From d589f6085401b1833475f8ee81e8bd8877cec677 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 7 Jan 2025 08:30:52 +0000
Subject: Check discriminant directly in EC_GROUP_set_discriminant()

After possibly decoding a and b in EC_GROUP_get_curve(), this is a pure calculation in GFp and as such doesn't make use of any method-specifics. Let's perform this calculation directly in the public API implementation rather than redirecting through the methods and remove yet another method handler.

ok jsing
---
 src/lib/libcrypto/ec/ec_lib.c | 50 +++++++++++++++++++++++++++----
 src/lib/libcrypto/ec/ec_local.h | 4 +--
 src/lib/libcrypto/ec/ecp_methods.c | 61 +------------------------------------
 3 files changed, 47 insertions(+), 68 deletions(-)

diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 7a82eb23f8..a50b1e5633 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.102 2025/01/06 19:23:25 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.103 2025/01/07 08:30:52 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -600,6 +600,7 @@ int
 EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx_in)
 {
 BN_CTX *ctx;
+ BIGNUM *p, *a, *b, *discriminant;
 int ret = 0;

 if ((ctx = ctx_in) == NULL)
@@ -607,11 +608,50 @@ EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx_in)
 if (ctx == NULL)
 goto err;

- if (group->meth->group_check_discriminant == NULL) {
- ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ BN_CTX_start(ctx);
+
+ if ((p = BN_CTX_get(ctx)) == NULL)
 goto err;
- }
- ret = group->meth->group_check_discriminant(group, ctx);
+ if ((a = BN_CTX_get(ctx)) == NULL)
+ goto err;
+ if ((b = BN_CTX_get(ctx)) == NULL)
+ goto err;
+ if ((discriminant = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ if (!EC_GROUP_get_curve(group, p, a, b, ctx))
+ goto err;
+
+ /*
+ * Check that the discriminant 4a^3 + 27b^2 is non-zero modulo p.
+ */
+
+ if (BN_is_zero(a) && BN_is_zero(b))
+ goto err;
+ if (BN_is_zero(a) || BN_is_zero(b))
+ goto done;
+
+ /* Compute the discriminant: first 4a^3, then 27b^2, then their sum. */
+ if (!BN_mod_sqr(discriminant, a, p, ctx))
+ goto err;
+ if (!BN_mod_mul(discriminant, discriminant, a, p, ctx))
+ goto err;
+ if (!BN_lshift(discriminant, discriminant, 2))
+ goto err;
+
+ if (!BN_mod_sqr(b, b, p, ctx))
+ goto err;
+ if (!BN_mul_word(b, 27))
+ goto err;
+
+ if (!BN_mod_add(discriminant, discriminant, b, p, ctx))
+ goto err;
+
+ if (BN_is_zero(discriminant))
+ goto err;
+
+ done:
+ ret = 1;

 err:
 if (ctx != ctx_in)
diff --git a/src/lib/libcrypto/ec/ec_local.h b/src/lib/libcrypto/ec/ec_local.h
index 03fda6876b..49442786e7 100644
--- a/src/lib/libcrypto/ec/ec_local.h
+++ b/src/lib/libcrypto/ec/ec_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_local.h,v 1.52 2025/01/06 14:34:47 tb Exp $ */
+/* $OpenBSD: ec_local.h,v 1.53 2025/01/07 08:30:52 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
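Review bot: The `BN_CTX_start(ctx)` added in EC_GROUP_check_discriminant() (ec_lib.c) has no matching `BN_CTX_end(ctx)` in the visible part of the `err:` path, whereas the helper this commit removes from ecp_methods.c called it at its own `err:` label. With a caller-supplied `ctx_in` that would leave the frame holding p, a, b and discriminant open, so the caller's next BN_CTX_end() would close this frame rather than its own. I would add `BN_CTX_end(ctx);` directly under `err:`, ahead of `if (ctx != ctx_in)`; the `ctx == NULL` jump reaches that label before BN_CTX_start() runs, so confirm BN_CTX_end() accepts a NULL context. The function's cleanup continues past the end of the hunk, so check that no such call already follows there.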
@@ -93,8 +93,6 @@ struct ec_method_st {
 int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
 BIGNUM *b, BN_CTX *);

- int (*group_check_discriminant)(const EC_GROUP *, BN_CTX *);
-
 int (*point_set_affine_coordinates)(const EC_GROUP *, EC_POINT *,
 const BIGNUM *x, const BIGNUM *y, BN_CTX *);
 int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_POINT *,
diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c
index 8623131ffa..9593428870 100644
--- a/src/lib/libcrypto/ec/ecp_methods.c
+++ b/src/lib/libcrypto/ec/ecp_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_methods.c,v 1.25 2025/01/06 18:43:27 tb Exp $ */
+/* $OpenBSD: ecp_methods.c,v 1.26 2025/01/07 08:30:52 tb Exp $ */
 /* Includes code written by Lenka Fibikova
 * for the OpenSSL project.
 * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -166,63 +166,6 @@ ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
 return 1;
 }

-static int
-ec_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
-{
- BIGNUM *p, *a, *b, *discriminant;
- int ret = 0;
-
- BN_CTX_start(ctx);
-
- if ((p = BN_CTX_get(ctx)) == NULL)
- goto err;
- if ((a = BN_CTX_get(ctx)) == NULL)
- goto err;
- if ((b = BN_CTX_get(ctx)) == NULL)
- goto err;
- if ((discriminant = BN_CTX_get(ctx)) == NULL)
- goto err;
-
- if (!EC_GROUP_get_curve(group, p, a, b, ctx))
- goto err;
-
- /*
- * Check that the discriminant 4a^3 + 27b^2 is non-zero modulo p.
- */
-
- if (BN_is_zero(a) && BN_is_zero(b))
- goto err;
- if (BN_is_zero(a) || BN_is_zero(b))
- goto done;
-
- /* Compute the discriminant: first 4a^3, then 27b^2, then their sum. */
- if (!BN_mod_sqr(discriminant, a, p, ctx))
- goto err;
- if (!BN_mod_mul(discriminant, discriminant, a, p, ctx))
- goto err;
- if (!BN_lshift(discriminant, discriminant, 2))
- goto err;
-
- if (!BN_mod_sqr(b, b, p, ctx))
- goto err;
- if (!BN_mul_word(b, 27))
- goto err;
-
- if (!BN_mod_add(discriminant, discriminant, b, p, ctx))
- goto err;
-
- if (BN_is_zero(discriminant))
- goto err;
-
- done:
- ret = 1;
-
- err:
- BN_CTX_end(ctx);
-
- return ret;
-}
-
 static int
 ec_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
@@ -1511,7 +1454,6 @@ static const EC_METHOD ec_GFp_simple_method = {
 .field_type = NID_X9_62_prime_field,
 .group_set_curve = ec_group_set_curve,
 .group_get_curve = ec_group_get_curve,
- .group_check_discriminant = ec_group_check_discriminant,
 .point_set_affine_coordinates = ec_point_set_affine_coordinates,
 .point_get_affine_coordinates = ec_point_get_affine_coordinates,
 .point_set_compressed_coordinates = ec_set_compressed_coordinates,
@@ -1540,7 +1482,6 @@ static const EC_METHOD ec_GFp_mont_method = {
 .field_type = NID_X9_62_prime_field,
 .group_set_curve = ec_mont_group_set_curve,
 .group_get_curve = ec_group_get_curve,
- .group_check_discriminant = ec_group_check_discriminant,
 .point_set_affine_coordinates = ec_point_set_affine_coordinates,
 .point_get_affine_coordinates = ec_point_get_affine_coordinates,
 .point_set_compressed_coordinates = ec_set_compressed_coordinates,
--
cgit v1.2.3-55-g6feb