1 files changed, 205 insertions, 1 deletions
diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c
index 9cce6880df..f3c9f05850 100644
--- a/src/lib/libcrypto/ec/ecp_methods.c
+++ b/src/lib/libcrypto/ec/ecp_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_methods.c,v 1.2 2024/11/12 10:26:06 tb Exp $ */
+/* $OpenBSD: ecp_methods.c,v 1.3 2024/11/12 10:44:25 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * for the OpenSSL project.
 * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1608,6 +1608,160 @@ ec_GFp_simple_mul_double_nonct(const EC_GROUP *group, EC_POINT *r,
        return ec_wNAF_mul(group, r, g_scalar, 1, &point, &p_scalar, ctx);
 }
+static void
+ec_GFp_mont_group_clear(EC_GROUP *group)
+{
+        BN_MONT_CTX_free(group->mont_ctx);
+        group->mont_ctx = NULL;
+        BN_free(group->mont_one);
+        group->mont_one = NULL;
+}
+static int
+ec_GFp_mont_group_init(EC_GROUP *group)
+{
+        int ok;
+        ok = ec_GFp_simple_group_init(group);
+        group->mont_ctx = NULL;
+        group->mont_one = NULL;
+        return ok;
+}
+static void
+ec_GFp_mont_group_finish(EC_GROUP *group)
+{
+        ec_GFp_mont_group_clear(group);
+        ec_GFp_simple_group_finish(group);
+}
+static int
+ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src)
+{
+        ec_GFp_mont_group_clear(dest);
+        if (!ec_GFp_simple_group_copy(dest, src))
+                return 0;
+        if (src->mont_ctx != NULL) {
+                dest->mont_ctx = BN_MONT_CTX_new();
+                if (dest->mont_ctx == NULL)
+                        return 0;
+                if (!BN_MONT_CTX_copy(dest->mont_ctx, src->mont_ctx))
+                        goto err;
+        }
+        if (src->mont_one != NULL) {
+                dest->mont_one = BN_dup(src->mont_one);
+                if (dest->mont_one == NULL)
+                        goto err;
+        }
+        return 1;
+ err:
+        if (dest->mont_ctx != NULL) {
+                BN_MONT_CTX_free(dest->mont_ctx);
+                dest->mont_ctx = NULL;
+        }
+        return 0;
+}
+static int
+ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
+    const BIGNUM *b, BN_CTX *ctx)
+{
+        BN_MONT_CTX *mont = NULL;
+        BIGNUM *one = NULL;
+        int ret = 0;
+        ec_GFp_mont_group_clear(group);
+        mont = BN_MONT_CTX_new();
+        if (mont == NULL)
+                goto err;
+        if (!BN_MONT_CTX_set(mont, p, ctx)) {
+                ECerror(ERR_R_BN_LIB);
+                goto err;
+        }
+        one = BN_new();
+        if (one == NULL)
+                goto err;
+        if (!BN_to_montgomery(one, BN_value_one(), mont, ctx))
+                goto err;
+        group->mont_ctx = mont;
+        mont = NULL;
+        group->mont_one = one;
+        one = NULL;
+        ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
+        if (!ret)
+                ec_GFp_mont_group_clear(group);
+ err:
+        BN_MONT_CTX_free(mont);
+        BN_free(one);
+        return ret;
+}
+static int
+ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+    const BIGNUM *b, BN_CTX *ctx)
+{
+        if (group->mont_ctx == NULL) {
+                ECerror(EC_R_NOT_INITIALIZED);
+                return 0;
+        }
+        return BN_mod_mul_montgomery(r, a, b, group->mont_ctx, ctx);
+}
+static int
+ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+    BN_CTX *ctx)
+{
+        if (group->mont_ctx == NULL) {
+                ECerror(EC_R_NOT_INITIALIZED);
+                return 0;
+        }
+        return BN_mod_mul_montgomery(r, a, a, group->mont_ctx, ctx);
+}
+static int
+ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+    BN_CTX *ctx)
+{
+        if (group->mont_ctx == NULL) {
+                ECerror(EC_R_NOT_INITIALIZED);
+                return 0;
+        }
+        return BN_to_montgomery(r, a, group->mont_ctx, ctx);
+}
+static int
+ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+    BN_CTX *ctx)
+{
+        if (group->mont_ctx == NULL) {
+                ECerror(EC_R_NOT_INITIALIZED);
+                return 0;
+        }
+        return BN_from_montgomery(r, a, group->mont_ctx, ctx);
+}
+static int
+ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, BN_CTX *ctx)
+{
+        if (group->mont_one == NULL) {
+                ECerror(EC_R_NOT_INITIALIZED);
+                return 0;
+        }
+        if (!bn_copy(r, group->mont_one))
+                return 0;
+        return 1;
+}
 static const EC_METHOD ec_GFp_simple_method = {
        .field_type = NID_X9_62_prime_field,
        .group_init = ec_GFp_simple_group_init,
@@ -1654,3 +1808,53 @@ EC_GFp_simple_method(void)
        return &ec_GFp_simple_method;
 }
 LCRYPTO_ALIAS(EC_GFp_simple_method);
+static const EC_METHOD ec_GFp_mont_method = {
+        .field_type = NID_X9_62_prime_field,
+        .group_init = ec_GFp_mont_group_init,
+        .group_finish = ec_GFp_mont_group_finish,
+        .group_copy = ec_GFp_mont_group_copy,
+        .group_set_curve = ec_GFp_mont_group_set_curve,
+        .group_get_curve = ec_GFp_simple_group_get_curve,
+        .group_get_degree = ec_GFp_simple_group_get_degree,
+        .group_order_bits = ec_group_simple_order_bits,
+        .group_check_discriminant = ec_GFp_simple_group_check_discriminant,
+        .point_init = ec_GFp_simple_point_init,
+        .point_finish = ec_GFp_simple_point_finish,
+        .point_copy = ec_GFp_simple_point_copy,
+        .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
+        .point_set_Jprojective_coordinates =
+            ec_GFp_simple_set_Jprojective_coordinates,
+        .point_get_Jprojective_coordinates =
+            ec_GFp_simple_get_Jprojective_coordinates,
+        .point_set_affine_coordinates =
+            ec_GFp_simple_point_set_affine_coordinates,
+        .point_get_affine_coordinates =
+            ec_GFp_simple_point_get_affine_coordinates,
+        .point_set_compressed_coordinates =
+            ec_GFp_simple_set_compressed_coordinates,
+        .add = ec_GFp_simple_add,
+        .dbl = ec_GFp_simple_dbl,
+        .invert = ec_GFp_simple_invert,
+        .is_at_infinity = ec_GFp_simple_is_at_infinity,
+        .is_on_curve = ec_GFp_simple_is_on_curve,
+        .point_cmp = ec_GFp_simple_cmp,
+        .make_affine = ec_GFp_simple_make_affine,
+        .points_make_affine = ec_GFp_simple_points_make_affine,
+        .mul_generator_ct = ec_GFp_simple_mul_generator_ct,
+        .mul_single_ct = ec_GFp_simple_mul_single_ct,
+        .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
+        .field_mul = ec_GFp_mont_field_mul,
+        .field_sqr = ec_GFp_mont_field_sqr,
+        .field_encode = ec_GFp_mont_field_encode,
+        .field_decode = ec_GFp_mont_field_decode,
+        .field_set_to_one = ec_GFp_mont_field_set_to_one,
+        .blind_coordinates = ec_GFp_simple_blind_coordinates,
+};
+const EC_METHOD *
+EC_GFp_mont_method(void)
+{
+        return &ec_GFp_mont_method;
+}
+LCRYPTO_ALIAS(EC_GFp_mont_method);

diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c index 9cce6880df..f3c9f05850 100644 --- a/src/lib/libcrypto/ec/ecp_methods.c +++ b/src/lib/libcrypto/ec/ecp_methods.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ecp_methods.c,v 1.2 2024/11/12 10:26:06 tb Exp $ */	1	/* $OpenBSD: ecp_methods.c,v 1.3 2024/11/12 10:44:25 tb Exp $ */
2	/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>	2	/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3	* for the OpenSSL project.	3	* for the OpenSSL project.
4	* Includes code written by Bodo Moeller for the OpenSSL project.	4	* Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1608,6 +1608,160 @@ ec_GFp_simple_mul_double_nonct(const EC_GROUP group, EC_POINT r,
1608	return ec_wNAF_mul(group, r, g_scalar, 1, &point, &p_scalar, ctx);	1608	return ec_wNAF_mul(group, r, g_scalar, 1, &point, &p_scalar, ctx);
1609	}	1609	}
1610		1610
		1611	static void
		1612	ec_GFp_mont_group_clear(EC_GROUP *group)
		1613	{
		1614	BN_MONT_CTX_free(group->mont_ctx);
		1615	group->mont_ctx = NULL;
		1616
		1617	BN_free(group->mont_one);
		1618	group->mont_one = NULL;
		1619	}
		1620
		1621	static int
		1622	ec_GFp_mont_group_init(EC_GROUP *group)
		1623	{
		1624	int ok;
		1625
		1626	ok = ec_GFp_simple_group_init(group);
		1627	group->mont_ctx = NULL;
		1628	group->mont_one = NULL;
		1629	return ok;
		1630	}
		1631
		1632	static void
		1633	ec_GFp_mont_group_finish(EC_GROUP *group)
		1634	{
		1635	ec_GFp_mont_group_clear(group);
		1636	ec_GFp_simple_group_finish(group);
		1637	}
		1638
		1639	static int
		1640	ec_GFp_mont_group_copy(EC_GROUP dest, const EC_GROUP src)
		1641	{
		1642	ec_GFp_mont_group_clear(dest);
		1643
		1644	if (!ec_GFp_simple_group_copy(dest, src))
		1645	return 0;
		1646
		1647	if (src->mont_ctx != NULL) {
		1648	dest->mont_ctx = BN_MONT_CTX_new();
		1649	if (dest->mont_ctx == NULL)
		1650	return 0;
		1651	if (!BN_MONT_CTX_copy(dest->mont_ctx, src->mont_ctx))
		1652	goto err;
		1653	}
		1654	if (src->mont_one != NULL) {
		1655	dest->mont_one = BN_dup(src->mont_one);
		1656	if (dest->mont_one == NULL)
		1657	goto err;
		1658	}
		1659	return 1;
		1660
		1661	err:
		1662	if (dest->mont_ctx != NULL) {
		1663	BN_MONT_CTX_free(dest->mont_ctx);
		1664	dest->mont_ctx = NULL;
		1665	}
		1666	return 0;
		1667	}
		1668
		1669	static int
		1670	ec_GFp_mont_group_set_curve(EC_GROUP group, const BIGNUM p, const BIGNUM *a,
		1671	const BIGNUM b, BN_CTX ctx)
		1672	{
		1673	BN_MONT_CTX *mont = NULL;
		1674	BIGNUM *one = NULL;
		1675	int ret = 0;
		1676
		1677	ec_GFp_mont_group_clear(group);
		1678
		1679	mont = BN_MONT_CTX_new();
		1680	if (mont == NULL)
		1681	goto err;
		1682	if (!BN_MONT_CTX_set(mont, p, ctx)) {
		1683	ECerror(ERR_R_BN_LIB);
		1684	goto err;
		1685	}
		1686	one = BN_new();
		1687	if (one == NULL)
		1688	goto err;
		1689	if (!BN_to_montgomery(one, BN_value_one(), mont, ctx))
		1690	goto err;
		1691
		1692	group->mont_ctx = mont;
		1693	mont = NULL;
		1694	group->mont_one = one;
		1695	one = NULL;
		1696
		1697	ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
		1698	if (!ret)
		1699	ec_GFp_mont_group_clear(group);
		1700
		1701	err:
		1702	BN_MONT_CTX_free(mont);
		1703	BN_free(one);
		1704
		1705	return ret;
		1706	}
		1707
		1708	static int
		1709	ec_GFp_mont_field_mul(const EC_GROUP group, BIGNUM r, const BIGNUM *a,
		1710	const BIGNUM b, BN_CTX ctx)
		1711	{
		1712	if (group->mont_ctx == NULL) {
		1713	ECerror(EC_R_NOT_INITIALIZED);
		1714	return 0;
		1715	}
		1716	return BN_mod_mul_montgomery(r, a, b, group->mont_ctx, ctx);
		1717	}
		1718
		1719	static int
		1720	ec_GFp_mont_field_sqr(const EC_GROUP group, BIGNUM r, const BIGNUM *a,
		1721	BN_CTX *ctx)
		1722	{
		1723	if (group->mont_ctx == NULL) {
		1724	ECerror(EC_R_NOT_INITIALIZED);
		1725	return 0;
		1726	}
		1727	return BN_mod_mul_montgomery(r, a, a, group->mont_ctx, ctx);
		1728	}
		1729
		1730	static int
		1731	ec_GFp_mont_field_encode(const EC_GROUP group, BIGNUM r, const BIGNUM *a,
		1732	BN_CTX *ctx)
		1733	{
		1734	if (group->mont_ctx == NULL) {
		1735	ECerror(EC_R_NOT_INITIALIZED);
		1736	return 0;
		1737	}
		1738	return BN_to_montgomery(r, a, group->mont_ctx, ctx);
		1739	}
		1740
		1741	static int
		1742	ec_GFp_mont_field_decode(const EC_GROUP group, BIGNUM r, const BIGNUM *a,
		1743	BN_CTX *ctx)
		1744	{
		1745	if (group->mont_ctx == NULL) {
		1746	ECerror(EC_R_NOT_INITIALIZED);
		1747	return 0;
		1748	}
		1749	return BN_from_montgomery(r, a, group->mont_ctx, ctx);
		1750	}
		1751
		1752	static int
		1753	ec_GFp_mont_field_set_to_one(const EC_GROUP group, BIGNUM r, BN_CTX *ctx)
		1754	{
		1755	if (group->mont_one == NULL) {
		1756	ECerror(EC_R_NOT_INITIALIZED);
		1757	return 0;
		1758	}
		1759	if (!bn_copy(r, group->mont_one))
		1760	return 0;
		1761
		1762	return 1;
		1763	}
		1764
1611	static const EC_METHOD ec_GFp_simple_method = {	1765	static const EC_METHOD ec_GFp_simple_method = {
1612	.field_type = NID_X9_62_prime_field,	1766	.field_type = NID_X9_62_prime_field,
1613	.group_init = ec_GFp_simple_group_init,	1767	.group_init = ec_GFp_simple_group_init,
@@ -1654,3 +1808,53 @@ EC_GFp_simple_method(void)
1654	return &ec_GFp_simple_method;	1808	return &ec_GFp_simple_method;
1655	}	1809	}
1656	LCRYPTO_ALIAS(EC_GFp_simple_method);	1810	LCRYPTO_ALIAS(EC_GFp_simple_method);
		1811
		1812	static const EC_METHOD ec_GFp_mont_method = {
		1813	.field_type = NID_X9_62_prime_field,
		1814	.group_init = ec_GFp_mont_group_init,
		1815	.group_finish = ec_GFp_mont_group_finish,
		1816	.group_copy = ec_GFp_mont_group_copy,
		1817	.group_set_curve = ec_GFp_mont_group_set_curve,
		1818	.group_get_curve = ec_GFp_simple_group_get_curve,
		1819	.group_get_degree = ec_GFp_simple_group_get_degree,
		1820	.group_order_bits = ec_group_simple_order_bits,
		1821	.group_check_discriminant = ec_GFp_simple_group_check_discriminant,
		1822	.point_init = ec_GFp_simple_point_init,
		1823	.point_finish = ec_GFp_simple_point_finish,
		1824	.point_copy = ec_GFp_simple_point_copy,
		1825	.point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
		1826	.point_set_Jprojective_coordinates =
		1827	ec_GFp_simple_set_Jprojective_coordinates,
		1828	.point_get_Jprojective_coordinates =
		1829	ec_GFp_simple_get_Jprojective_coordinates,
		1830	.point_set_affine_coordinates =
		1831	ec_GFp_simple_point_set_affine_coordinates,
		1832	.point_get_affine_coordinates =
		1833	ec_GFp_simple_point_get_affine_coordinates,
		1834	.point_set_compressed_coordinates =
		1835	ec_GFp_simple_set_compressed_coordinates,
		1836	.add = ec_GFp_simple_add,
		1837	.dbl = ec_GFp_simple_dbl,
		1838	.invert = ec_GFp_simple_invert,
		1839	.is_at_infinity = ec_GFp_simple_is_at_infinity,
		1840	.is_on_curve = ec_GFp_simple_is_on_curve,
		1841	.point_cmp = ec_GFp_simple_cmp,
		1842	.make_affine = ec_GFp_simple_make_affine,
		1843	.points_make_affine = ec_GFp_simple_points_make_affine,
		1844	.mul_generator_ct = ec_GFp_simple_mul_generator_ct,
		1845	.mul_single_ct = ec_GFp_simple_mul_single_ct,
		1846	.mul_double_nonct = ec_GFp_simple_mul_double_nonct,
		1847	.field_mul = ec_GFp_mont_field_mul,
		1848	.field_sqr = ec_GFp_mont_field_sqr,
		1849	.field_encode = ec_GFp_mont_field_encode,
		1850	.field_decode = ec_GFp_mont_field_decode,
		1851	.field_set_to_one = ec_GFp_mont_field_set_to_one,
		1852	.blind_coordinates = ec_GFp_simple_blind_coordinates,
		1853	};
		1854
		1855	const EC_METHOD *
		1856	EC_GFp_mont_method(void)
		1857	{
		1858	return &ec_GFp_mont_method;
		1859	}
		1860	LCRYPTO_ALIAS(EC_GFp_mont_method);