diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/ec/ecp_methods.c | 71 |
1 files changed, 34 insertions, 37 deletions
diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c index 69eab8120f..443b382380 100644 --- a/src/lib/libcrypto/ec/ecp_methods.c +++ b/src/lib/libcrypto/ec/ecp_methods.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ecp_methods.c,v 1.37 2025/01/17 10:41:31 tb Exp $ */ | 1 | /* $OpenBSD: ecp_methods.c,v 1.38 2025/01/17 10:54:03 tb Exp $ */ |
| 2 | /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de> | 2 | /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de> |
| 3 | * for the OpenSSL project. | 3 | * for the OpenSSL project. |
| 4 | * Includes code written by Bodo Moeller for the OpenSSL project. | 4 | * Includes code written by Bodo Moeller for the OpenSSL project. |
| @@ -182,7 +182,6 @@ ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, | |||
| 182 | static int | 182 | static int |
| 183 | ec_point_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx) | 183 | ec_point_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx) |
| 184 | { | 184 | { |
| 185 | const BIGNUM *p = group->p; | ||
| 186 | BIGNUM *rh, *tmp, *Z4, *Z6; | 185 | BIGNUM *rh, *tmp, *Z4, *Z6; |
| 187 | int ret = -1; | 186 | int ret = -1; |
| 188 | 187 | ||
| @@ -221,18 +220,18 @@ ec_point_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx) | |||
| 221 | 220 | ||
| 222 | /* rh := (rh + a*Z^4)*X */ | 221 | /* rh := (rh + a*Z^4)*X */ |
| 223 | if (group->a_is_minus3) { | 222 | if (group->a_is_minus3) { |
| 224 | if (!BN_mod_lshift1_quick(tmp, Z4, p)) | 223 | if (!BN_mod_lshift1_quick(tmp, Z4, group->p)) |
| 225 | goto err; | 224 | goto err; |
| 226 | if (!BN_mod_add_quick(tmp, tmp, Z4, p)) | 225 | if (!BN_mod_add_quick(tmp, tmp, Z4, group->p)) |
| 227 | goto err; | 226 | goto err; |
| 228 | if (!BN_mod_sub_quick(rh, rh, tmp, p)) | 227 | if (!BN_mod_sub_quick(rh, rh, tmp, group->p)) |
| 229 | goto err; | 228 | goto err; |
| 230 | if (!ec_field_mul(group, rh, rh, point->X, ctx)) | 229 | if (!ec_field_mul(group, rh, rh, point->X, ctx)) |
| 231 | goto err; | 230 | goto err; |
| 232 | } else { | 231 | } else { |
| 233 | if (!ec_field_mul(group, tmp, Z4, group->a, ctx)) | 232 | if (!ec_field_mul(group, tmp, Z4, group->a, ctx)) |
| 234 | goto err; | 233 | goto err; |
| 235 | if (!BN_mod_add_quick(rh, rh, tmp, p)) | 234 | if (!BN_mod_add_quick(rh, rh, tmp, group->p)) |
| 236 | goto err; | 235 | goto err; |
| 237 | if (!ec_field_mul(group, rh, rh, point->X, ctx)) | 236 | if (!ec_field_mul(group, rh, rh, point->X, ctx)) |
| 238 | goto err; | 237 | goto err; |
| @@ -241,18 +240,18 @@ ec_point_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx) | |||
| 241 | /* rh := rh + b*Z^6 */ | 240 | /* rh := rh + b*Z^6 */ |
| 242 | if (!ec_field_mul(group, tmp, group->b, Z6, ctx)) | 241 | if (!ec_field_mul(group, tmp, group->b, Z6, ctx)) |
| 243 | goto err; | 242 | goto err; |
| 244 | if (!BN_mod_add_quick(rh, rh, tmp, p)) | 243 | if (!BN_mod_add_quick(rh, rh, tmp, group->p)) |
| 245 | goto err; | 244 | goto err; |
| 246 | } else { | 245 | } else { |
| 247 | /* point->Z_is_one */ | 246 | /* point->Z_is_one */ |
| 248 | 247 | ||
| 249 | /* rh := (rh + a)*X */ | 248 | /* rh := (rh + a)*X */ |
| 250 | if (!BN_mod_add_quick(rh, rh, group->a, p)) | 249 | if (!BN_mod_add_quick(rh, rh, group->a, group->p)) |
| 251 | goto err; | 250 | goto err; |
| 252 | if (!ec_field_mul(group, rh, rh, point->X, ctx)) | 251 | if (!ec_field_mul(group, rh, rh, point->X, ctx)) |
| 253 | goto err; | 252 | goto err; |
| 254 | /* rh := rh + b */ | 253 | /* rh := rh + b */ |
| 255 | if (!BN_mod_add_quick(rh, rh, group->b, p)) | 254 | if (!BN_mod_add_quick(rh, rh, group->b, group->p)) |
| 256 | goto err; | 255 | goto err; |
| 257 | } | 256 | } |
| 258 | 257 | ||
| @@ -604,7 +603,6 @@ static int | |||
| 604 | ec_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, | 603 | ec_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, |
| 605 | BN_CTX *ctx) | 604 | BN_CTX *ctx) |
| 606 | { | 605 | { |
| 607 | const BIGNUM *p = group->p; | ||
| 608 | BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6; | 606 | BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6; |
| 609 | int ret = 0; | 607 | int ret = 0; |
| 610 | 608 | ||
| @@ -683,9 +681,9 @@ ec_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, | |||
| 683 | } | 681 | } |
| 684 | 682 | ||
| 685 | /* n5, n6 */ | 683 | /* n5, n6 */ |
| 686 | if (!BN_mod_sub_quick(n5, n1, n3, p)) | 684 | if (!BN_mod_sub_quick(n5, n1, n3, group->p)) |
| 687 | goto end; | 685 | goto end; |
| 688 | if (!BN_mod_sub_quick(n6, n2, n4, p)) | 686 | if (!BN_mod_sub_quick(n6, n2, n4, group->p)) |
| 689 | goto end; | 687 | goto end; |
| 690 | /* n5 = n1 - n3 */ | 688 | /* n5 = n1 - n3 */ |
| 691 | /* n6 = n2 - n4 */ | 689 | /* n6 = n2 - n4 */ |
| @@ -706,9 +704,9 @@ ec_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, | |||
| 706 | } | 704 | } |
| 707 | } | 705 | } |
| 708 | /* 'n7', 'n8' */ | 706 | /* 'n7', 'n8' */ |
| 709 | if (!BN_mod_add_quick(n1, n1, n3, p)) | 707 | if (!BN_mod_add_quick(n1, n1, n3, group->p)) |
| 710 | goto end; | 708 | goto end; |
| 711 | if (!BN_mod_add_quick(n2, n2, n4, p)) | 709 | if (!BN_mod_add_quick(n2, n2, n4, group->p)) |
| 712 | goto end; | 710 | goto end; |
| 713 | /* 'n7' = n1 + n3 */ | 711 | /* 'n7' = n1 + n3 */ |
| 714 | /* 'n8' = n2 + n4 */ | 712 | /* 'n8' = n2 + n4 */ |
| @@ -741,14 +739,14 @@ ec_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, | |||
| 741 | goto end; | 739 | goto end; |
| 742 | if (!ec_field_mul(group, n3, n1, n4, ctx)) | 740 | if (!ec_field_mul(group, n3, n1, n4, ctx)) |
| 743 | goto end; | 741 | goto end; |
| 744 | if (!BN_mod_sub_quick(r->X, n0, n3, p)) | 742 | if (!BN_mod_sub_quick(r->X, n0, n3, group->p)) |
| 745 | goto end; | 743 | goto end; |
| 746 | /* X_r = n6^2 - n5^2 * 'n7' */ | 744 | /* X_r = n6^2 - n5^2 * 'n7' */ |
| 747 | 745 | ||
| 748 | /* 'n9' */ | 746 | /* 'n9' */ |
| 749 | if (!BN_mod_lshift1_quick(n0, r->X, p)) | 747 | if (!BN_mod_lshift1_quick(n0, r->X, group->p)) |
| 750 | goto end; | 748 | goto end; |
| 751 | if (!BN_mod_sub_quick(n0, n3, n0, p)) | 749 | if (!BN_mod_sub_quick(n0, n3, n0, group->p)) |
| 752 | goto end; | 750 | goto end; |
| 753 | /* n9 = n5^2 * 'n7' - 2 * X_r */ | 751 | /* n9 = n5^2 * 'n7' - 2 * X_r */ |
| 754 | 752 | ||
| @@ -759,10 +757,10 @@ ec_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, | |||
| 759 | goto end; /* now n5 is n5^3 */ | 757 | goto end; /* now n5 is n5^3 */ |
| 760 | if (!ec_field_mul(group, n1, n2, n5, ctx)) | 758 | if (!ec_field_mul(group, n1, n2, n5, ctx)) |
| 761 | goto end; | 759 | goto end; |
| 762 | if (!BN_mod_sub_quick(n0, n0, n1, p)) | 760 | if (!BN_mod_sub_quick(n0, n0, n1, group->p)) |
| 763 | goto end; | 761 | goto end; |
| 764 | if (BN_is_odd(n0)) | 762 | if (BN_is_odd(n0)) |
| 765 | if (!BN_add(n0, n0, p)) | 763 | if (!BN_add(n0, n0, group->p)) |
| 766 | goto end; | 764 | goto end; |
| 767 | /* now 0 <= n0 < 2*p, and n0 is even */ | 765 | /* now 0 <= n0 < 2*p, and n0 is even */ |
| 768 | if (!BN_rshift1(r->Y, n0)) | 766 | if (!BN_rshift1(r->Y, n0)) |
| @@ -780,7 +778,6 @@ ec_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, | |||
| 780 | static int | 778 | static int |
| 781 | ec_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) | 779 | ec_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) |
| 782 | { | 780 | { |
| 783 | const BIGNUM *p = group->p; | ||
| 784 | BIGNUM *n0, *n1, *n2, *n3; | 781 | BIGNUM *n0, *n1, *n2, *n3; |
| 785 | int ret = 0; | 782 | int ret = 0; |
| 786 | 783 | ||
| @@ -808,25 +805,25 @@ ec_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) | |||
| 808 | if (a->Z_is_one) { | 805 | if (a->Z_is_one) { |
| 809 | if (!ec_field_sqr(group, n0, a->X, ctx)) | 806 | if (!ec_field_sqr(group, n0, a->X, ctx)) |
| 810 | goto err; | 807 | goto err; |
| 811 | if (!BN_mod_lshift1_quick(n1, n0, p)) | 808 | if (!BN_mod_lshift1_quick(n1, n0, group->p)) |
| 812 | goto err; | 809 | goto err; |
| 813 | if (!BN_mod_add_quick(n0, n0, n1, p)) | 810 | if (!BN_mod_add_quick(n0, n0, n1, group->p)) |
| 814 | goto err; | 811 | goto err; |
| 815 | if (!BN_mod_add_quick(n1, n0, group->a, p)) | 812 | if (!BN_mod_add_quick(n1, n0, group->a, group->p)) |
| 816 | goto err; | 813 | goto err; |
| 817 | /* n1 = 3 * X_a^2 + a_curve */ | 814 | /* n1 = 3 * X_a^2 + a_curve */ |
| 818 | } else if (group->a_is_minus3) { | 815 | } else if (group->a_is_minus3) { |
| 819 | if (!ec_field_sqr(group, n1, a->Z, ctx)) | 816 | if (!ec_field_sqr(group, n1, a->Z, ctx)) |
| 820 | goto err; | 817 | goto err; |
| 821 | if (!BN_mod_add_quick(n0, a->X, n1, p)) | 818 | if (!BN_mod_add_quick(n0, a->X, n1, group->p)) |
| 822 | goto err; | 819 | goto err; |
| 823 | if (!BN_mod_sub_quick(n2, a->X, n1, p)) | 820 | if (!BN_mod_sub_quick(n2, a->X, n1, group->p)) |
| 824 | goto err; | 821 | goto err; |
| 825 | if (!ec_field_mul(group, n1, n0, n2, ctx)) | 822 | if (!ec_field_mul(group, n1, n0, n2, ctx)) |
| 826 | goto err; | 823 | goto err; |
| 827 | if (!BN_mod_lshift1_quick(n0, n1, p)) | 824 | if (!BN_mod_lshift1_quick(n0, n1, group->p)) |
| 828 | goto err; | 825 | goto err; |
| 829 | if (!BN_mod_add_quick(n1, n0, n1, p)) | 826 | if (!BN_mod_add_quick(n1, n0, n1, group->p)) |
| 830 | goto err; | 827 | goto err; |
| 831 | /* | 828 | /* |
| 832 | * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2) = 3 * X_a^2 - 3 * | 829 | * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2) = 3 * X_a^2 - 3 * |
| @@ -835,9 +832,9 @@ ec_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) | |||
| 835 | } else { | 832 | } else { |
| 836 | if (!ec_field_sqr(group, n0, a->X, ctx)) | 833 | if (!ec_field_sqr(group, n0, a->X, ctx)) |
| 837 | goto err; | 834 | goto err; |
| 838 | if (!BN_mod_lshift1_quick(n1, n0, p)) | 835 | if (!BN_mod_lshift1_quick(n1, n0, group->p)) |
| 839 | goto err; | 836 | goto err; |
| 840 | if (!BN_mod_add_quick(n0, n0, n1, p)) | 837 | if (!BN_mod_add_quick(n0, n0, n1, group->p)) |
| 841 | goto err; | 838 | goto err; |
| 842 | if (!ec_field_sqr(group, n1, a->Z, ctx)) | 839 | if (!ec_field_sqr(group, n1, a->Z, ctx)) |
| 843 | goto err; | 840 | goto err; |
| @@ -845,7 +842,7 @@ ec_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) | |||
| 845 | goto err; | 842 | goto err; |
| 846 | if (!ec_field_mul(group, n1, n1, group->a, ctx)) | 843 | if (!ec_field_mul(group, n1, n1, group->a, ctx)) |
| 847 | goto err; | 844 | goto err; |
| 848 | if (!BN_mod_add_quick(n1, n1, n0, p)) | 845 | if (!BN_mod_add_quick(n1, n1, n0, group->p)) |
| 849 | goto err; | 846 | goto err; |
| 850 | /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */ | 847 | /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */ |
| 851 | } | 848 | } |
| @@ -858,7 +855,7 @@ ec_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) | |||
| 858 | if (!ec_field_mul(group, n0, a->Y, a->Z, ctx)) | 855 | if (!ec_field_mul(group, n0, a->Y, a->Z, ctx)) |
| 859 | goto err; | 856 | goto err; |
| 860 | } | 857 | } |
| 861 | if (!BN_mod_lshift1_quick(r->Z, n0, p)) | 858 | if (!BN_mod_lshift1_quick(r->Z, n0, group->p)) |
| 862 | goto err; | 859 | goto err; |
| 863 | r->Z_is_one = 0; | 860 | r->Z_is_one = 0; |
| 864 | /* Z_r = 2 * Y_a * Z_a */ | 861 | /* Z_r = 2 * Y_a * Z_a */ |
| @@ -868,32 +865,32 @@ ec_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) | |||
| 868 | goto err; | 865 | goto err; |
| 869 | if (!ec_field_mul(group, n2, a->X, n3, ctx)) | 866 | if (!ec_field_mul(group, n2, a->X, n3, ctx)) |
| 870 | goto err; | 867 | goto err; |
| 871 | if (!BN_mod_lshift_quick(n2, n2, 2, p)) | 868 | if (!BN_mod_lshift_quick(n2, n2, 2, group->p)) |
| 872 | goto err; | 869 | goto err; |
| 873 | /* n2 = 4 * X_a * Y_a^2 */ | 870 | /* n2 = 4 * X_a * Y_a^2 */ |
| 874 | 871 | ||
| 875 | /* X_r */ | 872 | /* X_r */ |
| 876 | if (!BN_mod_lshift1_quick(n0, n2, p)) | 873 | if (!BN_mod_lshift1_quick(n0, n2, group->p)) |
| 877 | goto err; | 874 | goto err; |
| 878 | if (!ec_field_sqr(group, r->X, n1, ctx)) | 875 | if (!ec_field_sqr(group, r->X, n1, ctx)) |
| 879 | goto err; | 876 | goto err; |
| 880 | if (!BN_mod_sub_quick(r->X, r->X, n0, p)) | 877 | if (!BN_mod_sub_quick(r->X, r->X, n0, group->p)) |
| 881 | goto err; | 878 | goto err; |
| 882 | /* X_r = n1^2 - 2 * n2 */ | 879 | /* X_r = n1^2 - 2 * n2 */ |
| 883 | 880 | ||
| 884 | /* n3 */ | 881 | /* n3 */ |
| 885 | if (!ec_field_sqr(group, n0, n3, ctx)) | 882 | if (!ec_field_sqr(group, n0, n3, ctx)) |
| 886 | goto err; | 883 | goto err; |
| 887 | if (!BN_mod_lshift_quick(n3, n0, 3, p)) | 884 | if (!BN_mod_lshift_quick(n3, n0, 3, group->p)) |
| 888 | goto err; | 885 | goto err; |
| 889 | /* n3 = 8 * Y_a^4 */ | 886 | /* n3 = 8 * Y_a^4 */ |
| 890 | 887 | ||
| 891 | /* Y_r */ | 888 | /* Y_r */ |
| 892 | if (!BN_mod_sub_quick(n0, n2, r->X, p)) | 889 | if (!BN_mod_sub_quick(n0, n2, r->X, group->p)) |
| 893 | goto err; | 890 | goto err; |
| 894 | if (!ec_field_mul(group, n0, n1, n0, ctx)) | 891 | if (!ec_field_mul(group, n0, n1, n0, ctx)) |
| 895 | goto err; | 892 | goto err; |
| 896 | if (!BN_mod_sub_quick(r->Y, n0, n3, p)) | 893 | if (!BN_mod_sub_quick(r->Y, n0, n3, group->p)) |
| 897 | goto err; | 894 | goto err; |
| 898 | /* Y_r = n1 * (n2 - X_r) - n3 */ | 895 | /* Y_r = n1 * (n2 - X_r) - n3 */ |
| 899 | 896 | ||