ -1101,14 +1183,14 @@ point_double(felem x_out, felem y_out, felem z_out,
1101 /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */ 1183 /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
1102 felem_reduce_zero105(y_out, tmp); 1184 felem_reduce_zero105(y_out, tmp);
1103 /* y_out[i] < 2^106 */ 1185 /* y_out[i] < 2^106 */
1104 } 1186}
1105 1187
1106/* point_double_small is the same as point_double, except that it operates on 1188/* point_double_small is the same as point_double, except that it operates on
1107 * smallfelems */ 1189 * smallfelems */
1108static void 1190static void
1109point_double_small(smallfelem x_out, smallfelem y_out, smallfelem z_out, 1191point_double_small(smallfelem x_out, smallfelem y_out, smallfelem z_out,
1110 const smallfelem x_in, const smallfelem y_in, const smallfelem z_in) 1192 const smallfelem x_in, const smallfelem y_in, const smallfelem z_in)
1111 { 1193{
1112 felem felem_x_out, felem_y_out, felem_z_out; 1194 felem felem_x_out, felem_y_out, felem_z_out;
1113 felem felem_x_in, felem_y_in, felem_z_in; 1195 felem felem_x_in, felem_y_in, felem_z_in;
1114 1196
@@ -1116,35 +1198,33 @@ point_double_small(smallfelem x_out, smallfelem y_out, smallfelem z_out,
1116 smallfelem_expand(felem_y_in, y_in); 1198 smallfelem_expand(felem_y_in, y_in);
1117 smallfelem_expand(felem_z_in, z_in); 1199 smallfelem_expand(felem_z_in, z_in);
1118 point_double(felem_x_out, felem_y_out, felem_z_out, 1200 point_double(felem_x_out, felem_y_out, felem_z_out,
1119 felem_x_in, felem_y_in, felem_z_in); 1201 felem_x_in, felem_y_in, felem_z_in);
1120 felem_shrink(x_out, felem_x_out); 1202 felem_shrink(x_out, felem_x_out);
1121 felem_shrink(y_out, felem_y_out); 1203 felem_shrink(y_out, felem_y_out);
1122 felem_shrink(z_out, felem_z_out); 1204 felem_shrink(z_out, felem_z_out);
1123 } 1205}
1124 1206
1125/* copy_conditional copies in to out iff mask is all ones. */ 1207/* copy_conditional copies in to out iff mask is all ones. */
1126static void 1208static void
1127copy_conditional(felem out, const felem in, limb mask) 1209copy_conditional(felem out, const felem in, limb mask)
1128 { 1210{
1129 unsigned i; 1211 unsigned i;
1130 for (i = 0; i < NLIMBS; ++i) 1212 for (i = 0; i < NLIMBS; ++i) {
1131 {
1132 const limb tmp = mask & (in[i] ^ out[i]); 1213 const limb tmp = mask & (in[i] ^ out[i]);
1133 out[i] ^= tmp; 1214 out[i] ^= tmp;
1134 }
1135 } 1215 }
1216}
1136 1217
1137/* copy_small_conditional copies in to out iff mask is all ones. */ 1218/* copy_small_conditional copies in to out iff mask is all ones. */
1138static void 1219static void
1139copy_small_conditional(felem out, const smallfelem in, limb mask) 1220copy_small_conditional(felem out, const smallfelem in, limb mask)
1140 { 1221{
1141 unsigned i; 1222 unsigned i;
1142 const u64 mask64 = mask; 1223 const u64 mask64 = mask;
1143 for (i = 0; i < NLIMBS; ++i) 1224 for (i = 0; i < NLIMBS; ++i) {
1144 {
1145 out[i] = ((limb) (in[i] & mask64)) | (out[i] & ~mask); 1225 out[i] = ((limb) (in[i] & mask64)) | (out[i] & ~mask);
1146 }
1147 } 1226 }
1227}
1148 1228
1149/* point_add calcuates (x1, y1, z1) + (x2, y2, z2) 1229/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
1150 * 1230 *
@@ -1156,10 +1236,11 @@ copy_small_conditional(felem out, const smallfelem in, limb mask)
1156 * are equal, (while not equal to the point at infinity). This case never 1236 * are equal, (while not equal to the point at infinity). This case never
1157 * happens during single point multiplication, so there is no timing leak for 1237 * happens during single point multiplication, so there is no timing leak for
1158 * ECDH or ECDSA signing. */ 1238 * ECDH or ECDSA signing. */
1159static void point_add(felem x3, felem y3, felem z3, 1239static void
1160 const felem x1, const felem y1, const felem z1, 1240point_add(felem x3, felem y3, felem z3,
1161 const int mixed, const smallfelem x2, const smallfelem y2, const smallfelem z2) 1241 const felem x1, const felem y1, const felem z1,
1162 { 1242 const int mixed, const smallfelem x2, const smallfelem y2, const smallfelem z2)
1243{
1163 felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out; 1244 felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out;
1164 longfelem tmp, tmp2; 1245 longfelem tmp, tmp2;
1165 smallfelem small1, small2, small3, small4, small5; 1246 smallfelem small1, small2, small3, small4, small5;
@@ -1176,8 +1257,7 @@ static void point_add(felem x3, felem y3, felem z3,
1176 /* ftmp[i] < 2^101 */ 1257 /* ftmp[i] < 2^101 */
1177 felem_shrink(small1, ftmp); 1258 felem_shrink(small1, ftmp);
1178 1259
1179 if(!mixed) 1260 if (!mixed) {
1180 {
1181 /* ftmp2 = z2z2 = z2**2 */ 1261 /* ftmp2 = z2z2 = z2**2 */
1182 smallfelem_square(tmp, z2); 1262 smallfelem_square(tmp, z2);
1183 felem_reduce(ftmp2, tmp); 1263 felem_reduce(ftmp2, tmp);
@@ -1213,9 +1293,7 @@ static void point_add(felem x3, felem y3, felem z3,
1213 felem_mul(tmp, y1, ftmp2); 1293 felem_mul(tmp, y1, ftmp2);
1214 felem_reduce(ftmp6, tmp); 1294 felem_reduce(ftmp6, tmp);
1215 /* ftmp6[i] < 2^101 */ 1295 /* ftmp6[i] < 2^101 */
1216 } 1296 } else {
1217 else
1218 {
1219 /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */ 1297 /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */
1220 1298
1221 /* u1 = ftmp3 = x1*z2z2 */ 1299 /* u1 = ftmp3 = x1*z2z2 */
@@ -1230,7 +1308,7 @@ static void point_add(felem x3, felem y3, felem z3,
1230 /* s1 = ftmp2 = y1 * z2**3 */ 1308 /* s1 = ftmp2 = y1 * z2**3 */
1231 felem_assign(ftmp6, y1); 1309 felem_assign(ftmp6, y1);
1232 /* ftmp6[i] < 2^106 */ 1310 /* ftmp6[i] < 2^106 */
1233 } 1311 }
1234 1312
1235 /* u2 = x2*z1z1 */ 1313 /* u2 = x2*z1z1 */
1236 smallfelem_mul(tmp, x2, small1); 1314 smallfelem_mul(tmp, x2, small1);
@@ -1258,18 +1336,16 @@ static void point_add(felem x3, felem y3, felem z3,
1258 1336
1259 /* r = ftmp5 = (s2 - s1)*2 */ 1337 /* r = ftmp5 = (s2 - s1)*2 */
1260 felem_diff_zero107(ftmp5, ftmp6); 1338 felem_diff_zero107(ftmp5, ftmp6);
1261 /* ftmp5[i] < 2^107 + 2^107 = 2^108*/ 1339 /* ftmp5[i] < 2^107 + 2^107 = 2^108 */
1262 felem_scalar(ftmp5, 2); 1340 felem_scalar(ftmp5, 2);
1263 /* ftmp5[i] < 2^109 */ 1341 /* ftmp5[i] < 2^109 */
1264 felem_shrink(small1, ftmp5); 1342 felem_shrink(small1, ftmp5);
1265 y_equal = smallfelem_is_zero(small1); 1343 y_equal = smallfelem_is_zero(small1);
1266 1344
1267 if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) 1345 if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) {
1268 {
1269 point_double(x3, y3, z3, x1, y1, z1); 1346 point_double(x3, y3, z3, x1, y1, z1);
1270 return; 1347 return;
1271 } 1348 }
1272
1273 /* I = ftmp = (2h)**2 */ 1349 /* I = ftmp = (2h)**2 */
1274 felem_assign(ftmp, ftmp4); 1350 felem_assign(ftmp, ftmp4);
1275 felem_scalar(ftmp, 2); 1351 felem_scalar(ftmp, 2);
@@ -1316,14 +1392,15 @@ static void point_add(felem x3, felem y3, felem z3,
1316 felem_assign(x3, x_out); 1392 felem_assign(x3, x_out);
1317 felem_assign(y3, y_out); 1393 felem_assign(y3, y_out);
1318 felem_assign(z3, z_out); 1394 felem_assign(z3, z_out);
1319 } 1395}
1320 1396
1321/* point_add_small is the same as point_add, except that it operates on 1397/* point_add_small is the same as point_add, except that it operates on
1322 * smallfelems */ 1398 * smallfelems */
1323static void point_add_small(smallfelem x3, smallfelem y3, smallfelem z3, 1399static void
1324 smallfelem x1, smallfelem y1, smallfelem z1, 1400point_add_small(smallfelem x3, smallfelem y3, smallfelem z3,
1325 smallfelem x2, smallfelem y2, smallfelem z2) 1401 smallfelem x1, smallfelem y1, smallfelem z1,
1326 { 1402 smallfelem x2, smallfelem y2, smallfelem z2)
1403{
1327 felem felem_x3, felem_y3, felem_z3; 1404 felem felem_x3, felem_y3, felem_z3;
1328 felem felem_x1, felem_y1, felem_z1; 1405 felem felem_x1, felem_y1, felem_z1;
1329 smallfelem_expand(felem_x1, x1); 1406 smallfelem_expand(felem_x1, x1);
@@ -1333,7 +1410,7 @@ static void point_add_small(smallfelem x3, smallfelem y3, smallfelem z3,
1333 felem_shrink(x3, felem_x3); 1410 felem_shrink(x3, felem_x3);
1334 felem_shrink(y3, felem_y3); 1411 felem_shrink(y3, felem_y3);
1335 felem_shrink(z3, felem_z3); 1412 felem_shrink(z3, felem_z3);
1336 } 1413}
1337 1414
1338/* Base point pre computation 1415/* Base point pre computation
1339 * -------------------------- 1416 * --------------------------
@@ -1373,113 +1450,113 @@ static void point_add_small(smallfelem x3, smallfelem y3, smallfelem z3,
1373/* gmul is the table of precomputed base points */ 1450/* gmul is the table of precomputed base points */
1374static const smallfelem gmul[2][16][3] = 1451static const smallfelem gmul[2][16][3] =
1375{{{{0, 0, 0, 0}, 1452{{{{0, 0, 0, 0},
1376 {0, 0, 0, 0}, 1453{0, 0, 0, 0},
1377 {0, 0, 0, 0}}, 1454{0, 0, 0, 0}},
1378 {{0xf4a13945d898c296, 0x77037d812deb33a0, 0xf8bce6e563a440f2, 0x6b17d1f2e12c4247}, 1455{{0xf4a13945d898c296, 0x77037d812deb33a0, 0xf8bce6e563a440f2, 0x6b17d1f2e12c4247},
1379 {0xcbb6406837bf51f5, 0x2bce33576b315ece, 0x8ee7eb4a7c0f9e16, 0x4fe342e2fe1a7f9b}, 1456{0xcbb6406837bf51f5, 0x2bce33576b315ece, 0x8ee7eb4a7c0f9e16, 0x4fe342e2fe1a7f9b},
1380 {1, 0, 0, 0}}, 1457{1, 0, 0, 0}},
1381 {{0x90e75cb48e14db63, 0x29493baaad651f7e, 0x8492592e326e25de, 0x0fa822bc2811aaa5}, 1458{{0x90e75cb48e14db63, 0x29493baaad651f7e, 0x8492592e326e25de, 0x0fa822bc2811aaa5},
1382 {0xe41124545f462ee7, 0x34b1a65050fe82f5, 0x6f4ad4bcb3df188b, 0xbff44ae8f5dba80d}, 1459{0xe41124545f462ee7, 0x34b1a65050fe82f5, 0x6f4ad4bcb3df188b, 0xbff44ae8f5dba80d},
1383 {1, 0, 0, 0}}, 1460{1, 0, 0, 0}},
1384 {{0x93391ce2097992af, 0xe96c98fd0d35f1fa, 0xb257c0de95e02789, 0x300a4bbc89d6726f}, 1461{{0x93391ce2097992af, 0xe96c98fd0d35f1fa, 0xb257c0de95e02789, 0x300a4bbc89d6726f},
1385 {0xaa54a291c08127a0, 0x5bb1eeada9d806a5, 0x7f1ddb25ff1e3c6f, 0x72aac7e0d09b4644}, 1462{0xaa54a291c08127a0, 0x5bb1eeada9d806a5, 0x7f1ddb25ff1e3c6f, 0x72aac7e0d09b4644},
1386 {1, 0, 0, 0}}, 1463{1, 0, 0, 0}},
1387 {{0x57c84fc9d789bd85, 0xfc35ff7dc297eac3, 0xfb982fd588c6766e, 0x447d739beedb5e67}, 1464{{0x57c84fc9d789bd85, 0xfc35ff7dc297eac3, 0xfb982fd588c6766e, 0x447d739beedb5e67},
1388 {0x0c7e33c972e25b32, 0x3d349b95a7fae500, 0xe12e9d953a4aaff7, 0x2d4825ab834131ee}, 1465{0x0c7e33c972e25b32, 0x3d349b95a7fae500, 0xe12e9d953a4aaff7, 0x2d4825ab834131ee},
1389 {1, 0, 0, 0}}, 1466{1, 0, 0, 0}},
1390 {{0x13949c932a1d367f, 0xef7fbd2b1a0a11b7, 0xddc6068bb91dfc60, 0xef9519328a9c72ff}, 1467{{0x13949c932a1d367f, 0xef7fbd2b1a0a11b7, 0xddc6068bb91dfc60, 0xef9519328a9c72ff},
1391 {0x196035a77376d8a8, 0x23183b0895ca1740, 0xc1ee9807022c219c, 0x611e9fc37dbb2c9b}, 1468{0x196035a77376d8a8, 0x23183b0895ca1740, 0xc1ee9807022c219c, 0x611e9fc37dbb2c9b},
1392 {1, 0, 0, 0}}, 1469{1, 0, 0, 0}},
1393 {{0xcae2b1920b57f4bc, 0x2936df5ec6c9bc36, 0x7dea6482e11238bf, 0x550663797b51f5d8}, 1470{{0xcae2b1920b57f4bc, 0x2936df5ec6c9bc36, 0x7dea6482e11238bf, 0x550663797b51f5d8},
1394 {0x44ffe216348a964c, 0x9fb3d576dbdefbe1, 0x0afa40018d9d50e5, 0x157164848aecb851}, 1471{0x44ffe216348a964c, 0x9fb3d576dbdefbe1, 0x0afa40018d9d50e5, 0x157164848aecb851},
1395 {1, 0, 0, 0}}, 1472{1, 0, 0, 0}},
1396 {{0xe48ecafffc5cde01, 0x7ccd84e70d715f26, 0xa2e8f483f43e4391, 0xeb5d7745b21141ea}, 1473{{0xe48ecafffc5cde01, 0x7ccd84e70d715f26, 0xa2e8f483f43e4391, 0xeb5d7745b21141ea},
1397 {0xcac917e2731a3479, 0x85f22cfe2844b645, 0x0990e6a158006cee, 0xeafd72ebdbecc17b}, 1474{0xcac917e2731a3479, 0x85f22cfe2844b645, 0x0990e6a158006cee, 0xeafd72ebdbecc17b},
1398 {1, 0, 0, 0}}, 1475{1, 0, 0, 0}},
1399 {{0x6cf20ffb313728be, 0x96439591a3c6b94a, 0x2736ff8344315fc5, 0xa6d39677a7849276}, 1476{{0x6cf20ffb313728be, 0x96439591a3c6b94a, 0x2736ff8344315fc5, 0xa6d39677a7849276},
1400 {0xf2bab833c357f5f4, 0x824a920c2284059b, 0x66b8babd2d27ecdf, 0x674f84749b0b8816}, 1477{0xf2bab833c357f5f4, 0x824a920c2284059b, 0x66b8babd2d27ecdf, 0x674f84749b0b8816},
1401 {1, 0, 0, 0}}, 1478{1, 0, 0, 0}},
1402 {{0x2df48c04677c8a3e, 0x74e02f080203a56b, 0x31855f7db8c7fedb, 0x4e769e7672c9ddad}, 1479{{0x2df48c04677c8a3e, 0x74e02f080203a56b, 0x31855f7db8c7fedb, 0x4e769e7672c9ddad},
1403 {0xa4c36165b824bbb0, 0xfb9ae16f3b9122a5, 0x1ec0057206947281, 0x42b99082de830663}, 1480{0xa4c36165b824bbb0, 0xfb9ae16f3b9122a5, 0x1ec0057206947281, 0x42b99082de830663},
1404 {1, 0, 0, 0}}, 1481{1, 0, 0, 0}},
1405 {{0x6ef95150dda868b9, 0xd1f89e799c0ce131, 0x7fdc1ca008a1c478, 0x78878ef61c6ce04d}, 1482{{0x6ef95150dda868b9, 0xd1f89e799c0ce131, 0x7fdc1ca008a1c478, 0x78878ef61c6ce04d},
1406 {0x9c62b9121fe0d976, 0x6ace570ebde08d4f, 0xde53142c12309def, 0xb6cb3f5d7b72c321}, 1483{0x9c62b9121fe0d976, 0x6ace570ebde08d4f, 0xde53142c12309def, 0xb6cb3f5d7b72c321},
1407 {1, 0, 0, 0}}, 1484{1, 0, 0, 0}},
1408 {{0x7f991ed2c31a3573, 0x5b82dd5bd54fb496, 0x595c5220812ffcae, 0x0c88bc4d716b1287}, 1485{{0x7f991ed2c31a3573, 0x5b82dd5bd54fb496, 0x595c5220812ffcae, 0x0c88bc4d716b1287},
1409 {0x3a57bf635f48aca8, 0x7c8181f4df2564f3, 0x18d1b5b39c04e6aa, 0xdd5ddea3f3901dc6}, 1486{0x3a57bf635f48aca8, 0x7c8181f4df2564f3, 0x18d1b5b39c04e6aa, 0xdd5ddea3f3901dc6},
1410 {1, 0, 0, 0}}, 1487{1, 0, 0, 0}},
1411 {{0xe96a79fb3e72ad0c, 0x43a0a28c42ba792f, 0xefe0a423083e49f3, 0x68f344af6b317466}, 1488{{0xe96a79fb3e72ad0c, 0x43a0a28c42ba792f, 0xefe0a423083e49f3, 0x68f344af6b317466},
1412 {0xcdfe17db3fb24d4a, 0x668bfc2271f5c626, 0x604ed93c24d67ff3, 0x31b9c405f8540a20}, 1489{0xcdfe17db3fb24d4a, 0x668bfc2271f5c626, 0x604ed93c24d67ff3, 0x31b9c405f8540a20},
1413 {1, 0, 0, 0}}, 1490{1, 0, 0, 0}},
1414 {{0xd36b4789a2582e7f, 0x0d1a10144ec39c28, 0x663c62c3edbad7a0, 0x4052bf4b6f461db9}, 1491{{0xd36b4789a2582e7f, 0x0d1a10144ec39c28, 0x663c62c3edbad7a0, 0x4052bf4b6f461db9},
1415 {0x235a27c3188d25eb, 0xe724f33999bfcc5b, 0x862be6bd71d70cc8, 0xfecf4d5190b0fc61}, 1492{0x235a27c3188d25eb, 0xe724f33999bfcc5b, 0x862be6bd71d70cc8, 0xfecf4d5190b0fc61},
1416 {1, 0, 0, 0}}, 1493{1, 0, 0, 0}},
1417 {{0x74346c10a1d4cfac, 0xafdf5cc08526a7a4, 0x123202a8f62bff7a, 0x1eddbae2c802e41a}, 1494{{0x74346c10a1d4cfac, 0xafdf5cc08526a7a4, 0x123202a8f62bff7a, 0x1eddbae2c802e41a},
1418 {0x8fa0af2dd603f844, 0x36e06b7e4c701917, 0x0c45f45273db33a0, 0x43104d86560ebcfc}, 1495{0x8fa0af2dd603f844, 0x36e06b7e4c701917, 0x0c45f45273db33a0, 0x43104d86560ebcfc},
1419 {1, 0, 0, 0}}, 1496{1, 0, 0, 0}},
1420 {{0x9615b5110d1d78e5, 0x66b0de3225c4744b, 0x0a4a46fb6aaf363a, 0xb48e26b484f7a21c}, 1497{{0x9615b5110d1d78e5, 0x66b0de3225c4744b, 0x0a4a46fb6aaf363a, 0xb48e26b484f7a21c},
1421 {0x06ebb0f621a01b2d, 0xc004e4048b7b0f98, 0x64131bcdfed6f668, 0xfac015404d4d3dab}, 1498{0x06ebb0f621a01b2d, 0xc004e4048b7b0f98, 0x64131bcdfed6f668, 0xfac015404d4d3dab},
1422 {1, 0, 0, 0}}}, 1499{1, 0, 0, 0}}},
1423 {{{0, 0, 0, 0}, 1500{{{0, 0, 0, 0},
1424 {0, 0, 0, 0}, 1501{0, 0, 0, 0},
1425 {0, 0, 0, 0}}, 1502{0, 0, 0, 0}},
1426 {{0x3a5a9e22185a5943, 0x1ab919365c65dfb6, 0x21656b32262c71da, 0x7fe36b40af22af89}, 1503{{0x3a5a9e22185a5943, 0x1ab919365c65dfb6, 0x21656b32262c71da, 0x7fe36b40af22af89},
1427 {0xd50d152c699ca101, 0x74b3d5867b8af212, 0x9f09f40407dca6f1, 0xe697d45825b63624}, 1504{0xd50d152c699ca101, 0x74b3d5867b8af212, 0x9f09f40407dca6f1, 0xe697d45825b63624},
1428 {1, 0, 0, 0}}, 1505{1, 0, 0, 0}},
1429 {{0xa84aa9397512218e, 0xe9a521b074ca0141, 0x57880b3a18a2e902, 0x4a5b506612a677a6}, 1506{{0xa84aa9397512218e, 0xe9a521b074ca0141, 0x57880b3a18a2e902, 0x4a5b506612a677a6},
1430 {0x0beada7a4c4f3840, 0x626db15419e26d9d, 0xc42604fbe1627d40, 0xeb13461ceac089f1}, 1507{0x0beada7a4c4f3840, 0x626db15419e26d9d, 0xc42604fbe1627d40, 0xeb13461ceac089f1},
1431 {1, 0, 0, 0}}, 1508{1, 0, 0, 0}},
1432 {{0xf9faed0927a43281, 0x5e52c4144103ecbc, 0xc342967aa815c857, 0x0781b8291c6a220a}, 1509{{0xf9faed0927a43281, 0x5e52c4144103ecbc, 0xc342967aa815c857, 0x0781b8291c6a220a},
1433 {0x5a8343ceeac55f80, 0x88f80eeee54a05e3, 0x97b2a14f12916434, 0x690cde8df0151593}, 1510{0x5a8343ceeac55f80, 0x88f80eeee54a05e3, 0x97b2a14f12916434, 0x690cde8df0151593},
1434 {1, 0, 0, 0}}, 1511{1, 0, 0, 0}},
1435 {{0xaee9c75df7f82f2a, 0x9e4c35874afdf43a, 0xf5622df437371326, 0x8a535f566ec73617}, 1512{{0xaee9c75df7f82f2a, 0x9e4c35874afdf43a, 0xf5622df437371326, 0x8a535f566ec73617},
1436 {0xc5f9a0ac223094b7, 0xcde533864c8c7669, 0x37e02819085a92bf, 0x0455c08468b08bd7}, 1513{0xc5f9a0ac223094b7, 0xcde533864c8c7669, 0x37e02819085a92bf, 0x0455c08468b08bd7},
1437 {1, 0, 0, 0}}, 1514{1, 0, 0, 0}},
1438 {{0x0c0a6e2c9477b5d9, 0xf9a4bf62876dc444, 0x5050a949b6cdc279, 0x06bada7ab77f8276}, 1515{{0x0c0a6e2c9477b5d9, 0xf9a4bf62876dc444, 0x5050a949b6cdc279, 0x06bada7ab77f8276},
1439 {0xc8b4aed1ea48dac9, 0xdebd8a4b7ea1070f, 0x427d49101366eb70, 0x5b476dfd0e6cb18a}, 1516{0xc8b4aed1ea48dac9, 0xdebd8a4b7ea1070f, 0x427d49101366eb70, 0x5b476dfd0e6cb18a},
1440 {1, 0, 0, 0}}, 1517{1, 0, 0, 0}},
1441 {{0x7c5c3e44278c340a, 0x4d54606812d66f3b, 0x29a751b1ae23c5d8, 0x3e29864e8a2ec908}, 1518{{0x7c5c3e44278c340a, 0x4d54606812d66f3b, 0x29a751b1ae23c5d8, 0x3e29864e8a2ec908},
1442 {0x142d2a6626dbb850, 0xad1744c4765bd780, 0x1f150e68e322d1ed, 0x239b90ea3dc31e7e}, 1519{0x142d2a6626dbb850, 0xad1744c4765bd780, 0x1f150e68e322d1ed, 0x239b90ea3dc31e7e},
1443 {1, 0, 0, 0}}, 1520{1, 0, 0, 0}},
1444 {{0x78c416527a53322a, 0x305dde6709776f8e, 0xdbcab759f8862ed4, 0x820f4dd949f72ff7}, 1521{{0x78c416527a53322a, 0x305dde6709776f8e, 0xdbcab759f8862ed4, 0x820f4dd949f72ff7},
1445 {0x6cc544a62b5debd4, 0x75be5d937b4e8cc4, 0x1b481b1b215c14d3, 0x140406ec783a05ec}, 1522{0x6cc544a62b5debd4, 0x75be5d937b4e8cc4, 0x1b481b1b215c14d3, 0x140406ec783a05ec},
1446 {1, 0, 0, 0}}, 1523{1, 0, 0, 0}},
1447 {{0x6a703f10e895df07, 0xfd75f3fa01876bd8, 0xeb5b06e70ce08ffe, 0x68f6b8542783dfee}, 1524{{0x6a703f10e895df07, 0xfd75f3fa01876bd8, 0xeb5b06e70ce08ffe, 0x68f6b8542783dfee},
1448 {0x90c76f8a78712655, 0xcf5293d2f310bf7f, 0xfbc8044dfda45028, 0xcbe1feba92e40ce6}, 1525{0x90c76f8a78712655, 0xcf5293d2f310bf7f, 0xfbc8044dfda45028, 0xcbe1feba92e40ce6},
1449 {1, 0, 0, 0}}, 1526{1, 0, 0, 0}},
1450 {{0xe998ceea4396e4c1, 0xfc82ef0b6acea274, 0x230f729f2250e927, 0xd0b2f94d2f420109}, 1527{{0xe998ceea4396e4c1, 0xfc82ef0b6acea274, 0x230f729f2250e927, 0xd0b2f94d2f420109},
1451 {0x4305adddb38d4966, 0x10b838f8624c3b45, 0x7db2636658954e7a, 0x971459828b0719e5}, 1528{0x4305adddb38d4966, 0x10b838f8624c3b45, 0x7db2636658954e7a, 0x971459828b0719e5},
1452 {1, 0, 0, 0}}, 1529{1, 0, 0, 0}},
1453 {{0x4bd6b72623369fc9, 0x57f2929e53d0b876, 0xc2d5cba4f2340687, 0x961610004a866aba}, 1530{{0x4bd6b72623369fc9, 0x57f2929e53d0b876, 0xc2d5cba4f2340687, 0x961610004a866aba},
1454 {0x49997bcd2e407a5e, 0x69ab197d92ddcb24, 0x2cf1f2438fe5131c, 0x7acb9fadcee75e44}, 1531{0x49997bcd2e407a5e, 0x69ab197d92ddcb24, 0x2cf1f2438fe5131c, 0x7acb9fadcee75e44},
1455 {1, 0, 0, 0}}, 1532{1, 0, 0, 0}},
1456 {{0x254e839423d2d4c0, 0xf57f0c917aea685b, 0xa60d880f6f75aaea, 0x24eb9acca333bf5b}, 1533{{0x254e839423d2d4c0, 0xf57f0c917aea685b, 0xa60d880f6f75aaea, 0x24eb9acca333bf5b},
1457 {0xe3de4ccb1cda5dea, 0xfeef9341c51a6b4f, 0x743125f88bac4c4d, 0x69f891c5acd079cc}, 1534{0xe3de4ccb1cda5dea, 0xfeef9341c51a6b4f, 0x743125f88bac4c4d, 0x69f891c5acd079cc},
1458 {1, 0, 0, 0}}, 1535{1, 0, 0, 0}},
1459 {{0xeee44b35702476b5, 0x7ed031a0e45c2258, 0xb422d1e7bd6f8514, 0xe51f547c5972a107}, 1536{{0xeee44b35702476b5, 0x7ed031a0e45c2258, 0xb422d1e7bd6f8514, 0xe51f547c5972a107},
1460 {0xa25bcd6fc9cf343d, 0x8ca922ee097c184e, 0xa62f98b3a9fe9a06, 0x1c309a2b25bb1387}, 1537{0xa25bcd6fc9cf343d, 0x8ca922ee097c184e, 0xa62f98b3a9fe9a06, 0x1c309a2b25bb1387},
1461 {1, 0, 0, 0}}, 1538{1, 0, 0, 0}},
1462 {{0x9295dbeb1967c459, 0xb00148833472c98e, 0xc504977708011828, 0x20b87b8aa2c4e503}, 1539{{0x9295dbeb1967c459, 0xb00148833472c98e, 0xc504977708011828, 0x20b87b8aa2c4e503},
1463 {0x3063175de057c277, 0x1bd539338fe582dd, 0x0d11adef5f69a044, 0xf5c6fa49919776be}, 1540{0x3063175de057c277, 0x1bd539338fe582dd, 0x0d11adef5f69a044, 0xf5c6fa49919776be},
1464 {1, 0, 0, 0}}, 1541{1, 0, 0, 0}},
1465 {{0x8c944e760fd59e11, 0x3876cba1102fad5f, 0xa454c3fad83faa56, 0x1ed7d1b9332010b9}, 1542{{0x8c944e760fd59e11, 0x3876cba1102fad5f, 0xa454c3fad83faa56, 0x1ed7d1b9332010b9},
1466 {0xa1011a270024b889, 0x05e4d0dcac0cd344, 0x52b520f0eb6a2a24, 0x3a2b03f03217257a}, 1543{0xa1011a270024b889, 0x05e4d0dcac0cd344, 0x52b520f0eb6a2a24, 0x3a2b03f03217257a},
1467 {1, 0, 0, 0}}, 1544{1, 0, 0, 0}},
1468 {{0xf20fc2afdf1d043d, 0xf330240db58d5a62, 0xfc7d229ca0058c3b, 0x15fee545c78dd9f6}, 1545{{0xf20fc2afdf1d043d, 0xf330240db58d5a62, 0xfc7d229ca0058c3b, 0x15fee545c78dd9f6},
1469 {0x501e82885bc98cda, 0x41ef80e5d046ac04, 0x557d9f49461210fb, 0x4ab5b6b2b8753f81}, 1546{0x501e82885bc98cda, 0x41ef80e5d046ac04, 0x557d9f49461210fb, 0x4ab5b6b2b8753f81},
1470 {1, 0, 0, 0}}}}; 1547{1, 0, 0, 0}}}};
1471 1548
1472/* select_point selects the |idx|th point from a precomputation table and 1549/* select_point selects the |idx|th point from a precomputation table and
1473 * copies it to out. */ 1550 * copies it to out. */
1474static void select_point(const u64 idx, unsigned int size, const smallfelem pre_comp[16][3], smallfelem out[3]) 1551static void
1475 { 1552select_point(const u64 idx, unsigned int size, const smallfelem pre_comp[16][3], smallfelem out[3])
1553{
1476 unsigned i, j; 1554 unsigned i, j;
1477 u64 *outlimbs = &out[0][0]; 1555 u64 *outlimbs = &out[0][0];
1478 memset(outlimbs, 0, 3 * sizeof(smallfelem)); 1556 memset(outlimbs, 0, 3 * sizeof(smallfelem));
1479 1557
1480 for (i = 0; i < size; i++) 1558 for (i = 0; i < size; i++) {
1481 { 1559 const u64 *inlimbs = (u64 *) & pre_comp[i][0][0];
1482 const u64 *inlimbs = (u64*) &pre_comp[i][0][0];
1483 u64 mask = i ^ idx; 1560 u64 mask = i ^ idx;
1484 mask |= mask >> 4; 1561 mask |= mask >> 4;
1485 mask |= mask >> 2; 1562 mask |= mask >> 2;
@@ -1488,26 +1565,28 @@ static void select_point(const u64 idx, unsigned int size, const smallfelem pre_
1488 mask--; 1565 mask--;
1489 for (j = 0; j < NLIMBS * 3; j++) 1566 for (j = 0; j < NLIMBS * 3; j++)
1490 outlimbs[j] |= inlimbs[j] & mask; 1567 outlimbs[j] |= inlimbs[j] & mask;
1491 }
1492 } 1568 }
1569}
1493 1570
1494/* get_bit returns the |i|th bit in |in| */ 1571/* get_bit returns the |i|th bit in |in| */
1495static char get_bit(const felem_bytearray in, int i) 1572static char
1496 { 1573get_bit(const felem_bytearray in, int i)
1574{
1497 if ((i < 0) || (i >= 256)) 1575 if ((i < 0) || (i >= 256))
1498 return 0; 1576 return 0;
1499 return (in[i >> 3] >> (i & 7)) & 1; 1577 return (in[i >> 3] >> (i & 7)) & 1;
1500 } 1578}
1501 1579
1502/* Interleaved point multiplication using precomputed point multiples: 1580/* Interleaved point multiplication using precomputed point multiples:
1503 * The small point multiples 0*P, 1*P, ..., 17*P are in pre_comp[], 1581 * The small point multiples 0*P, 1*P, ..., 17*P are in pre_comp[],
1504 * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple 1582 * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple
1505 * of the generator, using certain (large) precomputed multiples in g_pre_comp. 1583 * of the generator, using certain (large) precomputed multiples in g_pre_comp.
1506 * Output point (X, Y, Z) is stored in x_out, y_out, z_out */ 1584 * Output point (X, Y, Z) is stored in x_out, y_out, z_out */
1507static void batch_mul(felem x_out, felem y_out, felem z_out, 1585static void
1508 const felem_bytearray scalars[], const unsigned num_points, const u8 *g_scalar, 1586batch_mul(felem x_out, felem y_out, felem z_out,
1509 const int mixed, const smallfelem pre_comp[][17][3], const smallfelem g_pre_comp[2][16][3]) 1587 const felem_bytearray scalars[], const unsigned num_points, const u8 * g_scalar,
1510 { 1588 const int mixed, const smallfelem pre_comp[][17][3], const smallfelem g_pre_comp[2][16][3])
1589{
1511 int i, skip; 1590 int i, skip;
1512 unsigned num, gen_mul = (g_scalar != NULL); 1591 unsigned num, gen_mul = (g_scalar != NULL);
1513 felem nq[3], ftmp; 1592 felem nq[3], ftmp;
@@ -1518,20 +1597,20 @@ static void batch_mul(felem x_out, felem y_out, felem z_out,
1518 /* set nq to the point at infinity */ 1597 /* set nq to the point at infinity */
1519 memset(nq, 0, 3 * sizeof(felem)); 1598 memset(nq, 0, 3 * sizeof(felem));
1520 1599
1521 /* Loop over all scalars msb-to-lsb, interleaving additions 1600 /*
1522 * of multiples of the generator (two in each of the last 32 rounds) 1601 * Loop over all scalars msb-to-lsb, interleaving additions of
1523 * and additions of other points multiples (every 5th round). 1602 * multiples of the generator (two in each of the last 32 rounds) and
1603 * additions of other points multiples (every 5th round).
1524 */ 1604 */
1525 skip = 1; /* save two point operations in the first round */ 1605 skip = 1; /* save two point operations in the first
1526 for (i = (num_points ? 255 : 31); i >= 0; --i) 1606 * round */
1527 { 1607 for (i = (num_points ? 255 : 31); i >= 0; --i) {
1528 /* double */ 1608 /* double */
1529 if (!skip) 1609 if (!skip)
1530 point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]); 1610 point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
1531 1611
1532 /* add multiples of the generator */ 1612 /* add multiples of the generator */
1533 if (gen_mul && (i <= 31)) 1613 if (gen_mul && (i <= 31)) {
1534 {
1535 /* first, look 32 bits upwards */ 1614 /* first, look 32 bits upwards */
1536 bits = get_bit(g_scalar, i + 224) << 3; 1615 bits = get_bit(g_scalar, i + 224) << 3;
1537 bits |= get_bit(g_scalar, i + 160) << 2; 1616 bits |= get_bit(g_scalar, i + 160) << 2;
@@ -1540,19 +1619,16 @@ static void batch_mul(felem x_out, felem y_out, felem z_out,
1540 /* select the point to add, in constant time */ 1619 /* select the point to add, in constant time */
1541 select_point(bits, 16, g_pre_comp[1], tmp); 1620 select_point(bits, 16, g_pre_comp[1], tmp);
1542 1621
1543 if (!skip) 1622 if (!skip) {
1544 {
1545 point_add(nq[0], nq[1], nq[2], 1623 point_add(nq[0], nq[1], nq[2],
1546 nq[0], nq[1], nq[2], 1624 nq[0], nq[1], nq[2],
1547 1 /* mixed */, tmp[0], tmp[1], tmp[2]); 1625 1 /* mixed */ , tmp[0], tmp[1], tmp[2]);
1548 } 1626 } else {
1549 else
1550 {
1551 smallfelem_expand(nq[0], tmp[0]); 1627 smallfelem_expand(nq[0], tmp[0]);
1552 smallfelem_expand(nq[1], tmp[1]); 1628 smallfelem_expand(nq[1], tmp[1]);
1553 smallfelem_expand(nq[2], tmp[2]); 1629 smallfelem_expand(nq[2], tmp[2]);
1554 skip = 0; 1630 skip = 0;
1555 } 1631 }
1556 1632
1557 /* second, look at the current position */ 1633 /* second, look at the current position */
1558 bits = get_bit(g_scalar, i + 192) << 3; 1634 bits = get_bit(g_scalar, i + 192) << 3;
@@ -1562,16 +1638,13 @@ static void batch_mul(felem x_out, felem y_out, felem z_out,
1562 /* select the point to add, in constant time */ 1638 /* select the point to add, in constant time */
1563 select_point(bits, 16, g_pre_comp[0], tmp); 1639 select_point(bits, 16, g_pre_comp[0], tmp);
1564 point_add(nq[0], nq[1], nq[2], 1640 point_add(nq[0], nq[1], nq[2],
1565 nq[0], nq[1], nq[2], 1641 nq[0], nq[1], nq[2],
1566 1 /* mixed */, tmp[0], tmp[1], tmp[2]); 1642 1 /* mixed */ , tmp[0], tmp[1], tmp[2]);
1567 } 1643 }
1568
1569 /* do other additions every 5 doublings */ 1644 /* do other additions every 5 doublings */
1570 if (num_points && (i % 5 == 0)) 1645 if (num_points && (i % 5 == 0)) {
1571 {
1572 /* loop over all scalars */ 1646 /* loop over all scalars */
1573 for (num = 0; num < num_points; ++num) 1647 for (num = 0; num < num_points; ++num) {
1574 {
1575 bits = get_bit(scalars[num], i + 4) << 5; 1648 bits = get_bit(scalars[num], i + 4) << 5;
1576 bits |= get_bit(scalars[num], i + 3) << 4; 1649 bits |= get_bit(scalars[num], i + 3) << 4;
1577 bits |= get_bit(scalars[num], i + 2) << 3; 1650 bits |= get_bit(scalars[num], i + 2) << 3;
@@ -1580,32 +1653,33 @@ static void batch_mul(felem x_out, felem y_out, felem z_out,
1580 bits |= get_bit(scalars[num], i - 1); 1653 bits |= get_bit(scalars[num], i - 1);
1581 ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); 1654 ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
1582 1655
1583 /* select the point to add or subtract, in constant time */ 1656 /*
1657 * select the point to add or subtract, in
1658 * constant time
1659 */
1584 select_point(digit, 17, pre_comp[num], tmp); 1660 select_point(digit, 17, pre_comp[num], tmp);
1585 smallfelem_neg(ftmp, tmp[1]); /* (X, -Y, Z) is the negative point */ 1661 smallfelem_neg(ftmp, tmp[1]); /* (X, -Y, Z) is the
1662 * negative point */
1586 copy_small_conditional(ftmp, tmp[1], (((limb) sign) - 1)); 1663 copy_small_conditional(ftmp, tmp[1], (((limb) sign) - 1));
1587 felem_contract(tmp[1], ftmp); 1664 felem_contract(tmp[1], ftmp);
1588 1665
1589 if (!skip) 1666 if (!skip) {
1590 {
1591 point_add(nq[0], nq[1], nq[2], 1667 point_add(nq[0], nq[1], nq[2],
1592 nq[0], nq[1], nq[2], 1668 nq[0], nq[1], nq[2],
1593 mixed, tmp[0], tmp[1], tmp[2]); 1669 mixed, tmp[0], tmp[1], tmp[2]);
1594 } 1670 } else {
1595 else
1596 {
1597 smallfelem_expand(nq[0], tmp[0]); 1671 smallfelem_expand(nq[0], tmp[0]);
1598 smallfelem_expand(nq[1], tmp[1]); 1672 smallfelem_expand(nq[1], tmp[1]);
1599 smallfelem_expand(nq[2], tmp[2]); 1673 smallfelem_expand(nq[2], tmp[2]);
1600 skip = 0; 1674 skip = 0;
1601 }
1602 } 1675 }
1603 } 1676 }
1604 } 1677 }
1678 }
1605 felem_assign(x_out, nq[0]); 1679 felem_assign(x_out, nq[0]);
1606 felem_assign(y_out, nq[1]); 1680 felem_assign(y_out, nq[1]);
1607 felem_assign(z_out, nq[2]); 1681 felem_assign(z_out, nq[2]);
1608 } 1682}
1609 1683
1610/* Precomputation for the group generator. */ 1684/* Precomputation for the group generator. */
1611typedef struct { 1685typedef struct {
@@ -1627,20 +1701,20 @@ EC_GFp_nistp256_method(void)
1627 .group_get_curve = ec_GFp_simple_group_get_curve, 1701 .group_get_curve = ec_GFp_simple_group_get_curve,
1628 .group_get_degree = ec_GFp_simple_group_get_degree, 1702 .group_get_degree = ec_GFp_simple_group_get_degree,
1629 .group_check_discriminant = 1703 .group_check_discriminant =
1630 ec_GFp_simple_group_check_discriminant, 1704 ec_GFp_simple_group_check_discriminant,
1631 .point_init = ec_GFp_simple_point_init, 1705 .point_init = ec_GFp_simple_point_init,
1632 .point_finish = ec_GFp_simple_point_finish, 1706 .point_finish = ec_GFp_simple_point_finish,
1633 .point_clear_finish = ec_GFp_simple_point_clear_finish, 1707 .point_clear_finish = ec_GFp_simple_point_clear_finish,
1634 .point_copy = ec_GFp_simple_point_copy, 1708 .point_copy = ec_GFp_simple_point_copy,
1635 .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, 1709 .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
1636 .point_set_Jprojective_coordinates_GFp = 1710 .point_set_Jprojective_coordinates_GFp =
1637 ec_GFp_simple_set_Jprojective_coordinates_GFp, 1711 ec_GFp_simple_set_Jprojective_coordinates_GFp,
1638 .point_get_Jprojective_coordinates_GFp = 1712 .point_get_Jprojective_coordinates_GFp =
1639 ec_GFp_simple_get_Jprojective_coordinates_GFp, 1713 ec_GFp_simple_get_Jprojective_coordinates_GFp,
1640 .point_set_affine_coordinates = 1714 .point_set_affine_coordinates =
1641 ec_GFp_simple_point_set_affine_coordinates, 1715 ec_GFp_simple_point_set_affine_coordinates,
1642 .point_get_affine_coordinates = 1716 .point_get_affine_coordinates =
1643 ec_GFp_nistp256_point_get_affine_coordinates, 1717 ec_GFp_nistp256_point_get_affine_coordinates,
1644 .add = ec_GFp_simple_add, 1718 .add = ec_GFp_simple_add,
1645 .dbl = ec_GFp_simple_dbl, 1719 .dbl = ec_GFp_simple_dbl,
1646 .invert = ec_GFp_simple_invert, 1720 .invert = ec_GFp_simple_invert,
@@ -1663,32 +1737,34 @@ EC_GFp_nistp256_method(void)
1663/* FUNCTIONS TO MANAGE PRECOMPUTATION 1737/* FUNCTIONS TO MANAGE PRECOMPUTATION
1664 */ 1738 */
1665 1739
1666static NISTP256_PRE_COMP *nistp256_pre_comp_new() 1740static NISTP256_PRE_COMP *
1667 { 1741nistp256_pre_comp_new()
1742{
1668 NISTP256_PRE_COMP *ret = NULL; 1743 NISTP256_PRE_COMP *ret = NULL;
1669 ret = (NISTP256_PRE_COMP *) malloc(sizeof *ret); 1744 ret = (NISTP256_PRE_COMP *) malloc(sizeof *ret);
1670 if (!ret) 1745 if (!ret) {
1671 {
1672 ECerr(EC_F_NISTP256_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); 1746 ECerr(EC_F_NISTP256_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
1673 return ret; 1747 return ret;
1674 } 1748 }
1675 memset(ret->g_pre_comp, 0, sizeof(ret->g_pre_comp)); 1749 memset(ret->g_pre_comp, 0, sizeof(ret->g_pre_comp));
1676 ret->references = 1; 1750 ret->references = 1;
1677 return ret; 1751 return ret;
1678 } 1752}
1679 1753
1680static void *nistp256_pre_comp_dup(void *src_) 1754static void *
1681 { 1755nistp256_pre_comp_dup(void *src_)
1756{
1682 NISTP256_PRE_COMP *src = src_; 1757 NISTP256_PRE_COMP *src = src_;
1683 1758
1684 /* no need to actually copy, these objects never change! */ 1759 /* no need to actually copy, these objects never change! */
1685 CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP); 1760 CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP);
1686 1761
1687 return src_; 1762 return src_;
1688 } 1763}
1689 1764
1690static void nistp256_pre_comp_free(void *pre_) 1765static void
1691 { 1766nistp256_pre_comp_free(void *pre_)
1767{
1692 int i; 1768 int i;
1693 NISTP256_PRE_COMP *pre = pre_; 1769 NISTP256_PRE_COMP *pre = pre_;
1694 1770
@@ -1700,10 +1776,11 @@ static void nistp256_pre_comp_free(void *pre_)
1700 return; 1776 return;
1701 1777
1702 free(pre); 1778 free(pre);
1703 } 1779}
1704 1780
1705static void nistp256_pre_comp_clear_free(void *pre_) 1781static void
1706 { 1782nistp256_pre_comp_clear_free(void *pre_)
1783{
1707 int i; 1784 int i;
1708 NISTP256_PRE_COMP *pre = pre_; 1785 NISTP256_PRE_COMP *pre = pre_;
1709 1786
@@ -1716,43 +1793,46 @@ static void nistp256_pre_comp_clear_free(void *pre_)
1716 1793
1717 OPENSSL_cleanse(pre, sizeof *pre); 1794 OPENSSL_cleanse(pre, sizeof *pre);
1718 free(pre); 1795 free(pre);
1719 } 1796}
1720 1797
1721/******************************************************************************/ 1798/******************************************************************************/
1722/* OPENSSL EC_METHOD FUNCTIONS 1799/* OPENSSL EC_METHOD FUNCTIONS
1723 */ 1800 */
1724 1801
1725int ec_GFp_nistp256_group_init(EC_GROUP *group) 1802int
1726 { 1803ec_GFp_nistp256_group_init(EC_GROUP * group)
1804{
1727 int ret; 1805 int ret;
1728 ret = ec_GFp_simple_group_init(group); 1806 ret = ec_GFp_simple_group_init(group);
1729 group->a_is_minus3 = 1; 1807 group->a_is_minus3 = 1;
1730 return ret; 1808 return ret;
1731 } 1809}
1732 1810
1733int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, 1811int
1734 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 1812ec_GFp_nistp256_group_set_curve(EC_GROUP * group, const BIGNUM * p,
1735 { 1813 const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx)
1814{
1736 int ret = 0; 1815 int ret = 0;
1737 BN_CTX *new_ctx = NULL; 1816 BN_CTX *new_ctx = NULL;
1738 BIGNUM *curve_p, *curve_a, *curve_b; 1817 BIGNUM *curve_p, *curve_a, *curve_b;
1739 1818
1740 if (ctx == NULL) 1819 if (ctx == NULL)
1741 if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0; 1820 if ((ctx = new_ctx = BN_CTX_new()) == NULL)
1821 return 0;
1742 BN_CTX_start(ctx); 1822 BN_CTX_start(ctx);
1743 if (((curve_p = BN_CTX_get(ctx)) == NULL) || 1823 if (((curve_p = BN_CTX_get(ctx)) == NULL) ||
1744 ((curve_a = BN_CTX_get(ctx)) == NULL) || 1824 ((curve_a = BN_CTX_get(ctx)) == NULL) ||
1745 ((curve_b = BN_CTX_get(ctx)) == NULL)) goto err; 1825 ((curve_b = BN_CTX_get(ctx)) == NULL))
1826 goto err;
1746 BN_bin2bn(nistp256_curve_params[0], sizeof(felem_bytearray), curve_p); 1827 BN_bin2bn(nistp256_curve_params[0], sizeof(felem_bytearray), curve_p);
1747 BN_bin2bn(nistp256_curve_params[1], sizeof(felem_bytearray), curve_a); 1828 BN_bin2bn(nistp256_curve_params[1], sizeof(felem_bytearray), curve_a);
1748 BN_bin2bn(nistp256_curve_params[2], sizeof(felem_bytearray), curve_b); 1829 BN_bin2bn(nistp256_curve_params[2], sizeof(felem_bytearray), curve_b);
1749 if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) || 1830 if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) ||
1750 (BN_cmp(curve_b, b))) 1831 (BN_cmp(curve_b, b))) {
1751 {
1752 ECerr(EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE, 1832 ECerr(EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE,
1753 EC_R_WRONG_CURVE_PARAMETERS); 1833 EC_R_WRONG_CURVE_PARAMETERS);
1754 goto err; 1834 goto err;
1755 } 1835 }
1756 group->field_mod_func = BN_nist_mod_256; 1836 group->field_mod_func = BN_nist_mod_256;
1757 ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); 1837 ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
1758err: 1838err:
@@ -1760,76 +1840,82 @@ err:
1760 if (new_ctx != NULL) 1840 if (new_ctx != NULL)
1761 BN_CTX_free(new_ctx); 1841 BN_CTX_free(new_ctx);
1762 return ret; 1842 return ret;
1763 } 1843}
1764 1844
1765/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns 1845/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns
1766 * (X', Y') = (X/Z^2, Y/Z^3) */ 1846 * (X', Y') = (X/Z^2, Y/Z^3) */
1767int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group, 1847int
1768 const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx) 1848ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP * group,
1769 { 1849 const EC_POINT * point, BIGNUM * x, BIGNUM * y, BN_CTX * ctx)
1850{
1770 felem z1, z2, x_in, y_in; 1851 felem z1, z2, x_in, y_in;
1771 smallfelem x_out, y_out; 1852 smallfelem x_out, y_out;
1772 longfelem tmp; 1853 longfelem tmp;
1773 1854
1774 if (EC_POINT_is_at_infinity(group, point)) 1855 if (EC_POINT_is_at_infinity(group, point)) {
1775 {
1776 ECerr(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES, 1856 ECerr(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES,
1777 EC_R_POINT_AT_INFINITY); 1857 EC_R_POINT_AT_INFINITY);
1778 return 0; 1858 return 0;
1779 } 1859 }
1780 if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) || 1860 if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) ||
1781 (!BN_to_felem(z1, &point->Z))) return 0; 1861 (!BN_to_felem(z1, &point->Z)))
1862 return 0;
1782 felem_inv(z2, z1); 1863 felem_inv(z2, z1);
1783 felem_square(tmp, z2); felem_reduce(z1, tmp); 1864 felem_square(tmp, z2);
1784 felem_mul(tmp, x_in, z1); felem_reduce(x_in, tmp); 1865 felem_reduce(z1, tmp);
1866 felem_mul(tmp, x_in, z1);
1867 felem_reduce(x_in, tmp);
1785 felem_contract(x_out, x_in); 1868 felem_contract(x_out, x_in);
1786 if (x != NULL) 1869 if (x != NULL) {
1787 {
1788 if (!smallfelem_to_BN(x, x_out)) { 1870 if (!smallfelem_to_BN(x, x_out)) {
1789 ECerr(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES, 1871 ECerr(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES,
1790 ERR_R_BN_LIB); 1872 ERR_R_BN_LIB);
1791 return 0; 1873 return 0;
1792 }
1793 } 1874 }
1794 felem_mul(tmp, z1, z2); felem_reduce(z1, tmp); 1875 }
1795 felem_mul(tmp, y_in, z1); felem_reduce(y_in, tmp); 1876 felem_mul(tmp, z1, z2);
1877 felem_reduce(z1, tmp);
1878 felem_mul(tmp, y_in, z1);
1879 felem_reduce(y_in, tmp);
1796 felem_contract(y_out, y_in); 1880 felem_contract(y_out, y_in);
1797 if (y != NULL) 1881 if (y != NULL) {
1798 { 1882 if (!smallfelem_to_BN(y, y_out)) {
1799 if (!smallfelem_to_BN(y, y_out))
1800 {
1801 ECerr(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES, 1883 ECerr(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES,
1802 ERR_R_BN_LIB); 1884 ERR_R_BN_LIB);
1803 return 0; 1885 return 0;
1804 }
1805 } 1886 }
1806 return 1;
1807 } 1887 }
1888 return 1;
1889}
1808 1890
1809static void make_points_affine(size_t num, smallfelem points[/* num */][3], smallfelem tmp_smallfelems[/* num+1 */]) 1891static void
1810 { 1892make_points_affine(size_t num, smallfelem points[ /* num */ ][3], smallfelem tmp_smallfelems[ /* num+1 */ ])
1811 /* Runs in constant time, unless an input is the point at infinity 1893{
1812 * (which normally shouldn't happen). */ 1894 /*
1895 * Runs in constant time, unless an input is the point at infinity
1896 * (which normally shouldn't happen).
1897 */
1813 ec_GFp_nistp_points_make_affine_internal( 1898 ec_GFp_nistp_points_make_affine_internal(
1814 num, 1899 num,
1815 points, 1900 points,
1816 sizeof(smallfelem), 1901 sizeof(smallfelem),
1817 tmp_smallfelems, 1902 tmp_smallfelems,
1818 (void (*)(void *)) smallfelem_one, 1903 (void (*) (void *)) smallfelem_one,
1819 (int (*)(const void *)) smallfelem_is_zero_int, 1904 (int (*) (const void *)) smallfelem_is_zero_int,
1820 (void (*)(void *, const void *)) smallfelem_assign, 1905 (void (*) (void *, const void *)) smallfelem_assign,
1821 (void (*)(void *, const void *)) smallfelem_square_contract, 1906 (void (*) (void *, const void *)) smallfelem_square_contract,
1822 (void (*)(void *, const void *, const void *)) smallfelem_mul_contract, 1907 (void (*) (void *, const void *, const void *)) smallfelem_mul_contract,
1823 (void (*)(void *, const void *)) smallfelem_inv_contract, 1908 (void (*) (void *, const void *)) smallfelem_inv_contract,
1824 (void (*)(void *, const void *)) smallfelem_assign /* nothing to contract */); 1909 (void (*) (void *, const void *)) smallfelem_assign /* nothing to contract */ );
1825 } 1910}
1826 1911
1827/* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values 1912/* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values
1828 * Result is stored in r (r can equal one of the inputs). */ 1913 * Result is stored in r (r can equal one of the inputs). */
1829int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, 1914int
1830 const BIGNUM *scalar, size_t num, const EC_POINT *points[], 1915ec_GFp_nistp256_points_mul(const EC_GROUP * group, EC_POINT * r,
1831 const BIGNUM *scalars[], BN_CTX *ctx) 1916 const BIGNUM * scalar, size_t num, const EC_POINT * points[],
1832 { 1917 const BIGNUM * scalars[], BN_CTX * ctx)
1918{
1833 int ret = 0; 1919 int ret = 0;
1834 int j; 1920 int j;
1835 int mixed = 0; 1921 int mixed = 0;
@@ -1837,7 +1923,7 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
1837 BIGNUM *x, *y, *z, *tmp_scalar; 1923 BIGNUM *x, *y, *z, *tmp_scalar;
1838 felem_bytearray g_secret; 1924 felem_bytearray g_secret;
1839 felem_bytearray *secrets = NULL; 1925 felem_bytearray *secrets = NULL;
1840 smallfelem (*pre_comp)[17][3] = NULL; 1926 smallfelem(*pre_comp)[17][3] = NULL;
1841 smallfelem *tmp_smallfelems = NULL; 1927 smallfelem *tmp_smallfelems = NULL;
1842 felem_bytearray tmp; 1928 felem_bytearray tmp;
1843 unsigned i, num_bytes; 1929 unsigned i, num_bytes;
@@ -1846,28 +1932,28 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
1846 smallfelem x_in, y_in, z_in; 1932 smallfelem x_in, y_in, z_in;
1847 felem x_out, y_out, z_out; 1933 felem x_out, y_out, z_out;
1848 NISTP256_PRE_COMP *pre = NULL; 1934 NISTP256_PRE_COMP *pre = NULL;
1849 const smallfelem (*g_pre_comp)[16][3] = NULL; 1935 const smallfelem(*g_pre_comp)[16][3] = NULL;
1850 EC_POINT *generator = NULL; 1936 EC_POINT *generator = NULL;
1851 const EC_POINT *p = NULL; 1937 const EC_POINT *p = NULL;
1852 const BIGNUM *p_scalar = NULL; 1938 const BIGNUM *p_scalar = NULL;
1853 1939
1854 if (ctx == NULL) 1940 if (ctx == NULL)
1855 if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0; 1941 if ((ctx = new_ctx = BN_CTX_new()) == NULL)
1942 return 0;
1856 BN_CTX_start(ctx); 1943 BN_CTX_start(ctx);
1857 if (((x = BN_CTX_get(ctx)) == NULL) || 1944 if (((x = BN_CTX_get(ctx)) == NULL) ||
1858 ((y = BN_CTX_get(ctx)) == NULL) || 1945 ((y = BN_CTX_get(ctx)) == NULL) ||
1859 ((z = BN_CTX_get(ctx)) == NULL) || 1946 ((z = BN_CTX_get(ctx)) == NULL) ||
1860 ((tmp_scalar = BN_CTX_get(ctx)) == NULL)) 1947 ((tmp_scalar = BN_CTX_get(ctx)) == NULL))
1861 goto err; 1948 goto err;
1862 1949
1863 if (scalar != NULL) 1950 if (scalar != NULL) {
1864 {
1865 pre = EC_EX_DATA_get_data(group->extra_data, 1951 pre = EC_EX_DATA_get_data(group->extra_data,
1866 nistp256_pre_comp_dup, nistp256_pre_comp_free, 1952 nistp256_pre_comp_dup, nistp256_pre_comp_free,
1867 nistp256_pre_comp_clear_free); 1953 nistp256_pre_comp_clear_free);
1868 if (pre) 1954 if (pre)
1869 /* we have precomputation, try to use it */ 1955 /* we have precomputation, try to use it */
1870 g_pre_comp = (const smallfelem (*)[16][3]) pre->g_pre_comp; 1956 g_pre_comp = (const smallfelem(*)[16][3]) pre->g_pre_comp;
1871 else 1957 else
1872 /* try to use the standard precomputation */ 1958 /* try to use the standard precomputation */
1873 g_pre_comp = &gmul[0]; 1959 g_pre_comp = &gmul[0];
@@ -1876,147 +1962,140 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
1876 goto err; 1962 goto err;
1877 /* get the generator from precomputation */ 1963 /* get the generator from precomputation */
1878 if (!smallfelem_to_BN(x, g_pre_comp[0][1][0]) || 1964 if (!smallfelem_to_BN(x, g_pre_comp[0][1][0]) ||
1879 !smallfelem_to_BN(y, g_pre_comp[0][1][1]) || 1965 !smallfelem_to_BN(y, g_pre_comp[0][1][1]) ||
1880 !smallfelem_to_BN(z, g_pre_comp[0][1][2])) 1966 !smallfelem_to_BN(z, g_pre_comp[0][1][2])) {
1881 {
1882 ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB); 1967 ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
1883 goto err; 1968 goto err;
1884 } 1969 }
1885 if (!EC_POINT_set_Jprojective_coordinates_GFp(group, 1970 if (!EC_POINT_set_Jprojective_coordinates_GFp(group,
1886 generator, x, y, z, ctx)) 1971 generator, x, y, z, ctx))
1887 goto err; 1972 goto err;
1888 if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) 1973 if (0 == EC_POINT_cmp(group, generator, group->generator, ctx))
1889 /* precomputation matches generator */ 1974 /* precomputation matches generator */
1890 have_pre_comp = 1; 1975 have_pre_comp = 1;
1891 else 1976 else
1892 /* we don't have valid precomputation: 1977 /*
1893 * treat the generator as a random point */ 1978 * we don't have valid precomputation: treat the
1979 * generator as a random point
1980 */
1894 num_points++; 1981 num_points++;
1895 } 1982 }
1896 if (num_points > 0) 1983 if (num_points > 0) {
1897 { 1984 if (num_points >= 3) {
1898 if (num_points >= 3) 1985 /*
1899 { 1986 * unless we precompute multiples for just one or two
1900 /* unless we precompute multiples for just one or two points, 1987 * points, converting those into affine form is time
1901 * converting those into affine form is time well spent */ 1988 * well spent
1989 */
1902 mixed = 1; 1990 mixed = 1;
1903 } 1991 }
1904 secrets = malloc(num_points * sizeof(felem_bytearray)); 1992 secrets = malloc(num_points * sizeof(felem_bytearray));
1905 pre_comp = malloc(num_points * 17 * 3 * sizeof(smallfelem)); 1993 pre_comp = malloc(num_points * 17 * 3 * sizeof(smallfelem));
1906 if (mixed) 1994 if (mixed)
1907 tmp_smallfelems = malloc((num_points * 17 + 1) * sizeof(smallfelem)); 1995 tmp_smallfelems = malloc((num_points * 17 + 1) * sizeof(smallfelem));
1908 if ((secrets == NULL) || (pre_comp == NULL) || (mixed && (tmp_smallfelems == NULL))) 1996 if ((secrets == NULL) || (pre_comp == NULL) || (mixed && (tmp_smallfelems == NULL))) {
1909 {
1910 ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_MALLOC_FAILURE); 1997 ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_MALLOC_FAILURE);
1911 goto err; 1998 goto err;
1912 } 1999 }
1913 2000 /*
1914 /* we treat NULL scalars as 0, and NULL points as points at infinity, 2001 * we treat NULL scalars as 0, and NULL points as points at
1915 * i.e., they contribute nothing to the linear combination */ 2002 * infinity, i.e., they contribute nothing to the linear
2003 * combination
2004 */
1916 memset(secrets, 0, num_points * sizeof(felem_bytearray)); 2005 memset(secrets, 0, num_points * sizeof(felem_bytearray));
1917 memset(pre_comp, 0, num_points * 17 * 3 * sizeof(smallfelem)); 2006 memset(pre_comp, 0, num_points * 17 * 3 * sizeof(smallfelem));
1918 for (i = 0; i < num_points; ++i) 2007 for (i = 0; i < num_points; ++i) {
1919 {
1920 if (i == num) 2008 if (i == num)
1921 /* we didn't have a valid precomputation, so we pick 2009 /*
1922 * the generator */ 2010 * we didn't have a valid precomputation, so
1923 { 2011 * we pick the generator
2012 */
2013 {
1924 p = EC_GROUP_get0_generator(group); 2014 p = EC_GROUP_get0_generator(group);
1925 p_scalar = scalar; 2015 p_scalar = scalar;
1926 } 2016 } else
1927 else
1928 /* the i^th point */ 2017 /* the i^th point */
1929 { 2018 {
1930 p = points[i]; 2019 p = points[i];
1931 p_scalar = scalars[i]; 2020 p_scalar = scalars[i];
1932 } 2021 }
1933 if ((p_scalar != NULL) && (p != NULL)) 2022 if ((p_scalar != NULL) && (p != NULL)) {
1934 {
1935 /* reduce scalar to 0 <= scalar < 2^256 */ 2023 /* reduce scalar to 0 <= scalar < 2^256 */
1936 if ((BN_num_bits(p_scalar) > 256) || (BN_is_negative(p_scalar))) 2024 if ((BN_num_bits(p_scalar) > 256) || (BN_is_negative(p_scalar))) {
1937 { 2025 /*
1938 /* this is an unusual input, and we don't guarantee 2026 * this is an unusual input, and we
1939 * constant-timeness */ 2027 * don't guarantee constant-timeness
1940 if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) 2028 */
1941 { 2029 if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) {
1942 ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB); 2030 ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
1943 goto err; 2031 goto err;
1944 }
1945 num_bytes = BN_bn2bin(tmp_scalar, tmp);
1946 } 2032 }
1947 else 2033 num_bytes = BN_bn2bin(tmp_scalar, tmp);
2034 } else
1948 num_bytes = BN_bn2bin(p_scalar, tmp); 2035 num_bytes = BN_bn2bin(p_scalar, tmp);
1949 flip_endian(secrets[i], tmp, num_bytes); 2036 flip_endian(secrets[i], tmp, num_bytes);
1950 /* precompute multiples */ 2037 /* precompute multiples */
1951 if ((!BN_to_felem(x_out, &p->X)) || 2038 if ((!BN_to_felem(x_out, &p->X)) ||
1952 (!BN_to_felem(y_out, &p->Y)) || 2039 (!BN_to_felem(y_out, &p->Y)) ||
1953 (!BN_to_felem(z_out, &p->Z))) goto err; 2040 (!BN_to_felem(z_out, &p->Z)))
2041 goto err;
1954 felem_shrink(pre_comp[i][1][0], x_out); 2042 felem_shrink(pre_comp[i][1][0], x_out);
1955 felem_shrink(pre_comp[i][1][1], y_out); 2043 felem_shrink(pre_comp[i][1][1], y_out);
1956 felem_shrink(pre_comp[i][1][2], z_out); 2044 felem_shrink(pre_comp[i][1][2], z_out);
1957 for (j = 2; j <= 16; ++j) 2045 for (j = 2; j <= 16; ++j) {
1958 { 2046 if (j & 1) {
1959 if (j & 1)
1960 {
1961 point_add_small( 2047 point_add_small(
1962 pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2], 2048 pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
1963 pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2], 2049 pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2],
1964 pre_comp[i][j-1][0], pre_comp[i][j-1][1], pre_comp[i][j-1][2]); 2050 pre_comp[i][j - 1][0], pre_comp[i][j - 1][1], pre_comp[i][j - 1][2]);
1965 } 2051 } else {
1966 else
1967 {
1968 point_double_small( 2052 point_double_small(
1969 pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2], 2053 pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
1970 pre_comp[i][j/2][0], pre_comp[i][j/2][1], pre_comp[i][j/2][2]); 2054 pre_comp[i][j / 2][0], pre_comp[i][j / 2][1], pre_comp[i][j / 2][2]);
1971 }
1972 } 2055 }
1973 } 2056 }
1974 } 2057 }
2058 }
1975 if (mixed) 2059 if (mixed)
1976 make_points_affine(num_points * 17, pre_comp[0], tmp_smallfelems); 2060 make_points_affine(num_points * 17, pre_comp[0], tmp_smallfelems);
1977 } 2061 }
1978
1979 /* the scalar for the generator */ 2062 /* the scalar for the generator */
1980 if ((scalar != NULL) && (have_pre_comp)) 2063 if ((scalar != NULL) && (have_pre_comp)) {
1981 {
1982 memset(g_secret, 0, sizeof(g_secret)); 2064 memset(g_secret, 0, sizeof(g_secret));
1983 /* reduce scalar to 0 <= scalar < 2^256 */ 2065 /* reduce scalar to 0 <= scalar < 2^256 */
1984 if ((BN_num_bits(scalar) > 256) || (BN_is_negative(scalar))) 2066 if ((BN_num_bits(scalar) > 256) || (BN_is_negative(scalar))) {
1985 { 2067 /*
1986 /* this is an unusual input, and we don't guarantee 2068 * this is an unusual input, and we don't guarantee
1987 * constant-timeness */ 2069 * constant-timeness
1988 if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) 2070 */
1989 { 2071 if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) {
1990 ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB); 2072 ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
1991 goto err; 2073 goto err;
1992 }
1993 num_bytes = BN_bn2bin(tmp_scalar, tmp);
1994 } 2074 }
1995 else 2075 num_bytes = BN_bn2bin(tmp_scalar, tmp);
2076 } else
1996 num_bytes = BN_bn2bin(scalar, tmp); 2077 num_bytes = BN_bn2bin(scalar, tmp);
1997 flip_endian(g_secret, tmp, num_bytes); 2078 flip_endian(g_secret, tmp, num_bytes);
1998 /* do the multiplication with generator precomputation*/ 2079 /* do the multiplication with generator precomputation */
1999 batch_mul(x_out, y_out, z_out, 2080 batch_mul(x_out, y_out, z_out,
2000 (const felem_bytearray (*)) secrets, num_points, 2081 (const felem_bytearray(*)) secrets, num_points,
2001 g_secret, 2082 g_secret,
2002 mixed, (const smallfelem (*)[17][3]) pre_comp, 2083 mixed, (const smallfelem(*)[17][3]) pre_comp,
2003 g_pre_comp); 2084 g_pre_comp);
2004 } 2085 } else
2005 else
2006 /* do the multiplication without generator precomputation */ 2086 /* do the multiplication without generator precomputation */
2007 batch_mul(x_out, y_out, z_out, 2087 batch_mul(x_out, y_out, z_out,
2008 (const felem_bytearray (*)) secrets, num_points, 2088 (const felem_bytearray(*)) secrets, num_points,
2009 NULL, mixed, (const smallfelem (*)[17][3]) pre_comp, NULL); 2089 NULL, mixed, (const smallfelem(*)[17][3]) pre_comp, NULL);
2010 /* reduce the output to its unique minimal representation */ 2090 /* reduce the output to its unique minimal representation */
2011 felem_contract(x_in, x_out); 2091 felem_contract(x_in, x_out);
2012 felem_contract(y_in, y_out); 2092 felem_contract(y_in, y_out);
2013 felem_contract(z_in, z_out); 2093 felem_contract(z_in, z_out);
2014 if ((!smallfelem_to_BN(x, x_in)) || (!smallfelem_to_BN(y, y_in)) || 2094 if ((!smallfelem_to_BN(x, x_in)) || (!smallfelem_to_BN(y, y_in)) ||
2015 (!smallfelem_to_BN(z, z_in))) 2095 (!smallfelem_to_BN(z, z_in))) {
2016 {
2017 ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB); 2096 ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
2018 goto err; 2097 goto err;
2019 } 2098 }
2020 ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx); 2099 ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
2021 2100
2022err: 2101err:
@@ -2032,10 +2111,11 @@ err:
2032 if (tmp_smallfelems != NULL) 2111 if (tmp_smallfelems != NULL)
2033 free(tmp_smallfelems); 2112 free(tmp_smallfelems);
2034 return ret; 2113 return ret;
2035 } 2114}
2036 2115
2037int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx) 2116int
2038 { 2117ec_GFp_nistp256_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
2118{
2039 int ret = 0; 2119 int ret = 0;
2040 NISTP256_PRE_COMP *pre = NULL; 2120 NISTP256_PRE_COMP *pre = NULL;
2041 int i, j; 2121 int i, j;
@@ -2047,106 +2127,106 @@ int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
2047 2127
2048 /* throw away old precomputation */ 2128 /* throw away old precomputation */
2049 EC_EX_DATA_free_data(&group->extra_data, nistp256_pre_comp_dup, 2129 EC_EX_DATA_free_data(&group->extra_data, nistp256_pre_comp_dup,
2050 nistp256_pre_comp_free, nistp256_pre_comp_clear_free); 2130 nistp256_pre_comp_free, nistp256_pre_comp_clear_free);
2051 if (ctx == NULL) 2131 if (ctx == NULL)
2052 if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0; 2132 if ((ctx = new_ctx = BN_CTX_new()) == NULL)
2133 return 0;
2053 BN_CTX_start(ctx); 2134 BN_CTX_start(ctx);
2054 if (((x = BN_CTX_get(ctx)) == NULL) || 2135 if (((x = BN_CTX_get(ctx)) == NULL) ||
2055 ((y = BN_CTX_get(ctx)) == NULL)) 2136 ((y = BN_CTX_get(ctx)) == NULL))
2056 goto err; 2137 goto err;
2057 /* get the generator */ 2138 /* get the generator */
2058 if (group->generator == NULL) goto err; 2139 if (group->generator == NULL)
2140 goto err;
2059 generator = EC_POINT_new(group); 2141 generator = EC_POINT_new(group);
2060 if (generator == NULL) 2142 if (generator == NULL)
2061 goto err; 2143 goto err;
2062 BN_bin2bn(nistp256_curve_params[3], sizeof (felem_bytearray), x); 2144 BN_bin2bn(nistp256_curve_params[3], sizeof(felem_bytearray), x);
2063 BN_bin2bn(nistp256_curve_params[4], sizeof (felem_bytearray), y); 2145 BN_bin2bn(nistp256_curve_params[4], sizeof(felem_bytearray), y);
2064 if (!EC_POINT_set_affine_coordinates_GFp(group, generator, x, y, ctx)) 2146 if (!EC_POINT_set_affine_coordinates_GFp(group, generator, x, y, ctx))
2065 goto err; 2147 goto err;
2066 if ((pre = nistp256_pre_comp_new()) == NULL) 2148 if ((pre = nistp256_pre_comp_new()) == NULL)
2067 goto err; 2149 goto err;
2068 /* if the generator is the standard one, use built-in precomputation */ 2150 /* if the generator is the standard one, use built-in precomputation */
2069 if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) 2151 if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) {
2070 {
2071 memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp)); 2152 memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp));
2072 ret = 1; 2153 ret = 1;
2073 goto err; 2154 goto err;
2074 } 2155 }
2075 if ((!BN_to_felem(x_tmp, &group->generator->X)) || 2156 if ((!BN_to_felem(x_tmp, &group->generator->X)) ||
2076 (!BN_to_felem(y_tmp, &group->generator->Y)) || 2157 (!BN_to_felem(y_tmp, &group->generator->Y)) ||
2077 (!BN_to_felem(z_tmp, &group->generator->Z))) 2158 (!BN_to_felem(z_tmp, &group->generator->Z)))
2078 goto err; 2159 goto err;
2079 felem_shrink(pre->g_pre_comp[0][1][0], x_tmp); 2160 felem_shrink(pre->g_pre_comp[0][1][0], x_tmp);
2080 felem_shrink(pre->g_pre_comp[0][1][1], y_tmp); 2161 felem_shrink(pre->g_pre_comp[0][1][1], y_tmp);
2081 felem_shrink(pre->g_pre_comp[0][1][2], z_tmp); 2162 felem_shrink(pre->g_pre_comp[0][1][2], z_tmp);
2082 /* compute 2^64*G, 2^128*G, 2^192*G for the first table, 2163 /*
2083 * 2^32*G, 2^96*G, 2^160*G, 2^224*G for the second one 2164 * compute 2^64*G, 2^128*G, 2^192*G for the first table, 2^32*G,
2165 * 2^96*G, 2^160*G, 2^224*G for the second one
2084 */ 2166 */
2085 for (i = 1; i <= 8; i <<= 1) 2167 for (i = 1; i <= 8; i <<= 1) {
2086 {
2087 point_double_small( 2168 point_double_small(
2088 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2], 2169 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2],
2089 pre->g_pre_comp[0][i][0], pre->g_pre_comp[0][i][1], pre->g_pre_comp[0][i][2]); 2170 pre->g_pre_comp[0][i][0], pre->g_pre_comp[0][i][1], pre->g_pre_comp[0][i][2]);
2090 for (j = 0; j < 31; ++j) 2171 for (j = 0; j < 31; ++j) {
2091 {
2092 point_double_small( 2172 point_double_small(
2093 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2], 2173 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2],
2094 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]); 2174 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]);
2095 } 2175 }
2096 if (i == 8) 2176 if (i == 8)
2097 break; 2177 break;
2098 point_double_small( 2178 point_double_small(
2099 pre->g_pre_comp[0][2*i][0], pre->g_pre_comp[0][2*i][1], pre->g_pre_comp[0][2*i][2], 2179 pre->g_pre_comp[0][2 * i][0], pre->g_pre_comp[0][2 * i][1], pre->g_pre_comp[0][2 * i][2],
2100 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]); 2180 pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]);
2101 for (j = 0; j < 31; ++j) 2181 for (j = 0; j < 31; ++j) {
2102 {
2103 point_double_small( 2182 point_double_small(
2104 pre->g_pre_comp[0][2*i][0], pre->g_pre_comp[0][2*i][1], pre->g_pre_comp[0][2*i][2], 2183 pre->g_pre_comp[0][2 * i][0], pre->g_pre_comp[0][2 * i][1], pre->g_pre_comp[0][2 * i][2],
2105 pre->g_pre_comp[0][2*i][0], pre->g_pre_comp[0][2*i][1], pre->g_pre_comp[0][2*i][2]); 2184 pre->g_pre_comp[0][2 * i][0], pre->g_pre_comp[0][2 * i][1], pre->g_pre_comp[0][2 * i][2]);
2106 }
2107 } 2185 }
2108 for (i = 0; i < 2; i++) 2186 }
2109 { 2187 for (i = 0; i < 2; i++) {
2110 /* g_pre_comp[i][0] is the point at infinity */ 2188 /* g_pre_comp[i][0] is the point at infinity */
2111 memset(pre->g_pre_comp[i][0], 0, sizeof(pre->g_pre_comp[i][0])); 2189 memset(pre->g_pre_comp[i][0], 0, sizeof(pre->g_pre_comp[i][0]));
2112 /* the remaining multiples */ 2190 /* the remaining multiples */
2113 /* 2^64*G + 2^128*G resp. 2^96*G + 2^160*G */ 2191 /* 2^64*G + 2^128*G resp. 2^96*G + 2^160*G */
2114 point_add_small( 2192 point_add_small(
2115 pre->g_pre_comp[i][6][0], pre->g_pre_comp[i][6][1], pre->g_pre_comp[i][6][2], 2193 pre->g_pre_comp[i][6][0], pre->g_pre_comp[i][6][1], pre->g_pre_comp[i][6][2],
2116 pre->g_pre_comp[i][4][0], pre->g_pre_comp[i][4][1], pre->g_pre_comp[i][4][2], 2194 pre->g_pre_comp[i][4][0], pre->g_pre_comp[i][4][1], pre->g_pre_comp[i][4][2],
2117 pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1], pre->g_pre_comp[i][2][2]); 2195 pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1], pre->g_pre_comp[i][2][2]);
2118 /* 2^64*G + 2^192*G resp. 2^96*G + 2^224*G */ 2196 /* 2^64*G + 2^192*G resp. 2^96*G + 2^224*G */
2119 point_add_small( 2197 point_add_small(
2120 pre->g_pre_comp[i][10][0], pre->g_pre_comp[i][10][1], pre->g_pre_comp[i][10][2], 2198 pre->g_pre_comp[i][10][0], pre->g_pre_comp[i][10][1], pre->g_pre_comp[i][10][2],
2121 pre->g_pre_comp[i][8][0], pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2], 2199 pre->g_pre_comp[i][8][0], pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2],
2122 pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1], pre->g_pre_comp[i][2][2]); 2200 pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1], pre->g_pre_comp[i][2][2]);
2123 /* 2^128*G + 2^192*G resp. 2^160*G + 2^224*G */ 2201 /* 2^128*G + 2^192*G resp. 2^160*G + 2^224*G */
2124 point_add_small( 2202 point_add_small(
2125 pre->g_pre_comp[i][12][0], pre->g_pre_comp[i][12][1], pre->g_pre_comp[i][12][2], 2203 pre->g_pre_comp[i][12][0], pre->g_pre_comp[i][12][1], pre->g_pre_comp[i][12][2],
2126 pre->g_pre_comp[i][8][0], pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2], 2204 pre->g_pre_comp[i][8][0], pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2],
2127 pre->g_pre_comp[i][4][0], pre->g_pre_comp[i][4][1], pre->g_pre_comp[i][4][2]); 2205 pre->g_pre_comp[i][4][0], pre->g_pre_comp[i][4][1], pre->g_pre_comp[i][4][2]);
2128 /* 2^64*G + 2^128*G + 2^192*G resp. 2^96*G + 2^160*G + 2^224*G */ 2206 /*
2207 * 2^64*G + 2^128*G + 2^192*G resp. 2^96*G + 2^160*G +
2208 * 2^224*G
2209 */
2129 point_add_small( 2210 point_add_small(
2130 pre->g_pre_comp[i][14][0], pre->g_pre_comp[i][14][1], pre->g_pre_comp[i][14][2], 2211 pre->g_pre_comp[i][14][0], pre->g_pre_comp[i][14][1], pre->g_pre_comp[i][14][2],
2131 pre->g_pre_comp[i][12][0], pre->g_pre_comp[i][12][1], pre->g_pre_comp[i][12][2], 2212 pre->g_pre_comp[i][12][0], pre->g_pre_comp[i][12][1], pre->g_pre_comp[i][12][2],
2132 pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1], pre->g_pre_comp[i][2][2]); 2213 pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1], pre->g_pre_comp[i][2][2]);
2133 for (j = 1; j < 8; ++j) 2214 for (j = 1; j < 8; ++j) {
2134 {
2135 /* odd multiples: add G resp. 2^32*G */ 2215 /* odd multiples: add G resp. 2^32*G */
2136 point_add_small( 2216 point_add_small(
2137 pre->g_pre_comp[i][2*j+1][0], pre->g_pre_comp[i][2*j+1][1], pre->g_pre_comp[i][2*j+1][2], 2217 pre->g_pre_comp[i][2 * j + 1][0], pre->g_pre_comp[i][2 * j + 1][1], pre->g_pre_comp[i][2 * j + 1][2],
2138 pre->g_pre_comp[i][2*j][0], pre->g_pre_comp[i][2*j][1], pre->g_pre_comp[i][2*j][2], 2218 pre->g_pre_comp[i][2 * j][0], pre->g_pre_comp[i][2 * j][1], pre->g_pre_comp[i][2 * j][2],
2139 pre->g_pre_comp[i][1][0], pre->g_pre_comp[i][1][1], pre->g_pre_comp[i][1][2]); 2219 pre->g_pre_comp[i][1][0], pre->g_pre_comp[i][1][1], pre->g_pre_comp[i][1][2]);
2140 }
2141 } 2220 }
2221 }
2142 make_points_affine(31, &(pre->g_pre_comp[0][1]), tmp_smallfelems); 2222 make_points_affine(31, &(pre->g_pre_comp[0][1]), tmp_smallfelems);
2143 2223
2144 if (!EC_EX_DATA_set_data(&group->extra_data, pre, nistp256_pre_comp_dup, 2224 if (!EC_EX_DATA_set_data(&group->extra_data, pre, nistp256_pre_comp_dup,
2145 nistp256_pre_comp_free, nistp256_pre_comp_clear_free)) 2225 nistp256_pre_comp_free, nistp256_pre_comp_clear_free))
2146 goto err; 2226 goto err;
2147 ret = 1; 2227 ret = 1;
2148 pre = NULL; 2228 pre = NULL;
2149 err: 2229err:
2150 BN_CTX_end(ctx); 2230 BN_CTX_end(ctx);
2151 if (generator != NULL) 2231 if (generator != NULL)
2152 EC_POINT_free(generator); 2232 EC_POINT_free(generator);
@@ -2155,17 +2235,18 @@ int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
2155 if (pre) 2235 if (pre)
2156 nistp256_pre_comp_free(pre); 2236 nistp256_pre_comp_free(pre);
2157 return ret; 2237 return ret;
2158 } 2238}
2159 2239
2160int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group) 2240int
2161 { 2241ec_GFp_nistp256_have_precompute_mult(const EC_GROUP * group)
2242{
2162 if (EC_EX_DATA_get_data(group->extra_data, nistp256_pre_comp_dup, 2243 if (EC_EX_DATA_get_data(group->extra_data, nistp256_pre_comp_dup,
2163 nistp256_pre_comp_free, nistp256_pre_comp_clear_free) 2244 nistp256_pre_comp_free, nistp256_pre_comp_clear_free)
2164 != NULL) 2245 != NULL)
2165 return 1; 2246 return 1;
2166 else 2247 else
2167 return 0; 2248 return 0;
2168 } 2249}
2169#else 2250#else
2170static void *dummy=&dummy; 2251static void *dummy = &dummy;
2171#endif 2252#endif
diff --git a/src/lib/libcrypto/ec/ecp_nistp521.c b/src/lib/libcrypto/ec/ecp_nistp521.c
index c34c38b7e8..f5b72a4c0d 100644
--- a/src/lib/libcrypto/ec/ecp_nistp521.c
+++ b/src/lib/libcrypto/ec/ecp_nistp521.c
@@ -133,46 +133,50 @@ static const limb bottom58bits = 0x3ffffffffffffff;
133 133
134/* bin66_to_felem takes a little-endian byte array and converts it into felem 134/* bin66_to_felem takes a little-endian byte array and converts it into felem
135 * form. This assumes that the CPU is little-endian. */ 135 * form. This assumes that the CPU is little-endian. */
136static void bin66_to_felem(felem out, const u8 in[66]) 136static void
137 { 137bin66_to_felem(felem out, const u8 in[66])
138 out[0] = (*((limb*) &in[0])) & bottom58bits; 138{
139 out[1] = (*((limb*) &in[7]) >> 2) & bottom58bits; 139 out[0] = (*((limb *) & in[0])) & bottom58bits;
140 out[2] = (*((limb*) &in[14]) >> 4) & bottom58bits; 140 out[1] = (*((limb *) & in[7]) >> 2) & bottom58bits;
141 out[3] = (*((limb*) &in[21]) >> 6) & bottom58bits; 141 out[2] = (*((limb *) & in[14]) >> 4) & bottom58bits;
142 out[4] = (*((limb*) &in[29])) & bottom58bits; 142 out[3] = (*((limb *) & in[21]) >> 6) & bottom58bits;
143 out[5] = (*((limb*) &in[36]) >> 2) & bottom58bits; 143 out[4] = (*((limb *) & in[29])) & bottom58bits;
144 out[6] = (*((limb*) &in[43]) >> 4) & bottom58bits; 144 out[5] = (*((limb *) & in[36]) >> 2) & bottom58bits;
145 out[7] = (*((limb*) &in[50]) >> 6) & bottom58bits; 145 out[6] = (*((limb *) & in[43]) >> 4) & bottom58bits;
146 out[8] = (*((limb*) &in[58])) & bottom57bits; 146 out[7] = (*((limb *) & in[50]) >> 6) & bottom58bits;
147 } 147 out[8] = (*((limb *) & in[58])) & bottom57bits;
148}
148 149
149/* felem_to_bin66 takes an felem and serialises into a little endian, 66 byte 150/* felem_to_bin66 takes an felem and serialises into a little endian, 66 byte
150 * array. This assumes that the CPU is little-endian. */ 151 * array. This assumes that the CPU is little-endian. */
151static void felem_to_bin66(u8 out[66], const felem in) 152static void
152 { 153felem_to_bin66(u8 out[66], const felem in)
154{
153 memset(out, 0, 66); 155 memset(out, 0, 66);
154 (*((limb*) &out[0])) = in[0]; 156 (*((limb *) & out[0])) = in[0];
155 (*((limb*) &out[7])) |= in[1] << 2; 157 (*((limb *) & out[7])) |= in[1] << 2;
156 (*((limb*) &out[14])) |= in[2] << 4; 158 (*((limb *) & out[14])) |= in[2] << 4;
157 (*((limb*) &out[21])) |= in[3] << 6; 159 (*((limb *) & out[21])) |= in[3] << 6;
158 (*((limb*) &out[29])) = in[4]; 160 (*((limb *) & out[29])) = in[4];
159 (*((limb*) &out[36])) |= in[5] << 2; 161 (*((limb *) & out[36])) |= in[5] << 2;
160 (*((limb*) &out[43])) |= in[6] << 4; 162 (*((limb *) & out[43])) |= in[6] << 4;
161 (*((limb*) &out[50])) |= in[7] << 6; 163 (*((limb *) & out[50])) |= in[7] << 6;
162 (*((limb*) &out[58])) = in[8]; 164 (*((limb *) & out[58])) = in[8];
163 } 165}
164 166
165/* To preserve endianness when using BN_bn2bin and BN_bin2bn */ 167/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
166static void flip_endian(u8 *out, const u8 *in, unsigned len) 168static void
167 { 169flip_endian(u8 * out, const u8 * in, unsigned len)
170{
168 unsigned i; 171 unsigned i;
169 for (i = 0; i < len; ++i) 172 for (i = 0; i < len; ++i)
170 out[i] = in[len-1-i]; 173 out[i] = in[len - 1 - i];
171 } 174}
172 175
173/* BN_to_felem converts an OpenSSL BIGNUM into an felem */ 176/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
174static int BN_to_felem(felem out, const BIGNUM *bn) 177static int
175 { 178BN_to_felem(felem out, const BIGNUM * bn)
179{
176 felem_bytearray b_in; 180 felem_bytearray b_in;
177 felem_bytearray b_out; 181 felem_bytearray b_out;
178 unsigned num_bytes; 182 unsigned num_bytes;
@@ -180,37 +184,37 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
180 /* BN_bn2bin eats leading zeroes */ 184 /* BN_bn2bin eats leading zeroes */
181 memset(b_out, 0, sizeof b_out); 185 memset(b_out, 0, sizeof b_out);
182 num_bytes = BN_num_bytes(bn); 186 num_bytes = BN_num_bytes(bn);
183 if (num_bytes > sizeof b_out) 187 if (num_bytes > sizeof b_out) {
184 {
185 ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); 188 ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
186 return 0; 189 return 0;
187 } 190 }
188 if (BN_is_negative(bn)) 191 if (BN_is_negative(bn)) {
189 {
190 ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); 192 ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
191 return 0; 193 return 0;
192 } 194 }
193 num_bytes = BN_bn2bin(bn, b_in); 195 num_bytes = BN_bn2bin(bn, b_in);
194 flip_endian(b_out, b_in, num_bytes); 196 flip_endian(b_out, b_in, num_bytes);
195 bin66_to_felem(out, b_out); 197 bin66_to_felem(out, b_out);
196 return 1; 198 return 1;
197 } 199}
198 200
199/* felem_to_BN converts an felem into an OpenSSL BIGNUM */ 201/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
200static BIGNUM *felem_to_BN(BIGNUM *out, const felem in) 202static BIGNUM *
201 { 203felem_to_BN(BIGNUM * out, const felem in)
204{
202 felem_bytearray b_in, b_out; 205 felem_bytearray b_in, b_out;
203 felem_to_bin66(b_in, in); 206 felem_to_bin66(b_in, in);
204 flip_endian(b_out, b_in, sizeof b_out); 207 flip_endian(b_out, b_in, sizeof b_out);
205 return BN_bin2bn(b_out, sizeof b_out, out); 208 return BN_bin2bn(b_out, sizeof b_out, out);
206 } 209}
207 210
208 211
209/* Field operations 212/* Field operations
210 * ---------------- */ 213 * ---------------- */
211 214
212static void felem_one(felem out) 215static void
213 { 216felem_one(felem out)
217{
214 out[0] = 1; 218 out[0] = 1;
215 out[1] = 0; 219 out[1] = 0;
216 out[2] = 0; 220 out[2] = 0;
@@ -220,10 +224,11 @@ static void felem_one(felem out)
220 out[6] = 0; 224 out[6] = 0;
221 out[7] = 0; 225 out[7] = 0;
222 out[8] = 0; 226 out[8] = 0;
223 } 227}
224 228
225static void felem_assign(felem out, const felem in) 229static void
226 { 230felem_assign(felem out, const felem in)
231{
227 out[0] = in[0]; 232 out[0] = in[0];
228 out[1] = in[1]; 233 out[1] = in[1];
229 out[2] = in[2]; 234 out[2] = in[2];
@@ -233,11 +238,12 @@ static void felem_assign(felem out, const felem in)
233 out[6] = in[6]; 238 out[6] = in[6];
234 out[7] = in[7]; 239 out[7] = in[7];
235 out[8] = in[8]; 240 out[8] = in[8];
236 } 241}
237 242
238/* felem_sum64 sets out = out + in. */ 243/* felem_sum64 sets out = out + in. */
239static void felem_sum64(felem out, const felem in) 244static void
240 { 245felem_sum64(felem out, const felem in)
246{
241 out[0] += in[0]; 247 out[0] += in[0];
242 out[1] += in[1]; 248 out[1] += in[1];
243 out[2] += in[2]; 249 out[2] += in[2];
@@ -247,11 +253,12 @@ static void felem_sum64(felem out, const felem in)
247 out[6] += in[6]; 253 out[6] += in[6];
248 out[7] += in[7]; 254 out[7] += in[7];
249 out[8] += in[8]; 255 out[8] += in[8];
250 } 256}
251 257
252/* felem_scalar sets out = in * scalar */ 258/* felem_scalar sets out = in * scalar */
253static void felem_scalar(felem out, const felem in, limb scalar) 259static void
254 { 260felem_scalar(felem out, const felem in, limb scalar)
261{
255 out[0] = in[0] * scalar; 262 out[0] = in[0] * scalar;
256 out[1] = in[1] * scalar; 263 out[1] = in[1] * scalar;
257 out[2] = in[2] * scalar; 264 out[2] = in[2] * scalar;
@@ -261,11 +268,12 @@ static void felem_scalar(felem out, const felem in, limb scalar)
261 out[6] = in[6] * scalar; 268 out[6] = in[6] * scalar;
262 out[7] = in[7] * scalar; 269 out[7] = in[7] * scalar;
263 out[8] = in[8] * scalar; 270 out[8] = in[8] * scalar;
264 } 271}
265 272
266/* felem_scalar64 sets out = out * scalar */ 273/* felem_scalar64 sets out = out * scalar */
267static void felem_scalar64(felem out, limb scalar) 274static void
268 { 275felem_scalar64(felem out, limb scalar)
276{
269 out[0] *= scalar; 277 out[0] *= scalar;
270 out[1] *= scalar; 278 out[1] *= scalar;
271 out[2] *= scalar; 279 out[2] *= scalar;
@@ -275,11 +283,12 @@ static void felem_scalar64(felem out, limb scalar)
275 out[6] *= scalar; 283 out[6] *= scalar;
276 out[7] *= scalar; 284 out[7] *= scalar;
277 out[8] *= scalar; 285 out[8] *= scalar;
278 } 286}
279 287
280/* felem_scalar128 sets out = out * scalar */ 288/* felem_scalar128 sets out = out * scalar */
281static void felem_scalar128(largefelem out, limb scalar) 289static void
282 { 290felem_scalar128(largefelem out, limb scalar)
291{
283 out[0] *= scalar; 292 out[0] *= scalar;
284 out[1] *= scalar; 293 out[1] *= scalar;
285 out[2] *= scalar; 294 out[2] *= scalar;
@@ -289,7 +298,7 @@ static void felem_scalar128(largefelem out, limb scalar)
289 out[6] *= scalar; 298 out[6] *= scalar;
290 out[7] *= scalar; 299 out[7] *= scalar;
291 out[8] *= scalar; 300 out[8] *= scalar;
292 } 301}
293 302
294/* felem_neg sets |out| to |-in| 303/* felem_neg sets |out| to |-in|
295 * On entry: 304 * On entry:
@@ -297,11 +306,12 @@ static void felem_scalar128(largefelem out, limb scalar)
297 * On exit: 306 * On exit:
298 * out[i] < 2^62 307 * out[i] < 2^62
299 */ 308 */
300static void felem_neg(felem out, const felem in) 309static void
301 { 310felem_neg(felem out, const felem in)
311{
302 /* In order to prevent underflow, we subtract from 0 mod p. */ 312 /* In order to prevent underflow, we subtract from 0 mod p. */
303 static const limb two62m3 = (((limb)1) << 62) - (((limb)1) << 5); 313 static const limb two62m3 = (((limb) 1) << 62) - (((limb) 1) << 5);
304 static const limb two62m2 = (((limb)1) << 62) - (((limb)1) << 4); 314 static const limb two62m2 = (((limb) 1) << 62) - (((limb) 1) << 4);
305 315
306 out[0] = two62m3 - in[0]; 316 out[0] = two62m3 - in[0];
307 out[1] = two62m2 - in[1]; 317 out[1] = two62m2 - in[1];
@@ -312,7 +322,7 @@ static void felem_neg(felem out, const felem in)
312 out[6] = two62m2 - in[6]; 322 out[6] = two62m2 - in[6];
313 out[7] = two62m2 - in[7]; 323 out[7] = two62m2 - in[7];
314 out[8] = two62m2 - in[8]; 324 out[8] = two62m2 - in[8];
315 } 325}
316 326
317/* felem_diff64 subtracts |in| from |out| 327/* felem_diff64 subtracts |in| from |out|
318 * On entry: 328 * On entry:
@@ -320,11 +330,12 @@ static void felem_neg(felem out, const felem in)
320 * On exit: 330 * On exit:
321 * out[i] < out[i] + 2^62 331 * out[i] < out[i] + 2^62
322 */ 332 */
323static void felem_diff64(felem out, const felem in) 333static void
324 { 334felem_diff64(felem out, const felem in)
335{
325 /* In order to prevent underflow, we add 0 mod p before subtracting. */ 336 /* In order to prevent underflow, we add 0 mod p before subtracting. */
326 static const limb two62m3 = (((limb)1) << 62) - (((limb)1) << 5); 337 static const limb two62m3 = (((limb) 1) << 62) - (((limb) 1) << 5);
327 static const limb two62m2 = (((limb)1) << 62) - (((limb)1) << 4); 338 static const limb two62m2 = (((limb) 1) << 62) - (((limb) 1) << 4);
328 339
329 out[0] += two62m3 - in[0]; 340 out[0] += two62m3 - in[0];
330 out[1] += two62m2 - in[1]; 341 out[1] += two62m2 - in[1];
@@ -335,7 +346,7 @@ static void felem_diff64(felem out, const felem in)
335 out[6] += two62m2 - in[6]; 346 out[6] += two62m2 - in[6];
336 out[7] += two62m2 - in[7]; 347 out[7] += two62m2 - in[7];
337 out[8] += two62m2 - in[8]; 348 out[8] += two62m2 - in[8];
338 } 349}
339 350
340/* felem_diff_128_64 subtracts |in| from |out| 351/* felem_diff_128_64 subtracts |in| from |out|
341 * On entry: 352 * On entry:
@@ -343,11 +354,12 @@ static void felem_diff64(felem out, const felem in)
343 * On exit: 354 * On exit:
344 * out[i] < out[i] + 2^63 355 * out[i] < out[i] + 2^63
345 */ 356 */
346static void felem_diff_128_64(largefelem out, const felem in) 357static void
347 { 358felem_diff_128_64(largefelem out, const felem in)
359{
348 /* In order to prevent underflow, we add 0 mod p before subtracting. */ 360 /* In order to prevent underflow, we add 0 mod p before subtracting. */
349 static const limb two63m6 = (((limb)1) << 62) - (((limb)1) << 5); 361 static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5);
350 static const limb two63m5 = (((limb)1) << 62) - (((limb)1) << 4); 362 static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4);
351 363
352 out[0] += two63m6 - in[0]; 364 out[0] += two63m6 - in[0];
353 out[1] += two63m5 - in[1]; 365 out[1] += two63m5 - in[1];
@@ -358,7 +370,7 @@ static void felem_diff_128_64(largefelem out, const felem in)
358 out[6] += two63m5 - in[6]; 370 out[6] += two63m5 - in[6];
359 out[7] += two63m5 - in[7]; 371 out[7] += two63m5 - in[7];
360 out[8] += two63m5 - in[8]; 372 out[8] += two63m5 - in[8];
361 } 373}
362 374
363/* felem_diff_128_64 subtracts |in| from |out| 375/* felem_diff_128_64 subtracts |in| from |out|
364 * On entry: 376 * On entry:
@@ -366,11 +378,12 @@ static void felem_diff_128_64(largefelem out, const felem in)
366 * On exit: 378 * On exit:
367 * out[i] < out[i] + 2^127 - 2^69 379 * out[i] < out[i] + 2^127 - 2^69
368 */ 380 */
369static void felem_diff128(largefelem out, const largefelem in) 381static void
370 { 382felem_diff128(largefelem out, const largefelem in)
383{
371 /* In order to prevent underflow, we add 0 mod p before subtracting. */ 384 /* In order to prevent underflow, we add 0 mod p before subtracting. */
372 static const uint128_t two127m70 = (((uint128_t)1) << 127) - (((uint128_t)1) << 70); 385 static const uint128_t two127m70 = (((uint128_t) 1) << 127) - (((uint128_t) 1) << 70);
373 static const uint128_t two127m69 = (((uint128_t)1) << 127) - (((uint128_t)1) << 69); 386 static const uint128_t two127m69 = (((uint128_t) 1) << 127) - (((uint128_t) 1) << 69);
374 387
375 out[0] += (two127m70 - in[0]); 388 out[0] += (two127m70 - in[0]);
376 out[1] += (two127m69 - in[1]); 389 out[1] += (two127m69 - in[1]);
@@ -381,7 +394,7 @@ static void felem_diff128(largefelem out, const largefelem in)
381 out[6] += (two127m69 - in[6]); 394 out[6] += (two127m69 - in[6]);
382 out[7] += (two127m69 - in[7]); 395 out[7] += (two127m69 - in[7]);
383 out[8] += (two127m69 - in[8]); 396 out[8] += (two127m69 - in[8]);
384 } 397}
385 398
386/* felem_square sets |out| = |in|^2 399/* felem_square sets |out| = |in|^2
387 * On entry: 400 * On entry:
@@ -389,90 +402,92 @@ static void felem_diff128(largefelem out, const largefelem in)
389 * On exit: 402 * On exit:
390 * out[i] < 17 * max(in[i]) * max(in[i]) 403 * out[i] < 17 * max(in[i]) * max(in[i])
391 */ 404 */
392static void felem_square(largefelem out, const felem in) 405static void
393 { 406felem_square(largefelem out, const felem in)
407{
394 felem inx2, inx4; 408 felem inx2, inx4;
395 felem_scalar(inx2, in, 2); 409 felem_scalar(inx2, in, 2);
396 felem_scalar(inx4, in, 4); 410 felem_scalar(inx4, in, 4);
397 411
398 /* We have many cases were we want to do 412 /*
399 * in[x] * in[y] + 413 * We have many cases were we want to do in[x] * in[y] + in[y] *
400 * in[y] * in[x] 414 * in[x] This is obviously just 2 * in[x] * in[y] However, rather
401 * This is obviously just 415 * than do the doubling on the 128 bit result, we double one of the
402 * 2 * in[x] * in[y] 416 * inputs to the multiplication by reading from |inx2|
403 * However, rather than do the doubling on the 128 bit result, we 417 */
404 * double one of the inputs to the multiplication by reading from
405 * |inx2| */
406 418
407 out[0] = ((uint128_t) in[0]) * in[0]; 419 out[0] = ((uint128_t) in[0]) * in[0];
408 out[1] = ((uint128_t) in[0]) * inx2[1]; 420 out[1] = ((uint128_t) in[0]) * inx2[1];
409 out[2] = ((uint128_t) in[0]) * inx2[2] + 421 out[2] = ((uint128_t) in[0]) * inx2[2] +
410 ((uint128_t) in[1]) * in[1]; 422 ((uint128_t) in[1]) * in[1];
411 out[3] = ((uint128_t) in[0]) * inx2[3] + 423 out[3] = ((uint128_t) in[0]) * inx2[3] +
412 ((uint128_t) in[1]) * inx2[2]; 424 ((uint128_t) in[1]) * inx2[2];
413 out[4] = ((uint128_t) in[0]) * inx2[4] + 425 out[4] = ((uint128_t) in[0]) * inx2[4] +
414 ((uint128_t) in[1]) * inx2[3] + 426 ((uint128_t) in[1]) * inx2[3] +
415 ((uint128_t) in[2]) * in[2]; 427 ((uint128_t) in[2]) * in[2];
416 out[5] = ((uint128_t) in[0]) * inx2[5] + 428 out[5] = ((uint128_t) in[0]) * inx2[5] +
417 ((uint128_t) in[1]) * inx2[4] + 429 ((uint128_t) in[1]) * inx2[4] +
418 ((uint128_t) in[2]) * inx2[3]; 430 ((uint128_t) in[2]) * inx2[3];
419 out[6] = ((uint128_t) in[0]) * inx2[6] + 431 out[6] = ((uint128_t) in[0]) * inx2[6] +
420 ((uint128_t) in[1]) * inx2[5] + 432 ((uint128_t) in[1]) * inx2[5] +
421 ((uint128_t) in[2]) * inx2[4] + 433 ((uint128_t) in[2]) * inx2[4] +
422 ((uint128_t) in[3]) * in[3]; 434 ((uint128_t) in[3]) * in[3];
423 out[7] = ((uint128_t) in[0]) * inx2[7] + 435 out[7] = ((uint128_t) in[0]) * inx2[7] +
424 ((uint128_t) in[1]) * inx2[6] + 436 ((uint128_t) in[1]) * inx2[6] +
425 ((uint128_t) in[2]) * inx2[5] + 437 ((uint128_t) in[2]) * inx2[5] +
426 ((uint128_t) in[3]) * inx2[4]; 438 ((uint128_t) in[3]) * inx2[4];
427 out[8] = ((uint128_t) in[0]) * inx2[8] + 439 out[8] = ((uint128_t) in[0]) * inx2[8] +
428 ((uint128_t) in[1]) * inx2[7] + 440 ((uint128_t) in[1]) * inx2[7] +
429 ((uint128_t) in[2]) * inx2[6] + 441 ((uint128_t) in[2]) * inx2[6] +
430 ((uint128_t) in[3]) * inx2[5] + 442 ((uint128_t) in[3]) * inx2[5] +
431 ((uint128_t) in[4]) * in[4]; 443 ((uint128_t) in[4]) * in[4];
432 444
433 /* The remaining limbs fall above 2^521, with the first falling at 445 /*
446 * The remaining limbs fall above 2^521, with the first falling at
434 * 2^522. They correspond to locations one bit up from the limbs 447 * 2^522. They correspond to locations one bit up from the limbs
435 * produced above so we would have to multiply by two to align them. 448 * produced above so we would have to multiply by two to align them.
436 * Again, rather than operate on the 128-bit result, we double one of 449 * Again, rather than operate on the 128-bit result, we double one of
437 * the inputs to the multiplication. If we want to double for both this 450 * the inputs to the multiplication. If we want to double for both
438 * reason, and the reason above, then we end up multiplying by four. */ 451 * this reason, and the reason above, then we end up multiplying by
452 * four.
453 */
439 454
440 /* 9 */ 455 /* 9 */
441 out[0] += ((uint128_t) in[1]) * inx4[8] + 456 out[0] += ((uint128_t) in[1]) * inx4[8] +
442 ((uint128_t) in[2]) * inx4[7] + 457 ((uint128_t) in[2]) * inx4[7] +
443 ((uint128_t) in[3]) * inx4[6] + 458 ((uint128_t) in[3]) * inx4[6] +
444 ((uint128_t) in[4]) * inx4[5]; 459 ((uint128_t) in[4]) * inx4[5];
445 460
446 /* 10 */ 461 /* 10 */
447 out[1] += ((uint128_t) in[2]) * inx4[8] + 462 out[1] += ((uint128_t) in[2]) * inx4[8] +
448 ((uint128_t) in[3]) * inx4[7] + 463 ((uint128_t) in[3]) * inx4[7] +
449 ((uint128_t) in[4]) * inx4[6] + 464 ((uint128_t) in[4]) * inx4[6] +
450 ((uint128_t) in[5]) * inx2[5]; 465 ((uint128_t) in[5]) * inx2[5];
451 466
452 /* 11 */ 467 /* 11 */
453 out[2] += ((uint128_t) in[3]) * inx4[8] + 468 out[2] += ((uint128_t) in[3]) * inx4[8] +
454 ((uint128_t) in[4]) * inx4[7] + 469 ((uint128_t) in[4]) * inx4[7] +
455 ((uint128_t) in[5]) * inx4[6]; 470 ((uint128_t) in[5]) * inx4[6];
456 471
457 /* 12 */ 472 /* 12 */
458 out[3] += ((uint128_t) in[4]) * inx4[8] + 473 out[3] += ((uint128_t) in[4]) * inx4[8] +
459 ((uint128_t) in[5]) * inx4[7] + 474 ((uint128_t) in[5]) * inx4[7] +
460 ((uint128_t) in[6]) * inx2[6]; 475 ((uint128_t) in[6]) * inx2[6];
461 476
462 /* 13 */ 477 /* 13 */
463 out[4] += ((uint128_t) in[5]) * inx4[8] + 478 out[4] += ((uint128_t) in[5]) * inx4[8] +
464 ((uint128_t) in[6]) * inx4[7]; 479 ((uint128_t) in[6]) * inx4[7];
465 480
466 /* 14 */ 481 /* 14 */
467 out[5] += ((uint128_t) in[6]) * inx4[8] + 482 out[5] += ((uint128_t) in[6]) * inx4[8] +
468 ((uint128_t) in[7]) * inx2[7]; 483 ((uint128_t) in[7]) * inx2[7];
469 484
470 /* 15 */ 485 /* 15 */
471 out[6] += ((uint128_t) in[7]) * inx4[8]; 486 out[6] += ((uint128_t) in[7]) * inx4[8];
472 487
473 /* 16 */ 488 /* 16 */
474 out[7] += ((uint128_t) in[8]) * inx2[8]; 489 out[7] += ((uint128_t) in[8]) * inx2[8];
475 } 490}
476 491
477/* felem_mul sets |out| = |in1| * |in2| 492/* felem_mul sets |out| = |in1| * |in2|
478 * On entry: 493 * On entry:
@@ -481,111 +496,112 @@ static void felem_square(largefelem out, const felem in)
481 * On exit: 496 * On exit:
482 * out[i] < 17 * max(in1[i]) * max(in2[i]) 497 * out[i] < 17 * max(in1[i]) * max(in2[i])
483 */ 498 */
484static void felem_mul(largefelem out, const felem in1, const felem in2) 499static void
485 { 500felem_mul(largefelem out, const felem in1, const felem in2)
501{
486 felem in2x2; 502 felem in2x2;
487 felem_scalar(in2x2, in2, 2); 503 felem_scalar(in2x2, in2, 2);
488 504
489 out[0] = ((uint128_t) in1[0]) * in2[0]; 505 out[0] = ((uint128_t) in1[0]) * in2[0];
490 506
491 out[1] = ((uint128_t) in1[0]) * in2[1] + 507 out[1] = ((uint128_t) in1[0]) * in2[1] +
492 ((uint128_t) in1[1]) * in2[0]; 508 ((uint128_t) in1[1]) * in2[0];
493 509
494 out[2] = ((uint128_t) in1[0]) * in2[2] + 510 out[2] = ((uint128_t) in1[0]) * in2[2] +
495 ((uint128_t) in1[1]) * in2[1] + 511 ((uint128_t) in1[1]) * in2[1] +
496 ((uint128_t) in1[2]) * in2[0]; 512 ((uint128_t) in1[2]) * in2[0];
497 513
498 out[3] = ((uint128_t) in1[0]) * in2[3] + 514 out[3] = ((uint128_t) in1[0]) * in2[3] +
499 ((uint128_t) in1[1]) * in2[2] + 515 ((uint128_t) in1[1]) * in2[2] +
500 ((uint128_t) in1[2]) * in2[1] + 516 ((uint128_t) in1[2]) * in2[1] +
501 ((uint128_t) in1[3]) * in2[0]; 517 ((uint128_t) in1[3]) * in2[0];
502 518
503 out[4] = ((uint128_t) in1[0]) * in2[4] + 519 out[4] = ((uint128_t) in1[0]) * in2[4] +
504 ((uint128_t) in1[1]) * in2[3] + 520 ((uint128_t) in1[1]) * in2[3] +
505 ((uint128_t) in1[2]) * in2[2] + 521 ((uint128_t) in1[2]) * in2[2] +
506 ((uint128_t) in1[3]) * in2[1] + 522 ((uint128_t) in1[3]) * in2[1] +
507 ((uint128_t) in1[4]) * in2[0]; 523 ((uint128_t) in1[4]) * in2[0];
508 524
509 out[5] = ((uint128_t) in1[0]) * in2[5] + 525 out[5] = ((uint128_t) in1[0]) * in2[5] +
510 ((uint128_t) in1[1]) * in2[4] + 526 ((uint128_t) in1[1]) * in2[4] +
511 ((uint128_t) in1[2]) * in2[3] + 527 ((uint128_t) in1[2]) * in2[3] +
512 ((uint128_t) in1[3]) * in2[2] + 528 ((uint128_t) in1[3]) * in2[2] +
513 ((uint128_t) in1[4]) * in2[1] + 529 ((uint128_t) in1[4]) * in2[1] +
514 ((uint128_t) in1[5]) * in2[0]; 530 ((uint128_t) in1[5]) * in2[0];
515 531
516 out[6] = ((uint128_t) in1[0]) * in2[6] + 532 out[6] = ((uint128_t) in1[0]) * in2[6] +
517 ((uint128_t) in1[1]) * in2[5] + 533 ((uint128_t) in1[1]) * in2[5] +
518 ((uint128_t) in1[2]) * in2[4] + 534 ((uint128_t) in1[2]) * in2[4] +
519 ((uint128_t) in1[3]) * in2[3] + 535 ((uint128_t) in1[3]) * in2[3] +
520 ((uint128_t) in1[4]) * in2[2] + 536 ((uint128_t) in1[4]) * in2[2] +
521 ((uint128_t) in1[5]) * in2[1] + 537 ((uint128_t) in1[5]) * in2[1] +
522 ((uint128_t) in1[6]) * in2[0]; 538 ((uint128_t) in1[6]) * in2[0];
523 539
524 out[7] = ((uint128_t) in1[0]) * in2[7] + 540 out[7] = ((uint128_t) in1[0]) * in2[7] +
525 ((uint128_t) in1[1]) * in2[6] + 541 ((uint128_t) in1[1]) * in2[6] +
526 ((uint128_t) in1[2]) * in2[5] + 542 ((uint128_t) in1[2]) * in2[5] +
527 ((uint128_t) in1[3]) * in2[4] + 543 ((uint128_t) in1[3]) * in2[4] +
528 ((uint128_t) in1[4]) * in2[3] + 544 ((uint128_t) in1[4]) * in2[3] +
529 ((uint128_t) in1[5]) * in2[2] + 545 ((uint128_t) in1[5]) * in2[2] +
530 ((uint128_t) in1[6]) * in2[1] + 546 ((uint128_t) in1[6]) * in2[1] +
531 ((uint128_t) in1[7]) * in2[0]; 547 ((uint128_t) in1[7]) * in2[0];
532 548
533 out[8] = ((uint128_t) in1[0]) * in2[8] + 549 out[8] = ((uint128_t) in1[0]) * in2[8] +
534 ((uint128_t) in1[1]) * in2[7] + 550 ((uint128_t) in1[1]) * in2[7] +
535 ((uint128_t) in1[2]) * in2[6] + 551 ((uint128_t) in1[2]) * in2[6] +
536 ((uint128_t) in1[3]) * in2[5] + 552 ((uint128_t) in1[3]) * in2[5] +
537 ((uint128_t) in1[4]) * in2[4] + 553 ((uint128_t) in1[4]) * in2[4] +
538 ((uint128_t) in1[5]) * in2[3] + 554 ((uint128_t) in1[5]) * in2[3] +
539 ((uint128_t) in1[6]) * in2[2] + 555 ((uint128_t) in1[6]) * in2[2] +
540 ((uint128_t) in1[7]) * in2[1] + 556 ((uint128_t) in1[7]) * in2[1] +
541 ((uint128_t) in1[8]) * in2[0]; 557 ((uint128_t) in1[8]) * in2[0];
542 558
543 /* See comment in felem_square about the use of in2x2 here */ 559 /* See comment in felem_square about the use of in2x2 here */
544 560
545 out[0] += ((uint128_t) in1[1]) * in2x2[8] + 561 out[0] += ((uint128_t) in1[1]) * in2x2[8] +
546 ((uint128_t) in1[2]) * in2x2[7] + 562 ((uint128_t) in1[2]) * in2x2[7] +
547 ((uint128_t) in1[3]) * in2x2[6] + 563 ((uint128_t) in1[3]) * in2x2[6] +
548 ((uint128_t) in1[4]) * in2x2[5] + 564 ((uint128_t) in1[4]) * in2x2[5] +
549 ((uint128_t) in1[5]) * in2x2[4] + 565 ((uint128_t) in1[5]) * in2x2[4] +
550 ((uint128_t) in1[6]) * in2x2[3] + 566 ((uint128_t) in1[6]) * in2x2[3] +
551 ((uint128_t) in1[7]) * in2x2[2] + 567 ((uint128_t) in1[7]) * in2x2[2] +
552 ((uint128_t) in1[8]) * in2x2[1]; 568 ((uint128_t) in1[8]) * in2x2[1];
553 569
554 out[1] += ((uint128_t) in1[2]) * in2x2[8] + 570 out[1] += ((uint128_t) in1[2]) * in2x2[8] +
555 ((uint128_t) in1[3]) * in2x2[7] + 571 ((uint128_t) in1[3]) * in2x2[7] +
556 ((uint128_t) in1[4]) * in2x2[6] + 572 ((uint128_t) in1[4]) * in2x2[6] +
557 ((uint128_t) in1[5]) * in2x2[5] + 573 ((uint128_t) in1[5]) * in2x2[5] +
558 ((uint128_t) in1[6]) * in2x2[4] + 574 ((uint128_t) in1[6]) * in2x2[4] +
559 ((uint128_t) in1[7]) * in2x2[3] + 575 ((uint128_t) in1[7]) * in2x2[3] +
560 ((uint128_t) in1[8]) * in2x2[2]; 576 ((uint128_t) in1[8]) * in2x2[2];
561 577
562 out[2] += ((uint128_t) in1[3]) * in2x2[8] + 578 out[2] += ((uint128_t) in1[3]) * in2x2[8] +
563 ((uint128_t) in1[4]) * in2x2[7] + 579 ((uint128_t) in1[4]) * in2x2[7] +
564 ((uint128_t) in1[5]) * in2x2[6] + 580 ((uint128_t) in1[5]) * in2x2[6] +
565 ((uint128_t) in1[6]) * in2x2[5] + 581 ((uint128_t) in1[6]) * in2x2[5] +
566 ((uint128_t) in1[7]) * in2x2[4] + 582 ((uint128_t) in1[7]) * in2x2[4] +
567 ((uint128_t) in1[8]) * in2x2[3]; 583 ((uint128_t) in1[8]) * in2x2[3];
568 584
569 out[3] += ((uint128_t) in1[4]) * in2x2[8] + 585 out[3] += ((uint128_t) in1[4]) * in2x2[8] +
570 ((uint128_t) in1[5]) * in2x2[7] + 586 ((uint128_t) in1[5]) * in2x2[7] +
571 ((uint128_t) in1[6]) * in2x2[6] + 587 ((uint128_t) in1[6]) * in2x2[6] +
572 ((uint128_t) in1[7]) * in2x2[5] + 588 ((uint128_t) in1[7]) * in2x2[5] +
573 ((uint128_t) in1[8]) * in2x2[4]; 589 ((uint128_t) in1[8]) * in2x2[4];
574 590
575 out[4] += ((uint128_t) in1[5]) * in2x2[8] + 591 out[4] += ((uint128_t) in1[5]) * in2x2[8] +
576 ((uint128_t) in1[6]) * in2x2[7] + 592 ((uint128_t) in1[6]) * in2x2[7] +
577 ((uint128_t) in1[7]) * in2x2[6] + 593 ((uint128_t) in1[7]) * in2x2[6] +
578 ((uint128_t) in1[8]) * in2x2[5]; 594 ((uint128_t) in1[8]) * in2x2[5];
579 595
580 out[5] += ((uint128_t) in1[6]) * in2x2[8] + 596 out[5] += ((uint128_t) in1[6]) * in2x2[8] +
581 ((uint128_t) in1[7]) * in2x2[7] + 597 ((uint128_t) in1[7]) * in2x2[7] +
582 ((uint128_t) in1[8]) * in2x2[6]; 598 ((uint128_t) in1[8]) * in2x2[6];
583 599
584 out[6] += ((uint128_t) in1[7]) * in2x2[8] + 600 out[6] += ((uint128_t) in1[7]) * in2x2[8] +
585 ((uint128_t) in1[8]) * in2x2[7]; 601 ((uint128_t) in1[8]) * in2x2[7];
586 602
587 out[7] += ((uint128_t) in1[8]) * in2x2[8]; 603 out[7] += ((uint128_t) in1[8]) * in2x2[8];
588 } 604}
589 605
590static const limb bottom52bits = 0xfffffffffffff; 606static const limb bottom52bits = 0xfffffffffffff;
591 607
@@ -595,8 +611,9 @@ static const limb bottom52bits = 0xfffffffffffff;
595 * On exit: 611 * On exit:
596 * out[i] < 2^59 + 2^14 612 * out[i] < 2^59 + 2^14
597 */ 613 */
598static void felem_reduce(felem out, const largefelem in) 614static void
599 { 615felem_reduce(felem out, const largefelem in)
616{
600 u64 overflow1, overflow2; 617 u64 overflow1, overflow2;
601 618
602 out[0] = ((limb) in[0]) & bottom58bits; 619 out[0] = ((limb) in[0]) & bottom58bits;
@@ -613,8 +630,9 @@ static void felem_reduce(felem out, const largefelem in)
613 630
614 out[1] += ((limb) in[0]) >> 58; 631 out[1] += ((limb) in[0]) >> 58;
615 out[1] += (((limb) (in[0] >> 64)) & bottom52bits) << 6; 632 out[1] += (((limb) (in[0] >> 64)) & bottom52bits) << 6;
616 /* out[1] < 2^58 + 2^6 + 2^58 633 /*
617 * = 2^59 + 2^6 */ 634 * out[1] < 2^58 + 2^6 + 2^58 = 2^59 + 2^6
635 */
618 out[2] += ((limb) (in[0] >> 64)) >> 52; 636 out[2] += ((limb) (in[0] >> 64)) >> 52;
619 637
620 out[2] += ((limb) in[1]) >> 58; 638 out[2] += ((limb) in[1]) >> 58;
@@ -643,39 +661,43 @@ static void felem_reduce(felem out, const largefelem in)
643 661
644 out[8] += ((limb) in[7]) >> 58; 662 out[8] += ((limb) in[7]) >> 58;
645 out[8] += (((limb) (in[7] >> 64)) & bottom52bits) << 6; 663 out[8] += (((limb) (in[7] >> 64)) & bottom52bits) << 6;
646 /* out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12 664 /*
647 * < 2^59 + 2^13 */ 665 * out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12 < 2^59 + 2^13
666 */
648 overflow1 = ((limb) (in[7] >> 64)) >> 52; 667 overflow1 = ((limb) (in[7] >> 64)) >> 52;
649 668
650 overflow1 += ((limb) in[8]) >> 58; 669 overflow1 += ((limb) in[8]) >> 58;
651 overflow1 += (((limb) (in[8] >> 64)) & bottom52bits) << 6; 670 overflow1 += (((limb) (in[8] >> 64)) & bottom52bits) << 6;
652 overflow2 = ((limb) (in[8] >> 64)) >> 52; 671 overflow2 = ((limb) (in[8] >> 64)) >> 52;
653 672
654 overflow1 <<= 1; /* overflow1 < 2^13 + 2^7 + 2^59 */ 673 overflow1 <<= 1; /* overflow1 < 2^13 + 2^7 + 2^59 */
655 overflow2 <<= 1; /* overflow2 < 2^13 */ 674 overflow2 <<= 1; /* overflow2 < 2^13 */
656 675
657 out[0] += overflow1; /* out[0] < 2^60 */ 676 out[0] += overflow1; /* out[0] < 2^60 */
658 out[1] += overflow2; /* out[1] < 2^59 + 2^6 + 2^13 */ 677 out[1] += overflow2; /* out[1] < 2^59 + 2^6 + 2^13 */
659 678
660 out[1] += out[0] >> 58; out[0] &= bottom58bits; 679 out[1] += out[0] >> 58;
661 /* out[0] < 2^58 680 out[0] &= bottom58bits;
662 * out[1] < 2^59 + 2^6 + 2^13 + 2^2 681 /*
663 * < 2^59 + 2^14 */ 682 * out[0] < 2^58 out[1] < 2^59 + 2^6 + 2^13 + 2^2 < 2^59 + 2^14
664 } 683 */
684}
665 685
666static void felem_square_reduce(felem out, const felem in) 686static void
667 { 687felem_square_reduce(felem out, const felem in)
688{
668 largefelem tmp; 689 largefelem tmp;
669 felem_square(tmp, in); 690 felem_square(tmp, in);
670 felem_reduce(out, tmp); 691 felem_reduce(out, tmp);
671 } 692}
672 693
673static void felem_mul_reduce(felem out, const felem in1, const felem in2) 694static void
674 { 695felem_mul_reduce(felem out, const felem in1, const felem in2)
696{
675 largefelem tmp; 697 largefelem tmp;
676 felem_mul(tmp, in1, in2); 698 felem_mul(tmp, in1, in2);
677 felem_reduce(out, tmp); 699 felem_reduce(out, tmp);
678 } 700}
679 701
680/* felem_inv calculates |out| = |in|^{-1} 702/* felem_inv calculates |out| = |in|^{-1}
681 * 703 *
@@ -684,117 +706,153 @@ static void felem_mul_reduce(felem out, const felem in1, const felem in2)
684 * a^{p-1} = 1 (mod p) 706 * a^{p-1} = 1 (mod p)
685 * a^{p-2} = a^{-1} (mod p) 707 * a^{p-2} = a^{-1} (mod p)
686 */ 708 */
687static void felem_inv(felem out, const felem in) 709static void
688 { 710felem_inv(felem out, const felem in)
711{
689 felem ftmp, ftmp2, ftmp3, ftmp4; 712 felem ftmp, ftmp2, ftmp3, ftmp4;
690 largefelem tmp; 713 largefelem tmp;
691 unsigned i; 714 unsigned i;
692 715
693 felem_square(tmp, in); felem_reduce(ftmp, tmp); /* 2^1 */ 716 felem_square(tmp, in);
694 felem_mul(tmp, in, ftmp); felem_reduce(ftmp, tmp); /* 2^2 - 2^0 */ 717 felem_reduce(ftmp, tmp);/* 2^1 */
718 felem_mul(tmp, in, ftmp);
719 felem_reduce(ftmp, tmp);/* 2^2 - 2^0 */
695 felem_assign(ftmp2, ftmp); 720 felem_assign(ftmp2, ftmp);
696 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); /* 2^3 - 2^1 */ 721 felem_square(tmp, ftmp);
697 felem_mul(tmp, in, ftmp); felem_reduce(ftmp, tmp); /* 2^3 - 2^0 */ 722 felem_reduce(ftmp, tmp);/* 2^3 - 2^1 */
698 felem_square(tmp, ftmp); felem_reduce(ftmp, tmp); /* 2^4 - 2^1 */ 723 felem_mul(tmp, in, ftmp);
724 felem_reduce(ftmp, tmp);/* 2^3 - 2^0 */
725 felem_square(tmp, ftmp);
726 felem_reduce(ftmp, tmp);/* 2^4 - 2^1 */
699 727
700 felem_square(tmp, ftmp2); felem_reduce(ftmp3, tmp); /* 2^3 - 2^1 */ 728 felem_square(tmp, ftmp2);
701 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^4 - 2^2 */ 729 felem_reduce(ftmp3, tmp); /* 2^3 - 2^1 */
702 felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^4 - 2^0 */ 730 felem_square(tmp, ftmp3);
731 felem_reduce(ftmp3, tmp); /* 2^4 - 2^2 */
732 felem_mul(tmp, ftmp3, ftmp2);
733 felem_reduce(ftmp3, tmp); /* 2^4 - 2^0 */
703 734
704 felem_assign(ftmp2, ftmp3); 735 felem_assign(ftmp2, ftmp3);
705 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^5 - 2^1 */ 736 felem_square(tmp, ftmp3);
706 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^6 - 2^2 */ 737 felem_reduce(ftmp3, tmp); /* 2^5 - 2^1 */
707 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^7 - 2^3 */ 738 felem_square(tmp, ftmp3);
708 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^8 - 2^4 */ 739 felem_reduce(ftmp3, tmp); /* 2^6 - 2^2 */
740 felem_square(tmp, ftmp3);
741 felem_reduce(ftmp3, tmp); /* 2^7 - 2^3 */
742 felem_square(tmp, ftmp3);
743 felem_reduce(ftmp3, tmp); /* 2^8 - 2^4 */
709 felem_assign(ftmp4, ftmp3); 744 felem_assign(ftmp4, ftmp3);
710 felem_mul(tmp, ftmp3, ftmp); felem_reduce(ftmp4, tmp); /* 2^8 - 2^1 */ 745 felem_mul(tmp, ftmp3, ftmp);
711 felem_square(tmp, ftmp4); felem_reduce(ftmp4, tmp); /* 2^9 - 2^2 */ 746 felem_reduce(ftmp4, tmp); /* 2^8 - 2^1 */
712 felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^8 - 2^0 */ 747 felem_square(tmp, ftmp4);
748 felem_reduce(ftmp4, tmp); /* 2^9 - 2^2 */
749 felem_mul(tmp, ftmp3, ftmp2);
750 felem_reduce(ftmp3, tmp); /* 2^8 - 2^0 */
713 felem_assign(ftmp2, ftmp3); 751 felem_assign(ftmp2, ftmp3);
714 752
715 for (i = 0; i < 8; i++) 753 for (i = 0; i < 8; i++) {
716 { 754 felem_square(tmp, ftmp3);
717 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^16 - 2^8 */ 755 felem_reduce(ftmp3, tmp); /* 2^16 - 2^8 */
718 } 756 }
719 felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^16 - 2^0 */ 757 felem_mul(tmp, ftmp3, ftmp2);
758 felem_reduce(ftmp3, tmp); /* 2^16 - 2^0 */
720 felem_assign(ftmp2, ftmp3); 759 felem_assign(ftmp2, ftmp3);
721 760
722 for (i = 0; i < 16; i++) 761 for (i = 0; i < 16; i++) {
723 { 762 felem_square(tmp, ftmp3);
724 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^32 - 2^16 */ 763 felem_reduce(ftmp3, tmp); /* 2^32 - 2^16 */
725 } 764 }
726 felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^32 - 2^0 */ 765 felem_mul(tmp, ftmp3, ftmp2);
766 felem_reduce(ftmp3, tmp); /* 2^32 - 2^0 */
727 felem_assign(ftmp2, ftmp3); 767 felem_assign(ftmp2, ftmp3);
728 768
729 for (i = 0; i < 32; i++) 769 for (i = 0; i < 32; i++) {
730 { 770 felem_square(tmp, ftmp3);
731 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^64 - 2^32 */ 771 felem_reduce(ftmp3, tmp); /* 2^64 - 2^32 */
732 } 772 }
733 felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^64 - 2^0 */ 773 felem_mul(tmp, ftmp3, ftmp2);
774 felem_reduce(ftmp3, tmp); /* 2^64 - 2^0 */
734 felem_assign(ftmp2, ftmp3); 775 felem_assign(ftmp2, ftmp3);
735 776
736 for (i = 0; i < 64; i++) 777 for (i = 0; i < 64; i++) {
737 { 778 felem_square(tmp, ftmp3);
738 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^128 - 2^64 */ 779 felem_reduce(ftmp3, tmp); /* 2^128 - 2^64 */
739 } 780 }
740 felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^128 - 2^0 */ 781 felem_mul(tmp, ftmp3, ftmp2);
782 felem_reduce(ftmp3, tmp); /* 2^128 - 2^0 */
741 felem_assign(ftmp2, ftmp3); 783 felem_assign(ftmp2, ftmp3);
742 784
743 for (i = 0; i < 128; i++) 785 for (i = 0; i < 128; i++) {
744 { 786 felem_square(tmp, ftmp3);
745 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^256 - 2^128 */ 787 felem_reduce(ftmp3, tmp); /* 2^256 - 2^128 */
746 } 788 }
747 felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^256 - 2^0 */ 789 felem_mul(tmp, ftmp3, ftmp2);
790 felem_reduce(ftmp3, tmp); /* 2^256 - 2^0 */
748 felem_assign(ftmp2, ftmp3); 791 felem_assign(ftmp2, ftmp3);
749 792
750 for (i = 0; i < 256; i++) 793 for (i = 0; i < 256; i++) {
751 { 794 felem_square(tmp, ftmp3);
752 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^512 - 2^256 */ 795 felem_reduce(ftmp3, tmp); /* 2^512 - 2^256 */
753 } 796 }
754 felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^512 - 2^0 */ 797 felem_mul(tmp, ftmp3, ftmp2);
798 felem_reduce(ftmp3, tmp); /* 2^512 - 2^0 */
755 799
756 for (i = 0; i < 9; i++) 800 for (i = 0; i < 9; i++) {
757 { 801 felem_square(tmp, ftmp3);
758 felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^521 - 2^9 */ 802 felem_reduce(ftmp3, tmp); /* 2^521 - 2^9 */
759 } 803 }
760 felem_mul(tmp, ftmp3, ftmp4); felem_reduce(ftmp3, tmp); /* 2^512 - 2^2 */ 804 felem_mul(tmp, ftmp3, ftmp4);
761 felem_mul(tmp, ftmp3, in); felem_reduce(out, tmp); /* 2^512 - 3 */ 805 felem_reduce(ftmp3, tmp); /* 2^512 - 2^2 */
806 felem_mul(tmp, ftmp3, in);
807 felem_reduce(out, tmp); /* 2^512 - 3 */
762} 808}
763 809
764/* This is 2^521-1, expressed as an felem */ 810/* This is 2^521-1, expressed as an felem */
765static const felem kPrime = 811static const felem kPrime =
766 { 812{
767 0x03ffffffffffffff, 0x03ffffffffffffff, 0x03ffffffffffffff, 813 0x03ffffffffffffff, 0x03ffffffffffffff, 0x03ffffffffffffff,
768 0x03ffffffffffffff, 0x03ffffffffffffff, 0x03ffffffffffffff, 814 0x03ffffffffffffff, 0x03ffffffffffffff, 0x03ffffffffffffff,
769 0x03ffffffffffffff, 0x03ffffffffffffff, 0x01ffffffffffffff 815 0x03ffffffffffffff, 0x03ffffffffffffff, 0x01ffffffffffffff
770 }; 816};
771 817
772/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0 818/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
773 * otherwise. 819 * otherwise.
774 * On entry: 820 * On entry:
775 * in[i] < 2^59 + 2^14 821 * in[i] < 2^59 + 2^14
776 */ 822 */
777static limb felem_is_zero(const felem in) 823static limb
778 { 824felem_is_zero(const felem in)
825{
779 felem ftmp; 826 felem ftmp;
780 limb is_zero, is_p; 827 limb is_zero, is_p;
781 felem_assign(ftmp, in); 828 felem_assign(ftmp, in);
782 829
783 ftmp[0] += ftmp[8] >> 57; ftmp[8] &= bottom57bits; 830 ftmp[0] += ftmp[8] >> 57;
831 ftmp[8] &= bottom57bits;
784 /* ftmp[8] < 2^57 */ 832 /* ftmp[8] < 2^57 */
785 ftmp[1] += ftmp[0] >> 58; ftmp[0] &= bottom58bits; 833 ftmp[1] += ftmp[0] >> 58;
786 ftmp[2] += ftmp[1] >> 58; ftmp[1] &= bottom58bits; 834 ftmp[0] &= bottom58bits;
787 ftmp[3] += ftmp[2] >> 58; ftmp[2] &= bottom58bits; 835 ftmp[2] += ftmp[1] >> 58;
788 ftmp[4] += ftmp[3] >> 58; ftmp[3] &= bottom58bits; 836 ftmp[1] &= bottom58bits;
789 ftmp[5] += ftmp[4] >> 58; ftmp[4] &= bottom58bits; 837 ftmp[3] += ftmp[2] >> 58;
790 ftmp[6] += ftmp[5] >> 58; ftmp[5] &= bottom58bits; 838 ftmp[2] &= bottom58bits;
791 ftmp[7] += ftmp[6] >> 58; ftmp[6] &= bottom58bits; 839 ftmp[4] += ftmp[3] >> 58;
792 ftmp[8] += ftmp[7] >> 58; ftmp[7] &= bottom58bits; 840 ftmp[3] &= bottom58bits;
841 ftmp[5] += ftmp[4] >> 58;
842 ftmp[4] &= bottom58bits;
843 ftmp[6] += ftmp[5] >> 58;
844 ftmp[5] &= bottom58bits;
845 ftmp[7] += ftmp[6] >> 58;
846 ftmp[6] &= bottom58bits;
847 ftmp[8] += ftmp[7] >> 58;
848 ftmp[7] &= bottom58bits;
793 /* ftmp[8] < 2^57 + 4 */ 849 /* ftmp[8] < 2^57 + 4 */
794 850
795 /* The ninth limb of 2*(2^521-1) is 0x03ffffffffffffff, which is 851 /*
796 * greater than our bound for ftmp[8]. Therefore we only have to check 852 * The ninth limb of 2*(2^521-1) is 0x03ffffffffffffff, which is
797 * if the zero is zero or 2^521-1. */ 853 * greater than our bound for ftmp[8]. Therefore we only have to
854 * check if the zero is zero or 2^521-1.
855 */
798 856
799 is_zero = 0; 857 is_zero = 0;
800 is_zero |= ftmp[0]; 858 is_zero |= ftmp[0];
@@ -808,8 +866,10 @@ static limb felem_is_zero(const felem in)
808 is_zero |= ftmp[8]; 866 is_zero |= ftmp[8];
809 867
810 is_zero--; 868 is_zero--;
811 /* We know that ftmp[i] < 2^63, therefore the only way that the top bit 869 /*
812 * can be set is if is_zero was 0 before the decrement. */ 870 * We know that ftmp[i] < 2^63, therefore the only way that the top
871 * bit can be set is if is_zero was 0 before the decrement.
872 */
813 is_zero = ((s64) is_zero) >> 63; 873 is_zero = ((s64) is_zero) >> 63;
814 874
815 is_p = ftmp[0] ^ kPrime[0]; 875 is_p = ftmp[0] ^ kPrime[0];
@@ -827,41 +887,57 @@ static limb felem_is_zero(const felem in)
827 887
828 is_zero |= is_p; 888 is_zero |= is_p;
829 return is_zero; 889 return is_zero;
830 } 890}
831 891
832static int felem_is_zero_int(const felem in) 892static int
833 { 893felem_is_zero_int(const felem in)
834 return (int) (felem_is_zero(in) & ((limb)1)); 894{
835 } 895 return (int) (felem_is_zero(in) & ((limb) 1));
896}
836 897
837/* felem_contract converts |in| to its unique, minimal representation. 898/* felem_contract converts |in| to its unique, minimal representation.
838 * On entry: 899 * On entry:
839 * in[i] < 2^59 + 2^14 900 * in[i] < 2^59 + 2^14
840 */ 901 */
841static void felem_contract(felem out, const felem in) 902static void
842 { 903felem_contract(felem out, const felem in)
904{
843 limb is_p, is_greater, sign; 905 limb is_p, is_greater, sign;
844 static const limb two58 = ((limb)1) << 58; 906 static const limb two58 = ((limb) 1) << 58;
845 907
846 felem_assign(out, in); 908 felem_assign(out, in);
847 909
848 out[0] += out[8] >> 57; out[8] &= bottom57bits; 910 out[0] += out[8] >> 57;
911 out[8] &= bottom57bits;
849 /* out[8] < 2^57 */ 912 /* out[8] < 2^57 */
850 out[1] += out[0] >> 58; out[0] &= bottom58bits; 913 out[1] += out[0] >> 58;
851 out[2] += out[1] >> 58; out[1] &= bottom58bits; 914 out[0] &= bottom58bits;
852 out[3] += out[2] >> 58; out[2] &= bottom58bits; 915 out[2] += out[1] >> 58;
853 out[4] += out[3] >> 58; out[3] &= bottom58bits; 916 out[1] &= bottom58bits;
854 out[5] += out[4] >> 58; out[4] &= bottom58bits; 917 out[3] += out[2] >> 58;
855 out[6] += out[5] >> 58; out[5] &= bottom58bits; 918 out[2] &= bottom58bits;
856 out[7] += out[6] >> 58; out[6] &= bottom58bits; 919 out[4] += out[3] >> 58;
857 out[8] += out[7] >> 58; out[7] &= bottom58bits; 920 out[3] &= bottom58bits;
921 out[5] += out[4] >> 58;
922 out[4] &= bottom58bits;
923 out[6] += out[5] >> 58;
924 out[5] &= bottom58bits;
925 out[7] += out[6] >> 58;
926 out[6] &= bottom58bits;
927 out[8] += out[7] >> 58;
928 out[7] &= bottom58bits;
858 /* out[8] < 2^57 + 4 */ 929 /* out[8] < 2^57 + 4 */
859 930
860 /* If the value is greater than 2^521-1 then we have to subtract 931 /*
932 * If the value is greater than 2^521-1 then we have to subtract
861 * 2^521-1 out. See the comments in felem_is_zero regarding why we 933 * 2^521-1 out. See the comments in felem_is_zero regarding why we
862 * don't test for other multiples of the prime. */ 934 * don't test for other multiples of the prime.
935 */
863 936
864 /* First, if |out| is equal to 2^521-1, we subtract it out to get zero. */ 937 /*
938 * First, if |out| is equal to 2^521-1, we subtract it out to get
939 * zero.
940 */
865 941
866 is_p = out[0] ^ kPrime[0]; 942 is_p = out[0] ^ kPrime[0];
867 is_p |= out[1] ^ kPrime[1]; 943 is_p |= out[1] ^ kPrime[1];
@@ -895,8 +971,10 @@ static void felem_contract(felem out, const felem in)
895 out[7] &= is_p; 971 out[7] &= is_p;
896 out[8] &= is_p; 972 out[8] &= is_p;
897 973
898 /* In order to test that |out| >= 2^521-1 we need only test if out[8] 974 /*
899 * >> 57 is greater than zero as (2^521-1) + x >= 2^522 */ 975 * In order to test that |out| >= 2^521-1 we need only test if out[8]
976 * >> 57 is greater than zero as (2^521-1) + x >= 2^522
977 */
900 is_greater = out[8] >> 57; 978 is_greater = out[8] >> 57;
901 is_greater |= is_greater << 32; 979 is_greater |= is_greater << 32;
902 is_greater |= is_greater << 16; 980 is_greater |= is_greater << 16;
@@ -917,18 +995,40 @@ static void felem_contract(felem out, const felem in)
917 out[8] -= kPrime[8] & is_greater; 995 out[8] -= kPrime[8] & is_greater;
918 996
919 /* Eliminate negative coefficients */ 997 /* Eliminate negative coefficients */
920 sign = -(out[0] >> 63); out[0] += (two58 & sign); out[1] -= (1 & sign); 998 sign = -(out[0] >> 63);
921 sign = -(out[1] >> 63); out[1] += (two58 & sign); out[2] -= (1 & sign); 999 out[0] += (two58 & sign);
922 sign = -(out[2] >> 63); out[2] += (two58 & sign); out[3] -= (1 & sign); 1000 out[1] -= (1 & sign);
923 sign = -(out[3] >> 63); out[3] += (two58 & sign); out[4] -= (1 & sign); 1001 sign = -(out[1] >> 63);
924 sign = -(out[4] >> 63); out[4] += (two58 & sign); out[5] -= (1 & sign); 1002 out[1] += (two58 & sign);
925 sign = -(out[0] >> 63); out[5] += (two58 & sign); out[6] -= (1 & sign); 1003 out[2] -= (1 & sign);
926 sign = -(out[6] >> 63); out[6] += (two58 & sign); out[7] -= (1 & sign); 1004 sign = -(out[2] >> 63);
927 sign = -(out[7] >> 63); out[7] += (two58 & sign); out[8] -= (1 & sign); 1005 out[2] += (two58 & sign);
928 sign = -(out[5] >> 63); out[5] += (two58 & sign); out[6] -= (1 & sign); 1006 out[3] -= (1 & sign);
929 sign = -(out[6] >> 63); out[6] += (two58 & sign); out[7] -= (1 & sign); 1007 sign = -(out[3] >> 63);
930 sign = -(out[7] >> 63); out[7] += (two58 & sign); out[8] -= (1 & sign); 1008 out[3] += (two58 & sign);
931 } 1009 out[4] -= (1 & sign);
1010 sign = -(out[4] >> 63);
1011 out[4] += (two58 & sign);
1012 out[5] -= (1 & sign);
1013 sign = -(out[0] >> 63);
1014 out[5] += (two58 & sign);
1015 out[6] -= (1 & sign);
1016 sign = -(out[6] >> 63);
1017 out[6] += (two58 & sign);
1018 out[7] -= (1 & sign);
1019 sign = -(out[7] >> 63);
1020 out[7] += (two58 & sign);
1021 out[8] -= (1 & sign);
1022 sign = -(out[5] >> 63);
1023 out[5] += (two58 & sign);
1024 out[6] -= (1 & sign);
1025 sign = -(out[6] >> 63);
1026 out[6] += (two58 & sign);
1027 out[7] -= (1 & sign);
1028 sign = -(out[7] >> 63);
1029 out[7] += (two58 & sign);
1030 out[8] -= (1 & sign);
1031}
932 1032
933/* Group operations 1033/* Group operations
934 * ---------------- 1034 * ----------------
@@ -946,8 +1046,8 @@ static void felem_contract(felem out, const felem in)
946 * while x_out == y_in is not (maybe this works, but it's not tested). */ 1046 * while x_out == y_in is not (maybe this works, but it's not tested). */
947static void 1047static void
948point_double(felem x_out, felem y_out, felem z_out, 1048point_double(felem x_out, felem y_out, felem z_out,
949 const felem x_in, const felem y_in, const felem z_in) 1049 const felem x_in, const felem y_in, const felem z_in)
950 { 1050{
951 largefelem tmp, tmp2; 1051 largefelem tmp, tmp2;
952 felem delta, gamma, beta, alpha, ftmp, ftmp2; 1052 felem delta, gamma, beta, alpha, ftmp, ftmp2;
953 1053
@@ -956,15 +1056,15 @@ point_double(felem x_out, felem y_out, felem z_out,
956 1056
957 /* delta = z^2 */ 1057 /* delta = z^2 */
958 felem_square(tmp, z_in); 1058 felem_square(tmp, z_in);
959 felem_reduce(delta, tmp); /* delta[i] < 2^59 + 2^14 */ 1059 felem_reduce(delta, tmp); /* delta[i] < 2^59 + 2^14 */
960 1060
961 /* gamma = y^2 */ 1061 /* gamma = y^2 */
962 felem_square(tmp, y_in); 1062 felem_square(tmp, y_in);
963 felem_reduce(gamma, tmp); /* gamma[i] < 2^59 + 2^14 */ 1063 felem_reduce(gamma, tmp); /* gamma[i] < 2^59 + 2^14 */
964 1064
965 /* beta = x*gamma */ 1065 /* beta = x*gamma */
966 felem_mul(tmp, x_in, gamma); 1066 felem_mul(tmp, x_in, gamma);
967 felem_reduce(beta, tmp); /* beta[i] < 2^59 + 2^14 */ 1067 felem_reduce(beta, tmp);/* beta[i] < 2^59 + 2^14 */
968 1068
969 /* alpha = 3*(x-delta)*(x+delta) */ 1069 /* alpha = 3*(x-delta)*(x+delta) */
970 felem_diff64(ftmp, delta); 1070 felem_diff64(ftmp, delta);
@@ -974,17 +1074,17 @@ point_double(felem x_out, felem y_out, felem z_out,
974 felem_scalar64(ftmp2, 3); 1074 felem_scalar64(ftmp2, 3);
975 /* ftmp2[i] < 3*2^60 + 3*2^15 */ 1075 /* ftmp2[i] < 3*2^60 + 3*2^15 */
976 felem_mul(tmp, ftmp, ftmp2); 1076 felem_mul(tmp, ftmp, ftmp2);
977 /* tmp[i] < 17(3*2^121 + 3*2^76) 1077 /*
978 * = 61*2^121 + 61*2^76 1078 * tmp[i] < 17(3*2^121 + 3*2^76) = 61*2^121 + 61*2^76 < 64*2^121 +
979 * < 64*2^121 + 64*2^76 1079 * 64*2^76 = 2^127 + 2^82 < 2^128
980 * = 2^127 + 2^82 1080 */
981 * < 2^128 */
982 felem_reduce(alpha, tmp); 1081 felem_reduce(alpha, tmp);
983 1082
984 /* x' = alpha^2 - 8*beta */ 1083 /* x' = alpha^2 - 8*beta */
985 felem_square(tmp, alpha); 1084 felem_square(tmp, alpha);
986 /* tmp[i] < 17*2^120 1085 /*
987 * < 2^125 */ 1086 * tmp[i] < 17*2^120 < 2^125
1087 */
988 felem_assign(ftmp, beta); 1088 felem_assign(ftmp, beta);
989 felem_scalar64(ftmp, 8); 1089 felem_scalar64(ftmp, 8);
990 /* ftmp[i] < 2^62 + 2^17 */ 1090 /* ftmp[i] < 2^62 + 2^17 */
@@ -999,8 +1099,9 @@ point_double(felem x_out, felem y_out, felem z_out,
999 felem_sum64(ftmp, z_in); 1099 felem_sum64(ftmp, z_in);
1000 /* ftmp[i] < 2^60 + 2^15 */ 1100 /* ftmp[i] < 2^60 + 2^15 */
1001 felem_square(tmp, ftmp); 1101 felem_square(tmp, ftmp);
1002 /* tmp[i] < 17(2^122) 1102 /*
1003 * < 2^127 */ 1103 * tmp[i] < 17(2^122) < 2^127
1104 */
1004 felem_diff_128_64(tmp, delta); 1105 felem_diff_128_64(tmp, delta);
1005 /* tmp[i] < 2^127 + 2^63 */ 1106 /* tmp[i] < 2^127 + 2^63 */
1006 felem_reduce(z_out, tmp); 1107 felem_reduce(z_out, tmp);
@@ -1011,36 +1112,39 @@ point_double(felem x_out, felem y_out, felem z_out,
1011 felem_diff64(beta, x_out); 1112 felem_diff64(beta, x_out);
1012 /* beta[i] < 2^61 + 2^60 + 2^16 */ 1113 /* beta[i] < 2^61 + 2^60 + 2^16 */
1013 felem_mul(tmp, alpha, beta); 1114 felem_mul(tmp, alpha, beta);
1014 /* tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16)) 1115 /*
1015 * = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30) 1116 * tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16)) = 17*(2^120 + 2^75
1016 * = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30) 1117 * + 2^119 + 2^74 + 2^75 + 2^30) = 17*(2^120 + 2^119 + 2^76 + 2^74 +
1017 * < 2^128 */ 1118 * 2^30) < 2^128
1119 */
1018 felem_square(tmp2, gamma); 1120 felem_square(tmp2, gamma);
1019 /* tmp2[i] < 17*(2^59 + 2^14)^2 1121 /*
1020 * = 17*(2^118 + 2^74 + 2^28) */ 1122 * tmp2[i] < 17*(2^59 + 2^14)^2 = 17*(2^118 + 2^74 + 2^28)
1123 */
1021 felem_scalar128(tmp2, 8); 1124 felem_scalar128(tmp2, 8);
1022 /* tmp2[i] < 8*17*(2^118 + 2^74 + 2^28) 1125 /*
1023 * = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31 1126 * tmp2[i] < 8*17*(2^118 + 2^74 + 2^28) = 2^125 + 2^121 + 2^81 + 2^77
1024 * < 2^126 */ 1127 * + 2^35 + 2^31 < 2^126
1128 */
1025 felem_diff128(tmp, tmp2); 1129 felem_diff128(tmp, tmp2);
1026 /* tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30) 1130 /*
1027 * = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 + 1131 * tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30) =
1028 * 2^74 + 2^69 + 2^34 + 2^30 1132 * 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 + 2^74
1029 * < 2^128 */ 1133 * + 2^69 + 2^34 + 2^30 < 2^128
1134 */
1030 felem_reduce(y_out, tmp); 1135 felem_reduce(y_out, tmp);
1031 } 1136}
1032 1137
1033/* copy_conditional copies in to out iff mask is all ones. */ 1138/* copy_conditional copies in to out iff mask is all ones. */
1034static void 1139static void
1035copy_conditional(felem out, const felem in, limb mask) 1140copy_conditional(felem out, const felem in, limb mask)
1036 { 1141{
1037 unsigned i; 1142 unsigned i;
1038 for (i = 0; i < NLIMBS; ++i) 1143 for (i = 0; i < NLIMBS; ++i) {
1039 {
1040 const limb tmp = mask & (in[i] ^ out[i]); 1144 const limb tmp = mask & (in[i] ^ out[i]);
1041 out[i] ^= tmp; 1145 out[i] ^= tmp;
1042 }
1043 } 1146 }
1147}
1044 1148
1045/* point_add calcuates (x1, y1, z1) + (x2, y2, z2) 1149/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
1046 * 1150 *
@@ -1052,10 +1156,11 @@ copy_conditional(felem out, const felem in, limb mask)
1052 * are equal (while not equal to the point at infinity). This case never 1156 * are equal (while not equal to the point at infinity). This case never
1053 * happens during single point multiplication, so there is no timing leak for 1157 * happens during single point multiplication, so there is no timing leak for
1054 * ECDH or ECDSA signing. */ 1158 * ECDH or ECDSA signing. */
1055static void point_add(felem x3, felem y3, felem z3, 1159static void
1056 const felem x1, const felem y1, const felem z1, 1160point_add(felem x3, felem y3, felem z3,
1057 const int mixed, const felem x2, const felem y2, const felem z2) 1161 const felem x1, const felem y1, const felem z1,
1058 { 1162 const int mixed, const felem x2, const felem y2, const felem z2)
1163{
1059 felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out; 1164 felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out;
1060 largefelem tmp, tmp2; 1165 largefelem tmp, tmp2;
1061 limb x_equal, y_equal, z1_is_zero, z2_is_zero; 1166 limb x_equal, y_equal, z1_is_zero, z2_is_zero;
@@ -1067,8 +1172,7 @@ static void point_add(felem x3, felem y3, felem z3,
1067 felem_square(tmp, z1); 1172 felem_square(tmp, z1);
1068 felem_reduce(ftmp, tmp); 1173 felem_reduce(ftmp, tmp);
1069 1174
1070 if (!mixed) 1175 if (!mixed) {
1071 {
1072 /* ftmp2 = z2z2 = z2**2 */ 1176 /* ftmp2 = z2z2 = z2**2 */
1073 felem_square(tmp, z2); 1177 felem_square(tmp, z2);
1074 felem_reduce(ftmp2, tmp); 1178 felem_reduce(ftmp2, tmp);
@@ -1098,9 +1202,7 @@ static void point_add(felem x3, felem y3, felem z3,
1098 /* s1 = ftmp6 = y1 * z2**3 */ 1202 /* s1 = ftmp6 = y1 * z2**3 */
1099 felem_mul(tmp, y1, ftmp2); 1203 felem_mul(tmp, y1, ftmp2);
1100 felem_reduce(ftmp6, tmp); 1204 felem_reduce(ftmp6, tmp);
1101 } 1205 } else {
1102 else
1103 {
1104 /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */ 1206 /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */
1105 1207
1106 /* u1 = ftmp3 = x1*z2z2 */ 1208 /* u1 = ftmp3 = x1*z2z2 */
@@ -1111,7 +1213,7 @@ static void point_add(felem x3, felem y3, felem z3,
1111 1213
1112 /* s1 = ftmp6 = y1 * z2**3 */ 1214 /* s1 = ftmp6 = y1 * z2**3 */
1113 felem_assign(ftmp6, y1); 1215 felem_assign(ftmp6, y1);
1114 } 1216 }
1115 1217
1116 /* u2 = x2*z1z1 */ 1218 /* u2 = x2*z1z1 */
1117 felem_mul(tmp, x2, ftmp); 1219 felem_mul(tmp, x2, ftmp);
@@ -1144,12 +1246,10 @@ static void point_add(felem x3, felem y3, felem z3,
1144 felem_scalar64(ftmp5, 2); 1246 felem_scalar64(ftmp5, 2);
1145 /* ftmp5[i] < 2^61 */ 1247 /* ftmp5[i] < 2^61 */
1146 1248
1147 if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) 1249 if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) {
1148 {
1149 point_double(x3, y3, z3, x1, y1, z1); 1250 point_double(x3, y3, z3, x1, y1, z1);
1150 return; 1251 return;
1151 } 1252 }
1152
1153 /* I = ftmp = (2h)**2 */ 1253 /* I = ftmp = (2h)**2 */
1154 felem_assign(ftmp, ftmp4); 1254 felem_assign(ftmp, ftmp4);
1155 felem_scalar64(ftmp, 2); 1255 felem_scalar64(ftmp, 2);
@@ -1180,8 +1280,9 @@ static void point_add(felem x3, felem y3, felem z3,
1180 1280
1181 /* y_out = r(V-x_out) - 2 * s1 * J */ 1281 /* y_out = r(V-x_out) - 2 * s1 * J */
1182 felem_diff64(ftmp3, x_out); 1282 felem_diff64(ftmp3, x_out);
1183 /* ftmp3[i] < 2^60 + 2^60 1283 /*
1184 * = 2^61 */ 1284 * ftmp3[i] < 2^60 + 2^60 = 2^61
1285 */
1185 felem_mul(tmp, ftmp5, ftmp3); 1286 felem_mul(tmp, ftmp5, ftmp3);
1186 /* tmp[i] < 17*2^122 */ 1287 /* tmp[i] < 17*2^122 */
1187 felem_mul(tmp2, ftmp6, ftmp2); 1288 felem_mul(tmp2, ftmp6, ftmp2);
@@ -1189,9 +1290,10 @@ static void point_add(felem x3, felem y3, felem z3,
1189 felem_scalar128(tmp2, 2); 1290 felem_scalar128(tmp2, 2);
1190 /* tmp2[i] < 17*2^121 */ 1291 /* tmp2[i] < 17*2^121 */
1191 felem_diff128(tmp, tmp2); 1292 felem_diff128(tmp, tmp2);
1192 /* tmp[i] < 2^127 - 2^69 + 17*2^122 1293 /*
1193 * = 2^126 - 2^122 - 2^6 - 2^2 - 1 1294 * tmp[i] < 2^127 - 2^69 + 17*2^122 = 2^126 - 2^122 - 2^6 - 2^2 - 1 <
1194 * < 2^127 */ 1295 * 2^127
1296 */
1195 felem_reduce(y_out, tmp); 1297 felem_reduce(y_out, tmp);
1196 1298
1197 copy_conditional(x_out, x2, z1_is_zero); 1299 copy_conditional(x_out, x2, z1_is_zero);
@@ -1203,7 +1305,7 @@ static void point_add(felem x3, felem y3, felem z3,
1203 felem_assign(x3, x_out); 1305 felem_assign(x3, x_out);
1204 felem_assign(y3, y_out); 1306 felem_assign(y3, y_out);
1205 felem_assign(z3, z_out); 1307 felem_assign(z3, z_out);
1206 } 1308}
1207 1309
1208/* Base point pre computation 1310/* Base point pre computation
1209 * -------------------------- 1311 * --------------------------
@@ -1240,126 +1342,126 @@ static void point_add(felem x3, felem y3, felem z3,
1240 1342
1241/* gmul is the table of precomputed base points */ 1343/* gmul is the table of precomputed base points */
1242static const felem gmul[16][3] = 1344static const felem gmul[16][3] =
1243 {{{0, 0, 0, 0, 0, 0, 0, 0, 0}, 1345{{{0, 0, 0, 0, 0, 0, 0, 0, 0},
1244 {0, 0, 0, 0, 0, 0, 0, 0, 0}, 1346{0, 0, 0, 0, 0, 0, 0, 0, 0},
1245 {0, 0, 0, 0, 0, 0, 0, 0, 0}}, 1347{0, 0, 0, 0, 0, 0, 0, 0, 0}},
1246 {{0x017e7e31c2e5bd66, 0x022cf0615a90a6fe, 0x00127a2ffa8de334, 1348{{0x017e7e31c2e5bd66, 0x022cf0615a90a6fe, 0x00127a2ffa8de334,
1247 0x01dfbf9d64a3f877, 0x006b4d3dbaa14b5e, 0x014fed487e0a2bd8, 1349 0x01dfbf9d64a3f877, 0x006b4d3dbaa14b5e, 0x014fed487e0a2bd8,
1248 0x015b4429c6481390, 0x03a73678fb2d988e, 0x00c6858e06b70404}, 13500x015b4429c6481390, 0x03a73678fb2d988e, 0x00c6858e06b70404},
1249 {0x00be94769fd16650, 0x031c21a89cb09022, 0x039013fad0761353, 1351{0x00be94769fd16650, 0x031c21a89cb09022, 0x039013fad0761353,
1250 0x02657bd099031542, 0x03273e662c97ee72, 0x01e6d11a05ebef45, 1352 0x02657bd099031542, 0x03273e662c97ee72, 0x01e6d11a05ebef45,
1251 0x03d1bd998f544495, 0x03001172297ed0b1, 0x011839296a789a3b}, 13530x03d1bd998f544495, 0x03001172297ed0b1, 0x011839296a789a3b},
1252 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1354{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1253 {{0x0373faacbc875bae, 0x00f325023721c671, 0x00f666fd3dbde5ad, 1355{{0x0373faacbc875bae, 0x00f325023721c671, 0x00f666fd3dbde5ad,
1254 0x01a6932363f88ea7, 0x01fc6d9e13f9c47b, 0x03bcbffc2bbf734e, 1356 0x01a6932363f88ea7, 0x01fc6d9e13f9c47b, 0x03bcbffc2bbf734e,
1255 0x013ee3c3647f3a92, 0x029409fefe75d07d, 0x00ef9199963d85e5}, 13570x013ee3c3647f3a92, 0x029409fefe75d07d, 0x00ef9199963d85e5},
1256 {0x011173743ad5b178, 0x02499c7c21bf7d46, 0x035beaeabb8b1a58, 1358{0x011173743ad5b178, 0x02499c7c21bf7d46, 0x035beaeabb8b1a58,
1257 0x00f989c4752ea0a3, 0x0101e1de48a9c1a3, 0x01a20076be28ba6c, 1359 0x00f989c4752ea0a3, 0x0101e1de48a9c1a3, 0x01a20076be28ba6c,
1258 0x02f8052e5eb2de95, 0x01bfe8f82dea117c, 0x0160074d3c36ddb7}, 13600x02f8052e5eb2de95, 0x01bfe8f82dea117c, 0x0160074d3c36ddb7},
1259 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1361{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1260 {{0x012f3fc373393b3b, 0x03d3d6172f1419fa, 0x02adc943c0b86873, 1362{{0x012f3fc373393b3b, 0x03d3d6172f1419fa, 0x02adc943c0b86873,
1261 0x00d475584177952b, 0x012a4d1673750ee2, 0x00512517a0f13b0c, 1363 0x00d475584177952b, 0x012a4d1673750ee2, 0x00512517a0f13b0c,
1262 0x02b184671a7b1734, 0x0315b84236f1a50a, 0x00a4afc472edbdb9}, 13640x02b184671a7b1734, 0x0315b84236f1a50a, 0x00a4afc472edbdb9},
1263 {0x00152a7077f385c4, 0x03044007d8d1c2ee, 0x0065829d61d52b52, 1365{0x00152a7077f385c4, 0x03044007d8d1c2ee, 0x0065829d61d52b52,
1264 0x00494ff6b6631d0d, 0x00a11d94d5f06bcf, 0x02d2f89474d9282e, 1366 0x00494ff6b6631d0d, 0x00a11d94d5f06bcf, 0x02d2f89474d9282e,
1265 0x0241c5727c06eeb9, 0x0386928710fbdb9d, 0x01f883f727b0dfbe}, 13670x0241c5727c06eeb9, 0x0386928710fbdb9d, 0x01f883f727b0dfbe},
1266 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1368{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1267 {{0x019b0c3c9185544d, 0x006243a37c9d97db, 0x02ee3cbe030a2ad2, 1369{{0x019b0c3c9185544d, 0x006243a37c9d97db, 0x02ee3cbe030a2ad2,
1268 0x00cfdd946bb51e0d, 0x0271c00932606b91, 0x03f817d1ec68c561, 1370 0x00cfdd946bb51e0d, 0x0271c00932606b91, 0x03f817d1ec68c561,
1269 0x03f37009806a369c, 0x03c1f30baf184fd5, 0x01091022d6d2f065}, 13710x03f37009806a369c, 0x03c1f30baf184fd5, 0x01091022d6d2f065},
1270 {0x0292c583514c45ed, 0x0316fca51f9a286c, 0x00300af507c1489a, 1372{0x0292c583514c45ed, 0x0316fca51f9a286c, 0x00300af507c1489a,
1271 0x0295f69008298cf1, 0x02c0ed8274943d7b, 0x016509b9b47a431e, 1373 0x0295f69008298cf1, 0x02c0ed8274943d7b, 0x016509b9b47a431e,
1272 0x02bc9de9634868ce, 0x005b34929bffcb09, 0x000c1a0121681524}, 13740x02bc9de9634868ce, 0x005b34929bffcb09, 0x000c1a0121681524},
1273 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1375{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1274 {{0x0286abc0292fb9f2, 0x02665eee9805b3f7, 0x01ed7455f17f26d6, 1376{{0x0286abc0292fb9f2, 0x02665eee9805b3f7, 0x01ed7455f17f26d6,
1275 0x0346355b83175d13, 0x006284944cd0a097, 0x0191895bcdec5e51, 1377 0x0346355b83175d13, 0x006284944cd0a097, 0x0191895bcdec5e51,
1276 0x02e288370afda7d9, 0x03b22312bfefa67a, 0x01d104d3fc0613fe}, 13780x02e288370afda7d9, 0x03b22312bfefa67a, 0x01d104d3fc0613fe},
1277 {0x0092421a12f7e47f, 0x0077a83fa373c501, 0x03bd25c5f696bd0d, 1379{0x0092421a12f7e47f, 0x0077a83fa373c501, 0x03bd25c5f696bd0d,
1278 0x035c41e4d5459761, 0x01ca0d1742b24f53, 0x00aaab27863a509c, 1380 0x035c41e4d5459761, 0x01ca0d1742b24f53, 0x00aaab27863a509c,
1279 0x018b6de47df73917, 0x025c0b771705cd01, 0x01fd51d566d760a7}, 13810x018b6de47df73917, 0x025c0b771705cd01, 0x01fd51d566d760a7},
1280 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1382{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1281 {{0x01dd92ff6b0d1dbd, 0x039c5e2e8f8afa69, 0x0261ed13242c3b27, 1383{{0x01dd92ff6b0d1dbd, 0x039c5e2e8f8afa69, 0x0261ed13242c3b27,
1282 0x0382c6e67026e6a0, 0x01d60b10be2089f9, 0x03c15f3dce86723f, 1384 0x0382c6e67026e6a0, 0x01d60b10be2089f9, 0x03c15f3dce86723f,
1283 0x03c764a32d2a062d, 0x017307eac0fad056, 0x018207c0b96c5256}, 13850x03c764a32d2a062d, 0x017307eac0fad056, 0x018207c0b96c5256},
1284 {0x0196a16d60e13154, 0x03e6ce74c0267030, 0x00ddbf2b4e52a5aa, 1386{0x0196a16d60e13154, 0x03e6ce74c0267030, 0x00ddbf2b4e52a5aa,
1285 0x012738241bbf31c8, 0x00ebe8dc04685a28, 0x024c2ad6d380d4a2, 1387 0x012738241bbf31c8, 0x00ebe8dc04685a28, 0x024c2ad6d380d4a2,
1286 0x035ee062a6e62d0e, 0x0029ed74af7d3a0f, 0x00eef32aec142ebd}, 13880x035ee062a6e62d0e, 0x0029ed74af7d3a0f, 0x00eef32aec142ebd},
1287 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1389{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1288 {{0x00c31ec398993b39, 0x03a9f45bcda68253, 0x00ac733c24c70890, 1390{{0x00c31ec398993b39, 0x03a9f45bcda68253, 0x00ac733c24c70890,
1289 0x00872b111401ff01, 0x01d178c23195eafb, 0x03bca2c816b87f74, 1391 0x00872b111401ff01, 0x01d178c23195eafb, 0x03bca2c816b87f74,
1290 0x0261a9af46fbad7a, 0x0324b2a8dd3d28f9, 0x00918121d8f24e23}, 13920x0261a9af46fbad7a, 0x0324b2a8dd3d28f9, 0x00918121d8f24e23},
1291 {0x032bc8c1ca983cd7, 0x00d869dfb08fc8c6, 0x01693cb61fce1516, 1393{0x032bc8c1ca983cd7, 0x00d869dfb08fc8c6, 0x01693cb61fce1516,
1292 0x012a5ea68f4e88a8, 0x010869cab88d7ae3, 0x009081ad277ceee1, 1394 0x012a5ea68f4e88a8, 0x010869cab88d7ae3, 0x009081ad277ceee1,
1293 0x033a77166d064cdc, 0x03955235a1fb3a95, 0x01251a4a9b25b65e}, 13950x033a77166d064cdc, 0x03955235a1fb3a95, 0x01251a4a9b25b65e},
1294 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1396{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1295 {{0x00148a3a1b27f40b, 0x0123186df1b31fdc, 0x00026e7beaad34ce, 1397{{0x00148a3a1b27f40b, 0x0123186df1b31fdc, 0x00026e7beaad34ce,
1296 0x01db446ac1d3dbba, 0x0299c1a33437eaec, 0x024540610183cbb7, 1398 0x01db446ac1d3dbba, 0x0299c1a33437eaec, 0x024540610183cbb7,
1297 0x0173bb0e9ce92e46, 0x02b937e43921214b, 0x01ab0436a9bf01b5}, 13990x0173bb0e9ce92e46, 0x02b937e43921214b, 0x01ab0436a9bf01b5},
1298 {0x0383381640d46948, 0x008dacbf0e7f330f, 0x03602122bcc3f318, 1400{0x0383381640d46948, 0x008dacbf0e7f330f, 0x03602122bcc3f318,
1299 0x01ee596b200620d6, 0x03bd0585fda430b3, 0x014aed77fd123a83, 1401 0x01ee596b200620d6, 0x03bd0585fda430b3, 0x014aed77fd123a83,
1300 0x005ace749e52f742, 0x0390fe041da2b842, 0x0189a8ceb3299242}, 14020x005ace749e52f742, 0x0390fe041da2b842, 0x0189a8ceb3299242},
1301 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1403{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1302 {{0x012a19d6b3282473, 0x00c0915918b423ce, 0x023a954eb94405ae, 1404{{0x012a19d6b3282473, 0x00c0915918b423ce, 0x023a954eb94405ae,
1303 0x00529f692be26158, 0x0289fa1b6fa4b2aa, 0x0198ae4ceea346ef, 1405 0x00529f692be26158, 0x0289fa1b6fa4b2aa, 0x0198ae4ceea346ef,
1304 0x0047d8cdfbdedd49, 0x00cc8c8953f0f6b8, 0x001424abbff49203}, 14060x0047d8cdfbdedd49, 0x00cc8c8953f0f6b8, 0x001424abbff49203},
1305 {0x0256732a1115a03a, 0x0351bc38665c6733, 0x03f7b950fb4a6447, 1407{0x0256732a1115a03a, 0x0351bc38665c6733, 0x03f7b950fb4a6447,
1306 0x000afffa94c22155, 0x025763d0a4dab540, 0x000511e92d4fc283, 1408 0x000afffa94c22155, 0x025763d0a4dab540, 0x000511e92d4fc283,
1307 0x030a7e9eda0ee96c, 0x004c3cd93a28bf0a, 0x017edb3a8719217f}, 14090x030a7e9eda0ee96c, 0x004c3cd93a28bf0a, 0x017edb3a8719217f},
1308 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1410{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1309 {{0x011de5675a88e673, 0x031d7d0f5e567fbe, 0x0016b2062c970ae5, 1411{{0x011de5675a88e673, 0x031d7d0f5e567fbe, 0x0016b2062c970ae5,
1310 0x03f4a2be49d90aa7, 0x03cef0bd13822866, 0x03f0923dcf774a6c, 1412 0x03f4a2be49d90aa7, 0x03cef0bd13822866, 0x03f0923dcf774a6c,
1311 0x0284bebc4f322f72, 0x016ab2645302bb2c, 0x01793f95dace0e2a}, 14130x0284bebc4f322f72, 0x016ab2645302bb2c, 0x01793f95dace0e2a},
1312 {0x010646e13527a28f, 0x01ca1babd59dc5e7, 0x01afedfd9a5595df, 1414{0x010646e13527a28f, 0x01ca1babd59dc5e7, 0x01afedfd9a5595df,
1313 0x01f15785212ea6b1, 0x0324e5d64f6ae3f4, 0x02d680f526d00645, 1415 0x01f15785212ea6b1, 0x0324e5d64f6ae3f4, 0x02d680f526d00645,
1314 0x0127920fadf627a7, 0x03b383f75df4f684, 0x0089e0057e783b0a}, 14160x0127920fadf627a7, 0x03b383f75df4f684, 0x0089e0057e783b0a},
1315 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1417{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1316 {{0x00f334b9eb3c26c6, 0x0298fdaa98568dce, 0x01c2d24843a82292, 1418{{0x00f334b9eb3c26c6, 0x0298fdaa98568dce, 0x01c2d24843a82292,
1317 0x020bcb24fa1b0711, 0x02cbdb3d2b1875e6, 0x0014907598f89422, 1419 0x020bcb24fa1b0711, 0x02cbdb3d2b1875e6, 0x0014907598f89422,
1318 0x03abe3aa43b26664, 0x02cbf47f720bc168, 0x0133b5e73014b79b}, 14200x03abe3aa43b26664, 0x02cbf47f720bc168, 0x0133b5e73014b79b},
1319 {0x034aab5dab05779d, 0x00cdc5d71fee9abb, 0x0399f16bd4bd9d30, 1421{0x034aab5dab05779d, 0x00cdc5d71fee9abb, 0x0399f16bd4bd9d30,
1320 0x03582fa592d82647, 0x02be1cdfb775b0e9, 0x0034f7cea32e94cb, 1422 0x03582fa592d82647, 0x02be1cdfb775b0e9, 0x0034f7cea32e94cb,
1321 0x0335a7f08f56f286, 0x03b707e9565d1c8b, 0x0015c946ea5b614f}, 14230x0335a7f08f56f286, 0x03b707e9565d1c8b, 0x0015c946ea5b614f},
1322 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1424{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1323 {{0x024676f6cff72255, 0x00d14625cac96378, 0x00532b6008bc3767, 1425{{0x024676f6cff72255, 0x00d14625cac96378, 0x00532b6008bc3767,
1324 0x01fc16721b985322, 0x023355ea1b091668, 0x029de7afdc0317c3, 1426 0x01fc16721b985322, 0x023355ea1b091668, 0x029de7afdc0317c3,
1325 0x02fc8a7ca2da037c, 0x02de1217d74a6f30, 0x013f7173175b73bf}, 14270x02fc8a7ca2da037c, 0x02de1217d74a6f30, 0x013f7173175b73bf},
1326 {0x0344913f441490b5, 0x0200f9e272b61eca, 0x0258a246b1dd55d2, 1428{0x0344913f441490b5, 0x0200f9e272b61eca, 0x0258a246b1dd55d2,
1327 0x03753db9ea496f36, 0x025e02937a09c5ef, 0x030cbd3d14012692, 1429 0x03753db9ea496f36, 0x025e02937a09c5ef, 0x030cbd3d14012692,
1328 0x01793a67e70dc72a, 0x03ec1d37048a662e, 0x006550f700c32a8d}, 14300x01793a67e70dc72a, 0x03ec1d37048a662e, 0x006550f700c32a8d},
1329 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1431{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1330 {{0x00d3f48a347eba27, 0x008e636649b61bd8, 0x00d3b93716778fb3, 1432{{0x00d3f48a347eba27, 0x008e636649b61bd8, 0x00d3b93716778fb3,
1331 0x004d1915757bd209, 0x019d5311a3da44e0, 0x016d1afcbbe6aade, 1433 0x004d1915757bd209, 0x019d5311a3da44e0, 0x016d1afcbbe6aade,
1332 0x0241bf5f73265616, 0x0384672e5d50d39b, 0x005009fee522b684}, 14340x0241bf5f73265616, 0x0384672e5d50d39b, 0x005009fee522b684},
1333 {0x029b4fab064435fe, 0x018868ee095bbb07, 0x01ea3d6936cc92b8, 1435{0x029b4fab064435fe, 0x018868ee095bbb07, 0x01ea3d6936cc92b8,
1334 0x000608b00f78a2f3, 0x02db911073d1c20f, 0x018205938470100a, 1436 0x000608b00f78a2f3, 0x02db911073d1c20f, 0x018205938470100a,
1335 0x01f1e4964cbe6ff2, 0x021a19a29eed4663, 0x01414485f42afa81}, 14370x01f1e4964cbe6ff2, 0x021a19a29eed4663, 0x01414485f42afa81},
1336 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1438{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1337 {{0x01612b3a17f63e34, 0x03813992885428e6, 0x022b3c215b5a9608, 1439{{0x01612b3a17f63e34, 0x03813992885428e6, 0x022b3c215b5a9608,
1338 0x029b4057e19f2fcb, 0x0384059a587af7e6, 0x02d6400ace6fe610, 1440 0x029b4057e19f2fcb, 0x0384059a587af7e6, 0x02d6400ace6fe610,
1339 0x029354d896e8e331, 0x00c047ee6dfba65e, 0x0037720542e9d49d}, 14410x029354d896e8e331, 0x00c047ee6dfba65e, 0x0037720542e9d49d},
1340 {0x02ce9eed7c5e9278, 0x0374ed703e79643b, 0x01316c54c4072006, 1442{0x02ce9eed7c5e9278, 0x0374ed703e79643b, 0x01316c54c4072006,
1341 0x005aaa09054b2ee8, 0x002824000c840d57, 0x03d4eba24771ed86, 1443 0x005aaa09054b2ee8, 0x002824000c840d57, 0x03d4eba24771ed86,
1342 0x0189c50aabc3bdae, 0x0338c01541e15510, 0x00466d56e38eed42}, 14440x0189c50aabc3bdae, 0x0338c01541e15510, 0x00466d56e38eed42},
1343 {1, 0, 0, 0, 0, 0, 0, 0, 0}}, 1445{1, 0, 0, 0, 0, 0, 0, 0, 0}},
1344 {{0x007efd8330ad8bd6, 0x02465ed48047710b, 0x0034c6606b215e0c, 1446{{0x007efd8330ad8bd6, 0x02465ed48047710b, 0x0034c6606b215e0c,
1345 0x016ae30c53cbf839, 0x01fa17bd37161216, 0x018ead4e61ce8ab9, 1447 0x016ae30c53cbf839, 0x01fa17bd37161216, 0x018ead4e61ce8ab9,
1346 0x005482ed5f5dee46, 0x037543755bba1d7f, 0x005e5ac7e70a9d0f}, 14480x005482ed5f5dee46, 0x037543755bba1d7f, 0x005e5ac7e70a9d0f},
1347 {0x0117e1bb2fdcb2a2, 0x03deea36249f40c4, 0x028d09b4a6246cb7, 1449{0x0117e1bb2fdcb2a2, 0x03deea36249f40c4, 0x028d09b4a6246cb7,
1348 0x03524b8855bcf756, 0x023d7d109d5ceb58, 0x0178e43e3223ef9c, 1450 0x03524b8855bcf756, 0x023d7d109d5ceb58, 0x0178e43e3223ef9c,
1349 0x0154536a0c6e966a, 0x037964d1286ee9fe, 0x0199bcd90e125055}, 14510x0154536a0c6e966a, 0x037964d1286ee9fe, 0x0199bcd90e125055},
1350 {1, 0, 0, 0, 0, 0, 0, 0, 0}}}; 1452{1, 0, 0, 0, 0, 0, 0, 0, 0}}};
1351 1453
1352/* select_point selects the |idx|th point from a precomputation table and 1454/* select_point selects the |idx|th point from a precomputation table and
1353 * copies it to out. */ 1455 * copies it to out. */
1354static void select_point(const limb idx, unsigned int size, const felem pre_comp[/* size */][3], 1456static void
1355 felem out[3]) 1457select_point(const limb idx, unsigned int size, const felem pre_comp[ /* size */ ][3],
1356 { 1458 felem out[3])
1459{
1357 unsigned i, j; 1460 unsigned i, j;
1358 limb *outlimbs = &out[0][0]; 1461 limb *outlimbs = &out[0][0];
1359 memset(outlimbs, 0, 3 * sizeof(felem)); 1462 memset(outlimbs, 0, 3 * sizeof(felem));
1360 1463
1361 for (i = 0; i < size; i++) 1464 for (i = 0; i < size; i++) {
1362 {
1363 const limb *inlimbs = &pre_comp[i][0][0]; 1465 const limb *inlimbs = &pre_comp[i][0][0];
1364 limb mask = i ^ idx; 1466 limb mask = i ^ idx;
1365 mask |= mask >> 4; 1467 mask |= mask >> 4;
@@ -1369,26 +1471,28 @@ static void select_point(const limb idx, unsigned int size, const felem pre_comp
1369 mask--; 1471 mask--;
1370 for (j = 0; j < NLIMBS * 3; j++) 1472 for (j = 0; j < NLIMBS * 3; j++)
1371 outlimbs[j] |= inlimbs[j] & mask; 1473 outlimbs[j] |= inlimbs[j] & mask;
1372 }
1373 } 1474 }
1475}
1374 1476
1375/* get_bit returns the |i|th bit in |in| */ 1477/* get_bit returns the |i|th bit in |in| */
1376static char get_bit(const felem_bytearray in, int i) 1478static char
1377 { 1479get_bit(const felem_bytearray in, int i)
1480{
1378 if (i < 0) 1481 if (i < 0)
1379 return 0; 1482 return 0;
1380 return (in[i >> 3] >> (i & 7)) & 1; 1483 return (in[i >> 3] >> (i & 7)) & 1;
1381 } 1484}
1382 1485
1383/* Interleaved point multiplication using precomputed point multiples: 1486/* Interleaved point multiplication using precomputed point multiples:
1384 * The small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[], 1487 * The small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[],
1385 * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple 1488 * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple
1386 * of the generator, using certain (large) precomputed multiples in g_pre_comp. 1489 * of the generator, using certain (large) precomputed multiples in g_pre_comp.
1387 * Output point (X, Y, Z) is stored in x_out, y_out, z_out */ 1490 * Output point (X, Y, Z) is stored in x_out, y_out, z_out */
1388static void batch_mul(felem x_out, felem y_out, felem z_out, 1491static void
1389 const felem_bytearray scalars[], const unsigned num_points, const u8 *g_scalar, 1492batch_mul(felem x_out, felem y_out, felem z_out,
1390 const int mixed, const felem pre_comp[][17][3], const felem g_pre_comp[16][3]) 1493 const felem_bytearray scalars[], const unsigned num_points, const u8 * g_scalar,
1391 { 1494 const int mixed, const felem pre_comp[][17][3], const felem g_pre_comp[16][3])
1495{
1392 int i, skip; 1496 int i, skip;
1393 unsigned num, gen_mul = (g_scalar != NULL); 1497 unsigned num, gen_mul = (g_scalar != NULL);
1394 felem nq[3], tmp[4]; 1498 felem nq[3], tmp[4];
@@ -1398,48 +1502,41 @@ static void batch_mul(felem x_out, felem y_out, felem z_out,
1398 /* set nq to the point at infinity */ 1502 /* set nq to the point at infinity */
1399 memset(nq, 0, 3 * sizeof(felem)); 1503 memset(nq, 0, 3 * sizeof(felem));
1400 1504
1401 /* Loop over all scalars msb-to-lsb, interleaving additions 1505 /*
1402 * of multiples of the generator (last quarter of rounds) 1506 * Loop over all scalars msb-to-lsb, interleaving additions of
1403 * and additions of other points multiples (every 5th round). 1507 * multiples of the generator (last quarter of rounds) and additions
1508 * of other points multiples (every 5th round).
1404 */ 1509 */
1405 skip = 1; /* save two point operations in the first round */ 1510 skip = 1; /* save two point operations in the first
1406 for (i = (num_points ? 520 : 130); i >= 0; --i) 1511 * round */
1407 { 1512 for (i = (num_points ? 520 : 130); i >= 0; --i) {
1408 /* double */ 1513 /* double */
1409 if (!skip) 1514 if (!skip)
1410 point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]); 1515 point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
1411 1516
1412 /* add multiples of the generator */ 1517 /* add multiples of the generator */
1413 if (gen_mul && (i <= 130)) 1518 if (gen_mul && (i <= 130)) {
1414 {
1415 bits = get_bit(g_scalar, i + 390) << 3; 1519 bits = get_bit(g_scalar, i + 390) << 3;
1416 if (i < 130) 1520 if (i < 130) {
1417 {
1418 bits |= get_bit(g_scalar, i + 260) << 2; 1521 bits |= get_bit(g_scalar, i + 260) << 2;
1419 bits |= get_bit(g_scalar, i + 130) << 1; 1522 bits |= get_bit(g_scalar, i + 130) << 1;
1420 bits |= get_bit(g_scalar, i); 1523 bits |= get_bit(g_scalar, i);
1421 } 1524 }
1422 /* select the point to add, in constant time */ 1525 /* select the point to add, in constant time */
1423 select_point(bits, 16, g_pre_comp, tmp); 1526 select_point(bits, 16, g_pre_comp, tmp);
1424 if (!skip) 1527 if (!skip) {
1425 {
1426 point_add(nq[0], nq[1], nq[2], 1528 point_add(nq[0], nq[1], nq[2],
1427 nq[0], nq[1], nq[2], 1529 nq[0], nq[1], nq[2],
1428 1 /* mixed */, tmp[0], tmp[1], tmp[2]); 1530 1 /* mixed */ , tmp[0], tmp[1], tmp[2]);
1429 } 1531 } else {
1430 else
1431 {
1432 memcpy(nq, tmp, 3 * sizeof(felem)); 1532 memcpy(nq, tmp, 3 * sizeof(felem));
1433 skip = 0; 1533 skip = 0;
1434 }
1435 } 1534 }
1436 1535 }
1437 /* do other additions every 5 doublings */ 1536 /* do other additions every 5 doublings */
1438 if (num_points && (i % 5 == 0)) 1537 if (num_points && (i % 5 == 0)) {
1439 {
1440 /* loop over all scalars */ 1538 /* loop over all scalars */
1441 for (num = 0; num < num_points; ++num) 1539 for (num = 0; num < num_points; ++num) {
1442 {
1443 bits = get_bit(scalars[num], i + 4) << 5; 1540 bits = get_bit(scalars[num], i + 4) << 5;
1444 bits |= get_bit(scalars[num], i + 3) << 4; 1541 bits |= get_bit(scalars[num], i + 3) << 4;
1445 bits |= get_bit(scalars[num], i + 2) << 3; 1542 bits |= get_bit(scalars[num], i + 2) << 3;
@@ -1448,29 +1545,30 @@ static void batch_mul(felem x_out, felem y_out, felem z_out,
1448 bits |= get_bit(scalars[num], i - 1); 1545 bits |= get_bit(scalars[num], i - 1);
1449 ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); 1546 ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
1450 1547
1451 /* select the point to add or subtract, in constant time */ 1548 /*
1549 * select the point to add or subtract, in
1550 * constant time
1551 */
1452 select_point(digit, 17, pre_comp[num], tmp); 1552 select_point(digit, 17, pre_comp[num], tmp);
1453 felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative point */ 1553 felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the
1554 * negative point */
1454 copy_conditional(tmp[1], tmp[3], (-(limb) sign)); 1555 copy_conditional(tmp[1], tmp[3], (-(limb) sign));
1455 1556
1456 if (!skip) 1557 if (!skip) {
1457 {
1458 point_add(nq[0], nq[1], nq[2], 1558 point_add(nq[0], nq[1], nq[2],
1459 nq[0], nq[1], nq[2], 1559 nq[0], nq[1], nq[2],
1460 mixed, tmp[0], tmp[1], tmp[2]); 1560 mixed, tmp[0], tmp[1], tmp[2]);
1461 } 1561 } else {
1462 else
1463 {
1464 memcpy(nq, tmp, 3 * sizeof(felem)); 1562 memcpy(nq, tmp, 3 * sizeof(felem));
1465 skip = 0; 1563 skip = 0;
1466 }
1467 } 1564 }
1468 } 1565 }
1469 } 1566 }
1567 }
1470 felem_assign(x_out, nq[0]); 1568 felem_assign(x_out, nq[0]);
1471 felem_assign(y_out, nq[1]); 1569 felem_assign(y_out, nq[1]);
1472 felem_assign(z_out, nq[2]); 1570 felem_assign(z_out, nq[2]);
1473 } 1571}
1474 1572
1475 1573
1476/* Precomputation for the group generator. */ 1574/* Precomputation for the group generator. */
@@ -1493,20 +1591,20 @@ EC_GFp_nistp521_method(void)
1493 .group_get_curve = ec_GFp_simple_group_get_curve, 1591 .group_get_curve = ec_GFp_simple_group_get_curve,
1494 .group_get_degree = ec_GFp_simple_group_get_degree, 1592 .group_get_degree = ec_GFp_simple_group_get_degree,
1495 .group_check_discriminant = 1593 .group_check_discriminant =
1496 ec_GFp_simple_group_check_discriminant, 1594 ec_GFp_simple_group_check_discriminant,
1497 .point_init = ec_GFp_simple_point_init, 1595 .point_init = ec_GFp_simple_point_init,
1498 .point_finish = ec_GFp_simple_point_finish, 1596 .point_finish = ec_GFp_simple_point_finish,
1499 .point_clear_finish = ec_GFp_simple_point_clear_finish, 1597 .point_clear_finish = ec_GFp_simple_point_clear_finish,
1500 .point_copy = ec_GFp_simple_point_copy, 1598 .point_copy = ec_GFp_simple_point_copy,
1501 .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, 1599 .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
1502 .point_set_Jprojective_coordinates_GFp = 1600 .point_set_Jprojective_coordinates_GFp =
1503 ec_GFp_simple_set_Jprojective_coordinates_GFp, 1601 ec_GFp_simple_set_Jprojective_coordinates_GFp,
1504 .point_get_Jprojective_coordinates_GFp = 1602 .point_get_Jprojective_coordinates_GFp =
1505 ec_GFp_simple_get_Jprojective_coordinates_GFp, 1603 ec_GFp_simple_get_Jprojective_coordinates_GFp,
1506 .point_set_affine_coordinates = 1604 .point_set_affine_coordinates =
1507 ec_GFp_simple_point_set_affine_coordinates, 1605 ec_GFp_simple_point_set_affine_coordinates,
1508 .point_get_affine_coordinates = 1606 .point_get_affine_coordinates =
1509 ec_GFp_nistp521_point_get_affine_coordinates, 1607 ec_GFp_nistp521_point_get_affine_coordinates,
1510 .add = ec_GFp_simple_add, 1608 .add = ec_GFp_simple_add,
1511 .dbl = ec_GFp_simple_dbl, 1609 .dbl = ec_GFp_simple_dbl,
1512 .invert = ec_GFp_simple_invert, 1610 .invert = ec_GFp_simple_invert,
@@ -1530,32 +1628,34 @@ EC_GFp_nistp521_method(void)
1530/* FUNCTIONS TO MANAGE PRECOMPUTATION 1628/* FUNCTIONS TO MANAGE PRECOMPUTATION
1531 */ 1629 */
1532 1630
1533static NISTP521_PRE_COMP *nistp521_pre_comp_new() 1631static NISTP521_PRE_COMP *
1534 { 1632nistp521_pre_comp_new()
1633{
1535 NISTP521_PRE_COMP *ret = NULL; 1634 NISTP521_PRE_COMP *ret = NULL;
1536 ret = (NISTP521_PRE_COMP *)malloc(sizeof(NISTP521_PRE_COMP)); 1635 ret = (NISTP521_PRE_COMP *) malloc(sizeof(NISTP521_PRE_COMP));
1537 if (!ret) 1636 if (!ret) {
1538 {
1539 ECerr(EC_F_NISTP521_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); 1637 ECerr(EC_F_NISTP521_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
1540 return ret; 1638 return ret;
1541 } 1639 }
1542 memset(ret->g_pre_comp, 0, sizeof(ret->g_pre_comp)); 1640 memset(ret->g_pre_comp, 0, sizeof(ret->g_pre_comp));
1543 ret->references = 1; 1641 ret->references = 1;
1544 return ret; 1642 return ret;
1545 } 1643}
1546 1644
1547static void *nistp521_pre_comp_dup(void *src_) 1645static void *
1548 { 1646nistp521_pre_comp_dup(void *src_)
1647{
1549 NISTP521_PRE_COMP *src = src_; 1648 NISTP521_PRE_COMP *src = src_;
1550 1649
1551 /* no need to actually copy, these objects never change! */ 1650 /* no need to actually copy, these objects never change! */
1552 CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP); 1651 CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP);
1553 1652
1554 return src_; 1653 return src_;
1555 } 1654}
1556 1655
1557static void nistp521_pre_comp_free(void *pre_) 1656static void
1558 { 1657nistp521_pre_comp_free(void *pre_)
1658{
1559 int i; 1659 int i;
1560 NISTP521_PRE_COMP *pre = pre_; 1660 NISTP521_PRE_COMP *pre = pre_;
1561 1661
@@ -1567,10 +1667,11 @@ static void nistp521_pre_comp_free(void *pre_)
1567 return; 1667 return;
1568 1668
1569 free(pre); 1669 free(pre);
1570 } 1670}
1571 1671
1572static void nistp521_pre_comp_clear_free(void *pre_) 1672static void
1573 { 1673nistp521_pre_comp_clear_free(void *pre_)
1674{
1574 int i; 1675 int i;
1575 NISTP521_PRE_COMP *pre = pre_; 1676 NISTP521_PRE_COMP *pre = pre_;
1576 1677
@@ -1583,43 +1684,46 @@ static void nistp521_pre_comp_clear_free(void *pre_)
1583 1684
1584 OPENSSL_cleanse(pre, sizeof(*pre)); 1685 OPENSSL_cleanse(pre, sizeof(*pre));
1585 free(pre); 1686 free(pre);
1586 } 1687}
1587 1688
1588/******************************************************************************/ 1689/******************************************************************************/
1589/* OPENSSL EC_METHOD FUNCTIONS 1690/* OPENSSL EC_METHOD FUNCTIONS
1590 */ 1691 */
1591 1692
1592int ec_GFp_nistp521_group_init(EC_GROUP *group) 1693int
1593 { 1694ec_GFp_nistp521_group_init(EC_GROUP * group)
1695{
1594 int ret; 1696 int ret;
1595 ret = ec_GFp_simple_group_init(group); 1697 ret = ec_GFp_simple_group_init(group);
1596 group->a_is_minus3 = 1; 1698 group->a_is_minus3 = 1;
1597 return ret; 1699 return ret;
1598 } 1700}
1599 1701
1600int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, 1702int
1601 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 1703ec_GFp_nistp521_group_set_curve(EC_GROUP * group, const BIGNUM * p,
1602 { 1704 const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx)
1705{
1603 int ret = 0; 1706 int ret = 0;
1604 BN_CTX *new_ctx = NULL; 1707 BN_CTX *new_ctx = NULL;
1605 BIGNUM *curve_p, *curve_a, *curve_b; 1708 BIGNUM *curve_p, *curve_a, *curve_b;
1606 1709
1607 if (ctx == NULL) 1710 if (ctx == NULL)
1608 if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0; 1711 if ((ctx = new_ctx = BN_CTX_new()) == NULL)
1712 return 0;
1609 BN_CTX_start(ctx); 1713 BN_CTX_start(ctx);
1610 if (((curve_p = BN_CTX_get(ctx)) == NULL) || 1714 if (((curve_p = BN_CTX_get(ctx)) == NULL) ||
1611 ((curve_a = BN_CTX_get(ctx)) == NULL) || 1715 ((curve_a = BN_CTX_get(ctx)) == NULL) ||
1612 ((curve_b = BN_CTX_get(ctx)) == NULL)) goto err; 1716 ((curve_b = BN_CTX_get(ctx)) == NULL))
1717 goto err;
1613 BN_bin2bn(nistp521_curve_params[0], sizeof(felem_bytearray), curve_p); 1718 BN_bin2bn(nistp521_curve_params[0], sizeof(felem_bytearray), curve_p);
1614 BN_bin2bn(nistp521_curve_params[1], sizeof(felem_bytearray), curve_a); 1719 BN_bin2bn(nistp521_curve_params[1], sizeof(felem_bytearray), curve_a);
1615 BN_bin2bn(nistp521_curve_params[2], sizeof(felem_bytearray), curve_b); 1720 BN_bin2bn(nistp521_curve_params[2], sizeof(felem_bytearray), curve_b);
1616 if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) || 1721 if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) ||
1617 (BN_cmp(curve_b, b))) 1722 (BN_cmp(curve_b, b))) {
1618 {
1619 ECerr(EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE, 1723 ECerr(EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE,
1620 EC_R_WRONG_CURVE_PARAMETERS); 1724 EC_R_WRONG_CURVE_PARAMETERS);
1621 goto err; 1725 goto err;
1622 } 1726 }
1623 group->field_mod_func = BN_nist_mod_521; 1727 group->field_mod_func = BN_nist_mod_521;
1624 ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); 1728 ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
1625err: 1729err:
@@ -1627,74 +1731,79 @@ err:
1627 if (new_ctx != NULL) 1731 if (new_ctx != NULL)
1628 BN_CTX_free(new_ctx); 1732 BN_CTX_free(new_ctx);
1629 return ret; 1733 return ret;
1630 } 1734}
1631 1735
1632/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns 1736/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns
1633 * (X', Y') = (X/Z^2, Y/Z^3) */ 1737 * (X', Y') = (X/Z^2, Y/Z^3) */
1634int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group, 1738int
1635 const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx) 1739ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP * group,
1636 { 1740 const EC_POINT * point, BIGNUM * x, BIGNUM * y, BN_CTX * ctx)
1741{
1637 felem z1, z2, x_in, y_in, x_out, y_out; 1742 felem z1, z2, x_in, y_in, x_out, y_out;
1638 largefelem tmp; 1743 largefelem tmp;
1639 1744
1640 if (EC_POINT_is_at_infinity(group, point)) 1745 if (EC_POINT_is_at_infinity(group, point)) {
1641 {
1642 ECerr(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES, 1746 ECerr(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES,
1643 EC_R_POINT_AT_INFINITY); 1747 EC_R_POINT_AT_INFINITY);
1644 return 0; 1748 return 0;
1645 } 1749 }
1646 if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) || 1750 if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) ||
1647 (!BN_to_felem(z1, &point->Z))) return 0; 1751 (!BN_to_felem(z1, &point->Z)))
1752 return 0;
1648 felem_inv(z2, z1); 1753 felem_inv(z2, z1);
1649 felem_square(tmp, z2); felem_reduce(z1, tmp); 1754 felem_square(tmp, z2);
1650 felem_mul(tmp, x_in, z1); felem_reduce(x_in, tmp); 1755 felem_reduce(z1, tmp);
1756 felem_mul(tmp, x_in, z1);
1757 felem_reduce(x_in, tmp);
1651 felem_contract(x_out, x_in); 1758 felem_contract(x_out, x_in);
1652 if (x != NULL) 1759 if (x != NULL) {
1653 { 1760 if (!felem_to_BN(x, x_out)) {
1654 if (!felem_to_BN(x, x_out))
1655 {
1656 ECerr(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB); 1761 ECerr(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);
1657 return 0; 1762 return 0;
1658 }
1659 } 1763 }
1660 felem_mul(tmp, z1, z2); felem_reduce(z1, tmp); 1764 }
1661 felem_mul(tmp, y_in, z1); felem_reduce(y_in, tmp); 1765 felem_mul(tmp, z1, z2);
1766 felem_reduce(z1, tmp);
1767 felem_mul(tmp, y_in, z1);
1768 felem_reduce(y_in, tmp);
1662 felem_contract(y_out, y_in); 1769 felem_contract(y_out, y_in);
1663 if (y != NULL) 1770 if (y != NULL) {
1664 { 1771 if (!felem_to_BN(y, y_out)) {
1665 if (!felem_to_BN(y, y_out))
1666 {
1667 ECerr(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB); 1772 ECerr(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);
1668 return 0; 1773 return 0;
1669 }
1670 } 1774 }
1671 return 1;
1672 } 1775 }
1776 return 1;
1777}
1673 1778
1674static void make_points_affine(size_t num, felem points[/* num */][3], felem tmp_felems[/* num+1 */]) 1779static void
1675 { 1780make_points_affine(size_t num, felem points[ /* num */ ][3], felem tmp_felems[ /* num+1 */ ])
1676 /* Runs in constant time, unless an input is the point at infinity 1781{
1677 * (which normally shouldn't happen). */ 1782 /*
1783 * Runs in constant time, unless an input is the point at infinity
1784 * (which normally shouldn't happen).
1785 */
1678 ec_GFp_nistp_points_make_affine_internal( 1786 ec_GFp_nistp_points_make_affine_internal(
1679 num, 1787 num,
1680 points, 1788 points,
1681 sizeof(felem), 1789 sizeof(felem),
1682 tmp_felems, 1790 tmp_felems,
1683 (void (*)(void *)) felem_one, 1791 (void (*) (void *)) felem_one,
1684 (int (*)(const void *)) felem_is_zero_int, 1792 (int (*) (const void *)) felem_is_zero_int,
1685 (void (*)(void *, const void *)) felem_assign, 1793 (void (*) (void *, const void *)) felem_assign,
1686 (void (*)(void *, const void *)) felem_square_reduce, 1794 (void (*) (void *, const void *)) felem_square_reduce,
1687 (void (*)(void *, const void *, const void *)) felem_mul_reduce, 1795 (void (*) (void *, const void *, const void *)) felem_mul_reduce,
1688 (void (*)(void *, const void *)) felem_inv, 1796 (void (*) (void *, const void *)) felem_inv,
1689 (void (*)(void *, const void *)) felem_contract); 1797 (void (*) (void *, const void *)) felem_contract);
1690 } 1798}
1691 1799
1692/* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values 1800/* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values
1693 * Result is stored in r (r can equal one of the inputs). */ 1801 * Result is stored in r (r can equal one of the inputs). */
1694int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, 1802int
1695 const BIGNUM *scalar, size_t num, const EC_POINT *points[], 1803ec_GFp_nistp521_points_mul(const EC_GROUP * group, EC_POINT * r,
1696 const BIGNUM *scalars[], BN_CTX *ctx) 1804 const BIGNUM * scalar, size_t num, const EC_POINT * points[],
1697 { 1805 const BIGNUM * scalars[], BN_CTX * ctx)
1806{
1698 int ret = 0; 1807 int ret = 0;
1699 int j; 1808 int j;
1700 int mixed = 0; 1809 int mixed = 0;
@@ -1702,7 +1811,7 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
1702 BIGNUM *x, *y, *z, *tmp_scalar; 1811 BIGNUM *x, *y, *z, *tmp_scalar;
1703 felem_bytearray g_secret; 1812 felem_bytearray g_secret;
1704 felem_bytearray *secrets = NULL; 1813 felem_bytearray *secrets = NULL;
1705 felem (*pre_comp)[17][3] = NULL; 1814 felem(*pre_comp)[17][3] = NULL;
1706 felem *tmp_felems = NULL; 1815 felem *tmp_felems = NULL;
1707 felem_bytearray tmp; 1816 felem_bytearray tmp;
1708 unsigned i, num_bytes; 1817 unsigned i, num_bytes;
@@ -1710,178 +1819,170 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
1710 size_t num_points = num; 1819 size_t num_points = num;
1711 felem x_in, y_in, z_in, x_out, y_out, z_out; 1820 felem x_in, y_in, z_in, x_out, y_out, z_out;
1712 NISTP521_PRE_COMP *pre = NULL; 1821 NISTP521_PRE_COMP *pre = NULL;
1713 felem (*g_pre_comp)[3] = NULL; 1822 felem(*g_pre_comp)[3] = NULL;
1714 EC_POINT *generator = NULL; 1823 EC_POINT *generator = NULL;
1715 const EC_POINT *p = NULL; 1824 const EC_POINT *p = NULL;
1716 const BIGNUM *p_scalar = NULL; 1825 const BIGNUM *p_scalar = NULL;
1717 1826
1718 if (ctx == NULL) 1827 if (ctx == NULL)
1719 if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0; 1828 if ((ctx = new_ctx = BN_CTX_new()) == NULL)
1829 return 0;
1720 BN_CTX_start(ctx); 1830 BN_CTX_start(ctx);
1721 if (((x = BN_CTX_get(ctx)) == NULL) || 1831 if (((x = BN_CTX_get(ctx)) == NULL) ||
1722 ((y = BN_CTX_get(ctx)) == NULL) || 1832 ((y = BN_CTX_get(ctx)) == NULL) ||
1723 ((z = BN_CTX_get(ctx)) == NULL) || 1833 ((z = BN_CTX_get(ctx)) == NULL) ||
1724 ((tmp_scalar = BN_CTX_get(ctx)) == NULL)) 1834 ((tmp_scalar = BN_CTX_get(ctx)) == NULL))
1725 goto err; 1835 goto err;
1726 1836
1727 if (scalar != NULL) 1837 if (scalar != NULL) {
1728 {
1729 pre = EC_EX_DATA_get_data(group->extra_data, 1838 pre = EC_EX_DATA_get_data(group->extra_data,
1730 nistp521_pre_comp_dup, nistp521_pre_comp_free, 1839 nistp521_pre_comp_dup, nistp521_pre_comp_free,
1731 nistp521_pre_comp_clear_free); 1840 nistp521_pre_comp_clear_free);
1732 if (pre) 1841 if (pre)
1733 /* we have precomputation, try to use it */ 1842 /* we have precomputation, try to use it */
1734 g_pre_comp = &pre->g_pre_comp[0]; 1843 g_pre_comp = &pre->g_pre_comp[0];
1735 else 1844 else
1736 /* try to use the standard precomputation */ 1845 /* try to use the standard precomputation */
1737 g_pre_comp = (felem (*)[3]) gmul; 1846 g_pre_comp = (felem(*)[3]) gmul;
1738 generator = EC_POINT_new(group); 1847 generator = EC_POINT_new(group);
1739 if (generator == NULL) 1848 if (generator == NULL)
1740 goto err; 1849 goto err;
1741 /* get the generator from precomputation */ 1850 /* get the generator from precomputation */
1742 if (!felem_to_BN(x, g_pre_comp[1][0]) || 1851 if (!felem_to_BN(x, g_pre_comp[1][0]) ||
1743 !felem_to_BN(y, g_pre_comp[1][1]) || 1852 !felem_to_BN(y, g_pre_comp[1][1]) ||
1744 !felem_to_BN(z, g_pre_comp[1][2])) 1853 !felem_to_BN(z, g_pre_comp[1][2])) {
1745 {
1746 ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB); 1854 ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
1747 goto err; 1855 goto err;
1748 } 1856 }
1749 if (!EC_POINT_set_Jprojective_coordinates_GFp(group, 1857 if (!EC_POINT_set_Jprojective_coordinates_GFp(group,
1750 generator, x, y, z, ctx)) 1858 generator, x, y, z, ctx))
1751 goto err; 1859 goto err;
1752 if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) 1860 if (0 == EC_POINT_cmp(group, generator, group->generator, ctx))
1753 /* precomputation matches generator */ 1861 /* precomputation matches generator */
1754 have_pre_comp = 1; 1862 have_pre_comp = 1;
1755 else 1863 else
1756 /* we don't have valid precomputation: 1864 /*
1757 * treat the generator as a random point */ 1865 * we don't have valid precomputation: treat the
1866 * generator as a random point
1867 */
1758 num_points++; 1868 num_points++;
1759 } 1869 }
1760 1870 if (num_points > 0) {
1761 if (num_points > 0) 1871 if (num_points >= 2) {
1762 { 1872 /*
1763 if (num_points >= 2) 1873 * unless we precompute multiples for just one point,
1764 { 1874 * converting those into affine form is time well
1765 /* unless we precompute multiples for just one point, 1875 * spent
1766 * converting those into affine form is time well spent */ 1876 */
1767 mixed = 1; 1877 mixed = 1;
1768 } 1878 }
1769 secrets = malloc(num_points * sizeof(felem_bytearray)); 1879 secrets = malloc(num_points * sizeof(felem_bytearray));
1770 pre_comp = malloc(num_points * 17 * 3 * sizeof(felem)); 1880 pre_comp = malloc(num_points * 17 * 3 * sizeof(felem));
1771 if (mixed) 1881 if (mixed)
1772 tmp_felems = malloc((num_points * 17 + 1) * sizeof(felem)); 1882 tmp_felems = malloc((num_points * 17 + 1) * sizeof(felem));
1773 if ((secrets == NULL) || (pre_comp == NULL) || (mixed && (tmp_felems == NULL))) 1883 if ((secrets == NULL) || (pre_comp == NULL) || (mixed && (tmp_felems == NULL))) {
1774 {
1775 ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_MALLOC_FAILURE); 1884 ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_MALLOC_FAILURE);
1776 goto err; 1885 goto err;
1777 } 1886 }
1778 1887 /*
1779 /* we treat NULL scalars as 0, and NULL points as points at infinity, 1888 * we treat NULL scalars as 0, and NULL points as points at
1780 * i.e., they contribute nothing to the linear combination */ 1889 * infinity, i.e., they contribute nothing to the linear
1890 * combination
1891 */
1781 memset(secrets, 0, num_points * sizeof(felem_bytearray)); 1892 memset(secrets, 0, num_points * sizeof(felem_bytearray));
1782 memset(pre_comp, 0, num_points * 17 * 3 * sizeof(felem)); 1893 memset(pre_comp, 0, num_points * 17 * 3 * sizeof(felem));
1783 for (i = 0; i < num_points; ++i) 1894 for (i = 0; i < num_points; ++i) {
1784 {
1785 if (i == num) 1895 if (i == num)
1786 /* we didn't have a valid precomputation, so we pick 1896 /*
1787 * the generator */ 1897 * we didn't have a valid precomputation, so
1788 { 1898 * we pick the generator
1899 */
1900 {
1789 p = EC_GROUP_get0_generator(group); 1901 p = EC_GROUP_get0_generator(group);
1790 p_scalar = scalar; 1902 p_scalar = scalar;
1791 } 1903 } else
1792 else
1793 /* the i^th point */ 1904 /* the i^th point */
1794 { 1905 {
1795 p = points[i]; 1906 p = points[i];
1796 p_scalar = scalars[i]; 1907 p_scalar = scalars[i];
1797 } 1908 }
1798 if ((p_scalar != NULL) && (p != NULL)) 1909 if ((p_scalar != NULL) && (p != NULL)) {
1799 {
1800 /* reduce scalar to 0 <= scalar < 2^521 */ 1910 /* reduce scalar to 0 <= scalar < 2^521 */
1801 if ((BN_num_bits(p_scalar) > 521) || (BN_is_negative(p_scalar))) 1911 if ((BN_num_bits(p_scalar) > 521) || (BN_is_negative(p_scalar))) {
1802 { 1912 /*
1803 /* this is an unusual input, and we don't guarantee 1913 * this is an unusual input, and we
1804 * constant-timeness */ 1914 * don't guarantee constant-timeness
1805 if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) 1915 */
1806 { 1916 if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) {
1807 ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB); 1917 ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
1808 goto err; 1918 goto err;
1809 }
1810 num_bytes = BN_bn2bin(tmp_scalar, tmp);
1811 } 1919 }
1812 else 1920 num_bytes = BN_bn2bin(tmp_scalar, tmp);
1921 } else
1813 num_bytes = BN_bn2bin(p_scalar, tmp); 1922 num_bytes = BN_bn2bin(p_scalar, tmp);
1814 flip_endian(secrets[i], tmp, num_bytes); 1923 flip_endian(secrets[i], tmp, num_bytes);
1815 /* precompute multiples */ 1924 /* precompute multiples */
1816 if ((!BN_to_felem(x_out, &p->X)) || 1925 if ((!BN_to_felem(x_out, &p->X)) ||
1817 (!BN_to_felem(y_out, &p->Y)) || 1926 (!BN_to_felem(y_out, &p->Y)) ||
1818 (!BN_to_felem(z_out, &p->Z))) goto err; 1927 (!BN_to_felem(z_out, &p->Z)))
1928 goto err;
1819 memcpy(pre_comp[i][1][0], x_out, sizeof(felem)); 1929 memcpy(pre_comp[i][1][0], x_out, sizeof(felem));
1820 memcpy(pre_comp[i][1][1], y_out, sizeof(felem)); 1930 memcpy(pre_comp[i][1][1], y_out, sizeof(felem));
1821 memcpy(pre_comp[i][1][2], z_out, sizeof(felem)); 1931 memcpy(pre_comp[i][1][2], z_out, sizeof(felem));
1822 for (j = 2; j <= 16; ++j) 1932 for (j = 2; j <= 16; ++j) {
1823 { 1933 if (j & 1) {
1824 if (j & 1)
1825 {
1826 point_add( 1934 point_add(
1827 pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2], 1935 pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
1828 pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2], 1936 pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2],
1829 0, pre_comp[i][j-1][0], pre_comp[i][j-1][1], pre_comp[i][j-1][2]); 1937 0, pre_comp[i][j - 1][0], pre_comp[i][j - 1][1], pre_comp[i][j - 1][2]);
1830 } 1938 } else {
1831 else
1832 {
1833 point_double( 1939 point_double(
1834 pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2], 1940 pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
1835 pre_comp[i][j/2][0], pre_comp[i][j/2][1], pre_comp[i][j/2][2]); 1941 pre_comp[i][j / 2][0], pre_comp[i][j / 2][1], pre_comp[i][j / 2][2]);
1836 }
1837 } 1942 }
1838 } 1943 }
1839 } 1944 }
1945 }
1840 if (mixed) 1946 if (mixed)
1841 make_points_affine(num_points * 17, pre_comp[0], tmp_felems); 1947 make_points_affine(num_points * 17, pre_comp[0], tmp_felems);
1842 } 1948 }
1843
1844 /* the scalar for the generator */ 1949 /* the scalar for the generator */
1845 if ((scalar != NULL) && (have_pre_comp)) 1950 if ((scalar != NULL) && (have_pre_comp)) {
1846 {
1847 memset(g_secret, 0, sizeof(g_secret)); 1951 memset(g_secret, 0, sizeof(g_secret));
1848 /* reduce scalar to 0 <= scalar < 2^521 */ 1952 /* reduce scalar to 0 <= scalar < 2^521 */
1849 if ((BN_num_bits(scalar) > 521) || (BN_is_negative(scalar))) 1953 if ((BN_num_bits(scalar) > 521) || (BN_is_negative(scalar))) {
1850 { 1954 /*
1851 /* this is an unusual input, and we don't guarantee 1955 * this is an unusual input, and we don't guarantee
1852 * constant-timeness */ 1956 * constant-timeness
1853 if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) 1957 */
1854 { 1958 if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) {
1855 ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB); 1959 ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
1856 goto err; 1960 goto err;
1857 }
1858 num_bytes = BN_bn2bin(tmp_scalar, tmp);
1859 } 1961 }
1860 else 1962 num_bytes = BN_bn2bin(tmp_scalar, tmp);
1963 } else
1861 num_bytes = BN_bn2bin(scalar, tmp); 1964 num_bytes = BN_bn2bin(scalar, tmp);
1862 flip_endian(g_secret, tmp, num_bytes); 1965 flip_endian(g_secret, tmp, num_bytes);
1863 /* do the multiplication with generator precomputation*/ 1966 /* do the multiplication with generator precomputation */
1864 batch_mul(x_out, y_out, z_out, 1967 batch_mul(x_out, y_out, z_out,
1865 (const felem_bytearray (*)) secrets, num_points, 1968 (const felem_bytearray(*)) secrets, num_points,
1866 g_secret, 1969 g_secret,
1867 mixed, (const felem (*)[17][3]) pre_comp, 1970 mixed, (const felem(*)[17][3]) pre_comp,
1868 (const felem (*)[3]) g_pre_comp); 1971 (const felem(*)[3]) g_pre_comp);
1869 } 1972 } else
1870 else
1871 /* do the multiplication without generator precomputation */ 1973 /* do the multiplication without generator precomputation */
1872 batch_mul(x_out, y_out, z_out, 1974 batch_mul(x_out, y_out, z_out,
1873 (const felem_bytearray (*)) secrets, num_points, 1975 (const felem_bytearray(*)) secrets, num_points,
1874 NULL, mixed, (const felem (*)[17][3]) pre_comp, NULL); 1976 NULL, mixed, (const felem(*)[17][3]) pre_comp, NULL);
1875 /* reduce the output to its unique minimal representation */ 1977 /* reduce the output to its unique minimal representation */
1876 felem_contract(x_in, x_out); 1978 felem_contract(x_in, x_out);
1877 felem_contract(y_in, y_out); 1979 felem_contract(y_in, y_out);
1878 felem_contract(z_in, z_out); 1980 felem_contract(z_in, z_out);
1879 if ((!felem_to_BN(x, x_in)) || (!felem_to_BN(y, y_in)) || 1981 if ((!felem_to_BN(x, x_in)) || (!felem_to_BN(y, y_in)) ||
1880 (!felem_to_BN(z, z_in))) 1982 (!felem_to_BN(z, z_in))) {
1881 {
1882 ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB); 1983 ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
1883 goto err; 1984 goto err;
1884 } 1985 }
1885 ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx); 1986 ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
1886 1987
1887err: 1988err:
@@ -1897,10 +1998,11 @@ err:
1897 if (tmp_felems != NULL) 1998 if (tmp_felems != NULL)
1898 free(tmp_felems); 1999 free(tmp_felems);
1899 return ret; 2000 return ret;
1900 } 2001}
1901 2002
1902int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx) 2003int
1903 { 2004ec_GFp_nistp521_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
2005{
1904 int ret = 0; 2006 int ret = 0;
1905 NISTP521_PRE_COMP *pre = NULL; 2007 NISTP521_PRE_COMP *pre = NULL;
1906 int i, j; 2008 int i, j;
@@ -1911,95 +2013,93 @@ int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
1911 2013
1912 /* throw away old precomputation */ 2014 /* throw away old precomputation */
1913 EC_EX_DATA_free_data(&group->extra_data, nistp521_pre_comp_dup, 2015 EC_EX_DATA_free_data(&group->extra_data, nistp521_pre_comp_dup,
1914 nistp521_pre_comp_free, nistp521_pre_comp_clear_free); 2016 nistp521_pre_comp_free, nistp521_pre_comp_clear_free);
1915 if (ctx == NULL) 2017 if (ctx == NULL)
1916 if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0; 2018 if ((ctx = new_ctx = BN_CTX_new()) == NULL)
2019 return 0;
1917 BN_CTX_start(ctx); 2020 BN_CTX_start(ctx);
1918 if (((x = BN_CTX_get(ctx)) == NULL) || 2021 if (((x = BN_CTX_get(ctx)) == NULL) ||
1919 ((y = BN_CTX_get(ctx)) == NULL)) 2022 ((y = BN_CTX_get(ctx)) == NULL))
1920 goto err; 2023 goto err;
1921 /* get the generator */ 2024 /* get the generator */
1922 if (group->generator == NULL) goto err; 2025 if (group->generator == NULL)
2026 goto err;
1923 generator = EC_POINT_new(group); 2027 generator = EC_POINT_new(group);
1924 if (generator == NULL) 2028 if (generator == NULL)
1925 goto err; 2029 goto err;
1926 BN_bin2bn(nistp521_curve_params[3], sizeof (felem_bytearray), x); 2030 BN_bin2bn(nistp521_curve_params[3], sizeof(felem_bytearray), x);
1927 BN_bin2bn(nistp521_curve_params[4], sizeof (felem_bytearray), y); 2031 BN_bin2bn(nistp521_curve_params[4], sizeof(felem_bytearray), y);
1928 if (!EC_POINT_set_affine_coordinates_GFp(group, generator, x, y, ctx)) 2032 if (!EC_POINT_set_affine_coordinates_GFp(group, generator, x, y, ctx))
1929 goto err; 2033 goto err;
1930 if ((pre = nistp521_pre_comp_new()) == NULL) 2034 if ((pre = nistp521_pre_comp_new()) == NULL)
1931 goto err; 2035 goto err;
1932 /* if the generator is the standard one, use built-in precomputation */ 2036 /* if the generator is the standard one, use built-in precomputation */
1933 if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) 2037 if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) {
1934 {
1935 memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp)); 2038 memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp));
1936 ret = 1; 2039 ret = 1;
1937 goto err; 2040 goto err;
1938 } 2041 }
1939 if ((!BN_to_felem(pre->g_pre_comp[1][0], &group->generator->X)) || 2042 if ((!BN_to_felem(pre->g_pre_comp[1][0], &group->generator->X)) ||
1940 (!BN_to_felem(pre->g_pre_comp[1][1], &group->generator->Y)) || 2043 (!BN_to_felem(pre->g_pre_comp[1][1], &group->generator->Y)) ||
1941 (!BN_to_felem(pre->g_pre_comp[1][2], &group->generator->Z))) 2044 (!BN_to_felem(pre->g_pre_comp[1][2], &group->generator->Z)))
1942 goto err; 2045 goto err;
1943 /* compute 2^130*G, 2^260*G, 2^390*G */ 2046 /* compute 2^130*G, 2^260*G, 2^390*G */
1944 for (i = 1; i <= 4; i <<= 1) 2047 for (i = 1; i <= 4; i <<= 1) {
1945 { 2048 point_double(pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1],
1946 point_double(pre->g_pre_comp[2*i][0], pre->g_pre_comp[2*i][1], 2049 pre->g_pre_comp[2 * i][2], pre->g_pre_comp[i][0],
1947 pre->g_pre_comp[2*i][2], pre->g_pre_comp[i][0], 2050 pre->g_pre_comp[i][1], pre->g_pre_comp[i][2]);
1948 pre->g_pre_comp[i][1], pre->g_pre_comp[i][2]); 2051 for (j = 0; j < 129; ++j) {
1949 for (j = 0; j < 129; ++j) 2052 point_double(pre->g_pre_comp[2 * i][0],
1950 { 2053 pre->g_pre_comp[2 * i][1],
1951 point_double(pre->g_pre_comp[2*i][0], 2054 pre->g_pre_comp[2 * i][2],
1952 pre->g_pre_comp[2*i][1], 2055 pre->g_pre_comp[2 * i][0],
1953 pre->g_pre_comp[2*i][2], 2056 pre->g_pre_comp[2 * i][1],
1954 pre->g_pre_comp[2*i][0], 2057 pre->g_pre_comp[2 * i][2]);
1955 pre->g_pre_comp[2*i][1],
1956 pre->g_pre_comp[2*i][2]);
1957 }
1958 } 2058 }
2059 }
1959 /* g_pre_comp[0] is the point at infinity */ 2060 /* g_pre_comp[0] is the point at infinity */
1960 memset(pre->g_pre_comp[0], 0, sizeof(pre->g_pre_comp[0])); 2061 memset(pre->g_pre_comp[0], 0, sizeof(pre->g_pre_comp[0]));
1961 /* the remaining multiples */ 2062 /* the remaining multiples */
1962 /* 2^130*G + 2^260*G */ 2063 /* 2^130*G + 2^260*G */
1963 point_add(pre->g_pre_comp[6][0], pre->g_pre_comp[6][1], 2064 point_add(pre->g_pre_comp[6][0], pre->g_pre_comp[6][1],
1964 pre->g_pre_comp[6][2], pre->g_pre_comp[4][0], 2065 pre->g_pre_comp[6][2], pre->g_pre_comp[4][0],
1965 pre->g_pre_comp[4][1], pre->g_pre_comp[4][2], 2066 pre->g_pre_comp[4][1], pre->g_pre_comp[4][2],
1966 0, pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], 2067 0, pre->g_pre_comp[2][0], pre->g_pre_comp[2][1],
1967 pre->g_pre_comp[2][2]); 2068 pre->g_pre_comp[2][2]);
1968 /* 2^130*G + 2^390*G */ 2069 /* 2^130*G + 2^390*G */
1969 point_add(pre->g_pre_comp[10][0], pre->g_pre_comp[10][1], 2070 point_add(pre->g_pre_comp[10][0], pre->g_pre_comp[10][1],
1970 pre->g_pre_comp[10][2], pre->g_pre_comp[8][0], 2071 pre->g_pre_comp[10][2], pre->g_pre_comp[8][0],
1971 pre->g_pre_comp[8][1], pre->g_pre_comp[8][2], 2072 pre->g_pre_comp[8][1], pre->g_pre_comp[8][2],
1972 0, pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], 2073 0, pre->g_pre_comp[2][0], pre->g_pre_comp[2][1],
1973 pre->g_pre_comp[2][2]); 2074 pre->g_pre_comp[2][2]);
1974 /* 2^260*G + 2^390*G */ 2075 /* 2^260*G + 2^390*G */
1975 point_add(pre->g_pre_comp[12][0], pre->g_pre_comp[12][1], 2076 point_add(pre->g_pre_comp[12][0], pre->g_pre_comp[12][1],
1976 pre->g_pre_comp[12][2], pre->g_pre_comp[8][0], 2077 pre->g_pre_comp[12][2], pre->g_pre_comp[8][0],
1977 pre->g_pre_comp[8][1], pre->g_pre_comp[8][2], 2078 pre->g_pre_comp[8][1], pre->g_pre_comp[8][2],
1978 0, pre->g_pre_comp[4][0], pre->g_pre_comp[4][1], 2079 0, pre->g_pre_comp[4][0], pre->g_pre_comp[4][1],
1979 pre->g_pre_comp[4][2]); 2080 pre->g_pre_comp[4][2]);
1980 /* 2^130*G + 2^260*G + 2^390*G */ 2081 /* 2^130*G + 2^260*G + 2^390*G */
1981 point_add(pre->g_pre_comp[14][0], pre->g_pre_comp[14][1], 2082 point_add(pre->g_pre_comp[14][0], pre->g_pre_comp[14][1],
1982 pre->g_pre_comp[14][2], pre->g_pre_comp[12][0], 2083 pre->g_pre_comp[14][2], pre->g_pre_comp[12][0],
1983 pre->g_pre_comp[12][1], pre->g_pre_comp[12][2], 2084 pre->g_pre_comp[12][1], pre->g_pre_comp[12][2],
1984 0, pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], 2085 0, pre->g_pre_comp[2][0], pre->g_pre_comp[2][1],
1985 pre->g_pre_comp[2][2]); 2086 pre->g_pre_comp[2][2]);
1986 for (i = 1; i < 8; ++i) 2087 for (i = 1; i < 8; ++i) {
1987 {
1988 /* odd multiples: add G */ 2088 /* odd multiples: add G */
1989 point_add(pre->g_pre_comp[2*i+1][0], pre->g_pre_comp[2*i+1][1], 2089 point_add(pre->g_pre_comp[2 * i + 1][0], pre->g_pre_comp[2 * i + 1][1],
1990 pre->g_pre_comp[2*i+1][2], pre->g_pre_comp[2*i][0], 2090 pre->g_pre_comp[2 * i + 1][2], pre->g_pre_comp[2 * i][0],
1991 pre->g_pre_comp[2*i][1], pre->g_pre_comp[2*i][2], 2091 pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2],
1992 0, pre->g_pre_comp[1][0], pre->g_pre_comp[1][1], 2092 0, pre->g_pre_comp[1][0], pre->g_pre_comp[1][1],
1993 pre->g_pre_comp[1][2]); 2093 pre->g_pre_comp[1][2]);
1994 } 2094 }
1995 make_points_affine(15, &(pre->g_pre_comp[1]), tmp_felems); 2095 make_points_affine(15, &(pre->g_pre_comp[1]), tmp_felems);
1996 2096
1997 if (!EC_EX_DATA_set_data(&group->extra_data, pre, nistp521_pre_comp_dup, 2097 if (!EC_EX_DATA_set_data(&group->extra_data, pre, nistp521_pre_comp_dup,
1998 nistp521_pre_comp_free, nistp521_pre_comp_clear_free)) 2098 nistp521_pre_comp_free, nistp521_pre_comp_clear_free))
1999 goto err; 2099 goto err;
2000 ret = 1; 2100 ret = 1;
2001 pre = NULL; 2101 pre = NULL;
2002 err: 2102err:
2003 BN_CTX_end(ctx); 2103 BN_CTX_end(ctx);
2004 if (generator != NULL) 2104 if (generator != NULL)
2005 EC_POINT_free(generator); 2105 EC_POINT_free(generator);
@@ -2008,18 +2108,19 @@ int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
2008 if (pre) 2108 if (pre)
2009 nistp521_pre_comp_free(pre); 2109 nistp521_pre_comp_free(pre);
2010 return ret; 2110 return ret;
2011 } 2111}
2012 2112
2013int ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group) 2113int
2014 { 2114ec_GFp_nistp521_have_precompute_mult(const EC_GROUP * group)
2115{
2015 if (EC_EX_DATA_get_data(group->extra_data, nistp521_pre_comp_dup, 2116 if (EC_EX_DATA_get_data(group->extra_data, nistp521_pre_comp_dup,
2016 nistp521_pre_comp_free, nistp521_pre_comp_clear_free) 2117 nistp521_pre_comp_free, nistp521_pre_comp_clear_free)
2017 != NULL) 2118 != NULL)
2018 return 1; 2119 return 1;
2019 else 2120 else
2020 return 0; 2121 return 0;
2021 } 2122}
2022 2123
2023#else 2124#else
2024static void *dummy=&dummy; 2125static void *dummy = &dummy;
2025#endif 2126#endif
diff --git a/src/lib/libcrypto/ec/ecp_nistputil.c b/src/lib/libcrypto/ec/ecp_nistputil.c
index c8140c807f..0312fb16ad 100644
--- a/src/lib/libcrypto/ec/ecp_nistputil.c
+++ b/src/lib/libcrypto/ec/ecp_nistputil.c
@@ -41,16 +41,17 @@
41 * tmp_felems needs to point to a temporary array of 'num'+1 field elements 41 * tmp_felems needs to point to a temporary array of 'num'+1 field elements
42 * for storage of intermediate values. 42 * for storage of intermediate values.
43 */ 43 */
44void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, 44void
45 size_t felem_size, void *tmp_felems, 45ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
46 void (*felem_one)(void *out), 46 size_t felem_size, void *tmp_felems,
47 int (*felem_is_zero)(const void *in), 47 void (*felem_one) (void *out),
48 void (*felem_assign)(void *out, const void *in), 48 int (*felem_is_zero) (const void *in),
49 void (*felem_square)(void *out, const void *in), 49 void (*felem_assign) (void *out, const void *in),
50 void (*felem_mul)(void *out, const void *in1, const void *in2), 50 void (*felem_square) (void *out, const void *in),
51 void (*felem_inv)(void *out, const void *in), 51 void (*felem_mul) (void *out, const void *in1, const void *in2),
52 void (*felem_contract)(void *out, const void *in)) 52 void (*felem_inv) (void *out, const void *in),
53 { 53 void (*felem_contract) (void *out, const void *in))
54{
54 int i = 0; 55 int i = 0;
55 56
56#define tmp_felem(I) (&((char *)tmp_felems)[(I) * felem_size]) 57#define tmp_felem(I) (&((char *)tmp_felems)[(I) * felem_size])
@@ -62,50 +63,59 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
62 felem_assign(tmp_felem(0), Z(0)); 63 felem_assign(tmp_felem(0), Z(0));
63 else 64 else
64 felem_one(tmp_felem(0)); 65 felem_one(tmp_felem(0));
65 for (i = 1; i < (int)num; i++) 66 for (i = 1; i < (int) num; i++) {
66 {
67 if (!felem_is_zero(Z(i))) 67 if (!felem_is_zero(Z(i)))
68 felem_mul(tmp_felem(i), tmp_felem(i-1), Z(i)); 68 felem_mul(tmp_felem(i), tmp_felem(i - 1), Z(i));
69 else 69 else
70 felem_assign(tmp_felem(i), tmp_felem(i-1)); 70 felem_assign(tmp_felem(i), tmp_felem(i - 1));
71 } 71 }
72 /* Now each tmp_felem(i) is the product of Z(0) .. Z(i), skipping any zero-valued factors: 72 /*
73 * if Z(i) = 0, we essentially pretend that Z(i) = 1 */ 73 * Now each tmp_felem(i) is the product of Z(0) .. Z(i), skipping any
74 * zero-valued factors: if Z(i) = 0, we essentially pretend that Z(i)
75 * = 1
76 */
74 77
75 felem_inv(tmp_felem(num-1), tmp_felem(num-1)); 78 felem_inv(tmp_felem(num - 1), tmp_felem(num - 1));
76 for (i = num - 1; i >= 0; i--) 79 for (i = num - 1; i >= 0; i--) {
77 {
78 if (i > 0) 80 if (i > 0)
79 /* tmp_felem(i-1) is the product of Z(0) .. Z(i-1), 81 /*
80 * tmp_felem(i) is the inverse of the product of Z(0) .. Z(i) 82 * tmp_felem(i-1) is the product of Z(0) .. Z(i-1),
83 * tmp_felem(i) is the inverse of the product of Z(0)
84 * .. Z(i)
81 */ 85 */
82 felem_mul(tmp_felem(num), tmp_felem(i-1), tmp_felem(i)); /* 1/Z(i) */ 86 felem_mul(tmp_felem(num), tmp_felem(i - 1), tmp_felem(i)); /* 1/Z(i) */
83 else 87 else
84 felem_assign(tmp_felem(num), tmp_felem(0)); /* 1/Z(0) */ 88 felem_assign(tmp_felem(num), tmp_felem(0)); /* 1/Z(0) */
85 89
86 if (!felem_is_zero(Z(i))) 90 if (!felem_is_zero(Z(i))) {
87 {
88 if (i > 0) 91 if (i > 0)
89 /* For next iteration, replace tmp_felem(i-1) by its inverse */ 92 /*
90 felem_mul(tmp_felem(i-1), tmp_felem(i), Z(i)); 93 * For next iteration, replace tmp_felem(i-1)
94 * by its inverse
95 */
96 felem_mul(tmp_felem(i - 1), tmp_felem(i), Z(i));
91 97
92 /* Convert point (X, Y, Z) into affine form (X/(Z^2), Y/(Z^3), 1) */ 98 /*
93 felem_square(Z(i), tmp_felem(num)); /* 1/(Z^2) */ 99 * Convert point (X, Y, Z) into affine form (X/(Z^2),
94 felem_mul(X(i), X(i), Z(i)); /* X/(Z^2) */ 100 * Y/(Z^3), 1)
95 felem_mul(Z(i), Z(i), tmp_felem(num)); /* 1/(Z^3) */ 101 */
96 felem_mul(Y(i), Y(i), Z(i)); /* Y/(Z^3) */ 102 felem_square(Z(i), tmp_felem(num)); /* 1/(Z^2) */
103 felem_mul(X(i), X(i), Z(i)); /* X/(Z^2) */
104 felem_mul(Z(i), Z(i), tmp_felem(num)); /* 1/(Z^3) */
105 felem_mul(Y(i), Y(i), Z(i)); /* Y/(Z^3) */
97 felem_contract(X(i), X(i)); 106 felem_contract(X(i), X(i));
98 felem_contract(Y(i), Y(i)); 107 felem_contract(Y(i), Y(i));
99 felem_one(Z(i)); 108 felem_one(Z(i));
100 } 109 } else {
101 else
102 {
103 if (i > 0) 110 if (i > 0)
104 /* For next iteration, replace tmp_felem(i-1) by its inverse */ 111 /*
105 felem_assign(tmp_felem(i-1), tmp_felem(i)); 112 * For next iteration, replace tmp_felem(i-1)
106 } 113 * by its inverse
114 */
115 felem_assign(tmp_felem(i - 1), tmp_felem(i));
107 } 116 }
108 } 117 }
118}
109 119
110/* 120/*
111 * This function looks at 5+1 scalar bits (5 current, 1 adjacent less 121 * This function looks at 5+1 scalar bits (5 current, 1 adjacent less
@@ -180,18 +190,20 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
180 * has to be b_4 b_3 b_2 b_1 b_0 0. 190 * has to be b_4 b_3 b_2 b_1 b_0 0.
181 * 191 *
182 */ 192 */
183void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, unsigned char *digit, unsigned char in) 193void
184 { 194ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, unsigned char *digit, unsigned char in)
195{
185 unsigned char s, d; 196 unsigned char s, d;
186 197
187 s = ~((in >> 5) - 1); /* sets all bits to MSB(in), 'in' seen as 6-bit value */ 198 s = ~((in >> 5) - 1); /* sets all bits to MSB(in), 'in' seen as
199 * 6-bit value */
188 d = (1 << 6) - in - 1; 200 d = (1 << 6) - in - 1;
189 d = (d & s) | (in & ~s); 201 d = (d & s) | (in & ~s);
190 d = (d >> 1) + (d & 1); 202 d = (d >> 1) + (d & 1);
191 203
192 *sign = s & 1; 204 *sign = s & 1;
193 *digit = d; 205 *digit = d;
194 } 206}
195#else 207#else
196static void *dummy=&dummy; 208static void *dummy = &dummy;
197#endif 209#endif
diff --git a/src/lib/libcrypto/ec/ecp_oct.c b/src/lib/libcrypto/ec/ecp_oct.c
index a06abbc8cd..c7719c7413 100644
--- a/src/lib/libcrypto/ec/ecp_oct.c
+++ b/src/lib/libcrypto/ec/ecp_oct.c
@@ -1,6 +1,6 @@
1/* crypto/ec/ecp_oct.c */ 1/* crypto/ec/ecp_oct.c */
2/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de> 2/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3 * for the OpenSSL project. 3 * for the OpenSSL project.
4 * Includes code written by Bodo Moeller for the OpenSSL project. 4 * Includes code written by Bodo Moeller for the OpenSSL project.
5*/ 5*/
6/* ==================================================================== 6/* ====================================================================
@@ -11,7 +11,7 @@
11 * are met: 11 * are met:
12 * 12 *
13 * 1. Redistributions of source code must retain the above copyright 13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer. 14 * notice, this list of conditions and the following disclaimer.
15 * 15 *
16 * 2. Redistributions in binary form must reproduce the above copyright 16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in 17 * notice, this list of conditions and the following disclaimer in
@@ -66,23 +66,22 @@
66 66
67#include "ec_lcl.h" 67#include "ec_lcl.h"
68 68
69int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point, 69int
70 const BIGNUM *x_, int y_bit, BN_CTX *ctx) 70ec_GFp_simple_set_compressed_coordinates(const EC_GROUP * group, EC_POINT * point,
71 { 71 const BIGNUM * x_, int y_bit, BN_CTX * ctx)
72{
72 BN_CTX *new_ctx = NULL; 73 BN_CTX *new_ctx = NULL;
73 BIGNUM *tmp1, *tmp2, *x, *y; 74 BIGNUM *tmp1, *tmp2, *x, *y;
74 int ret = 0; 75 int ret = 0;
75 76
76 /* clear error queue*/ 77 /* clear error queue */
77 ERR_clear_error(); 78 ERR_clear_error();
78 79
79 if (ctx == NULL) 80 if (ctx == NULL) {
80 {
81 ctx = new_ctx = BN_CTX_new(); 81 ctx = new_ctx = BN_CTX_new();
82 if (ctx == NULL) 82 if (ctx == NULL)
83 return 0; 83 return 0;
84 } 84 }
85
86 y_bit = (y_bit != 0); 85 y_bit = (y_bit != 0);
87 86
88 BN_CTX_start(ctx); 87 BN_CTX_start(ctx);
@@ -90,114 +89,117 @@ int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *po
90 tmp2 = BN_CTX_get(ctx); 89 tmp2 = BN_CTX_get(ctx);
91 x = BN_CTX_get(ctx); 90 x = BN_CTX_get(ctx);
92 y = BN_CTX_get(ctx); 91 y = BN_CTX_get(ctx);
93 if (y == NULL) goto err; 92 if (y == NULL)
93 goto err;
94 94
95 /* Recover y. We have a Weierstrass equation 95 /*
96 * y^2 = x^3 + a*x + b, 96 * Recover y. We have a Weierstrass equation y^2 = x^3 + a*x + b, so
97 * so y is one of the square roots of x^3 + a*x + b. 97 * y is one of the square roots of x^3 + a*x + b.
98 */ 98 */
99 99
100 /* tmp1 := x^3 */ 100 /* tmp1 := x^3 */
101 if (!BN_nnmod(x, x_, &group->field,ctx)) goto err; 101 if (!BN_nnmod(x, x_, &group->field, ctx))
102 if (group->meth->field_decode == 0) 102 goto err;
103 { 103 if (group->meth->field_decode == 0) {
104 /* field_{sqr,mul} work on standard representation */ 104 /* field_{sqr,mul} work on standard representation */
105 if (!group->meth->field_sqr(group, tmp2, x_, ctx)) goto err; 105 if (!group->meth->field_sqr(group, tmp2, x_, ctx))
106 if (!group->meth->field_mul(group, tmp1, tmp2, x_, ctx)) goto err; 106 goto err;
107 } 107 if (!group->meth->field_mul(group, tmp1, tmp2, x_, ctx))
108 else 108 goto err;
109 { 109 } else {
110 if (!BN_mod_sqr(tmp2, x_, &group->field, ctx)) goto err; 110 if (!BN_mod_sqr(tmp2, x_, &group->field, ctx))
111 if (!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx)) goto err; 111 goto err;
112 } 112 if (!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx))
113 113 goto err;
114 }
115
114 /* tmp1 := tmp1 + a*x */ 116 /* tmp1 := tmp1 + a*x */
115 if (group->a_is_minus3) 117 if (group->a_is_minus3) {
116 { 118 if (!BN_mod_lshift1_quick(tmp2, x, &group->field))
117 if (!BN_mod_lshift1_quick(tmp2, x, &group->field)) goto err; 119 goto err;
118 if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field)) goto err; 120 if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field))
119 if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) goto err; 121 goto err;
120 } 122 if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field))
121 else 123 goto err;
122 { 124 } else {
123 if (group->meth->field_decode) 125 if (group->meth->field_decode) {
124 { 126 if (!group->meth->field_decode(group, tmp2, &group->a, ctx))
125 if (!group->meth->field_decode(group, tmp2, &group->a, ctx)) goto err; 127 goto err;
126 if (!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx)) goto err; 128 if (!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx))
127 } 129 goto err;
128 else 130 } else {
129 {
130 /* field_mul works on standard representation */ 131 /* field_mul works on standard representation */
131 if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) goto err; 132 if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx))
132 } 133 goto err;
133
134 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
135 } 134 }
136 135
136 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field))
137 goto err;
138 }
139
137 /* tmp1 := tmp1 + b */ 140 /* tmp1 := tmp1 + b */
138 if (group->meth->field_decode) 141 if (group->meth->field_decode) {
139 { 142 if (!group->meth->field_decode(group, tmp2, &group->b, ctx))
140 if (!group->meth->field_decode(group, tmp2, &group->b, ctx)) goto err; 143 goto err;
141 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err; 144 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field))
142 } 145 goto err;
143 else 146 } else {
144 { 147 if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field))
145 if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) goto err; 148 goto err;
146 } 149 }
147 150
148 if (!BN_mod_sqrt(y, tmp1, &group->field, ctx)) 151 if (!BN_mod_sqrt(y, tmp1, &group->field, ctx)) {
149 {
150 unsigned long err = ERR_peek_last_error(); 152 unsigned long err = ERR_peek_last_error();
151 153
152 if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) 154 if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) {
153 {
154 ERR_clear_error(); 155 ERR_clear_error();
155 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT); 156 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
156 } 157 } else
157 else
158 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB); 158 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB);
159 goto err; 159 goto err;
160 } 160 }
161 161 if (y_bit != BN_is_odd(y)) {
162 if (y_bit != BN_is_odd(y)) 162 if (BN_is_zero(y)) {
163 {
164 if (BN_is_zero(y))
165 {
166 int kron; 163 int kron;
167 164
168 kron = BN_kronecker(x, &group->field, ctx); 165 kron = BN_kronecker(x, &group->field, ctx);
169 if (kron == -2) goto err; 166 if (kron == -2)
167 goto err;
170 168
171 if (kron == 1) 169 if (kron == 1)
172 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSION_BIT); 170 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSION_BIT);
173 else 171 else
174 /* BN_mod_sqrt() should have cought this error (not a square) */ 172 /*
173 * BN_mod_sqrt() should have cought this
174 * error (not a square)
175 */
175 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT); 176 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
176 goto err; 177 goto err;
177 }
178 if (!BN_usub(y, &group->field, y)) goto err;
179 } 178 }
180 if (y_bit != BN_is_odd(y)) 179 if (!BN_usub(y, &group->field, y))
181 { 180 goto err;
181 }
182 if (y_bit != BN_is_odd(y)) {
182 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_INTERNAL_ERROR); 183 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_INTERNAL_ERROR);
183 goto err; 184 goto err;
184 } 185 }
185 186 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
186 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; 187 goto err;
187 188
188 ret = 1; 189 ret = 1;
189 190
190 err: 191err:
191 BN_CTX_end(ctx); 192 BN_CTX_end(ctx);
192 if (new_ctx != NULL) 193 if (new_ctx != NULL)
193 BN_CTX_free(new_ctx); 194 BN_CTX_free(new_ctx);
194 return ret; 195 return ret;
195 } 196}
196 197
197 198
198size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form, 199size_t
199 unsigned char *buf, size_t len, BN_CTX *ctx) 200ec_GFp_simple_point2oct(const EC_GROUP * group, const EC_POINT * point, point_conversion_form_t form,
200 { 201 unsigned char *buf, size_t len, BN_CTX * ctx)
202{
201 size_t ret; 203 size_t ret;
202 BN_CTX *new_ctx = NULL; 204 BN_CTX *new_ctx = NULL;
203 int used_ctx = 0; 205 int used_ctx = 0;
@@ -205,125 +207,106 @@ size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, poi
205 size_t field_len, i, skip; 207 size_t field_len, i, skip;
206 208
207 if ((form != POINT_CONVERSION_COMPRESSED) 209 if ((form != POINT_CONVERSION_COMPRESSED)
208 && (form != POINT_CONVERSION_UNCOMPRESSED) 210 && (form != POINT_CONVERSION_UNCOMPRESSED)
209 && (form != POINT_CONVERSION_HYBRID)) 211 && (form != POINT_CONVERSION_HYBRID)) {
210 {
211 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM); 212 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
212 goto err; 213 goto err;
213 } 214 }
214 215 if (EC_POINT_is_at_infinity(group, point)) {
215 if (EC_POINT_is_at_infinity(group, point))
216 {
217 /* encodes to a single 0 octet */ 216 /* encodes to a single 0 octet */
218 if (buf != NULL) 217 if (buf != NULL) {
219 { 218 if (len < 1) {
220 if (len < 1)
221 {
222 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL); 219 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
223 return 0; 220 return 0;
224 }
225 buf[0] = 0;
226 } 221 }
227 return 1; 222 buf[0] = 0;
228 } 223 }
229 224 return 1;
230 225 }
231 /* ret := required output buffer length */ 226 /* ret := required output buffer length */
232 field_len = BN_num_bytes(&group->field); 227 field_len = BN_num_bytes(&group->field);
233 ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len; 228 ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len;
234 229
235 /* if 'buf' is NULL, just return required length */ 230 /* if 'buf' is NULL, just return required length */
236 if (buf != NULL) 231 if (buf != NULL) {
237 { 232 if (len < ret) {
238 if (len < ret)
239 {
240 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL); 233 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
241 goto err; 234 goto err;
242 } 235 }
243 236 if (ctx == NULL) {
244 if (ctx == NULL)
245 {
246 ctx = new_ctx = BN_CTX_new(); 237 ctx = new_ctx = BN_CTX_new();
247 if (ctx == NULL) 238 if (ctx == NULL)
248 return 0; 239 return 0;
249 } 240 }
250
251 BN_CTX_start(ctx); 241 BN_CTX_start(ctx);
252 used_ctx = 1; 242 used_ctx = 1;
253 x = BN_CTX_get(ctx); 243 x = BN_CTX_get(ctx);
254 y = BN_CTX_get(ctx); 244 y = BN_CTX_get(ctx);
255 if (y == NULL) goto err; 245 if (y == NULL)
246 goto err;
256 247
257 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; 248 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
249 goto err;
258 250
259 if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y)) 251 if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y))
260 buf[0] = form + 1; 252 buf[0] = form + 1;
261 else 253 else
262 buf[0] = form; 254 buf[0] = form;
263 255
264 i = 1; 256 i = 1;
265 257
266 skip = field_len - BN_num_bytes(x); 258 skip = field_len - BN_num_bytes(x);
267 if (skip > field_len) 259 if (skip > field_len) {
268 {
269 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR); 260 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
270 goto err; 261 goto err;
271 } 262 }
272 while (skip > 0) 263 while (skip > 0) {
273 {
274 buf[i++] = 0; 264 buf[i++] = 0;
275 skip--; 265 skip--;
276 } 266 }
277 skip = BN_bn2bin(x, buf + i); 267 skip = BN_bn2bin(x, buf + i);
278 i += skip; 268 i += skip;
279 if (i != 1 + field_len) 269 if (i != 1 + field_len) {
280 {
281 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR); 270 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
282 goto err; 271 goto err;
283 } 272 }
284 273 if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID) {
285 if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
286 {
287 skip = field_len - BN_num_bytes(y); 274 skip = field_len - BN_num_bytes(y);
288 if (skip > field_len) 275 if (skip > field_len) {
289 {
290 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR); 276 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
291 goto err; 277 goto err;
292 } 278 }
293 while (skip > 0) 279 while (skip > 0) {
294 {
295 buf[i++] = 0; 280 buf[i++] = 0;
296 skip--; 281 skip--;
297 } 282 }
298 skip = BN_bn2bin(y, buf + i); 283 skip = BN_bn2bin(y, buf + i);
299 i += skip; 284 i += skip;
300 } 285 }
301 286 if (i != ret) {
302 if (i != ret)
303 {
304 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR); 287 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
305 goto err; 288 goto err;
306 }
307 } 289 }
308 290 }
309 if (used_ctx) 291 if (used_ctx)
310 BN_CTX_end(ctx); 292 BN_CTX_end(ctx);
311 if (new_ctx != NULL) 293 if (new_ctx != NULL)
312 BN_CTX_free(new_ctx); 294 BN_CTX_free(new_ctx);
313 return ret; 295 return ret;
314 296
315 err: 297err:
316 if (used_ctx) 298 if (used_ctx)
317 BN_CTX_end(ctx); 299 BN_CTX_end(ctx);
318 if (new_ctx != NULL) 300 if (new_ctx != NULL)
319 BN_CTX_free(new_ctx); 301 BN_CTX_free(new_ctx);
320 return 0; 302 return 0;
321 } 303}
322 304
323 305
324int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, 306int
325 const unsigned char *buf, size_t len, BN_CTX *ctx) 307ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point,
326 { 308 const unsigned char *buf, size_t len, BN_CTX * ctx)
309{
327 point_conversion_form_t form; 310 point_conversion_form_t form;
328 int y_bit; 311 int y_bit;
329 BN_CTX *new_ctx = NULL; 312 BN_CTX *new_ctx = NULL;
@@ -331,102 +314,84 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
331 size_t field_len, enc_len; 314 size_t field_len, enc_len;
332 int ret = 0; 315 int ret = 0;
333 316
334 if (len == 0) 317 if (len == 0) {
335 {
336 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL); 318 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
337 return 0; 319 return 0;
338 } 320 }
339 form = buf[0]; 321 form = buf[0];
340 y_bit = form & 1; 322 y_bit = form & 1;
341 form = form & ~1U; 323 form = form & ~1U;
342 if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED) 324 if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
343 && (form != POINT_CONVERSION_UNCOMPRESSED) 325 && (form != POINT_CONVERSION_UNCOMPRESSED)
344 && (form != POINT_CONVERSION_HYBRID)) 326 && (form != POINT_CONVERSION_HYBRID)) {
345 {
346 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 327 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
347 return 0; 328 return 0;
348 } 329 }
349 if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit) 330 if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit) {
350 {
351 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 331 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
352 return 0; 332 return 0;
353 } 333 }
354 334 if (form == 0) {
355 if (form == 0) 335 if (len != 1) {
356 {
357 if (len != 1)
358 {
359 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 336 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
360 return 0; 337 return 0;
361 }
362
363 return EC_POINT_set_to_infinity(group, point);
364 } 338 }
365 339 return EC_POINT_set_to_infinity(group, point);
340 }
366 field_len = BN_num_bytes(&group->field); 341 field_len = BN_num_bytes(&group->field);
367 enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len; 342 enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len;
368 343
369 if (len != enc_len) 344 if (len != enc_len) {
370 {
371 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 345 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
372 return 0; 346 return 0;
373 } 347 }
374 348 if (ctx == NULL) {
375 if (ctx == NULL)
376 {
377 ctx = new_ctx = BN_CTX_new(); 349 ctx = new_ctx = BN_CTX_new();
378 if (ctx == NULL) 350 if (ctx == NULL)
379 return 0; 351 return 0;
380 } 352 }
381
382 BN_CTX_start(ctx); 353 BN_CTX_start(ctx);
383 x = BN_CTX_get(ctx); 354 x = BN_CTX_get(ctx);
384 y = BN_CTX_get(ctx); 355 y = BN_CTX_get(ctx);
385 if (y == NULL) goto err; 356 if (y == NULL)
357 goto err;
386 358
387 if (!BN_bin2bn(buf + 1, field_len, x)) goto err; 359 if (!BN_bin2bn(buf + 1, field_len, x))
388 if (BN_ucmp(x, &group->field) >= 0) 360 goto err;
389 { 361 if (BN_ucmp(x, &group->field) >= 0) {
390 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 362 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
391 goto err; 363 goto err;
392 } 364 }
393 365 if (form == POINT_CONVERSION_COMPRESSED) {
394 if (form == POINT_CONVERSION_COMPRESSED) 366 if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx))
395 { 367 goto err;
396 if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) goto err; 368 } else {
397 } 369 if (!BN_bin2bn(buf + 1 + field_len, field_len, y))
398 else 370 goto err;
399 { 371 if (BN_ucmp(y, &group->field) >= 0) {
400 if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
401 if (BN_ucmp(y, &group->field) >= 0)
402 {
403 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 372 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
404 goto err; 373 goto err;
405 } 374 }
406 if (form == POINT_CONVERSION_HYBRID) 375 if (form == POINT_CONVERSION_HYBRID) {
407 { 376 if (y_bit != BN_is_odd(y)) {
408 if (y_bit != BN_is_odd(y))
409 {
410 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); 377 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
411 goto err; 378 goto err;
412 }
413 } 379 }
414
415 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
416 } 380 }
417 381 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
418 if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */ 382 goto err;
419 { 383 }
384
385 if (!EC_POINT_is_on_curve(group, point, ctx)) { /* test required by
386 * X9.62 */
420 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); 387 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
421 goto err; 388 goto err;
422 } 389 }
423
424 ret = 1; 390 ret = 1;
425 391
426 err: 392err:
427 BN_CTX_end(ctx); 393 BN_CTX_end(ctx);
428 if (new_ctx != NULL) 394 if (new_ctx != NULL)
429 BN_CTX_free(new_ctx); 395 BN_CTX_free(new_ctx);
430 return ret; 396 return ret;
431 } 397}
432
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index c99348f08f..b87410120d 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,6 +1,6 @@
1/* crypto/ec/ecp_smpl.c */ 1/* crypto/ec/ecp_smpl.c */
2/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de> 2/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3 * for the OpenSSL project. 3 * for the OpenSSL project.
4 * Includes code written by Bodo Moeller for the OpenSSL project. 4 * Includes code written by Bodo Moeller for the OpenSSL project.
5*/ 5*/
6/* ==================================================================== 6/* ====================================================================
@@ -11,7 +11,7 @@
11 * are met: 11 * are met:
12 * 12 *
13 * 1. Redistributions of source code must retain the above copyright 13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer. 14 * notice, this list of conditions and the following disclaimer.
15 * 15 *
16 * 2. Redistributions in binary form must reproduce the above copyright 16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in 17 * notice, this list of conditions and the following disclaimer in
@@ -80,20 +80,20 @@ EC_GFp_simple_method(void)
80 .group_get_curve = ec_GFp_simple_group_get_curve, 80 .group_get_curve = ec_GFp_simple_group_get_curve,
81 .group_get_degree = ec_GFp_simple_group_get_degree, 81 .group_get_degree = ec_GFp_simple_group_get_degree,
82 .group_check_discriminant = 82 .group_check_discriminant =
83 ec_GFp_simple_group_check_discriminant, 83 ec_GFp_simple_group_check_discriminant,
84 .point_init = ec_GFp_simple_point_init, 84 .point_init = ec_GFp_simple_point_init,
85 .point_finish = ec_GFp_simple_point_finish, 85 .point_finish = ec_GFp_simple_point_finish,
86 .point_clear_finish = ec_GFp_simple_point_clear_finish, 86 .point_clear_finish = ec_GFp_simple_point_clear_finish,
87 .point_copy = ec_GFp_simple_point_copy, 87 .point_copy = ec_GFp_simple_point_copy,
88 .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, 88 .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
89 .point_set_Jprojective_coordinates_GFp = 89 .point_set_Jprojective_coordinates_GFp =
90 ec_GFp_simple_set_Jprojective_coordinates_GFp, 90 ec_GFp_simple_set_Jprojective_coordinates_GFp,
91 .point_get_Jprojective_coordinates_GFp = 91 .point_get_Jprojective_coordinates_GFp =
92 ec_GFp_simple_get_Jprojective_coordinates_GFp, 92 ec_GFp_simple_get_Jprojective_coordinates_GFp,
93 .point_set_affine_coordinates = 93 .point_set_affine_coordinates =
94 ec_GFp_simple_point_set_affine_coordinates, 94 ec_GFp_simple_point_set_affine_coordinates,
95 .point_get_affine_coordinates = 95 .point_get_affine_coordinates =
96 ec_GFp_simple_point_get_affine_coordinates, 96 ec_GFp_simple_point_get_affine_coordinates,
97 .add = ec_GFp_simple_add, 97 .add = ec_GFp_simple_add,
98 .dbl = ec_GFp_simple_dbl, 98 .dbl = ec_GFp_simple_dbl,
99 .invert = ec_GFp_simple_invert, 99 .invert = ec_GFp_simple_invert,
@@ -124,212 +124,225 @@ EC_GFp_simple_method(void)
124 */ 124 */
125 125
126 126
127int ec_GFp_simple_group_init(EC_GROUP *group) 127int
128 { 128ec_GFp_simple_group_init(EC_GROUP * group)
129{
129 BN_init(&group->field); 130 BN_init(&group->field);
130 BN_init(&group->a); 131 BN_init(&group->a);
131 BN_init(&group->b); 132 BN_init(&group->b);
132 group->a_is_minus3 = 0; 133 group->a_is_minus3 = 0;
133 return 1; 134 return 1;
134 } 135}
135 136
136 137
137void ec_GFp_simple_group_finish(EC_GROUP *group) 138void
138 { 139ec_GFp_simple_group_finish(EC_GROUP * group)
140{
139 BN_free(&group->field); 141 BN_free(&group->field);
140 BN_free(&group->a); 142 BN_free(&group->a);
141 BN_free(&group->b); 143 BN_free(&group->b);
142 } 144}
143 145
144 146
145void ec_GFp_simple_group_clear_finish(EC_GROUP *group) 147void
146 { 148ec_GFp_simple_group_clear_finish(EC_GROUP * group)
149{
147 BN_clear_free(&group->field); 150 BN_clear_free(&group->field);
148 BN_clear_free(&group->a); 151 BN_clear_free(&group->a);
149 BN_clear_free(&group->b); 152 BN_clear_free(&group->b);
150 } 153}
151 154
152 155
153int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src) 156int
154 { 157ec_GFp_simple_group_copy(EC_GROUP * dest, const EC_GROUP * src)
155 if (!BN_copy(&dest->field, &src->field)) return 0; 158{
156 if (!BN_copy(&dest->a, &src->a)) return 0; 159 if (!BN_copy(&dest->field, &src->field))
157 if (!BN_copy(&dest->b, &src->b)) return 0; 160 return 0;
161 if (!BN_copy(&dest->a, &src->a))
162 return 0;
163 if (!BN_copy(&dest->b, &src->b))
164 return 0;
158 165
159 dest->a_is_minus3 = src->a_is_minus3; 166 dest->a_is_minus3 = src->a_is_minus3;
160 167
161 return 1; 168 return 1;
162 } 169}
163 170
164 171
165int ec_GFp_simple_group_set_curve(EC_GROUP *group, 172int
166 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 173ec_GFp_simple_group_set_curve(EC_GROUP * group,
167 { 174 const BIGNUM * p, const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx)
175{
168 int ret = 0; 176 int ret = 0;
169 BN_CTX *new_ctx = NULL; 177 BN_CTX *new_ctx = NULL;
170 BIGNUM *tmp_a; 178 BIGNUM *tmp_a;
171 179
172 /* p must be a prime > 3 */ 180 /* p must be a prime > 3 */
173 if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) 181 if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
174 {
175 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD); 182 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD);
176 return 0; 183 return 0;
177 } 184 }
178 185 if (ctx == NULL) {
179 if (ctx == NULL)
180 {
181 ctx = new_ctx = BN_CTX_new(); 186 ctx = new_ctx = BN_CTX_new();
182 if (ctx == NULL) 187 if (ctx == NULL)
183 return 0; 188 return 0;
184 } 189 }
185
186 BN_CTX_start(ctx); 190 BN_CTX_start(ctx);
187 tmp_a = BN_CTX_get(ctx); 191 tmp_a = BN_CTX_get(ctx);
188 if (tmp_a == NULL) goto err; 192 if (tmp_a == NULL)
193 goto err;
189 194
190 /* group->field */ 195 /* group->field */
191 if (!BN_copy(&group->field, p)) goto err; 196 if (!BN_copy(&group->field, p))
197 goto err;
192 BN_set_negative(&group->field, 0); 198 BN_set_negative(&group->field, 0);
193 199
194 /* group->a */ 200 /* group->a */
195 if (!BN_nnmod(tmp_a, a, p, ctx)) goto err; 201 if (!BN_nnmod(tmp_a, a, p, ctx))
196 if (group->meth->field_encode) 202 goto err;
197 { if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) goto err; } 203 if (group->meth->field_encode) {
198 else 204 if (!group->meth->field_encode(group, &group->a, tmp_a, ctx))
199 if (!BN_copy(&group->a, tmp_a)) goto err; 205 goto err;
200 206 } else if (!BN_copy(&group->a, tmp_a))
207 goto err;
208
201 /* group->b */ 209 /* group->b */
202 if (!BN_nnmod(&group->b, b, p, ctx)) goto err; 210 if (!BN_nnmod(&group->b, b, p, ctx))
211 goto err;
203 if (group->meth->field_encode) 212 if (group->meth->field_encode)
204 if (!group->meth->field_encode(group, &group->b, &group->b, ctx)) goto err; 213 if (!group->meth->field_encode(group, &group->b, &group->b, ctx))
205 214 goto err;
215
206 /* group->a_is_minus3 */ 216 /* group->a_is_minus3 */
207 if (!BN_add_word(tmp_a, 3)) goto err; 217 if (!BN_add_word(tmp_a, 3))
218 goto err;
208 group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field)); 219 group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
209 220
210 ret = 1; 221 ret = 1;
211 222
212 err: 223err:
213 BN_CTX_end(ctx); 224 BN_CTX_end(ctx);
214 if (new_ctx != NULL) 225 if (new_ctx != NULL)
215 BN_CTX_free(new_ctx); 226 BN_CTX_free(new_ctx);
216 return ret; 227 return ret;
217 } 228}
218 229
219 230
220int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) 231int
221 { 232ec_GFp_simple_group_get_curve(const EC_GROUP * group, BIGNUM * p, BIGNUM * a, BIGNUM * b, BN_CTX * ctx)
233{
222 int ret = 0; 234 int ret = 0;
223 BN_CTX *new_ctx = NULL; 235 BN_CTX *new_ctx = NULL;
224
225 if (p != NULL)
226 {
227 if (!BN_copy(p, &group->field)) return 0;
228 }
229 236
230 if (a != NULL || b != NULL) 237 if (p != NULL) {
231 { 238 if (!BN_copy(p, &group->field))
232 if (group->meth->field_decode) 239 return 0;
233 { 240 }
234 if (ctx == NULL) 241 if (a != NULL || b != NULL) {
235 { 242 if (group->meth->field_decode) {
243 if (ctx == NULL) {
236 ctx = new_ctx = BN_CTX_new(); 244 ctx = new_ctx = BN_CTX_new();
237 if (ctx == NULL) 245 if (ctx == NULL)
238 return 0; 246 return 0;
239 }
240 if (a != NULL)
241 {
242 if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
243 }
244 if (b != NULL)
245 {
246 if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
247 }
248 } 247 }
249 else 248 if (a != NULL) {
250 { 249 if (!group->meth->field_decode(group, a, &group->a, ctx))
251 if (a != NULL) 250 goto err;
252 { 251 }
253 if (!BN_copy(a, &group->a)) goto err; 252 if (b != NULL) {
254 } 253 if (!group->meth->field_decode(group, b, &group->b, ctx))
255 if (b != NULL) 254 goto err;
256 { 255 }
257 if (!BN_copy(b, &group->b)) goto err; 256 } else {
258 } 257 if (a != NULL) {
258 if (!BN_copy(a, &group->a))
259 goto err;
260 }
261 if (b != NULL) {
262 if (!BN_copy(b, &group->b))
263 goto err;
259 } 264 }
260 } 265 }
261 266 }
262 ret = 1; 267 ret = 1;
263 268
264 err: 269err:
265 if (new_ctx) 270 if (new_ctx)
266 BN_CTX_free(new_ctx); 271 BN_CTX_free(new_ctx);
267 return ret; 272 return ret;
268 } 273}
269 274
270 275
271int ec_GFp_simple_group_get_degree(const EC_GROUP *group) 276int
272 { 277ec_GFp_simple_group_get_degree(const EC_GROUP * group)
278{
273 return BN_num_bits(&group->field); 279 return BN_num_bits(&group->field);
274 } 280}
275 281
276 282
277int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx) 283int
278 { 284ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx)
285{
279 int ret = 0; 286 int ret = 0;
280 BIGNUM *a,*b,*order,*tmp_1,*tmp_2; 287 BIGNUM *a, *b, *order, *tmp_1, *tmp_2;
281 const BIGNUM *p = &group->field; 288 const BIGNUM *p = &group->field;
282 BN_CTX *new_ctx = NULL; 289 BN_CTX *new_ctx = NULL;
283 290
284 if (ctx == NULL) 291 if (ctx == NULL) {
285 {
286 ctx = new_ctx = BN_CTX_new(); 292 ctx = new_ctx = BN_CTX_new();
287 if (ctx == NULL) 293 if (ctx == NULL) {
288 {
289 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE); 294 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE);
290 goto err; 295 goto err;
291 }
292 } 296 }
297 }
293 BN_CTX_start(ctx); 298 BN_CTX_start(ctx);
294 a = BN_CTX_get(ctx); 299 a = BN_CTX_get(ctx);
295 b = BN_CTX_get(ctx); 300 b = BN_CTX_get(ctx);
296 tmp_1 = BN_CTX_get(ctx); 301 tmp_1 = BN_CTX_get(ctx);
297 tmp_2 = BN_CTX_get(ctx); 302 tmp_2 = BN_CTX_get(ctx);
298 order = BN_CTX_get(ctx); 303 order = BN_CTX_get(ctx);
299 if (order == NULL) goto err; 304 if (order == NULL)
305 goto err;
300 306
301 if (group->meth->field_decode) 307 if (group->meth->field_decode) {
302 { 308 if (!group->meth->field_decode(group, a, &group->a, ctx))
303 if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err; 309 goto err;
304 if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err; 310 if (!group->meth->field_decode(group, b, &group->b, ctx))
305 } 311 goto err;
306 else 312 } else {
307 { 313 if (!BN_copy(a, &group->a))
308 if (!BN_copy(a, &group->a)) goto err; 314 goto err;
309 if (!BN_copy(b, &group->b)) goto err; 315 if (!BN_copy(b, &group->b))
310 } 316 goto err;
311 317 }
312 /* check the discriminant: 318
313 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p) 319 /*
314 * 0 =< a, b < p */ 320 * check the discriminant: y^2 = x^3 + a*x + b is an elliptic curve
315 if (BN_is_zero(a)) 321 * <=> 4*a^3 + 27*b^2 != 0 (mod p) 0 =< a, b < p
316 { 322 */
317 if (BN_is_zero(b)) goto err; 323 if (BN_is_zero(a)) {
318 } 324 if (BN_is_zero(b))
319 else if (!BN_is_zero(b)) 325 goto err;
320 { 326 } else if (!BN_is_zero(b)) {
321 if (!BN_mod_sqr(tmp_1, a, p, ctx)) goto err; 327 if (!BN_mod_sqr(tmp_1, a, p, ctx))
322 if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx)) goto err; 328 goto err;
323 if (!BN_lshift(tmp_1, tmp_2, 2)) goto err; 329 if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx))
330 goto err;
331 if (!BN_lshift(tmp_1, tmp_2, 2))
332 goto err;
324 /* tmp_1 = 4*a^3 */ 333 /* tmp_1 = 4*a^3 */
325 334
326 if (!BN_mod_sqr(tmp_2, b, p, ctx)) goto err; 335 if (!BN_mod_sqr(tmp_2, b, p, ctx))
327 if (!BN_mul_word(tmp_2, 27)) goto err; 336 goto err;
337 if (!BN_mul_word(tmp_2, 27))
338 goto err;
328 /* tmp_2 = 27*b^2 */ 339 /* tmp_2 = 27*b^2 */
329 340
330 if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx)) goto err; 341 if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx))
331 if (BN_is_zero(a)) goto err; 342 goto err;
332 } 343 if (BN_is_zero(a))
344 goto err;
345 }
333 ret = 1; 346 ret = 1;
334 347
335err: 348err:
@@ -338,325 +351,312 @@ err:
338 if (new_ctx != NULL) 351 if (new_ctx != NULL)
339 BN_CTX_free(new_ctx); 352 BN_CTX_free(new_ctx);
340 return ret; 353 return ret;
341 } 354}
342 355
343 356
344int ec_GFp_simple_point_init(EC_POINT *point) 357int
345 { 358ec_GFp_simple_point_init(EC_POINT * point)
359{
346 BN_init(&point->X); 360 BN_init(&point->X);
347 BN_init(&point->Y); 361 BN_init(&point->Y);
348 BN_init(&point->Z); 362 BN_init(&point->Z);
349 point->Z_is_one = 0; 363 point->Z_is_one = 0;
350 364
351 return 1; 365 return 1;
352 } 366}
353 367
354 368
355void ec_GFp_simple_point_finish(EC_POINT *point) 369void
356 { 370ec_GFp_simple_point_finish(EC_POINT * point)
371{
357 BN_free(&point->X); 372 BN_free(&point->X);
358 BN_free(&point->Y); 373 BN_free(&point->Y);
359 BN_free(&point->Z); 374 BN_free(&point->Z);
360 } 375}
361 376
362 377
363void ec_GFp_simple_point_clear_finish(EC_POINT *point) 378void
364 { 379ec_GFp_simple_point_clear_finish(EC_POINT * point)
380{
365 BN_clear_free(&point->X); 381 BN_clear_free(&point->X);
366 BN_clear_free(&point->Y); 382 BN_clear_free(&point->Y);
367 BN_clear_free(&point->Z); 383 BN_clear_free(&point->Z);
368 point->Z_is_one = 0; 384 point->Z_is_one = 0;
369 } 385}
370 386
371 387
372int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) 388int
373 { 389ec_GFp_simple_point_copy(EC_POINT * dest, const EC_POINT * src)
374 if (!BN_copy(&dest->X, &src->X)) return 0; 390{
375 if (!BN_copy(&dest->Y, &src->Y)) return 0; 391 if (!BN_copy(&dest->X, &src->X))
376 if (!BN_copy(&dest->Z, &src->Z)) return 0; 392 return 0;
393 if (!BN_copy(&dest->Y, &src->Y))
394 return 0;
395 if (!BN_copy(&dest->Z, &src->Z))
396 return 0;
377 dest->Z_is_one = src->Z_is_one; 397 dest->Z_is_one = src->Z_is_one;
378 398
379 return 1; 399 return 1;
380 } 400}
381 401
382 402
383int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point) 403int
384 { 404ec_GFp_simple_point_set_to_infinity(const EC_GROUP * group, EC_POINT * point)
405{
385 point->Z_is_one = 0; 406 point->Z_is_one = 0;
386 BN_zero(&point->Z); 407 BN_zero(&point->Z);
387 return 1; 408 return 1;
388 } 409}
389 410
390 411
391int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, 412int
392 const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx) 413ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP * group, EC_POINT * point,
393 { 414 const BIGNUM * x, const BIGNUM * y, const BIGNUM * z, BN_CTX * ctx)
415{
394 BN_CTX *new_ctx = NULL; 416 BN_CTX *new_ctx = NULL;
395 int ret = 0; 417 int ret = 0;
396 418
397 if (ctx == NULL) 419 if (ctx == NULL) {
398 {
399 ctx = new_ctx = BN_CTX_new(); 420 ctx = new_ctx = BN_CTX_new();
400 if (ctx == NULL) 421 if (ctx == NULL)
401 return 0; 422 return 0;
423 }
424 if (x != NULL) {
425 if (!BN_nnmod(&point->X, x, &group->field, ctx))
426 goto err;
427 if (group->meth->field_encode) {
428 if (!group->meth->field_encode(group, &point->X, &point->X, ctx))
429 goto err;
402 } 430 }
403 431 }
404 if (x != NULL) 432 if (y != NULL) {
405 { 433 if (!BN_nnmod(&point->Y, y, &group->field, ctx))
406 if (!BN_nnmod(&point->X, x, &group->field, ctx)) goto err; 434 goto err;
407 if (group->meth->field_encode) 435 if (group->meth->field_encode) {
408 { 436 if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx))
409 if (!group->meth->field_encode(group, &point->X, &point->X, ctx)) goto err; 437 goto err;
410 }
411 }
412
413 if (y != NULL)
414 {
415 if (!BN_nnmod(&point->Y, y, &group->field, ctx)) goto err;
416 if (group->meth->field_encode)
417 {
418 if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx)) goto err;
419 }
420 } 438 }
421 439 }
422 if (z != NULL) 440 if (z != NULL) {
423 {
424 int Z_is_one; 441 int Z_is_one;
425 442
426 if (!BN_nnmod(&point->Z, z, &group->field, ctx)) goto err; 443 if (!BN_nnmod(&point->Z, z, &group->field, ctx))
444 goto err;
427 Z_is_one = BN_is_one(&point->Z); 445 Z_is_one = BN_is_one(&point->Z);
428 if (group->meth->field_encode) 446 if (group->meth->field_encode) {
429 { 447 if (Z_is_one && (group->meth->field_set_to_one != 0)) {
430 if (Z_is_one && (group->meth->field_set_to_one != 0)) 448 if (!group->meth->field_set_to_one(group, &point->Z, ctx))
431 { 449 goto err;
432 if (!group->meth->field_set_to_one(group, &point->Z, ctx)) goto err; 450 } else {
433 } 451 if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx))
434 else 452 goto err;
435 {
436 if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) goto err;
437 }
438 } 453 }
439 point->Z_is_one = Z_is_one;
440 } 454 }
441 455 point->Z_is_one = Z_is_one;
456 }
442 ret = 1; 457 ret = 1;
443 458
444 err: 459err:
445 if (new_ctx != NULL) 460 if (new_ctx != NULL)
446 BN_CTX_free(new_ctx); 461 BN_CTX_free(new_ctx);
447 return ret; 462 return ret;
448 } 463}
449 464
450 465
451int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point, 466int
452 BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx) 467ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP * group, const EC_POINT * point,
453 { 468 BIGNUM * x, BIGNUM * y, BIGNUM * z, BN_CTX * ctx)
469{
454 BN_CTX *new_ctx = NULL; 470 BN_CTX *new_ctx = NULL;
455 int ret = 0; 471 int ret = 0;
456 472
457 if (group->meth->field_decode != 0) 473 if (group->meth->field_decode != 0) {
458 { 474 if (ctx == NULL) {
459 if (ctx == NULL)
460 {
461 ctx = new_ctx = BN_CTX_new(); 475 ctx = new_ctx = BN_CTX_new();
462 if (ctx == NULL) 476 if (ctx == NULL)
463 return 0; 477 return 0;
464 }
465
466 if (x != NULL)
467 {
468 if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
469 }
470 if (y != NULL)
471 {
472 if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
473 }
474 if (z != NULL)
475 {
476 if (!group->meth->field_decode(group, z, &point->Z, ctx)) goto err;
477 }
478 } 478 }
479 else 479 if (x != NULL) {
480 { 480 if (!group->meth->field_decode(group, x, &point->X, ctx))
481 if (x != NULL) 481 goto err;
482 { 482 }
483 if (!BN_copy(x, &point->X)) goto err; 483 if (y != NULL) {
484 } 484 if (!group->meth->field_decode(group, y, &point->Y, ctx))
485 if (y != NULL) 485 goto err;
486 { 486 }
487 if (!BN_copy(y, &point->Y)) goto err; 487 if (z != NULL) {
488 } 488 if (!group->meth->field_decode(group, z, &point->Z, ctx))
489 if (z != NULL) 489 goto err;
490 { 490 }
491 if (!BN_copy(z, &point->Z)) goto err; 491 } else {
492 } 492 if (x != NULL) {
493 if (!BN_copy(x, &point->X))
494 goto err;
493 } 495 }
494 496 if (y != NULL) {
497 if (!BN_copy(y, &point->Y))
498 goto err;
499 }
500 if (z != NULL) {
501 if (!BN_copy(z, &point->Z))
502 goto err;
503 }
504 }
505
495 ret = 1; 506 ret = 1;
496 507
497 err: 508err:
498 if (new_ctx != NULL) 509 if (new_ctx != NULL)
499 BN_CTX_free(new_ctx); 510 BN_CTX_free(new_ctx);
500 return ret; 511 return ret;
501 } 512}
502 513
503 514
504int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point, 515int
505 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) 516ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * point,
506 { 517 const BIGNUM * x, const BIGNUM * y, BN_CTX * ctx)
507 if (x == NULL || y == NULL) 518{
508 { 519 if (x == NULL || y == NULL) {
509 /* unlike for projective coordinates, we do not tolerate this */ 520 /* unlike for projective coordinates, we do not tolerate this */
510 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES, ERR_R_PASSED_NULL_PARAMETER); 521 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES, ERR_R_PASSED_NULL_PARAMETER);
511 return 0; 522 return 0;
512 }
513
514 return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
515 } 523 }
524 return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
525}
516 526
517 527
518int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, 528int
519 BIGNUM *x, BIGNUM *y, BN_CTX *ctx) 529ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POINT * point,
520 { 530 BIGNUM * x, BIGNUM * y, BN_CTX * ctx)
531{
521 BN_CTX *new_ctx = NULL; 532 BN_CTX *new_ctx = NULL;
522 BIGNUM *Z, *Z_1, *Z_2, *Z_3; 533 BIGNUM *Z, *Z_1, *Z_2, *Z_3;
523 const BIGNUM *Z_; 534 const BIGNUM *Z_;
524 int ret = 0; 535 int ret = 0;
525 536
526 if (EC_POINT_is_at_infinity(group, point)) 537 if (EC_POINT_is_at_infinity(group, point)) {
527 {
528 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY); 538 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY);
529 return 0; 539 return 0;
530 } 540 }
531 541 if (ctx == NULL) {
532 if (ctx == NULL)
533 {
534 ctx = new_ctx = BN_CTX_new(); 542 ctx = new_ctx = BN_CTX_new();
535 if (ctx == NULL) 543 if (ctx == NULL)
536 return 0; 544 return 0;
537 } 545 }
538
539 BN_CTX_start(ctx); 546 BN_CTX_start(ctx);
540 Z = BN_CTX_get(ctx); 547 Z = BN_CTX_get(ctx);
541 Z_1 = BN_CTX_get(ctx); 548 Z_1 = BN_CTX_get(ctx);
542 Z_2 = BN_CTX_get(ctx); 549 Z_2 = BN_CTX_get(ctx);
543 Z_3 = BN_CTX_get(ctx); 550 Z_3 = BN_CTX_get(ctx);
544 if (Z_3 == NULL) goto err; 551 if (Z_3 == NULL)
552 goto err;
545 553
546 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */ 554 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
547 555
548 if (group->meth->field_decode) 556 if (group->meth->field_decode) {
549 { 557 if (!group->meth->field_decode(group, Z, &point->Z, ctx))
550 if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err; 558 goto err;
551 Z_ = Z; 559 Z_ = Z;
552 } 560 } else {
553 else
554 {
555 Z_ = &point->Z; 561 Z_ = &point->Z;
556 } 562 }
557 563
558 if (BN_is_one(Z_)) 564 if (BN_is_one(Z_)) {
559 { 565 if (group->meth->field_decode) {
560 if (group->meth->field_decode) 566 if (x != NULL) {
561 { 567 if (!group->meth->field_decode(group, x, &point->X, ctx))
562 if (x != NULL) 568 goto err;
563 {
564 if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
565 }
566 if (y != NULL)
567 {
568 if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
569 }
570 } 569 }
571 else 570 if (y != NULL) {
572 { 571 if (!group->meth->field_decode(group, y, &point->Y, ctx))
573 if (x != NULL) 572 goto err;
574 { 573 }
575 if (!BN_copy(x, &point->X)) goto err; 574 } else {
576 } 575 if (x != NULL) {
577 if (y != NULL) 576 if (!BN_copy(x, &point->X))
578 { 577 goto err;
579 if (!BN_copy(y, &point->Y)) goto err; 578 }
580 } 579 if (y != NULL) {
580 if (!BN_copy(y, &point->Y))
581 goto err;
581 } 582 }
582 } 583 }
583 else 584 } else {
584 { 585 if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx)) {
585 if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx))
586 {
587 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB); 586 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);
588 goto err; 587 goto err;
589 } 588 }
590 589 if (group->meth->field_encode == 0) {
591 if (group->meth->field_encode == 0)
592 {
593 /* field_sqr works on standard representation */ 590 /* field_sqr works on standard representation */
594 if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) goto err; 591 if (!group->meth->field_sqr(group, Z_2, Z_1, ctx))
595 } 592 goto err;
596 else 593 } else {
597 { 594 if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx))
598 if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) goto err; 595 goto err;
599 } 596 }
600
601 if (x != NULL)
602 {
603 /* in the Montgomery case, field_mul will cancel out Montgomery factor in X: */
604 if (!group->meth->field_mul(group, x, &point->X, Z_2, ctx)) goto err;
605 }
606 597
607 if (y != NULL) 598 if (x != NULL) {
608 { 599 /*
609 if (group->meth->field_encode == 0) 600 * in the Montgomery case, field_mul will cancel out
610 { 601 * Montgomery factor in X:
602 */
603 if (!group->meth->field_mul(group, x, &point->X, Z_2, ctx))
604 goto err;
605 }
606 if (y != NULL) {
607 if (group->meth->field_encode == 0) {
611 /* field_mul works on standard representation */ 608 /* field_mul works on standard representation */
612 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err; 609 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx))
613 } 610 goto err;
614 else 611 } else {
615 { 612 if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx))
616 if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err; 613 goto err;
617 }
618
619 /* in the Montgomery case, field_mul will cancel out Montgomery factor in Y: */
620 if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx)) goto err;
621 } 614 }
615
616 /*
617 * in the Montgomery case, field_mul will cancel out
618 * Montgomery factor in Y:
619 */
620 if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx))
621 goto err;
622 } 622 }
623 }
623 624
624 ret = 1; 625 ret = 1;
625 626
626 err: 627err:
627 BN_CTX_end(ctx); 628 BN_CTX_end(ctx);
628 if (new_ctx != NULL) 629 if (new_ctx != NULL)
629 BN_CTX_free(new_ctx); 630 BN_CTX_free(new_ctx);
630 return ret; 631 return ret;
631 } 632}
632 633
633int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) 634int
634 { 635ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx)
635 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); 636{
636 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); 637 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
638 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
637 const BIGNUM *p; 639 const BIGNUM *p;
638 BN_CTX *new_ctx = NULL; 640 BN_CTX *new_ctx = NULL;
639 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6; 641 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
640 int ret = 0; 642 int ret = 0;
641 643
642 if (a == b) 644 if (a == b)
643 return EC_POINT_dbl(group, r, a, ctx); 645 return EC_POINT_dbl(group, r, a, ctx);
644 if (EC_POINT_is_at_infinity(group, a)) 646 if (EC_POINT_is_at_infinity(group, a))
645 return EC_POINT_copy(r, b); 647 return EC_POINT_copy(r, b);
646 if (EC_POINT_is_at_infinity(group, b)) 648 if (EC_POINT_is_at_infinity(group, b))
647 return EC_POINT_copy(r, a); 649 return EC_POINT_copy(r, a);
648 650
649 field_mul = group->meth->field_mul; 651 field_mul = group->meth->field_mul;
650 field_sqr = group->meth->field_sqr; 652 field_sqr = group->meth->field_sqr;
651 p = &group->field; 653 p = &group->field;
652 654
653 if (ctx == NULL) 655 if (ctx == NULL) {
654 {
655 ctx = new_ctx = BN_CTX_new(); 656 ctx = new_ctx = BN_CTX_new();
656 if (ctx == NULL) 657 if (ctx == NULL)
657 return 0; 658 return 0;
658 } 659 }
659
660 BN_CTX_start(ctx); 660 BN_CTX_start(ctx);
661 n0 = BN_CTX_get(ctx); 661 n0 = BN_CTX_get(ctx);
662 n1 = BN_CTX_get(ctx); 662 n1 = BN_CTX_get(ctx);
@@ -665,272 +665,321 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, con
665 n4 = BN_CTX_get(ctx); 665 n4 = BN_CTX_get(ctx);
666 n5 = BN_CTX_get(ctx); 666 n5 = BN_CTX_get(ctx);
667 n6 = BN_CTX_get(ctx); 667 n6 = BN_CTX_get(ctx);
668 if (n6 == NULL) goto end; 668 if (n6 == NULL)
669 goto end;
669 670
670 /* Note that in this function we must not read components of 'a' or 'b' 671 /*
671 * once we have written the corresponding components of 'r'. 672 * Note that in this function we must not read components of 'a' or
672 * ('r' might be one of 'a' or 'b'.) 673 * 'b' once we have written the corresponding components of 'r'. ('r'
674 * might be one of 'a' or 'b'.)
673 */ 675 */
674 676
675 /* n1, n2 */ 677 /* n1, n2 */
676 if (b->Z_is_one) 678 if (b->Z_is_one) {
677 { 679 if (!BN_copy(n1, &a->X))
678 if (!BN_copy(n1, &a->X)) goto end; 680 goto end;
679 if (!BN_copy(n2, &a->Y)) goto end; 681 if (!BN_copy(n2, &a->Y))
682 goto end;
680 /* n1 = X_a */ 683 /* n1 = X_a */
681 /* n2 = Y_a */ 684 /* n2 = Y_a */
682 } 685 } else {
683 else 686 if (!field_sqr(group, n0, &b->Z, ctx))
684 { 687 goto end;
685 if (!field_sqr(group, n0, &b->Z, ctx)) goto end; 688 if (!field_mul(group, n1, &a->X, n0, ctx))
686 if (!field_mul(group, n1, &a->X, n0, ctx)) goto end; 689 goto end;
687 /* n1 = X_a * Z_b^2 */ 690 /* n1 = X_a * Z_b^2 */
688 691
689 if (!field_mul(group, n0, n0, &b->Z, ctx)) goto end; 692 if (!field_mul(group, n0, n0, &b->Z, ctx))
690 if (!field_mul(group, n2, &a->Y, n0, ctx)) goto end; 693 goto end;
694 if (!field_mul(group, n2, &a->Y, n0, ctx))
695 goto end;
691 /* n2 = Y_a * Z_b^3 */ 696 /* n2 = Y_a * Z_b^3 */
692 } 697 }
693 698
694 /* n3, n4 */ 699 /* n3, n4 */
695 if (a->Z_is_one) 700 if (a->Z_is_one) {
696 { 701 if (!BN_copy(n3, &b->X))
697 if (!BN_copy(n3, &b->X)) goto end; 702 goto end;
698 if (!BN_copy(n4, &b->Y)) goto end; 703 if (!BN_copy(n4, &b->Y))
704 goto end;
699 /* n3 = X_b */ 705 /* n3 = X_b */
700 /* n4 = Y_b */ 706 /* n4 = Y_b */
701 } 707 } else {
702 else 708 if (!field_sqr(group, n0, &a->Z, ctx))
703 { 709 goto end;
704 if (!field_sqr(group, n0, &a->Z, ctx)) goto end; 710 if (!field_mul(group, n3, &b->X, n0, ctx))
705 if (!field_mul(group, n3, &b->X, n0, ctx)) goto end; 711 goto end;
706 /* n3 = X_b * Z_a^2 */ 712 /* n3 = X_b * Z_a^2 */
707 713
708 if (!field_mul(group, n0, n0, &a->Z, ctx)) goto end; 714 if (!field_mul(group, n0, n0, &a->Z, ctx))
709 if (!field_mul(group, n4, &b->Y, n0, ctx)) goto end; 715 goto end;
716 if (!field_mul(group, n4, &b->Y, n0, ctx))
717 goto end;
710 /* n4 = Y_b * Z_a^3 */ 718 /* n4 = Y_b * Z_a^3 */
711 } 719 }
712 720
713 /* n5, n6 */ 721 /* n5, n6 */
714 if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end; 722 if (!BN_mod_sub_quick(n5, n1, n3, p))
715 if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end; 723 goto end;
724 if (!BN_mod_sub_quick(n6, n2, n4, p))
725 goto end;
716 /* n5 = n1 - n3 */ 726 /* n5 = n1 - n3 */
717 /* n6 = n2 - n4 */ 727 /* n6 = n2 - n4 */
718 728
719 if (BN_is_zero(n5)) 729 if (BN_is_zero(n5)) {
720 { 730 if (BN_is_zero(n6)) {
721 if (BN_is_zero(n6))
722 {
723 /* a is the same point as b */ 731 /* a is the same point as b */
724 BN_CTX_end(ctx); 732 BN_CTX_end(ctx);
725 ret = EC_POINT_dbl(group, r, a, ctx); 733 ret = EC_POINT_dbl(group, r, a, ctx);
726 ctx = NULL; 734 ctx = NULL;
727 goto end; 735 goto end;
728 } 736 } else {
729 else
730 {
731 /* a is the inverse of b */ 737 /* a is the inverse of b */
732 BN_zero(&r->Z); 738 BN_zero(&r->Z);
733 r->Z_is_one = 0; 739 r->Z_is_one = 0;
734 ret = 1; 740 ret = 1;
735 goto end; 741 goto end;
736 }
737 } 742 }
738 743 }
739 /* 'n7', 'n8' */ 744 /* 'n7', 'n8' */
740 if (!BN_mod_add_quick(n1, n1, n3, p)) goto end; 745 if (!BN_mod_add_quick(n1, n1, n3, p))
741 if (!BN_mod_add_quick(n2, n2, n4, p)) goto end; 746 goto end;
747 if (!BN_mod_add_quick(n2, n2, n4, p))
748 goto end;
742 /* 'n7' = n1 + n3 */ 749 /* 'n7' = n1 + n3 */
743 /* 'n8' = n2 + n4 */ 750 /* 'n8' = n2 + n4 */
744 751
745 /* Z_r */ 752 /* Z_r */
746 if (a->Z_is_one && b->Z_is_one) 753 if (a->Z_is_one && b->Z_is_one) {
747 { 754 if (!BN_copy(&r->Z, n5))
748 if (!BN_copy(&r->Z, n5)) goto end; 755 goto end;
749 } 756 } else {
750 else 757 if (a->Z_is_one) {
751 { 758 if (!BN_copy(n0, &b->Z))
752 if (a->Z_is_one) 759 goto end;
753 { if (!BN_copy(n0, &b->Z)) goto end; } 760 } else if (b->Z_is_one) {
754 else if (b->Z_is_one) 761 if (!BN_copy(n0, &a->Z))
755 { if (!BN_copy(n0, &a->Z)) goto end; } 762 goto end;
756 else 763 } else {
757 { if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) goto end; } 764 if (!field_mul(group, n0, &a->Z, &b->Z, ctx))
758 if (!field_mul(group, &r->Z, n0, n5, ctx)) goto end; 765 goto end;
759 } 766 }
767 if (!field_mul(group, &r->Z, n0, n5, ctx))
768 goto end;
769 }
760 r->Z_is_one = 0; 770 r->Z_is_one = 0;
761 /* Z_r = Z_a * Z_b * n5 */ 771 /* Z_r = Z_a * Z_b * n5 */
762 772
763 /* X_r */ 773 /* X_r */
764 if (!field_sqr(group, n0, n6, ctx)) goto end; 774 if (!field_sqr(group, n0, n6, ctx))
765 if (!field_sqr(group, n4, n5, ctx)) goto end; 775 goto end;
766 if (!field_mul(group, n3, n1, n4, ctx)) goto end; 776 if (!field_sqr(group, n4, n5, ctx))
767 if (!BN_mod_sub_quick(&r->X, n0, n3, p)) goto end; 777 goto end;
778 if (!field_mul(group, n3, n1, n4, ctx))
779 goto end;
780 if (!BN_mod_sub_quick(&r->X, n0, n3, p))
781 goto end;
768 /* X_r = n6^2 - n5^2 * 'n7' */ 782 /* X_r = n6^2 - n5^2 * 'n7' */
769 783
770 /* 'n9' */ 784 /* 'n9' */
771 if (!BN_mod_lshift1_quick(n0, &r->X, p)) goto end; 785 if (!BN_mod_lshift1_quick(n0, &r->X, p))
772 if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end; 786 goto end;
787 if (!BN_mod_sub_quick(n0, n3, n0, p))
788 goto end;
773 /* n9 = n5^2 * 'n7' - 2 * X_r */ 789 /* n9 = n5^2 * 'n7' - 2 * X_r */
774 790
775 /* Y_r */ 791 /* Y_r */
776 if (!field_mul(group, n0, n0, n6, ctx)) goto end; 792 if (!field_mul(group, n0, n0, n6, ctx))
777 if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */ 793 goto end;
778 if (!field_mul(group, n1, n2, n5, ctx)) goto end; 794 if (!field_mul(group, n5, n4, n5, ctx))
779 if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end; 795 goto end; /* now n5 is n5^3 */
796 if (!field_mul(group, n1, n2, n5, ctx))
797 goto end;
798 if (!BN_mod_sub_quick(n0, n0, n1, p))
799 goto end;
780 if (BN_is_odd(n0)) 800 if (BN_is_odd(n0))
781 if (!BN_add(n0, n0, p)) goto end; 801 if (!BN_add(n0, n0, p))
802 goto end;
782 /* now 0 <= n0 < 2*p, and n0 is even */ 803 /* now 0 <= n0 < 2*p, and n0 is even */
783 if (!BN_rshift1(&r->Y, n0)) goto end; 804 if (!BN_rshift1(&r->Y, n0))
805 goto end;
784 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */ 806 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
785 807
786 ret = 1; 808 ret = 1;
787 809
788 end: 810end:
789 if (ctx) /* otherwise we already called BN_CTX_end */ 811 if (ctx) /* otherwise we already called BN_CTX_end */
790 BN_CTX_end(ctx); 812 BN_CTX_end(ctx);
791 if (new_ctx != NULL) 813 if (new_ctx != NULL)
792 BN_CTX_free(new_ctx); 814 BN_CTX_free(new_ctx);
793 return ret; 815 return ret;
794 } 816}
795 817
796 818
797int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) 819int
798 { 820ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_CTX * ctx)
799 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); 821{
800 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); 822 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
823 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
801 const BIGNUM *p; 824 const BIGNUM *p;
802 BN_CTX *new_ctx = NULL; 825 BN_CTX *new_ctx = NULL;
803 BIGNUM *n0, *n1, *n2, *n3; 826 BIGNUM *n0, *n1, *n2, *n3;
804 int ret = 0; 827 int ret = 0;
805 828
806 if (EC_POINT_is_at_infinity(group, a)) 829 if (EC_POINT_is_at_infinity(group, a)) {
807 {
808 BN_zero(&r->Z); 830 BN_zero(&r->Z);
809 r->Z_is_one = 0; 831 r->Z_is_one = 0;
810 return 1; 832 return 1;
811 } 833 }
812
813 field_mul = group->meth->field_mul; 834 field_mul = group->meth->field_mul;
814 field_sqr = group->meth->field_sqr; 835 field_sqr = group->meth->field_sqr;
815 p = &group->field; 836 p = &group->field;
816 837
817 if (ctx == NULL) 838 if (ctx == NULL) {
818 {
819 ctx = new_ctx = BN_CTX_new(); 839 ctx = new_ctx = BN_CTX_new();
820 if (ctx == NULL) 840 if (ctx == NULL)
821 return 0; 841 return 0;
822 } 842 }
823
824 BN_CTX_start(ctx); 843 BN_CTX_start(ctx);
825 n0 = BN_CTX_get(ctx); 844 n0 = BN_CTX_get(ctx);
826 n1 = BN_CTX_get(ctx); 845 n1 = BN_CTX_get(ctx);
827 n2 = BN_CTX_get(ctx); 846 n2 = BN_CTX_get(ctx);
828 n3 = BN_CTX_get(ctx); 847 n3 = BN_CTX_get(ctx);
829 if (n3 == NULL) goto err; 848 if (n3 == NULL)
849 goto err;
830 850
831 /* Note that in this function we must not read components of 'a' 851 /*
832 * once we have written the corresponding components of 'r'. 852 * Note that in this function we must not read components of 'a' once
833 * ('r' might the same as 'a'.) 853 * we have written the corresponding components of 'r'. ('r' might
854 * the same as 'a'.)
834 */ 855 */
835 856
836 /* n1 */ 857 /* n1 */
837 if (a->Z_is_one) 858 if (a->Z_is_one) {
838 { 859 if (!field_sqr(group, n0, &a->X, ctx))
839 if (!field_sqr(group, n0, &a->X, ctx)) goto err; 860 goto err;
840 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err; 861 if (!BN_mod_lshift1_quick(n1, n0, p))
841 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err; 862 goto err;
842 if (!BN_mod_add_quick(n1, n0, &group->a, p)) goto err; 863 if (!BN_mod_add_quick(n0, n0, n1, p))
864 goto err;
865 if (!BN_mod_add_quick(n1, n0, &group->a, p))
866 goto err;
843 /* n1 = 3 * X_a^2 + a_curve */ 867 /* n1 = 3 * X_a^2 + a_curve */
844 } 868 } else if (group->a_is_minus3) {
845 else if (group->a_is_minus3) 869 if (!field_sqr(group, n1, &a->Z, ctx))
846 { 870 goto err;
847 if (!field_sqr(group, n1, &a->Z, ctx)) goto err; 871 if (!BN_mod_add_quick(n0, &a->X, n1, p))
848 if (!BN_mod_add_quick(n0, &a->X, n1, p)) goto err; 872 goto err;
849 if (!BN_mod_sub_quick(n2, &a->X, n1, p)) goto err; 873 if (!BN_mod_sub_quick(n2, &a->X, n1, p))
850 if (!field_mul(group, n1, n0, n2, ctx)) goto err; 874 goto err;
851 if (!BN_mod_lshift1_quick(n0, n1, p)) goto err; 875 if (!field_mul(group, n1, n0, n2, ctx))
852 if (!BN_mod_add_quick(n1, n0, n1, p)) goto err; 876 goto err;
853 /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2) 877 if (!BN_mod_lshift1_quick(n0, n1, p))
854 * = 3 * X_a^2 - 3 * Z_a^4 */ 878 goto err;
855 } 879 if (!BN_mod_add_quick(n1, n0, n1, p))
856 else 880 goto err;
857 { 881 /*
858 if (!field_sqr(group, n0, &a->X, ctx)) goto err; 882 * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2) = 3 * X_a^2 - 3 *
859 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err; 883 * Z_a^4
860 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err; 884 */
861 if (!field_sqr(group, n1, &a->Z, ctx)) goto err; 885 } else {
862 if (!field_sqr(group, n1, n1, ctx)) goto err; 886 if (!field_sqr(group, n0, &a->X, ctx))
863 if (!field_mul(group, n1, n1, &group->a, ctx)) goto err; 887 goto err;
864 if (!BN_mod_add_quick(n1, n1, n0, p)) goto err; 888 if (!BN_mod_lshift1_quick(n1, n0, p))
889 goto err;
890 if (!BN_mod_add_quick(n0, n0, n1, p))
891 goto err;
892 if (!field_sqr(group, n1, &a->Z, ctx))
893 goto err;
894 if (!field_sqr(group, n1, n1, ctx))
895 goto err;
896 if (!field_mul(group, n1, n1, &group->a, ctx))
897 goto err;
898 if (!BN_mod_add_quick(n1, n1, n0, p))
899 goto err;
865 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */ 900 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
866 } 901 }
867 902
868 /* Z_r */ 903 /* Z_r */
869 if (a->Z_is_one) 904 if (a->Z_is_one) {
870 { 905 if (!BN_copy(n0, &a->Y))
871 if (!BN_copy(n0, &a->Y)) goto err; 906 goto err;
872 } 907 } else {
873 else 908 if (!field_mul(group, n0, &a->Y, &a->Z, ctx))
874 { 909 goto err;
875 if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) goto err; 910 }
876 } 911 if (!BN_mod_lshift1_quick(&r->Z, n0, p))
877 if (!BN_mod_lshift1_quick(&r->Z, n0, p)) goto err; 912 goto err;
878 r->Z_is_one = 0; 913 r->Z_is_one = 0;
879 /* Z_r = 2 * Y_a * Z_a */ 914 /* Z_r = 2 * Y_a * Z_a */
880 915
881 /* n2 */ 916 /* n2 */
882 if (!field_sqr(group, n3, &a->Y, ctx)) goto err; 917 if (!field_sqr(group, n3, &a->Y, ctx))
883 if (!field_mul(group, n2, &a->X, n3, ctx)) goto err; 918 goto err;
884 if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err; 919 if (!field_mul(group, n2, &a->X, n3, ctx))
920 goto err;
921 if (!BN_mod_lshift_quick(n2, n2, 2, p))
922 goto err;
885 /* n2 = 4 * X_a * Y_a^2 */ 923 /* n2 = 4 * X_a * Y_a^2 */
886 924
887 /* X_r */ 925 /* X_r */
888 if (!BN_mod_lshift1_quick(n0, n2, p)) goto err; 926 if (!BN_mod_lshift1_quick(n0, n2, p))
889 if (!field_sqr(group, &r->X, n1, ctx)) goto err; 927 goto err;
890 if (!BN_mod_sub_quick(&r->X, &r->X, n0, p)) goto err; 928 if (!field_sqr(group, &r->X, n1, ctx))
929 goto err;
930 if (!BN_mod_sub_quick(&r->X, &r->X, n0, p))
931 goto err;
891 /* X_r = n1^2 - 2 * n2 */ 932 /* X_r = n1^2 - 2 * n2 */
892 933
893 /* n3 */ 934 /* n3 */
894 if (!field_sqr(group, n0, n3, ctx)) goto err; 935 if (!field_sqr(group, n0, n3, ctx))
895 if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err; 936 goto err;
937 if (!BN_mod_lshift_quick(n3, n0, 3, p))
938 goto err;
896 /* n3 = 8 * Y_a^4 */ 939 /* n3 = 8 * Y_a^4 */
897 940
898 /* Y_r */ 941 /* Y_r */
899 if (!BN_mod_sub_quick(n0, n2, &r->X, p)) goto err; 942 if (!BN_mod_sub_quick(n0, n2, &r->X, p))
900 if (!field_mul(group, n0, n1, n0, ctx)) goto err; 943 goto err;
901 if (!BN_mod_sub_quick(&r->Y, n0, n3, p)) goto err; 944 if (!field_mul(group, n0, n1, n0, ctx))
945 goto err;
946 if (!BN_mod_sub_quick(&r->Y, n0, n3, p))
947 goto err;
902 /* Y_r = n1 * (n2 - X_r) - n3 */ 948 /* Y_r = n1 * (n2 - X_r) - n3 */
903 949
904 ret = 1; 950 ret = 1;
905 951
906 err: 952err:
907 BN_CTX_end(ctx); 953 BN_CTX_end(ctx);
908 if (new_ctx != NULL) 954 if (new_ctx != NULL)
909 BN_CTX_free(new_ctx); 955 BN_CTX_free(new_ctx);
910 return ret; 956 return ret;
911 } 957}
912 958
913 959
914int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) 960int
915 { 961ec_GFp_simple_invert(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx)
962{
916 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y)) 963 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
917 /* point is its own inverse */ 964 /* point is its own inverse */
918 return 1; 965 return 1;
919 966
920 return BN_usub(&point->Y, &group->field, &point->Y); 967 return BN_usub(&point->Y, &group->field, &point->Y);
921 } 968}
922 969
923 970
924int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) 971int
925 { 972ec_GFp_simple_is_at_infinity(const EC_GROUP * group, const EC_POINT * point)
973{
926 return BN_is_zero(&point->Z); 974 return BN_is_zero(&point->Z);
927 } 975}
928 976
929 977
930int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx) 978int
931 { 979ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX * ctx)
932 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); 980{
933 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); 981 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
982 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
934 const BIGNUM *p; 983 const BIGNUM *p;
935 BN_CTX *new_ctx = NULL; 984 BN_CTX *new_ctx = NULL;
936 BIGNUM *rh, *tmp, *Z4, *Z6; 985 BIGNUM *rh, *tmp, *Z4, *Z6;
@@ -938,199 +987,200 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_C
938 987
939 if (EC_POINT_is_at_infinity(group, point)) 988 if (EC_POINT_is_at_infinity(group, point))
940 return 1; 989 return 1;
941 990
942 field_mul = group->meth->field_mul; 991 field_mul = group->meth->field_mul;
943 field_sqr = group->meth->field_sqr; 992 field_sqr = group->meth->field_sqr;
944 p = &group->field; 993 p = &group->field;
945 994
946 if (ctx == NULL) 995 if (ctx == NULL) {
947 {
948 ctx = new_ctx = BN_CTX_new(); 996 ctx = new_ctx = BN_CTX_new();
949 if (ctx == NULL) 997 if (ctx == NULL)
950 return -1; 998 return -1;
951 } 999 }
952
953 BN_CTX_start(ctx); 1000 BN_CTX_start(ctx);
954 rh = BN_CTX_get(ctx); 1001 rh = BN_CTX_get(ctx);
955 tmp = BN_CTX_get(ctx); 1002 tmp = BN_CTX_get(ctx);
956 Z4 = BN_CTX_get(ctx); 1003 Z4 = BN_CTX_get(ctx);
957 Z6 = BN_CTX_get(ctx); 1004 Z6 = BN_CTX_get(ctx);
958 if (Z6 == NULL) goto err; 1005 if (Z6 == NULL)
959 1006 goto err;
960 /* We have a curve defined by a Weierstrass equation 1007
961 * y^2 = x^3 + a*x + b. 1008 /*
962 * The point to consider is given in Jacobian projective coordinates 1009 * We have a curve defined by a Weierstrass equation y^2 = x^3 + a*x
963 * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3). 1010 * + b. The point to consider is given in Jacobian projective
964 * Substituting this and multiplying by Z^6 transforms the above equation into 1011 * coordinates where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
965 * Y^2 = X^3 + a*X*Z^4 + b*Z^6. 1012 * Substituting this and multiplying by Z^6 transforms the above
966 * To test this, we add up the right-hand side in 'rh'. 1013 * equation into Y^2 = X^3 + a*X*Z^4 + b*Z^6. To test this, we add up
1014 * the right-hand side in 'rh'.
967 */ 1015 */
968 1016
969 /* rh := X^2 */ 1017 /* rh := X^2 */
970 if (!field_sqr(group, rh, &point->X, ctx)) goto err; 1018 if (!field_sqr(group, rh, &point->X, ctx))
1019 goto err;
971 1020
972 if (!point->Z_is_one) 1021 if (!point->Z_is_one) {
973 { 1022 if (!field_sqr(group, tmp, &point->Z, ctx))
974 if (!field_sqr(group, tmp, &point->Z, ctx)) goto err; 1023 goto err;
975 if (!field_sqr(group, Z4, tmp, ctx)) goto err; 1024 if (!field_sqr(group, Z4, tmp, ctx))
976 if (!field_mul(group, Z6, Z4, tmp, ctx)) goto err; 1025 goto err;
1026 if (!field_mul(group, Z6, Z4, tmp, ctx))
1027 goto err;
977 1028
978 /* rh := (rh + a*Z^4)*X */ 1029 /* rh := (rh + a*Z^4)*X */
979 if (group->a_is_minus3) 1030 if (group->a_is_minus3) {
980 { 1031 if (!BN_mod_lshift1_quick(tmp, Z4, p))
981 if (!BN_mod_lshift1_quick(tmp, Z4, p)) goto err; 1032 goto err;
982 if (!BN_mod_add_quick(tmp, tmp, Z4, p)) goto err; 1033 if (!BN_mod_add_quick(tmp, tmp, Z4, p))
983 if (!BN_mod_sub_quick(rh, rh, tmp, p)) goto err; 1034 goto err;
984 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err; 1035 if (!BN_mod_sub_quick(rh, rh, tmp, p))
985 } 1036 goto err;
986 else 1037 if (!field_mul(group, rh, rh, &point->X, ctx))
987 { 1038 goto err;
988 if (!field_mul(group, tmp, Z4, &group->a, ctx)) goto err; 1039 } else {
989 if (!BN_mod_add_quick(rh, rh, tmp, p)) goto err; 1040 if (!field_mul(group, tmp, Z4, &group->a, ctx))
990 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err; 1041 goto err;
991 } 1042 if (!BN_mod_add_quick(rh, rh, tmp, p))
1043 goto err;
1044 if (!field_mul(group, rh, rh, &point->X, ctx))
1045 goto err;
1046 }
992 1047
993 /* rh := rh + b*Z^6 */ 1048 /* rh := rh + b*Z^6 */
994 if (!field_mul(group, tmp, &group->b, Z6, ctx)) goto err; 1049 if (!field_mul(group, tmp, &group->b, Z6, ctx))
995 if (!BN_mod_add_quick(rh, rh, tmp, p)) goto err; 1050 goto err;
996 } 1051 if (!BN_mod_add_quick(rh, rh, tmp, p))
997 else 1052 goto err;
998 { 1053 } else {
999 /* point->Z_is_one */ 1054 /* point->Z_is_one */
1000 1055
1001 /* rh := (rh + a)*X */ 1056 /* rh := (rh + a)*X */
1002 if (!BN_mod_add_quick(rh, rh, &group->a, p)) goto err; 1057 if (!BN_mod_add_quick(rh, rh, &group->a, p))
1003 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err; 1058 goto err;
1059 if (!field_mul(group, rh, rh, &point->X, ctx))
1060 goto err;
1004 /* rh := rh + b */ 1061 /* rh := rh + b */
1005 if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err; 1062 if (!BN_mod_add_quick(rh, rh, &group->b, p))
1006 } 1063 goto err;
1064 }
1007 1065
1008 /* 'lh' := Y^2 */ 1066 /* 'lh' := Y^2 */
1009 if (!field_sqr(group, tmp, &point->Y, ctx)) goto err; 1067 if (!field_sqr(group, tmp, &point->Y, ctx))
1068 goto err;
1010 1069
1011 ret = (0 == BN_ucmp(tmp, rh)); 1070 ret = (0 == BN_ucmp(tmp, rh));
1012 1071
1013 err: 1072err:
1014 BN_CTX_end(ctx); 1073 BN_CTX_end(ctx);
1015 if (new_ctx != NULL) 1074 if (new_ctx != NULL)
1016 BN_CTX_free(new_ctx); 1075 BN_CTX_free(new_ctx);
1017 return ret; 1076 return ret;
1018 } 1077}
1019 1078
1020 1079
1021int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) 1080int
1022 { 1081ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx)
1023 /* return values: 1082{
1024 * -1 error 1083 /*
1025 * 0 equal (in affine coordinates) 1084 * return values: -1 error 0 equal (in affine coordinates) 1
1026 * 1 not equal 1085 * not equal
1027 */ 1086 */
1028 1087
1029 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); 1088 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1030 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); 1089 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1031 BN_CTX *new_ctx = NULL; 1090 BN_CTX *new_ctx = NULL;
1032 BIGNUM *tmp1, *tmp2, *Za23, *Zb23; 1091 BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
1033 const BIGNUM *tmp1_, *tmp2_; 1092 const BIGNUM *tmp1_, *tmp2_;
1034 int ret = -1; 1093 int ret = -1;
1035
1036 if (EC_POINT_is_at_infinity(group, a))
1037 {
1038 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
1039 }
1040 1094
1095 if (EC_POINT_is_at_infinity(group, a)) {
1096 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
1097 }
1041 if (EC_POINT_is_at_infinity(group, b)) 1098 if (EC_POINT_is_at_infinity(group, b))
1042 return 1; 1099 return 1;
1043
1044 if (a->Z_is_one && b->Z_is_one)
1045 {
1046 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
1047 }
1048 1100
1101 if (a->Z_is_one && b->Z_is_one) {
1102 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
1103 }
1049 field_mul = group->meth->field_mul; 1104 field_mul = group->meth->field_mul;
1050 field_sqr = group->meth->field_sqr; 1105 field_sqr = group->meth->field_sqr;
1051 1106
1052 if (ctx == NULL) 1107 if (ctx == NULL) {
1053 {
1054 ctx = new_ctx = BN_CTX_new(); 1108 ctx = new_ctx = BN_CTX_new();
1055 if (ctx == NULL) 1109 if (ctx == NULL)
1056 return -1; 1110 return -1;
1057 } 1111 }
1058
1059 BN_CTX_start(ctx); 1112 BN_CTX_start(ctx);
1060 tmp1 = BN_CTX_get(ctx); 1113 tmp1 = BN_CTX_get(ctx);
1061 tmp2 = BN_CTX_get(ctx); 1114 tmp2 = BN_CTX_get(ctx);
1062 Za23 = BN_CTX_get(ctx); 1115 Za23 = BN_CTX_get(ctx);
1063 Zb23 = BN_CTX_get(ctx); 1116 Zb23 = BN_CTX_get(ctx);
1064 if (Zb23 == NULL) goto end; 1117 if (Zb23 == NULL)
1118 goto end;
1065 1119
1066 /* We have to decide whether 1120 /*
1067 * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3), 1121 * We have to decide whether (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2,
1068 * or equivalently, whether 1122 * Y_b/Z_b^3), or equivalently, whether (X_a*Z_b^2, Y_a*Z_b^3) =
1069 * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3). 1123 * (X_b*Z_a^2, Y_b*Z_a^3).
1070 */ 1124 */
1071 1125
1072 if (!b->Z_is_one) 1126 if (!b->Z_is_one) {
1073 { 1127 if (!field_sqr(group, Zb23, &b->Z, ctx))
1074 if (!field_sqr(group, Zb23, &b->Z, ctx)) goto end; 1128 goto end;
1075 if (!field_mul(group, tmp1, &a->X, Zb23, ctx)) goto end; 1129 if (!field_mul(group, tmp1, &a->X, Zb23, ctx))
1130 goto end;
1076 tmp1_ = tmp1; 1131 tmp1_ = tmp1;
1077 } 1132 } else
1078 else
1079 tmp1_ = &a->X; 1133 tmp1_ = &a->X;
1080 if (!a->Z_is_one) 1134 if (!a->Z_is_one) {
1081 { 1135 if (!field_sqr(group, Za23, &a->Z, ctx))
1082 if (!field_sqr(group, Za23, &a->Z, ctx)) goto end; 1136 goto end;
1083 if (!field_mul(group, tmp2, &b->X, Za23, ctx)) goto end; 1137 if (!field_mul(group, tmp2, &b->X, Za23, ctx))
1138 goto end;
1084 tmp2_ = tmp2; 1139 tmp2_ = tmp2;
1085 } 1140 } else
1086 else
1087 tmp2_ = &b->X; 1141 tmp2_ = &b->X;
1088 1142
1089 /* compare X_a*Z_b^2 with X_b*Z_a^2 */ 1143 /* compare X_a*Z_b^2 with X_b*Z_a^2 */
1090 if (BN_cmp(tmp1_, tmp2_) != 0) 1144 if (BN_cmp(tmp1_, tmp2_) != 0) {
1091 { 1145 ret = 1; /* points differ */
1092 ret = 1; /* points differ */
1093 goto end; 1146 goto end;
1094 } 1147 }
1095 1148 if (!b->Z_is_one) {
1096 1149 if (!field_mul(group, Zb23, Zb23, &b->Z, ctx))
1097 if (!b->Z_is_one) 1150 goto end;
1098 { 1151 if (!field_mul(group, tmp1, &a->Y, Zb23, ctx))
1099 if (!field_mul(group, Zb23, Zb23, &b->Z, ctx)) goto end; 1152 goto end;
1100 if (!field_mul(group, tmp1, &a->Y, Zb23, ctx)) goto end;
1101 /* tmp1_ = tmp1 */ 1153 /* tmp1_ = tmp1 */
1102 } 1154 } else
1103 else
1104 tmp1_ = &a->Y; 1155 tmp1_ = &a->Y;
1105 if (!a->Z_is_one) 1156 if (!a->Z_is_one) {
1106 { 1157 if (!field_mul(group, Za23, Za23, &a->Z, ctx))
1107 if (!field_mul(group, Za23, Za23, &a->Z, ctx)) goto end; 1158 goto end;
1108 if (!field_mul(group, tmp2, &b->Y, Za23, ctx)) goto end; 1159 if (!field_mul(group, tmp2, &b->Y, Za23, ctx))
1160 goto end;
1109 /* tmp2_ = tmp2 */ 1161 /* tmp2_ = tmp2 */
1110 } 1162 } else
1111 else
1112 tmp2_ = &b->Y; 1163 tmp2_ = &b->Y;
1113 1164
1114 /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */ 1165 /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
1115 if (BN_cmp(tmp1_, tmp2_) != 0) 1166 if (BN_cmp(tmp1_, tmp2_) != 0) {
1116 { 1167 ret = 1; /* points differ */
1117 ret = 1; /* points differ */
1118 goto end; 1168 goto end;
1119 } 1169 }
1120
1121 /* points are equal */ 1170 /* points are equal */
1122 ret = 0; 1171 ret = 0;
1123 1172
1124 end: 1173end:
1125 BN_CTX_end(ctx); 1174 BN_CTX_end(ctx);
1126 if (new_ctx != NULL) 1175 if (new_ctx != NULL)
1127 BN_CTX_free(new_ctx); 1176 BN_CTX_free(new_ctx);
1128 return ret; 1177 return ret;
1129 } 1178}
1130 1179
1131 1180
1132int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) 1181int
1133 { 1182ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx)
1183{
1134 BN_CTX *new_ctx = NULL; 1184 BN_CTX *new_ctx = NULL;
1135 BIGNUM *x, *y; 1185 BIGNUM *x, *y;
1136 int ret = 0; 1186 int ret = 0;
@@ -1138,38 +1188,38 @@ int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ct
1138 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point)) 1188 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
1139 return 1; 1189 return 1;
1140 1190
1141 if (ctx == NULL) 1191 if (ctx == NULL) {
1142 {
1143 ctx = new_ctx = BN_CTX_new(); 1192 ctx = new_ctx = BN_CTX_new();
1144 if (ctx == NULL) 1193 if (ctx == NULL)
1145 return 0; 1194 return 0;
1146 } 1195 }
1147
1148 BN_CTX_start(ctx); 1196 BN_CTX_start(ctx);
1149 x = BN_CTX_get(ctx); 1197 x = BN_CTX_get(ctx);
1150 y = BN_CTX_get(ctx); 1198 y = BN_CTX_get(ctx);
1151 if (y == NULL) goto err; 1199 if (y == NULL)
1200 goto err;
1152 1201
1153 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; 1202 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
1154 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; 1203 goto err;
1155 if (!point->Z_is_one) 1204 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
1156 { 1205 goto err;
1206 if (!point->Z_is_one) {
1157 ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR); 1207 ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
1158 goto err; 1208 goto err;
1159 } 1209 }
1160
1161 ret = 1; 1210 ret = 1;
1162 1211
1163 err: 1212err:
1164 BN_CTX_end(ctx); 1213 BN_CTX_end(ctx);
1165 if (new_ctx != NULL) 1214 if (new_ctx != NULL)
1166 BN_CTX_free(new_ctx); 1215 BN_CTX_free(new_ctx);
1167 return ret; 1216 return ret;
1168 } 1217}
1169 1218
1170 1219
1171int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx) 1220int
1172 { 1221ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * points[], BN_CTX * ctx)
1222{
1173 BN_CTX *new_ctx = NULL; 1223 BN_CTX *new_ctx = NULL;
1174 BIGNUM *tmp0, *tmp1; 1224 BIGNUM *tmp0, *tmp1;
1175 size_t pow2 = 0; 1225 size_t pow2 = 0;
@@ -1180,171 +1230,179 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT
1180 if (num == 0) 1230 if (num == 0)
1181 return 1; 1231 return 1;
1182 1232
1183 if (ctx == NULL) 1233 if (ctx == NULL) {
1184 {
1185 ctx = new_ctx = BN_CTX_new(); 1234 ctx = new_ctx = BN_CTX_new();
1186 if (ctx == NULL) 1235 if (ctx == NULL)
1187 return 0; 1236 return 0;
1188 } 1237 }
1189
1190 BN_CTX_start(ctx); 1238 BN_CTX_start(ctx);
1191 tmp0 = BN_CTX_get(ctx); 1239 tmp0 = BN_CTX_get(ctx);
1192 tmp1 = BN_CTX_get(ctx); 1240 tmp1 = BN_CTX_get(ctx);
1193 if (tmp0 == NULL || tmp1 == NULL) goto err; 1241 if (tmp0 == NULL || tmp1 == NULL)
1242 goto err;
1194 1243
1195 /* Before converting the individual points, compute inverses of all Z values. 1244 /*
1196 * Modular inversion is rather slow, but luckily we can do with a single 1245 * Before converting the individual points, compute inverses of all Z
1197 * explicit inversion, plus about 3 multiplications per input value. 1246 * values. Modular inversion is rather slow, but luckily we can do
1247 * with a single explicit inversion, plus about 3 multiplications per
1248 * input value.
1198 */ 1249 */
1199 1250
1200 pow2 = 1; 1251 pow2 = 1;
1201 while (num > pow2) 1252 while (num > pow2)
1202 pow2 <<= 1; 1253 pow2 <<= 1;
1203 /* Now pow2 is the smallest power of 2 satifsying pow2 >= num. 1254 /*
1204 * We need twice that. */ 1255 * Now pow2 is the smallest power of 2 satifsying pow2 >= num. We
1256 * need twice that.
1257 */
1205 pow2 <<= 1; 1258 pow2 <<= 1;
1206 1259
1207 heap = malloc(pow2 * sizeof heap[0]); 1260 heap = malloc(pow2 * sizeof heap[0]);
1208 if (heap == NULL) goto err; 1261 if (heap == NULL)
1209 1262 goto err;
1210 /* The array is used as a binary tree, exactly as in heapsort: 1263
1211 * 1264 /*
1212 * heap[1] 1265 * The array is used as a binary tree, exactly as in heapsort:
1213 * heap[2] heap[3] 1266 *
1214 * heap[4] heap[5] heap[6] heap[7] 1267 * heap[1] heap[2] heap[3] heap[4] heap[5]
1215 * heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15] 1268 * heap[6] heap[7] heap[8]heap[9] heap[10]heap[11]
1216 * 1269 * heap[12]heap[13] heap[14] heap[15]
1217 * We put the Z's in the last line; 1270 *
1218 * then we set each other node to the product of its two child-nodes (where 1271 * We put the Z's in the last line; then we set each other node to the
1219 * empty or 0 entries are treated as ones); 1272 * product of its two child-nodes (where empty or 0 entries are
1220 * then we invert heap[1]; 1273 * treated as ones); then we invert heap[1]; then we invert each
1221 * then we invert each other node by replacing it by the product of its 1274 * other node by replacing it by the product of its parent (after
1222 * parent (after inversion) and its sibling (before inversion). 1275 * inversion) and its sibling (before inversion).
1223 */ 1276 */
1224 heap[0] = NULL; 1277 heap[0] = NULL;
1225 for (i = pow2/2 - 1; i > 0; i--) 1278 for (i = pow2 / 2 - 1; i > 0; i--)
1226 heap[i] = NULL; 1279 heap[i] = NULL;
1227 for (i = 0; i < num; i++) 1280 for (i = 0; i < num; i++)
1228 heap[pow2/2 + i] = &points[i]->Z; 1281 heap[pow2 / 2 + i] = &points[i]->Z;
1229 for (i = pow2/2 + num; i < pow2; i++) 1282 for (i = pow2 / 2 + num; i < pow2; i++)
1230 heap[i] = NULL; 1283 heap[i] = NULL;
1231 1284
1232 /* set each node to the product of its children */ 1285 /* set each node to the product of its children */
1233 for (i = pow2/2 - 1; i > 0; i--) 1286 for (i = pow2 / 2 - 1; i > 0; i--) {
1234 {
1235 heap[i] = BN_new(); 1287 heap[i] = BN_new();
1236 if (heap[i] == NULL) goto err; 1288 if (heap[i] == NULL)
1237 1289 goto err;
1238 if (heap[2*i] != NULL) 1290
1239 { 1291 if (heap[2 * i] != NULL) {
1240 if ((heap[2*i + 1] == NULL) || BN_is_zero(heap[2*i + 1])) 1292 if ((heap[2 * i + 1] == NULL) || BN_is_zero(heap[2 * i + 1])) {
1241 { 1293 if (!BN_copy(heap[i], heap[2 * i]))
1242 if (!BN_copy(heap[i], heap[2*i])) goto err; 1294 goto err;
1243 } 1295 } else {
1244 else 1296 if (BN_is_zero(heap[2 * i])) {
1245 { 1297 if (!BN_copy(heap[i], heap[2 * i + 1]))
1246 if (BN_is_zero(heap[2*i])) 1298 goto err;
1247 { 1299 } else {
1248 if (!BN_copy(heap[i], heap[2*i + 1])) goto err;
1249 }
1250 else
1251 {
1252 if (!group->meth->field_mul(group, heap[i], 1300 if (!group->meth->field_mul(group, heap[i],
1253 heap[2*i], heap[2*i + 1], ctx)) goto err; 1301 heap[2 * i], heap[2 * i + 1], ctx))
1254 } 1302 goto err;
1255 } 1303 }
1256 } 1304 }
1257 } 1305 }
1306 }
1258 1307
1259 /* invert heap[1] */ 1308 /* invert heap[1] */
1260 if (!BN_is_zero(heap[1])) 1309 if (!BN_is_zero(heap[1])) {
1261 { 1310 if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx)) {
1262 if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx))
1263 {
1264 ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB); 1311 ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
1265 goto err; 1312 goto err;
1266 }
1267 } 1313 }
1268 if (group->meth->field_encode != 0) 1314 }
1269 { 1315 if (group->meth->field_encode != 0) {
1270 /* in the Montgomery case, we just turned R*H (representing H) 1316 /*
1271 * into 1/(R*H), but we need R*(1/H) (representing 1/H); 1317 * in the Montgomery case, we just turned R*H (representing
1272 * i.e. we have need to multiply by the Montgomery factor twice */ 1318 * H) into 1/(R*H), but we need R*(1/H) (representing
1273 if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err; 1319 * 1/H); i.e. we have need to multiply by the Montgomery
1274 if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err; 1320 * factor twice
1275 } 1321 */
1276 1322 if (!group->meth->field_encode(group, heap[1], heap[1], ctx))
1323 goto err;
1324 if (!group->meth->field_encode(group, heap[1], heap[1], ctx))
1325 goto err;
1326 }
1277 /* set other heap[i]'s to their inverses */ 1327 /* set other heap[i]'s to their inverses */
1278 for (i = 2; i < pow2/2 + num; i += 2) 1328 for (i = 2; i < pow2 / 2 + num; i += 2) {
1279 {
1280 /* i is even */ 1329 /* i is even */
1281 if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1])) 1330 if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1])) {
1282 { 1331 if (!group->meth->field_mul(group, tmp0, heap[i / 2], heap[i + 1], ctx))
1283 if (!group->meth->field_mul(group, tmp0, heap[i/2], heap[i + 1], ctx)) goto err; 1332 goto err;
1284 if (!group->meth->field_mul(group, tmp1, heap[i/2], heap[i], ctx)) goto err; 1333 if (!group->meth->field_mul(group, tmp1, heap[i / 2], heap[i], ctx))
1285 if (!BN_copy(heap[i], tmp0)) goto err; 1334 goto err;
1286 if (!BN_copy(heap[i + 1], tmp1)) goto err; 1335 if (!BN_copy(heap[i], tmp0))
1287 } 1336 goto err;
1288 else 1337 if (!BN_copy(heap[i + 1], tmp1))
1289 { 1338 goto err;
1290 if (!BN_copy(heap[i], heap[i/2])) goto err; 1339 } else {
1291 } 1340 if (!BN_copy(heap[i], heap[i / 2]))
1341 goto err;
1292 } 1342 }
1343 }
1293 1344
1294 /* we have replaced all non-zero Z's by their inverses, now fix up all the points */ 1345 /*
1295 for (i = 0; i < num; i++) 1346 * we have replaced all non-zero Z's by their inverses, now fix up
1296 { 1347 * all the points
1348 */
1349 for (i = 0; i < num; i++) {
1297 EC_POINT *p = points[i]; 1350 EC_POINT *p = points[i];
1298
1299 if (!BN_is_zero(&p->Z))
1300 {
1301 /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
1302 1351
1303 if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx)) goto err; 1352 if (!BN_is_zero(&p->Z)) {
1304 if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx)) goto err; 1353 /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
1305 1354
1306 if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx)) goto err; 1355 if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx))
1307 if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx)) goto err; 1356 goto err;
1308 1357 if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx))
1309 if (group->meth->field_set_to_one != 0) 1358 goto err;
1310 { 1359
1311 if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err; 1360 if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx))
1312 } 1361 goto err;
1313 else 1362 if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx))
1314 { 1363 goto err;
1315 if (!BN_one(&p->Z)) goto err; 1364
1316 } 1365 if (group->meth->field_set_to_one != 0) {
1317 p->Z_is_one = 1; 1366 if (!group->meth->field_set_to_one(group, &p->Z, ctx))
1367 goto err;
1368 } else {
1369 if (!BN_one(&p->Z))
1370 goto err;
1318 } 1371 }
1372 p->Z_is_one = 1;
1319 } 1373 }
1374 }
1320 1375
1321 ret = 1; 1376 ret = 1;
1322 1377
1323 err: 1378err:
1324 BN_CTX_end(ctx); 1379 BN_CTX_end(ctx);
1325 if (new_ctx != NULL) 1380 if (new_ctx != NULL)
1326 BN_CTX_free(new_ctx); 1381 BN_CTX_free(new_ctx);
1327 if (heap != NULL) 1382 if (heap != NULL) {
1328 { 1383 /*
1329 /* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */ 1384 * heap[pow2/2] .. heap[pow2-1] have not been allocated
1330 for (i = pow2/2 - 1; i > 0; i--) 1385 * locally!
1331 { 1386 */
1387 for (i = pow2 / 2 - 1; i > 0; i--) {
1332 if (heap[i] != NULL) 1388 if (heap[i] != NULL)
1333 BN_clear_free(heap[i]); 1389 BN_clear_free(heap[i]);
1334 }
1335 free(heap);
1336 } 1390 }
1337 return ret; 1391 free(heap);
1338 } 1392 }
1393 return ret;
1394}
1339 1395
1340 1396
1341int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 1397int
1342 { 1398ec_GFp_simple_field_mul(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx)
1399{
1343 return BN_mod_mul(r, a, b, &group->field, ctx); 1400 return BN_mod_mul(r, a, b, &group->field, ctx);
1344 } 1401}
1345 1402
1346 1403
1347int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) 1404int
1348 { 1405ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx)
1406{
1349 return BN_mod_sqr(r, a, &group->field, ctx); 1407 return BN_mod_sqr(r, a, &group->field, ctx);
1350 } 1408}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-29 03:35:46 +0000