1 files changed, 202 insertions, 0 deletions
diff --git a/src/lib/libcrypto/ec/ec_field.c b/src/lib/libcrypto/ec/ec_field.c
new file mode 100644
index 0000000000..6576526e77
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_field.c
@@ -0,0 +1,202 @@
+/*      $OpenBSD: ec_field.c,v 1.3 2025/08/02 16:20:00 jsing Exp $      */
+/*
+ * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <string.h>
+#include <openssl/ec.h>
+#include "bn_local.h"
+#include "bn_internal.h"
+#include "ec_local.h"
+#include "ec_internal.h"
+int
+ec_field_modulus_from_bn(EC_FIELD_MODULUS *fm, const BIGNUM *bn, BN_CTX *ctx)
+{
+        BN_MONT_CTX *mctx = NULL;
+        size_t i;
+        int ret = 0;
+        if (BN_is_negative(bn))
+                goto err;
+        if (BN_num_bits(bn) > EC_FIELD_ELEMENT_MAX_BITS)
+                goto err;
+        memset(fm, 0, sizeof(*fm));
+        fm->n = (BN_num_bits(bn) + BN_BITS2 - 1) / BN_BITS2;
+        for (i = 0; i < bn->top; i++)
+                fm->m.w[i] = bn->d[i];
+        /* XXX - implement this without BN_MONT_CTX. */
+        if ((mctx = BN_MONT_CTX_new()) == NULL)
+                goto err;
+        if (!BN_MONT_CTX_set(mctx, bn, ctx))
+                goto err;
+        for (i = 0; i < mctx->RR.top; i++)
+                fm->rr.w[i] = mctx->RR.d[i];
+        fm->minv0 = mctx->n0[0];
+        ret = 1;
+ err:
+        BN_MONT_CTX_free(mctx);
+        return ret;
+}
+int
+ec_field_element_from_bn(const EC_FIELD_MODULUS *fm, const EC_GROUP *group,
+    EC_FIELD_ELEMENT *fe, const BIGNUM *bn, BN_CTX *ctx)
+{
+        BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
+        BIGNUM *tmp;
+        size_t i;
+        int ret = 0;
+        BN_CTX_start(ctx);
+        if ((tmp = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        /* XXX - enforce 0 <= n < p. */
+        if (BN_num_bits(bn) > EC_FIELD_ELEMENT_MAX_BITS)
+                goto err;
+        /* XXX - do this without BN. */
+        if (!BN_nnmod(tmp, bn, group->p, ctx))
+                goto err;
+        if (BN_num_bits(tmp) > EC_FIELD_ELEMENT_MAX_BITS)
+                abort();
+        memset(fe->w, 0, sizeof(fe->w));
+        for (i = 0; i < tmp->top; i++)
+                fe->w[i] = tmp->d[i];
+        bn_mod_mul_words(fe->w, fe->w, fm->rr.w, fm->m.w, t, fm->minv0, fm->n);
+        ret = 1;
+ err:
+        BN_CTX_end(ctx);
+        return ret;
+}
+int
+ec_field_element_to_bn(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *fe,
+    BIGNUM *bn, BN_CTX *ctx)
+{
+        BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
+        size_t i;
+        if (!bn_wexpand(bn, fm->n))
+                return 0;
+        memset(t, 0, sizeof(t));
+        for (i = 0; i < fm->n; i++)
+                t[i] = fe->w[i];
+        bn_montgomery_reduce_words(bn->d, t, fm->m.w, fm->minv0, fm->n);
+        bn->top = fm->n;
+        bn_correct_top(bn);
+        return 1;
+}
+void
+ec_field_element_copy(EC_FIELD_ELEMENT *dst, const EC_FIELD_ELEMENT *src)
+{
+        memcpy(dst, src, sizeof(EC_FIELD_ELEMENT));
+}
+void
+ec_field_element_select(const EC_FIELD_MODULUS *fm, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b, int conditional)
+{
+        BN_ULONG mask;
+        int i;
+        mask = bn_ct_eq_zero_mask(conditional);
+        for (i = 0; i < fm->n; i++)
+                r->w[i] = (a->w[i] & mask) | (b->w[i] & ~mask);
+}
+int
+ec_field_element_equal(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *a,
+    const EC_FIELD_ELEMENT *b)
+{
+        BN_ULONG v = 0;
+        int i;
+        for (i = 0; i < fm->n; i++)
+                v |= a->w[i] ^ b->w[i];
+        return bn_ct_eq_zero(v);
+}
+int
+ec_field_element_is_zero(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *fe)
+{
+        BN_ULONG v = 0;
+        int i;
+        for (i = 0; i < fm->n; i++)
+                v |= fe->w[i];
+        return bn_ct_eq_zero(v);
+}
+void
+ec_field_element_add(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b)
+{
+        bn_mod_add_words(r->w, a->w, b->w, m->m.w, m->n);
+}
+void
+ec_field_element_sub(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b)
+{
+        bn_mod_sub_words(r->w, a->w, b->w, m->m.w, m->n);
+}
+void
+ec_field_element_mul(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b)
+{
+        BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
+        bn_mod_mul_words(r->w, a->w, b->w, m->m.w, t, m->minv0, m->n);
+}
+void
+ec_field_element_sqr(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a)
+{
+        BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
+        bn_mod_sqr_words(r->w, a->w, m->m.w, t, m->minv0, m->n);
+}

diff --git a/src/lib/libcrypto/ec/ec_field.c b/src/lib/libcrypto/ec/ec_field.c new file mode 100644 index 0000000000..6576526e77 --- /dev/null +++ b/src/lib/libcrypto/ec/ec_field.c
@@ -0,0 +1,202 @@
	1	/* $OpenBSD: ec_field.c,v 1.3 2025/08/02 16:20:00 jsing Exp $ */
	2	/*
	3	* Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
	4	*
	5	* Permission to use, copy, modify, and distribute this software for any
	6	* purpose with or without fee is hereby granted, provided that the above
	7	* copyright notice and this permission notice appear in all copies.
	8	*
	9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	*/
	17
	18	#include <string.h>
	19
	20	#include <openssl/ec.h>
	21
	22	#include "bn_local.h"
	23	#include "bn_internal.h"
	24	#include "ec_local.h"
	25	#include "ec_internal.h"
	26
	27	int
	28	ec_field_modulus_from_bn(EC_FIELD_MODULUS fm, const BIGNUM bn, BN_CTX *ctx)
	29	{
	30	BN_MONT_CTX *mctx = NULL;
	31	size_t i;
	32	int ret = 0;
	33
	34	if (BN_is_negative(bn))
	35	goto err;
	36	if (BN_num_bits(bn) > EC_FIELD_ELEMENT_MAX_BITS)
	37	goto err;
	38
	39	memset(fm, 0, sizeof(*fm));
	40
	41	fm->n = (BN_num_bits(bn) + BN_BITS2 - 1) / BN_BITS2;
	42
	43	for (i = 0; i < bn->top; i++)
	44	fm->m.w[i] = bn->d[i];
	45
	46	/* XXX - implement this without BN_MONT_CTX. */
	47	if ((mctx = BN_MONT_CTX_new()) == NULL)
	48	goto err;
	49	if (!BN_MONT_CTX_set(mctx, bn, ctx))
	50	goto err;
	51
	52	for (i = 0; i < mctx->RR.top; i++)
	53	fm->rr.w[i] = mctx->RR.d[i];
	54
	55	fm->minv0 = mctx->n0[0];
	56
	57	ret = 1;
	58
	59	err:
	60	BN_MONT_CTX_free(mctx);
	61
	62	return ret;
	63	}
	64
	65	int
	66	ec_field_element_from_bn(const EC_FIELD_MODULUS fm, const EC_GROUP group,
	67	EC_FIELD_ELEMENT fe, const BIGNUM bn, BN_CTX *ctx)
	68	{
	69	BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
	70	BIGNUM *tmp;
	71	size_t i;
	72	int ret = 0;
	73
	74	BN_CTX_start(ctx);
	75
	76	if ((tmp = BN_CTX_get(ctx)) == NULL)
	77	goto err;
	78
	79	/* XXX - enforce 0 <= n < p. */
	80
	81	if (BN_num_bits(bn) > EC_FIELD_ELEMENT_MAX_BITS)
	82	goto err;
	83
	84	/* XXX - do this without BN. */
	85	if (!BN_nnmod(tmp, bn, group->p, ctx))
	86	goto err;
	87
	88	if (BN_num_bits(tmp) > EC_FIELD_ELEMENT_MAX_BITS)
	89	abort();
	90
	91	memset(fe->w, 0, sizeof(fe->w));
	92
	93	for (i = 0; i < tmp->top; i++)
	94	fe->w[i] = tmp->d[i];
	95
	96	bn_mod_mul_words(fe->w, fe->w, fm->rr.w, fm->m.w, t, fm->minv0, fm->n);
	97
	98	ret = 1;
	99
	100	err:
	101	BN_CTX_end(ctx);
	102
	103	return ret;
	104	}
	105
	106	int
	107	ec_field_element_to_bn(const EC_FIELD_MODULUS fm, const EC_FIELD_ELEMENT fe,
	108	BIGNUM bn, BN_CTX ctx)
	109	{
	110	BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
	111	size_t i;
	112
	113	if (!bn_wexpand(bn, fm->n))
	114	return 0;
	115
	116	memset(t, 0, sizeof(t));
	117	for (i = 0; i < fm->n; i++)
	118	t[i] = fe->w[i];
	119
	120	bn_montgomery_reduce_words(bn->d, t, fm->m.w, fm->minv0, fm->n);
	121
	122	bn->top = fm->n;
	123	bn_correct_top(bn);
	124
	125	return 1;
	126	}
	127
	128	void
	129	ec_field_element_copy(EC_FIELD_ELEMENT dst, const EC_FIELD_ELEMENT src)
	130	{
	131	memcpy(dst, src, sizeof(EC_FIELD_ELEMENT));
	132	}
	133
	134	void
	135	ec_field_element_select(const EC_FIELD_MODULUS fm, EC_FIELD_ELEMENT r,
	136	const EC_FIELD_ELEMENT a, const EC_FIELD_ELEMENT b, int conditional)
	137	{
	138	BN_ULONG mask;
	139	int i;
	140
	141	mask = bn_ct_eq_zero_mask(conditional);
	142
	143	for (i = 0; i < fm->n; i++)
	144	r->w[i] = (a->w[i] & mask) \| (b->w[i] & ~mask);
	145	}
	146
	147	int
	148	ec_field_element_equal(const EC_FIELD_MODULUS fm, const EC_FIELD_ELEMENT a,
	149	const EC_FIELD_ELEMENT *b)
	150	{
	151	BN_ULONG v = 0;
	152	int i;
	153
	154	for (i = 0; i < fm->n; i++)
	155	v \|= a->w[i] ^ b->w[i];
	156
	157	return bn_ct_eq_zero(v);
	158	}
	159
	160	int
	161	ec_field_element_is_zero(const EC_FIELD_MODULUS fm, const EC_FIELD_ELEMENT fe)
	162	{
	163	BN_ULONG v = 0;
	164	int i;
	165
	166	for (i = 0; i < fm->n; i++)
	167	v \|= fe->w[i];
	168
	169	return bn_ct_eq_zero(v);
	170	}
	171
	172	void
	173	ec_field_element_add(const EC_FIELD_MODULUS m, EC_FIELD_ELEMENT r,
	174	const EC_FIELD_ELEMENT a, const EC_FIELD_ELEMENT b)
	175	{
	176	bn_mod_add_words(r->w, a->w, b->w, m->m.w, m->n);
	177	}
	178
	179	void
	180	ec_field_element_sub(const EC_FIELD_MODULUS m, EC_FIELD_ELEMENT r,
	181	const EC_FIELD_ELEMENT a, const EC_FIELD_ELEMENT b)
	182	{
	183	bn_mod_sub_words(r->w, a->w, b->w, m->m.w, m->n);
	184	}
	185
	186	void
	187	ec_field_element_mul(const EC_FIELD_MODULUS m, EC_FIELD_ELEMENT r,
	188	const EC_FIELD_ELEMENT a, const EC_FIELD_ELEMENT b)
	189	{
	190	BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
	191
	192	bn_mod_mul_words(r->w, a->w, b->w, m->m.w, t, m->minv0, m->n);
	193	}
	194
	195	void
	196	ec_field_element_sqr(const EC_FIELD_MODULUS m, EC_FIELD_ELEMENT r,
	197	const EC_FIELD_ELEMENT *a)
	198	{
	199	BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
	200
	201	bn_mod_sqr_words(r->w, a->w, m->m.w, t, m->minv0, m->n);
	202	}