summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ec
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/ec')
-rw-r--r--src/lib/libcrypto/ec/ec.h319
-rw-r--r--src/lib/libcrypto/ec/ec2_mult.c380
-rw-r--r--src/lib/libcrypto/ec/ec2_smpl.c971
-rw-r--r--src/lib/libcrypto/ec/ec_asn1.c1429
-rw-r--r--src/lib/libcrypto/ec/ec_check.c123
-rw-r--r--src/lib/libcrypto/ec/ec_curve.c1270
-rw-r--r--src/lib/libcrypto/ec/ec_cvt.c76
-rw-r--r--src/lib/libcrypto/ec/ec_err.c114
-rw-r--r--src/lib/libcrypto/ec/ec_key.c465
-rw-r--r--src/lib/libcrypto/ec/ec_lcl.h241
-rw-r--r--src/lib/libcrypto/ec/ec_lib.c678
-rw-r--r--src/lib/libcrypto/ec/ec_mult.c673
-rw-r--r--src/lib/libcrypto/ec/ec_print.c195
-rw-r--r--src/lib/libcrypto/ec/ecp_mont.c151
-rw-r--r--src/lib/libcrypto/ec/ecp_nist.c180
-rw-r--r--src/lib/libcrypto/ec/ecp_smpl.c335
16 files changed, 7026 insertions, 574 deletions
diff --git a/src/lib/libcrypto/ec/ec.h b/src/lib/libcrypto/ec/ec.h
index 6d6a9b7127..8bc2a235b1 100644
--- a/src/lib/libcrypto/ec/ec.h
+++ b/src/lib/libcrypto/ec/ec.h
@@ -1,6 +1,9 @@
1/* crypto/ec/ec.h */ 1/* crypto/ec/ec.h */
2/*
3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */
2/* ==================================================================== 5/* ====================================================================
3 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
4 * 7 *
5 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -52,22 +55,48 @@
52 * Hudson (tjh@cryptsoft.com). 55 * Hudson (tjh@cryptsoft.com).
53 * 56 *
54 */ 57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 *
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
63 *
64 * The Contribution is licensed pursuant to the OpenSSL open source
65 * license provided above.
66 *
67 * The elliptic curve binary polynomial software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
69 *
70 */
55 71
56#ifndef HEADER_EC_H 72#ifndef HEADER_EC_H
57#define HEADER_EC_H 73#define HEADER_EC_H
58 74
75#include <openssl/opensslconf.h>
76
59#ifdef OPENSSL_NO_EC 77#ifdef OPENSSL_NO_EC
60#error EC is disabled. 78#error EC is disabled.
61#endif 79#endif
62 80
63#include <openssl/bn.h> 81#include <openssl/asn1.h>
64#include <openssl/symhacks.h> 82#include <openssl/symhacks.h>
83#ifndef OPENSSL_NO_DEPRECATED
84#include <openssl/bn.h>
85#endif
65 86
66#ifdef __cplusplus 87#ifdef __cplusplus
67extern "C" { 88extern "C" {
89#elif defined(__SUNPRO_C)
90# if __SUNPRO_C >= 0x520
91# pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE)
92# endif
68#endif 93#endif
69 94
70 95
96#ifndef OPENSSL_ECC_MAX_FIELD_BITS
97# define OPENSSL_ECC_MAX_FIELD_BITS 661
98#endif
99
71typedef enum { 100typedef enum {
72 /* values as defined in X9.62 (ECDSA) and elsewhere */ 101 /* values as defined in X9.62 (ECDSA) and elsewhere */
73 POINT_CONVERSION_COMPRESSED = 2, 102 POINT_CONVERSION_COMPRESSED = 2,
@@ -84,7 +113,8 @@ typedef struct ec_group_st
84 -- field definition 113 -- field definition
85 -- curve coefficients 114 -- curve coefficients
86 -- optional generator with associated information (order, cofactor) 115 -- optional generator with associated information (order, cofactor)
87 -- optional extra data (TODO: precomputed table for fast computation of multiples of generator) 116 -- optional extra data (precomputed table for fast computation of multiples of generator)
117 -- ASN1 stuff
88 */ 118 */
89 EC_GROUP; 119 EC_GROUP;
90 120
@@ -96,40 +126,84 @@ typedef struct ec_point_st EC_POINT;
96 */ 126 */
97const EC_METHOD *EC_GFp_simple_method(void); 127const EC_METHOD *EC_GFp_simple_method(void);
98const EC_METHOD *EC_GFp_mont_method(void); 128const EC_METHOD *EC_GFp_mont_method(void);
99#if 0 129const EC_METHOD *EC_GFp_nist_method(void);
100const EC_METHOD *EC_GFp_recp_method(void); /* TODO */ 130
101const EC_METHOD *EC_GFp_nist_method(void); /* TODO */ 131/* EC_METHOD for curves over GF(2^m).
102#endif 132 */
133const EC_METHOD *EC_GF2m_simple_method(void);
103 134
104 135
105EC_GROUP *EC_GROUP_new(const EC_METHOD *); 136EC_GROUP *EC_GROUP_new(const EC_METHOD *);
106void EC_GROUP_free(EC_GROUP *); 137void EC_GROUP_free(EC_GROUP *);
107void EC_GROUP_clear_free(EC_GROUP *); 138void EC_GROUP_clear_free(EC_GROUP *);
108int EC_GROUP_copy(EC_GROUP *, const EC_GROUP *); 139int EC_GROUP_copy(EC_GROUP *, const EC_GROUP *);
140EC_GROUP *EC_GROUP_dup(const EC_GROUP *);
109 141
110const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *); 142const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *);
111 143int EC_METHOD_get_field_type(const EC_METHOD *);
144
145int EC_GROUP_set_generator(EC_GROUP *, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor);
146const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *);
147int EC_GROUP_get_order(const EC_GROUP *, BIGNUM *order, BN_CTX *);
148int EC_GROUP_get_cofactor(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
149
150void EC_GROUP_set_curve_name(EC_GROUP *, int nid);
151int EC_GROUP_get_curve_name(const EC_GROUP *);
152
153void EC_GROUP_set_asn1_flag(EC_GROUP *, int flag);
154int EC_GROUP_get_asn1_flag(const EC_GROUP *);
155
156void EC_GROUP_set_point_conversion_form(EC_GROUP *, point_conversion_form_t);
157point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *);
158
159unsigned char *EC_GROUP_get0_seed(const EC_GROUP *);
160size_t EC_GROUP_get_seed_len(const EC_GROUP *);
161size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
112 162
113/* We don't have types for field specifications and field elements in general.
114 * Otherwise we could declare
115 * int EC_GROUP_set_curve(EC_GROUP *, .....);
116 */
117int EC_GROUP_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); 163int EC_GROUP_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
118int EC_GROUP_get_curve_GFp(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *); 164int EC_GROUP_get_curve_GFp(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
165int EC_GROUP_set_curve_GF2m(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
166int EC_GROUP_get_curve_GF2m(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
167
168/* returns the number of bits needed to represent a field element */
169int EC_GROUP_get_degree(const EC_GROUP *);
170
171/* EC_GROUP_check() returns 1 if 'group' defines a valid group, 0 otherwise */
172int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx);
173/* EC_GROUP_check_discriminant() returns 1 if the discriminant of the
174 * elliptic curve is not zero, 0 otherwise */
175int EC_GROUP_check_discriminant(const EC_GROUP *, BN_CTX *);
119 176
120/* EC_GROUP_new_GFp() calls EC_GROUP_new() and EC_GROUP_set_GFp() 177/* EC_GROUP_cmp() returns 0 if both groups are equal and 1 otherwise */
178int EC_GROUP_cmp(const EC_GROUP *, const EC_GROUP *, BN_CTX *);
179
180/* EC_GROUP_new_GF*() calls EC_GROUP_new() and EC_GROUP_set_GF*()
121 * after choosing an appropriate EC_METHOD */ 181 * after choosing an appropriate EC_METHOD */
122EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); 182EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
183EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
123 184
124int EC_GROUP_set_generator(EC_GROUP *, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor); 185/* EC_GROUP_new_by_curve_name() creates a EC_GROUP structure
125EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *); 186 * specified by a curve name (in form of a NID) */
126int EC_GROUP_get_order(const EC_GROUP *, BIGNUM *order, BN_CTX *); 187EC_GROUP *EC_GROUP_new_by_curve_name(int nid);
127int EC_GROUP_get_cofactor(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *); 188/* handling of internal curves */
189typedef struct {
190 int nid;
191 const char *comment;
192 } EC_builtin_curve;
193/* EC_builtin_curves(EC_builtin_curve *r, size_t size) returns number
194 * of all available curves or zero if a error occurred.
195 * In case r ist not zero nitems EC_builtin_curve structures
196 * are filled with the data of the first nitems internal groups */
197size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems);
198
199
200/* EC_POINT functions */
128 201
129EC_POINT *EC_POINT_new(const EC_GROUP *); 202EC_POINT *EC_POINT_new(const EC_GROUP *);
130void EC_POINT_free(EC_POINT *); 203void EC_POINT_free(EC_POINT *);
131void EC_POINT_clear_free(EC_POINT *); 204void EC_POINT_clear_free(EC_POINT *);
132int EC_POINT_copy(EC_POINT *, const EC_POINT *); 205int EC_POINT_copy(EC_POINT *, const EC_POINT *);
206EC_POINT *EC_POINT_dup(const EC_POINT *, const EC_GROUP *);
133 207
134const EC_METHOD *EC_POINT_method_of(const EC_POINT *); 208const EC_METHOD *EC_POINT_method_of(const EC_POINT *);
135 209
@@ -145,11 +219,28 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
145int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *, EC_POINT *, 219int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *, EC_POINT *,
146 const BIGNUM *x, int y_bit, BN_CTX *); 220 const BIGNUM *x, int y_bit, BN_CTX *);
147 221
222int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *, EC_POINT *,
223 const BIGNUM *x, const BIGNUM *y, BN_CTX *);
224int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *, const EC_POINT *,
225 BIGNUM *x, BIGNUM *y, BN_CTX *);
226int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *, EC_POINT *,
227 const BIGNUM *x, int y_bit, BN_CTX *);
228
148size_t EC_POINT_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form, 229size_t EC_POINT_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
149 unsigned char *buf, size_t len, BN_CTX *); 230 unsigned char *buf, size_t len, BN_CTX *);
150int EC_POINT_oct2point(const EC_GROUP *, EC_POINT *, 231int EC_POINT_oct2point(const EC_GROUP *, EC_POINT *,
151 const unsigned char *buf, size_t len, BN_CTX *); 232 const unsigned char *buf, size_t len, BN_CTX *);
152 233
234/* other interfaces to point2oct/oct2point: */
235BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *,
236 point_conversion_form_t form, BIGNUM *, BN_CTX *);
237EC_POINT *EC_POINT_bn2point(const EC_GROUP *, const BIGNUM *,
238 EC_POINT *, BN_CTX *);
239char *EC_POINT_point2hex(const EC_GROUP *, const EC_POINT *,
240 point_conversion_form_t form, BN_CTX *);
241EC_POINT *EC_POINT_hex2point(const EC_GROUP *, const char *,
242 EC_POINT *, BN_CTX *);
243
153int EC_POINT_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *); 244int EC_POINT_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
154int EC_POINT_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *); 245int EC_POINT_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
155int EC_POINT_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); 246int EC_POINT_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
@@ -164,9 +255,112 @@ int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
164 255
165int EC_POINTs_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, size_t num, const EC_POINT *[], const BIGNUM *[], BN_CTX *); 256int EC_POINTs_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, size_t num, const EC_POINT *[], const BIGNUM *[], BN_CTX *);
166int EC_POINT_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, const EC_POINT *, const BIGNUM *, BN_CTX *); 257int EC_POINT_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, const EC_POINT *, const BIGNUM *, BN_CTX *);
258
259/* EC_GROUP_precompute_mult() stores multiples of generator for faster point multiplication */
167int EC_GROUP_precompute_mult(EC_GROUP *, BN_CTX *); 260int EC_GROUP_precompute_mult(EC_GROUP *, BN_CTX *);
261/* EC_GROUP_have_precompute_mult() reports whether such precomputation has been done */
262int EC_GROUP_have_precompute_mult(const EC_GROUP *);
263
264
168 265
266/* ASN1 stuff */
169 267
268/* EC_GROUP_get_basis_type() returns the NID of the basis type
269 * used to represent the field elements */
270int EC_GROUP_get_basis_type(const EC_GROUP *);
271int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k);
272int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1,
273 unsigned int *k2, unsigned int *k3);
274
275#define OPENSSL_EC_NAMED_CURVE 0x001
276
277typedef struct ecpk_parameters_st ECPKPARAMETERS;
278
279EC_GROUP *d2i_ECPKParameters(EC_GROUP **, const unsigned char **in, long len);
280int i2d_ECPKParameters(const EC_GROUP *, unsigned char **out);
281
282#define d2i_ECPKParameters_bio(bp,x) ASN1_d2i_bio_of(EC_GROUP,NULL,d2i_ECPKParameters,bp,x)
283#define i2d_ECPKParameters_bio(bp,x) ASN1_i2d_bio_of_const(EC_GROUP,i2d_ECPKParameters,bp,x)
284#define d2i_ECPKParameters_fp(fp,x) (EC_GROUP *)ASN1_d2i_fp(NULL, \
285 (char *(*)())d2i_ECPKParameters,(fp),(unsigned char **)(x))
286#define i2d_ECPKParameters_fp(fp,x) ASN1_i2d_fp(i2d_ECPKParameters,(fp), \
287 (unsigned char *)(x))
288
289#ifndef OPENSSL_NO_BIO
290int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off);
291#endif
292#ifndef OPENSSL_NO_FP_API
293int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off);
294#endif
295
296/* the EC_KEY stuff */
297typedef struct ec_key_st EC_KEY;
298
299/* some values for the encoding_flag */
300#define EC_PKEY_NO_PARAMETERS 0x001
301#define EC_PKEY_NO_PUBKEY 0x002
302
303EC_KEY *EC_KEY_new(void);
304EC_KEY *EC_KEY_new_by_curve_name(int nid);
305void EC_KEY_free(EC_KEY *);
306EC_KEY *EC_KEY_copy(EC_KEY *, const EC_KEY *);
307EC_KEY *EC_KEY_dup(const EC_KEY *);
308
309int EC_KEY_up_ref(EC_KEY *);
310
311const EC_GROUP *EC_KEY_get0_group(const EC_KEY *);
312int EC_KEY_set_group(EC_KEY *, const EC_GROUP *);
313const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *);
314int EC_KEY_set_private_key(EC_KEY *, const BIGNUM *);
315const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *);
316int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *);
317unsigned EC_KEY_get_enc_flags(const EC_KEY *);
318void EC_KEY_set_enc_flags(EC_KEY *, unsigned int);
319point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *);
320void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t);
321/* functions to set/get method specific data */
322void *EC_KEY_get_key_method_data(EC_KEY *,
323 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
324void EC_KEY_insert_key_method_data(EC_KEY *, void *data,
325 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
326/* wrapper functions for the underlying EC_GROUP object */
327void EC_KEY_set_asn1_flag(EC_KEY *, int);
328int EC_KEY_precompute_mult(EC_KEY *, BN_CTX *ctx);
329
330/* EC_KEY_generate_key() creates a ec private (public) key */
331int EC_KEY_generate_key(EC_KEY *);
332/* EC_KEY_check_key() */
333int EC_KEY_check_key(const EC_KEY *);
334
335/* de- and encoding functions for SEC1 ECPrivateKey */
336EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len);
337int i2d_ECPrivateKey(EC_KEY *a, unsigned char **out);
338/* de- and encoding functions for EC parameters */
339EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len);
340int i2d_ECParameters(EC_KEY *a, unsigned char **out);
341/* de- and encoding functions for EC public key
342 * (octet string, not DER -- hence 'o2i' and 'i2o') */
343EC_KEY *o2i_ECPublicKey(EC_KEY **a, const unsigned char **in, long len);
344int i2o_ECPublicKey(EC_KEY *a, unsigned char **out);
345
346#ifndef OPENSSL_NO_BIO
347int ECParameters_print(BIO *bp, const EC_KEY *x);
348int EC_KEY_print(BIO *bp, const EC_KEY *x, int off);
349#endif
350#ifndef OPENSSL_NO_FP_API
351int ECParameters_print_fp(FILE *fp, const EC_KEY *x);
352int EC_KEY_print_fp(FILE *fp, const EC_KEY *x, int off);
353#endif
354
355#define ECParameters_dup(x) ASN1_dup_of(EC_KEY,i2d_ECParameters,d2i_ECParameters,x)
356
357#ifndef __cplusplus
358#if defined(__SUNPRO_C)
359# if __SUNPRO_C >= 0x520
360# pragma error_messages (default,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE)
361# endif
362# endif
363#endif
170 364
171/* BEGIN ERROR CODES */ 365/* BEGIN ERROR CODES */
172/* The following lines are auto generated by the script mkerr.pl. Any changes 366/* The following lines are auto generated by the script mkerr.pl. Any changes
@@ -178,51 +372,124 @@ void ERR_load_EC_strings(void);
178 372
179/* Function codes. */ 373/* Function codes. */
180#define EC_F_COMPUTE_WNAF 143 374#define EC_F_COMPUTE_WNAF 143
375#define EC_F_D2I_ECPARAMETERS 144
376#define EC_F_D2I_ECPKPARAMETERS 145
377#define EC_F_D2I_ECPRIVATEKEY 146
378#define EC_F_ECPARAMETERS_PRINT 147
379#define EC_F_ECPARAMETERS_PRINT_FP 148
380#define EC_F_ECPKPARAMETERS_PRINT 149
381#define EC_F_ECPKPARAMETERS_PRINT_FP 150
382#define EC_F_ECP_NIST_MOD_192 203
383#define EC_F_ECP_NIST_MOD_224 204
384#define EC_F_ECP_NIST_MOD_256 205
385#define EC_F_ECP_NIST_MOD_521 206
386#define EC_F_EC_ASN1_GROUP2CURVE 153
387#define EC_F_EC_ASN1_GROUP2FIELDID 154
388#define EC_F_EC_ASN1_GROUP2PARAMETERS 155
389#define EC_F_EC_ASN1_GROUP2PKPARAMETERS 156
390#define EC_F_EC_ASN1_PARAMETERS2GROUP 157
391#define EC_F_EC_ASN1_PKPARAMETERS2GROUP 158
392#define EC_F_EC_EX_DATA_SET_DATA 211
393#define EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY 208
394#define EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT 159
395#define EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE 195
396#define EC_F_EC_GF2M_SIMPLE_OCT2POINT 160
397#define EC_F_EC_GF2M_SIMPLE_POINT2OCT 161
398#define EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES 162
399#define EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES 163
400#define EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES 164
181#define EC_F_EC_GFP_MONT_FIELD_DECODE 133 401#define EC_F_EC_GFP_MONT_FIELD_DECODE 133
182#define EC_F_EC_GFP_MONT_FIELD_ENCODE 134 402#define EC_F_EC_GFP_MONT_FIELD_ENCODE 134
183#define EC_F_EC_GFP_MONT_FIELD_MUL 131 403#define EC_F_EC_GFP_MONT_FIELD_MUL 131
404#define EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE 209
184#define EC_F_EC_GFP_MONT_FIELD_SQR 132 405#define EC_F_EC_GFP_MONT_FIELD_SQR 132
406#define EC_F_EC_GFP_MONT_GROUP_SET_CURVE 189
407#define EC_F_EC_GFP_MONT_GROUP_SET_CURVE_GFP 135
408#define EC_F_EC_GFP_NIST_FIELD_MUL 200
409#define EC_F_EC_GFP_NIST_FIELD_SQR 201
410#define EC_F_EC_GFP_NIST_GROUP_SET_CURVE 202
411#define EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT 165
412#define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE 166
185#define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP 100 413#define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP 100
186#define EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR 101 414#define EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR 101
187#define EC_F_EC_GFP_SIMPLE_MAKE_AFFINE 102 415#define EC_F_EC_GFP_SIMPLE_MAKE_AFFINE 102
188#define EC_F_EC_GFP_SIMPLE_OCT2POINT 103 416#define EC_F_EC_GFP_SIMPLE_OCT2POINT 103
189#define EC_F_EC_GFP_SIMPLE_POINT2OCT 104 417#define EC_F_EC_GFP_SIMPLE_POINT2OCT 104
190#define EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE 137 418#define EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE 137
419#define EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES 167
191#define EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP 105 420#define EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP 105
421#define EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES 168
192#define EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP 128 422#define EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP 128
423#define EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES 169
193#define EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP 129 424#define EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP 129
425#define EC_F_EC_GROUP_CHECK 170
426#define EC_F_EC_GROUP_CHECK_DISCRIMINANT 171
194#define EC_F_EC_GROUP_COPY 106 427#define EC_F_EC_GROUP_COPY 106
195#define EC_F_EC_GROUP_GET0_GENERATOR 139 428#define EC_F_EC_GROUP_GET0_GENERATOR 139
196#define EC_F_EC_GROUP_GET_COFACTOR 140 429#define EC_F_EC_GROUP_GET_COFACTOR 140
430#define EC_F_EC_GROUP_GET_CURVE_GF2M 172
197#define EC_F_EC_GROUP_GET_CURVE_GFP 130 431#define EC_F_EC_GROUP_GET_CURVE_GFP 130
432#define EC_F_EC_GROUP_GET_DEGREE 173
198#define EC_F_EC_GROUP_GET_ORDER 141 433#define EC_F_EC_GROUP_GET_ORDER 141
434#define EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS 193
435#define EC_F_EC_GROUP_GET_TRINOMIAL_BASIS 194
199#define EC_F_EC_GROUP_NEW 108 436#define EC_F_EC_GROUP_NEW 108
437#define EC_F_EC_GROUP_NEW_BY_CURVE_NAME 174
438#define EC_F_EC_GROUP_NEW_FROM_DATA 175
200#define EC_F_EC_GROUP_PRECOMPUTE_MULT 142 439#define EC_F_EC_GROUP_PRECOMPUTE_MULT 142
440#define EC_F_EC_GROUP_SET_CURVE_GF2M 176
201#define EC_F_EC_GROUP_SET_CURVE_GFP 109 441#define EC_F_EC_GROUP_SET_CURVE_GFP 109
202#define EC_F_EC_GROUP_SET_EXTRA_DATA 110 442#define EC_F_EC_GROUP_SET_EXTRA_DATA 110
203#define EC_F_EC_GROUP_SET_GENERATOR 111 443#define EC_F_EC_GROUP_SET_GENERATOR 111
444#define EC_F_EC_KEY_CHECK_KEY 177
445#define EC_F_EC_KEY_COPY 178
446#define EC_F_EC_KEY_GENERATE_KEY 179
447#define EC_F_EC_KEY_NEW 182
448#define EC_F_EC_KEY_PRINT 180
449#define EC_F_EC_KEY_PRINT_FP 181
204#define EC_F_EC_POINTS_MAKE_AFFINE 136 450#define EC_F_EC_POINTS_MAKE_AFFINE 136
205#define EC_F_EC_POINTS_MUL 138 451#define EC_F_EC_POINTS_MUL 138
206#define EC_F_EC_POINT_ADD 112 452#define EC_F_EC_POINT_ADD 112
207#define EC_F_EC_POINT_CMP 113 453#define EC_F_EC_POINT_CMP 113
208#define EC_F_EC_POINT_COPY 114 454#define EC_F_EC_POINT_COPY 114
209#define EC_F_EC_POINT_DBL 115 455#define EC_F_EC_POINT_DBL 115
456#define EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M 183
210#define EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP 116 457#define EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP 116
211#define EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP 117 458#define EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP 117
459#define EC_F_EC_POINT_INVERT 210
212#define EC_F_EC_POINT_IS_AT_INFINITY 118 460#define EC_F_EC_POINT_IS_AT_INFINITY 118
213#define EC_F_EC_POINT_IS_ON_CURVE 119 461#define EC_F_EC_POINT_IS_ON_CURVE 119
214#define EC_F_EC_POINT_MAKE_AFFINE 120 462#define EC_F_EC_POINT_MAKE_AFFINE 120
463#define EC_F_EC_POINT_MUL 184
215#define EC_F_EC_POINT_NEW 121 464#define EC_F_EC_POINT_NEW 121
216#define EC_F_EC_POINT_OCT2POINT 122 465#define EC_F_EC_POINT_OCT2POINT 122
217#define EC_F_EC_POINT_POINT2OCT 123 466#define EC_F_EC_POINT_POINT2OCT 123
467#define EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M 185
218#define EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP 124 468#define EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP 124
469#define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M 186
219#define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP 125 470#define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP 125
220#define EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP 126 471#define EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP 126
221#define EC_F_EC_POINT_SET_TO_INFINITY 127 472#define EC_F_EC_POINT_SET_TO_INFINITY 127
222#define EC_F_GFP_MONT_GROUP_SET_CURVE_GFP 135 473#define EC_F_EC_PRE_COMP_DUP 207
474#define EC_F_EC_PRE_COMP_NEW 196
475#define EC_F_EC_WNAF_MUL 187
476#define EC_F_EC_WNAF_PRECOMPUTE_MULT 188
477#define EC_F_I2D_ECPARAMETERS 190
478#define EC_F_I2D_ECPKPARAMETERS 191
479#define EC_F_I2D_ECPRIVATEKEY 192
480#define EC_F_I2O_ECPUBLICKEY 151
481#define EC_F_O2I_ECPUBLICKEY 152
223 482
224/* Reason codes. */ 483/* Reason codes. */
484#define EC_R_ASN1_ERROR 115
485#define EC_R_ASN1_UNKNOWN_FIELD 116
225#define EC_R_BUFFER_TOO_SMALL 100 486#define EC_R_BUFFER_TOO_SMALL 100
487#define EC_R_D2I_ECPKPARAMETERS_FAILURE 117
488#define EC_R_DISCRIMINANT_IS_ZERO 118
489#define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 119
490#define EC_R_FIELD_TOO_LARGE 138
491#define EC_R_GROUP2PKPARAMETERS_FAILURE 120
492#define EC_R_I2D_ECPKPARAMETERS_FAILURE 121
226#define EC_R_INCOMPATIBLE_OBJECTS 101 493#define EC_R_INCOMPATIBLE_OBJECTS 101
227#define EC_R_INVALID_ARGUMENT 112 494#define EC_R_INVALID_ARGUMENT 112
228#define EC_R_INVALID_COMPRESSED_POINT 110 495#define EC_R_INVALID_COMPRESSED_POINT 110
@@ -230,12 +497,28 @@ void ERR_load_EC_strings(void);
230#define EC_R_INVALID_ENCODING 102 497#define EC_R_INVALID_ENCODING 102
231#define EC_R_INVALID_FIELD 103 498#define EC_R_INVALID_FIELD 103
232#define EC_R_INVALID_FORM 104 499#define EC_R_INVALID_FORM 104
500#define EC_R_INVALID_GROUP_ORDER 122
501#define EC_R_INVALID_PENTANOMIAL_BASIS 132
502#define EC_R_INVALID_PRIVATE_KEY 123
503#define EC_R_INVALID_TRINOMIAL_BASIS 137
504#define EC_R_MISSING_PARAMETERS 124
505#define EC_R_MISSING_PRIVATE_KEY 125
506#define EC_R_NOT_A_NIST_PRIME 135
507#define EC_R_NOT_A_SUPPORTED_NIST_PRIME 136
508#define EC_R_NOT_IMPLEMENTED 126
233#define EC_R_NOT_INITIALIZED 111 509#define EC_R_NOT_INITIALIZED 111
510#define EC_R_NO_FIELD_MOD 133
511#define EC_R_PASSED_NULL_PARAMETER 134
512#define EC_R_PKPARAMETERS2GROUP_FAILURE 127
234#define EC_R_POINT_AT_INFINITY 106 513#define EC_R_POINT_AT_INFINITY 106
235#define EC_R_POINT_IS_NOT_ON_CURVE 107 514#define EC_R_POINT_IS_NOT_ON_CURVE 107
236#define EC_R_SLOT_FULL 108 515#define EC_R_SLOT_FULL 108
237#define EC_R_UNDEFINED_GENERATOR 113 516#define EC_R_UNDEFINED_GENERATOR 113
517#define EC_R_UNDEFINED_ORDER 128
518#define EC_R_UNKNOWN_GROUP 129
238#define EC_R_UNKNOWN_ORDER 114 519#define EC_R_UNKNOWN_ORDER 114
520#define EC_R_UNSUPPORTED_FIELD 131
521#define EC_R_WRONG_ORDER 130
239 522
240#ifdef __cplusplus 523#ifdef __cplusplus
241} 524}
diff --git a/src/lib/libcrypto/ec/ec2_mult.c b/src/lib/libcrypto/ec/ec2_mult.c
new file mode 100644
index 0000000000..ff368fd7d7
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec2_mult.c
@@ -0,0 +1,380 @@
1/* crypto/ec/ec2_mult.c */
2/* ====================================================================
3 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
4 *
5 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
6 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
7 * to the OpenSSL project.
8 *
9 * The ECC Code is licensed pursuant to the OpenSSL open source
10 * license provided below.
11 *
12 * The software is originally written by Sheueling Chang Shantz and
13 * Douglas Stebila of Sun Microsystems Laboratories.
14 *
15 */
16/* ====================================================================
17 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
18 *
19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions
21 * are met:
22 *
23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer.
25 *
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in
28 * the documentation and/or other materials provided with the
29 * distribution.
30 *
31 * 3. All advertising materials mentioning features or use of this
32 * software must display the following acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
35 *
36 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
37 * endorse or promote products derived from this software without
38 * prior written permission. For written permission, please contact
39 * openssl-core@openssl.org.
40 *
41 * 5. Products derived from this software may not be called "OpenSSL"
42 * nor may "OpenSSL" appear in their names without prior written
43 * permission of the OpenSSL Project.
44 *
45 * 6. Redistributions of any form whatsoever must retain the following
46 * acknowledgment:
47 * "This product includes software developed by the OpenSSL Project
48 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
49 *
50 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
51 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
52 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
53 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
54 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
55 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
56 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
57 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
59 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
60 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
61 * OF THE POSSIBILITY OF SUCH DAMAGE.
62 * ====================================================================
63 *
64 * This product includes cryptographic software written by Eric Young
65 * (eay@cryptsoft.com). This product includes software written by Tim
66 * Hudson (tjh@cryptsoft.com).
67 *
68 */
69
70#include <openssl/err.h>
71
72#include "ec_lcl.h"
73
74
75/* Compute the x-coordinate x/z for the point 2*(x/z) in Montgomery projective
76 * coordinates.
77 * Uses algorithm Mdouble in appendix of
78 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
79 * GF(2^m) without precomputation".
80 * modified to not require precomputation of c=b^{2^{m-1}}.
81 */
82static int gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx)
83 {
84 BIGNUM *t1;
85 int ret = 0;
86
87 /* Since Mdouble is static we can guarantee that ctx != NULL. */
88 BN_CTX_start(ctx);
89 t1 = BN_CTX_get(ctx);
90 if (t1 == NULL) goto err;
91
92 if (!group->meth->field_sqr(group, x, x, ctx)) goto err;
93 if (!group->meth->field_sqr(group, t1, z, ctx)) goto err;
94 if (!group->meth->field_mul(group, z, x, t1, ctx)) goto err;
95 if (!group->meth->field_sqr(group, x, x, ctx)) goto err;
96 if (!group->meth->field_sqr(group, t1, t1, ctx)) goto err;
97 if (!group->meth->field_mul(group, t1, &group->b, t1, ctx)) goto err;
98 if (!BN_GF2m_add(x, x, t1)) goto err;
99
100 ret = 1;
101
102 err:
103 BN_CTX_end(ctx);
104 return ret;
105 }
106
107/* Compute the x-coordinate x1/z1 for the point (x1/z1)+(x2/x2) in Montgomery
108 * projective coordinates.
109 * Uses algorithm Madd in appendix of
110 * Lopex, J. and Dahab, R. "Fast multiplication on elliptic curves over
111 * GF(2^m) without precomputation".
112 */
113static int gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1,
114 const BIGNUM *x2, const BIGNUM *z2, BN_CTX *ctx)
115 {
116 BIGNUM *t1, *t2;
117 int ret = 0;
118
119 /* Since Madd is static we can guarantee that ctx != NULL. */
120 BN_CTX_start(ctx);
121 t1 = BN_CTX_get(ctx);
122 t2 = BN_CTX_get(ctx);
123 if (t2 == NULL) goto err;
124
125 if (!BN_copy(t1, x)) goto err;
126 if (!group->meth->field_mul(group, x1, x1, z2, ctx)) goto err;
127 if (!group->meth->field_mul(group, z1, z1, x2, ctx)) goto err;
128 if (!group->meth->field_mul(group, t2, x1, z1, ctx)) goto err;
129 if (!BN_GF2m_add(z1, z1, x1)) goto err;
130 if (!group->meth->field_sqr(group, z1, z1, ctx)) goto err;
131 if (!group->meth->field_mul(group, x1, z1, t1, ctx)) goto err;
132 if (!BN_GF2m_add(x1, x1, t2)) goto err;
133
134 ret = 1;
135
136 err:
137 BN_CTX_end(ctx);
138 return ret;
139 }
140
141/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2)
142 * using Montgomery point multiplication algorithm Mxy() in appendix of
143 * Lopex, J. and Dahab, R. "Fast multiplication on elliptic curves over
144 * GF(2^m) without precomputation".
145 * Returns:
146 * 0 on error
147 * 1 if return value should be the point at infinity
148 * 2 otherwise
149 */
150static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1,
151 BIGNUM *z1, BIGNUM *x2, BIGNUM *z2, BN_CTX *ctx)
152 {
153 BIGNUM *t3, *t4, *t5;
154 int ret = 0;
155
156 if (BN_is_zero(z1))
157 {
158 BN_zero(x2);
159 BN_zero(z2);
160 return 1;
161 }
162
163 if (BN_is_zero(z2))
164 {
165 if (!BN_copy(x2, x)) return 0;
166 if (!BN_GF2m_add(z2, x, y)) return 0;
167 return 2;
168 }
169
170 /* Since Mxy is static we can guarantee that ctx != NULL. */
171 BN_CTX_start(ctx);
172 t3 = BN_CTX_get(ctx);
173 t4 = BN_CTX_get(ctx);
174 t5 = BN_CTX_get(ctx);
175 if (t5 == NULL) goto err;
176
177 if (!BN_one(t5)) goto err;
178
179 if (!group->meth->field_mul(group, t3, z1, z2, ctx)) goto err;
180
181 if (!group->meth->field_mul(group, z1, z1, x, ctx)) goto err;
182 if (!BN_GF2m_add(z1, z1, x1)) goto err;
183 if (!group->meth->field_mul(group, z2, z2, x, ctx)) goto err;
184 if (!group->meth->field_mul(group, x1, z2, x1, ctx)) goto err;
185 if (!BN_GF2m_add(z2, z2, x2)) goto err;
186
187 if (!group->meth->field_mul(group, z2, z2, z1, ctx)) goto err;
188 if (!group->meth->field_sqr(group, t4, x, ctx)) goto err;
189 if (!BN_GF2m_add(t4, t4, y)) goto err;
190 if (!group->meth->field_mul(group, t4, t4, t3, ctx)) goto err;
191 if (!BN_GF2m_add(t4, t4, z2)) goto err;
192
193 if (!group->meth->field_mul(group, t3, t3, x, ctx)) goto err;
194 if (!group->meth->field_div(group, t3, t5, t3, ctx)) goto err;
195 if (!group->meth->field_mul(group, t4, t3, t4, ctx)) goto err;
196 if (!group->meth->field_mul(group, x2, x1, t3, ctx)) goto err;
197 if (!BN_GF2m_add(z2, x2, x)) goto err;
198
199 if (!group->meth->field_mul(group, z2, z2, t4, ctx)) goto err;
200 if (!BN_GF2m_add(z2, z2, y)) goto err;
201
202 ret = 2;
203
204 err:
205 BN_CTX_end(ctx);
206 return ret;
207 }
208
209/* Computes scalar*point and stores the result in r.
210 * point can not equal r.
211 * Uses algorithm 2P of
212 * Lopex, J. and Dahab, R. "Fast multiplication on elliptic curves over
213 * GF(2^m) without precomputation".
214 */
215static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
216 const EC_POINT *point, BN_CTX *ctx)
217 {
218 BIGNUM *x1, *x2, *z1, *z2;
219 int ret = 0, i, j;
220 BN_ULONG mask;
221
222 if (r == point)
223 {
224 ECerr(EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY, EC_R_INVALID_ARGUMENT);
225 return 0;
226 }
227
228 /* if result should be point at infinity */
229 if ((scalar == NULL) || BN_is_zero(scalar) || (point == NULL) ||
230 EC_POINT_is_at_infinity(group, point))
231 {
232 return EC_POINT_set_to_infinity(group, r);
233 }
234
235 /* only support affine coordinates */
236 if (!point->Z_is_one) return 0;
237
238 /* Since point_multiply is static we can guarantee that ctx != NULL. */
239 BN_CTX_start(ctx);
240 x1 = BN_CTX_get(ctx);
241 z1 = BN_CTX_get(ctx);
242 if (z1 == NULL) goto err;
243
244 x2 = &r->X;
245 z2 = &r->Y;
246
247 if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
248 if (!BN_one(z1)) goto err; /* z1 = 1 */
249 if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
250 if (!group->meth->field_sqr(group, x2, z2, ctx)) goto err;
251 if (!BN_GF2m_add(x2, x2, &group->b)) goto err; /* x2 = x^4 + b */
252
253 /* find top most bit and go one past it */
254 i = scalar->top - 1; j = BN_BITS2 - 1;
255 mask = BN_TBIT;
256 while (!(scalar->d[i] & mask)) { mask >>= 1; j--; }
257 mask >>= 1; j--;
258 /* if top most bit was at word break, go to next word */
259 if (!mask)
260 {
261 i--; j = BN_BITS2 - 1;
262 mask = BN_TBIT;
263 }
264
265 for (; i >= 0; i--)
266 {
267 for (; j >= 0; j--)
268 {
269 if (scalar->d[i] & mask)
270 {
271 if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
272 if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
273 }
274 else
275 {
276 if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
277 if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
278 }
279 mask >>= 1;
280 }
281 j = BN_BITS2 - 1;
282 mask = BN_TBIT;
283 }
284
285 /* convert out of "projective" coordinates */
286 i = gf2m_Mxy(group, &point->X, &point->Y, x1, z1, x2, z2, ctx);
287 if (i == 0) goto err;
288 else if (i == 1)
289 {
290 if (!EC_POINT_set_to_infinity(group, r)) goto err;
291 }
292 else
293 {
294 if (!BN_one(&r->Z)) goto err;
295 r->Z_is_one = 1;
296 }
297
298 /* GF(2^m) field elements should always have BIGNUM::neg = 0 */
299 BN_set_negative(&r->X, 0);
300 BN_set_negative(&r->Y, 0);
301
302 ret = 1;
303
304 err:
305 BN_CTX_end(ctx);
306 return ret;
307 }
308
309
310/* Computes the sum
311 * scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1]
312 * gracefully ignoring NULL scalar values.
313 */
314int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
315 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
316 {
317 BN_CTX *new_ctx = NULL;
318 int ret = 0;
319 size_t i;
320 EC_POINT *p=NULL;
321
322 if (ctx == NULL)
323 {
324 ctx = new_ctx = BN_CTX_new();
325 if (ctx == NULL)
326 return 0;
327 }
328
329 /* This implementation is more efficient than the wNAF implementation for 2
330 * or fewer points. Use the ec_wNAF_mul implementation for 3 or more points,
331 * or if we can perform a fast multiplication based on precomputation.
332 */
333 if ((scalar && (num > 1)) || (num > 2) || (num == 0 && EC_GROUP_have_precompute_mult(group)))
334 {
335 ret = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
336 goto err;
337 }
338
339 if ((p = EC_POINT_new(group)) == NULL) goto err;
340
341 if (!EC_POINT_set_to_infinity(group, r)) goto err;
342
343 if (scalar)
344 {
345 if (!ec_GF2m_montgomery_point_multiply(group, p, scalar, group->generator, ctx)) goto err;
346 if (BN_is_negative(scalar))
347 if (!group->meth->invert(group, p, ctx)) goto err;
348 if (!group->meth->add(group, r, r, p, ctx)) goto err;
349 }
350
351 for (i = 0; i < num; i++)
352 {
353 if (!ec_GF2m_montgomery_point_multiply(group, p, scalars[i], points[i], ctx)) goto err;
354 if (BN_is_negative(scalars[i]))
355 if (!group->meth->invert(group, p, ctx)) goto err;
356 if (!group->meth->add(group, r, r, p, ctx)) goto err;
357 }
358
359 ret = 1;
360
361 err:
362 if (p) EC_POINT_free(p);
363 if (new_ctx != NULL)
364 BN_CTX_free(new_ctx);
365 return ret;
366 }
367
368
369/* Precomputation for point multiplication: fall back to wNAF methods
370 * because ec_GF2m_simple_mul() uses ec_wNAF_mul() if appropriate */
371
372int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
373 {
374 return ec_wNAF_precompute_mult(group, ctx);
375 }
376
377int ec_GF2m_have_precompute_mult(const EC_GROUP *group)
378 {
379 return ec_wNAF_have_precompute_mult(group);
380 }
diff --git a/src/lib/libcrypto/ec/ec2_smpl.c b/src/lib/libcrypto/ec/ec2_smpl.c
new file mode 100644
index 0000000000..5cd1eac41f
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec2_smpl.c
@@ -0,0 +1,971 @@
1/* crypto/ec/ec2_smpl.c */
2/* ====================================================================
3 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
4 *
5 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
6 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
7 * to the OpenSSL project.
8 *
9 * The ECC Code is licensed pursuant to the OpenSSL open source
10 * license provided below.
11 *
12 * The software is originally written by Sheueling Chang Shantz and
13 * Douglas Stebila of Sun Microsystems Laboratories.
14 *
15 */
16/* ====================================================================
17 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
18 *
19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions
21 * are met:
22 *
23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer.
25 *
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in
28 * the documentation and/or other materials provided with the
29 * distribution.
30 *
31 * 3. All advertising materials mentioning features or use of this
32 * software must display the following acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
35 *
36 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
37 * endorse or promote products derived from this software without
38 * prior written permission. For written permission, please contact
39 * openssl-core@openssl.org.
40 *
41 * 5. Products derived from this software may not be called "OpenSSL"
42 * nor may "OpenSSL" appear in their names without prior written
43 * permission of the OpenSSL Project.
44 *
45 * 6. Redistributions of any form whatsoever must retain the following
46 * acknowledgment:
47 * "This product includes software developed by the OpenSSL Project
48 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
49 *
50 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
51 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
52 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
53 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
54 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
55 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
56 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
57 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
59 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
60 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
61 * OF THE POSSIBILITY OF SUCH DAMAGE.
62 * ====================================================================
63 *
64 * This product includes cryptographic software written by Eric Young
65 * (eay@cryptsoft.com). This product includes software written by Tim
66 * Hudson (tjh@cryptsoft.com).
67 *
68 */
69
70#include <openssl/err.h>
71
72#include "ec_lcl.h"
73
74
75const EC_METHOD *EC_GF2m_simple_method(void)
76 {
77 static const EC_METHOD ret = {
78 NID_X9_62_characteristic_two_field,
79 ec_GF2m_simple_group_init,
80 ec_GF2m_simple_group_finish,
81 ec_GF2m_simple_group_clear_finish,
82 ec_GF2m_simple_group_copy,
83 ec_GF2m_simple_group_set_curve,
84 ec_GF2m_simple_group_get_curve,
85 ec_GF2m_simple_group_get_degree,
86 ec_GF2m_simple_group_check_discriminant,
87 ec_GF2m_simple_point_init,
88 ec_GF2m_simple_point_finish,
89 ec_GF2m_simple_point_clear_finish,
90 ec_GF2m_simple_point_copy,
91 ec_GF2m_simple_point_set_to_infinity,
92 0 /* set_Jprojective_coordinates_GFp */,
93 0 /* get_Jprojective_coordinates_GFp */,
94 ec_GF2m_simple_point_set_affine_coordinates,
95 ec_GF2m_simple_point_get_affine_coordinates,
96 ec_GF2m_simple_set_compressed_coordinates,
97 ec_GF2m_simple_point2oct,
98 ec_GF2m_simple_oct2point,
99 ec_GF2m_simple_add,
100 ec_GF2m_simple_dbl,
101 ec_GF2m_simple_invert,
102 ec_GF2m_simple_is_at_infinity,
103 ec_GF2m_simple_is_on_curve,
104 ec_GF2m_simple_cmp,
105 ec_GF2m_simple_make_affine,
106 ec_GF2m_simple_points_make_affine,
107
108 /* the following three method functions are defined in ec2_mult.c */
109 ec_GF2m_simple_mul,
110 ec_GF2m_precompute_mult,
111 ec_GF2m_have_precompute_mult,
112
113 ec_GF2m_simple_field_mul,
114 ec_GF2m_simple_field_sqr,
115 ec_GF2m_simple_field_div,
116 0 /* field_encode */,
117 0 /* field_decode */,
118 0 /* field_set_to_one */ };
119
120 return &ret;
121 }
122
123
124/* Initialize a GF(2^m)-based EC_GROUP structure.
125 * Note that all other members are handled by EC_GROUP_new.
126 */
127int ec_GF2m_simple_group_init(EC_GROUP *group)
128 {
129 BN_init(&group->field);
130 BN_init(&group->a);
131 BN_init(&group->b);
132 return 1;
133 }
134
135
136/* Free a GF(2^m)-based EC_GROUP structure.
137 * Note that all other members are handled by EC_GROUP_free.
138 */
139void ec_GF2m_simple_group_finish(EC_GROUP *group)
140 {
141 BN_free(&group->field);
142 BN_free(&group->a);
143 BN_free(&group->b);
144 }
145
146
147/* Clear and free a GF(2^m)-based EC_GROUP structure.
148 * Note that all other members are handled by EC_GROUP_clear_free.
149 */
150void ec_GF2m_simple_group_clear_finish(EC_GROUP *group)
151 {
152 BN_clear_free(&group->field);
153 BN_clear_free(&group->a);
154 BN_clear_free(&group->b);
155 group->poly[0] = 0;
156 group->poly[1] = 0;
157 group->poly[2] = 0;
158 group->poly[3] = 0;
159 group->poly[4] = 0;
160 }
161
162
163/* Copy a GF(2^m)-based EC_GROUP structure.
164 * Note that all other members are handled by EC_GROUP_copy.
165 */
166int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
167 {
168 int i;
169 if (!BN_copy(&dest->field, &src->field)) return 0;
170 if (!BN_copy(&dest->a, &src->a)) return 0;
171 if (!BN_copy(&dest->b, &src->b)) return 0;
172 dest->poly[0] = src->poly[0];
173 dest->poly[1] = src->poly[1];
174 dest->poly[2] = src->poly[2];
175 dest->poly[3] = src->poly[3];
176 dest->poly[4] = src->poly[4];
177 bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
178 bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
179 for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;
180 for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;
181 return 1;
182 }
183
184
185/* Set the curve parameters of an EC_GROUP structure. */
186int ec_GF2m_simple_group_set_curve(EC_GROUP *group,
187 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
188 {
189 int ret = 0, i;
190
191 /* group->field */
192 if (!BN_copy(&group->field, p)) goto err;
193 i = BN_GF2m_poly2arr(&group->field, group->poly, 5);
194 if ((i != 5) && (i != 3))
195 {
196 ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
197 goto err;
198 }
199
200 /* group->a */
201 if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err;
202 bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
203 for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0;
204
205 /* group->b */
206 if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err;
207 bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
208 for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0;
209
210 ret = 1;
211 err:
212 return ret;
213 }
214
215
216/* Get the curve parameters of an EC_GROUP structure.
217 * If p, a, or b are NULL then there values will not be set but the method will return with success.
218 */
219int ec_GF2m_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
220 {
221 int ret = 0;
222
223 if (p != NULL)
224 {
225 if (!BN_copy(p, &group->field)) return 0;
226 }
227
228 if (a != NULL)
229 {
230 if (!BN_copy(a, &group->a)) goto err;
231 }
232
233 if (b != NULL)
234 {
235 if (!BN_copy(b, &group->b)) goto err;
236 }
237
238 ret = 1;
239
240 err:
241 return ret;
242 }
243
244
245/* Gets the degree of the field. For a curve over GF(2^m) this is the value m. */
246int ec_GF2m_simple_group_get_degree(const EC_GROUP *group)
247 {
248 return BN_num_bits(&group->field)-1;
249 }
250
251
252/* Checks the discriminant of the curve.
253 * y^2 + x*y = x^3 + a*x^2 + b is an elliptic curve <=> b != 0 (mod p)
254 */
255int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
256 {
257 int ret = 0;
258 BIGNUM *b;
259 BN_CTX *new_ctx = NULL;
260
261 if (ctx == NULL)
262 {
263 ctx = new_ctx = BN_CTX_new();
264 if (ctx == NULL)
265 {
266 ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE);
267 goto err;
268 }
269 }
270 BN_CTX_start(ctx);
271 b = BN_CTX_get(ctx);
272 if (b == NULL) goto err;
273
274 if (!BN_GF2m_mod_arr(b, &group->b, group->poly)) goto err;
275
276 /* check the discriminant:
277 * y^2 + x*y = x^3 + a*x^2 + b is an elliptic curve <=> b != 0 (mod p)
278 */
279 if (BN_is_zero(b)) goto err;
280
281 ret = 1;
282
283err:
284 if (ctx != NULL)
285 BN_CTX_end(ctx);
286 if (new_ctx != NULL)
287 BN_CTX_free(new_ctx);
288 return ret;
289 }
290
291
292/* Initializes an EC_POINT. */
293int ec_GF2m_simple_point_init(EC_POINT *point)
294 {
295 BN_init(&point->X);
296 BN_init(&point->Y);
297 BN_init(&point->Z);
298 return 1;
299 }
300
301
302/* Frees an EC_POINT. */
303void ec_GF2m_simple_point_finish(EC_POINT *point)
304 {
305 BN_free(&point->X);
306 BN_free(&point->Y);
307 BN_free(&point->Z);
308 }
309
310
311/* Clears and frees an EC_POINT. */
312void ec_GF2m_simple_point_clear_finish(EC_POINT *point)
313 {
314 BN_clear_free(&point->X);
315 BN_clear_free(&point->Y);
316 BN_clear_free(&point->Z);
317 point->Z_is_one = 0;
318 }
319
320
321/* Copy the contents of one EC_POINT into another. Assumes dest is initialized. */
322int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
323 {
324 if (!BN_copy(&dest->X, &src->X)) return 0;
325 if (!BN_copy(&dest->Y, &src->Y)) return 0;
326 if (!BN_copy(&dest->Z, &src->Z)) return 0;
327 dest->Z_is_one = src->Z_is_one;
328
329 return 1;
330 }
331
332
333/* Set an EC_POINT to the point at infinity.
334 * A point at infinity is represented by having Z=0.
335 */
336int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
337 {
338 point->Z_is_one = 0;
339 BN_zero(&point->Z);
340 return 1;
341 }
342
343
344/* Set the coordinates of an EC_POINT using affine coordinates.
345 * Note that the simple implementation only uses affine coordinates.
346 */
347int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
348 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
349 {
350 int ret = 0;
351 if (x == NULL || y == NULL)
352 {
353 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES, ERR_R_PASSED_NULL_PARAMETER);
354 return 0;
355 }
356
357 if (!BN_copy(&point->X, x)) goto err;
358 BN_set_negative(&point->X, 0);
359 if (!BN_copy(&point->Y, y)) goto err;
360 BN_set_negative(&point->Y, 0);
361 if (!BN_copy(&point->Z, BN_value_one())) goto err;
362 BN_set_negative(&point->Z, 0);
363 point->Z_is_one = 1;
364 ret = 1;
365
366 err:
367 return ret;
368 }
369
370
371/* Gets the affine coordinates of an EC_POINT.
372 * Note that the simple implementation only uses affine coordinates.
373 */
374int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
375 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
376 {
377 int ret = 0;
378
379 if (EC_POINT_is_at_infinity(group, point))
380 {
381 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY);
382 return 0;
383 }
384
385 if (BN_cmp(&point->Z, BN_value_one()))
386 {
387 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
388 return 0;
389 }
390 if (x != NULL)
391 {
392 if (!BN_copy(x, &point->X)) goto err;
393 BN_set_negative(x, 0);
394 }
395 if (y != NULL)
396 {
397 if (!BN_copy(y, &point->Y)) goto err;
398 BN_set_negative(y, 0);
399 }
400 ret = 1;
401
402 err:
403 return ret;
404 }
405
406
407/* Include patented algorithms. */
408#include "ec2_smpt.c"
409
410
411/* Converts an EC_POINT to an octet string.
412 * If buf is NULL, the encoded length will be returned.
413 * If the length len of buf is smaller than required an error will be returned.
414 *
415 * The point compression section of this function is patented by Certicom Corp.
416 * under US Patent 6,141,420. Point compression is disabled by default and can
417 * be enabled by defining the preprocessor macro OPENSSL_EC_BIN_PT_COMP at
418 * Configure-time.
419 */
420size_t ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
421 unsigned char *buf, size_t len, BN_CTX *ctx)
422 {
423 size_t ret;
424 BN_CTX *new_ctx = NULL;
425 int used_ctx = 0;
426 BIGNUM *x, *y, *yxi;
427 size_t field_len, i, skip;
428
429#ifndef OPENSSL_EC_BIN_PT_COMP
430 if ((form == POINT_CONVERSION_COMPRESSED) || (form == POINT_CONVERSION_HYBRID))
431 {
432 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_DISABLED);
433 goto err;
434 }
435#endif
436
437 if ((form != POINT_CONVERSION_COMPRESSED)
438 && (form != POINT_CONVERSION_UNCOMPRESSED)
439 && (form != POINT_CONVERSION_HYBRID))
440 {
441 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
442 goto err;
443 }
444
445 if (EC_POINT_is_at_infinity(group, point))
446 {
447 /* encodes to a single 0 octet */
448 if (buf != NULL)
449 {
450 if (len < 1)
451 {
452 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
453 return 0;
454 }
455 buf[0] = 0;
456 }
457 return 1;
458 }
459
460
461 /* ret := required output buffer length */
462 field_len = (EC_GROUP_get_degree(group) + 7) / 8;
463 ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
464
465 /* if 'buf' is NULL, just return required length */
466 if (buf != NULL)
467 {
468 if (len < ret)
469 {
470 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
471 goto err;
472 }
473
474 if (ctx == NULL)
475 {
476 ctx = new_ctx = BN_CTX_new();
477 if (ctx == NULL)
478 return 0;
479 }
480
481 BN_CTX_start(ctx);
482 used_ctx = 1;
483 x = BN_CTX_get(ctx);
484 y = BN_CTX_get(ctx);
485 yxi = BN_CTX_get(ctx);
486 if (yxi == NULL) goto err;
487
488 if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
489
490 buf[0] = form;
491#ifdef OPENSSL_EC_BIN_PT_COMP
492 if ((form != POINT_CONVERSION_UNCOMPRESSED) && !BN_is_zero(x))
493 {
494 if (!group->meth->field_div(group, yxi, y, x, ctx)) goto err;
495 if (BN_is_odd(yxi)) buf[0]++;
496 }
497#endif
498
499 i = 1;
500
501 skip = field_len - BN_num_bytes(x);
502 if (skip > field_len)
503 {
504 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
505 goto err;
506 }
507 while (skip > 0)
508 {
509 buf[i++] = 0;
510 skip--;
511 }
512 skip = BN_bn2bin(x, buf + i);
513 i += skip;
514 if (i != 1 + field_len)
515 {
516 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
517 goto err;
518 }
519
520 if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
521 {
522 skip = field_len - BN_num_bytes(y);
523 if (skip > field_len)
524 {
525 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
526 goto err;
527 }
528 while (skip > 0)
529 {
530 buf[i++] = 0;
531 skip--;
532 }
533 skip = BN_bn2bin(y, buf + i);
534 i += skip;
535 }
536
537 if (i != ret)
538 {
539 ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
540 goto err;
541 }
542 }
543
544 if (used_ctx)
545 BN_CTX_end(ctx);
546 if (new_ctx != NULL)
547 BN_CTX_free(new_ctx);
548 return ret;
549
550 err:
551 if (used_ctx)
552 BN_CTX_end(ctx);
553 if (new_ctx != NULL)
554 BN_CTX_free(new_ctx);
555 return 0;
556 }
557
558
559/* Converts an octet string representation to an EC_POINT.
560 * Note that the simple implementation only uses affine coordinates.
561 */
562int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
563 const unsigned char *buf, size_t len, BN_CTX *ctx)
564 {
565 point_conversion_form_t form;
566 int y_bit;
567 BN_CTX *new_ctx = NULL;
568 BIGNUM *x, *y, *yxi;
569 size_t field_len, enc_len;
570 int ret = 0;
571
572 if (len == 0)
573 {
574 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
575 return 0;
576 }
577 form = buf[0];
578 y_bit = form & 1;
579 form = form & ~1U;
580 if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
581 && (form != POINT_CONVERSION_UNCOMPRESSED)
582 && (form != POINT_CONVERSION_HYBRID))
583 {
584 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
585 return 0;
586 }
587 if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit)
588 {
589 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
590 return 0;
591 }
592
593 if (form == 0)
594 {
595 if (len != 1)
596 {
597 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
598 return 0;
599 }
600
601 return EC_POINT_set_to_infinity(group, point);
602 }
603
604 field_len = (EC_GROUP_get_degree(group) + 7) / 8;
605 enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
606
607 if (len != enc_len)
608 {
609 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
610 return 0;
611 }
612
613 if (ctx == NULL)
614 {
615 ctx = new_ctx = BN_CTX_new();
616 if (ctx == NULL)
617 return 0;
618 }
619
620 BN_CTX_start(ctx);
621 x = BN_CTX_get(ctx);
622 y = BN_CTX_get(ctx);
623 yxi = BN_CTX_get(ctx);
624 if (yxi == NULL) goto err;
625
626 if (!BN_bin2bn(buf + 1, field_len, x)) goto err;
627 if (BN_ucmp(x, &group->field) >= 0)
628 {
629 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
630 goto err;
631 }
632
633 if (form == POINT_CONVERSION_COMPRESSED)
634 {
635 if (!EC_POINT_set_compressed_coordinates_GF2m(group, point, x, y_bit, ctx)) goto err;
636 }
637 else
638 {
639 if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
640 if (BN_ucmp(y, &group->field) >= 0)
641 {
642 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
643 goto err;
644 }
645 if (form == POINT_CONVERSION_HYBRID)
646 {
647 if (!group->meth->field_div(group, yxi, y, x, ctx)) goto err;
648 if (y_bit != BN_is_odd(yxi))
649 {
650 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
651 goto err;
652 }
653 }
654
655 if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
656 }
657
658 if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
659 {
660 ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
661 goto err;
662 }
663
664 ret = 1;
665
666 err:
667 BN_CTX_end(ctx);
668 if (new_ctx != NULL)
669 BN_CTX_free(new_ctx);
670 return ret;
671 }
672
673
674/* Computes a + b and stores the result in r. r could be a or b, a could be b.
675 * Uses algorithm A.10.2 of IEEE P1363.
676 */
677int ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
678 {
679 BN_CTX *new_ctx = NULL;
680 BIGNUM *x0, *y0, *x1, *y1, *x2, *y2, *s, *t;
681 int ret = 0;
682
683 if (EC_POINT_is_at_infinity(group, a))
684 {
685 if (!EC_POINT_copy(r, b)) return 0;
686 return 1;
687 }
688
689 if (EC_POINT_is_at_infinity(group, b))
690 {
691 if (!EC_POINT_copy(r, a)) return 0;
692 return 1;
693 }
694
695 if (ctx == NULL)
696 {
697 ctx = new_ctx = BN_CTX_new();
698 if (ctx == NULL)
699 return 0;
700 }
701
702 BN_CTX_start(ctx);
703 x0 = BN_CTX_get(ctx);
704 y0 = BN_CTX_get(ctx);
705 x1 = BN_CTX_get(ctx);
706 y1 = BN_CTX_get(ctx);
707 x2 = BN_CTX_get(ctx);
708 y2 = BN_CTX_get(ctx);
709 s = BN_CTX_get(ctx);
710 t = BN_CTX_get(ctx);
711 if (t == NULL) goto err;
712
713 if (a->Z_is_one)
714 {
715 if (!BN_copy(x0, &a->X)) goto err;
716 if (!BN_copy(y0, &a->Y)) goto err;
717 }
718 else
719 {
720 if (!EC_POINT_get_affine_coordinates_GF2m(group, a, x0, y0, ctx)) goto err;
721 }
722 if (b->Z_is_one)
723 {
724 if (!BN_copy(x1, &b->X)) goto err;
725 if (!BN_copy(y1, &b->Y)) goto err;
726 }
727 else
728 {
729 if (!EC_POINT_get_affine_coordinates_GF2m(group, b, x1, y1, ctx)) goto err;
730 }
731
732
733 if (BN_GF2m_cmp(x0, x1))
734 {
735 if (!BN_GF2m_add(t, x0, x1)) goto err;
736 if (!BN_GF2m_add(s, y0, y1)) goto err;
737 if (!group->meth->field_div(group, s, s, t, ctx)) goto err;
738 if (!group->meth->field_sqr(group, x2, s, ctx)) goto err;
739 if (!BN_GF2m_add(x2, x2, &group->a)) goto err;
740 if (!BN_GF2m_add(x2, x2, s)) goto err;
741 if (!BN_GF2m_add(x2, x2, t)) goto err;
742 }
743 else
744 {
745 if (BN_GF2m_cmp(y0, y1) || BN_is_zero(x1))
746 {
747 if (!EC_POINT_set_to_infinity(group, r)) goto err;
748 ret = 1;
749 goto err;
750 }
751 if (!group->meth->field_div(group, s, y1, x1, ctx)) goto err;
752 if (!BN_GF2m_add(s, s, x1)) goto err;
753
754 if (!group->meth->field_sqr(group, x2, s, ctx)) goto err;
755 if (!BN_GF2m_add(x2, x2, s)) goto err;
756 if (!BN_GF2m_add(x2, x2, &group->a)) goto err;
757 }
758
759 if (!BN_GF2m_add(y2, x1, x2)) goto err;
760 if (!group->meth->field_mul(group, y2, y2, s, ctx)) goto err;
761 if (!BN_GF2m_add(y2, y2, x2)) goto err;
762 if (!BN_GF2m_add(y2, y2, y1)) goto err;
763
764 if (!EC_POINT_set_affine_coordinates_GF2m(group, r, x2, y2, ctx)) goto err;
765
766 ret = 1;
767
768 err:
769 BN_CTX_end(ctx);
770 if (new_ctx != NULL)
771 BN_CTX_free(new_ctx);
772 return ret;
773 }
774
775
776/* Computes 2 * a and stores the result in r. r could be a.
777 * Uses algorithm A.10.2 of IEEE P1363.
778 */
779int ec_GF2m_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
780 {
781 return ec_GF2m_simple_add(group, r, a, a, ctx);
782 }
783
784
785int ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
786 {
787 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
788 /* point is its own inverse */
789 return 1;
790
791 if (!EC_POINT_make_affine(group, point, ctx)) return 0;
792 return BN_GF2m_add(&point->Y, &point->X, &point->Y);
793 }
794
795
796/* Indicates whether the given point is the point at infinity. */
797int ec_GF2m_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
798 {
799 return BN_is_zero(&point->Z);
800 }
801
802
803/* Determines whether the given EC_POINT is an actual point on the curve defined
804 * in the EC_GROUP. A point is valid if it satisfies the Weierstrass equation:
805 * y^2 + x*y = x^3 + a*x^2 + b.
806 */
807int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
808 {
809 int ret = -1;
810 BN_CTX *new_ctx = NULL;
811 BIGNUM *lh, *y2;
812 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
813 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
814
815 if (EC_POINT_is_at_infinity(group, point))
816 return 1;
817
818 field_mul = group->meth->field_mul;
819 field_sqr = group->meth->field_sqr;
820
821 /* only support affine coordinates */
822 if (!point->Z_is_one) goto err;
823
824 if (ctx == NULL)
825 {
826 ctx = new_ctx = BN_CTX_new();
827 if (ctx == NULL)
828 return -1;
829 }
830
831 BN_CTX_start(ctx);
832 y2 = BN_CTX_get(ctx);
833 lh = BN_CTX_get(ctx);
834 if (lh == NULL) goto err;
835
836 /* We have a curve defined by a Weierstrass equation
837 * y^2 + x*y = x^3 + a*x^2 + b.
838 * <=> x^3 + a*x^2 + x*y + b + y^2 = 0
839 * <=> ((x + a) * x + y ) * x + b + y^2 = 0
840 */
841 if (!BN_GF2m_add(lh, &point->X, &group->a)) goto err;
842 if (!field_mul(group, lh, lh, &point->X, ctx)) goto err;
843 if (!BN_GF2m_add(lh, lh, &point->Y)) goto err;
844 if (!field_mul(group, lh, lh, &point->X, ctx)) goto err;
845 if (!BN_GF2m_add(lh, lh, &group->b)) goto err;
846 if (!field_sqr(group, y2, &point->Y, ctx)) goto err;
847 if (!BN_GF2m_add(lh, lh, y2)) goto err;
848 ret = BN_is_zero(lh);
849 err:
850 if (ctx) BN_CTX_end(ctx);
851 if (new_ctx) BN_CTX_free(new_ctx);
852 return ret;
853 }
854
855
856/* Indicates whether two points are equal.
857 * Return values:
858 * -1 error
859 * 0 equal (in affine coordinates)
860 * 1 not equal
861 */
862int ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
863 {
864 BIGNUM *aX, *aY, *bX, *bY;
865 BN_CTX *new_ctx = NULL;
866 int ret = -1;
867
868 if (EC_POINT_is_at_infinity(group, a))
869 {
870 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
871 }
872
873 if (a->Z_is_one && b->Z_is_one)
874 {
875 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
876 }
877
878 if (ctx == NULL)
879 {
880 ctx = new_ctx = BN_CTX_new();
881 if (ctx == NULL)
882 return -1;
883 }
884
885 BN_CTX_start(ctx);
886 aX = BN_CTX_get(ctx);
887 aY = BN_CTX_get(ctx);
888 bX = BN_CTX_get(ctx);
889 bY = BN_CTX_get(ctx);
890 if (bY == NULL) goto err;
891
892 if (!EC_POINT_get_affine_coordinates_GF2m(group, a, aX, aY, ctx)) goto err;
893 if (!EC_POINT_get_affine_coordinates_GF2m(group, b, bX, bY, ctx)) goto err;
894 ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1;
895
896 err:
897 if (ctx) BN_CTX_end(ctx);
898 if (new_ctx) BN_CTX_free(new_ctx);
899 return ret;
900 }
901
902
903/* Forces the given EC_POINT to internally use affine coordinates. */
904int ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
905 {
906 BN_CTX *new_ctx = NULL;
907 BIGNUM *x, *y;
908 int ret = 0;
909
910 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
911 return 1;
912
913 if (ctx == NULL)
914 {
915 ctx = new_ctx = BN_CTX_new();
916 if (ctx == NULL)
917 return 0;
918 }
919
920 BN_CTX_start(ctx);
921 x = BN_CTX_get(ctx);
922 y = BN_CTX_get(ctx);
923 if (y == NULL) goto err;
924
925 if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
926 if (!BN_copy(&point->X, x)) goto err;
927 if (!BN_copy(&point->Y, y)) goto err;
928 if (!BN_one(&point->Z)) goto err;
929
930 ret = 1;
931
932 err:
933 if (ctx) BN_CTX_end(ctx);
934 if (new_ctx) BN_CTX_free(new_ctx);
935 return ret;
936 }
937
938
939/* Forces each of the EC_POINTs in the given array to use affine coordinates. */
940int ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
941 {
942 size_t i;
943
944 for (i = 0; i < num; i++)
945 {
946 if (!group->meth->make_affine(group, points[i], ctx)) return 0;
947 }
948
949 return 1;
950 }
951
952
953/* Wrapper to simple binary polynomial field multiplication implementation. */
954int ec_GF2m_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
955 {
956 return BN_GF2m_mod_mul_arr(r, a, b, group->poly, ctx);
957 }
958
959
960/* Wrapper to simple binary polynomial field squaring implementation. */
961int ec_GF2m_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
962 {
963 return BN_GF2m_mod_sqr_arr(r, a, group->poly, ctx);
964 }
965
966
967/* Wrapper to simple binary polynomial field division implementation. */
968int ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
969 {
970 return BN_GF2m_mod_div(r, a, b, &group->field, ctx);
971 }
diff --git a/src/lib/libcrypto/ec/ec_asn1.c b/src/lib/libcrypto/ec/ec_asn1.c
new file mode 100644
index 0000000000..ae55539859
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_asn1.c
@@ -0,0 +1,1429 @@
1/* crypto/ec/ec_asn1.c */
2/*
3 * Written by Nils Larsch for the OpenSSL project.
4 */
5/* ====================================================================
6 * Copyright (c) 2000-2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <string.h>
60#include "ec_lcl.h"
61#include <openssl/err.h>
62#include <openssl/asn1t.h>
63#include <openssl/objects.h>
64
65
66int EC_GROUP_get_basis_type(const EC_GROUP *group)
67 {
68 int i=0;
69
70 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
71 NID_X9_62_characteristic_two_field)
72 /* everything else is currently not supported */
73 return 0;
74
75 while (group->poly[i] != 0)
76 i++;
77
78 if (i == 4)
79 return NID_X9_62_ppBasis;
80 else if (i == 2)
81 return NID_X9_62_tpBasis;
82 else
83 /* everything else is currently not supported */
84 return 0;
85 }
86
87int EC_GROUP_get_trinomial_basis(const EC_GROUP *group, unsigned int *k)
88 {
89 if (group == NULL)
90 return 0;
91
92 if (EC_GROUP_method_of(group)->group_set_curve != ec_GF2m_simple_group_set_curve
93 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0)))
94 {
95 ECerr(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
96 return 0;
97 }
98
99 if (k)
100 *k = group->poly[1];
101
102 return 1;
103 }
104
105int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
106 unsigned int *k2, unsigned int *k3)
107 {
108 if (group == NULL)
109 return 0;
110
111 if (EC_GROUP_method_of(group)->group_set_curve != ec_GF2m_simple_group_set_curve
112 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0)))
113 {
114 ECerr(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
115 return 0;
116 }
117
118 if (k1)
119 *k1 = group->poly[3];
120 if (k2)
121 *k2 = group->poly[2];
122 if (k3)
123 *k3 = group->poly[1];
124
125 return 1;
126 }
127
128
129
130/* some structures needed for the asn1 encoding */
131typedef struct x9_62_pentanomial_st {
132 long k1;
133 long k2;
134 long k3;
135 } X9_62_PENTANOMIAL;
136
137typedef struct x9_62_characteristic_two_st {
138 long m;
139 ASN1_OBJECT *type;
140 union {
141 char *ptr;
142 /* NID_X9_62_onBasis */
143 ASN1_NULL *onBasis;
144 /* NID_X9_62_tpBasis */
145 ASN1_INTEGER *tpBasis;
146 /* NID_X9_62_ppBasis */
147 X9_62_PENTANOMIAL *ppBasis;
148 /* anything else */
149 ASN1_TYPE *other;
150 } p;
151 } X9_62_CHARACTERISTIC_TWO;
152
153typedef struct x9_62_fieldid_st {
154 ASN1_OBJECT *fieldType;
155 union {
156 char *ptr;
157 /* NID_X9_62_prime_field */
158 ASN1_INTEGER *prime;
159 /* NID_X9_62_characteristic_two_field */
160 X9_62_CHARACTERISTIC_TWO *char_two;
161 /* anything else */
162 ASN1_TYPE *other;
163 } p;
164 } X9_62_FIELDID;
165
166typedef struct x9_62_curve_st {
167 ASN1_OCTET_STRING *a;
168 ASN1_OCTET_STRING *b;
169 ASN1_BIT_STRING *seed;
170 } X9_62_CURVE;
171
172typedef struct ec_parameters_st {
173 long version;
174 X9_62_FIELDID *fieldID;
175 X9_62_CURVE *curve;
176 ASN1_OCTET_STRING *base;
177 ASN1_INTEGER *order;
178 ASN1_INTEGER *cofactor;
179 } ECPARAMETERS;
180
181struct ecpk_parameters_st {
182 int type;
183 union {
184 ASN1_OBJECT *named_curve;
185 ECPARAMETERS *parameters;
186 ASN1_NULL *implicitlyCA;
187 } value;
188 }/* ECPKPARAMETERS */;
189
190/* SEC1 ECPrivateKey */
191typedef struct ec_privatekey_st {
192 long version;
193 ASN1_OCTET_STRING *privateKey;
194 ECPKPARAMETERS *parameters;
195 ASN1_BIT_STRING *publicKey;
196 } EC_PRIVATEKEY;
197
198/* the OpenSSL ASN.1 definitions */
199ASN1_SEQUENCE(X9_62_PENTANOMIAL) = {
200 ASN1_SIMPLE(X9_62_PENTANOMIAL, k1, LONG),
201 ASN1_SIMPLE(X9_62_PENTANOMIAL, k2, LONG),
202 ASN1_SIMPLE(X9_62_PENTANOMIAL, k3, LONG)
203} ASN1_SEQUENCE_END(X9_62_PENTANOMIAL)
204
205DECLARE_ASN1_ALLOC_FUNCTIONS(X9_62_PENTANOMIAL)
206IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X9_62_PENTANOMIAL)
207
208ASN1_ADB_TEMPLATE(char_two_def) = ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, p.other, ASN1_ANY);
209
210ASN1_ADB(X9_62_CHARACTERISTIC_TWO) = {
211 ADB_ENTRY(NID_X9_62_onBasis, ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, p.onBasis, ASN1_NULL)),
212 ADB_ENTRY(NID_X9_62_tpBasis, ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, p.tpBasis, ASN1_INTEGER)),
213 ADB_ENTRY(NID_X9_62_ppBasis, ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, p.ppBasis, X9_62_PENTANOMIAL))
214} ASN1_ADB_END(X9_62_CHARACTERISTIC_TWO, 0, type, 0, &char_two_def_tt, NULL);
215
216ASN1_SEQUENCE(X9_62_CHARACTERISTIC_TWO) = {
217 ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, m, LONG),
218 ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, type, ASN1_OBJECT),
219 ASN1_ADB_OBJECT(X9_62_CHARACTERISTIC_TWO)
220} ASN1_SEQUENCE_END(X9_62_CHARACTERISTIC_TWO)
221
222DECLARE_ASN1_ALLOC_FUNCTIONS(X9_62_CHARACTERISTIC_TWO)
223IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X9_62_CHARACTERISTIC_TWO)
224
225ASN1_ADB_TEMPLATE(fieldID_def) = ASN1_SIMPLE(X9_62_FIELDID, p.other, ASN1_ANY);
226
227ASN1_ADB(X9_62_FIELDID) = {
228 ADB_ENTRY(NID_X9_62_prime_field, ASN1_SIMPLE(X9_62_FIELDID, p.prime, ASN1_INTEGER)),
229 ADB_ENTRY(NID_X9_62_characteristic_two_field, ASN1_SIMPLE(X9_62_FIELDID, p.char_two, X9_62_CHARACTERISTIC_TWO))
230} ASN1_ADB_END(X9_62_FIELDID, 0, fieldType, 0, &fieldID_def_tt, NULL);
231
232ASN1_SEQUENCE(X9_62_FIELDID) = {
233 ASN1_SIMPLE(X9_62_FIELDID, fieldType, ASN1_OBJECT),
234 ASN1_ADB_OBJECT(X9_62_FIELDID)
235} ASN1_SEQUENCE_END(X9_62_FIELDID)
236
237ASN1_SEQUENCE(X9_62_CURVE) = {
238 ASN1_SIMPLE(X9_62_CURVE, a, ASN1_OCTET_STRING),
239 ASN1_SIMPLE(X9_62_CURVE, b, ASN1_OCTET_STRING),
240 ASN1_OPT(X9_62_CURVE, seed, ASN1_BIT_STRING)
241} ASN1_SEQUENCE_END(X9_62_CURVE)
242
243ASN1_SEQUENCE(ECPARAMETERS) = {
244 ASN1_SIMPLE(ECPARAMETERS, version, LONG),
245 ASN1_SIMPLE(ECPARAMETERS, fieldID, X9_62_FIELDID),
246 ASN1_SIMPLE(ECPARAMETERS, curve, X9_62_CURVE),
247 ASN1_SIMPLE(ECPARAMETERS, base, ASN1_OCTET_STRING),
248 ASN1_SIMPLE(ECPARAMETERS, order, ASN1_INTEGER),
249 ASN1_OPT(ECPARAMETERS, cofactor, ASN1_INTEGER)
250} ASN1_SEQUENCE_END(ECPARAMETERS)
251
252DECLARE_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS)
253IMPLEMENT_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS)
254
255ASN1_CHOICE(ECPKPARAMETERS) = {
256 ASN1_SIMPLE(ECPKPARAMETERS, value.named_curve, ASN1_OBJECT),
257 ASN1_SIMPLE(ECPKPARAMETERS, value.parameters, ECPARAMETERS),
258 ASN1_SIMPLE(ECPKPARAMETERS, value.implicitlyCA, ASN1_NULL)
259} ASN1_CHOICE_END(ECPKPARAMETERS)
260
261DECLARE_ASN1_FUNCTIONS_const(ECPKPARAMETERS)
262DECLARE_ASN1_ENCODE_FUNCTIONS_const(ECPKPARAMETERS, ECPKPARAMETERS)
263IMPLEMENT_ASN1_FUNCTIONS_const(ECPKPARAMETERS)
264
265ASN1_SEQUENCE(EC_PRIVATEKEY) = {
266 ASN1_SIMPLE(EC_PRIVATEKEY, version, LONG),
267 ASN1_SIMPLE(EC_PRIVATEKEY, privateKey, ASN1_OCTET_STRING),
268 ASN1_EXP_OPT(EC_PRIVATEKEY, parameters, ECPKPARAMETERS, 0),
269 ASN1_EXP_OPT(EC_PRIVATEKEY, publicKey, ASN1_BIT_STRING, 1)
270} ASN1_SEQUENCE_END(EC_PRIVATEKEY)
271
272DECLARE_ASN1_FUNCTIONS_const(EC_PRIVATEKEY)
273DECLARE_ASN1_ENCODE_FUNCTIONS_const(EC_PRIVATEKEY, EC_PRIVATEKEY)
274IMPLEMENT_ASN1_FUNCTIONS_const(EC_PRIVATEKEY)
275
276/* some declarations of internal function */
277
278/* ec_asn1_group2field() sets the values in a X9_62_FIELDID object */
279static int ec_asn1_group2fieldid(const EC_GROUP *, X9_62_FIELDID *);
280/* ec_asn1_group2curve() sets the values in a X9_62_CURVE object */
281static int ec_asn1_group2curve(const EC_GROUP *, X9_62_CURVE *);
282/* ec_asn1_parameters2group() creates a EC_GROUP object from a
283 * ECPARAMETERS object */
284static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *);
285/* ec_asn1_group2parameters() creates a ECPARAMETERS object from a
286 * EC_GROUP object */
287static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *,ECPARAMETERS *);
288/* ec_asn1_pkparameters2group() creates a EC_GROUP object from a
289 * ECPKPARAMETERS object */
290static EC_GROUP *ec_asn1_pkparameters2group(const ECPKPARAMETERS *);
291/* ec_asn1_group2pkparameters() creates a ECPKPARAMETERS object from a
292 * EC_GROUP object */
293static ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *,
294 ECPKPARAMETERS *);
295
296
297/* the function definitions */
298
299static int ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field)
300 {
301 int ok=0, nid;
302 BIGNUM *tmp = NULL;
303
304 if (group == NULL || field == NULL)
305 return 0;
306
307 /* clear the old values (if necessary) */
308 if (field->fieldType != NULL)
309 ASN1_OBJECT_free(field->fieldType);
310 if (field->p.other != NULL)
311 ASN1_TYPE_free(field->p.other);
312
313 nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
314 /* set OID for the field */
315 if ((field->fieldType = OBJ_nid2obj(nid)) == NULL)
316 {
317 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_OBJ_LIB);
318 goto err;
319 }
320
321 if (nid == NID_X9_62_prime_field)
322 {
323 if ((tmp = BN_new()) == NULL)
324 {
325 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
326 goto err;
327 }
328 /* the parameters are specified by the prime number p */
329 if (!EC_GROUP_get_curve_GFp(group, tmp, NULL, NULL, NULL))
330 {
331 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_EC_LIB);
332 goto err;
333 }
334 /* set the prime number */
335 field->p.prime = BN_to_ASN1_INTEGER(tmp,NULL);
336 if (field->p.prime == NULL)
337 {
338 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_ASN1_LIB);
339 goto err;
340 }
341 }
342 else /* nid == NID_X9_62_characteristic_two_field */
343 {
344 int field_type;
345 X9_62_CHARACTERISTIC_TWO *char_two;
346
347 field->p.char_two = X9_62_CHARACTERISTIC_TWO_new();
348 char_two = field->p.char_two;
349
350 if (char_two == NULL)
351 {
352 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
353 goto err;
354 }
355
356 char_two->m = (long)EC_GROUP_get_degree(group);
357
358 field_type = EC_GROUP_get_basis_type(group);
359
360 if (field_type == 0)
361 {
362 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_EC_LIB);
363 goto err;
364 }
365 /* set base type OID */
366 if ((char_two->type = OBJ_nid2obj(field_type)) == NULL)
367 {
368 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_OBJ_LIB);
369 goto err;
370 }
371
372 if (field_type == NID_X9_62_tpBasis)
373 {
374 unsigned int k;
375
376 if (!EC_GROUP_get_trinomial_basis(group, &k))
377 goto err;
378
379 char_two->p.tpBasis = ASN1_INTEGER_new();
380 if (!char_two->p.tpBasis)
381 {
382 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
383 goto err;
384 }
385 if (!ASN1_INTEGER_set(char_two->p.tpBasis, (long)k))
386 {
387 ECerr(EC_F_EC_ASN1_GROUP2FIELDID,
388 ERR_R_ASN1_LIB);
389 goto err;
390 }
391 }
392 else if (field_type == NID_X9_62_ppBasis)
393 {
394 unsigned int k1, k2, k3;
395
396 if (!EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3))
397 goto err;
398
399 char_two->p.ppBasis = X9_62_PENTANOMIAL_new();
400 if (!char_two->p.ppBasis)
401 {
402 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
403 goto err;
404 }
405
406 /* set k? values */
407 char_two->p.ppBasis->k1 = (long)k1;
408 char_two->p.ppBasis->k2 = (long)k2;
409 char_two->p.ppBasis->k3 = (long)k3;
410 }
411 else /* field_type == NID_X9_62_onBasis */
412 {
413 /* for ONB the parameters are (asn1) NULL */
414 char_two->p.onBasis = ASN1_NULL_new();
415 if (!char_two->p.onBasis)
416 {
417 ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
418 goto err;
419 }
420 }
421 }
422
423 ok = 1;
424
425err : if (tmp)
426 BN_free(tmp);
427 return(ok);
428}
429
430static int ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve)
431 {
432 int ok=0, nid;
433 BIGNUM *tmp_1=NULL, *tmp_2=NULL;
434 unsigned char *buffer_1=NULL, *buffer_2=NULL,
435 *a_buf=NULL, *b_buf=NULL;
436 size_t len_1, len_2;
437 unsigned char char_zero = 0;
438
439 if (!group || !curve || !curve->a || !curve->b)
440 return 0;
441
442 if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL)
443 {
444 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE);
445 goto err;
446 }
447
448 nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
449
450 /* get a and b */
451 if (nid == NID_X9_62_prime_field)
452 {
453 if (!EC_GROUP_get_curve_GFp(group, NULL, tmp_1, tmp_2, NULL))
454 {
455 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_EC_LIB);
456 goto err;
457 }
458 }
459 else /* nid == NID_X9_62_characteristic_two_field */
460 {
461 if (!EC_GROUP_get_curve_GF2m(group, NULL, tmp_1, tmp_2, NULL))
462 {
463 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_EC_LIB);
464 goto err;
465 }
466 }
467
468 len_1 = (size_t)BN_num_bytes(tmp_1);
469 len_2 = (size_t)BN_num_bytes(tmp_2);
470
471 if (len_1 == 0)
472 {
473 /* len_1 == 0 => a == 0 */
474 a_buf = &char_zero;
475 len_1 = 1;
476 }
477 else
478 {
479 if ((buffer_1 = OPENSSL_malloc(len_1)) == NULL)
480 {
481 ECerr(EC_F_EC_ASN1_GROUP2CURVE,
482 ERR_R_MALLOC_FAILURE);
483 goto err;
484 }
485 if ( (len_1 = BN_bn2bin(tmp_1, buffer_1)) == 0)
486 {
487 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_BN_LIB);
488 goto err;
489 }
490 a_buf = buffer_1;
491 }
492
493 if (len_2 == 0)
494 {
495 /* len_2 == 0 => b == 0 */
496 b_buf = &char_zero;
497 len_2 = 1;
498 }
499 else
500 {
501 if ((buffer_2 = OPENSSL_malloc(len_2)) == NULL)
502 {
503 ECerr(EC_F_EC_ASN1_GROUP2CURVE,
504 ERR_R_MALLOC_FAILURE);
505 goto err;
506 }
507 if ( (len_2 = BN_bn2bin(tmp_2, buffer_2)) == 0)
508 {
509 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_BN_LIB);
510 goto err;
511 }
512 b_buf = buffer_2;
513 }
514
515 /* set a and b */
516 if (!M_ASN1_OCTET_STRING_set(curve->a, a_buf, len_1) ||
517 !M_ASN1_OCTET_STRING_set(curve->b, b_buf, len_2))
518 {
519 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_ASN1_LIB);
520 goto err;
521 }
522
523 /* set the seed (optional) */
524 if (group->seed)
525 {
526 if (!curve->seed)
527 if ((curve->seed = ASN1_BIT_STRING_new()) == NULL)
528 {
529 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE);
530 goto err;
531 }
532 curve->seed->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
533 curve->seed->flags |= ASN1_STRING_FLAG_BITS_LEFT;
534 if (!ASN1_BIT_STRING_set(curve->seed, group->seed,
535 (int)group->seed_len))
536 {
537 ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_ASN1_LIB);
538 goto err;
539 }
540 }
541 else
542 {
543 if (curve->seed)
544 {
545 ASN1_BIT_STRING_free(curve->seed);
546 curve->seed = NULL;
547 }
548 }
549
550 ok = 1;
551
552err: if (buffer_1)
553 OPENSSL_free(buffer_1);
554 if (buffer_2)
555 OPENSSL_free(buffer_2);
556 if (tmp_1)
557 BN_free(tmp_1);
558 if (tmp_2)
559 BN_free(tmp_2);
560 return(ok);
561 }
562
563static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *group,
564 ECPARAMETERS *param)
565 {
566 int ok=0;
567 size_t len=0;
568 ECPARAMETERS *ret=NULL;
569 BIGNUM *tmp=NULL;
570 unsigned char *buffer=NULL;
571 const EC_POINT *point=NULL;
572 point_conversion_form_t form;
573
574 if ((tmp = BN_new()) == NULL)
575 {
576 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE);
577 goto err;
578 }
579
580 if (param == NULL)
581 {
582 if ((ret = ECPARAMETERS_new()) == NULL)
583 {
584 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS,
585 ERR_R_MALLOC_FAILURE);
586 goto err;
587 }
588 }
589 else
590 ret = param;
591
592 /* set the version (always one) */
593 ret->version = (long)0x1;
594
595 /* set the fieldID */
596 if (!ec_asn1_group2fieldid(group, ret->fieldID))
597 {
598 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
599 goto err;
600 }
601
602 /* set the curve */
603 if (!ec_asn1_group2curve(group, ret->curve))
604 {
605 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
606 goto err;
607 }
608
609 /* set the base point */
610 if ((point = EC_GROUP_get0_generator(group)) == NULL)
611 {
612 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, EC_R_UNDEFINED_GENERATOR);
613 goto err;
614 }
615
616 form = EC_GROUP_get_point_conversion_form(group);
617
618 len = EC_POINT_point2oct(group, point, form, NULL, len, NULL);
619 if (len == 0)
620 {
621 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
622 goto err;
623 }
624 if ((buffer = OPENSSL_malloc(len)) == NULL)
625 {
626 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE);
627 goto err;
628 }
629 if (!EC_POINT_point2oct(group, point, form, buffer, len, NULL))
630 {
631 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
632 goto err;
633 }
634 if (ret->base == NULL && (ret->base = ASN1_OCTET_STRING_new()) == NULL)
635 {
636 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE);
637 goto err;
638 }
639 if (!ASN1_OCTET_STRING_set(ret->base, buffer, len))
640 {
641 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB);
642 goto err;
643 }
644
645 /* set the order */
646 if (!EC_GROUP_get_order(group, tmp, NULL))
647 {
648 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
649 goto err;
650 }
651 ret->order = BN_to_ASN1_INTEGER(tmp, ret->order);
652 if (ret->order == NULL)
653 {
654 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB);
655 goto err;
656 }
657
658 /* set the cofactor (optional) */
659 if (EC_GROUP_get_cofactor(group, tmp, NULL))
660 {
661 ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor);
662 if (ret->cofactor == NULL)
663 {
664 ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB);
665 goto err;
666 }
667 }
668
669 ok = 1;
670
671err : if(!ok)
672 {
673 if (ret && !param)
674 ECPARAMETERS_free(ret);
675 ret = NULL;
676 }
677 if (tmp)
678 BN_free(tmp);
679 if (buffer)
680 OPENSSL_free(buffer);
681 return(ret);
682 }
683
684ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *group,
685 ECPKPARAMETERS *params)
686 {
687 int ok = 1, tmp;
688 ECPKPARAMETERS *ret = params;
689
690 if (ret == NULL)
691 {
692 if ((ret = ECPKPARAMETERS_new()) == NULL)
693 {
694 ECerr(EC_F_EC_ASN1_GROUP2PKPARAMETERS,
695 ERR_R_MALLOC_FAILURE);
696 return NULL;
697 }
698 }
699 else
700 {
701 if (ret->type == 0 && ret->value.named_curve)
702 ASN1_OBJECT_free(ret->value.named_curve);
703 else if (ret->type == 1 && ret->value.parameters)
704 ECPARAMETERS_free(ret->value.parameters);
705 }
706
707 if (EC_GROUP_get_asn1_flag(group))
708 {
709 /* use the asn1 OID to describe the
710 * the elliptic curve parameters
711 */
712 tmp = EC_GROUP_get_curve_name(group);
713 if (tmp)
714 {
715 ret->type = 0;
716 if ((ret->value.named_curve = OBJ_nid2obj(tmp)) == NULL)
717 ok = 0;
718 }
719 else
720 /* we don't kmow the nid => ERROR */
721 ok = 0;
722 }
723 else
724 {
725 /* use the ECPARAMETERS structure */
726 ret->type = 1;
727 if ((ret->value.parameters = ec_asn1_group2parameters(
728 group, NULL)) == NULL)
729 ok = 0;
730 }
731
732 if (!ok)
733 {
734 ECPKPARAMETERS_free(ret);
735 return NULL;
736 }
737 return ret;
738 }
739
740static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params)
741 {
742 int ok = 0, tmp;
743 EC_GROUP *ret = NULL;
744 BIGNUM *p = NULL, *a = NULL, *b = NULL;
745 EC_POINT *point=NULL;
746 long field_bits;
747
748 if (!params->fieldID || !params->fieldID->fieldType ||
749 !params->fieldID->p.ptr)
750 {
751 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
752 goto err;
753 }
754
755 /* now extract the curve parameters a and b */
756 if (!params->curve || !params->curve->a ||
757 !params->curve->a->data || !params->curve->b ||
758 !params->curve->b->data)
759 {
760 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
761 goto err;
762 }
763 a = BN_bin2bn(params->curve->a->data, params->curve->a->length, NULL);
764 if (a == NULL)
765 {
766 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_BN_LIB);
767 goto err;
768 }
769 b = BN_bin2bn(params->curve->b->data, params->curve->b->length, NULL);
770 if (b == NULL)
771 {
772 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_BN_LIB);
773 goto err;
774 }
775
776 /* get the field parameters */
777 tmp = OBJ_obj2nid(params->fieldID->fieldType);
778
779 if (tmp == NID_X9_62_characteristic_two_field)
780 {
781 X9_62_CHARACTERISTIC_TWO *char_two;
782
783 char_two = params->fieldID->p.char_two;
784
785 field_bits = char_two->m;
786 if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS)
787 {
788 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_FIELD_TOO_LARGE);
789 goto err;
790 }
791
792 if ((p = BN_new()) == NULL)
793 {
794 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_MALLOC_FAILURE);
795 goto err;
796 }
797
798 /* get the base type */
799 tmp = OBJ_obj2nid(char_two->type);
800
801 if (tmp == NID_X9_62_tpBasis)
802 {
803 long tmp_long;
804
805 if (!char_two->p.tpBasis)
806 {
807 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
808 goto err;
809 }
810
811 tmp_long = ASN1_INTEGER_get(char_two->p.tpBasis);
812
813 if (!(char_two->m > tmp_long && tmp_long > 0))
814 {
815 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_TRINOMIAL_BASIS);
816 goto err;
817 }
818
819 /* create the polynomial */
820 if (!BN_set_bit(p, (int)char_two->m))
821 goto err;
822 if (!BN_set_bit(p, (int)tmp_long))
823 goto err;
824 if (!BN_set_bit(p, 0))
825 goto err;
826 }
827 else if (tmp == NID_X9_62_ppBasis)
828 {
829 X9_62_PENTANOMIAL *penta;
830
831 penta = char_two->p.ppBasis;
832 if (!penta)
833 {
834 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
835 goto err;
836 }
837
838 if (!(char_two->m > penta->k3 && penta->k3 > penta->k2 && penta->k2 > penta->k1 && penta->k1 > 0))
839 {
840 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_PENTANOMIAL_BASIS);
841 goto err;
842 }
843
844 /* create the polynomial */
845 if (!BN_set_bit(p, (int)char_two->m)) goto err;
846 if (!BN_set_bit(p, (int)penta->k1)) goto err;
847 if (!BN_set_bit(p, (int)penta->k2)) goto err;
848 if (!BN_set_bit(p, (int)penta->k3)) goto err;
849 if (!BN_set_bit(p, 0)) goto err;
850 }
851 else if (tmp == NID_X9_62_onBasis)
852 {
853 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_NOT_IMPLEMENTED);
854 goto err;
855 }
856 else /* error */
857 {
858 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
859 goto err;
860 }
861
862 /* create the EC_GROUP structure */
863 ret = EC_GROUP_new_curve_GF2m(p, a, b, NULL);
864 }
865 else if (tmp == NID_X9_62_prime_field)
866 {
867 /* we have a curve over a prime field */
868 /* extract the prime number */
869 if (!params->fieldID->p.prime)
870 {
871 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
872 goto err;
873 }
874 p = ASN1_INTEGER_to_BN(params->fieldID->p.prime, NULL);
875 if (p == NULL)
876 {
877 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB);
878 goto err;
879 }
880
881 if (BN_is_negative(p) || BN_is_zero(p))
882 {
883 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_FIELD);
884 goto err;
885 }
886
887 field_bits = BN_num_bits(p);
888 if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS)
889 {
890 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_FIELD_TOO_LARGE);
891 goto err;
892 }
893
894 /* create the EC_GROUP structure */
895 ret = EC_GROUP_new_curve_GFp(p, a, b, NULL);
896 }
897 else
898 {
899 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_FIELD);
900 goto err;
901 }
902
903 if (ret == NULL)
904 {
905 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB);
906 goto err;
907 }
908
909 /* extract seed (optional) */
910 if (params->curve->seed != NULL)
911 {
912 if (ret->seed != NULL)
913 OPENSSL_free(ret->seed);
914 if (!(ret->seed = OPENSSL_malloc(params->curve->seed->length)))
915 {
916 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP,
917 ERR_R_MALLOC_FAILURE);
918 goto err;
919 }
920 memcpy(ret->seed, params->curve->seed->data,
921 params->curve->seed->length);
922 ret->seed_len = params->curve->seed->length;
923 }
924
925 if (!params->order || !params->base || !params->base->data)
926 {
927 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
928 goto err;
929 }
930
931 if ((point = EC_POINT_new(ret)) == NULL) goto err;
932
933 /* set the point conversion form */
934 EC_GROUP_set_point_conversion_form(ret, (point_conversion_form_t)
935 (params->base->data[0] & ~0x01));
936
937 /* extract the ec point */
938 if (!EC_POINT_oct2point(ret, point, params->base->data,
939 params->base->length, NULL))
940 {
941 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB);
942 goto err;
943 }
944
945 /* extract the order */
946 if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL)
947 {
948 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB);
949 goto err;
950 }
951 if (BN_is_negative(a) || BN_is_zero(a))
952 {
953 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_GROUP_ORDER);
954 goto err;
955 }
956 if (BN_num_bits(a) > (int)field_bits + 1) /* Hasse bound */
957 {
958 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_GROUP_ORDER);
959 goto err;
960 }
961
962 /* extract the cofactor (optional) */
963 if (params->cofactor == NULL)
964 {
965 if (b)
966 {
967 BN_free(b);
968 b = NULL;
969 }
970 }
971 else
972 if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL)
973 {
974 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB);
975 goto err;
976 }
977 /* set the generator, order and cofactor (if present) */
978 if (!EC_GROUP_set_generator(ret, point, a, b))
979 {
980 ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB);
981 goto err;
982 }
983
984 ok = 1;
985
986err: if (!ok)
987 {
988 if (ret)
989 EC_GROUP_clear_free(ret);
990 ret = NULL;
991 }
992
993 if (p)
994 BN_free(p);
995 if (a)
996 BN_free(a);
997 if (b)
998 BN_free(b);
999 if (point)
1000 EC_POINT_free(point);
1001 return(ret);
1002}
1003
1004EC_GROUP *ec_asn1_pkparameters2group(const ECPKPARAMETERS *params)
1005 {
1006 EC_GROUP *ret=NULL;
1007 int tmp=0;
1008
1009 if (params == NULL)
1010 {
1011 ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP,
1012 EC_R_MISSING_PARAMETERS);
1013 return NULL;
1014 }
1015
1016 if (params->type == 0)
1017 { /* the curve is given by an OID */
1018 tmp = OBJ_obj2nid(params->value.named_curve);
1019 if ((ret = EC_GROUP_new_by_curve_name(tmp)) == NULL)
1020 {
1021 ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP,
1022 EC_R_EC_GROUP_NEW_BY_NAME_FAILURE);
1023 return NULL;
1024 }
1025 EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_NAMED_CURVE);
1026 }
1027 else if (params->type == 1)
1028 { /* the parameters are given by a ECPARAMETERS
1029 * structure */
1030 ret = ec_asn1_parameters2group(params->value.parameters);
1031 if (!ret)
1032 {
1033 ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP, ERR_R_EC_LIB);
1034 return NULL;
1035 }
1036 EC_GROUP_set_asn1_flag(ret, 0x0);
1037 }
1038 else if (params->type == 2)
1039 { /* implicitlyCA */
1040 return NULL;
1041 }
1042 else
1043 {
1044 ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP, EC_R_ASN1_ERROR);
1045 return NULL;
1046 }
1047
1048 return ret;
1049 }
1050
1051/* EC_GROUP <-> DER encoding of ECPKPARAMETERS */
1052
1053EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
1054 {
1055 EC_GROUP *group = NULL;
1056 ECPKPARAMETERS *params = NULL;
1057
1058 if ((params = d2i_ECPKPARAMETERS(NULL, in, len)) == NULL)
1059 {
1060 ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_D2I_ECPKPARAMETERS_FAILURE);
1061 ECPKPARAMETERS_free(params);
1062 return NULL;
1063 }
1064
1065 if ((group = ec_asn1_pkparameters2group(params)) == NULL)
1066 {
1067 ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_PKPARAMETERS2GROUP_FAILURE);
1068 return NULL;
1069 }
1070
1071
1072 if (a && *a)
1073 EC_GROUP_clear_free(*a);
1074 if (a)
1075 *a = group;
1076
1077 ECPKPARAMETERS_free(params);
1078 return(group);
1079 }
1080
1081int i2d_ECPKParameters(const EC_GROUP *a, unsigned char **out)
1082 {
1083 int ret=0;
1084 ECPKPARAMETERS *tmp = ec_asn1_group2pkparameters(a, NULL);
1085 if (tmp == NULL)
1086 {
1087 ECerr(EC_F_I2D_ECPKPARAMETERS, EC_R_GROUP2PKPARAMETERS_FAILURE);
1088 return 0;
1089 }
1090 if ((ret = i2d_ECPKPARAMETERS(tmp, out)) == 0)
1091 {
1092 ECerr(EC_F_I2D_ECPKPARAMETERS, EC_R_I2D_ECPKPARAMETERS_FAILURE);
1093 ECPKPARAMETERS_free(tmp);
1094 return 0;
1095 }
1096 ECPKPARAMETERS_free(tmp);
1097 return(ret);
1098 }
1099
1100/* some EC_KEY functions */
1101
1102EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
1103 {
1104 int ok=0;
1105 EC_KEY *ret=NULL;
1106 EC_PRIVATEKEY *priv_key=NULL;
1107
1108 if ((priv_key = EC_PRIVATEKEY_new()) == NULL)
1109 {
1110 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
1111 return NULL;
1112 }
1113
1114 if ((priv_key = d2i_EC_PRIVATEKEY(&priv_key, in, len)) == NULL)
1115 {
1116 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
1117 EC_PRIVATEKEY_free(priv_key);
1118 return NULL;
1119 }
1120
1121 if (a == NULL || *a == NULL)
1122 {
1123 if ((ret = EC_KEY_new()) == NULL)
1124 {
1125 ECerr(EC_F_D2I_ECPRIVATEKEY,
1126 ERR_R_MALLOC_FAILURE);
1127 goto err;
1128 }
1129 if (a)
1130 *a = ret;
1131 }
1132 else
1133 ret = *a;
1134
1135 if (priv_key->parameters)
1136 {
1137 if (ret->group)
1138 EC_GROUP_clear_free(ret->group);
1139 ret->group = ec_asn1_pkparameters2group(priv_key->parameters);
1140 }
1141
1142 if (ret->group == NULL)
1143 {
1144 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
1145 goto err;
1146 }
1147
1148 ret->version = priv_key->version;
1149
1150 if (priv_key->privateKey)
1151 {
1152 ret->priv_key = BN_bin2bn(
1153 M_ASN1_STRING_data(priv_key->privateKey),
1154 M_ASN1_STRING_length(priv_key->privateKey),
1155 ret->priv_key);
1156 if (ret->priv_key == NULL)
1157 {
1158 ECerr(EC_F_D2I_ECPRIVATEKEY,
1159 ERR_R_BN_LIB);
1160 goto err;
1161 }
1162 }
1163 else
1164 {
1165 ECerr(EC_F_D2I_ECPRIVATEKEY,
1166 EC_R_MISSING_PRIVATE_KEY);
1167 goto err;
1168 }
1169
1170 if (priv_key->publicKey)
1171 {
1172 const unsigned char *pub_oct;
1173 size_t pub_oct_len;
1174
1175 if (ret->pub_key)
1176 EC_POINT_clear_free(ret->pub_key);
1177 ret->pub_key = EC_POINT_new(ret->group);
1178 if (ret->pub_key == NULL)
1179 {
1180 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
1181 goto err;
1182 }
1183 pub_oct = M_ASN1_STRING_data(priv_key->publicKey);
1184 pub_oct_len = M_ASN1_STRING_length(priv_key->publicKey);
1185 /* save the point conversion form */
1186 ret->conv_form = (point_conversion_form_t)(pub_oct[0] & ~0x01);
1187 if (!EC_POINT_oct2point(ret->group, ret->pub_key,
1188 pub_oct, pub_oct_len, NULL))
1189 {
1190 ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
1191 goto err;
1192 }
1193 }
1194
1195 ok = 1;
1196err:
1197 if (!ok)
1198 {
1199 if (ret)
1200 EC_KEY_free(ret);
1201 ret = NULL;
1202 }
1203
1204 if (priv_key)
1205 EC_PRIVATEKEY_free(priv_key);
1206
1207 return(ret);
1208 }
1209
1210int i2d_ECPrivateKey(EC_KEY *a, unsigned char **out)
1211 {
1212 int ret=0, ok=0;
1213 unsigned char *buffer=NULL;
1214 size_t buf_len=0, tmp_len;
1215 EC_PRIVATEKEY *priv_key=NULL;
1216
1217 if (a == NULL || a->group == NULL || a->priv_key == NULL)
1218 {
1219 ECerr(EC_F_I2D_ECPRIVATEKEY,
1220 ERR_R_PASSED_NULL_PARAMETER);
1221 goto err;
1222 }
1223
1224 if ((priv_key = EC_PRIVATEKEY_new()) == NULL)
1225 {
1226 ECerr(EC_F_I2D_ECPRIVATEKEY,
1227 ERR_R_MALLOC_FAILURE);
1228 goto err;
1229 }
1230
1231 priv_key->version = a->version;
1232
1233 buf_len = (size_t)BN_num_bytes(a->priv_key);
1234 buffer = OPENSSL_malloc(buf_len);
1235 if (buffer == NULL)
1236 {
1237 ECerr(EC_F_I2D_ECPRIVATEKEY,
1238 ERR_R_MALLOC_FAILURE);
1239 goto err;
1240 }
1241
1242 if (!BN_bn2bin(a->priv_key, buffer))
1243 {
1244 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_BN_LIB);
1245 goto err;
1246 }
1247
1248 if (!M_ASN1_OCTET_STRING_set(priv_key->privateKey, buffer, buf_len))
1249 {
1250 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_ASN1_LIB);
1251 goto err;
1252 }
1253
1254 if (!(a->enc_flag & EC_PKEY_NO_PARAMETERS))
1255 {
1256 if ((priv_key->parameters = ec_asn1_group2pkparameters(
1257 a->group, priv_key->parameters)) == NULL)
1258 {
1259 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
1260 goto err;
1261 }
1262 }
1263
1264 if (!(a->enc_flag & EC_PKEY_NO_PUBKEY))
1265 {
1266 priv_key->publicKey = M_ASN1_BIT_STRING_new();
1267 if (priv_key->publicKey == NULL)
1268 {
1269 ECerr(EC_F_I2D_ECPRIVATEKEY,
1270 ERR_R_MALLOC_FAILURE);
1271 goto err;
1272 }
1273
1274 tmp_len = EC_POINT_point2oct(a->group, a->pub_key,
1275 a->conv_form, NULL, 0, NULL);
1276
1277 if (tmp_len > buf_len)
1278 {
1279 unsigned char *tmp_buffer = OPENSSL_realloc(buffer, tmp_len);
1280 if (!tmp_buffer)
1281 {
1282 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
1283 goto err;
1284 }
1285 buffer = tmp_buffer;
1286 buf_len = tmp_len;
1287 }
1288
1289 if (!EC_POINT_point2oct(a->group, a->pub_key,
1290 a->conv_form, buffer, buf_len, NULL))
1291 {
1292 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
1293 goto err;
1294 }
1295
1296 priv_key->publicKey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
1297 priv_key->publicKey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
1298 if (!M_ASN1_BIT_STRING_set(priv_key->publicKey, buffer,
1299 buf_len))
1300 {
1301 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_ASN1_LIB);
1302 goto err;
1303 }
1304 }
1305
1306 if ((ret = i2d_EC_PRIVATEKEY(priv_key, out)) == 0)
1307 {
1308 ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
1309 goto err;
1310 }
1311 ok=1;
1312err:
1313 if (buffer)
1314 OPENSSL_free(buffer);
1315 if (priv_key)
1316 EC_PRIVATEKEY_free(priv_key);
1317 return(ok?ret:0);
1318 }
1319
1320int i2d_ECParameters(EC_KEY *a, unsigned char **out)
1321 {
1322 if (a == NULL)
1323 {
1324 ECerr(EC_F_I2D_ECPARAMETERS, ERR_R_PASSED_NULL_PARAMETER);
1325 return 0;
1326 }
1327 return i2d_ECPKParameters(a->group, out);
1328 }
1329
1330EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
1331 {
1332 EC_KEY *ret;
1333
1334 if (in == NULL || *in == NULL)
1335 {
1336 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_PASSED_NULL_PARAMETER);
1337 return NULL;
1338 }
1339
1340 if (a == NULL || *a == NULL)
1341 {
1342 if ((ret = EC_KEY_new()) == NULL)
1343 {
1344 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
1345 return NULL;
1346 }
1347 if (a)
1348 *a = ret;
1349 }
1350 else
1351 ret = *a;
1352
1353 if (!d2i_ECPKParameters(&ret->group, in, len))
1354 {
1355 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
1356 return NULL;
1357 }
1358
1359 return ret;
1360 }
1361
1362EC_KEY *o2i_ECPublicKey(EC_KEY **a, const unsigned char **in, long len)
1363 {
1364 EC_KEY *ret=NULL;
1365
1366 if (a == NULL || (*a) == NULL || (*a)->group == NULL)
1367 {
1368 /* sorry, but a EC_GROUP-structur is necessary
1369 * to set the public key */
1370 ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_PASSED_NULL_PARAMETER);
1371 return 0;
1372 }
1373 ret = *a;
1374 if (ret->pub_key == NULL &&
1375 (ret->pub_key = EC_POINT_new(ret->group)) == NULL)
1376 {
1377 ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_MALLOC_FAILURE);
1378 return 0;
1379 }
1380 if (!EC_POINT_oct2point(ret->group, ret->pub_key, *in, len, NULL))
1381 {
1382 ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_EC_LIB);
1383 return 0;
1384 }
1385 /* save the point conversion form */
1386 ret->conv_form = (point_conversion_form_t)(*in[0] & ~0x01);
1387 *in += len;
1388 return ret;
1389 }
1390
1391int i2o_ECPublicKey(EC_KEY *a, unsigned char **out)
1392 {
1393 size_t buf_len=0;
1394 int new_buffer = 0;
1395
1396 if (a == NULL)
1397 {
1398 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_PASSED_NULL_PARAMETER);
1399 return 0;
1400 }
1401
1402 buf_len = EC_POINT_point2oct(a->group, a->pub_key,
1403 a->conv_form, NULL, 0, NULL);
1404
1405 if (out == NULL || buf_len == 0)
1406 /* out == NULL => just return the length of the octet string */
1407 return buf_len;
1408
1409 if (*out == NULL)
1410 {
1411 if ((*out = OPENSSL_malloc(buf_len)) == NULL)
1412 {
1413 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_MALLOC_FAILURE);
1414 return 0;
1415 }
1416 new_buffer = 1;
1417 }
1418 if (!EC_POINT_point2oct(a->group, a->pub_key, a->conv_form,
1419 *out, buf_len, NULL))
1420 {
1421 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB);
1422 OPENSSL_free(*out);
1423 *out = NULL;
1424 return 0;
1425 }
1426 if (!new_buffer)
1427 *out += buf_len;
1428 return buf_len;
1429 }
diff --git a/src/lib/libcrypto/ec/ec_check.c b/src/lib/libcrypto/ec/ec_check.c
new file mode 100644
index 0000000000..0e316b4b3f
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_check.c
@@ -0,0 +1,123 @@
1/* crypto/ec/ec_check.c */
2/* ====================================================================
3 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56#include "ec_lcl.h"
57#include <openssl/err.h>
58
59int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx)
60 {
61 int ret = 0;
62 BIGNUM *order;
63 BN_CTX *new_ctx = NULL;
64 EC_POINT *point = NULL;
65
66 if (ctx == NULL)
67 {
68 ctx = new_ctx = BN_CTX_new();
69 if (ctx == NULL)
70 {
71 ECerr(EC_F_EC_GROUP_CHECK, ERR_R_MALLOC_FAILURE);
72 goto err;
73 }
74 }
75 BN_CTX_start(ctx);
76 if ((order = BN_CTX_get(ctx)) == NULL) goto err;
77
78 /* check the discriminant */
79 if (!EC_GROUP_check_discriminant(group, ctx))
80 {
81 ECerr(EC_F_EC_GROUP_CHECK, EC_R_DISCRIMINANT_IS_ZERO);
82 goto err;
83 }
84
85 /* check the generator */
86 if (group->generator == NULL)
87 {
88 ECerr(EC_F_EC_GROUP_CHECK, EC_R_UNDEFINED_GENERATOR);
89 goto err;
90 }
91 if (!EC_POINT_is_on_curve(group, group->generator, ctx))
92 {
93 ECerr(EC_F_EC_GROUP_CHECK, EC_R_POINT_IS_NOT_ON_CURVE);
94 goto err;
95 }
96
97 /* check the order of the generator */
98 if ((point = EC_POINT_new(group)) == NULL) goto err;
99 if (!EC_GROUP_get_order(group, order, ctx)) goto err;
100 if (BN_is_zero(order))
101 {
102 ECerr(EC_F_EC_GROUP_CHECK, EC_R_UNDEFINED_ORDER);
103 goto err;
104 }
105
106 if (!EC_POINT_mul(group, point, order, NULL, NULL, ctx)) goto err;
107 if (!EC_POINT_is_at_infinity(group, point))
108 {
109 ECerr(EC_F_EC_GROUP_CHECK, EC_R_INVALID_GROUP_ORDER);
110 goto err;
111 }
112
113 ret = 1;
114
115err:
116 if (ctx != NULL)
117 BN_CTX_end(ctx);
118 if (new_ctx != NULL)
119 BN_CTX_free(new_ctx);
120 if (point)
121 EC_POINT_free(point);
122 return ret;
123 }
diff --git a/src/lib/libcrypto/ec/ec_curve.c b/src/lib/libcrypto/ec/ec_curve.c
new file mode 100644
index 0000000000..beac20969b
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_curve.c
@@ -0,0 +1,1270 @@
1/* crypto/ec/ec_curve.c */
2/*
3 * Written by Nils Larsch for the OpenSSL project.
4 */
5/* ====================================================================
6 * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 *
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
63 *
64 * The Contribution is licensed pursuant to the OpenSSL open source
65 * license provided above.
66 *
67 * The elliptic curve binary polynomial software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
69 *
70 */
71
72#include "ec_lcl.h"
73#include <openssl/err.h>
74#include <openssl/obj_mac.h>
75
76typedef struct ec_curve_data_st {
77 int field_type; /* either NID_X9_62_prime_field or
78 * NID_X9_62_characteristic_two_field */
79 const char *p; /* either a prime number or a polynomial */
80 const char *a;
81 const char *b;
82 const char *x; /* the x coordinate of the generator */
83 const char *y; /* the y coordinate of the generator */
84 const char *order; /* the order of the group generated by the
85 * generator */
86 const BN_ULONG cofactor;/* the cofactor */
87 const unsigned char *seed;/* the seed (optional) */
88 size_t seed_len;
89 const char *comment; /* a short description of the curve */
90} EC_CURVE_DATA;
91
92/* the nist prime curves */
93static const unsigned char _EC_NIST_PRIME_192_SEED[] = {
94 0x30,0x45,0xAE,0x6F,0xC8,0x42,0x2F,0x64,0xED,0x57,
95 0x95,0x28,0xD3,0x81,0x20,0xEA,0xE1,0x21,0x96,0xD5};
96static const EC_CURVE_DATA _EC_NIST_PRIME_192 = {
97 NID_X9_62_prime_field,
98 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
99 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
100 "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1",
101 "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012",
102 "07192b95ffc8da78631011ed6b24cdd573f977a11e794811",
103 "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831",1,
104 _EC_NIST_PRIME_192_SEED, 20,
105 "NIST/X9.62/SECG curve over a 192 bit prime field"
106 };
107
108static const unsigned char _EC_NIST_PRIME_224_SEED[] = {
109 0xBD,0x71,0x34,0x47,0x99,0xD5,0xC7,0xFC,0xDC,0x45,
110 0xB5,0x9F,0xA3,0xB9,0xAB,0x8F,0x6A,0x94,0x8B,0xC5};
111static const EC_CURVE_DATA _EC_NIST_PRIME_224 = {
112 NID_X9_62_prime_field,
113 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
114 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
115 "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
116 "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
117 "bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34",
118 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",1,
119 _EC_NIST_PRIME_224_SEED, 20,
120 "NIST/SECG curve over a 224 bit prime field"
121 };
122
123static const unsigned char _EC_NIST_PRIME_384_SEED[] = {
124 0xA3,0x35,0x92,0x6A,0xA3,0x19,0xA2,0x7A,0x1D,0x00,
125 0x89,0x6A,0x67,0x73,0xA4,0x82,0x7A,0xCD,0xAC,0x73};
126static const EC_CURVE_DATA _EC_NIST_PRIME_384 = {
127 NID_X9_62_prime_field,
128 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFF"
129 "FFF0000000000000000FFFFFFFF",
130 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFF"
131 "FFF0000000000000000FFFFFFFC",
132 "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC6563"
133 "98D8A2ED19D2A85C8EDD3EC2AEF",
134 "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F"
135 "25DBF55296C3A545E3872760AB7",
136 "3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b"
137 "1ce1d7e819d7a431d7c90ea0e5f",
138 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0"
139 "DB248B0A77AECEC196ACCC52973",1,
140 _EC_NIST_PRIME_384_SEED, 20,
141 "NIST/SECG curve over a 384 bit prime field"
142 };
143
144static const unsigned char _EC_NIST_PRIME_521_SEED[] = {
145 0xD0,0x9E,0x88,0x00,0x29,0x1C,0xB8,0x53,0x96,0xCC,
146 0x67,0x17,0x39,0x32,0x84,0xAA,0xA0,0xDA,0x64,0xBA};
147static const EC_CURVE_DATA _EC_NIST_PRIME_521 = {
148 NID_X9_62_prime_field,
149 "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
150 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
151 "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
152 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC",
153 "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156"
154 "193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
155 "C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14"
156 "B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
157 "011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c9"
158 "7ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
159 "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51"
160 "868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",1,
161 _EC_NIST_PRIME_521_SEED, 20,
162 "NIST/SECG curve over a 521 bit prime field"
163 };
164/* the x9.62 prime curves (minus the nist prime curves) */
165static const unsigned char _EC_X9_62_PRIME_192V2_SEED[] = {
166 0x31,0xA9,0x2E,0xE2,0x02,0x9F,0xD1,0x0D,0x90,0x1B,
167 0x11,0x3E,0x99,0x07,0x10,0xF0,0xD2,0x1A,0xC6,0xB6};
168static const EC_CURVE_DATA _EC_X9_62_PRIME_192V2 = {
169 NID_X9_62_prime_field,
170 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
171 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
172 "CC22D6DFB95C6B25E49C0D6364A4E5980C393AA21668D953",
173 "EEA2BAE7E1497842F2DE7769CFE9C989C072AD696F48034A",
174 "6574d11d69b6ec7a672bb82a083df2f2b0847de970b2de15",
175 "FFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31",1,
176 _EC_X9_62_PRIME_192V2_SEED, 20,
177 "X9.62 curve over a 192 bit prime field"
178 };
179
180static const unsigned char _EC_X9_62_PRIME_192V3_SEED[] = {
181 0xC4,0x69,0x68,0x44,0x35,0xDE,0xB3,0x78,0xC4,0xB6,
182 0x5C,0xA9,0x59,0x1E,0x2A,0x57,0x63,0x05,0x9A,0x2E};
183static const EC_CURVE_DATA _EC_X9_62_PRIME_192V3 = {
184 NID_X9_62_prime_field,
185 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
186 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
187 "22123DC2395A05CAA7423DAECCC94760A7D462256BD56916",
188 "7D29778100C65A1DA1783716588DCE2B8B4AEE8E228F1896",
189 "38a90f22637337334b49dcb66a6dc8f9978aca7648a943b0",
190 "FFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13",1,
191 _EC_X9_62_PRIME_192V3_SEED, 20,
192 "X9.62 curve over a 192 bit prime field"
193 };
194
195static const unsigned char _EC_X9_62_PRIME_239V1_SEED[] = {
196 0xE4,0x3B,0xB4,0x60,0xF0,0xB8,0x0C,0xC0,0xC0,0xB0,
197 0x75,0x79,0x8E,0x94,0x80,0x60,0xF8,0x32,0x1B,0x7D};
198static const EC_CURVE_DATA _EC_X9_62_PRIME_239V1 = {
199 NID_X9_62_prime_field,
200 "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
201 "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
202 "6B016C3BDCF18941D0D654921475CA71A9DB2FB27D1D37796185C2942C0A",
203 "0FFA963CDCA8816CCC33B8642BEDF905C3D358573D3F27FBBD3B3CB9AAAF",
204 "7debe8e4e90a5dae6e4054ca530ba04654b36818ce226b39fccb7b02f1ae",
205 "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B",1,
206 _EC_X9_62_PRIME_239V1_SEED, 20,
207 "X9.62 curve over a 239 bit prime field"
208 };
209
210static const unsigned char _EC_X9_62_PRIME_239V2_SEED[] = {
211 0xE8,0xB4,0x01,0x16,0x04,0x09,0x53,0x03,0xCA,0x3B,
212 0x80,0x99,0x98,0x2B,0xE0,0x9F,0xCB,0x9A,0xE6,0x16};
213static const EC_CURVE_DATA _EC_X9_62_PRIME_239V2 = {
214 NID_X9_62_prime_field,
215 "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
216 "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
217 "617FAB6832576CBBFED50D99F0249C3FEE58B94BA0038C7AE84C8C832F2C",
218 "38AF09D98727705120C921BB5E9E26296A3CDCF2F35757A0EAFD87B830E7",
219 "5b0125e4dbea0ec7206da0fc01d9b081329fb555de6ef460237dff8be4ba",
220 "7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063",1,
221 _EC_X9_62_PRIME_239V2_SEED, 20,
222 "X9.62 curve over a 239 bit prime field"
223 };
224
225static const unsigned char _EC_X9_62_PRIME_239V3_SEED[] = {
226 0x7D,0x73,0x74,0x16,0x8F,0xFE,0x34,0x71,0xB6,0x0A,
227 0x85,0x76,0x86,0xA1,0x94,0x75,0xD3,0xBF,0xA2,0xFF};
228static const EC_CURVE_DATA _EC_X9_62_PRIME_239V3 = {
229 NID_X9_62_prime_field,
230 "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
231 "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
232 "255705FA2A306654B1F4CB03D6A750A30C250102D4988717D9BA15AB6D3E",
233 "6768AE8E18BB92CFCF005C949AA2C6D94853D0E660BBF854B1C9505FE95A",
234 "1607e6898f390c06bc1d552bad226f3b6fcfe48b6e818499af18e3ed6cf3",
235 "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551",1,
236 _EC_X9_62_PRIME_239V3_SEED, 20,
237 "X9.62 curve over a 239 bit prime field"
238 };
239
240static const unsigned char _EC_X9_62_PRIME_256V1_SEED[] = {
241 0xC4,0x9D,0x36,0x08,0x86,0xE7,0x04,0x93,0x6A,0x66,
242 0x78,0xE1,0x13,0x9D,0x26,0xB7,0x81,0x9F,0x7E,0x90};
243static const EC_CURVE_DATA _EC_X9_62_PRIME_256V1 = {
244 NID_X9_62_prime_field,
245 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
246 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
247 "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
248 "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
249 "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
250 "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",1,
251 _EC_X9_62_PRIME_256V1_SEED, 20,
252 "X9.62/SECG curve over a 256 bit prime field"
253 };
254/* the secg prime curves (minus the nist and x9.62 prime curves) */
255static const unsigned char _EC_SECG_PRIME_112R1_SEED[] = {
256 0x00,0xF5,0x0B,0x02,0x8E,0x4D,0x69,0x6E,0x67,0x68,
257 0x75,0x61,0x51,0x75,0x29,0x04,0x72,0x78,0x3F,0xB1};
258static const EC_CURVE_DATA _EC_SECG_PRIME_112R1 = {
259 NID_X9_62_prime_field,
260 "DB7C2ABF62E35E668076BEAD208B",
261 "DB7C2ABF62E35E668076BEAD2088",
262 "659EF8BA043916EEDE8911702B22",
263 "09487239995A5EE76B55F9C2F098",
264 "a89ce5af8724c0a23e0e0ff77500",
265 "DB7C2ABF62E35E7628DFAC6561C5",1,
266 _EC_SECG_PRIME_112R1_SEED, 20,
267 "SECG/WTLS curve over a 112 bit prime field"
268 };
269
270static const unsigned char _EC_SECG_PRIME_112R2_SEED[] = {
271 0x00,0x27,0x57,0xA1,0x11,0x4D,0x69,0x6E,0x67,0x68,
272 0x75,0x61,0x51,0x75,0x53,0x16,0xC0,0x5E,0x0B,0xD4};
273static const EC_CURVE_DATA _EC_SECG_PRIME_112R2 = {
274 NID_X9_62_prime_field,
275 "DB7C2ABF62E35E668076BEAD208B",
276 "6127C24C05F38A0AAAF65C0EF02C",
277 "51DEF1815DB5ED74FCC34C85D709",
278 "4BA30AB5E892B4E1649DD0928643",
279 "adcd46f5882e3747def36e956e97",
280 "36DF0AAFD8B8D7597CA10520D04B",4,
281 _EC_SECG_PRIME_112R2_SEED, 20,
282 "SECG curve over a 112 bit prime field"
283 };
284
285static const unsigned char _EC_SECG_PRIME_128R1_SEED[] = {
286 0x00,0x0E,0x0D,0x4D,0x69,0x6E,0x67,0x68,0x75,0x61,
287 0x51,0x75,0x0C,0xC0,0x3A,0x44,0x73,0xD0,0x36,0x79};
288static const EC_CURVE_DATA _EC_SECG_PRIME_128R1 = {
289 NID_X9_62_prime_field,
290 "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF",
291 "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFC",
292 "E87579C11079F43DD824993C2CEE5ED3",
293 "161FF7528B899B2D0C28607CA52C5B86",
294 "cf5ac8395bafeb13c02da292dded7a83",
295 "FFFFFFFE0000000075A30D1B9038A115",1,
296 _EC_SECG_PRIME_128R1_SEED, 20,
297 "SECG curve over a 128 bit prime field"
298 };
299
300static const unsigned char _EC_SECG_PRIME_128R2_SEED[] = {
301 0x00,0x4D,0x69,0x6E,0x67,0x68,0x75,0x61,0x51,0x75,
302 0x12,0xD8,0xF0,0x34,0x31,0xFC,0xE6,0x3B,0x88,0xF4};
303static const EC_CURVE_DATA _EC_SECG_PRIME_128R2 = {
304 NID_X9_62_prime_field,
305 "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF",
306 "D6031998D1B3BBFEBF59CC9BBFF9AEE1",
307 "5EEEFCA380D02919DC2C6558BB6D8A5D",
308 "7B6AA5D85E572983E6FB32A7CDEBC140",
309 "27b6916a894d3aee7106fe805fc34b44",
310 "3FFFFFFF7FFFFFFFBE0024720613B5A3",4,
311 _EC_SECG_PRIME_128R2_SEED, 20,
312 "SECG curve over a 128 bit prime field"
313 };
314
315static const EC_CURVE_DATA _EC_SECG_PRIME_160K1 = {
316 NID_X9_62_prime_field,
317 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73",
318 "0",
319 "7",
320 "3B4C382CE37AA192A4019E763036F4F5DD4D7EBB",
321 "938cf935318fdced6bc28286531733c3f03c4fee",
322 "0100000000000000000001B8FA16DFAB9ACA16B6B3",1,
323 NULL, 0,
324 "SECG curve over a 160 bit prime field"
325 };
326
327static const unsigned char _EC_SECG_PRIME_160R1_SEED[] = {
328 0x10,0x53,0xCD,0xE4,0x2C,0x14,0xD6,0x96,0xE6,0x76,
329 0x87,0x56,0x15,0x17,0x53,0x3B,0xF3,0xF8,0x33,0x45};
330static const EC_CURVE_DATA _EC_SECG_PRIME_160R1 = {
331 NID_X9_62_prime_field,
332 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF",
333 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC",
334 "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45",
335 "4A96B5688EF573284664698968C38BB913CBFC82",
336 "23a628553168947d59dcc912042351377ac5fb32",
337 "0100000000000000000001F4C8F927AED3CA752257",1,
338 _EC_SECG_PRIME_160R1_SEED, 20,
339 "SECG curve over a 160 bit prime field"
340 };
341
342static const unsigned char _EC_SECG_PRIME_160R2_SEED[] = {
343 0xB9,0x9B,0x99,0xB0,0x99,0xB3,0x23,0xE0,0x27,0x09,
344 0xA4,0xD6,0x96,0xE6,0x76,0x87,0x56,0x15,0x17,0x51};
345static const EC_CURVE_DATA _EC_SECG_PRIME_160R2 = {
346 NID_X9_62_prime_field,
347 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73",
348 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70",
349 "B4E134D3FB59EB8BAB57274904664D5AF50388BA",
350 "52DCB034293A117E1F4FF11B30F7199D3144CE6D",
351 "feaffef2e331f296e071fa0df9982cfea7d43f2e",
352 "0100000000000000000000351EE786A818F3A1A16B",1,
353 _EC_SECG_PRIME_160R2_SEED, 20,
354 "SECG/WTLS curve over a 160 bit prime field"
355 };
356
357static const EC_CURVE_DATA _EC_SECG_PRIME_192K1 = {
358 NID_X9_62_prime_field,
359 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37",
360 "0",
361 "3",
362 "DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D",
363 "9b2f2f6d9c5628a7844163d015be86344082aa88d95e2f9d",
364 "FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D",1,
365 NULL, 20,
366 "SECG curve over a 192 bit prime field"
367 };
368
369static const EC_CURVE_DATA _EC_SECG_PRIME_224K1 = {
370 NID_X9_62_prime_field,
371 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D",
372 "0",
373 "5",
374 "A1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C",
375 "7e089fed7fba344282cafbd6f7e319f7c0b0bd59e2ca4bdb556d61a5",
376 "010000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7",1,
377 NULL, 20,
378 "SECG curve over a 224 bit prime field"
379 };
380
381static const EC_CURVE_DATA _EC_SECG_PRIME_256K1 = {
382 NID_X9_62_prime_field,
383 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F",
384 "0",
385 "7",
386 "79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798",
387 "483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8",
388 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",1,
389 NULL, 20,
390 "SECG curve over a 256 bit prime field"
391 };
392
393/* some wap/wtls curves */
394static const EC_CURVE_DATA _EC_WTLS_8 = {
395 NID_X9_62_prime_field,
396 "FFFFFFFFFFFFFFFFFFFFFFFFFDE7",
397 "0",
398 "3",
399 "1",
400 "2",
401 "0100000000000001ECEA551AD837E9",1,
402 NULL, 20,
403 "WTLS curve over a 112 bit prime field"
404 };
405
406static const EC_CURVE_DATA _EC_WTLS_9 = {
407 NID_X9_62_prime_field,
408 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC808F",
409 "0",
410 "3",
411 "1",
412 "2",
413 "0100000000000000000001CDC98AE0E2DE574ABF33",1,
414 NULL, 20,
415 "WTLS curve over a 160 bit prime field"
416 };
417
418static const EC_CURVE_DATA _EC_WTLS_12 = {
419 NID_X9_62_prime_field,
420 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
421 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
422 "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
423 "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
424 "bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34",
425 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", 1,
426 NULL, 0,
427 "WTLS curvs over a 224 bit prime field"
428 };
429
430/* characteristic two curves */
431static const unsigned char _EC_SECG_CHAR2_113R1_SEED[] = {
432 0x10,0xE7,0x23,0xAB,0x14,0xD6,0x96,0xE6,0x76,0x87,
433 0x56,0x15,0x17,0x56,0xFE,0xBF,0x8F,0xCB,0x49,0xA9};
434static const EC_CURVE_DATA _EC_SECG_CHAR2_113R1 = {
435 NID_X9_62_characteristic_two_field,
436 "020000000000000000000000000201",
437 "003088250CA6E7C7FE649CE85820F7",
438 "00E8BEE4D3E2260744188BE0E9C723",
439 "009D73616F35F4AB1407D73562C10F",
440 "00A52830277958EE84D1315ED31886",
441 "0100000000000000D9CCEC8A39E56F", 2,
442 _EC_SECG_CHAR2_113R1_SEED, 20,
443 "SECG curve over a 113 bit binary field"
444 };
445
446static const unsigned char _EC_SECG_CHAR2_113R2_SEED[] = {
447 0x10,0xC0,0xFB,0x15,0x76,0x08,0x60,0xDE,0xF1,0xEE,
448 0xF4,0xD6,0x96,0xE6,0x76,0x87,0x56,0x15,0x17,0x5D};
449static const EC_CURVE_DATA _EC_SECG_CHAR2_113R2 = {
450 NID_X9_62_characteristic_two_field,
451 "020000000000000000000000000201",
452 "00689918DBEC7E5A0DD6DFC0AA55C7",
453 "0095E9A9EC9B297BD4BF36E059184F",
454 "01A57A6A7B26CA5EF52FCDB8164797",
455 "00B3ADC94ED1FE674C06E695BABA1D",
456 "010000000000000108789B2496AF93", 2,
457 _EC_SECG_CHAR2_113R2_SEED, 20,
458 "SECG curve over a 113 bit binary field"
459 };
460
461static const unsigned char _EC_SECG_CHAR2_131R1_SEED[] = {
462 0x4D,0x69,0x6E,0x67,0x68,0x75,0x61,0x51,0x75,0x98,
463 0x5B,0xD3,0xAD,0xBA,0xDA,0x21,0xB4,0x3A,0x97,0xE2};
464static const EC_CURVE_DATA _EC_SECG_CHAR2_131R1 = {
465 NID_X9_62_characteristic_two_field,
466 "080000000000000000000000000000010D",
467 "07A11B09A76B562144418FF3FF8C2570B8",
468 "0217C05610884B63B9C6C7291678F9D341",
469 "0081BAF91FDF9833C40F9C181343638399",
470 "078C6E7EA38C001F73C8134B1B4EF9E150",
471 "0400000000000000023123953A9464B54D", 2,
472 _EC_SECG_CHAR2_131R1_SEED, 20,
473 "SECG/WTLS curve over a 131 bit binary field"
474 };
475
476static const unsigned char _EC_SECG_CHAR2_131R2_SEED[] = {
477 0x98,0x5B,0xD3,0xAD,0xBA,0xD4,0xD6,0x96,0xE6,0x76,
478 0x87,0x56,0x15,0x17,0x5A,0x21,0xB4,0x3A,0x97,0xE3};
479static const EC_CURVE_DATA _EC_SECG_CHAR2_131R2 = {
480 NID_X9_62_characteristic_two_field,
481 "080000000000000000000000000000010D",
482 "03E5A88919D7CAFCBF415F07C2176573B2",
483 "04B8266A46C55657AC734CE38F018F2192",
484 "0356DCD8F2F95031AD652D23951BB366A8",
485 "0648F06D867940A5366D9E265DE9EB240F",
486 "0400000000000000016954A233049BA98F", 2,
487 _EC_SECG_CHAR2_131R2_SEED, 20,
488 "SECG curve over a 131 bit binary field"
489 };
490
491static const EC_CURVE_DATA _EC_NIST_CHAR2_163K = {
492 NID_X9_62_characteristic_two_field,
493 "0800000000000000000000000000000000000000C9",
494 "1",
495 "1",
496 "02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8",
497 "0289070FB05D38FF58321F2E800536D538CCDAA3D9",
498 "04000000000000000000020108A2E0CC0D99F8A5EF", 2,
499 NULL, 0,
500 "NIST/SECG/WTLS curve over a 163 bit binary field"
501 };
502
503static const unsigned char _EC_SECG_CHAR2_163R1_SEED[] = {
504 0x24,0xB7,0xB1,0x37,0xC8,0xA1,0x4D,0x69,0x6E,0x67,
505 0x68,0x75,0x61,0x51,0x75,0x6F,0xD0,0xDA,0x2E,0x5C};
506static const EC_CURVE_DATA _EC_SECG_CHAR2_163R1 = {
507 NID_X9_62_characteristic_two_field,
508 "0800000000000000000000000000000000000000C9",
509 "07B6882CAAEFA84F9554FF8428BD88E246D2782AE2",
510 "0713612DCDDCB40AAB946BDA29CA91F73AF958AFD9",
511 "0369979697AB43897789566789567F787A7876A654",
512 "00435EDB42EFAFB2989D51FEFCE3C80988F41FF883",
513 "03FFFFFFFFFFFFFFFFFFFF48AAB689C29CA710279B", 2,
514/* The algorithm used to derive the curve parameters from
515 * the seed used here is slightly different than the
516 * algorithm described in X9.62 .
517 */
518#if 0
519 _EC_SECG_CHAR2_163R1_SEED, 20,
520#else
521 NULL, 0,
522#endif
523 "SECG curve over a 163 bit binary field"
524 };
525
526static const unsigned char _EC_NIST_CHAR2_163B_SEED[] = {
527 0x85,0xE2,0x5B,0xFE,0x5C,0x86,0x22,0x6C,0xDB,0x12,
528 0x01,0x6F,0x75,0x53,0xF9,0xD0,0xE6,0x93,0xA2,0x68};
529static const EC_CURVE_DATA _EC_NIST_CHAR2_163B ={
530 NID_X9_62_characteristic_two_field,
531 "0800000000000000000000000000000000000000C9",
532 "1",
533 "020A601907B8C953CA1481EB10512F78744A3205FD",
534 "03F0EBA16286A2D57EA0991168D4994637E8343E36",
535 "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1",
536 "040000000000000000000292FE77E70C12A4234C33", 2,
537/* The seed here was used to created the curve parameters in normal
538 * basis representation (and not the polynomial representation used here)
539 */
540#if 0
541 _EC_NIST_CHAR2_163B_SEED, 20,
542#else
543 NULL, 0,
544#endif
545 "NIST/SECG curve over a 163 bit binary field"
546 };
547
548static const unsigned char _EC_SECG_CHAR2_193R1_SEED[] = {
549 0x10,0x3F,0xAE,0xC7,0x4D,0x69,0x6E,0x67,0x68,0x75,
550 0x61,0x51,0x75,0x77,0x7F,0xC5,0xB1,0x91,0xEF,0x30};
551static const EC_CURVE_DATA _EC_SECG_CHAR2_193R1 = {
552 NID_X9_62_characteristic_two_field,
553 "02000000000000000000000000000000000000000000008001",
554 "0017858FEB7A98975169E171F77B4087DE098AC8A911DF7B01",
555 "00FDFB49BFE6C3A89FACADAA7A1E5BBC7CC1C2E5D831478814",
556 "01F481BC5F0FF84A74AD6CDF6FDEF4BF6179625372D8C0C5E1",
557 "0025E399F2903712CCF3EA9E3A1AD17FB0B3201B6AF7CE1B05",
558 "01000000000000000000000000C7F34A778F443ACC920EBA49", 2,
559 _EC_SECG_CHAR2_193R1_SEED, 20,
560 "SECG curve over a 193 bit binary field"
561 };
562
563static const unsigned char _EC_SECG_CHAR2_193R2_SEED[] = {
564 0x10,0xB7,0xB4,0xD6,0x96,0xE6,0x76,0x87,0x56,0x15,
565 0x17,0x51,0x37,0xC8,0xA1,0x6F,0xD0,0xDA,0x22,0x11};
566static const EC_CURVE_DATA _EC_SECG_CHAR2_193R2 = {
567 NID_X9_62_characteristic_two_field,
568 "02000000000000000000000000000000000000000000008001",
569 "0163F35A5137C2CE3EA6ED8667190B0BC43ECD69977702709B",
570 "00C9BB9E8927D4D64C377E2AB2856A5B16E3EFB7F61D4316AE",
571 "00D9B67D192E0367C803F39E1A7E82CA14A651350AAE617E8F",
572 "01CE94335607C304AC29E7DEFBD9CA01F596F927224CDECF6C",
573 "010000000000000000000000015AAB561B005413CCD4EE99D5", 2,
574 _EC_SECG_CHAR2_193R2_SEED, 20,
575 "SECG curve over a 193 bit binary field"
576 };
577
578static const EC_CURVE_DATA _EC_NIST_CHAR2_233K = {
579 NID_X9_62_characteristic_two_field,
580 "020000000000000000000000000000000000000004000000000000000001",
581 "0",
582 "1",
583 "017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126",
584 "01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3",
585 "008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF", 4,
586 NULL, 0,
587 "NIST/SECG/WTLS curve over a 233 bit binary field"
588 };
589
590static const unsigned char _EC_NIST_CHAR2_233B_SEED[] = {
591 0x74,0xD5,0x9F,0xF0,0x7F,0x6B,0x41,0x3D,0x0E,0xA1,
592 0x4B,0x34,0x4B,0x20,0xA2,0xDB,0x04,0x9B,0x50,0xC3};
593static const EC_CURVE_DATA _EC_NIST_CHAR2_233B = {
594 NID_X9_62_characteristic_two_field,
595 "020000000000000000000000000000000000000004000000000000000001",
596 "000000000000000000000000000000000000000000000000000000000001",
597 "0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD",
598 "00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B",
599 "01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052",
600 "01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7", 2,
601 _EC_NIST_CHAR2_233B_SEED, 20,
602 "NIST/SECG/WTLS curve over a 233 bit binary field"
603 };
604
605static const EC_CURVE_DATA _EC_SECG_CHAR2_239K1 = {
606 NID_X9_62_characteristic_two_field,
607 "800000000000000000004000000000000000000000000000000000000001",
608 "0",
609 "1",
610 "29A0B6A887A983E9730988A68727A8B2D126C44CC2CC7B2A6555193035DC",
611 "76310804F12E549BDB011C103089E73510ACB275FC312A5DC6B76553F0CA",
612 "2000000000000000000000000000005A79FEC67CB6E91F1C1DA800E478A5", 4,
613 NULL, 0,
614 "SECG curve over a 239 bit binary field"
615 };
616
617static const EC_CURVE_DATA _EC_NIST_CHAR2_283K = {
618 NID_X9_62_characteristic_two_field,
619 "080000000000000000000000000000000000000000000000000000000000000000001"
620 "0A1",
621 "0",
622 "1",
623 "0503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492"
624 "836",
625 "01CCDA380F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2"
626 "259",
627 "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163"
628 "C61", 4,
629 NULL, 20,
630 "NIST/SECG curve over a 283 bit binary field"
631 };
632
633static const unsigned char _EC_NIST_CHAR2_283B_SEED[] = {
634 0x77,0xE2,0xB0,0x73,0x70,0xEB,0x0F,0x83,0x2A,0x6D,
635 0xD5,0xB6,0x2D,0xFC,0x88,0xCD,0x06,0xBB,0x84,0xBE};
636static const EC_CURVE_DATA _EC_NIST_CHAR2_283B = {
637 NID_X9_62_characteristic_two_field,
638 "080000000000000000000000000000000000000000000000000000000000000000001"
639 "0A1",
640 "000000000000000000000000000000000000000000000000000000000000000000000"
641 "001",
642 "027B680AC8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A"
643 "2F5",
644 "05F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12"
645 "053",
646 "03676854FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE811"
647 "2F4",
648 "03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB"
649 "307", 2,
650 _EC_NIST_CHAR2_283B_SEED, 20,
651 "NIST/SECG curve over a 283 bit binary field"
652 };
653
654static const EC_CURVE_DATA _EC_NIST_CHAR2_409K = {
655 NID_X9_62_characteristic_two_field,
656 "020000000000000000000000000000000000000000000000000000000000000000000"
657 "00000000000008000000000000000000001",
658 "0",
659 "1",
660 "0060F05F658F49C1AD3AB1890F7184210EFD0987E307C84C27ACCFB8F9F67CC2C4601"
661 "89EB5AAAA62EE222EB1B35540CFE9023746",
662 "01E369050B7C4E42ACBA1DACBF04299C3460782F918EA427E6325165E9EA10E3DA5F6"
663 "C42E9C55215AA9CA27A5863EC48D8E0286B",
664 "007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F83B2D4EA20400"
665 "EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF", 4,
666 NULL, 0,
667 "NIST/SECG curve over a 409 bit binary field"
668 };
669
670static const unsigned char _EC_NIST_CHAR2_409B_SEED[] = {
671 0x40,0x99,0xB5,0xA4,0x57,0xF9,0xD6,0x9F,0x79,0x21,
672 0x3D,0x09,0x4C,0x4B,0xCD,0x4D,0x42,0x62,0x21,0x0B};
673static const EC_CURVE_DATA _EC_NIST_CHAR2_409B = {
674 NID_X9_62_characteristic_two_field,
675 "020000000000000000000000000000000000000000000000000000000000000000000"
676 "00000000000008000000000000000000001",
677 "000000000000000000000000000000000000000000000000000000000000000000000"
678 "00000000000000000000000000000000001",
679 "0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422EF1F3DD674761FA99D6AC27C8A9A19"
680 "7B272822F6CD57A55AA4F50AE317B13545F",
681 "015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01FFE5B34E59703DC255"
682 "A868A1180515603AEAB60794E54BB7996A7",
683 "0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5A7BD198D0158AA4F5488D08F38514"
684 "F1FDF4B4F40D2181B3681C364BA0273C706",
685 "010000000000000000000000000000000000000000000000000001E2AAD6A612F3330"
686 "7BE5FA47C3C9E052F838164CD37D9A21173", 2,
687 _EC_NIST_CHAR2_409B_SEED, 20,
688 "NIST/SECG curve over a 409 bit binary field"
689 };
690
691static const EC_CURVE_DATA _EC_NIST_CHAR2_571K = {
692 NID_X9_62_characteristic_two_field,
693 "800000000000000000000000000000000000000000000000000000000000000000000"
694 "000000000000000000000000000000000000000000000000000000000000000000000"
695 "00425",
696 "0",
697 "1",
698 "026EB7A859923FBC82189631F8103FE4AC9CA2970012D5D46024804801841CA443709"
699 "58493B205E647DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A0"
700 "1C8972",
701 "0349DC807F4FBF374F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D497"
702 "9C0AC44AEA74FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143E"
703 "F1C7A3",
704 "020000000000000000000000000000000000000000000000000000000000000000000"
705 "000131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F63"
706 "7C1001", 4,
707 NULL, 0,
708 "NIST/SECG curve over a 571 bit binary field"
709 };
710
711static const unsigned char _EC_NIST_CHAR2_571B_SEED[] = {
712 0x2A,0xA0,0x58,0xF7,0x3A,0x0E,0x33,0xAB,0x48,0x6B,
713 0x0F,0x61,0x04,0x10,0xC5,0x3A,0x7F,0x13,0x23,0x10};
714static const EC_CURVE_DATA _EC_NIST_CHAR2_571B = {
715 NID_X9_62_characteristic_two_field,
716 "800000000000000000000000000000000000000000000000000000000000000000000"
717 "000000000000000000000000000000000000000000000000000000000000000000000"
718 "00425",
719 "000000000000000000000000000000000000000000000000000000000000000000000"
720 "000000000000000000000000000000000000000000000000000000000000000000000"
721 "000001",
722 "02F40E7E2221F295DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFA"
723 "BBD8EFA59332BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F29"
724 "55727A",
725 "0303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53"
726 "950F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8E"
727 "EC2D19",
728 "037BF27342DA639B6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423"
729 "E43BAB08A576291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B"
730 "8AC15B",
731 "03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
732 "FFFE661CE18FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2F"
733 "E84E47", 2,
734 _EC_NIST_CHAR2_571B_SEED, 20,
735 "NIST/SECG curve over a 571 bit binary field"
736 };
737
738static const unsigned char _EC_X9_62_CHAR2_163V1_SEED[] = {
739 0xD2,0xC0,0xFB,0x15,0x76,0x08,0x60,0xDE,0xF1,0xEE,
740 0xF4,0xD6,0x96,0xE6,0x76,0x87,0x56,0x15,0x17,0x54};
741static const EC_CURVE_DATA _EC_X9_62_CHAR2_163V1 = {
742 NID_X9_62_characteristic_two_field,
743 "080000000000000000000000000000000000000107",
744 "072546B5435234A422E0789675F432C89435DE5242",
745 "00C9517D06D5240D3CFF38C74B20B6CD4D6F9DD4D9",
746 "07AF69989546103D79329FCC3D74880F33BBE803CB",
747 "01EC23211B5966ADEA1D3F87F7EA5848AEF0B7CA9F",
748 "0400000000000000000001E60FC8821CC74DAEAFC1", 2,
749 _EC_X9_62_CHAR2_163V1_SEED, 20,
750 "X9.62 curve over a 163 bit binary field"
751 };
752
753static const unsigned char _EC_X9_62_CHAR2_163V2_SEED[] = {
754 0x53,0x81,0x4C,0x05,0x0D,0x44,0xD6,0x96,0xE6,0x76,
755 0x87,0x56,0x15,0x17,0x58,0x0C,0xA4,0xE2,0x9F,0xFD};
756static const EC_CURVE_DATA _EC_X9_62_CHAR2_163V2 = {
757 NID_X9_62_characteristic_two_field,
758 "080000000000000000000000000000000000000107",
759 "0108B39E77C4B108BED981ED0E890E117C511CF072",
760 "0667ACEB38AF4E488C407433FFAE4F1C811638DF20",
761 "0024266E4EB5106D0A964D92C4860E2671DB9B6CC5",
762 "079F684DDF6684C5CD258B3890021B2386DFD19FC5",
763 "03FFFFFFFFFFFFFFFFFFFDF64DE1151ADBB78F10A7", 2,
764 _EC_X9_62_CHAR2_163V2_SEED, 20,
765 "X9.62 curve over a 163 bit binary field"
766 };
767
768static const unsigned char _EC_X9_62_CHAR2_163V3_SEED[] = {
769 0x50,0xCB,0xF1,0xD9,0x5C,0xA9,0x4D,0x69,0x6E,0x67,
770 0x68,0x75,0x61,0x51,0x75,0xF1,0x6A,0x36,0xA3,0xB8};
771static const EC_CURVE_DATA _EC_X9_62_CHAR2_163V3 = {
772 NID_X9_62_characteristic_two_field,
773 "080000000000000000000000000000000000000107",
774 "07A526C63D3E25A256A007699F5447E32AE456B50E",
775 "03F7061798EB99E238FD6F1BF95B48FEEB4854252B",
776 "02F9F87B7C574D0BDECF8A22E6524775F98CDEBDCB",
777 "05B935590C155E17EA48EB3FF3718B893DF59A05D0",
778 "03FFFFFFFFFFFFFFFFFFFE1AEE140F110AFF961309", 2,
779 _EC_X9_62_CHAR2_163V3_SEED, 20,
780 "X9.62 curve over a 163 bit binary field"
781 };
782
783static const EC_CURVE_DATA _EC_X9_62_CHAR2_176V1 = {
784 NID_X9_62_characteristic_two_field,
785 "0100000000000000000000000000000000080000000007",
786 "E4E6DB2995065C407D9D39B8D0967B96704BA8E9C90B",
787 "5DDA470ABE6414DE8EC133AE28E9BBD7FCEC0AE0FFF2",
788 "8D16C2866798B600F9F08BB4A8E860F3298CE04A5798",
789 "6FA4539C2DADDDD6BAB5167D61B436E1D92BB16A562C",
790 "00010092537397ECA4F6145799D62B0A19CE06FE26AD", 0xFF6E,
791 NULL, 0,
792 "X9.62 curve over a 176 bit binary field"
793 };
794
795static const unsigned char _EC_X9_62_CHAR2_191V1_SEED[] = {
796 0x4E,0x13,0xCA,0x54,0x27,0x44,0xD6,0x96,0xE6,0x76,
797 0x87,0x56,0x15,0x17,0x55,0x2F,0x27,0x9A,0x8C,0x84};
798static const EC_CURVE_DATA _EC_X9_62_CHAR2_191V1 = {
799 NID_X9_62_characteristic_two_field,
800 "800000000000000000000000000000000000000000000201",
801 "2866537B676752636A68F56554E12640276B649EF7526267",
802 "2E45EF571F00786F67B0081B9495A3D95462F5DE0AA185EC",
803 "36B3DAF8A23206F9C4F299D7B21A9C369137F2C84AE1AA0D",
804 "765BE73433B3F95E332932E70EA245CA2418EA0EF98018FB",
805 "40000000000000000000000004A20E90C39067C893BBB9A5", 2,
806 _EC_X9_62_CHAR2_191V1_SEED, 20,
807 "X9.62 curve over a 191 bit binary field"
808 };
809
810static const unsigned char _EC_X9_62_CHAR2_191V2_SEED[] = {
811 0x08,0x71,0xEF,0x2F,0xEF,0x24,0xD6,0x96,0xE6,0x76,
812 0x87,0x56,0x15,0x17,0x58,0xBE,0xE0,0xD9,0x5C,0x15};
813static const EC_CURVE_DATA _EC_X9_62_CHAR2_191V2 = {
814 NID_X9_62_characteristic_two_field,
815 "800000000000000000000000000000000000000000000201",
816 "401028774D7777C7B7666D1366EA432071274F89FF01E718",
817 "0620048D28BCBD03B6249C99182B7C8CD19700C362C46A01",
818 "3809B2B7CC1B28CC5A87926AAD83FD28789E81E2C9E3BF10",
819 "17434386626D14F3DBF01760D9213A3E1CF37AEC437D668A",
820 "20000000000000000000000050508CB89F652824E06B8173", 4,
821 _EC_X9_62_CHAR2_191V2_SEED, 20,
822 "X9.62 curve over a 191 bit binary field"
823 };
824
825static const unsigned char _EC_X9_62_CHAR2_191V3_SEED[] = {
826 0xE0,0x53,0x51,0x2D,0xC6,0x84,0xD6,0x96,0xE6,0x76,
827 0x87,0x56,0x15,0x17,0x50,0x67,0xAE,0x78,0x6D,0x1F};
828static const EC_CURVE_DATA _EC_X9_62_CHAR2_191V3 = {
829 NID_X9_62_characteristic_two_field,
830 "800000000000000000000000000000000000000000000201",
831 "6C01074756099122221056911C77D77E77A777E7E7E77FCB",
832 "71FE1AF926CF847989EFEF8DB459F66394D90F32AD3F15E8",
833 "375D4CE24FDE434489DE8746E71786015009E66E38A926DD",
834 "545A39176196575D985999366E6AD34CE0A77CD7127B06BE",
835 "155555555555555555555555610C0B196812BFB6288A3EA3", 6,
836 _EC_X9_62_CHAR2_191V3_SEED, 20,
837 "X9.62 curve over a 191 bit binary field"
838 };
839
840static const EC_CURVE_DATA _EC_X9_62_CHAR2_208W1 = {
841 NID_X9_62_characteristic_two_field,
842 "010000000000000000000000000000000800000000000000000007",
843 "0000000000000000000000000000000000000000000000000000",
844 "C8619ED45A62E6212E1160349E2BFA844439FAFC2A3FD1638F9E",
845 "89FDFBE4ABE193DF9559ECF07AC0CE78554E2784EB8C1ED1A57A",
846 "0F55B51A06E78E9AC38A035FF520D8B01781BEB1A6BB08617DE3",
847 "000101BAF95C9723C57B6C21DA2EFF2D5ED588BDD5717E212F9D", 0xFE48,
848 NULL, 0,
849 "X9.62 curve over a 208 bit binary field"
850 };
851
852static const unsigned char _EC_X9_62_CHAR2_239V1_SEED[] = {
853 0xD3,0x4B,0x9A,0x4D,0x69,0x6E,0x67,0x68,0x75,0x61,
854 0x51,0x75,0xCA,0x71,0xB9,0x20,0xBF,0xEF,0xB0,0x5D};
855static const EC_CURVE_DATA _EC_X9_62_CHAR2_239V1 = {
856 NID_X9_62_characteristic_two_field,
857 "800000000000000000000000000000000000000000000000001000000001",
858 "32010857077C5431123A46B808906756F543423E8D27877578125778AC76",
859 "790408F2EEDAF392B012EDEFB3392F30F4327C0CA3F31FC383C422AA8C16",
860 "57927098FA932E7C0A96D3FD5B706EF7E5F5C156E16B7E7C86038552E91D",
861 "61D8EE5077C33FECF6F1A16B268DE469C3C7744EA9A971649FC7A9616305",
862 "2000000000000000000000000000000F4D42FFE1492A4993F1CAD666E447", 4,
863 _EC_X9_62_CHAR2_239V1_SEED, 20,
864 "X9.62 curve over a 239 bit binary field"
865 };
866
867static const unsigned char _EC_X9_62_CHAR2_239V2_SEED[] = {
868 0x2A,0xA6,0x98,0x2F,0xDF,0xA4,0xD6,0x96,0xE6,0x76,
869 0x87,0x56,0x15,0x17,0x5D,0x26,0x67,0x27,0x27,0x7D};
870static const EC_CURVE_DATA _EC_X9_62_CHAR2_239V2 = {
871 NID_X9_62_characteristic_two_field,
872 "800000000000000000000000000000000000000000000000001000000001",
873 "4230017757A767FAE42398569B746325D45313AF0766266479B75654E65F",
874 "5037EA654196CFF0CD82B2C14A2FCF2E3FF8775285B545722F03EACDB74B",
875 "28F9D04E900069C8DC47A08534FE76D2B900B7D7EF31F5709F200C4CA205",
876 "5667334C45AFF3B5A03BAD9DD75E2C71A99362567D5453F7FA6E227EC833",
877 "1555555555555555555555555555553C6F2885259C31E3FCDF154624522D", 6,
878 _EC_X9_62_CHAR2_239V2_SEED, 20,
879 "X9.62 curve over a 239 bit binary field"
880 };
881
882static const unsigned char _EC_X9_62_CHAR2_239V3_SEED[] = {
883 0x9E,0x07,0x6F,0x4D,0x69,0x6E,0x67,0x68,0x75,0x61,
884 0x51,0x75,0xE1,0x1E,0x9F,0xDD,0x77,0xF9,0x20,0x41};
885static const EC_CURVE_DATA _EC_X9_62_CHAR2_239V3 = {
886 NID_X9_62_characteristic_two_field,
887 "800000000000000000000000000000000000000000000000001000000001",
888 "01238774666A67766D6676F778E676B66999176666E687666D8766C66A9F",
889 "6A941977BA9F6A435199ACFC51067ED587F519C5ECB541B8E44111DE1D40",
890 "70F6E9D04D289C4E89913CE3530BFDE903977D42B146D539BF1BDE4E9C92",
891 "2E5A0EAF6E5E1305B9004DCE5C0ED7FE59A35608F33837C816D80B79F461",
892 "0CCCCCCCCCCCCCCCCCCCCCCCCCCCCCAC4912D2D9DF903EF9888B8A0E4CFF", 0xA,
893 _EC_X9_62_CHAR2_239V3_SEED, 20,
894 "X9.62 curve over a 239 bit binary field"
895 };
896
897static const EC_CURVE_DATA _EC_X9_62_CHAR2_272W1 = {
898 NID_X9_62_characteristic_two_field,
899 "010000000000000000000000000000000000000000000000000000010000000000000"
900 "B",
901 "91A091F03B5FBA4AB2CCF49C4EDD220FB028712D42BE752B2C40094DBACDB586FB20",
902 "7167EFC92BB2E3CE7C8AAAFF34E12A9C557003D7C73A6FAF003F99F6CC8482E540F7",
903 "6108BABB2CEEBCF787058A056CBE0CFE622D7723A289E08A07AE13EF0D10D171DD8D",
904 "10C7695716851EEF6BA7F6872E6142FBD241B830FF5EFCACECCAB05E02005DDE9D23",
905 "000100FAF51354E0E39E4892DF6E319C72C8161603FA45AA7B998A167B8F1E629521",
906 0xFF06,
907 NULL, 0,
908 "X9.62 curve over a 272 bit binary field"
909 };
910
911static const EC_CURVE_DATA _EC_X9_62_CHAR2_304W1 = {
912 NID_X9_62_characteristic_two_field,
913 "010000000000000000000000000000000000000000000000000000000000000000000"
914 "000000807",
915 "FD0D693149A118F651E6DCE6802085377E5F882D1B510B44160074C1288078365A039"
916 "6C8E681",
917 "BDDB97E555A50A908E43B01C798EA5DAA6788F1EA2794EFCF57166B8C14039601E558"
918 "27340BE",
919 "197B07845E9BE2D96ADB0F5F3C7F2CFFBD7A3EB8B6FEC35C7FD67F26DDF6285A644F7"
920 "40A2614",
921 "E19FBEB76E0DA171517ECF401B50289BF014103288527A9B416A105E80260B549FDC1"
922 "B92C03B",
923 "000101D556572AABAC800101D556572AABAC8001022D5C91DD173F8FB561DA6899164"
924 "443051D", 0xFE2E,
925 NULL, 0,
926 "X9.62 curve over a 304 bit binary field"
927 };
928
929static const unsigned char _EC_X9_62_CHAR2_359V1_SEED[] = {
930 0x2B,0x35,0x49,0x20,0xB7,0x24,0xD6,0x96,0xE6,0x76,
931 0x87,0x56,0x15,0x17,0x58,0x5B,0xA1,0x33,0x2D,0xC6};
932static const EC_CURVE_DATA _EC_X9_62_CHAR2_359V1 = {
933 NID_X9_62_characteristic_two_field,
934 "800000000000000000000000000000000000000000000000000000000000000000000"
935 "000100000000000000001",
936 "5667676A654B20754F356EA92017D946567C46675556F19556A04616B567D223A5E05"
937 "656FB549016A96656A557",
938 "2472E2D0197C49363F1FE7F5B6DB075D52B6947D135D8CA445805D39BC34562608968"
939 "7742B6329E70680231988",
940 "3C258EF3047767E7EDE0F1FDAA79DAEE3841366A132E163ACED4ED2401DF9C6BDCDE9"
941 "8E8E707C07A2239B1B097",
942 "53D7E08529547048121E9C95F3791DD804963948F34FAE7BF44EA82365DC7868FE57E"
943 "4AE2DE211305A407104BD",
944 "01AF286BCA1AF286BCA1AF286BCA1AF286BCA1AF286BC9FB8F6B85C556892C20A7EB9"
945 "64FE7719E74F490758D3B", 0x4C,
946 _EC_X9_62_CHAR2_359V1_SEED, 20,
947 "X9.62 curve over a 359 bit binary field"
948 };
949
950static const EC_CURVE_DATA _EC_X9_62_CHAR2_368W1 = {
951 NID_X9_62_characteristic_two_field,
952 "010000000000000000000000000000000000000000000000000000000000000000000"
953 "0002000000000000000000007",
954 "E0D2EE25095206F5E2A4F9ED229F1F256E79A0E2B455970D8D0D865BD94778C576D62"
955 "F0AB7519CCD2A1A906AE30D",
956 "FC1217D4320A90452C760A58EDCD30C8DD069B3C34453837A34ED50CB54917E1C2112"
957 "D84D164F444F8F74786046A",
958 "1085E2755381DCCCE3C1557AFA10C2F0C0C2825646C5B34A394CBCFA8BC16B22E7E78"
959 "9E927BE216F02E1FB136A5F",
960 "7B3EB1BDDCBA62D5D8B2059B525797FC73822C59059C623A45FF3843CEE8F87CD1855"
961 "ADAA81E2A0750B80FDA2310",
962 "00010090512DA9AF72B08349D98A5DD4C7B0532ECA51CE03E2D10F3B7AC579BD87E90"
963 "9AE40A6F131E9CFCE5BD967", 0xFF70,
964 NULL, 0,
965 "X9.62 curve over a 368 bit binary field"
966 };
967
968static const EC_CURVE_DATA _EC_X9_62_CHAR2_431R1 = {
969 NID_X9_62_characteristic_two_field,
970 "800000000000000000000000000000000000000000000000000000000000000000000"
971 "000000001000000000000000000000000000001",
972 "1A827EF00DD6FC0E234CAF046C6A5D8A85395B236CC4AD2CF32A0CADBDC9DDF620B0E"
973 "B9906D0957F6C6FEACD615468DF104DE296CD8F",
974 "10D9B4A3D9047D8B154359ABFB1B7F5485B04CEB868237DDC9DEDA982A679A5A919B6"
975 "26D4E50A8DD731B107A9962381FB5D807BF2618",
976 "120FC05D3C67A99DE161D2F4092622FECA701BE4F50F4758714E8A87BBF2A658EF8C2"
977 "1E7C5EFE965361F6C2999C0C247B0DBD70CE6B7",
978 "20D0AF8903A96F8D5FA2C255745D3C451B302C9346D9B7E485E7BCE41F6B591F3E8F6"
979 "ADDCBB0BC4C2F947A7DE1A89B625D6A598B3760",
980 "0340340340340340340340340340340340340340340340340340340323C313FAB5058"
981 "9703B5EC68D3587FEC60D161CC149C1AD4A91", 0x2760,
982 NULL, 0,
983 "X9.62 curve over a 431 bit binary field"
984 };
985
986static const EC_CURVE_DATA _EC_WTLS_1 = {
987 NID_X9_62_characteristic_two_field,
988 "020000000000000000000000000201",
989 "1",
990 "1",
991 "01667979A40BA497E5D5C270780617",
992 "00F44B4AF1ECC2630E08785CEBCC15",
993 "00FFFFFFFFFFFFFFFDBF91AF6DEA73", 2,
994 NULL, 0,
995 "WTLS curve over a 113 bit binary field"
996 };
997
998/* IPSec curves */
999/* NOTE: The of curves over a extension field of non prime degree
1000 * is not recommended (Weil-descent).
1001 * As the group order is not a prime this curve is not suitable
1002 * for ECDSA.
1003 */
1004static const EC_CURVE_DATA _EC_IPSEC_155_ID3 = {
1005 NID_X9_62_characteristic_two_field,
1006 "0800000000000000000000004000000000000001",
1007 "0",
1008 "07338f",
1009 "7b",
1010 "1c8",
1011 "2AAAAAAAAAAAAAAAAAAC7F3C7881BD0868FA86C",3,
1012 NULL, 0,
1013 "\n\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.\n"
1014 "\tNot suitable for ECDSA.\n\tQuestionable extension field!"
1015 };
1016
1017/* NOTE: The of curves over a extension field of non prime degree
1018 * is not recommended (Weil-descent).
1019 * As the group order is not a prime this curve is not suitable
1020 * for ECDSA.
1021 */
1022static const EC_CURVE_DATA _EC_IPSEC_185_ID4 = {
1023 NID_X9_62_characteristic_two_field,
1024 "020000000000000000000000000000200000000000000001",
1025 "0",
1026 "1ee9",
1027 "18",
1028 "0d",
1029 "FFFFFFFFFFFFFFFFFFFFFFEDF97C44DB9F2420BAFCA75E",2,
1030 NULL, 0,
1031 "\n\tIPSec/IKE/Oakley curve #4 over a 185 bit binary field.\n"
1032 "\tNot suitable for ECDSA.\n\tQuestionable extension field!"
1033 };
1034
1035typedef struct _ec_list_element_st {
1036 int nid;
1037 const EC_CURVE_DATA *data;
1038 } ec_list_element;
1039
1040static const ec_list_element curve_list[] = {
1041 /* prime field curves */
1042 /* secg curves */
1043 { NID_secp112r1, &_EC_SECG_PRIME_112R1},
1044 { NID_secp112r2, &_EC_SECG_PRIME_112R2},
1045 { NID_secp128r1, &_EC_SECG_PRIME_128R1},
1046 { NID_secp128r2, &_EC_SECG_PRIME_128R2},
1047 { NID_secp160k1, &_EC_SECG_PRIME_160K1},
1048 { NID_secp160r1, &_EC_SECG_PRIME_160R1},
1049 { NID_secp160r2, &_EC_SECG_PRIME_160R2},
1050 /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */
1051 { NID_secp192k1, &_EC_SECG_PRIME_192K1},
1052 { NID_secp224k1, &_EC_SECG_PRIME_224K1},
1053 { NID_secp224r1, &_EC_NIST_PRIME_224},
1054 { NID_secp256k1, &_EC_SECG_PRIME_256K1},
1055 /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
1056 { NID_secp384r1, &_EC_NIST_PRIME_384},
1057 { NID_secp521r1, &_EC_NIST_PRIME_521},
1058 /* X9.62 curves */
1059 { NID_X9_62_prime192v1, &_EC_NIST_PRIME_192},
1060 { NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2},
1061 { NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3},
1062 { NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1},
1063 { NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2},
1064 { NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3},
1065 { NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1},
1066 /* characteristic two field curves */
1067 /* NIST/SECG curves */
1068 { NID_sect113r1, &_EC_SECG_CHAR2_113R1},
1069 { NID_sect113r2, &_EC_SECG_CHAR2_113R2},
1070 { NID_sect131r1, &_EC_SECG_CHAR2_131R1},
1071 { NID_sect131r2, &_EC_SECG_CHAR2_131R2},
1072 { NID_sect163k1, &_EC_NIST_CHAR2_163K },
1073 { NID_sect163r1, &_EC_SECG_CHAR2_163R1},
1074 { NID_sect163r2, &_EC_NIST_CHAR2_163B },
1075 { NID_sect193r1, &_EC_SECG_CHAR2_193R1},
1076 { NID_sect193r2, &_EC_SECG_CHAR2_193R2},
1077 { NID_sect233k1, &_EC_NIST_CHAR2_233K },
1078 { NID_sect233r1, &_EC_NIST_CHAR2_233B },
1079 { NID_sect239k1, &_EC_SECG_CHAR2_239K1},
1080 { NID_sect283k1, &_EC_NIST_CHAR2_283K },
1081 { NID_sect283r1, &_EC_NIST_CHAR2_283B },
1082 { NID_sect409k1, &_EC_NIST_CHAR2_409K },
1083 { NID_sect409r1, &_EC_NIST_CHAR2_409B },
1084 { NID_sect571k1, &_EC_NIST_CHAR2_571K },
1085 { NID_sect571r1, &_EC_NIST_CHAR2_571B },
1086 /* X9.62 curves */
1087 { NID_X9_62_c2pnb163v1, &_EC_X9_62_CHAR2_163V1},
1088 { NID_X9_62_c2pnb163v2, &_EC_X9_62_CHAR2_163V2},
1089 { NID_X9_62_c2pnb163v3, &_EC_X9_62_CHAR2_163V3},
1090 { NID_X9_62_c2pnb176v1, &_EC_X9_62_CHAR2_176V1},
1091 { NID_X9_62_c2tnb191v1, &_EC_X9_62_CHAR2_191V1},
1092 { NID_X9_62_c2tnb191v2, &_EC_X9_62_CHAR2_191V2},
1093 { NID_X9_62_c2tnb191v3, &_EC_X9_62_CHAR2_191V3},
1094 { NID_X9_62_c2pnb208w1, &_EC_X9_62_CHAR2_208W1},
1095 { NID_X9_62_c2tnb239v1, &_EC_X9_62_CHAR2_239V1},
1096 { NID_X9_62_c2tnb239v2, &_EC_X9_62_CHAR2_239V2},
1097 { NID_X9_62_c2tnb239v3, &_EC_X9_62_CHAR2_239V3},
1098 { NID_X9_62_c2pnb272w1, &_EC_X9_62_CHAR2_272W1},
1099 { NID_X9_62_c2pnb304w1, &_EC_X9_62_CHAR2_304W1},
1100 { NID_X9_62_c2tnb359v1, &_EC_X9_62_CHAR2_359V1},
1101 { NID_X9_62_c2pnb368w1, &_EC_X9_62_CHAR2_368W1},
1102 { NID_X9_62_c2tnb431r1, &_EC_X9_62_CHAR2_431R1},
1103 /* the WAP/WTLS curves
1104 * [unlike SECG, spec has its own OIDs for curves from X9.62] */
1105 { NID_wap_wsg_idm_ecid_wtls1, &_EC_WTLS_1},
1106 { NID_wap_wsg_idm_ecid_wtls3, &_EC_NIST_CHAR2_163K},
1107 { NID_wap_wsg_idm_ecid_wtls4, &_EC_SECG_CHAR2_113R1},
1108 { NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1},
1109 { NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1},
1110 { NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2},
1111 { NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8},
1112 { NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9 },
1113 { NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K},
1114 { NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B},
1115 { NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12},
1116 /* IPSec curves */
1117 { NID_ipsec3, &_EC_IPSEC_155_ID3},
1118 { NID_ipsec4, &_EC_IPSEC_185_ID4},
1119};
1120
1121static size_t curve_list_length = sizeof(curve_list)/sizeof(ec_list_element);
1122
1123static EC_GROUP *ec_group_new_from_data(const EC_CURVE_DATA *data)
1124 {
1125 EC_GROUP *group=NULL;
1126 EC_POINT *P=NULL;
1127 BN_CTX *ctx=NULL;
1128 BIGNUM *p=NULL, *a=NULL, *b=NULL, *x=NULL, *y=NULL, *order=NULL;
1129 int ok=0;
1130
1131 if ((ctx = BN_CTX_new()) == NULL)
1132 {
1133 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
1134 goto err;
1135 }
1136 if ((p = BN_new()) == NULL || (a = BN_new()) == NULL ||
1137 (b = BN_new()) == NULL || (x = BN_new()) == NULL ||
1138 (y = BN_new()) == NULL || (order = BN_new()) == NULL)
1139 {
1140 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
1141 goto err;
1142 }
1143
1144 if (!BN_hex2bn(&p, data->p) || !BN_hex2bn(&a, data->a)
1145 || !BN_hex2bn(&b, data->b))
1146 {
1147 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
1148 goto err;
1149 }
1150
1151 if (data->field_type == NID_X9_62_prime_field)
1152 {
1153 if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL)
1154 {
1155 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
1156 goto err;
1157 }
1158 }
1159 else
1160 { /* field_type == NID_X9_62_characteristic_two_field */
1161 if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL)
1162 {
1163 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
1164 goto err;
1165 }
1166 }
1167
1168 if ((P = EC_POINT_new(group)) == NULL)
1169 {
1170 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
1171 goto err;
1172 }
1173
1174 if (!BN_hex2bn(&x, data->x) || !BN_hex2bn(&y, data->y))
1175 {
1176 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
1177 goto err;
1178 }
1179 if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx))
1180 {
1181 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
1182 goto err;
1183 }
1184 if (!BN_hex2bn(&order, data->order) || !BN_set_word(x, data->cofactor))
1185 {
1186 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
1187 goto err;
1188 }
1189 if (!EC_GROUP_set_generator(group, P, order, x))
1190 {
1191 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
1192 goto err;
1193 }
1194 if (data->seed)
1195 {
1196 if (!EC_GROUP_set_seed(group, data->seed, data->seed_len))
1197 {
1198 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
1199 goto err;
1200 }
1201 }
1202 ok=1;
1203err:
1204 if (!ok)
1205 {
1206 EC_GROUP_free(group);
1207 group = NULL;
1208 }
1209 if (P)
1210 EC_POINT_free(P);
1211 if (ctx)
1212 BN_CTX_free(ctx);
1213 if (p)
1214 BN_free(p);
1215 if (a)
1216 BN_free(a);
1217 if (b)
1218 BN_free(b);
1219 if (order)
1220 BN_free(order);
1221 if (x)
1222 BN_free(x);
1223 if (y)
1224 BN_free(y);
1225 return group;
1226 }
1227
1228EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
1229 {
1230 size_t i;
1231 EC_GROUP *ret = NULL;
1232
1233 if (nid <= 0)
1234 return NULL;
1235
1236 for (i=0; i<curve_list_length; i++)
1237 if (curve_list[i].nid == nid)
1238 {
1239 ret = ec_group_new_from_data(curve_list[i].data);
1240 break;
1241 }
1242
1243 if (ret == NULL)
1244 {
1245 ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
1246 return NULL;
1247 }
1248
1249 EC_GROUP_set_curve_name(ret, nid);
1250
1251 return ret;
1252 }
1253
1254size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
1255 {
1256 size_t i, min;
1257
1258 if (r == NULL || nitems == 0)
1259 return curve_list_length;
1260
1261 min = nitems < curve_list_length ? nitems : curve_list_length;
1262
1263 for (i = 0; i < min; i++)
1264 {
1265 r[i].nid = curve_list[i].nid;
1266 r[i].comment = curve_list[i].data->comment;
1267 }
1268
1269 return curve_list_length;
1270 }
diff --git a/src/lib/libcrypto/ec/ec_cvt.c b/src/lib/libcrypto/ec/ec_cvt.c
index 45b0ec33a0..d45640bab9 100644
--- a/src/lib/libcrypto/ec/ec_cvt.c
+++ b/src/lib/libcrypto/ec/ec_cvt.c
@@ -1,6 +1,9 @@
1/* crypto/ec/ec_cvt.c */ 1/* crypto/ec/ec_cvt.c */
2/*
3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */
2/* ==================================================================== 5/* ====================================================================
3 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4 * 7 *
5 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -52,7 +55,21 @@
52 * Hudson (tjh@cryptsoft.com). 55 * Hudson (tjh@cryptsoft.com).
53 * 56 *
54 */ 57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 *
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
63 *
64 * The Contribution is licensed pursuant to the OpenSSL open source
65 * license provided above.
66 *
67 * The elliptic curve binary polynomial software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
69 *
70 */
55 71
72#include <openssl/err.h>
56#include "ec_lcl.h" 73#include "ec_lcl.h"
57 74
58 75
@@ -60,11 +77,8 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM
60 { 77 {
61 const EC_METHOD *meth; 78 const EC_METHOD *meth;
62 EC_GROUP *ret; 79 EC_GROUP *ret;
63 80
64 /* Finally, this will use EC_GFp_nist_method if 'p' is a special 81 meth = EC_GFp_nist_method();
65 * prime with optimized modular arithmetics (for NIST curves)
66 */
67 meth = EC_GFp_mont_method();
68 82
69 ret = EC_GROUP_new(meth); 83 ret = EC_GROUP_new(meth);
70 if (ret == NULL) 84 if (ret == NULL)
@@ -72,6 +86,56 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM
72 86
73 if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx)) 87 if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx))
74 { 88 {
89 unsigned long err;
90
91 err = ERR_peek_last_error();
92
93 if (!(ERR_GET_LIB(err) == ERR_LIB_EC &&
94 ((ERR_GET_REASON(err) == EC_R_NOT_A_NIST_PRIME) ||
95 (ERR_GET_REASON(err) == EC_R_NOT_A_SUPPORTED_NIST_PRIME))))
96 {
97 /* real error */
98
99 EC_GROUP_clear_free(ret);
100 return NULL;
101 }
102
103
104 /* not an actual error, we just cannot use EC_GFp_nist_method */
105
106 ERR_clear_error();
107
108 EC_GROUP_clear_free(ret);
109 meth = EC_GFp_mont_method();
110
111 ret = EC_GROUP_new(meth);
112 if (ret == NULL)
113 return NULL;
114
115 if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx))
116 {
117 EC_GROUP_clear_free(ret);
118 return NULL;
119 }
120 }
121
122 return ret;
123 }
124
125
126EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
127 {
128 const EC_METHOD *meth;
129 EC_GROUP *ret;
130
131 meth = EC_GF2m_simple_method();
132
133 ret = EC_GROUP_new(meth);
134 if (ret == NULL)
135 return NULL;
136
137 if (!EC_GROUP_set_curve_GF2m(ret, p, a, b, ctx))
138 {
75 EC_GROUP_clear_free(ret); 139 EC_GROUP_clear_free(ret);
76 return NULL; 140 return NULL;
77 } 141 }
diff --git a/src/lib/libcrypto/ec/ec_err.c b/src/lib/libcrypto/ec/ec_err.c
index 5b70f94382..d04c895560 100644
--- a/src/lib/libcrypto/ec/ec_err.c
+++ b/src/lib/libcrypto/ec/ec_err.c
@@ -1,6 +1,6 @@
1/* crypto/ec/ec_err.c */ 1/* crypto/ec/ec_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -71,54 +71,127 @@
71static ERR_STRING_DATA EC_str_functs[]= 71static ERR_STRING_DATA EC_str_functs[]=
72 { 72 {
73{ERR_FUNC(EC_F_COMPUTE_WNAF), "COMPUTE_WNAF"}, 73{ERR_FUNC(EC_F_COMPUTE_WNAF), "COMPUTE_WNAF"},
74{ERR_FUNC(EC_F_D2I_ECPARAMETERS), "d2i_ECParameters"},
75{ERR_FUNC(EC_F_D2I_ECPKPARAMETERS), "d2i_ECPKParameters"},
76{ERR_FUNC(EC_F_D2I_ECPRIVATEKEY), "d2i_ECPrivateKey"},
77{ERR_FUNC(EC_F_ECPARAMETERS_PRINT), "ECParameters_print"},
78{ERR_FUNC(EC_F_ECPARAMETERS_PRINT_FP), "ECParameters_print_fp"},
79{ERR_FUNC(EC_F_ECPKPARAMETERS_PRINT), "ECPKParameters_print"},
80{ERR_FUNC(EC_F_ECPKPARAMETERS_PRINT_FP), "ECPKParameters_print_fp"},
81{ERR_FUNC(EC_F_ECP_NIST_MOD_192), "ECP_NIST_MOD_192"},
82{ERR_FUNC(EC_F_ECP_NIST_MOD_224), "ECP_NIST_MOD_224"},
83{ERR_FUNC(EC_F_ECP_NIST_MOD_256), "ECP_NIST_MOD_256"},
84{ERR_FUNC(EC_F_ECP_NIST_MOD_521), "ECP_NIST_MOD_521"},
85{ERR_FUNC(EC_F_EC_ASN1_GROUP2CURVE), "EC_ASN1_GROUP2CURVE"},
86{ERR_FUNC(EC_F_EC_ASN1_GROUP2FIELDID), "EC_ASN1_GROUP2FIELDID"},
87{ERR_FUNC(EC_F_EC_ASN1_GROUP2PARAMETERS), "EC_ASN1_GROUP2PARAMETERS"},
88{ERR_FUNC(EC_F_EC_ASN1_GROUP2PKPARAMETERS), "EC_ASN1_GROUP2PKPARAMETERS"},
89{ERR_FUNC(EC_F_EC_ASN1_PARAMETERS2GROUP), "EC_ASN1_PARAMETERS2GROUP"},
90{ERR_FUNC(EC_F_EC_ASN1_PKPARAMETERS2GROUP), "EC_ASN1_PKPARAMETERS2GROUP"},
91{ERR_FUNC(EC_F_EC_EX_DATA_SET_DATA), "EC_EX_DATA_set_data"},
92{ERR_FUNC(EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY), "EC_GF2M_MONTGOMERY_POINT_MULTIPLY"},
93{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT), "ec_GF2m_simple_group_check_discriminant"},
94{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE), "ec_GF2m_simple_group_set_curve"},
95{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_OCT2POINT), "ec_GF2m_simple_oct2point"},
96{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_POINT2OCT), "ec_GF2m_simple_point2oct"},
97{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES), "ec_GF2m_simple_point_get_affine_coordinates"},
98{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES), "ec_GF2m_simple_point_set_affine_coordinates"},
99{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES), "ec_GF2m_simple_set_compressed_coordinates"},
74{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_DECODE), "ec_GFp_mont_field_decode"}, 100{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_DECODE), "ec_GFp_mont_field_decode"},
75{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_ENCODE), "ec_GFp_mont_field_encode"}, 101{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_ENCODE), "ec_GFp_mont_field_encode"},
76{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_MUL), "ec_GFp_mont_field_mul"}, 102{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_MUL), "ec_GFp_mont_field_mul"},
103{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE), "ec_GFp_mont_field_set_to_one"},
77{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SQR), "ec_GFp_mont_field_sqr"}, 104{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SQR), "ec_GFp_mont_field_sqr"},
78{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP), "ec_GFp_simple_group_set_curve_GFp"}, 105{ERR_FUNC(EC_F_EC_GFP_MONT_GROUP_SET_CURVE), "ec_GFp_mont_group_set_curve"},
79{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR), "ec_GFp_simple_group_set_generator"}, 106{ERR_FUNC(EC_F_EC_GFP_MONT_GROUP_SET_CURVE_GFP), "EC_GFP_MONT_GROUP_SET_CURVE_GFP"},
107{ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_MUL), "ec_GFp_nist_field_mul"},
108{ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_SQR), "ec_GFp_nist_field_sqr"},
109{ERR_FUNC(EC_F_EC_GFP_NIST_GROUP_SET_CURVE), "ec_GFp_nist_group_set_curve"},
110{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT), "ec_GFp_simple_group_check_discriminant"},
111{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE), "ec_GFp_simple_group_set_curve"},
112{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP), "EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP"},
113{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR), "EC_GFP_SIMPLE_GROUP_SET_GENERATOR"},
80{ERR_FUNC(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE), "ec_GFp_simple_make_affine"}, 114{ERR_FUNC(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE), "ec_GFp_simple_make_affine"},
81{ERR_FUNC(EC_F_EC_GFP_SIMPLE_OCT2POINT), "ec_GFp_simple_oct2point"}, 115{ERR_FUNC(EC_F_EC_GFP_SIMPLE_OCT2POINT), "ec_GFp_simple_oct2point"},
82{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT2OCT), "ec_GFp_simple_point2oct"}, 116{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT2OCT), "ec_GFp_simple_point2oct"},
83{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE), "ec_GFp_simple_points_make_affine"}, 117{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE), "ec_GFp_simple_points_make_affine"},
84{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP), "ec_GFp_simple_point_get_affine_coordinates_GFp"}, 118{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES), "ec_GFp_simple_point_get_affine_coordinates"},
85{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP), "ec_GFp_simple_point_set_affine_coordinates_GFp"}, 119{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP), "EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP"},
86{ERR_FUNC(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP), "ec_GFp_simple_set_compressed_coordinates_GFp"}, 120{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES), "ec_GFp_simple_point_set_affine_coordinates"},
121{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP), "EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP"},
122{ERR_FUNC(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES), "ec_GFp_simple_set_compressed_coordinates"},
123{ERR_FUNC(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP), "EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP"},
124{ERR_FUNC(EC_F_EC_GROUP_CHECK), "EC_GROUP_check"},
125{ERR_FUNC(EC_F_EC_GROUP_CHECK_DISCRIMINANT), "EC_GROUP_check_discriminant"},
87{ERR_FUNC(EC_F_EC_GROUP_COPY), "EC_GROUP_copy"}, 126{ERR_FUNC(EC_F_EC_GROUP_COPY), "EC_GROUP_copy"},
88{ERR_FUNC(EC_F_EC_GROUP_GET0_GENERATOR), "EC_GROUP_get0_generator"}, 127{ERR_FUNC(EC_F_EC_GROUP_GET0_GENERATOR), "EC_GROUP_get0_generator"},
89{ERR_FUNC(EC_F_EC_GROUP_GET_COFACTOR), "EC_GROUP_get_cofactor"}, 128{ERR_FUNC(EC_F_EC_GROUP_GET_COFACTOR), "EC_GROUP_get_cofactor"},
129{ERR_FUNC(EC_F_EC_GROUP_GET_CURVE_GF2M), "EC_GROUP_get_curve_GF2m"},
90{ERR_FUNC(EC_F_EC_GROUP_GET_CURVE_GFP), "EC_GROUP_get_curve_GFp"}, 130{ERR_FUNC(EC_F_EC_GROUP_GET_CURVE_GFP), "EC_GROUP_get_curve_GFp"},
131{ERR_FUNC(EC_F_EC_GROUP_GET_DEGREE), "EC_GROUP_get_degree"},
91{ERR_FUNC(EC_F_EC_GROUP_GET_ORDER), "EC_GROUP_get_order"}, 132{ERR_FUNC(EC_F_EC_GROUP_GET_ORDER), "EC_GROUP_get_order"},
133{ERR_FUNC(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS), "EC_GROUP_get_pentanomial_basis"},
134{ERR_FUNC(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS), "EC_GROUP_get_trinomial_basis"},
92{ERR_FUNC(EC_F_EC_GROUP_NEW), "EC_GROUP_new"}, 135{ERR_FUNC(EC_F_EC_GROUP_NEW), "EC_GROUP_new"},
136{ERR_FUNC(EC_F_EC_GROUP_NEW_BY_CURVE_NAME), "EC_GROUP_new_by_curve_name"},
137{ERR_FUNC(EC_F_EC_GROUP_NEW_FROM_DATA), "EC_GROUP_NEW_FROM_DATA"},
93{ERR_FUNC(EC_F_EC_GROUP_PRECOMPUTE_MULT), "EC_GROUP_precompute_mult"}, 138{ERR_FUNC(EC_F_EC_GROUP_PRECOMPUTE_MULT), "EC_GROUP_precompute_mult"},
139{ERR_FUNC(EC_F_EC_GROUP_SET_CURVE_GF2M), "EC_GROUP_set_curve_GF2m"},
94{ERR_FUNC(EC_F_EC_GROUP_SET_CURVE_GFP), "EC_GROUP_set_curve_GFp"}, 140{ERR_FUNC(EC_F_EC_GROUP_SET_CURVE_GFP), "EC_GROUP_set_curve_GFp"},
95{ERR_FUNC(EC_F_EC_GROUP_SET_EXTRA_DATA), "EC_GROUP_set_extra_data"}, 141{ERR_FUNC(EC_F_EC_GROUP_SET_EXTRA_DATA), "EC_GROUP_SET_EXTRA_DATA"},
96{ERR_FUNC(EC_F_EC_GROUP_SET_GENERATOR), "EC_GROUP_set_generator"}, 142{ERR_FUNC(EC_F_EC_GROUP_SET_GENERATOR), "EC_GROUP_set_generator"},
143{ERR_FUNC(EC_F_EC_KEY_CHECK_KEY), "EC_KEY_check_key"},
144{ERR_FUNC(EC_F_EC_KEY_COPY), "EC_KEY_copy"},
145{ERR_FUNC(EC_F_EC_KEY_GENERATE_KEY), "EC_KEY_generate_key"},
146{ERR_FUNC(EC_F_EC_KEY_NEW), "EC_KEY_new"},
147{ERR_FUNC(EC_F_EC_KEY_PRINT), "EC_KEY_print"},
148{ERR_FUNC(EC_F_EC_KEY_PRINT_FP), "EC_KEY_print_fp"},
97{ERR_FUNC(EC_F_EC_POINTS_MAKE_AFFINE), "EC_POINTs_make_affine"}, 149{ERR_FUNC(EC_F_EC_POINTS_MAKE_AFFINE), "EC_POINTs_make_affine"},
98{ERR_FUNC(EC_F_EC_POINTS_MUL), "EC_POINTs_mul"}, 150{ERR_FUNC(EC_F_EC_POINTS_MUL), "EC_POINTs_mul"},
99{ERR_FUNC(EC_F_EC_POINT_ADD), "EC_POINT_add"}, 151{ERR_FUNC(EC_F_EC_POINT_ADD), "EC_POINT_add"},
100{ERR_FUNC(EC_F_EC_POINT_CMP), "EC_POINT_cmp"}, 152{ERR_FUNC(EC_F_EC_POINT_CMP), "EC_POINT_cmp"},
101{ERR_FUNC(EC_F_EC_POINT_COPY), "EC_POINT_copy"}, 153{ERR_FUNC(EC_F_EC_POINT_COPY), "EC_POINT_copy"},
102{ERR_FUNC(EC_F_EC_POINT_DBL), "EC_POINT_dbl"}, 154{ERR_FUNC(EC_F_EC_POINT_DBL), "EC_POINT_dbl"},
155{ERR_FUNC(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M), "EC_POINT_get_affine_coordinates_GF2m"},
103{ERR_FUNC(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP), "EC_POINT_get_affine_coordinates_GFp"}, 156{ERR_FUNC(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP), "EC_POINT_get_affine_coordinates_GFp"},
104{ERR_FUNC(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP), "EC_POINT_get_Jprojective_coordinates_GFp"}, 157{ERR_FUNC(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP), "EC_POINT_get_Jprojective_coordinates_GFp"},
158{ERR_FUNC(EC_F_EC_POINT_INVERT), "EC_POINT_invert"},
105{ERR_FUNC(EC_F_EC_POINT_IS_AT_INFINITY), "EC_POINT_is_at_infinity"}, 159{ERR_FUNC(EC_F_EC_POINT_IS_AT_INFINITY), "EC_POINT_is_at_infinity"},
106{ERR_FUNC(EC_F_EC_POINT_IS_ON_CURVE), "EC_POINT_is_on_curve"}, 160{ERR_FUNC(EC_F_EC_POINT_IS_ON_CURVE), "EC_POINT_is_on_curve"},
107{ERR_FUNC(EC_F_EC_POINT_MAKE_AFFINE), "EC_POINT_make_affine"}, 161{ERR_FUNC(EC_F_EC_POINT_MAKE_AFFINE), "EC_POINT_make_affine"},
162{ERR_FUNC(EC_F_EC_POINT_MUL), "EC_POINT_mul"},
108{ERR_FUNC(EC_F_EC_POINT_NEW), "EC_POINT_new"}, 163{ERR_FUNC(EC_F_EC_POINT_NEW), "EC_POINT_new"},
109{ERR_FUNC(EC_F_EC_POINT_OCT2POINT), "EC_POINT_oct2point"}, 164{ERR_FUNC(EC_F_EC_POINT_OCT2POINT), "EC_POINT_oct2point"},
110{ERR_FUNC(EC_F_EC_POINT_POINT2OCT), "EC_POINT_point2oct"}, 165{ERR_FUNC(EC_F_EC_POINT_POINT2OCT), "EC_POINT_point2oct"},
166{ERR_FUNC(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M), "EC_POINT_set_affine_coordinates_GF2m"},
111{ERR_FUNC(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP), "EC_POINT_set_affine_coordinates_GFp"}, 167{ERR_FUNC(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP), "EC_POINT_set_affine_coordinates_GFp"},
168{ERR_FUNC(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M), "EC_POINT_set_compressed_coordinates_GF2m"},
112{ERR_FUNC(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP), "EC_POINT_set_compressed_coordinates_GFp"}, 169{ERR_FUNC(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP), "EC_POINT_set_compressed_coordinates_GFp"},
113{ERR_FUNC(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP), "EC_POINT_set_Jprojective_coordinates_GFp"}, 170{ERR_FUNC(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP), "EC_POINT_set_Jprojective_coordinates_GFp"},
114{ERR_FUNC(EC_F_EC_POINT_SET_TO_INFINITY), "EC_POINT_set_to_infinity"}, 171{ERR_FUNC(EC_F_EC_POINT_SET_TO_INFINITY), "EC_POINT_set_to_infinity"},
115{ERR_FUNC(EC_F_GFP_MONT_GROUP_SET_CURVE_GFP), "GFP_MONT_GROUP_SET_CURVE_GFP"}, 172{ERR_FUNC(EC_F_EC_PRE_COMP_DUP), "EC_PRE_COMP_DUP"},
173{ERR_FUNC(EC_F_EC_PRE_COMP_NEW), "EC_PRE_COMP_NEW"},
174{ERR_FUNC(EC_F_EC_WNAF_MUL), "ec_wNAF_mul"},
175{ERR_FUNC(EC_F_EC_WNAF_PRECOMPUTE_MULT), "ec_wNAF_precompute_mult"},
176{ERR_FUNC(EC_F_I2D_ECPARAMETERS), "i2d_ECParameters"},
177{ERR_FUNC(EC_F_I2D_ECPKPARAMETERS), "i2d_ECPKParameters"},
178{ERR_FUNC(EC_F_I2D_ECPRIVATEKEY), "i2d_ECPrivateKey"},
179{ERR_FUNC(EC_F_I2O_ECPUBLICKEY), "i2o_ECPublicKey"},
180{ERR_FUNC(EC_F_O2I_ECPUBLICKEY), "o2i_ECPublicKey"},
116{0,NULL} 181{0,NULL}
117 }; 182 };
118 183
119static ERR_STRING_DATA EC_str_reasons[]= 184static ERR_STRING_DATA EC_str_reasons[]=
120 { 185 {
186{ERR_REASON(EC_R_ASN1_ERROR) ,"asn1 error"},
187{ERR_REASON(EC_R_ASN1_UNKNOWN_FIELD) ,"asn1 unknown field"},
121{ERR_REASON(EC_R_BUFFER_TOO_SMALL) ,"buffer too small"}, 188{ERR_REASON(EC_R_BUFFER_TOO_SMALL) ,"buffer too small"},
189{ERR_REASON(EC_R_D2I_ECPKPARAMETERS_FAILURE),"d2i ecpkparameters failure"},
190{ERR_REASON(EC_R_DISCRIMINANT_IS_ZERO) ,"discriminant is zero"},
191{ERR_REASON(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE),"ec group new by name failure"},
192{ERR_REASON(EC_R_FIELD_TOO_LARGE) ,"field too large"},
193{ERR_REASON(EC_R_GROUP2PKPARAMETERS_FAILURE),"group2pkparameters failure"},
194{ERR_REASON(EC_R_I2D_ECPKPARAMETERS_FAILURE),"i2d ecpkparameters failure"},
122{ERR_REASON(EC_R_INCOMPATIBLE_OBJECTS) ,"incompatible objects"}, 195{ERR_REASON(EC_R_INCOMPATIBLE_OBJECTS) ,"incompatible objects"},
123{ERR_REASON(EC_R_INVALID_ARGUMENT) ,"invalid argument"}, 196{ERR_REASON(EC_R_INVALID_ARGUMENT) ,"invalid argument"},
124{ERR_REASON(EC_R_INVALID_COMPRESSED_POINT),"invalid compressed point"}, 197{ERR_REASON(EC_R_INVALID_COMPRESSED_POINT),"invalid compressed point"},
@@ -126,12 +199,28 @@ static ERR_STRING_DATA EC_str_reasons[]=
126{ERR_REASON(EC_R_INVALID_ENCODING) ,"invalid encoding"}, 199{ERR_REASON(EC_R_INVALID_ENCODING) ,"invalid encoding"},
127{ERR_REASON(EC_R_INVALID_FIELD) ,"invalid field"}, 200{ERR_REASON(EC_R_INVALID_FIELD) ,"invalid field"},
128{ERR_REASON(EC_R_INVALID_FORM) ,"invalid form"}, 201{ERR_REASON(EC_R_INVALID_FORM) ,"invalid form"},
202{ERR_REASON(EC_R_INVALID_GROUP_ORDER) ,"invalid group order"},
203{ERR_REASON(EC_R_INVALID_PENTANOMIAL_BASIS),"invalid pentanomial basis"},
204{ERR_REASON(EC_R_INVALID_PRIVATE_KEY) ,"invalid private key"},
205{ERR_REASON(EC_R_INVALID_TRINOMIAL_BASIS),"invalid trinomial basis"},
206{ERR_REASON(EC_R_MISSING_PARAMETERS) ,"missing parameters"},
207{ERR_REASON(EC_R_MISSING_PRIVATE_KEY) ,"missing private key"},
208{ERR_REASON(EC_R_NOT_A_NIST_PRIME) ,"not a NIST prime"},
209{ERR_REASON(EC_R_NOT_A_SUPPORTED_NIST_PRIME),"not a supported NIST prime"},
210{ERR_REASON(EC_R_NOT_IMPLEMENTED) ,"not implemented"},
129{ERR_REASON(EC_R_NOT_INITIALIZED) ,"not initialized"}, 211{ERR_REASON(EC_R_NOT_INITIALIZED) ,"not initialized"},
212{ERR_REASON(EC_R_NO_FIELD_MOD) ,"no field mod"},
213{ERR_REASON(EC_R_PASSED_NULL_PARAMETER) ,"passed null parameter"},
214{ERR_REASON(EC_R_PKPARAMETERS2GROUP_FAILURE),"pkparameters2group failure"},
130{ERR_REASON(EC_R_POINT_AT_INFINITY) ,"point at infinity"}, 215{ERR_REASON(EC_R_POINT_AT_INFINITY) ,"point at infinity"},
131{ERR_REASON(EC_R_POINT_IS_NOT_ON_CURVE) ,"point is not on curve"}, 216{ERR_REASON(EC_R_POINT_IS_NOT_ON_CURVE) ,"point is not on curve"},
132{ERR_REASON(EC_R_SLOT_FULL) ,"slot full"}, 217{ERR_REASON(EC_R_SLOT_FULL) ,"slot full"},
133{ERR_REASON(EC_R_UNDEFINED_GENERATOR) ,"undefined generator"}, 218{ERR_REASON(EC_R_UNDEFINED_GENERATOR) ,"undefined generator"},
219{ERR_REASON(EC_R_UNDEFINED_ORDER) ,"undefined order"},
220{ERR_REASON(EC_R_UNKNOWN_GROUP) ,"unknown group"},
134{ERR_REASON(EC_R_UNKNOWN_ORDER) ,"unknown order"}, 221{ERR_REASON(EC_R_UNKNOWN_ORDER) ,"unknown order"},
222{ERR_REASON(EC_R_UNSUPPORTED_FIELD) ,"unsupported field"},
223{ERR_REASON(EC_R_WRONG_ORDER) ,"wrong order"},
135{0,NULL} 224{0,NULL}
136 }; 225 };
137 226
@@ -139,15 +228,12 @@ static ERR_STRING_DATA EC_str_reasons[]=
139 228
140void ERR_load_EC_strings(void) 229void ERR_load_EC_strings(void)
141 { 230 {
142 static int init=1; 231#ifndef OPENSSL_NO_ERR
143 232
144 if (init) 233 if (ERR_func_error_string(EC_str_functs[0].error) == NULL)
145 { 234 {
146 init=0;
147#ifndef OPENSSL_NO_ERR
148 ERR_load_strings(0,EC_str_functs); 235 ERR_load_strings(0,EC_str_functs);
149 ERR_load_strings(0,EC_str_reasons); 236 ERR_load_strings(0,EC_str_reasons);
150#endif
151
152 } 237 }
238#endif
153 } 239 }
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
new file mode 100644
index 0000000000..3d6c900b95
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -0,0 +1,465 @@
1/* crypto/ec/ec_key.c */
2/*
3 * Written by Nils Larsch for the OpenSSL project.
4 */
5/* ====================================================================
6 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Portions originally developed by SUN MICROSYSTEMS, INC., and
61 * contributed to the OpenSSL project.
62 */
63
64#include <string.h>
65#include "ec_lcl.h"
66#include <openssl/err.h>
67#include <string.h>
68
69EC_KEY *EC_KEY_new(void)
70 {
71 EC_KEY *ret;
72
73 ret=(EC_KEY *)OPENSSL_malloc(sizeof(EC_KEY));
74 if (ret == NULL)
75 {
76 ECerr(EC_F_EC_KEY_NEW, ERR_R_MALLOC_FAILURE);
77 return(NULL);
78 }
79
80 ret->version = 1;
81 ret->group = NULL;
82 ret->pub_key = NULL;
83 ret->priv_key= NULL;
84 ret->enc_flag= 0;
85 ret->conv_form = POINT_CONVERSION_UNCOMPRESSED;
86 ret->references= 1;
87 ret->method_data = NULL;
88 return(ret);
89 }
90
91EC_KEY *EC_KEY_new_by_curve_name(int nid)
92 {
93 EC_KEY *ret = EC_KEY_new();
94 if (ret == NULL)
95 return NULL;
96 ret->group = EC_GROUP_new_by_curve_name(nid);
97 if (ret->group == NULL)
98 {
99 EC_KEY_free(ret);
100 return NULL;
101 }
102 return ret;
103 }
104
105void EC_KEY_free(EC_KEY *r)
106 {
107 int i;
108
109 if (r == NULL) return;
110
111 i=CRYPTO_add(&r->references,-1,CRYPTO_LOCK_EC);
112#ifdef REF_PRINT
113 REF_PRINT("EC_KEY",r);
114#endif
115 if (i > 0) return;
116#ifdef REF_CHECK
117 if (i < 0)
118 {
119 fprintf(stderr,"EC_KEY_free, bad reference count\n");
120 abort();
121 }
122#endif
123
124 if (r->group != NULL)
125 EC_GROUP_free(r->group);
126 if (r->pub_key != NULL)
127 EC_POINT_free(r->pub_key);
128 if (r->priv_key != NULL)
129 BN_clear_free(r->priv_key);
130
131 EC_EX_DATA_free_all_data(&r->method_data);
132
133 OPENSSL_cleanse((void *)r, sizeof(EC_KEY));
134
135 OPENSSL_free(r);
136 }
137
138EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
139 {
140 EC_EXTRA_DATA *d;
141
142 if (dest == NULL || src == NULL)
143 {
144 ECerr(EC_F_EC_KEY_COPY, ERR_R_PASSED_NULL_PARAMETER);
145 return NULL;
146 }
147 /* copy the parameters */
148 if (src->group)
149 {
150 const EC_METHOD *meth = EC_GROUP_method_of(src->group);
151 /* clear the old group */
152 if (dest->group)
153 EC_GROUP_free(dest->group);
154 dest->group = EC_GROUP_new(meth);
155 if (dest->group == NULL)
156 return NULL;
157 if (!EC_GROUP_copy(dest->group, src->group))
158 return NULL;
159 }
160 /* copy the public key */
161 if (src->pub_key && src->group)
162 {
163 if (dest->pub_key)
164 EC_POINT_free(dest->pub_key);
165 dest->pub_key = EC_POINT_new(src->group);
166 if (dest->pub_key == NULL)
167 return NULL;
168 if (!EC_POINT_copy(dest->pub_key, src->pub_key))
169 return NULL;
170 }
171 /* copy the private key */
172 if (src->priv_key)
173 {
174 if (dest->priv_key == NULL)
175 {
176 dest->priv_key = BN_new();
177 if (dest->priv_key == NULL)
178 return NULL;
179 }
180 if (!BN_copy(dest->priv_key, src->priv_key))
181 return NULL;
182 }
183 /* copy method/extra data */
184 EC_EX_DATA_free_all_data(&dest->method_data);
185
186 for (d = src->method_data; d != NULL; d = d->next)
187 {
188 void *t = d->dup_func(d->data);
189
190 if (t == NULL)
191 return 0;
192 if (!EC_EX_DATA_set_data(&dest->method_data, t, d->dup_func, d->free_func, d->clear_free_func))
193 return 0;
194 }
195
196 /* copy the rest */
197 dest->enc_flag = src->enc_flag;
198 dest->conv_form = src->conv_form;
199 dest->version = src->version;
200
201 return dest;
202 }
203
204EC_KEY *EC_KEY_dup(const EC_KEY *ec_key)
205 {
206 EC_KEY *ret = EC_KEY_new();
207 if (ret == NULL)
208 return NULL;
209 if (EC_KEY_copy(ret, ec_key) == NULL)
210 {
211 EC_KEY_free(ret);
212 return NULL;
213 }
214 return ret;
215 }
216
217int EC_KEY_up_ref(EC_KEY *r)
218 {
219 int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_EC);
220#ifdef REF_PRINT
221 REF_PRINT("EC_KEY",r);
222#endif
223#ifdef REF_CHECK
224 if (i < 2)
225 {
226 fprintf(stderr, "EC_KEY_up, bad reference count\n");
227 abort();
228 }
229#endif
230 return ((i > 1) ? 1 : 0);
231 }
232
233int EC_KEY_generate_key(EC_KEY *eckey)
234 {
235 int ok = 0;
236 BN_CTX *ctx = NULL;
237 BIGNUM *priv_key = NULL, *order = NULL;
238 EC_POINT *pub_key = NULL;
239
240 if (!eckey || !eckey->group)
241 {
242 ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
243 return 0;
244 }
245
246 if ((order = BN_new()) == NULL) goto err;
247 if ((ctx = BN_CTX_new()) == NULL) goto err;
248
249 if (eckey->priv_key == NULL)
250 {
251 priv_key = BN_new();
252 if (priv_key == NULL)
253 goto err;
254 }
255 else
256 priv_key = eckey->priv_key;
257
258 if (!EC_GROUP_get_order(eckey->group, order, ctx))
259 goto err;
260
261 do
262 if (!BN_rand_range(priv_key, order))
263 goto err;
264 while (BN_is_zero(priv_key));
265
266 if (eckey->pub_key == NULL)
267 {
268 pub_key = EC_POINT_new(eckey->group);
269 if (pub_key == NULL)
270 goto err;
271 }
272 else
273 pub_key = eckey->pub_key;
274
275 if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
276 goto err;
277
278 eckey->priv_key = priv_key;
279 eckey->pub_key = pub_key;
280
281 ok=1;
282
283err:
284 if (order)
285 BN_free(order);
286 if (pub_key != NULL && eckey->pub_key == NULL)
287 EC_POINT_free(pub_key);
288 if (priv_key != NULL && eckey->priv_key == NULL)
289 BN_free(priv_key);
290 if (ctx != NULL)
291 BN_CTX_free(ctx);
292 return(ok);
293 }
294
295int EC_KEY_check_key(const EC_KEY *eckey)
296 {
297 int ok = 0;
298 BN_CTX *ctx = NULL;
299 BIGNUM *order = NULL;
300 EC_POINT *point = NULL;
301
302 if (!eckey || !eckey->group || !eckey->pub_key)
303 {
304 ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER);
305 return 0;
306 }
307
308 if ((ctx = BN_CTX_new()) == NULL)
309 goto err;
310 if ((order = BN_new()) == NULL)
311 goto err;
312 if ((point = EC_POINT_new(eckey->group)) == NULL)
313 goto err;
314
315 /* testing whether the pub_key is on the elliptic curve */
316 if (!EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx))
317 {
318 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE);
319 goto err;
320 }
321 /* testing whether pub_key * order is the point at infinity */
322 if (!EC_GROUP_get_order(eckey->group, order, ctx))
323 {
324 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_GROUP_ORDER);
325 goto err;
326 }
327 if (!EC_POINT_copy(point, eckey->pub_key))
328 {
329 ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);
330 goto err;
331 }
332 if (!EC_POINT_mul(eckey->group, point, order, NULL, NULL, ctx))
333 {
334 ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);
335 goto err;
336 }
337 if (!EC_POINT_is_at_infinity(eckey->group, point))
338 {
339 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);
340 goto err;
341 }
342 /* in case the priv_key is present :
343 * check if generator * priv_key == pub_key
344 */
345 if (eckey->priv_key)
346 {
347 if (BN_cmp(eckey->priv_key, order) >= 0)
348 {
349 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);
350 goto err;
351 }
352 if (!EC_POINT_mul(eckey->group, point, eckey->priv_key,
353 NULL, NULL, ctx))
354 {
355 ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);
356 goto err;
357 }
358 if (EC_POINT_cmp(eckey->group, point, eckey->pub_key,
359 ctx) != 0)
360 {
361 ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY);
362 goto err;
363 }
364 }
365 ok = 1;
366err:
367 if (ctx != NULL)
368 BN_CTX_free(ctx);
369 if (order != NULL)
370 BN_free(order);
371 if (point != NULL)
372 EC_POINT_free(point);
373 return(ok);
374 }
375
376const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key)
377 {
378 return key->group;
379 }
380
381int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group)
382 {
383 if (key->group != NULL)
384 EC_GROUP_free(key->group);
385 key->group = EC_GROUP_dup(group);
386 return (key->group == NULL) ? 0 : 1;
387 }
388
389const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key)
390 {
391 return key->priv_key;
392 }
393
394int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
395 {
396 if (key->priv_key)
397 BN_clear_free(key->priv_key);
398 key->priv_key = BN_dup(priv_key);
399 return (key->priv_key == NULL) ? 0 : 1;
400 }
401
402const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key)
403 {
404 return key->pub_key;
405 }
406
407int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key)
408 {
409 if (key->pub_key != NULL)
410 EC_POINT_free(key->pub_key);
411 key->pub_key = EC_POINT_dup(pub_key, key->group);
412 return (key->pub_key == NULL) ? 0 : 1;
413 }
414
415unsigned int EC_KEY_get_enc_flags(const EC_KEY *key)
416 {
417 return key->enc_flag;
418 }
419
420void EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags)
421 {
422 key->enc_flag = flags;
423 }
424
425point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key)
426 {
427 return key->conv_form;
428 }
429
430void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform)
431 {
432 key->conv_form = cform;
433 if (key->group != NULL)
434 EC_GROUP_set_point_conversion_form(key->group, cform);
435 }
436
437void *EC_KEY_get_key_method_data(EC_KEY *key,
438 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
439 {
440 return EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
441 }
442
443void EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
444 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
445 {
446 EC_EXTRA_DATA *ex_data;
447 CRYPTO_w_lock(CRYPTO_LOCK_EC);
448 ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
449 if (ex_data == NULL)
450 EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func);
451 CRYPTO_w_unlock(CRYPTO_LOCK_EC);
452 }
453
454void EC_KEY_set_asn1_flag(EC_KEY *key, int flag)
455 {
456 if (key->group != NULL)
457 EC_GROUP_set_asn1_flag(key->group, flag);
458 }
459
460int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx)
461 {
462 if (key->group == NULL)
463 return 0;
464 return EC_GROUP_precompute_mult(key->group, ctx);
465 }
diff --git a/src/lib/libcrypto/ec/ec_lcl.h b/src/lib/libcrypto/ec/ec_lcl.h
index cc4cf27755..fdd7aa2755 100644
--- a/src/lib/libcrypto/ec/ec_lcl.h
+++ b/src/lib/libcrypto/ec/ec_lcl.h
@@ -1,6 +1,9 @@
1/* crypto/ec/ec_lcl.h */ 1/* crypto/ec/ec_lcl.h */
2/*
3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */
2/* ==================================================================== 5/* ====================================================================
3 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
4 * 7 *
5 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -52,35 +55,56 @@
52 * Hudson (tjh@cryptsoft.com). 55 * Hudson (tjh@cryptsoft.com).
53 * 56 *
54 */ 57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 *
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
63 *
64 * The Contribution is licensed pursuant to the OpenSSL open source
65 * license provided above.
66 *
67 * The elliptic curve binary polynomial software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
69 *
70 */
55 71
56 72
57#include <stdlib.h> 73#include <stdlib.h>
58 74
75#include <openssl/obj_mac.h>
59#include <openssl/ec.h> 76#include <openssl/ec.h>
77#include <openssl/bn.h>
60 78
79#if defined(__SUNPRO_C)
80# if __SUNPRO_C >= 0x520
81# pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE)
82# endif
83#endif
61 84
62/* Structure details are not part of the exported interface, 85/* Structure details are not part of the exported interface,
63 * so all this may change in future versions. */ 86 * so all this may change in future versions. */
64 87
65struct ec_method_st { 88struct ec_method_st {
89 /* used by EC_METHOD_get_field_type: */
90 int field_type; /* a NID */
91
66 /* used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, EC_GROUP_copy: */ 92 /* used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, EC_GROUP_copy: */
67 int (*group_init)(EC_GROUP *); 93 int (*group_init)(EC_GROUP *);
68 void (*group_finish)(EC_GROUP *); 94 void (*group_finish)(EC_GROUP *);
69 void (*group_clear_finish)(EC_GROUP *); 95 void (*group_clear_finish)(EC_GROUP *);
70 int (*group_copy)(EC_GROUP *, const EC_GROUP *); 96 int (*group_copy)(EC_GROUP *, const EC_GROUP *);
71 97
72 /* used by EC_GROUP_set_curve_GFp and EC_GROUP_get_curve_GFp: */ 98 /* used by EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, */
73 int (*group_set_curve_GFp)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); 99 /* EC_GROUP_set_curve_GF2m, and EC_GROUP_get_curve_GF2m: */
74 int (*group_get_curve_GFp)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *); 100 int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
101 int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
75 102
76 /* used by EC_GROUP_set_generator, EC_GROUP_get0_generator, 103 /* used by EC_GROUP_get_degree: */
77 * EC_GROUP_get_order, EC_GROUP_get_cofactor: 104 int (*group_get_degree)(const EC_GROUP *);
78 */ 105
79 int (*group_set_generator)(EC_GROUP *, const EC_POINT *generator, 106 /* used by EC_GROUP_check: */
80 const BIGNUM *order, const BIGNUM *cofactor); 107 int (*group_check_discriminant)(const EC_GROUP *, BN_CTX *);
81 EC_POINT *(*group_get0_generator)(const EC_GROUP *);
82 int (*group_get_order)(const EC_GROUP *, BIGNUM *order, BN_CTX *);
83 int (*group_get_cofactor)(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
84 108
85 /* used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy: */ 109 /* used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy: */
86 int (*point_init)(EC_POINT *); 110 int (*point_init)(EC_POINT *);
@@ -89,20 +113,22 @@ struct ec_method_st {
89 int (*point_copy)(EC_POINT *, const EC_POINT *); 113 int (*point_copy)(EC_POINT *, const EC_POINT *);
90 114
91 /* used by EC_POINT_set_to_infinity, 115 /* used by EC_POINT_set_to_infinity,
92 * EC_POINT_set_Jprojective_coordinates_GFp, EC_POINT_get_Jprojective_coordinates_GFp, 116 * EC_POINT_set_Jprojective_coordinates_GFp,
93 * EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp, 117 * EC_POINT_get_Jprojective_coordinates_GFp,
94 * EC_POINT_set_compressed_coordinates_GFp: 118 * EC_POINT_set_affine_coordinates_GFp, ..._GF2m,
119 * EC_POINT_get_affine_coordinates_GFp, ..._GF2m,
120 * EC_POINT_set_compressed_coordinates_GFp, ..._GF2m:
95 */ 121 */
96 int (*point_set_to_infinity)(const EC_GROUP *, EC_POINT *); 122 int (*point_set_to_infinity)(const EC_GROUP *, EC_POINT *);
97 int (*point_set_Jprojective_coordinates_GFp)(const EC_GROUP *, EC_POINT *, 123 int (*point_set_Jprojective_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
98 const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *); 124 const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
99 int (*point_get_Jprojective_coordinates_GFp)(const EC_GROUP *, const EC_POINT *, 125 int (*point_get_Jprojective_coordinates_GFp)(const EC_GROUP *, const EC_POINT *,
100 BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *); 126 BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
101 int (*point_set_affine_coordinates_GFp)(const EC_GROUP *, EC_POINT *, 127 int (*point_set_affine_coordinates)(const EC_GROUP *, EC_POINT *,
102 const BIGNUM *x, const BIGNUM *y, BN_CTX *); 128 const BIGNUM *x, const BIGNUM *y, BN_CTX *);
103 int (*point_get_affine_coordinates_GFp)(const EC_GROUP *, const EC_POINT *, 129 int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_POINT *,
104 BIGNUM *x, BIGNUM *y, BN_CTX *); 130 BIGNUM *x, BIGNUM *y, BN_CTX *);
105 int (*point_set_compressed_coordinates_GFp)(const EC_GROUP *, EC_POINT *, 131 int (*point_set_compressed_coordinates)(const EC_GROUP *, EC_POINT *,
106 const BIGNUM *x, int y_bit, BN_CTX *); 132 const BIGNUM *x, int y_bit, BN_CTX *);
107 133
108 /* used by EC_POINT_point2oct, EC_POINT_oct2point: */ 134 /* used by EC_POINT_point2oct, EC_POINT_oct2point: */
@@ -125,34 +151,65 @@ struct ec_method_st {
125 int (*make_affine)(const EC_GROUP *, EC_POINT *, BN_CTX *); 151 int (*make_affine)(const EC_GROUP *, EC_POINT *, BN_CTX *);
126 int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *); 152 int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
127 153
154 /* used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, EC_POINT_have_precompute_mult
155 * (default implementations are used if the 'mul' pointer is 0): */
156 int (*mul)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
157 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
158 int (*precompute_mult)(EC_GROUP *group, BN_CTX *);
159 int (*have_precompute_mult)(const EC_GROUP *group);
160
128 161
129 /* internal functions */ 162 /* internal functions */
130 163
131 /* 'field_mul' and 'field_sqr' can be used by 'add' and 'dbl' so that 164 /* 'field_mul', 'field_sqr', and 'field_div' can be used by 'add' and 'dbl' so that
132 * the same implementations of point operations can be used with different 165 * the same implementations of point operations can be used with different
133 * optimized implementations of expensive field operations: */ 166 * optimized implementations of expensive field operations: */
134 int (*field_mul)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *); 167 int (*field_mul)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
135 int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); 168 int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
169 int (*field_div)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
136 170
137 int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. to Montgomery */ 171 int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. to Montgomery */
138 int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. from Montgomery */ 172 int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. from Montgomery */
139 int (*field_set_to_one)(const EC_GROUP *, BIGNUM *r, BN_CTX *); 173 int (*field_set_to_one)(const EC_GROUP *, BIGNUM *r, BN_CTX *);
140} /* EC_METHOD */; 174} /* EC_METHOD */;
141 175
176typedef struct ec_extra_data_st {
177 struct ec_extra_data_st *next;
178 void *data;
179 void *(*dup_func)(void *);
180 void (*free_func)(void *);
181 void (*clear_free_func)(void *);
182} EC_EXTRA_DATA; /* used in EC_GROUP */
142 183
143struct ec_group_st { 184struct ec_group_st {
144 const EC_METHOD *meth; 185 const EC_METHOD *meth;
145 186
146 void *extra_data; 187 EC_POINT *generator; /* optional */
147 void *(*extra_data_dup_func)(void *); 188 BIGNUM order, cofactor;
148 void (*extra_data_free_func)(void *); 189
149 void (*extra_data_clear_free_func)(void *); 190 int curve_name;/* optional NID for named curve */
191 int asn1_flag; /* flag to control the asn1 encoding */
192 point_conversion_form_t asn1_form;
193
194 unsigned char *seed; /* optional seed for parameters (appears in ASN1) */
195 size_t seed_len;
150 196
151 /* All members except 'meth' and 'extra_data...' are handled by 197 EC_EXTRA_DATA *extra_data; /* linked list */
152 * the method functions, even if they appear generic */ 198
199 /* The following members are handled by the method functions,
200 * even if they appear generic */
153 201
154 BIGNUM field; /* Field specification. 202 BIGNUM field; /* Field specification.
155 * For curves over GF(p), this is the modulus. */ 203 * For curves over GF(p), this is the modulus;
204 * for curves over GF(2^m), this is the
205 * irreducible polynomial defining the field.
206 */
207
208 unsigned int poly[5]; /* Field specification for curves over GF(2^m).
209 * The irreducible f(t) is then of the form:
210 * t^poly[0] + t^poly[1] + ... + t^poly[k]
211 * where m = poly[0] > poly[1] > ... > poly[k] = 0.
212 */
156 213
157 BIGNUM a, b; /* Curve coefficients. 214 BIGNUM a, b; /* Curve coefficients.
158 * (Here the assumption is that BIGNUMs can be used 215 * (Here the assumption is that BIGNUMs can be used
@@ -160,29 +217,49 @@ struct ec_group_st {
160 * For characteristic > 3, the curve is defined 217 * For characteristic > 3, the curve is defined
161 * by a Weierstrass equation of the form 218 * by a Weierstrass equation of the form
162 * y^2 = x^3 + a*x + b. 219 * y^2 = x^3 + a*x + b.
220 * For characteristic 2, the curve is defined by
221 * an equation of the form
222 * y^2 + x*y = x^3 + a*x^2 + b.
163 */ 223 */
164 int a_is_minus3; /* enable optimized point arithmetics for special case */
165 224
166 EC_POINT *generator; /* optional */ 225 int a_is_minus3; /* enable optimized point arithmetics for special case */
167 BIGNUM order, cofactor;
168 226
169 void *field_data1; /* method-specific (e.g., Montgomery structure) */ 227 void *field_data1; /* method-specific (e.g., Montgomery structure) */
170 void *field_data2; /* method-specific */ 228 void *field_data2; /* method-specific */
229 int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); /* method-specific */
171} /* EC_GROUP */; 230} /* EC_GROUP */;
172 231
232struct ec_key_st {
233 int version;
234
235 EC_GROUP *group;
236
237 EC_POINT *pub_key;
238 BIGNUM *priv_key;
239
240 unsigned int enc_flag;
241 point_conversion_form_t conv_form;
173 242
174/* Basically a 'mixin' for extra data, but available for EC_GROUPs only 243 int references;
244
245 EC_EXTRA_DATA *method_data;
246} /* EC_KEY */;
247
248/* Basically a 'mixin' for extra data, but available for EC_GROUPs/EC_KEYs only
175 * (with visibility limited to 'package' level for now). 249 * (with visibility limited to 'package' level for now).
176 * We use the function pointers as index for retrieval; this obviates 250 * We use the function pointers as index for retrieval; this obviates
177 * global ex_data-style index tables. 251 * global ex_data-style index tables.
178 * (Currently, we have one slot only, but is is possible to extend this 252 */
179 * if necessary.) */ 253int EC_EX_DATA_set_data(EC_EXTRA_DATA **, void *data,
180int EC_GROUP_set_extra_data(EC_GROUP *, void *extra_data, void *(*extra_data_dup_func)(void *), 254 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
181 void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *)); 255void *EC_EX_DATA_get_data(const EC_EXTRA_DATA *,
182void *EC_GROUP_get_extra_data(const EC_GROUP *, void *(*extra_data_dup_func)(void *), 256 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
183 void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *)); 257void EC_EX_DATA_free_data(EC_EXTRA_DATA **,
184void EC_GROUP_free_extra_data(EC_GROUP *); 258 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
185void EC_GROUP_clear_free_extra_data(EC_GROUP *); 259void EC_EX_DATA_clear_free_data(EC_EXTRA_DATA **,
260 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
261void EC_EX_DATA_free_all_data(EC_EXTRA_DATA **);
262void EC_EX_DATA_clear_free_all_data(EC_EXTRA_DATA **);
186 263
187 264
188 265
@@ -201,18 +278,23 @@ struct ec_point_st {
201 278
202 279
203 280
281/* method functions in ec_mult.c
282 * (ec_lib.c uses these as defaults if group->method->mul is 0) */
283int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
284 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
285int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *);
286int ec_wNAF_have_precompute_mult(const EC_GROUP *group);
287
288
204/* method functions in ecp_smpl.c */ 289/* method functions in ecp_smpl.c */
205int ec_GFp_simple_group_init(EC_GROUP *); 290int ec_GFp_simple_group_init(EC_GROUP *);
206void ec_GFp_simple_group_finish(EC_GROUP *); 291void ec_GFp_simple_group_finish(EC_GROUP *);
207void ec_GFp_simple_group_clear_finish(EC_GROUP *); 292void ec_GFp_simple_group_clear_finish(EC_GROUP *);
208int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *); 293int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *);
209int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); 294int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
210int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *); 295int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
211int ec_GFp_simple_group_set_generator(EC_GROUP *, const EC_POINT *generator, 296int ec_GFp_simple_group_get_degree(const EC_GROUP *);
212 const BIGNUM *order, const BIGNUM *cofactor); 297int ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);
213EC_POINT *ec_GFp_simple_group_get0_generator(const EC_GROUP *);
214int ec_GFp_simple_group_get_order(const EC_GROUP *, BIGNUM *order, BN_CTX *);
215int ec_GFp_simple_group_get_cofactor(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
216int ec_GFp_simple_point_init(EC_POINT *); 298int ec_GFp_simple_point_init(EC_POINT *);
217void ec_GFp_simple_point_finish(EC_POINT *); 299void ec_GFp_simple_point_finish(EC_POINT *);
218void ec_GFp_simple_point_clear_finish(EC_POINT *); 300void ec_GFp_simple_point_clear_finish(EC_POINT *);
@@ -222,11 +304,11 @@ int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, EC_POINT *,
222 const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *); 304 const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
223int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, const EC_POINT *, 305int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
224 BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *); 306 BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
225int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *, 307int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
226 const BIGNUM *x, const BIGNUM *y, BN_CTX *); 308 const BIGNUM *x, const BIGNUM *y, BN_CTX *);
227int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *, const EC_POINT *, 309int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *, const EC_POINT *,
228 BIGNUM *x, BIGNUM *y, BN_CTX *); 310 BIGNUM *x, BIGNUM *y, BN_CTX *);
229int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *, EC_POINT *, 311int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,
230 const BIGNUM *x, int y_bit, BN_CTX *); 312 const BIGNUM *x, int y_bit, BN_CTX *);
231size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form, 313size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
232 unsigned char *buf, size_t len, BN_CTX *); 314 unsigned char *buf, size_t len, BN_CTX *);
@@ -246,7 +328,7 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX
246 328
247/* method functions in ecp_mont.c */ 329/* method functions in ecp_mont.c */
248int ec_GFp_mont_group_init(EC_GROUP *); 330int ec_GFp_mont_group_init(EC_GROUP *);
249int ec_GFp_mont_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); 331int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
250void ec_GFp_mont_group_finish(EC_GROUP *); 332void ec_GFp_mont_group_finish(EC_GROUP *);
251void ec_GFp_mont_group_clear_finish(EC_GROUP *); 333void ec_GFp_mont_group_clear_finish(EC_GROUP *);
252int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *); 334int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *);
@@ -257,21 +339,52 @@ int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CT
257int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *); 339int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *);
258 340
259 341
260/* method functions in ecp_recp.c */
261int ec_GFp_recp_group_init(EC_GROUP *);
262int ec_GFp_recp_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
263void ec_GFp_recp_group_finish(EC_GROUP *);
264void ec_GFp_recp_group_clear_finish(EC_GROUP *);
265int ec_GFp_recp_group_copy(EC_GROUP *, const EC_GROUP *);
266int ec_GFp_recp_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
267int ec_GFp_recp_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
268
269
270/* method functions in ecp_nist.c */ 342/* method functions in ecp_nist.c */
271int ec_GFp_nist_group_init(EC_GROUP *); 343int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);
272int ec_GFp_nist_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); 344int ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
273void ec_GFp_nist_group_finish(EC_GROUP *);
274void ec_GFp_nist_group_clear_finish(EC_GROUP *);
275int ec_GFp_nist_group_copy(EC_GROUP *, const EC_GROUP *);
276int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *); 345int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
277int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); 346int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
347
348
349/* method functions in ec2_smpl.c */
350int ec_GF2m_simple_group_init(EC_GROUP *);
351void ec_GF2m_simple_group_finish(EC_GROUP *);
352void ec_GF2m_simple_group_clear_finish(EC_GROUP *);
353int ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *);
354int ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
355int ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
356int ec_GF2m_simple_group_get_degree(const EC_GROUP *);
357int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);
358int ec_GF2m_simple_point_init(EC_POINT *);
359void ec_GF2m_simple_point_finish(EC_POINT *);
360void ec_GF2m_simple_point_clear_finish(EC_POINT *);
361int ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *);
362int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
363int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
364 const BIGNUM *x, const BIGNUM *y, BN_CTX *);
365int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *, const EC_POINT *,
366 BIGNUM *x, BIGNUM *y, BN_CTX *);
367int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,
368 const BIGNUM *x, int y_bit, BN_CTX *);
369size_t ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
370 unsigned char *buf, size_t len, BN_CTX *);
371int ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *,
372 const unsigned char *buf, size_t len, BN_CTX *);
373int ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
374int ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
375int ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
376int ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
377int ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
378int ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
379int ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
380int ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
381int ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
382int ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
383int ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
384
385
386/* method functions in ec2_mult.c */
387int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
388 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
389int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
390int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index deb522060f..5af84376c6 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,6 +1,9 @@
1/* crypto/ec/ec_lib.c */ 1/* crypto/ec/ec_lib.c */
2/*
3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */
2/* ==================================================================== 5/* ====================================================================
3 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
4 * 7 *
5 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -52,6 +55,11 @@
52 * Hudson (tjh@cryptsoft.com). 55 * Hudson (tjh@cryptsoft.com).
53 * 56 *
54 */ 57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Binary polynomial ECC support in OpenSSL originally developed by
61 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
62 */
55 63
56#include <string.h> 64#include <string.h>
57 65
@@ -90,10 +98,18 @@ EC_GROUP *EC_GROUP_new(const EC_METHOD *meth)
90 ret->meth = meth; 98 ret->meth = meth;
91 99
92 ret->extra_data = NULL; 100 ret->extra_data = NULL;
93 ret->extra_data_dup_func = 0; 101
94 ret->extra_data_free_func = 0; 102 ret->generator = NULL;
95 ret->extra_data_clear_free_func = 0; 103 BN_init(&ret->order);
96 104 BN_init(&ret->cofactor);
105
106 ret->curve_name = 0;
107 ret->asn1_flag = 0;
108 ret->asn1_form = POINT_CONVERSION_UNCOMPRESSED;
109
110 ret->seed = NULL;
111 ret->seed_len = 0;
112
97 if (!meth->group_init(ret)) 113 if (!meth->group_init(ret))
98 { 114 {
99 OPENSSL_free(ret); 115 OPENSSL_free(ret);
@@ -111,7 +127,15 @@ void EC_GROUP_free(EC_GROUP *group)
111 if (group->meth->group_finish != 0) 127 if (group->meth->group_finish != 0)
112 group->meth->group_finish(group); 128 group->meth->group_finish(group);
113 129
114 EC_GROUP_free_extra_data(group); 130 EC_EX_DATA_free_all_data(&group->extra_data);
131
132 if (group->generator != NULL)
133 EC_POINT_free(group->generator);
134 BN_free(&group->order);
135 BN_free(&group->cofactor);
136
137 if (group->seed)
138 OPENSSL_free(group->seed);
115 139
116 OPENSSL_free(group); 140 OPENSSL_free(group);
117 } 141 }
@@ -123,10 +147,21 @@ void EC_GROUP_clear_free(EC_GROUP *group)
123 147
124 if (group->meth->group_clear_finish != 0) 148 if (group->meth->group_clear_finish != 0)
125 group->meth->group_clear_finish(group); 149 group->meth->group_clear_finish(group);
126 else if (group->meth != NULL && group->meth->group_finish != 0) 150 else if (group->meth->group_finish != 0)
127 group->meth->group_finish(group); 151 group->meth->group_finish(group);
128 152
129 EC_GROUP_clear_free_extra_data(group); 153 EC_EX_DATA_clear_free_all_data(&group->extra_data);
154
155 if (group->generator != NULL)
156 EC_POINT_clear_free(group->generator);
157 BN_clear_free(&group->order);
158 BN_clear_free(&group->cofactor);
159
160 if (group->seed)
161 {
162 OPENSSL_cleanse(group->seed, group->seed_len);
163 OPENSSL_free(group->seed);
164 }
130 165
131 OPENSSL_cleanse(group, sizeof *group); 166 OPENSSL_cleanse(group, sizeof *group);
132 OPENSSL_free(group); 167 OPENSSL_free(group);
@@ -135,6 +170,8 @@ void EC_GROUP_clear_free(EC_GROUP *group)
135 170
136int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) 171int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
137 { 172 {
173 EC_EXTRA_DATA *d;
174
138 if (dest->meth->group_copy == 0) 175 if (dest->meth->group_copy == 0)
139 { 176 {
140 ECerr(EC_F_EC_GROUP_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 177 ECerr(EC_F_EC_GROUP_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -148,161 +185,507 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
148 if (dest == src) 185 if (dest == src)
149 return 1; 186 return 1;
150 187
151 EC_GROUP_clear_free_extra_data(dest); 188 EC_EX_DATA_free_all_data(&dest->extra_data);
152 if (src->extra_data_dup_func) 189
190 for (d = src->extra_data; d != NULL; d = d->next)
153 { 191 {
154 if (src->extra_data != NULL) 192 void *t = d->dup_func(d->data);
193
194 if (t == NULL)
195 return 0;
196 if (!EC_EX_DATA_set_data(&dest->extra_data, t, d->dup_func, d->free_func, d->clear_free_func))
197 return 0;
198 }
199
200 if (src->generator != NULL)
201 {
202 if (dest->generator == NULL)
203 {
204 dest->generator = EC_POINT_new(dest);
205 if (dest->generator == NULL) return 0;
206 }
207 if (!EC_POINT_copy(dest->generator, src->generator)) return 0;
208 }
209 else
210 {
211 /* src->generator == NULL */
212 if (dest->generator != NULL)
155 { 213 {
156 dest->extra_data = src->extra_data_dup_func(src->extra_data); 214 EC_POINT_clear_free(dest->generator);
157 if (dest->extra_data == NULL) 215 dest->generator = NULL;
158 return 0;
159 } 216 }
217 }
218
219 if (!BN_copy(&dest->order, &src->order)) return 0;
220 if (!BN_copy(&dest->cofactor, &src->cofactor)) return 0;
160 221
161 dest->extra_data_dup_func = src->extra_data_dup_func; 222 dest->curve_name = src->curve_name;
162 dest->extra_data_free_func = src->extra_data_free_func; 223 dest->asn1_flag = src->asn1_flag;
163 dest->extra_data_clear_free_func = src->extra_data_clear_free_func; 224 dest->asn1_form = src->asn1_form;
225
226 if (src->seed)
227 {
228 if (dest->seed)
229 OPENSSL_free(dest->seed);
230 dest->seed = OPENSSL_malloc(src->seed_len);
231 if (dest->seed == NULL)
232 return 0;
233 if (!memcpy(dest->seed, src->seed, src->seed_len))
234 return 0;
235 dest->seed_len = src->seed_len;
236 }
237 else
238 {
239 if (dest->seed)
240 OPENSSL_free(dest->seed);
241 dest->seed = NULL;
242 dest->seed_len = 0;
164 } 243 }
244
165 245
166 return dest->meth->group_copy(dest, src); 246 return dest->meth->group_copy(dest, src);
167 } 247 }
168 248
169 249
250EC_GROUP *EC_GROUP_dup(const EC_GROUP *a)
251 {
252 EC_GROUP *t = NULL;
253 int ok = 0;
254
255 if (a == NULL) return NULL;
256
257 if ((t = EC_GROUP_new(a->meth)) == NULL) return(NULL);
258 if (!EC_GROUP_copy(t, a)) goto err;
259
260 ok = 1;
261
262 err:
263 if (!ok)
264 {
265 if (t) EC_GROUP_free(t);
266 return NULL;
267 }
268 else return t;
269 }
270
271
170const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group) 272const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group)
171 { 273 {
172 return group->meth; 274 return group->meth;
173 } 275 }
174 276
175 277
278int EC_METHOD_get_field_type(const EC_METHOD *meth)
279 {
280 return meth->field_type;
281 }
282
283
284int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor)
285 {
286 if (generator == NULL)
287 {
288 ECerr(EC_F_EC_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER);
289 return 0 ;
290 }
291
292 if (group->generator == NULL)
293 {
294 group->generator = EC_POINT_new(group);
295 if (group->generator == NULL) return 0;
296 }
297 if (!EC_POINT_copy(group->generator, generator)) return 0;
298
299 if (order != NULL)
300 { if (!BN_copy(&group->order, order)) return 0; }
301 else
302 BN_zero(&group->order);
303
304 if (cofactor != NULL)
305 { if (!BN_copy(&group->cofactor, cofactor)) return 0; }
306 else
307 BN_zero(&group->cofactor);
308
309 return 1;
310 }
311
312
313const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group)
314 {
315 return group->generator;
316 }
317
318
319int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
320 {
321 if (!BN_copy(order, &group->order))
322 return 0;
323
324 return !BN_is_zero(order);
325 }
326
327
328int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
329 {
330 if (!BN_copy(cofactor, &group->cofactor))
331 return 0;
332
333 return !BN_is_zero(&group->cofactor);
334 }
335
336
337void EC_GROUP_set_curve_name(EC_GROUP *group, int nid)
338 {
339 group->curve_name = nid;
340 }
341
342
343int EC_GROUP_get_curve_name(const EC_GROUP *group)
344 {
345 return group->curve_name;
346 }
347
348
349void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag)
350 {
351 group->asn1_flag = flag;
352 }
353
354
355int EC_GROUP_get_asn1_flag(const EC_GROUP *group)
356 {
357 return group->asn1_flag;
358 }
359
360
361void EC_GROUP_set_point_conversion_form(EC_GROUP *group,
362 point_conversion_form_t form)
363 {
364 group->asn1_form = form;
365 }
366
367
368point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *group)
369 {
370 return group->asn1_form;
371 }
372
373
374size_t EC_GROUP_set_seed(EC_GROUP *group, const unsigned char *p, size_t len)
375 {
376 if (group->seed)
377 {
378 OPENSSL_free(group->seed);
379 group->seed = NULL;
380 group->seed_len = 0;
381 }
382
383 if (!len || !p)
384 return 1;
385
386 if ((group->seed = OPENSSL_malloc(len)) == NULL)
387 return 0;
388 memcpy(group->seed, p, len);
389 group->seed_len = len;
390
391 return len;
392 }
393
394
395unsigned char *EC_GROUP_get0_seed(const EC_GROUP *group)
396 {
397 return group->seed;
398 }
399
400
401size_t EC_GROUP_get_seed_len(const EC_GROUP *group)
402 {
403 return group->seed_len;
404 }
405
406
176int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 407int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
177 { 408 {
178 if (group->meth->group_set_curve_GFp == 0) 409 if (group->meth->group_set_curve == 0)
179 { 410 {
180 ECerr(EC_F_EC_GROUP_SET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 411 ECerr(EC_F_EC_GROUP_SET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
181 return 0; 412 return 0;
182 } 413 }
183 return group->meth->group_set_curve_GFp(group, p, a, b, ctx); 414 return group->meth->group_set_curve(group, p, a, b, ctx);
184 } 415 }
185 416
186 417
187int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) 418int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
188 { 419 {
189 if (group->meth->group_get_curve_GFp == 0) 420 if (group->meth->group_get_curve == 0)
190 { 421 {
191 ECerr(EC_F_EC_GROUP_GET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 422 ECerr(EC_F_EC_GROUP_GET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
192 return 0; 423 return 0;
193 } 424 }
194 return group->meth->group_get_curve_GFp(group, p, a, b, ctx); 425 return group->meth->group_get_curve(group, p, a, b, ctx);
195 } 426 }
196 427
197 428
198int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor) 429int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
199 { 430 {
200 if (group->meth->group_set_generator == 0) 431 if (group->meth->group_set_curve == 0)
201 { 432 {
202 ECerr(EC_F_EC_GROUP_SET_GENERATOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 433 ECerr(EC_F_EC_GROUP_SET_CURVE_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
203 return 0; 434 return 0;
204 } 435 }
205 return group->meth->group_set_generator(group, generator, order, cofactor); 436 return group->meth->group_set_curve(group, p, a, b, ctx);
206 } 437 }
207 438
208 439
209EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) 440int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
210 { 441 {
211 if (group->meth->group_get0_generator == 0) 442 if (group->meth->group_get_curve == 0)
212 { 443 {
213 ECerr(EC_F_EC_GROUP_GET0_GENERATOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 444 ECerr(EC_F_EC_GROUP_GET_CURVE_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
214 return 0; 445 return 0;
215 } 446 }
216 return group->meth->group_get0_generator(group); 447 return group->meth->group_get_curve(group, p, a, b, ctx);
217 } 448 }
218 449
219 450
220int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) 451int EC_GROUP_get_degree(const EC_GROUP *group)
221 { 452 {
222 if (group->meth->group_get_order == 0) 453 if (group->meth->group_get_degree == 0)
223 { 454 {
224 ECerr(EC_F_EC_GROUP_GET_ORDER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 455 ECerr(EC_F_EC_GROUP_GET_DEGREE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
225 return 0; 456 return 0;
226 } 457 }
227 return group->meth->group_get_order(group, order, ctx); 458 return group->meth->group_get_degree(group);
228 } 459 }
229 460
230 461
231int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx) 462int EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
232 { 463 {
233 if (group->meth->group_get_cofactor == 0) 464 if (group->meth->group_check_discriminant == 0)
234 { 465 {
235 ECerr(EC_F_EC_GROUP_GET_COFACTOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 466 ECerr(EC_F_EC_GROUP_CHECK_DISCRIMINANT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
236 return 0; 467 return 0;
237 } 468 }
238 return group->meth->group_get_cofactor(group, cofactor, ctx); 469 return group->meth->group_check_discriminant(group, ctx);
239 } 470 }
240 471
241 472
242/* this has 'package' visibility */ 473int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx)
243int EC_GROUP_set_extra_data(EC_GROUP *group, void *extra_data, void *(*extra_data_dup_func)(void *),
244 void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *))
245 { 474 {
246 if ((group->extra_data != NULL) 475 int r = 0;
247 || (group->extra_data_dup_func != 0) 476 BIGNUM *a1, *a2, *a3, *b1, *b2, *b3;
248 || (group->extra_data_free_func != 0) 477 BN_CTX *ctx_new = NULL;
249 || (group->extra_data_clear_free_func != 0)) 478
250 { 479 /* compare the field types*/
251 ECerr(EC_F_EC_GROUP_SET_EXTRA_DATA, EC_R_SLOT_FULL); 480 if (EC_METHOD_get_field_type(EC_GROUP_method_of(a)) !=
481 EC_METHOD_get_field_type(EC_GROUP_method_of(b)))
482 return 1;
483 /* compare the curve name (if present) */
484 if (EC_GROUP_get_curve_name(a) && EC_GROUP_get_curve_name(b) &&
485 EC_GROUP_get_curve_name(a) == EC_GROUP_get_curve_name(b))
252 return 0; 486 return 0;
487
488 if (!ctx)
489 ctx_new = ctx = BN_CTX_new();
490 if (!ctx)
491 return -1;
492
493 BN_CTX_start(ctx);
494 a1 = BN_CTX_get(ctx);
495 a2 = BN_CTX_get(ctx);
496 a3 = BN_CTX_get(ctx);
497 b1 = BN_CTX_get(ctx);
498 b2 = BN_CTX_get(ctx);
499 b3 = BN_CTX_get(ctx);
500 if (!b3)
501 {
502 BN_CTX_end(ctx);
503 if (ctx_new)
504 BN_CTX_free(ctx);
505 return -1;
253 } 506 }
254 507
255 group->extra_data = extra_data; 508 /* XXX This approach assumes that the external representation
256 group->extra_data_dup_func = extra_data_dup_func; 509 * of curves over the same field type is the same.
257 group->extra_data_free_func = extra_data_free_func; 510 */
258 group->extra_data_clear_free_func = extra_data_clear_free_func; 511 if (!a->meth->group_get_curve(a, a1, a2, a3, ctx) ||
259 return 1; 512 !b->meth->group_get_curve(b, b1, b2, b3, ctx))
513 r = 1;
514
515 if (r || BN_cmp(a1, b1) || BN_cmp(a2, b2) || BN_cmp(a3, b3))
516 r = 1;
517
518 /* XXX EC_POINT_cmp() assumes that the methods are equal */
519 if (r || EC_POINT_cmp(a, EC_GROUP_get0_generator(a),
520 EC_GROUP_get0_generator(b), ctx))
521 r = 1;
522
523 if (!r)
524 {
525 /* compare the order and cofactor */
526 if (!EC_GROUP_get_order(a, a1, ctx) ||
527 !EC_GROUP_get_order(b, b1, ctx) ||
528 !EC_GROUP_get_cofactor(a, a2, ctx) ||
529 !EC_GROUP_get_cofactor(b, b2, ctx))
530 {
531 BN_CTX_end(ctx);
532 if (ctx_new)
533 BN_CTX_free(ctx);
534 return -1;
535 }
536 if (BN_cmp(a1, b1) || BN_cmp(a2, b2))
537 r = 1;
538 }
539
540 BN_CTX_end(ctx);
541 if (ctx_new)
542 BN_CTX_free(ctx);
543
544 return r;
260 } 545 }
261 546
262 547
263/* this has 'package' visibility */ 548/* this has 'package' visibility */
264void *EC_GROUP_get_extra_data(const EC_GROUP *group, void *(*extra_data_dup_func)(void *), 549int EC_EX_DATA_set_data(EC_EXTRA_DATA **ex_data, void *data,
265 void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *)) 550 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
266 { 551 {
267 if ((group->extra_data_dup_func != extra_data_dup_func) 552 EC_EXTRA_DATA *d;
268 || (group->extra_data_free_func != extra_data_free_func) 553
269 || (group->extra_data_clear_free_func != extra_data_clear_free_func)) 554 if (ex_data == NULL)
555 return 0;
556
557 for (d = *ex_data; d != NULL; d = d->next)
270 { 558 {
271#if 0 /* this was an error in 0.9.7, but that does not make a lot of sense */ 559 if (d->dup_func == dup_func && d->free_func == free_func && d->clear_free_func == clear_free_func)
272 ECerr(..._F_EC_GROUP_GET_EXTRA_DATA, ..._R_NO_SUCH_EXTRA_DATA); 560 {
273#endif 561 ECerr(EC_F_EC_EX_DATA_SET_DATA, EC_R_SLOT_FULL);
274 return NULL; 562 return 0;
563 }
275 } 564 }
276 565
277 return group->extra_data; 566 if (data == NULL)
567 /* no explicit entry needed */
568 return 1;
569
570 d = OPENSSL_malloc(sizeof *d);
571 if (d == NULL)
572 return 0;
573
574 d->data = data;
575 d->dup_func = dup_func;
576 d->free_func = free_func;
577 d->clear_free_func = clear_free_func;
578
579 d->next = *ex_data;
580 *ex_data = d;
581
582 return 1;
278 } 583 }
279 584
585/* this has 'package' visibility */
586void *EC_EX_DATA_get_data(const EC_EXTRA_DATA *ex_data,
587 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
588 {
589 const EC_EXTRA_DATA *d;
590
591 for (d = ex_data; d != NULL; d = d->next)
592 {
593 if (d->dup_func == dup_func && d->free_func == free_func && d->clear_free_func == clear_free_func)
594 return d->data;
595 }
596
597 return NULL;
598 }
280 599
281/* this has 'package' visibility */ 600/* this has 'package' visibility */
282void EC_GROUP_free_extra_data(EC_GROUP *group) 601void EC_EX_DATA_free_data(EC_EXTRA_DATA **ex_data,
602 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
283 { 603 {
284 if (group->extra_data_free_func) 604 EC_EXTRA_DATA **p;
285 group->extra_data_free_func(group->extra_data); 605
286 group->extra_data = NULL; 606 if (ex_data == NULL)
287 group->extra_data_dup_func = 0; 607 return;
288 group->extra_data_free_func = 0; 608
289 group->extra_data_clear_free_func = 0; 609 for (p = ex_data; *p != NULL; p = &((*p)->next))
610 {
611 if ((*p)->dup_func == dup_func && (*p)->free_func == free_func && (*p)->clear_free_func == clear_free_func)
612 {
613 EC_EXTRA_DATA *next = (*p)->next;
614
615 (*p)->free_func((*p)->data);
616 OPENSSL_free(*p);
617
618 *p = next;
619 return;
620 }
621 }
290 } 622 }
291 623
624/* this has 'package' visibility */
625void EC_EX_DATA_clear_free_data(EC_EXTRA_DATA **ex_data,
626 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
627 {
628 EC_EXTRA_DATA **p;
629
630 if (ex_data == NULL)
631 return;
632
633 for (p = ex_data; *p != NULL; p = &((*p)->next))
634 {
635 if ((*p)->dup_func == dup_func && (*p)->free_func == free_func && (*p)->clear_free_func == clear_free_func)
636 {
637 EC_EXTRA_DATA *next = (*p)->next;
638
639 (*p)->clear_free_func((*p)->data);
640 OPENSSL_free(*p);
641
642 *p = next;
643 return;
644 }
645 }
646 }
292 647
293/* this has 'package' visibility */ 648/* this has 'package' visibility */
294void EC_GROUP_clear_free_extra_data(EC_GROUP *group) 649void EC_EX_DATA_free_all_data(EC_EXTRA_DATA **ex_data)
295 { 650 {
296 if (group->extra_data_clear_free_func) 651 EC_EXTRA_DATA *d;
297 group->extra_data_clear_free_func(group->extra_data); 652
298 else if (group->extra_data_free_func) 653 if (ex_data == NULL)
299 group->extra_data_free_func(group->extra_data); 654 return;
300 group->extra_data = NULL; 655
301 group->extra_data_dup_func = 0; 656 d = *ex_data;
302 group->extra_data_free_func = 0; 657 while (d)
303 group->extra_data_clear_free_func = 0; 658 {
659 EC_EXTRA_DATA *next = d->next;
660
661 d->free_func(d->data);
662 OPENSSL_free(d);
663
664 d = next;
665 }
666 *ex_data = NULL;
304 } 667 }
305 668
669/* this has 'package' visibility */
670void EC_EX_DATA_clear_free_all_data(EC_EXTRA_DATA **ex_data)
671 {
672 EC_EXTRA_DATA *d;
673
674 if (ex_data == NULL)
675 return;
676
677 d = *ex_data;
678 while (d)
679 {
680 EC_EXTRA_DATA *next = d->next;
681
682 d->clear_free_func(d->data);
683 OPENSSL_free(d);
684
685 d = next;
686 }
687 *ex_data = NULL;
688 }
306 689
307 690
308/* functions for EC_POINT objects */ 691/* functions for EC_POINT objects */
@@ -382,6 +765,25 @@ int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src)
382 } 765 }
383 766
384 767
768EC_POINT *EC_POINT_dup(const EC_POINT *a, const EC_GROUP *group)
769 {
770 EC_POINT *t;
771 int r;
772
773 if (a == NULL) return NULL;
774
775 t = EC_POINT_new(group);
776 if (t == NULL) return(NULL);
777 r = EC_POINT_copy(t, a);
778 if (!r)
779 {
780 EC_POINT_free(t);
781 return NULL;
782 }
783 else return t;
784 }
785
786
385const EC_METHOD *EC_POINT_method_of(const EC_POINT *point) 787const EC_METHOD *EC_POINT_method_of(const EC_POINT *point)
386 { 788 {
387 return point->meth; 789 return point->meth;
@@ -441,7 +843,7 @@ int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POI
441int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, 843int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
442 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) 844 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
443 { 845 {
444 if (group->meth->point_set_affine_coordinates_GFp == 0) 846 if (group->meth->point_set_affine_coordinates == 0)
445 { 847 {
446 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 848 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
447 return 0; 849 return 0;
@@ -451,14 +853,31 @@ int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
451 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); 853 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
452 return 0; 854 return 0;
453 } 855 }
454 return group->meth->point_set_affine_coordinates_GFp(group, point, x, y, ctx); 856 return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
857 }
858
859
860int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
861 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
862 {
863 if (group->meth->point_set_affine_coordinates == 0)
864 {
865 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
866 return 0;
867 }
868 if (group->meth != point->meth)
869 {
870 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS);
871 return 0;
872 }
873 return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
455 } 874 }
456 875
457 876
458int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point, 877int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
459 BIGNUM *x, BIGNUM *y, BN_CTX *ctx) 878 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
460 { 879 {
461 if (group->meth->point_get_affine_coordinates_GFp == 0) 880 if (group->meth->point_get_affine_coordinates == 0)
462 { 881 {
463 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 882 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
464 return 0; 883 return 0;
@@ -468,14 +887,31 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *p
468 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); 887 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
469 return 0; 888 return 0;
470 } 889 }
471 return group->meth->point_get_affine_coordinates_GFp(group, point, x, y, ctx); 890 return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
891 }
892
893
894int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, const EC_POINT *point,
895 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
896 {
897 if (group->meth->point_get_affine_coordinates == 0)
898 {
899 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
900 return 0;
901 }
902 if (group->meth != point->meth)
903 {
904 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS);
905 return 0;
906 }
907 return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
472 } 908 }
473 909
474 910
475int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, 911int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
476 const BIGNUM *x, int y_bit, BN_CTX *ctx) 912 const BIGNUM *x, int y_bit, BN_CTX *ctx)
477 { 913 {
478 if (group->meth->point_set_compressed_coordinates_GFp == 0) 914 if (group->meth->point_set_compressed_coordinates == 0)
479 { 915 {
480 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 916 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
481 return 0; 917 return 0;
@@ -485,7 +921,24 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *poi
485 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); 921 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
486 return 0; 922 return 0;
487 } 923 }
488 return group->meth->point_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx); 924 return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx);
925 }
926
927
928int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
929 const BIGNUM *x, int y_bit, BN_CTX *ctx)
930 {
931 if (group->meth->point_set_compressed_coordinates == 0)
932 {
933 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
934 return 0;
935 }
936 if (group->meth != point->meth)
937 {
938 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS);
939 return 0;
940 }
941 return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx);
489 } 942 }
490 943
491 944
@@ -559,12 +1012,12 @@ int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx)
559 { 1012 {
560 if (group->meth->dbl == 0) 1013 if (group->meth->dbl == 0)
561 { 1014 {
562 ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1015 ECerr(EC_F_EC_POINT_INVERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
563 return 0; 1016 return 0;
564 } 1017 }
565 if (group->meth != a->meth) 1018 if (group->meth != a->meth)
566 { 1019 {
567 ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS); 1020 ECerr(EC_F_EC_POINT_INVERT, EC_R_INCOMPATIBLE_OBJECTS);
568 return 0; 1021 return 0;
569 } 1022 }
570 return group->meth->invert(group, a, ctx); 1023 return group->meth->invert(group, a, ctx);
@@ -654,3 +1107,58 @@ int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
654 } 1107 }
655 return group->meth->points_make_affine(group, num, points, ctx); 1108 return group->meth->points_make_affine(group, num, points, ctx);
656 } 1109 }
1110
1111
1112/* Functions for point multiplication.
1113 *
1114 * If group->meth->mul is 0, we use the wNAF-based implementations in ec_mult.c;
1115 * otherwise we dispatch through methods.
1116 */
1117
1118int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
1119 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
1120 {
1121 if (group->meth->mul == 0)
1122 /* use default */
1123 return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
1124
1125 return group->meth->mul(group, r, scalar, num, points, scalars, ctx);
1126 }
1127
1128int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
1129 const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx)
1130 {
1131 /* just a convenient interface to EC_POINTs_mul() */
1132
1133 const EC_POINT *points[1];
1134 const BIGNUM *scalars[1];
1135
1136 points[0] = point;
1137 scalars[0] = p_scalar;
1138
1139 return EC_POINTs_mul(group, r, g_scalar, (point != NULL && p_scalar != NULL), points, scalars, ctx);
1140 }
1141
1142int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
1143 {
1144 if (group->meth->mul == 0)
1145 /* use default */
1146 return ec_wNAF_precompute_mult(group, ctx);
1147
1148 if (group->meth->precompute_mult != 0)
1149 return group->meth->precompute_mult(group, ctx);
1150 else
1151 return 1; /* nothing to do, so report success */
1152 }
1153
1154int EC_GROUP_have_precompute_mult(const EC_GROUP *group)
1155 {
1156 if (group->meth->mul == 0)
1157 /* use default */
1158 return ec_wNAF_have_precompute_mult(group);
1159
1160 if (group->meth->have_precompute_mult != 0)
1161 return group->meth->have_precompute_mult(group);
1162 else
1163 return 0; /* cannot tell whether precomputation has been performed */
1164 }
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 16822a73cf..2ba173ef36 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,6 +1,9 @@
1/* crypto/ec/ec_mult.c */ 1/* crypto/ec/ec_mult.c */
2/*
3 * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
4 */
2/* ==================================================================== 5/* ====================================================================
3 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
4 * 7 *
5 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -52,41 +55,161 @@
52 * Hudson (tjh@cryptsoft.com). 55 * Hudson (tjh@cryptsoft.com).
53 * 56 *
54 */ 57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Portions of this software developed by SUN MICROSYSTEMS, INC.,
61 * and contributed to the OpenSSL project.
62 */
63
64#include <string.h>
55 65
56#include <openssl/err.h> 66#include <openssl/err.h>
57 67
58#include "ec_lcl.h" 68#include "ec_lcl.h"
59 69
60 70
61/* TODO: optional precomputation of multiples of the generator */ 71/*
72 * This file implements the wNAF-based interleaving multi-exponentation method
73 * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp>);
74 * for multiplication with precomputation, we use wNAF splitting
75 * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#fastexp>).
76 */
62 77
63 78
64 79
65/* 80
66 * wNAF-based interleaving multi-exponentation method 81/* structure for precomputed multiples of the generator */
67 * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp>) 82typedef struct ec_pre_comp_st {
68 */ 83 const EC_GROUP *group; /* parent EC_GROUP object */
84 size_t blocksize; /* block size for wNAF splitting */
85 size_t numblocks; /* max. number of blocks for which we have precomputation */
86 size_t w; /* window size */
87 EC_POINT **points; /* array with pre-calculated multiples of generator:
88 * 'num' pointers to EC_POINT objects followed by a NULL */
89 size_t num; /* numblocks * 2^(w-1) */
90 int references;
91} EC_PRE_COMP;
92
93/* functions to manage EC_PRE_COMP within the EC_GROUP extra_data framework */
94static void *ec_pre_comp_dup(void *);
95static void ec_pre_comp_free(void *);
96static void ec_pre_comp_clear_free(void *);
97
98static EC_PRE_COMP *ec_pre_comp_new(const EC_GROUP *group)
99 {
100 EC_PRE_COMP *ret = NULL;
101
102 if (!group)
103 return NULL;
104
105 ret = (EC_PRE_COMP *)OPENSSL_malloc(sizeof(EC_PRE_COMP));
106 if (!ret)
107 {
108 ECerr(EC_F_EC_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
109 return ret;
110 }
111 ret->group = group;
112 ret->blocksize = 8; /* default */
113 ret->numblocks = 0;
114 ret->w = 4; /* default */
115 ret->points = NULL;
116 ret->num = 0;
117 ret->references = 1;
118 return ret;
119 }
120
121static void *ec_pre_comp_dup(void *src_)
122 {
123 EC_PRE_COMP *src = src_;
124
125 /* no need to actually copy, these objects never change! */
126
127 CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP);
128
129 return src_;
130 }
131
132static void ec_pre_comp_free(void *pre_)
133 {
134 int i;
135 EC_PRE_COMP *pre = pre_;
136
137 if (!pre)
138 return;
139
140 i = CRYPTO_add(&pre->references, -1, CRYPTO_LOCK_EC_PRE_COMP);
141 if (i > 0)
142 return;
143
144 if (pre->points)
145 {
146 EC_POINT **p;
147
148 for (p = pre->points; *p != NULL; p++)
149 EC_POINT_free(*p);
150 OPENSSL_free(pre->points);
151 }
152 OPENSSL_free(pre);
153 }
154
155static void ec_pre_comp_clear_free(void *pre_)
156 {
157 int i;
158 EC_PRE_COMP *pre = pre_;
159
160 if (!pre)
161 return;
162
163 i = CRYPTO_add(&pre->references, -1, CRYPTO_LOCK_EC_PRE_COMP);
164 if (i > 0)
165 return;
166
167 if (pre->points)
168 {
169 EC_POINT **p;
170
171 for (p = pre->points; *p != NULL; p++)
172 EC_POINT_clear_free(*p);
173 OPENSSL_cleanse(pre->points, sizeof pre->points);
174 OPENSSL_free(pre->points);
175 }
176 OPENSSL_cleanse(pre, sizeof pre);
177 OPENSSL_free(pre);
178 }
179
69 180
70 181
71/* Determine the width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'. 182
183/* Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
72 * This is an array r[] of values that are either zero or odd with an 184 * This is an array r[] of values that are either zero or odd with an
73 * absolute value less than 2^w satisfying 185 * absolute value less than 2^w satisfying
74 * scalar = \sum_j r[j]*2^j 186 * scalar = \sum_j r[j]*2^j
75 * where at most one of any w+1 consecutive digits is non-zero. 187 * where at most one of any w+1 consecutive digits is non-zero
188 * with the exception that the most significant digit may be only
189 * w-1 zeros away from that next non-zero digit.
76 */ 190 */
77static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, BN_CTX *ctx) 191static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
78 { 192 {
79 BIGNUM *c; 193 int window_val;
80 int ok = 0; 194 int ok = 0;
81 signed char *r = NULL; 195 signed char *r = NULL;
82 int sign = 1; 196 int sign = 1;
83 int bit, next_bit, mask; 197 int bit, next_bit, mask;
84 size_t len = 0, j; 198 size_t len = 0, j;
85 199
86 BN_CTX_start(ctx); 200 if (BN_is_zero(scalar))
87 c = BN_CTX_get(ctx); 201 {
88 if (c == NULL) goto err; 202 r = OPENSSL_malloc(1);
89 203 if (!r)
204 {
205 ECerr(EC_F_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE);
206 goto err;
207 }
208 r[0] = 0;
209 *ret_len = 1;
210 return r;
211 }
212
90 if (w <= 0 || w > 7) /* 'signed char' can represent integers with absolute values less than 2^7 */ 213 if (w <= 0 || w > 7) /* 'signed char' can represent integers with absolute values less than 2^7 */
91 { 214 {
92 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR); 215 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
@@ -96,60 +219,90 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, B
96 next_bit = bit << 1; /* at most 256 */ 219 next_bit = bit << 1; /* at most 256 */
97 mask = next_bit - 1; /* at most 255 */ 220 mask = next_bit - 1; /* at most 255 */
98 221
99 if (!BN_copy(c, scalar)) goto err; 222 if (BN_is_negative(scalar))
100 if (c->neg)
101 { 223 {
102 sign = -1; 224 sign = -1;
103 c->neg = 0;
104 } 225 }
105 226
106 len = BN_num_bits(c) + 1; /* wNAF may be one digit longer than binary representation */ 227 len = BN_num_bits(scalar);
107 r = OPENSSL_malloc(len); 228 r = OPENSSL_malloc(len + 1); /* modified wNAF may be one digit longer than binary representation
108 if (r == NULL) goto err; 229 * (*ret_len will be set to the actual length, i.e. at most
230 * BN_num_bits(scalar) + 1) */
231 if (r == NULL)
232 {
233 ECerr(EC_F_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE);
234 goto err;
235 }
109 236
237 if (scalar->d == NULL || scalar->top == 0)
238 {
239 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
240 goto err;
241 }
242 window_val = scalar->d[0] & mask;
110 j = 0; 243 j = 0;
111 while (!BN_is_zero(c)) 244 while ((window_val != 0) || (j + w + 1 < len)) /* if j+w+1 >= len, window_val will not increase */
112 { 245 {
113 int u = 0; 246 int digit = 0;
114 247
115 if (BN_is_odd(c)) 248 /* 0 <= window_val <= 2^(w+1) */
249
250 if (window_val & 1)
116 { 251 {
117 if (c->d == NULL || c->top == 0) 252 /* 0 < window_val < 2^(w+1) */
253
254 if (window_val & bit)
118 { 255 {
119 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR); 256 digit = window_val - next_bit; /* -2^w < digit < 0 */
120 goto err; 257
258#if 1 /* modified wNAF */
259 if (j + w + 1 >= len)
260 {
261 /* special case for generating modified wNAFs:
262 * no new bits will be added into window_val,
263 * so using a positive digit here will decrease
264 * the total length of the representation */
265
266 digit = window_val & (mask >> 1); /* 0 < digit < 2^w */
267 }
268#endif
121 } 269 }
122 u = c->d[0] & mask; 270 else
123 if (u & bit)
124 { 271 {
125 u -= next_bit; 272 digit = window_val; /* 0 < digit < 2^w */
126 /* u < 0 */
127 if (!BN_add_word(c, -u)) goto err;
128 } 273 }
129 else 274
275 if (digit <= -bit || digit >= bit || !(digit & 1))
130 { 276 {
131 /* u > 0 */ 277 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
132 if (!BN_sub_word(c, u)) goto err; 278 goto err;
133 } 279 }
134 280
135 if (u <= -bit || u >= bit || !(u & 1) || c->neg) 281 window_val -= digit;
282
283 /* now window_val is 0 or 2^(w+1) in standard wNAF generation;
284 * for modified window NAFs, it may also be 2^w
285 */
286 if (window_val != 0 && window_val != next_bit && window_val != bit)
136 { 287 {
137 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR); 288 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
138 goto err; 289 goto err;
139 } 290 }
140 } 291 }
141 292
142 r[j++] = sign * u; 293 r[j++] = sign * digit;
143 294
144 if (BN_is_odd(c)) 295 window_val >>= 1;
296 window_val += bit * BN_is_bit_set(scalar, j + w);
297
298 if (window_val > next_bit)
145 { 299 {
146 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR); 300 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
147 goto err; 301 goto err;
148 } 302 }
149 if (!BN_rshift1(c, c)) goto err;
150 } 303 }
151 304
152 if (j > len) 305 if (j > len + 1)
153 { 306 {
154 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR); 307 ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
155 goto err; 308 goto err;
@@ -158,7 +311,6 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, B
158 ok = 1; 311 ok = 1;
159 312
160 err: 313 err:
161 BN_CTX_end(ctx);
162 if (!ok) 314 if (!ok)
163 { 315 {
164 OPENSSL_free(r); 316 OPENSSL_free(r);
@@ -181,7 +333,7 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, B
181 (b) >= 300 ? 4 : \ 333 (b) >= 300 ? 4 : \
182 (b) >= 70 ? 3 : \ 334 (b) >= 70 ? 3 : \
183 (b) >= 20 ? 2 : \ 335 (b) >= 20 ? 2 : \
184 1)) 336 1))
185 337
186/* Compute 338/* Compute
187 * \sum scalars[i]*points[i], 339 * \sum scalars[i]*points[i],
@@ -189,13 +341,15 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, B
189 * scalar*generator 341 * scalar*generator
190 * in the addition if scalar != NULL 342 * in the addition if scalar != NULL
191 */ 343 */
192int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, 344int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
193 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) 345 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
194 { 346 {
195 BN_CTX *new_ctx = NULL; 347 BN_CTX *new_ctx = NULL;
196 EC_POINT *generator = NULL; 348 const EC_POINT *generator = NULL;
197 EC_POINT *tmp = NULL; 349 EC_POINT *tmp = NULL;
198 size_t totalnum; 350 size_t totalnum;
351 size_t blocksize = 0, numblocks = 0; /* for wNAF splitting */
352 size_t pre_points_per_block = 0;
199 size_t i, j; 353 size_t i, j;
200 int k; 354 int k;
201 int r_is_inverted = 0; 355 int r_is_inverted = 0;
@@ -207,12 +361,15 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
207 size_t num_val; 361 size_t num_val;
208 EC_POINT **val = NULL; /* precomputation */ 362 EC_POINT **val = NULL; /* precomputation */
209 EC_POINT **v; 363 EC_POINT **v;
210 EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' */ 364 EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' or 'pre_comp->points' */
365 const EC_PRE_COMP *pre_comp = NULL;
366 int num_scalar = 0; /* flag: will be set to 1 if 'scalar' must be treated like other scalars,
367 * i.e. precomputation is not available */
211 int ret = 0; 368 int ret = 0;
212 369
213 if (group->meth != r->meth) 370 if (group->meth != r->meth)
214 { 371 {
215 ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); 372 ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
216 return 0; 373 return 0;
217 } 374 }
218 375
@@ -221,59 +378,226 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
221 return EC_POINT_set_to_infinity(group, r); 378 return EC_POINT_set_to_infinity(group, r);
222 } 379 }
223 380
224 if (scalar != NULL) 381 for (i = 0; i < num; i++)
225 { 382 {
226 generator = EC_GROUP_get0_generator(group); 383 if (group->meth != points[i]->meth)
227 if (generator == NULL)
228 { 384 {
229 ECerr(EC_F_EC_POINTS_MUL, EC_R_UNDEFINED_GENERATOR); 385 ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
230 return 0; 386 return 0;
231 } 387 }
232 } 388 }
233 389
234 for (i = 0; i < num; i++) 390 if (ctx == NULL)
235 { 391 {
236 if (group->meth != points[i]->meth) 392 ctx = new_ctx = BN_CTX_new();
393 if (ctx == NULL)
394 goto err;
395 }
396
397 if (scalar != NULL)
398 {
399 generator = EC_GROUP_get0_generator(group);
400 if (generator == NULL)
237 { 401 {
238 ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); 402 ECerr(EC_F_EC_WNAF_MUL, EC_R_UNDEFINED_GENERATOR);
239 return 0; 403 goto err;
240 } 404 }
241 } 405
406 /* look if we can use precomputed multiples of generator */
407
408 pre_comp = EC_EX_DATA_get_data(group->extra_data, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free);
409
410 if (pre_comp && pre_comp->numblocks && (EC_POINT_cmp(group, generator, pre_comp->points[0], ctx) == 0))
411 {
412 blocksize = pre_comp->blocksize;
242 413
243 totalnum = num + (scalar != NULL); 414 /* determine maximum number of blocks that wNAF splitting may yield
415 * (NB: maximum wNAF length is bit length plus one) */
416 numblocks = (BN_num_bits(scalar) / blocksize) + 1;
244 417
245 wsize = OPENSSL_malloc(totalnum * sizeof wsize[0]); 418 /* we cannot use more blocks than we have precomputation for */
419 if (numblocks > pre_comp->numblocks)
420 numblocks = pre_comp->numblocks;
421
422 pre_points_per_block = 1u << (pre_comp->w - 1);
423
424 /* check that pre_comp looks sane */
425 if (pre_comp->num != (pre_comp->numblocks * pre_points_per_block))
426 {
427 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
428 goto err;
429 }
430 }
431 else
432 {
433 /* can't use precomputation */
434 pre_comp = NULL;
435 numblocks = 1;
436 num_scalar = 1; /* treat 'scalar' like 'num'-th element of 'scalars' */
437 }
438 }
439
440 totalnum = num + numblocks;
441
442 wsize = OPENSSL_malloc(totalnum * sizeof wsize[0]);
246 wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]); 443 wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]);
247 wNAF = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]); 444 wNAF = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]); /* includes space for pivot */
248 if (wNAF != NULL) 445 val_sub = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
446
447 if (!wsize || !wNAF_len || !wNAF || !val_sub)
249 { 448 {
250 wNAF[0] = NULL; /* preliminary pivot */ 449 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
450 goto err;
251 } 451 }
252 if (wsize == NULL || wNAF_len == NULL || wNAF == NULL) goto err;
253 452
254 /* num_val := total number of points to precompute */ 453 wNAF[0] = NULL; /* preliminary pivot */
454
455 /* num_val will be the total number of temporarily precomputed points */
255 num_val = 0; 456 num_val = 0;
256 for (i = 0; i < totalnum; i++) 457
458 for (i = 0; i < num + num_scalar; i++)
257 { 459 {
258 size_t bits; 460 size_t bits;
259 461
260 bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar); 462 bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
261 wsize[i] = EC_window_bits_for_scalar_size(bits); 463 wsize[i] = EC_window_bits_for_scalar_size(bits);
262 num_val += 1u << (wsize[i] - 1); 464 num_val += 1u << (wsize[i] - 1);
465 wNAF[i + 1] = NULL; /* make sure we always have a pivot */
466 wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]);
467 if (wNAF[i] == NULL)
468 goto err;
469 if (wNAF_len[i] > max_len)
470 max_len = wNAF_len[i];
471 }
472
473 if (numblocks)
474 {
475 /* we go here iff scalar != NULL */
476
477 if (pre_comp == NULL)
478 {
479 if (num_scalar != 1)
480 {
481 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
482 goto err;
483 }
484 /* we have already generated a wNAF for 'scalar' */
485 }
486 else
487 {
488 signed char *tmp_wNAF = NULL;
489 size_t tmp_len = 0;
490
491 if (num_scalar != 0)
492 {
493 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
494 goto err;
495 }
496
497 /* use the window size for which we have precomputation */
498 wsize[num] = pre_comp->w;
499 tmp_wNAF = compute_wNAF(scalar, wsize[num], &tmp_len);
500 if (!tmp_wNAF)
501 goto err;
502
503 if (tmp_len <= max_len)
504 {
505 /* One of the other wNAFs is at least as long
506 * as the wNAF belonging to the generator,
507 * so wNAF splitting will not buy us anything. */
508
509 numblocks = 1;
510 totalnum = num + 1; /* don't use wNAF splitting */
511 wNAF[num] = tmp_wNAF;
512 wNAF[num + 1] = NULL;
513 wNAF_len[num] = tmp_len;
514 if (tmp_len > max_len)
515 max_len = tmp_len;
516 /* pre_comp->points starts with the points that we need here: */
517 val_sub[num] = pre_comp->points;
518 }
519 else
520 {
521 /* don't include tmp_wNAF directly into wNAF array
522 * - use wNAF splitting and include the blocks */
523
524 signed char *pp;
525 EC_POINT **tmp_points;
526
527 if (tmp_len < numblocks * blocksize)
528 {
529 /* possibly we can do with fewer blocks than estimated */
530 numblocks = (tmp_len + blocksize - 1) / blocksize;
531 if (numblocks > pre_comp->numblocks)
532 {
533 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
534 goto err;
535 }
536 totalnum = num + numblocks;
537 }
538
539 /* split wNAF in 'numblocks' parts */
540 pp = tmp_wNAF;
541 tmp_points = pre_comp->points;
542
543 for (i = num; i < totalnum; i++)
544 {
545 if (i < totalnum - 1)
546 {
547 wNAF_len[i] = blocksize;
548 if (tmp_len < blocksize)
549 {
550 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
551 goto err;
552 }
553 tmp_len -= blocksize;
554 }
555 else
556 /* last block gets whatever is left
557 * (this could be more or less than 'blocksize'!) */
558 wNAF_len[i] = tmp_len;
559
560 wNAF[i + 1] = NULL;
561 wNAF[i] = OPENSSL_malloc(wNAF_len[i]);
562 if (wNAF[i] == NULL)
563 {
564 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
565 OPENSSL_free(tmp_wNAF);
566 goto err;
567 }
568 memcpy(wNAF[i], pp, wNAF_len[i]);
569 if (wNAF_len[i] > max_len)
570 max_len = wNAF_len[i];
571
572 if (*tmp_points == NULL)
573 {
574 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
575 OPENSSL_free(tmp_wNAF);
576 goto err;
577 }
578 val_sub[i] = tmp_points;
579 tmp_points += pre_points_per_block;
580 pp += blocksize;
581 }
582 OPENSSL_free(tmp_wNAF);
583 }
584 }
263 } 585 }
264 586
265 /* all precomputed points go into a single array 'val', 587 /* All points we precompute now go into a single array 'val'.
266 * 'val_sub[i]' is a pointer to the subarray for the i-th point */ 588 * 'val_sub[i]' is a pointer to the subarray for the i-th point,
589 * or to a subarray of 'pre_comp->points' if we already have precomputation. */
267 val = OPENSSL_malloc((num_val + 1) * sizeof val[0]); 590 val = OPENSSL_malloc((num_val + 1) * sizeof val[0]);
268 if (val == NULL) goto err; 591 if (val == NULL)
592 {
593 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
594 goto err;
595 }
269 val[num_val] = NULL; /* pivot element */ 596 val[num_val] = NULL; /* pivot element */
270 597
271 val_sub = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
272 if (val_sub == NULL) goto err;
273
274 /* allocate points for precomputation */ 598 /* allocate points for precomputation */
275 v = val; 599 v = val;
276 for (i = 0; i < totalnum; i++) 600 for (i = 0; i < num + num_scalar; i++)
277 { 601 {
278 val_sub[i] = v; 602 val_sub[i] = v;
279 for (j = 0; j < (1u << (wsize[i] - 1)); j++) 603 for (j = 0; j < (1u << (wsize[i] - 1)); j++)
@@ -285,19 +609,12 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
285 } 609 }
286 if (!(v == val + num_val)) 610 if (!(v == val + num_val))
287 { 611 {
288 ECerr(EC_F_EC_POINTS_MUL, ERR_R_INTERNAL_ERROR); 612 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
289 goto err; 613 goto err;
290 } 614 }
291 615
292 if (ctx == NULL) 616 if (!(tmp = EC_POINT_new(group)))
293 { 617 goto err;
294 ctx = new_ctx = BN_CTX_new();
295 if (ctx == NULL)
296 goto err;
297 }
298
299 tmp = EC_POINT_new(group);
300 if (tmp == NULL) goto err;
301 618
302 /* prepare precomputed values: 619 /* prepare precomputed values:
303 * val_sub[i][0] := points[i] 620 * val_sub[i][0] := points[i]
@@ -305,7 +622,7 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
305 * val_sub[i][2] := 5 * points[i] 622 * val_sub[i][2] := 5 * points[i]
306 * ... 623 * ...
307 */ 624 */
308 for (i = 0; i < totalnum; i++) 625 for (i = 0; i < num + num_scalar; i++)
309 { 626 {
310 if (i < num) 627 if (i < num)
311 { 628 {
@@ -324,16 +641,11 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
324 if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) goto err; 641 if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) goto err;
325 } 642 }
326 } 643 }
327
328 wNAF[i + 1] = NULL; /* make sure we always have a pivot */
329 wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i], ctx);
330 if (wNAF[i] == NULL) goto err;
331 if (wNAF_len[i] > max_len)
332 max_len = wNAF_len[i];
333 } 644 }
334 645
335#if 1 /* optional; EC_window_bits_for_scalar_size assumes we do this step */ 646#if 1 /* optional; EC_window_bits_for_scalar_size assumes we do this step */
336 if (!EC_POINTs_make_affine(group, num_val, val, ctx)) goto err; 647 if (!EC_POINTs_make_affine(group, num_val, val, ctx))
648 goto err;
337#endif 649#endif
338 650
339 r_is_at_infinity = 1; 651 r_is_at_infinity = 1;
@@ -429,57 +741,198 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
429 } 741 }
430 742
431 743
432int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx) 744/* ec_wNAF_precompute_mult()
433 { 745 * creates an EC_PRE_COMP object with preprecomputed multiples of the generator
434 const EC_POINT *points[1]; 746 * for use with wNAF splitting as implemented in ec_wNAF_mul().
435 const BIGNUM *scalars[1]; 747 *
436 748 * 'pre_comp->points' is an array of multiples of the generator
437 points[0] = point; 749 * of the following form:
438 scalars[0] = p_scalar; 750 * points[0] = generator;
439 751 * points[1] = 3 * generator;
440 return EC_POINTs_mul(group, r, g_scalar, (point != NULL && p_scalar != NULL), points, scalars, ctx); 752 * ...
441 } 753 * points[2^(w-1)-1] = (2^(w-1)-1) * generator;
442 754 * points[2^(w-1)] = 2^blocksize * generator;
443 755 * points[2^(w-1)+1] = 3 * 2^blocksize * generator;
444int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx) 756 * ...
757 * points[2^(w-1)*(numblocks-1)-1] = (2^(w-1)) * 2^(blocksize*(numblocks-2)) * generator
758 * points[2^(w-1)*(numblocks-1)] = 2^(blocksize*(numblocks-1)) * generator
759 * ...
760 * points[2^(w-1)*numblocks-1] = (2^(w-1)) * 2^(blocksize*(numblocks-1)) * generator
761 * points[2^(w-1)*numblocks] = NULL
762 */
763int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
445 { 764 {
446 const EC_POINT *generator; 765 const EC_POINT *generator;
766 EC_POINT *tmp_point = NULL, *base = NULL, **var;
447 BN_CTX *new_ctx = NULL; 767 BN_CTX *new_ctx = NULL;
448 BIGNUM *order; 768 BIGNUM *order;
769 size_t i, bits, w, pre_points_per_block, blocksize, numblocks, num;
770 EC_POINT **points = NULL;
771 EC_PRE_COMP *pre_comp;
449 int ret = 0; 772 int ret = 0;
450 773
774 /* if there is an old EC_PRE_COMP object, throw it away */
775 EC_EX_DATA_free_data(&group->extra_data, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free);
776
777 if ((pre_comp = ec_pre_comp_new(group)) == NULL)
778 return 0;
779
451 generator = EC_GROUP_get0_generator(group); 780 generator = EC_GROUP_get0_generator(group);
452 if (generator == NULL) 781 if (generator == NULL)
453 { 782 {
454 ECerr(EC_F_EC_GROUP_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR); 783 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR);
455 return 0; 784 goto err;
456 } 785 }
457 786
458 if (ctx == NULL) 787 if (ctx == NULL)
459 { 788 {
460 ctx = new_ctx = BN_CTX_new(); 789 ctx = new_ctx = BN_CTX_new();
461 if (ctx == NULL) 790 if (ctx == NULL)
462 return 0; 791 goto err;
463 } 792 }
464 793
465 BN_CTX_start(ctx); 794 BN_CTX_start(ctx);
466 order = BN_CTX_get(ctx); 795 order = BN_CTX_get(ctx);
467 if (order == NULL) goto err; 796 if (order == NULL) goto err;
468 797
469 if (!EC_GROUP_get_order(group, order, ctx)) return 0; 798 if (!EC_GROUP_get_order(group, order, ctx)) goto err;
470 if (BN_is_zero(order)) 799 if (BN_is_zero(order))
471 { 800 {
472 ECerr(EC_F_EC_GROUP_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER); 801 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER);
473 goto err; 802 goto err;
474 } 803 }
475 804
476 /* TODO */ 805 bits = BN_num_bits(order);
806 /* The following parameters mean we precompute (approximately)
807 * one point per bit.
808 *
809 * TBD: The combination 8, 4 is perfect for 160 bits; for other
810 * bit lengths, other parameter combinations might provide better
811 * efficiency.
812 */
813 blocksize = 8;
814 w = 4;
815 if (EC_window_bits_for_scalar_size(bits) > w)
816 {
817 /* let's not make the window too small ... */
818 w = EC_window_bits_for_scalar_size(bits);
819 }
820
821 numblocks = (bits + blocksize - 1) / blocksize; /* max. number of blocks to use for wNAF splitting */
822
823 pre_points_per_block = 1u << (w - 1);
824 num = pre_points_per_block * numblocks; /* number of points to compute and store */
477 825
478 ret = 1; 826 points = OPENSSL_malloc(sizeof (EC_POINT*)*(num + 1));
827 if (!points)
828 {
829 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE);
830 goto err;
831 }
832
833 var = points;
834 var[num] = NULL; /* pivot */
835 for (i = 0; i < num; i++)
836 {
837 if ((var[i] = EC_POINT_new(group)) == NULL)
838 {
839 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE);
840 goto err;
841 }
842 }
843
844 if (!(tmp_point = EC_POINT_new(group)) || !(base = EC_POINT_new(group)))
845 {
846 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE);
847 goto err;
848 }
849
850 if (!EC_POINT_copy(base, generator))
851 goto err;
852
853 /* do the precomputation */
854 for (i = 0; i < numblocks; i++)
855 {
856 size_t j;
857
858 if (!EC_POINT_dbl(group, tmp_point, base, ctx))
859 goto err;
860
861 if (!EC_POINT_copy(*var++, base))
862 goto err;
863
864 for (j = 1; j < pre_points_per_block; j++, var++)
865 {
866 /* calculate odd multiples of the current base point */
867 if (!EC_POINT_add(group, *var, tmp_point, *(var - 1), ctx))
868 goto err;
869 }
870
871 if (i < numblocks - 1)
872 {
873 /* get the next base (multiply current one by 2^blocksize) */
874 size_t k;
875
876 if (blocksize <= 2)
877 {
878 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_INTERNAL_ERROR);
879 goto err;
880 }
881
882 if (!EC_POINT_dbl(group, base, tmp_point, ctx))
883 goto err;
884 for (k = 2; k < blocksize; k++)
885 {
886 if (!EC_POINT_dbl(group,base,base,ctx))
887 goto err;
888 }
889 }
890 }
891
892 if (!EC_POINTs_make_affine(group, num, points, ctx))
893 goto err;
479 894
895 pre_comp->group = group;
896 pre_comp->blocksize = blocksize;
897 pre_comp->numblocks = numblocks;
898 pre_comp->w = w;
899 pre_comp->points = points;
900 points = NULL;
901 pre_comp->num = num;
902
903 if (!EC_EX_DATA_set_data(&group->extra_data, pre_comp,
904 ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free))
905 goto err;
906 pre_comp = NULL;
907
908 ret = 1;
480 err: 909 err:
481 BN_CTX_end(ctx); 910 if (ctx != NULL)
911 BN_CTX_end(ctx);
482 if (new_ctx != NULL) 912 if (new_ctx != NULL)
483 BN_CTX_free(new_ctx); 913 BN_CTX_free(new_ctx);
914 if (pre_comp)
915 ec_pre_comp_free(pre_comp);
916 if (points)
917 {
918 EC_POINT **p;
919
920 for (p = points; *p != NULL; p++)
921 EC_POINT_free(*p);
922 OPENSSL_free(points);
923 }
924 if (tmp_point)
925 EC_POINT_free(tmp_point);
926 if (base)
927 EC_POINT_free(base);
484 return ret; 928 return ret;
485 } 929 }
930
931
932int ec_wNAF_have_precompute_mult(const EC_GROUP *group)
933 {
934 if (EC_EX_DATA_get_data(group->extra_data, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free) != NULL)
935 return 1;
936 else
937 return 0;
938 }
diff --git a/src/lib/libcrypto/ec/ec_print.c b/src/lib/libcrypto/ec/ec_print.c
new file mode 100644
index 0000000000..f7c8a303ac
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_print.c
@@ -0,0 +1,195 @@
1/* crypto/ec/ec_print.c */
2/* ====================================================================
3 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56#include <openssl/crypto.h>
57#include "ec_lcl.h"
58
59BIGNUM *EC_POINT_point2bn(const EC_GROUP *group,
60 const EC_POINT *point,
61 point_conversion_form_t form,
62 BIGNUM *ret,
63 BN_CTX *ctx)
64 {
65 size_t buf_len=0;
66 unsigned char *buf;
67
68 buf_len = EC_POINT_point2oct(group, point, form,
69 NULL, 0, ctx);
70 if (buf_len == 0)
71 return NULL;
72
73 if ((buf = OPENSSL_malloc(buf_len)) == NULL)
74 return NULL;
75
76 if (!EC_POINT_point2oct(group, point, form, buf, buf_len, ctx))
77 {
78 OPENSSL_free(buf);
79 return NULL;
80 }
81
82 ret = BN_bin2bn(buf, buf_len, ret);
83
84 OPENSSL_free(buf);
85
86 return ret;
87}
88
89EC_POINT *EC_POINT_bn2point(const EC_GROUP *group,
90 const BIGNUM *bn,
91 EC_POINT *point,
92 BN_CTX *ctx)
93 {
94 size_t buf_len=0;
95 unsigned char *buf;
96 EC_POINT *ret;
97
98 if ((buf_len = BN_num_bytes(bn)) == 0) return NULL;
99 buf = OPENSSL_malloc(buf_len);
100 if (buf == NULL)
101 return NULL;
102
103 if (!BN_bn2bin(bn, buf))
104 {
105 OPENSSL_free(buf);
106 return NULL;
107 }
108
109 if (point == NULL)
110 {
111 if ((ret = EC_POINT_new(group)) == NULL)
112 {
113 OPENSSL_free(buf);
114 return NULL;
115 }
116 }
117 else
118 ret = point;
119
120 if (!EC_POINT_oct2point(group, ret, buf, buf_len, ctx))
121 {
122 if (point == NULL)
123 EC_POINT_clear_free(ret);
124 OPENSSL_free(buf);
125 return NULL;
126 }
127
128 OPENSSL_free(buf);
129 return ret;
130 }
131
132static const char *HEX_DIGITS = "0123456789ABCDEF";
133
134/* the return value must be freed (using OPENSSL_free()) */
135char *EC_POINT_point2hex(const EC_GROUP *group,
136 const EC_POINT *point,
137 point_conversion_form_t form,
138 BN_CTX *ctx)
139 {
140 char *ret, *p;
141 size_t buf_len=0,i;
142 unsigned char *buf, *pbuf;
143
144 buf_len = EC_POINT_point2oct(group, point, form,
145 NULL, 0, ctx);
146 if (buf_len == 0)
147 return NULL;
148
149 if ((buf = OPENSSL_malloc(buf_len)) == NULL)
150 return NULL;
151
152 if (!EC_POINT_point2oct(group, point, form, buf, buf_len, ctx))
153 {
154 OPENSSL_free(buf);
155 return NULL;
156 }
157
158 ret = (char *)OPENSSL_malloc(buf_len*2+2);
159 if (ret == NULL)
160 {
161 OPENSSL_free(buf);
162 return NULL;
163 }
164 p = ret;
165 pbuf = buf;
166 for (i=buf_len; i > 0; i--)
167 {
168 int v = (int) *(pbuf++);
169 *(p++)=HEX_DIGITS[v>>4];
170 *(p++)=HEX_DIGITS[v&0x0F];
171 }
172 *p='\0';
173
174 OPENSSL_free(buf);
175
176 return ret;
177 }
178
179EC_POINT *EC_POINT_hex2point(const EC_GROUP *group,
180 const char *buf,
181 EC_POINT *point,
182 BN_CTX *ctx)
183 {
184 EC_POINT *ret=NULL;
185 BIGNUM *tmp_bn=NULL;
186
187 if (!BN_hex2bn(&tmp_bn, buf))
188 return NULL;
189
190 ret = EC_POINT_bn2point(group, tmp_bn, point, ctx);
191
192 BN_clear_free(tmp_bn);
193
194 return ret;
195 }
diff --git a/src/lib/libcrypto/ec/ecp_mont.c b/src/lib/libcrypto/ec/ecp_mont.c
index 7b30d4c38a..9fc4a466a5 100644
--- a/src/lib/libcrypto/ec/ecp_mont.c
+++ b/src/lib/libcrypto/ec/ecp_mont.c
@@ -1,4 +1,7 @@
1/* crypto/ec/ecp_mont.c */ 1/* crypto/ec/ecp_mont.c */
2/*
3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */
2/* ==================================================================== 5/* ====================================================================
3 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
4 * 7 *
@@ -52,6 +55,11 @@
52 * Hudson (tjh@cryptsoft.com). 55 * Hudson (tjh@cryptsoft.com).
53 * 56 *
54 */ 57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Portions of this software developed by SUN MICROSYSTEMS, INC.,
61 * and contributed to the OpenSSL project.
62 */
55 63
56#include <openssl/err.h> 64#include <openssl/err.h>
57 65
@@ -61,16 +69,15 @@
61const EC_METHOD *EC_GFp_mont_method(void) 69const EC_METHOD *EC_GFp_mont_method(void)
62 { 70 {
63 static const EC_METHOD ret = { 71 static const EC_METHOD ret = {
72 NID_X9_62_prime_field,
64 ec_GFp_mont_group_init, 73 ec_GFp_mont_group_init,
65 ec_GFp_mont_group_finish, 74 ec_GFp_mont_group_finish,
66 ec_GFp_mont_group_clear_finish, 75 ec_GFp_mont_group_clear_finish,
67 ec_GFp_mont_group_copy, 76 ec_GFp_mont_group_copy,
68 ec_GFp_mont_group_set_curve_GFp, 77 ec_GFp_mont_group_set_curve,
69 ec_GFp_simple_group_get_curve_GFp, 78 ec_GFp_simple_group_get_curve,
70 ec_GFp_simple_group_set_generator, 79 ec_GFp_simple_group_get_degree,
71 ec_GFp_simple_group_get0_generator, 80 ec_GFp_simple_group_check_discriminant,
72 ec_GFp_simple_group_get_order,
73 ec_GFp_simple_group_get_cofactor,
74 ec_GFp_simple_point_init, 81 ec_GFp_simple_point_init,
75 ec_GFp_simple_point_finish, 82 ec_GFp_simple_point_finish,
76 ec_GFp_simple_point_clear_finish, 83 ec_GFp_simple_point_clear_finish,
@@ -78,9 +85,9 @@ const EC_METHOD *EC_GFp_mont_method(void)
78 ec_GFp_simple_point_set_to_infinity, 85 ec_GFp_simple_point_set_to_infinity,
79 ec_GFp_simple_set_Jprojective_coordinates_GFp, 86 ec_GFp_simple_set_Jprojective_coordinates_GFp,
80 ec_GFp_simple_get_Jprojective_coordinates_GFp, 87 ec_GFp_simple_get_Jprojective_coordinates_GFp,
81 ec_GFp_simple_point_set_affine_coordinates_GFp, 88 ec_GFp_simple_point_set_affine_coordinates,
82 ec_GFp_simple_point_get_affine_coordinates_GFp, 89 ec_GFp_simple_point_get_affine_coordinates,
83 ec_GFp_simple_set_compressed_coordinates_GFp, 90 ec_GFp_simple_set_compressed_coordinates,
84 ec_GFp_simple_point2oct, 91 ec_GFp_simple_point2oct,
85 ec_GFp_simple_oct2point, 92 ec_GFp_simple_oct2point,
86 ec_GFp_simple_add, 93 ec_GFp_simple_add,
@@ -91,8 +98,12 @@ const EC_METHOD *EC_GFp_mont_method(void)
91 ec_GFp_simple_cmp, 98 ec_GFp_simple_cmp,
92 ec_GFp_simple_make_affine, 99 ec_GFp_simple_make_affine,
93 ec_GFp_simple_points_make_affine, 100 ec_GFp_simple_points_make_affine,
101 0 /* mul */,
102 0 /* precompute_mult */,
103 0 /* have_precompute_mult */,
94 ec_GFp_mont_field_mul, 104 ec_GFp_mont_field_mul,
95 ec_GFp_mont_field_sqr, 105 ec_GFp_mont_field_sqr,
106 0 /* field_div */,
96 ec_GFp_mont_field_encode, 107 ec_GFp_mont_field_encode,
97 ec_GFp_mont_field_decode, 108 ec_GFp_mont_field_decode,
98 ec_GFp_mont_field_set_to_one }; 109 ec_GFp_mont_field_set_to_one };
@@ -112,66 +123,6 @@ int ec_GFp_mont_group_init(EC_GROUP *group)
112 } 123 }
113 124
114 125
115int ec_GFp_mont_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
116 {
117 BN_CTX *new_ctx = NULL;
118 BN_MONT_CTX *mont = NULL;
119 BIGNUM *one = NULL;
120 int ret = 0;
121
122 if (group->field_data1 != NULL)
123 {
124 BN_MONT_CTX_free(group->field_data1);
125 group->field_data1 = NULL;
126 }
127 if (group->field_data2 != NULL)
128 {
129 BN_free(group->field_data2);
130 group->field_data2 = NULL;
131 }
132
133 if (ctx == NULL)
134 {
135 ctx = new_ctx = BN_CTX_new();
136 if (ctx == NULL)
137 return 0;
138 }
139
140 mont = BN_MONT_CTX_new();
141 if (mont == NULL) goto err;
142 if (!BN_MONT_CTX_set(mont, p, ctx))
143 {
144 ECerr(EC_F_GFP_MONT_GROUP_SET_CURVE_GFP, ERR_R_BN_LIB);
145 goto err;
146 }
147 one = BN_new();
148 if (one == NULL) goto err;
149 if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) goto err;
150
151 group->field_data1 = mont;
152 mont = NULL;
153 group->field_data2 = one;
154 one = NULL;
155
156 ret = ec_GFp_simple_group_set_curve_GFp(group, p, a, b, ctx);
157
158 if (!ret)
159 {
160 BN_MONT_CTX_free(group->field_data1);
161 group->field_data1 = NULL;
162 BN_free(group->field_data2);
163 group->field_data2 = NULL;
164 }
165
166 err:
167 if (new_ctx != NULL)
168 BN_CTX_free(new_ctx);
169 if (mont != NULL)
170 BN_MONT_CTX_free(mont);
171 return ret;
172 }
173
174
175void ec_GFp_mont_group_finish(EC_GROUP *group) 126void ec_GFp_mont_group_finish(EC_GROUP *group)
176 { 127 {
177 if (group->field_data1 != NULL) 128 if (group->field_data1 != NULL)
@@ -243,6 +194,66 @@ int ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src)
243 } 194 }
244 195
245 196
197int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
198 {
199 BN_CTX *new_ctx = NULL;
200 BN_MONT_CTX *mont = NULL;
201 BIGNUM *one = NULL;
202 int ret = 0;
203
204 if (group->field_data1 != NULL)
205 {
206 BN_MONT_CTX_free(group->field_data1);
207 group->field_data1 = NULL;
208 }
209 if (group->field_data2 != NULL)
210 {
211 BN_free(group->field_data2);
212 group->field_data2 = NULL;
213 }
214
215 if (ctx == NULL)
216 {
217 ctx = new_ctx = BN_CTX_new();
218 if (ctx == NULL)
219 return 0;
220 }
221
222 mont = BN_MONT_CTX_new();
223 if (mont == NULL) goto err;
224 if (!BN_MONT_CTX_set(mont, p, ctx))
225 {
226 ECerr(EC_F_EC_GFP_MONT_GROUP_SET_CURVE, ERR_R_BN_LIB);
227 goto err;
228 }
229 one = BN_new();
230 if (one == NULL) goto err;
231 if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) goto err;
232
233 group->field_data1 = mont;
234 mont = NULL;
235 group->field_data2 = one;
236 one = NULL;
237
238 ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
239
240 if (!ret)
241 {
242 BN_MONT_CTX_free(group->field_data1);
243 group->field_data1 = NULL;
244 BN_free(group->field_data2);
245 group->field_data2 = NULL;
246 }
247
248 err:
249 if (new_ctx != NULL)
250 BN_CTX_free(new_ctx);
251 if (mont != NULL)
252 BN_MONT_CTX_free(mont);
253 return ret;
254 }
255
256
246int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 257int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
247 { 258 {
248 if (group->field_data1 == NULL) 259 if (group->field_data1 == NULL)
@@ -295,7 +306,7 @@ int ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, BN_CTX *ctx)
295 { 306 {
296 if (group->field_data2 == NULL) 307 if (group->field_data2 == NULL)
297 { 308 {
298 ECerr(EC_F_EC_GFP_MONT_FIELD_DECODE, EC_R_NOT_INITIALIZED); 309 ECerr(EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE, EC_R_NOT_INITIALIZED);
299 return 0; 310 return 0;
300 } 311 }
301 312
diff --git a/src/lib/libcrypto/ec/ecp_nist.c b/src/lib/libcrypto/ec/ecp_nist.c
index ed07748675..71893d5eab 100644
--- a/src/lib/libcrypto/ec/ecp_nist.c
+++ b/src/lib/libcrypto/ec/ecp_nist.c
@@ -1,6 +1,9 @@
1/* crypto/ec/ecp_nist.c */ 1/* crypto/ec/ecp_nist.c */
2/*
3 * Written by Nils Larsch for the OpenSSL project.
4 */
2/* ==================================================================== 5/* ====================================================================
3 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
4 * 7 *
5 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -52,23 +55,30 @@
52 * Hudson (tjh@cryptsoft.com). 55 * Hudson (tjh@cryptsoft.com).
53 * 56 *
54 */ 57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Portions of this software developed by SUN MICROSYSTEMS, INC.,
61 * and contributed to the OpenSSL project.
62 */
55 63
64#include <limits.h>
65
66#include <openssl/err.h>
67#include <openssl/obj_mac.h>
56#include "ec_lcl.h" 68#include "ec_lcl.h"
57 69
58#if 0
59const EC_METHOD *EC_GFp_nist_method(void) 70const EC_METHOD *EC_GFp_nist_method(void)
60 { 71 {
61 static const EC_METHOD ret = { 72 static const EC_METHOD ret = {
62 ec_GFp_nist_group_init, 73 NID_X9_62_prime_field,
63 ec_GFp_nist_group_finish, 74 ec_GFp_simple_group_init,
64 ec_GFp_nist_group_clear_finish, 75 ec_GFp_simple_group_finish,
76 ec_GFp_simple_group_clear_finish,
65 ec_GFp_nist_group_copy, 77 ec_GFp_nist_group_copy,
66 ec_GFp_nist_group_set_curve_GFp, 78 ec_GFp_nist_group_set_curve,
67 ec_GFp_simple_group_get_curve_GFp, 79 ec_GFp_simple_group_get_curve,
68 ec_GFp_simple_group_set_generator, 80 ec_GFp_simple_group_get_degree,
69 ec_GFp_simple_group_get0_generator, 81 ec_GFp_simple_group_check_discriminant,
70 ec_GFp_simple_group_get_order,
71 ec_GFp_simple_group_get_cofactor,
72 ec_GFp_simple_point_init, 82 ec_GFp_simple_point_init,
73 ec_GFp_simple_point_finish, 83 ec_GFp_simple_point_finish,
74 ec_GFp_simple_point_clear_finish, 84 ec_GFp_simple_point_clear_finish,
@@ -76,9 +86,9 @@ const EC_METHOD *EC_GFp_nist_method(void)
76 ec_GFp_simple_point_set_to_infinity, 86 ec_GFp_simple_point_set_to_infinity,
77 ec_GFp_simple_set_Jprojective_coordinates_GFp, 87 ec_GFp_simple_set_Jprojective_coordinates_GFp,
78 ec_GFp_simple_get_Jprojective_coordinates_GFp, 88 ec_GFp_simple_get_Jprojective_coordinates_GFp,
79 ec_GFp_simple_point_set_affine_coordinates_GFp, 89 ec_GFp_simple_point_set_affine_coordinates,
80 ec_GFp_simple_point_get_affine_coordinates_GFp, 90 ec_GFp_simple_point_get_affine_coordinates,
81 ec_GFp_simple_set_compressed_coordinates_GFp, 91 ec_GFp_simple_set_compressed_coordinates,
82 ec_GFp_simple_point2oct, 92 ec_GFp_simple_point2oct,
83 ec_GFp_simple_oct2point, 93 ec_GFp_simple_oct2point,
84 ec_GFp_simple_add, 94 ec_GFp_simple_add,
@@ -89,46 +99,138 @@ const EC_METHOD *EC_GFp_nist_method(void)
89 ec_GFp_simple_cmp, 99 ec_GFp_simple_cmp,
90 ec_GFp_simple_make_affine, 100 ec_GFp_simple_make_affine,
91 ec_GFp_simple_points_make_affine, 101 ec_GFp_simple_points_make_affine,
102 0 /* mul */,
103 0 /* precompute_mult */,
104 0 /* have_precompute_mult */,
92 ec_GFp_nist_field_mul, 105 ec_GFp_nist_field_mul,
93 ec_GFp_nist_field_sqr, 106 ec_GFp_nist_field_sqr,
107 0 /* field_div */,
94 0 /* field_encode */, 108 0 /* field_encode */,
95 0 /* field_decode */, 109 0 /* field_decode */,
96 0 /* field_set_to_one */ }; 110 0 /* field_set_to_one */ };
97 111
98 return &ret; 112 return &ret;
99 } 113 }
100#endif
101 114
115#if BN_BITS2 == 64
116#define NO_32_BIT_TYPE
117#endif
102 118
103int ec_GFp_nist_group_init(EC_GROUP *group) 119int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src)
104 { 120 {
105 int ok; 121 dest->field_mod_func = src->field_mod_func;
106 122
107 ok = ec_GFp_simple_group_init(group); 123 return ec_GFp_simple_group_copy(dest, src);
108 group->field_data1 = NULL;
109 return ok;
110 } 124 }
111 125
112 126int ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p,
113int ec_GFp_nist_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); 127 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
114/* TODO */ 128 {
115 129 int ret = 0;
116 130 BN_CTX *new_ctx = NULL;
117void ec_GFp_nist_group_finish(EC_GROUP *group); 131 BIGNUM *tmp_bn;
118/* TODO */ 132
119 133 if (ctx == NULL)
120 134 if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0;
121void ec_GFp_nist_group_clear_finish(EC_GROUP *group); 135
122/* TODO */ 136 BN_CTX_start(ctx);
123 137 if ((tmp_bn = BN_CTX_get(ctx)) == NULL) goto err;
124 138
125int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src); 139 if (BN_ucmp(BN_get0_nist_prime_192(), p) == 0)
126/* TODO */ 140 group->field_mod_func = BN_nist_mod_192;
141 else if (BN_ucmp(BN_get0_nist_prime_224(), p) == 0)
142 {
143#ifndef NO_32_BIT_TYPE
144 group->field_mod_func = BN_nist_mod_224;
145#else
146 ECerr(EC_F_EC_GFP_NIST_GROUP_SET_CURVE, EC_R_NOT_A_SUPPORTED_NIST_PRIME);
147 goto err;
148#endif
149 }
150 else if (BN_ucmp(BN_get0_nist_prime_256(), p) == 0)
151 {
152#ifndef NO_32_BIT_TYPE
153 group->field_mod_func = BN_nist_mod_256;
154#else
155 ECerr(EC_F_EC_GFP_NIST_GROUP_SET_CURVE, EC_R_NOT_A_SUPPORTED_NIST_PRIME);
156 goto err;
157#endif
158 }
159 else if (BN_ucmp(BN_get0_nist_prime_384(), p) == 0)
160 {
161#ifndef NO_32_BIT_TYPE
162 group->field_mod_func = BN_nist_mod_384;
163#else
164 ECerr(EC_F_EC_GFP_NIST_GROUP_SET_CURVE, EC_R_NOT_A_SUPPORTED_NIST_PRIME);
165 goto err;
166#endif
167 }
168 else if (BN_ucmp(BN_get0_nist_prime_521(), p) == 0)
169 /* this one works in the NO_32_BIT_TYPE case */
170 group->field_mod_func = BN_nist_mod_521;
171 else
172 {
173 ECerr(EC_F_EC_GFP_NIST_GROUP_SET_CURVE, EC_R_NOT_A_NIST_PRIME);
174 goto err;
175 }
176
177 ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
178
179 err:
180 BN_CTX_end(ctx);
181 if (new_ctx != NULL)
182 BN_CTX_free(new_ctx);
183 return ret;
184 }
127 185
128 186
129int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); 187int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
130/* TODO */ 188 const BIGNUM *b, BN_CTX *ctx)
189 {
190 int ret=0;
191 BN_CTX *ctx_new=NULL;
192
193 if (!group || !r || !a || !b)
194 {
195 ECerr(EC_F_EC_GFP_NIST_FIELD_MUL, ERR_R_PASSED_NULL_PARAMETER);
196 goto err;
197 }
198 if (!ctx)
199 if ((ctx_new = ctx = BN_CTX_new()) == NULL) goto err;
200
201 if (!BN_mul(r, a, b, ctx)) goto err;
202 if (!group->field_mod_func(r, r, &group->field, ctx))
203 goto err;
204
205 ret=1;
206err:
207 if (ctx_new)
208 BN_CTX_free(ctx_new);
209 return ret;
210 }
131 211
132 212
133int ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); 213int ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
134/* TODO */ 214 BN_CTX *ctx)
215 {
216 int ret=0;
217 BN_CTX *ctx_new=NULL;
218
219 if (!group || !r || !a)
220 {
221 ECerr(EC_F_EC_GFP_NIST_FIELD_SQR, EC_R_PASSED_NULL_PARAMETER);
222 goto err;
223 }
224 if (!ctx)
225 if ((ctx_new = ctx = BN_CTX_new()) == NULL) goto err;
226
227 if (!BN_sqr(r, a, ctx)) goto err;
228 if (!group->field_mod_func(r, r, &group->field, ctx))
229 goto err;
230
231 ret=1;
232err:
233 if (ctx_new)
234 BN_CTX_free(ctx_new);
235 return ret;
236 }
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index e9a51fb87a..4d26f8bdf6 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,8 +1,10 @@
1/* crypto/ec/ecp_smpl.c */ 1/* crypto/ec/ecp_smpl.c */
2/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de> 2/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3 * for the OpenSSL project. */ 3 * for the OpenSSL project.
4 * Includes code written by Bodo Moeller for the OpenSSL project.
5*/
4/* ==================================================================== 6/* ====================================================================
5 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 7 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
6 * 8 *
7 * Redistribution and use in source and binary forms, with or without 9 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions 10 * modification, are permitted provided that the following conditions
@@ -54,25 +56,29 @@
54 * Hudson (tjh@cryptsoft.com). 56 * Hudson (tjh@cryptsoft.com).
55 * 57 *
56 */ 58 */
59/* ====================================================================
60 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61 * Portions of this software developed by SUN MICROSYSTEMS, INC.,
62 * and contributed to the OpenSSL project.
63 */
57 64
58#include <openssl/err.h> 65#include <openssl/err.h>
66#include <openssl/symhacks.h>
59 67
60#include "ec_lcl.h" 68#include "ec_lcl.h"
61 69
62
63const EC_METHOD *EC_GFp_simple_method(void) 70const EC_METHOD *EC_GFp_simple_method(void)
64 { 71 {
65 static const EC_METHOD ret = { 72 static const EC_METHOD ret = {
73 NID_X9_62_prime_field,
66 ec_GFp_simple_group_init, 74 ec_GFp_simple_group_init,
67 ec_GFp_simple_group_finish, 75 ec_GFp_simple_group_finish,
68 ec_GFp_simple_group_clear_finish, 76 ec_GFp_simple_group_clear_finish,
69 ec_GFp_simple_group_copy, 77 ec_GFp_simple_group_copy,
70 ec_GFp_simple_group_set_curve_GFp, 78 ec_GFp_simple_group_set_curve,
71 ec_GFp_simple_group_get_curve_GFp, 79 ec_GFp_simple_group_get_curve,
72 ec_GFp_simple_group_set_generator, 80 ec_GFp_simple_group_get_degree,
73 ec_GFp_simple_group_get0_generator, 81 ec_GFp_simple_group_check_discriminant,
74 ec_GFp_simple_group_get_order,
75 ec_GFp_simple_group_get_cofactor,
76 ec_GFp_simple_point_init, 82 ec_GFp_simple_point_init,
77 ec_GFp_simple_point_finish, 83 ec_GFp_simple_point_finish,
78 ec_GFp_simple_point_clear_finish, 84 ec_GFp_simple_point_clear_finish,
@@ -80,9 +86,9 @@ const EC_METHOD *EC_GFp_simple_method(void)
80 ec_GFp_simple_point_set_to_infinity, 86 ec_GFp_simple_point_set_to_infinity,
81 ec_GFp_simple_set_Jprojective_coordinates_GFp, 87 ec_GFp_simple_set_Jprojective_coordinates_GFp,
82 ec_GFp_simple_get_Jprojective_coordinates_GFp, 88 ec_GFp_simple_get_Jprojective_coordinates_GFp,
83 ec_GFp_simple_point_set_affine_coordinates_GFp, 89 ec_GFp_simple_point_set_affine_coordinates,
84 ec_GFp_simple_point_get_affine_coordinates_GFp, 90 ec_GFp_simple_point_get_affine_coordinates,
85 ec_GFp_simple_set_compressed_coordinates_GFp, 91 ec_GFp_simple_set_compressed_coordinates,
86 ec_GFp_simple_point2oct, 92 ec_GFp_simple_point2oct,
87 ec_GFp_simple_oct2point, 93 ec_GFp_simple_oct2point,
88 ec_GFp_simple_add, 94 ec_GFp_simple_add,
@@ -93,8 +99,12 @@ const EC_METHOD *EC_GFp_simple_method(void)
93 ec_GFp_simple_cmp, 99 ec_GFp_simple_cmp,
94 ec_GFp_simple_make_affine, 100 ec_GFp_simple_make_affine,
95 ec_GFp_simple_points_make_affine, 101 ec_GFp_simple_points_make_affine,
102 0 /* mul */,
103 0 /* precompute_mult */,
104 0 /* have_precompute_mult */,
96 ec_GFp_simple_field_mul, 105 ec_GFp_simple_field_mul,
97 ec_GFp_simple_field_sqr, 106 ec_GFp_simple_field_sqr,
107 0 /* field_div */,
98 0 /* field_encode */, 108 0 /* field_encode */,
99 0 /* field_decode */, 109 0 /* field_decode */,
100 0 /* field_set_to_one */ }; 110 0 /* field_set_to_one */ };
@@ -103,15 +113,26 @@ const EC_METHOD *EC_GFp_simple_method(void)
103 } 113 }
104 114
105 115
116/* Most method functions in this file are designed to work with
117 * non-trivial representations of field elements if necessary
118 * (see ecp_mont.c): while standard modular addition and subtraction
119 * are used, the field_mul and field_sqr methods will be used for
120 * multiplication, and field_encode and field_decode (if defined)
121 * will be used for converting between representations.
122
123 * Functions ec_GFp_simple_points_make_affine() and
124 * ec_GFp_simple_point_get_affine_coordinates() specifically assume
125 * that if a non-trivial representation is used, it is a Montgomery
126 * representation (i.e. 'encoding' means multiplying by some factor R).
127 */
128
129
106int ec_GFp_simple_group_init(EC_GROUP *group) 130int ec_GFp_simple_group_init(EC_GROUP *group)
107 { 131 {
108 BN_init(&group->field); 132 BN_init(&group->field);
109 BN_init(&group->a); 133 BN_init(&group->a);
110 BN_init(&group->b); 134 BN_init(&group->b);
111 group->a_is_minus3 = 0; 135 group->a_is_minus3 = 0;
112 group->generator = NULL;
113 BN_init(&group->order);
114 BN_init(&group->cofactor);
115 return 1; 136 return 1;
116 } 137 }
117 138
@@ -121,10 +142,6 @@ void ec_GFp_simple_group_finish(EC_GROUP *group)
121 BN_free(&group->field); 142 BN_free(&group->field);
122 BN_free(&group->a); 143 BN_free(&group->a);
123 BN_free(&group->b); 144 BN_free(&group->b);
124 if (group->generator != NULL)
125 EC_POINT_free(group->generator);
126 BN_free(&group->order);
127 BN_free(&group->cofactor);
128 } 145 }
129 146
130 147
@@ -133,13 +150,6 @@ void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
133 BN_clear_free(&group->field); 150 BN_clear_free(&group->field);
134 BN_clear_free(&group->a); 151 BN_clear_free(&group->a);
135 BN_clear_free(&group->b); 152 BN_clear_free(&group->b);
136 if (group->generator != NULL)
137 {
138 EC_POINT_clear_free(group->generator);
139 group->generator = NULL;
140 }
141 BN_clear_free(&group->order);
142 BN_clear_free(&group->cofactor);
143 } 153 }
144 154
145 155
@@ -151,33 +161,11 @@ int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
151 161
152 dest->a_is_minus3 = src->a_is_minus3; 162 dest->a_is_minus3 = src->a_is_minus3;
153 163
154 if (src->generator != NULL)
155 {
156 if (dest->generator == NULL)
157 {
158 dest->generator = EC_POINT_new(dest);
159 if (dest->generator == NULL) return 0;
160 }
161 if (!EC_POINT_copy(dest->generator, src->generator)) return 0;
162 }
163 else
164 {
165 /* src->generator == NULL */
166 if (dest->generator != NULL)
167 {
168 EC_POINT_clear_free(dest->generator);
169 dest->generator = NULL;
170 }
171 }
172
173 if (!BN_copy(&dest->order, &src->order)) return 0;
174 if (!BN_copy(&dest->cofactor, &src->cofactor)) return 0;
175
176 return 1; 164 return 1;
177 } 165 }
178 166
179 167
180int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group, 168int ec_GFp_simple_group_set_curve(EC_GROUP *group,
181 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 169 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
182 { 170 {
183 int ret = 0; 171 int ret = 0;
@@ -187,7 +175,7 @@ int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
187 /* p must be a prime > 3 */ 175 /* p must be a prime > 3 */
188 if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) 176 if (BN_num_bits(p) <= 2 || !BN_is_odd(p))
189 { 177 {
190 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP, EC_R_INVALID_FIELD); 178 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD);
191 return 0; 179 return 0;
192 } 180 }
193 181
@@ -204,7 +192,7 @@ int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
204 192
205 /* group->field */ 193 /* group->field */
206 if (!BN_copy(&group->field, p)) goto err; 194 if (!BN_copy(&group->field, p)) goto err;
207 group->field.neg = 0; 195 BN_set_negative(&group->field, 0);
208 196
209 /* group->a */ 197 /* group->a */
210 if (!BN_nnmod(tmp_a, a, p, ctx)) goto err; 198 if (!BN_nnmod(tmp_a, a, p, ctx)) goto err;
@@ -232,7 +220,7 @@ int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
232 } 220 }
233 221
234 222
235int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) 223int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
236 { 224 {
237 int ret = 0; 225 int ret = 0;
238 BN_CTX *new_ctx = NULL; 226 BN_CTX *new_ctx = NULL;
@@ -283,58 +271,76 @@ int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *
283 } 271 }
284 272
285 273
274int ec_GFp_simple_group_get_degree(const EC_GROUP *group)
275 {
276 return BN_num_bits(&group->field);
277 }
278
286 279
287int ec_GFp_simple_group_set_generator(EC_GROUP *group, const EC_POINT *generator, 280int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
288 const BIGNUM *order, const BIGNUM *cofactor)
289 { 281 {
290 if (generator == NULL) 282 int ret = 0;
283 BIGNUM *a,*b,*order,*tmp_1,*tmp_2;
284 const BIGNUM *p = &group->field;
285 BN_CTX *new_ctx = NULL;
286
287 if (ctx == NULL)
291 { 288 {
292 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER); 289 ctx = new_ctx = BN_CTX_new();
293 return 0 ; 290 if (ctx == NULL)
291 {
292 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE);
293 goto err;
294 }
294 } 295 }
296 BN_CTX_start(ctx);
297 a = BN_CTX_get(ctx);
298 b = BN_CTX_get(ctx);
299 tmp_1 = BN_CTX_get(ctx);
300 tmp_2 = BN_CTX_get(ctx);
301 order = BN_CTX_get(ctx);
302 if (order == NULL) goto err;
295 303
296 if (group->generator == NULL) 304 if (group->meth->field_decode)
297 { 305 {
298 group->generator = EC_POINT_new(group); 306 if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
299 if (group->generator == NULL) return 0; 307 if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
300 } 308 }
301 if (!EC_POINT_copy(group->generator, generator)) return 0;
302
303 if (order != NULL)
304 { if (!BN_copy(&group->order, order)) return 0; }
305 else
306 { if (!BN_zero(&group->order)) return 0; }
307
308 if (cofactor != NULL)
309 { if (!BN_copy(&group->cofactor, cofactor)) return 0; }
310 else 309 else
311 { if (!BN_zero(&group->cofactor)) return 0; } 310 {
312 311 if (!BN_copy(a, &group->a)) goto err;
313 return 1; 312 if (!BN_copy(b, &group->b)) goto err;
314 } 313 }
315 314
316 315 /* check the discriminant:
317EC_POINT *ec_GFp_simple_group_get0_generator(const EC_GROUP *group) 316 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
318 { 317 * 0 =< a, b < p */
319 return group->generator; 318 if (BN_is_zero(a))
320 } 319 {
321 320 if (BN_is_zero(b)) goto err;
322 321 }
323int ec_GFp_simple_group_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) 322 else if (!BN_is_zero(b))
324 { 323 {
325 if (!BN_copy(order, &group->order)) 324 if (!BN_mod_sqr(tmp_1, a, p, ctx)) goto err;
326 return 0; 325 if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx)) goto err;
327 326 if (!BN_lshift(tmp_1, tmp_2, 2)) goto err;
328 return !BN_is_zero(&group->order); 327 /* tmp_1 = 4*a^3 */
329 }
330 328
329 if (!BN_mod_sqr(tmp_2, b, p, ctx)) goto err;
330 if (!BN_mul_word(tmp_2, 27)) goto err;
331 /* tmp_2 = 27*b^2 */
331 332
332int ec_GFp_simple_group_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx) 333 if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx)) goto err;
333 { 334 if (BN_is_zero(a)) goto err;
334 if (!BN_copy(cofactor, &group->cofactor)) 335 }
335 return 0; 336 ret = 1;
336 337
337 return !BN_is_zero(&group->cofactor); 338err:
339 if (ctx != NULL)
340 BN_CTX_end(ctx);
341 if (new_ctx != NULL)
342 BN_CTX_free(new_ctx);
343 return ret;
338 } 344 }
339 345
340 346
@@ -380,7 +386,8 @@ int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
380int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point) 386int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
381 { 387 {
382 point->Z_is_one = 0; 388 point->Z_is_one = 0;
383 return (BN_zero(&point->Z)); 389 BN_zero(&point->Z);
390 return 1;
384 } 391 }
385 392
386 393
@@ -497,13 +504,13 @@ int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const E
497 } 504 }
498 505
499 506
500int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, 507int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
501 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) 508 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
502 { 509 {
503 if (x == NULL || y == NULL) 510 if (x == NULL || y == NULL)
504 { 511 {
505 /* unlike for projective coordinates, we do not tolerate this */ 512 /* unlike for projective coordinates, we do not tolerate this */
506 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_PASSED_NULL_PARAMETER); 513 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES, ERR_R_PASSED_NULL_PARAMETER);
507 return 0; 514 return 0;
508 } 515 }
509 516
@@ -511,17 +518,17 @@ int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POI
511 } 518 }
512 519
513 520
514int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point, 521int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
515 BIGNUM *x, BIGNUM *y, BN_CTX *ctx) 522 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
516 { 523 {
517 BN_CTX *new_ctx = NULL; 524 BN_CTX *new_ctx = NULL;
518 BIGNUM *X, *Y, *Z, *Z_1, *Z_2, *Z_3; 525 BIGNUM *Z, *Z_1, *Z_2, *Z_3;
519 const BIGNUM *X_, *Y_, *Z_; 526 const BIGNUM *Z_;
520 int ret = 0; 527 int ret = 0;
521 528
522 if (EC_POINT_is_at_infinity(group, point)) 529 if (EC_POINT_is_at_infinity(group, point))
523 { 530 {
524 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_POINT_AT_INFINITY); 531 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY);
525 return 0; 532 return 0;
526 } 533 }
527 534
@@ -533,8 +540,6 @@ int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const
533 } 540 }
534 541
535 BN_CTX_start(ctx); 542 BN_CTX_start(ctx);
536 X = BN_CTX_get(ctx);
537 Y = BN_CTX_get(ctx);
538 Z = BN_CTX_get(ctx); 543 Z = BN_CTX_get(ctx);
539 Z_1 = BN_CTX_get(ctx); 544 Z_1 = BN_CTX_get(ctx);
540 Z_2 = BN_CTX_get(ctx); 545 Z_2 = BN_CTX_get(ctx);
@@ -545,34 +550,44 @@ int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const
545 550
546 if (group->meth->field_decode) 551 if (group->meth->field_decode)
547 { 552 {
548 if (!group->meth->field_decode(group, X, &point->X, ctx)) goto err;
549 if (!group->meth->field_decode(group, Y, &point->Y, ctx)) goto err;
550 if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err; 553 if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err;
551 X_ = X; Y_ = Y; Z_ = Z; 554 Z_ = Z;
552 } 555 }
553 else 556 else
554 { 557 {
555 X_ = &point->X;
556 Y_ = &point->Y;
557 Z_ = &point->Z; 558 Z_ = &point->Z;
558 } 559 }
559 560
560 if (BN_is_one(Z_)) 561 if (BN_is_one(Z_))
561 { 562 {
562 if (x != NULL) 563 if (group->meth->field_decode)
563 { 564 {
564 if (!BN_copy(x, X_)) goto err; 565 if (x != NULL)
566 {
567 if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
568 }
569 if (y != NULL)
570 {
571 if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
572 }
565 } 573 }
566 if (y != NULL) 574 else
567 { 575 {
568 if (!BN_copy(y, Y_)) goto err; 576 if (x != NULL)
577 {
578 if (!BN_copy(x, &point->X)) goto err;
579 }
580 if (y != NULL)
581 {
582 if (!BN_copy(y, &point->Y)) goto err;
583 }
569 } 584 }
570 } 585 }
571 else 586 else
572 { 587 {
573 if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx)) 588 if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx))
574 { 589 {
575 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_BN_LIB); 590 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);
576 goto err; 591 goto err;
577 } 592 }
578 593
@@ -588,15 +603,8 @@ int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const
588 603
589 if (x != NULL) 604 if (x != NULL)
590 { 605 {
591 if (group->meth->field_encode == 0) 606 /* in the Montgomery case, field_mul will cancel out Montgomery factor in X: */
592 { 607 if (!group->meth->field_mul(group, x, &point->X, Z_2, ctx)) goto err;
593 /* field_mul works on standard representation */
594 if (!group->meth->field_mul(group, x, X_, Z_2, ctx)) goto err;
595 }
596 else
597 {
598 if (!BN_mod_mul(x, X_, Z_2, &group->field, ctx)) goto err;
599 }
600 } 608 }
601 609
602 if (y != NULL) 610 if (y != NULL)
@@ -605,14 +613,14 @@ int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const
605 { 613 {
606 /* field_mul works on standard representation */ 614 /* field_mul works on standard representation */
607 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err; 615 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err;
608 if (!group->meth->field_mul(group, y, Y_, Z_3, ctx)) goto err;
609
610 } 616 }
611 else 617 else
612 { 618 {
613 if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err; 619 if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err;
614 if (!BN_mod_mul(y, Y_, Z_3, &group->field, ctx)) goto err;
615 } 620 }
621
622 /* in the Montgomery case, field_mul will cancel out Montgomery factor in Y: */
623 if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx)) goto err;
616 } 624 }
617 } 625 }
618 626
@@ -626,13 +634,16 @@ int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const
626 } 634 }
627 635
628 636
629int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, 637int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
630 const BIGNUM *x_, int y_bit, BN_CTX *ctx) 638 const BIGNUM *x_, int y_bit, BN_CTX *ctx)
631 { 639 {
632 BN_CTX *new_ctx = NULL; 640 BN_CTX *new_ctx = NULL;
633 BIGNUM *tmp1, *tmp2, *x, *y; 641 BIGNUM *tmp1, *tmp2, *x, *y;
634 int ret = 0; 642 int ret = 0;
635 643
644 /* clear error queue*/
645 ERR_clear_error();
646
636 if (ctx == NULL) 647 if (ctx == NULL)
637 { 648 {
638 ctx = new_ctx = BN_CTX_new(); 649 ctx = new_ctx = BN_CTX_new();
@@ -704,19 +715,17 @@ int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT
704 715
705 if (!BN_mod_sqrt(y, tmp1, &group->field, ctx)) 716 if (!BN_mod_sqrt(y, tmp1, &group->field, ctx))
706 { 717 {
707 unsigned long err = ERR_peek_error(); 718 unsigned long err = ERR_peek_last_error();
708 719
709 if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) 720 if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE)
710 { 721 {
711 (void)ERR_get_error(); 722 ERR_clear_error();
712 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT); 723 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
713 } 724 }
714 else 725 else
715 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_BN_LIB); 726 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB);
716 goto err; 727 goto err;
717 } 728 }
718 /* If tmp1 is not a square (i.e. there is no point on the curve with
719 * our x), then y now is a nonsense value too */
720 729
721 if (y_bit != BN_is_odd(y)) 730 if (y_bit != BN_is_odd(y))
722 { 731 {
@@ -728,16 +737,17 @@ int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT
728 if (kron == -2) goto err; 737 if (kron == -2) goto err;
729 738
730 if (kron == 1) 739 if (kron == 1)
731 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSION_BIT); 740 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSION_BIT);
732 else 741 else
733 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT); 742 /* BN_mod_sqrt() should have cought this error (not a square) */
743 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
734 goto err; 744 goto err;
735 } 745 }
736 if (!BN_usub(y, &group->field, y)) goto err; 746 if (!BN_usub(y, &group->field, y)) goto err;
737 } 747 }
738 if (y_bit != BN_is_odd(y)) 748 if (y_bit != BN_is_odd(y))
739 { 749 {
740 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_INTERNAL_ERROR); 750 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_INTERNAL_ERROR);
741 goto err; 751 goto err;
742 } 752 }
743 753
@@ -1088,7 +1098,7 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, con
1088 else 1098 else
1089 { 1099 {
1090 /* a is the inverse of b */ 1100 /* a is the inverse of b */
1091 if (!BN_zero(&r->Z)) goto end; 1101 BN_zero(&r->Z);
1092 r->Z_is_one = 0; 1102 r->Z_is_one = 0;
1093 ret = 1; 1103 ret = 1;
1094 goto end; 1104 goto end;
@@ -1164,7 +1174,7 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_
1164 1174
1165 if (EC_POINT_is_at_infinity(group, a)) 1175 if (EC_POINT_is_at_infinity(group, a))
1166 { 1176 {
1167 if (!BN_zero(&r->Z)) return 0; 1177 BN_zero(&r->Z);
1168 r->Z_is_one = 0; 1178 r->Z_is_one = 0;
1169 return 1; 1179 return 1;
1170 } 1180 }
@@ -1292,7 +1302,7 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_C
1292 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); 1302 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1293 const BIGNUM *p; 1303 const BIGNUM *p;
1294 BN_CTX *new_ctx = NULL; 1304 BN_CTX *new_ctx = NULL;
1295 BIGNUM *rh, *tmp1, *tmp2, *Z4, *Z6; 1305 BIGNUM *rh, *tmp, *Z4, *Z6;
1296 int ret = -1; 1306 int ret = -1;
1297 1307
1298 if (EC_POINT_is_at_infinity(group, point)) 1308 if (EC_POINT_is_at_infinity(group, point))
@@ -1311,8 +1321,7 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_C
1311 1321
1312 BN_CTX_start(ctx); 1322 BN_CTX_start(ctx);
1313 rh = BN_CTX_get(ctx); 1323 rh = BN_CTX_get(ctx);
1314 tmp1 = BN_CTX_get(ctx); 1324 tmp = BN_CTX_get(ctx);
1315 tmp2 = BN_CTX_get(ctx);
1316 Z4 = BN_CTX_get(ctx); 1325 Z4 = BN_CTX_get(ctx);
1317 Z6 = BN_CTX_get(ctx); 1326 Z6 = BN_CTX_get(ctx);
1318 if (Z6 == NULL) goto err; 1327 if (Z6 == NULL) goto err;
@@ -1326,59 +1335,49 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_C
1326 * To test this, we add up the right-hand side in 'rh'. 1335 * To test this, we add up the right-hand side in 'rh'.
1327 */ 1336 */
1328 1337
1329 /* rh := X^3 */ 1338 /* rh := X^2 */
1330 if (!field_sqr(group, rh, &point->X, ctx)) goto err; 1339 if (!field_sqr(group, rh, &point->X, ctx)) goto err;
1331 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1332 1340
1333 if (!point->Z_is_one) 1341 if (!point->Z_is_one)
1334 { 1342 {
1335 if (!field_sqr(group, tmp1, &point->Z, ctx)) goto err; 1343 if (!field_sqr(group, tmp, &point->Z, ctx)) goto err;
1336 if (!field_sqr(group, Z4, tmp1, ctx)) goto err; 1344 if (!field_sqr(group, Z4, tmp, ctx)) goto err;
1337 if (!field_mul(group, Z6, Z4, tmp1, ctx)) goto err; 1345 if (!field_mul(group, Z6, Z4, tmp, ctx)) goto err;
1338 1346
1339 /* rh := rh + a*X*Z^4 */ 1347 /* rh := (rh + a*Z^4)*X */
1340 if (!field_mul(group, tmp1, &point->X, Z4, ctx)) goto err;
1341 if (group->a_is_minus3) 1348 if (group->a_is_minus3)
1342 { 1349 {
1343 if (!BN_mod_lshift1_quick(tmp2, tmp1, p)) goto err; 1350 if (!BN_mod_lshift1_quick(tmp, Z4, p)) goto err;
1344 if (!BN_mod_add_quick(tmp2, tmp2, tmp1, p)) goto err; 1351 if (!BN_mod_add_quick(tmp, tmp, Z4, p)) goto err;
1345 if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err; 1352 if (!BN_mod_sub_quick(rh, rh, tmp, p)) goto err;
1353 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1346 } 1354 }
1347 else 1355 else
1348 { 1356 {
1349 if (!field_mul(group, tmp2, tmp1, &group->a, ctx)) goto err; 1357 if (!field_mul(group, tmp, Z4, &group->a, ctx)) goto err;
1350 if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err; 1358 if (!BN_mod_add_quick(rh, rh, tmp, p)) goto err;
1359 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1351 } 1360 }
1352 1361
1353 /* rh := rh + b*Z^6 */ 1362 /* rh := rh + b*Z^6 */
1354 if (!field_mul(group, tmp1, &group->b, Z6, ctx)) goto err; 1363 if (!field_mul(group, tmp, &group->b, Z6, ctx)) goto err;
1355 if (!BN_mod_add_quick(rh, rh, tmp1, p)) goto err; 1364 if (!BN_mod_add_quick(rh, rh, tmp, p)) goto err;
1356 } 1365 }
1357 else 1366 else
1358 { 1367 {
1359 /* point->Z_is_one */ 1368 /* point->Z_is_one */
1360 1369
1361 /* rh := rh + a*X */ 1370 /* rh := (rh + a)*X */
1362 if (group->a_is_minus3) 1371 if (!BN_mod_add_quick(rh, rh, &group->a, p)) goto err;
1363 { 1372 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1364 if (!BN_mod_lshift1_quick(tmp2, &point->X, p)) goto err;
1365 if (!BN_mod_add_quick(tmp2, tmp2, &point->X, p)) goto err;
1366 if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
1367 }
1368 else
1369 {
1370 if (!field_mul(group, tmp2, &point->X, &group->a, ctx)) goto err;
1371 if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
1372 }
1373
1374 /* rh := rh + b */ 1373 /* rh := rh + b */
1375 if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err; 1374 if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err;
1376 } 1375 }
1377 1376
1378 /* 'lh' := Y^2 */ 1377 /* 'lh' := Y^2 */
1379 if (!field_sqr(group, tmp1, &point->Y, ctx)) goto err; 1378 if (!field_sqr(group, tmp, &point->Y, ctx)) goto err;
1380 1379
1381 ret = (0 == BN_cmp(tmp1, rh)); 1380 ret = (0 == BN_ucmp(tmp, rh));
1382 1381
1383 err: 1382 err:
1384 BN_CTX_end(ctx); 1383 BN_CTX_end(ctx);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-04 07:41:17 +0000