]>
Commit | Line | Data |
---|---|---|
35b73a1f | 1 | /* |
33388b44 | 2 | * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. |
aa8f3d76 | 3 | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved |
65e81670 | 4 | * |
a7f182b7 | 5 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
aa6bb135 RS |
6 | * this file except in compliance with the License. You can obtain a copy |
7 | * in the file LICENSE in the source distribution or at | |
8 | * https://www.openssl.org/source/license.html | |
65e81670 | 9 | */ |
aa6bb135 | 10 | |
579422c8 P |
11 | /* |
12 | * ECDSA low level APIs are deprecated for public use, but still ok for | |
13 | * internal use. | |
14 | */ | |
15 | #include "internal/deprecated.h" | |
16 | ||
c4b36ff4 BM |
17 | #include <string.h> |
18 | ||
0657bf9c | 19 | #include <openssl/err.h> |
bb62a8b0 | 20 | #include <openssl/opensslv.h> |
0657bf9c | 21 | |
706457b7 | 22 | #include "ec_local.h" |
0657bf9c | 23 | |
0657bf9c BM |
24 | /* functions for EC_GROUP objects */ |
25 | ||
2da8d4eb MC |
26 | EC_GROUP *ec_group_new_with_libctx(OPENSSL_CTX *libctx, const char *propq, |
27 | const EC_METHOD *meth) | |
0f113f3e MC |
28 | { |
29 | EC_GROUP *ret; | |
30 | ||
31 | if (meth == NULL) { | |
2da8d4eb | 32 | ECerr(0, EC_R_SLOT_FULL); |
0f113f3e MC |
33 | return NULL; |
34 | } | |
35 | if (meth->group_init == 0) { | |
2da8d4eb | 36 | ECerr(0, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
0f113f3e MC |
37 | return NULL; |
38 | } | |
39 | ||
64b25758 | 40 | ret = OPENSSL_zalloc(sizeof(*ret)); |
0f113f3e | 41 | if (ret == NULL) { |
2da8d4eb | 42 | ECerr(0, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
43 | return NULL; |
44 | } | |
45 | ||
a9612d6c | 46 | ret->libctx = libctx; |
2da8d4eb MC |
47 | if (propq != NULL) { |
48 | ret->propq = OPENSSL_strdup(propq); | |
49 | if (ret->propq == NULL) { | |
50 | ECerr(0, ERR_R_MALLOC_FAILURE); | |
51 | goto err; | |
52 | } | |
53 | } | |
0f113f3e | 54 | ret->meth = meth; |
6903e2e7 DSH |
55 | if ((ret->meth->flags & EC_FLAGS_CUSTOM_CURVE) == 0) { |
56 | ret->order = BN_new(); | |
57 | if (ret->order == NULL) | |
58 | goto err; | |
59 | ret->cofactor = BN_new(); | |
60 | if (ret->cofactor == NULL) | |
61 | goto err; | |
62 | } | |
86f300d3 | 63 | ret->asn1_flag = OPENSSL_EC_NAMED_CURVE; |
0f113f3e | 64 | ret->asn1_form = POINT_CONVERSION_UNCOMPRESSED; |
0f113f3e MC |
65 | if (!meth->group_init(ret)) |
66 | goto err; | |
0f113f3e | 67 | return ret; |
64b25758 | 68 | |
0f113f3e | 69 | err: |
23a1d5e9 RS |
70 | BN_free(ret->order); |
71 | BN_free(ret->cofactor); | |
2da8d4eb | 72 | OPENSSL_free(ret->propq); |
0f113f3e MC |
73 | OPENSSL_free(ret); |
74 | return NULL; | |
75 | } | |
0657bf9c | 76 | |
23ccae80 BB |
77 | #ifndef OPENSSL_NO_DEPRECATED_3_0 |
78 | # ifndef FIPS_MODULE | |
a9612d6c MC |
79 | EC_GROUP *EC_GROUP_new(const EC_METHOD *meth) |
80 | { | |
2da8d4eb | 81 | return ec_group_new_with_libctx(NULL, NULL, meth); |
a9612d6c | 82 | } |
23ccae80 | 83 | # endif |
a9612d6c MC |
84 | #endif |
85 | ||
2c52ac9b | 86 | void EC_pre_comp_free(EC_GROUP *group) |
3aef36ff RS |
87 | { |
88 | switch (group->pre_comp_type) { | |
f3b3d7f0 | 89 | case PCT_none: |
3aef36ff | 90 | break; |
66117ab0 | 91 | case PCT_nistz256: |
f3b3d7f0 | 92 | #ifdef ECP_NISTZ256_ASM |
3aef36ff | 93 | EC_nistz256_pre_comp_free(group->pre_comp.nistz256); |
e69aa800 | 94 | #endif |
f3b3d7f0 | 95 | break; |
3aef36ff | 96 | #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 |
66117ab0 | 97 | case PCT_nistp224: |
3aef36ff RS |
98 | EC_nistp224_pre_comp_free(group->pre_comp.nistp224); |
99 | break; | |
66117ab0 | 100 | case PCT_nistp256: |
3aef36ff RS |
101 | EC_nistp256_pre_comp_free(group->pre_comp.nistp256); |
102 | break; | |
66117ab0 | 103 | case PCT_nistp521: |
3aef36ff RS |
104 | EC_nistp521_pre_comp_free(group->pre_comp.nistp521); |
105 | break; | |
f3b3d7f0 RS |
106 | #else |
107 | case PCT_nistp224: | |
108 | case PCT_nistp256: | |
109 | case PCT_nistp521: | |
110 | break; | |
3aef36ff | 111 | #endif |
66117ab0 | 112 | case PCT_ec: |
3aef36ff RS |
113 | EC_ec_pre_comp_free(group->pre_comp.ec); |
114 | break; | |
115 | } | |
116 | group->pre_comp.ec = NULL; | |
117 | } | |
118 | ||
0657bf9c | 119 | void EC_GROUP_free(EC_GROUP *group) |
0f113f3e MC |
120 | { |
121 | if (!group) | |
122 | return; | |
7711de24 | 123 | |
0f113f3e MC |
124 | if (group->meth->group_finish != 0) |
125 | group->meth->group_finish(group); | |
df9cc153 | 126 | |
2c52ac9b | 127 | EC_pre_comp_free(group); |
23a1d5e9 | 128 | BN_MONT_CTX_free(group->mont_data); |
8fdc3734 | 129 | EC_POINT_free(group->generator); |
0f113f3e MC |
130 | BN_free(group->order); |
131 | BN_free(group->cofactor); | |
25aaa98a | 132 | OPENSSL_free(group->seed); |
2da8d4eb | 133 | OPENSSL_free(group->propq); |
0f113f3e MC |
134 | OPENSSL_free(group); |
135 | } | |
0657bf9c | 136 | |
936c2b9e | 137 | #ifndef OPENSSL_NO_DEPRECATED_3_0 |
0657bf9c | 138 | void EC_GROUP_clear_free(EC_GROUP *group) |
0f113f3e MC |
139 | { |
140 | if (!group) | |
141 | return; | |
df9cc153 | 142 | |
0f113f3e MC |
143 | if (group->meth->group_clear_finish != 0) |
144 | group->meth->group_clear_finish(group); | |
145 | else if (group->meth->group_finish != 0) | |
146 | group->meth->group_finish(group); | |
df9cc153 | 147 | |
2c52ac9b | 148 | EC_pre_comp_free(group); |
23a1d5e9 | 149 | BN_MONT_CTX_free(group->mont_data); |
8fdc3734 | 150 | EC_POINT_clear_free(group->generator); |
0f113f3e MC |
151 | BN_clear_free(group->order); |
152 | BN_clear_free(group->cofactor); | |
4b45c6e5 | 153 | OPENSSL_clear_free(group->seed, group->seed_len); |
b4faea50 | 154 | OPENSSL_clear_free(group, sizeof(*group)); |
0f113f3e | 155 | } |
4a7a4972 | 156 | #endif |
0657bf9c BM |
157 | |
158 | int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) | |
0f113f3e | 159 | { |
0f113f3e MC |
160 | if (dest->meth->group_copy == 0) { |
161 | ECerr(EC_F_EC_GROUP_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
162 | return 0; | |
163 | } | |
164 | if (dest->meth != src->meth) { | |
165 | ECerr(EC_F_EC_GROUP_COPY, EC_R_INCOMPATIBLE_OBJECTS); | |
166 | return 0; | |
167 | } | |
168 | if (dest == src) | |
169 | return 1; | |
170 | ||
a9612d6c | 171 | dest->libctx = src->libctx; |
b14e6015 MC |
172 | dest->curve_name = src->curve_name; |
173 | ||
3aef36ff RS |
174 | /* Copy precomputed */ |
175 | dest->pre_comp_type = src->pre_comp_type; | |
176 | switch (src->pre_comp_type) { | |
f3b3d7f0 | 177 | case PCT_none: |
3aef36ff RS |
178 | dest->pre_comp.ec = NULL; |
179 | break; | |
66117ab0 | 180 | case PCT_nistz256: |
f3b3d7f0 | 181 | #ifdef ECP_NISTZ256_ASM |
3aef36ff | 182 | dest->pre_comp.nistz256 = EC_nistz256_pre_comp_dup(src->pre_comp.nistz256); |
e69aa800 | 183 | #endif |
f3b3d7f0 | 184 | break; |
3aef36ff | 185 | #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 |
66117ab0 | 186 | case PCT_nistp224: |
3aef36ff RS |
187 | dest->pre_comp.nistp224 = EC_nistp224_pre_comp_dup(src->pre_comp.nistp224); |
188 | break; | |
66117ab0 | 189 | case PCT_nistp256: |
3aef36ff RS |
190 | dest->pre_comp.nistp256 = EC_nistp256_pre_comp_dup(src->pre_comp.nistp256); |
191 | break; | |
66117ab0 | 192 | case PCT_nistp521: |
3aef36ff RS |
193 | dest->pre_comp.nistp521 = EC_nistp521_pre_comp_dup(src->pre_comp.nistp521); |
194 | break; | |
f3b3d7f0 RS |
195 | #else |
196 | case PCT_nistp224: | |
197 | case PCT_nistp256: | |
198 | case PCT_nistp521: | |
199 | break; | |
3aef36ff | 200 | #endif |
66117ab0 | 201 | case PCT_ec: |
3aef36ff RS |
202 | dest->pre_comp.ec = EC_ec_pre_comp_dup(src->pre_comp.ec); |
203 | break; | |
0f113f3e MC |
204 | } |
205 | ||
206 | if (src->mont_data != NULL) { | |
207 | if (dest->mont_data == NULL) { | |
208 | dest->mont_data = BN_MONT_CTX_new(); | |
209 | if (dest->mont_data == NULL) | |
210 | return 0; | |
211 | } | |
212 | if (!BN_MONT_CTX_copy(dest->mont_data, src->mont_data)) | |
213 | return 0; | |
214 | } else { | |
215 | /* src->generator == NULL */ | |
23a1d5e9 RS |
216 | BN_MONT_CTX_free(dest->mont_data); |
217 | dest->mont_data = NULL; | |
0f113f3e | 218 | } |
0657bf9c | 219 | |
0f113f3e MC |
220 | if (src->generator != NULL) { |
221 | if (dest->generator == NULL) { | |
222 | dest->generator = EC_POINT_new(dest); | |
223 | if (dest->generator == NULL) | |
224 | return 0; | |
225 | } | |
226 | if (!EC_POINT_copy(dest->generator, src->generator)) | |
227 | return 0; | |
228 | } else { | |
229 | /* src->generator == NULL */ | |
8fdc3734 RS |
230 | EC_POINT_clear_free(dest->generator); |
231 | dest->generator = NULL; | |
0f113f3e MC |
232 | } |
233 | ||
6903e2e7 DSH |
234 | if ((src->meth->flags & EC_FLAGS_CUSTOM_CURVE) == 0) { |
235 | if (!BN_copy(dest->order, src->order)) | |
236 | return 0; | |
237 | if (!BN_copy(dest->cofactor, src->cofactor)) | |
238 | return 0; | |
239 | } | |
0f113f3e | 240 | |
0f113f3e MC |
241 | dest->asn1_flag = src->asn1_flag; |
242 | dest->asn1_form = src->asn1_form; | |
243 | ||
244 | if (src->seed) { | |
b548a1f1 | 245 | OPENSSL_free(dest->seed); |
cdb10bae RS |
246 | if ((dest->seed = OPENSSL_malloc(src->seed_len)) == NULL) { |
247 | ECerr(EC_F_EC_GROUP_COPY, ERR_R_MALLOC_FAILURE); | |
0f113f3e | 248 | return 0; |
cdb10bae | 249 | } |
0f113f3e MC |
250 | if (!memcpy(dest->seed, src->seed, src->seed_len)) |
251 | return 0; | |
252 | dest->seed_len = src->seed_len; | |
253 | } else { | |
b548a1f1 | 254 | OPENSSL_free(dest->seed); |
0f113f3e MC |
255 | dest->seed = NULL; |
256 | dest->seed_len = 0; | |
257 | } | |
258 | ||
259 | return dest->meth->group_copy(dest, src); | |
260 | } | |
0657bf9c | 261 | |
7793f30e | 262 | EC_GROUP *EC_GROUP_dup(const EC_GROUP *a) |
0f113f3e MC |
263 | { |
264 | EC_GROUP *t = NULL; | |
265 | int ok = 0; | |
7793f30e | 266 | |
0f113f3e MC |
267 | if (a == NULL) |
268 | return NULL; | |
7793f30e | 269 | |
2da8d4eb | 270 | if ((t = ec_group_new_with_libctx(a->libctx, a->propq, a->meth)) == NULL) |
26a7d938 | 271 | return NULL; |
0f113f3e MC |
272 | if (!EC_GROUP_copy(t, a)) |
273 | goto err; | |
7793f30e | 274 | |
0f113f3e | 275 | ok = 1; |
7793f30e | 276 | |
0f113f3e MC |
277 | err: |
278 | if (!ok) { | |
8fdc3734 | 279 | EC_GROUP_free(t); |
0f113f3e | 280 | return NULL; |
8fdc3734 | 281 | } |
0f113f3e MC |
282 | return t; |
283 | } | |
7793f30e | 284 | |
23ccae80 | 285 | #ifndef OPENSSL_NO_DEPRECATED_3_0 |
48fe4d62 | 286 | const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group) |
0f113f3e MC |
287 | { |
288 | return group->meth; | |
289 | } | |
48fe4d62 | 290 | |
458c2917 | 291 | int EC_METHOD_get_field_type(const EC_METHOD *meth) |
0f113f3e MC |
292 | { |
293 | return meth->field_type; | |
294 | } | |
23ccae80 | 295 | #endif |
0f113f3e | 296 | |
eb791696 AP |
297 | static int ec_precompute_mont_data(EC_GROUP *); |
298 | ||
b783beea BB |
299 | /*- |
300 | * Try computing cofactor from the generator order (n) and field cardinality (q). | |
301 | * This works for all curves of cryptographic interest. | |
302 | * | |
303 | * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q) | |
304 | * h_min = (q + 1 - 2*sqrt(q))/n | |
305 | * h_max = (q + 1 + 2*sqrt(q))/n | |
306 | * h_max - h_min = 4*sqrt(q)/n | |
307 | * So if n > 4*sqrt(q) holds, there is only one possible value for h: | |
308 | * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil | |
309 | * | |
310 | * Otherwise, zero cofactor and return success. | |
311 | */ | |
312 | static int ec_guess_cofactor(EC_GROUP *group) { | |
313 | int ret = 0; | |
314 | BN_CTX *ctx = NULL; | |
315 | BIGNUM *q = NULL; | |
316 | ||
317 | /*- | |
318 | * If the cofactor is too large, we cannot guess it. | |
319 | * The RHS of below is a strict overestimate of lg(4 * sqrt(q)) | |
320 | */ | |
321 | if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) { | |
322 | /* default to 0 */ | |
323 | BN_zero(group->cofactor); | |
324 | /* return success */ | |
325 | return 1; | |
326 | } | |
327 | ||
328 | if ((ctx = BN_CTX_new_ex(group->libctx)) == NULL) | |
329 | return 0; | |
330 | ||
331 | BN_CTX_start(ctx); | |
332 | if ((q = BN_CTX_get(ctx)) == NULL) | |
333 | goto err; | |
334 | ||
335 | /* set q = 2**m for binary fields; q = p otherwise */ | |
336 | if (group->meth->field_type == NID_X9_62_characteristic_two_field) { | |
337 | BN_zero(q); | |
338 | if (!BN_set_bit(q, BN_num_bits(group->field) - 1)) | |
339 | goto err; | |
340 | } else { | |
341 | if (!BN_copy(q, group->field)) | |
342 | goto err; | |
343 | } | |
344 | ||
345 | /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */ | |
346 | if (!BN_rshift1(group->cofactor, group->order) /* n/2 */ | |
347 | || !BN_add(group->cofactor, group->cofactor, q) /* q + n/2 */ | |
348 | /* q + 1 + n/2 */ | |
349 | || !BN_add(group->cofactor, group->cofactor, BN_value_one()) | |
350 | /* (q + 1 + n/2)/n */ | |
351 | || !BN_div(group->cofactor, NULL, group->cofactor, group->order, ctx)) | |
352 | goto err; | |
353 | ret = 1; | |
354 | err: | |
355 | BN_CTX_end(ctx); | |
356 | BN_CTX_free(ctx); | |
357 | return ret; | |
358 | } | |
359 | ||
0f113f3e MC |
360 | int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, |
361 | const BIGNUM *order, const BIGNUM *cofactor) | |
362 | { | |
363 | if (generator == NULL) { | |
364 | ECerr(EC_F_EC_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER); | |
365 | return 0; | |
366 | } | |
367 | ||
b783beea BB |
368 | /* require group->field >= 1 */ |
369 | if (group->field == NULL || BN_is_zero(group->field) | |
370 | || BN_is_negative(group->field)) { | |
371 | ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD); | |
372 | return 0; | |
373 | } | |
374 | ||
375 | /*- | |
376 | * - require order >= 1 | |
377 | * - enforce upper bound due to Hasse thm: order can be no more than one bit | |
378 | * longer than field cardinality | |
379 | */ | |
380 | if (order == NULL || BN_is_zero(order) || BN_is_negative(order) | |
381 | || BN_num_bits(order) > BN_num_bits(group->field) + 1) { | |
382 | ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER); | |
383 | return 0; | |
384 | } | |
385 | ||
386 | /*- | |
387 | * Unfortunately the cofactor is an optional field in many standards. | |
388 | * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor". | |
389 | * So accept cofactor == NULL or cofactor >= 0. | |
390 | */ | |
391 | if (cofactor != NULL && BN_is_negative(cofactor)) { | |
392 | ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR); | |
393 | return 0; | |
394 | } | |
395 | ||
0f113f3e MC |
396 | if (group->generator == NULL) { |
397 | group->generator = EC_POINT_new(group); | |
398 | if (group->generator == NULL) | |
399 | return 0; | |
400 | } | |
401 | if (!EC_POINT_copy(group->generator, generator)) | |
402 | return 0; | |
403 | ||
b783beea BB |
404 | if (!BN_copy(group->order, order)) |
405 | return 0; | |
0f113f3e | 406 | |
b783beea BB |
407 | /* Either take the provided positive cofactor, or try to compute it */ |
408 | if (cofactor != NULL && !BN_is_zero(cofactor)) { | |
0f113f3e MC |
409 | if (!BN_copy(group->cofactor, cofactor)) |
410 | return 0; | |
b783beea | 411 | } else if (!ec_guess_cofactor(group)) { |
0f113f3e | 412 | BN_zero(group->cofactor); |
b783beea | 413 | return 0; |
8402cd5f | 414 | } |
b783beea | 415 | |
0f113f3e | 416 | /* |
3a6a4a93 | 417 | * Some groups have an order with |
0f113f3e MC |
418 | * factors of two, which makes the Montgomery setup fail. |
419 | * |group->mont_data| will be NULL in this case. | |
420 | */ | |
3a6a4a93 BB |
421 | if (BN_is_odd(group->order)) { |
422 | return ec_precompute_mont_data(group); | |
423 | } | |
0f113f3e | 424 | |
3a6a4a93 BB |
425 | BN_MONT_CTX_free(group->mont_data); |
426 | group->mont_data = NULL; | |
0f113f3e MC |
427 | return 1; |
428 | } | |
bb62a8b0 | 429 | |
9dd84053 | 430 | const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) |
0f113f3e MC |
431 | { |
432 | return group->generator; | |
433 | } | |
bb62a8b0 | 434 | |
f54be179 | 435 | BN_MONT_CTX *EC_GROUP_get_mont_data(const EC_GROUP *group) |
0f113f3e MC |
436 | { |
437 | return group->mont_data; | |
438 | } | |
bb62a8b0 | 439 | |
b6db386f | 440 | int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) |
0f113f3e | 441 | { |
be2e334f DSH |
442 | if (group->order == NULL) |
443 | return 0; | |
0f113f3e MC |
444 | if (!BN_copy(order, group->order)) |
445 | return 0; | |
0657bf9c | 446 | |
0f113f3e MC |
447 | return !BN_is_zero(order); |
448 | } | |
0657bf9c | 449 | |
be2e334f DSH |
450 | const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group) |
451 | { | |
452 | return group->order; | |
453 | } | |
454 | ||
455 | int EC_GROUP_order_bits(const EC_GROUP *group) | |
456 | { | |
77470e98 | 457 | return group->meth->group_order_bits(group); |
be2e334f DSH |
458 | } |
459 | ||
0f113f3e MC |
460 | int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, |
461 | BN_CTX *ctx) | |
462 | { | |
be2e334f DSH |
463 | |
464 | if (group->cofactor == NULL) | |
465 | return 0; | |
0f113f3e MC |
466 | if (!BN_copy(cofactor, group->cofactor)) |
467 | return 0; | |
48fe4d62 | 468 | |
0f113f3e MC |
469 | return !BN_is_zero(group->cofactor); |
470 | } | |
48fe4d62 | 471 | |
be2e334f DSH |
472 | const BIGNUM *EC_GROUP_get0_cofactor(const EC_GROUP *group) |
473 | { | |
474 | return group->cofactor; | |
475 | } | |
476 | ||
7dc17a6c | 477 | void EC_GROUP_set_curve_name(EC_GROUP *group, int nid) |
0f113f3e MC |
478 | { |
479 | group->curve_name = nid; | |
480 | } | |
b6db386f | 481 | |
7dc17a6c | 482 | int EC_GROUP_get_curve_name(const EC_GROUP *group) |
0f113f3e MC |
483 | { |
484 | return group->curve_name; | |
485 | } | |
b6db386f | 486 | |
fa1f0306 DA |
487 | const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group) |
488 | { | |
489 | return group->field; | |
490 | } | |
491 | ||
23ccae80 BB |
492 | int EC_GROUP_get_field_type(const EC_GROUP *group) |
493 | { | |
494 | return group->meth->field_type; | |
495 | } | |
496 | ||
458c2917 | 497 | void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) |
0f113f3e MC |
498 | { |
499 | group->asn1_flag = flag; | |
500 | } | |
458c2917 BM |
501 | |
502 | int EC_GROUP_get_asn1_flag(const EC_GROUP *group) | |
0f113f3e MC |
503 | { |
504 | return group->asn1_flag; | |
505 | } | |
458c2917 | 506 | |
0f113f3e | 507 | void EC_GROUP_set_point_conversion_form(EC_GROUP *group, |
254ef80d | 508 | point_conversion_form_t form) |
0f113f3e MC |
509 | { |
510 | group->asn1_form = form; | |
511 | } | |
254ef80d | 512 | |
0f113f3e MC |
513 | point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP |
514 | *group) | |
515 | { | |
516 | return group->asn1_form; | |
517 | } | |
254ef80d | 518 | |
5f3d6f70 | 519 | size_t EC_GROUP_set_seed(EC_GROUP *group, const unsigned char *p, size_t len) |
0f113f3e | 520 | { |
b548a1f1 RS |
521 | OPENSSL_free(group->seed); |
522 | group->seed = NULL; | |
523 | group->seed_len = 0; | |
5f3d6f70 | 524 | |
0f113f3e MC |
525 | if (!len || !p) |
526 | return 1; | |
5f3d6f70 | 527 | |
f06080cb F |
528 | if ((group->seed = OPENSSL_malloc(len)) == NULL) { |
529 | ECerr(EC_F_EC_GROUP_SET_SEED, ERR_R_MALLOC_FAILURE); | |
0f113f3e | 530 | return 0; |
f06080cb | 531 | } |
0f113f3e MC |
532 | memcpy(group->seed, p, len); |
533 | group->seed_len = len; | |
5f3d6f70 | 534 | |
0f113f3e MC |
535 | return len; |
536 | } | |
5f3d6f70 BM |
537 | |
538 | unsigned char *EC_GROUP_get0_seed(const EC_GROUP *group) | |
0f113f3e MC |
539 | { |
540 | return group->seed; | |
541 | } | |
5f3d6f70 BM |
542 | |
543 | size_t EC_GROUP_get_seed_len(const EC_GROUP *group) | |
0f113f3e MC |
544 | { |
545 | return group->seed_len; | |
546 | } | |
547 | ||
8e3cced7 MC |
548 | int EC_GROUP_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, |
549 | const BIGNUM *b, BN_CTX *ctx) | |
0f113f3e MC |
550 | { |
551 | if (group->meth->group_set_curve == 0) { | |
8e3cced7 | 552 | ECerr(EC_F_EC_GROUP_SET_CURVE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
0f113f3e MC |
553 | return 0; |
554 | } | |
555 | return group->meth->group_set_curve(group, p, a, b, ctx); | |
556 | } | |
557 | ||
8e3cced7 MC |
558 | int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, |
559 | BN_CTX *ctx) | |
0f113f3e | 560 | { |
8e3cced7 MC |
561 | if (group->meth->group_get_curve == NULL) { |
562 | ECerr(EC_F_EC_GROUP_GET_CURVE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
0f113f3e MC |
563 | return 0; |
564 | } | |
565 | return group->meth->group_get_curve(group, p, a, b, ctx); | |
566 | } | |
7793f30e | 567 | |
936c2b9e | 568 | #ifndef OPENSSL_NO_DEPRECATED_3_0 |
8e3cced7 MC |
569 | int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, |
570 | const BIGNUM *b, BN_CTX *ctx) | |
571 | { | |
572 | return EC_GROUP_set_curve(group, p, a, b, ctx); | |
573 | } | |
574 | ||
575 | int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, | |
576 | BIGNUM *b, BN_CTX *ctx) | |
577 | { | |
578 | return EC_GROUP_get_curve(group, p, a, b, ctx); | |
579 | } | |
580 | ||
50db8163 | 581 | # ifndef OPENSSL_NO_EC2M |
0f113f3e MC |
582 | int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, |
583 | const BIGNUM *b, BN_CTX *ctx) | |
584 | { | |
8e3cced7 | 585 | return EC_GROUP_set_curve(group, p, a, b, ctx); |
0f113f3e MC |
586 | } |
587 | ||
588 | int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, | |
589 | BIGNUM *b, BN_CTX *ctx) | |
590 | { | |
8e3cced7 | 591 | return EC_GROUP_get_curve(group, p, a, b, ctx); |
0f113f3e | 592 | } |
50db8163 | 593 | # endif |
b3310161 | 594 | #endif |
7793f30e BM |
595 | |
596 | int EC_GROUP_get_degree(const EC_GROUP *group) | |
0f113f3e MC |
597 | { |
598 | if (group->meth->group_get_degree == 0) { | |
599 | ECerr(EC_F_EC_GROUP_GET_DEGREE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
600 | return 0; | |
601 | } | |
602 | return group->meth->group_get_degree(group); | |
603 | } | |
48fe4d62 | 604 | |
17d6bb81 | 605 | int EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx) |
0f113f3e MC |
606 | { |
607 | if (group->meth->group_check_discriminant == 0) { | |
608 | ECerr(EC_F_EC_GROUP_CHECK_DISCRIMINANT, | |
609 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
610 | return 0; | |
611 | } | |
612 | return group->meth->group_check_discriminant(group, ctx); | |
613 | } | |
af28dd6c | 614 | |
ada0e717 | 615 | int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx) |
0f113f3e MC |
616 | { |
617 | int r = 0; | |
618 | BIGNUM *a1, *a2, *a3, *b1, *b2, *b3; | |
f844f9eb | 619 | #ifndef FIPS_MODULE |
0f113f3e | 620 | BN_CTX *ctx_new = NULL; |
a9612d6c | 621 | #endif |
a9612d6c | 622 | |
0f113f3e | 623 | /* compare the field types */ |
23ccae80 | 624 | if (EC_GROUP_get_field_type(a) != EC_GROUP_get_field_type(b)) |
0f113f3e MC |
625 | return 1; |
626 | /* compare the curve name (if present in both) */ | |
627 | if (EC_GROUP_get_curve_name(a) && EC_GROUP_get_curve_name(b) && | |
628 | EC_GROUP_get_curve_name(a) != EC_GROUP_get_curve_name(b)) | |
629 | return 1; | |
6903e2e7 DSH |
630 | if (a->meth->flags & EC_FLAGS_CUSTOM_CURVE) |
631 | return 0; | |
0f113f3e | 632 | |
f844f9eb | 633 | #ifndef FIPS_MODULE |
0e8b6c97 AT |
634 | if (ctx == NULL) |
635 | ctx_new = ctx = BN_CTX_new(); | |
636 | #endif | |
637 | if (ctx == NULL) | |
638 | return -1; | |
639 | ||
0f113f3e MC |
640 | BN_CTX_start(ctx); |
641 | a1 = BN_CTX_get(ctx); | |
642 | a2 = BN_CTX_get(ctx); | |
643 | a3 = BN_CTX_get(ctx); | |
644 | b1 = BN_CTX_get(ctx); | |
645 | b2 = BN_CTX_get(ctx); | |
646 | b3 = BN_CTX_get(ctx); | |
90945fa3 | 647 | if (b3 == NULL) { |
0f113f3e | 648 | BN_CTX_end(ctx); |
f844f9eb | 649 | #ifndef FIPS_MODULE |
23a1d5e9 | 650 | BN_CTX_free(ctx_new); |
a9612d6c | 651 | #endif |
0f113f3e MC |
652 | return -1; |
653 | } | |
654 | ||
655 | /* | |
656 | * XXX This approach assumes that the external representation of curves | |
657 | * over the same field type is the same. | |
658 | */ | |
659 | if (!a->meth->group_get_curve(a, a1, a2, a3, ctx) || | |
660 | !b->meth->group_get_curve(b, b1, b2, b3, ctx)) | |
661 | r = 1; | |
662 | ||
8402cd5f SL |
663 | /* return 1 if the curve parameters are different */ |
664 | if (r || BN_cmp(a1, b1) != 0 || BN_cmp(a2, b2) != 0 || BN_cmp(a3, b3) != 0) | |
0f113f3e MC |
665 | r = 1; |
666 | ||
ac2b52c6 | 667 | /* XXX EC_POINT_cmp() assumes that the methods are equal */ |
8402cd5f | 668 | /* return 1 if the generators are different */ |
0f113f3e | 669 | if (r || EC_POINT_cmp(a, EC_GROUP_get0_generator(a), |
8402cd5f | 670 | EC_GROUP_get0_generator(b), ctx) != 0) |
0f113f3e MC |
671 | r = 1; |
672 | ||
673 | if (!r) { | |
be2e334f | 674 | const BIGNUM *ao, *bo, *ac, *bc; |
ac2b52c6 | 675 | /* compare the orders */ |
be2e334f DSH |
676 | ao = EC_GROUP_get0_order(a); |
677 | bo = EC_GROUP_get0_order(b); | |
be2e334f | 678 | if (ao == NULL || bo == NULL) { |
8402cd5f SL |
679 | /* return an error if either order is NULL */ |
680 | r = -1; | |
681 | goto end; | |
682 | } | |
683 | if (BN_cmp(ao, bo) != 0) { | |
684 | /* return 1 if orders are different */ | |
685 | r = 1; | |
686 | goto end; | |
0f113f3e | 687 | } |
8402cd5f SL |
688 | /* |
689 | * It gets here if the curve parameters and generator matched. | |
690 | * Now check the optional cofactors (if both are present). | |
691 | */ | |
692 | ac = EC_GROUP_get0_cofactor(a); | |
693 | bc = EC_GROUP_get0_cofactor(b); | |
694 | /* Returns 1 (mismatch) if both cofactors are specified and different */ | |
695 | if (!BN_is_zero(ac) && !BN_is_zero(bc) && BN_cmp(ac, bc) != 0) | |
0f113f3e | 696 | r = 1; |
8402cd5f | 697 | /* Returns 0 if the parameters matched */ |
0f113f3e | 698 | } |
8402cd5f | 699 | end: |
0f113f3e | 700 | BN_CTX_end(ctx); |
f844f9eb | 701 | #ifndef FIPS_MODULE |
23a1d5e9 | 702 | BN_CTX_free(ctx_new); |
a9612d6c | 703 | #endif |
0f113f3e MC |
704 | return r; |
705 | } | |
ada0e717 | 706 | |
0657bf9c BM |
707 | /* functions for EC_POINT objects */ |
708 | ||
709 | EC_POINT *EC_POINT_new(const EC_GROUP *group) | |
0f113f3e MC |
710 | { |
711 | EC_POINT *ret; | |
712 | ||
713 | if (group == NULL) { | |
714 | ECerr(EC_F_EC_POINT_NEW, ERR_R_PASSED_NULL_PARAMETER); | |
715 | return NULL; | |
716 | } | |
f06080cb | 717 | if (group->meth->point_init == NULL) { |
0f113f3e MC |
718 | ECerr(EC_F_EC_POINT_NEW, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
719 | return NULL; | |
720 | } | |
721 | ||
1b4cf96f | 722 | ret = OPENSSL_zalloc(sizeof(*ret)); |
0f113f3e MC |
723 | if (ret == NULL) { |
724 | ECerr(EC_F_EC_POINT_NEW, ERR_R_MALLOC_FAILURE); | |
725 | return NULL; | |
726 | } | |
727 | ||
728 | ret->meth = group->meth; | |
b14e6015 | 729 | ret->curve_name = group->curve_name; |
0f113f3e MC |
730 | |
731 | if (!ret->meth->point_init(ret)) { | |
732 | OPENSSL_free(ret); | |
733 | return NULL; | |
734 | } | |
735 | ||
736 | return ret; | |
737 | } | |
0657bf9c BM |
738 | |
739 | void EC_POINT_free(EC_POINT *point) | |
0f113f3e | 740 | { |
12a765a5 | 741 | if (point == NULL) |
0f113f3e | 742 | return; |
7711de24 | 743 | |
0f113f3e MC |
744 | if (point->meth->point_finish != 0) |
745 | point->meth->point_finish(point); | |
746 | OPENSSL_free(point); | |
747 | } | |
0657bf9c BM |
748 | |
749 | void EC_POINT_clear_free(EC_POINT *point) | |
0f113f3e | 750 | { |
12a765a5 | 751 | if (point == NULL) |
0f113f3e MC |
752 | return; |
753 | ||
754 | if (point->meth->point_clear_finish != 0) | |
755 | point->meth->point_clear_finish(point); | |
756 | else if (point->meth->point_finish != 0) | |
757 | point->meth->point_finish(point); | |
b4faea50 | 758 | OPENSSL_clear_free(point, sizeof(*point)); |
0f113f3e | 759 | } |
0657bf9c BM |
760 | |
761 | int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src) | |
0f113f3e MC |
762 | { |
763 | if (dest->meth->point_copy == 0) { | |
764 | ECerr(EC_F_EC_POINT_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
765 | return 0; | |
766 | } | |
b14e6015 MC |
767 | if (dest->meth != src->meth |
768 | || (dest->curve_name != src->curve_name | |
8402cd5f SL |
769 | && dest->curve_name != 0 |
770 | && src->curve_name != 0)) { | |
0f113f3e MC |
771 | ECerr(EC_F_EC_POINT_COPY, EC_R_INCOMPATIBLE_OBJECTS); |
772 | return 0; | |
773 | } | |
774 | if (dest == src) | |
775 | return 1; | |
776 | return dest->meth->point_copy(dest, src); | |
777 | } | |
0657bf9c | 778 | |
7793f30e | 779 | EC_POINT *EC_POINT_dup(const EC_POINT *a, const EC_GROUP *group) |
0f113f3e MC |
780 | { |
781 | EC_POINT *t; | |
782 | int r; | |
783 | ||
784 | if (a == NULL) | |
785 | return NULL; | |
786 | ||
787 | t = EC_POINT_new(group); | |
788 | if (t == NULL) | |
26a7d938 | 789 | return NULL; |
0f113f3e MC |
790 | r = EC_POINT_copy(t, a); |
791 | if (!r) { | |
792 | EC_POINT_free(t); | |
793 | return NULL; | |
8fdc3734 RS |
794 | } |
795 | return t; | |
0f113f3e | 796 | } |
7793f30e | 797 | |
23ccae80 | 798 | #ifndef OPENSSL_NO_DEPRECATED_3_0 |
48fe4d62 | 799 | const EC_METHOD *EC_POINT_method_of(const EC_POINT *point) |
0f113f3e MC |
800 | { |
801 | return point->meth; | |
802 | } | |
23ccae80 | 803 | #endif |
48fe4d62 | 804 | |
226cc7de | 805 | int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point) |
0f113f3e MC |
806 | { |
807 | if (group->meth->point_set_to_infinity == 0) { | |
808 | ECerr(EC_F_EC_POINT_SET_TO_INFINITY, | |
809 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
810 | return 0; | |
811 | } | |
812 | if (group->meth != point->meth) { | |
813 | ECerr(EC_F_EC_POINT_SET_TO_INFINITY, EC_R_INCOMPATIBLE_OBJECTS); | |
814 | return 0; | |
815 | } | |
816 | return group->meth->point_set_to_infinity(group, point); | |
817 | } | |
818 | ||
07caec83 | 819 | #ifndef OPENSSL_NO_DEPRECATED_3_0 |
0f113f3e MC |
820 | int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, |
821 | EC_POINT *point, const BIGNUM *x, | |
822 | const BIGNUM *y, const BIGNUM *z, | |
823 | BN_CTX *ctx) | |
824 | { | |
07caec83 | 825 | if (group->meth->field_type != NID_X9_62_prime_field) { |
0f113f3e MC |
826 | ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, |
827 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
828 | return 0; | |
829 | } | |
b14e6015 | 830 | if (!ec_point_is_compat(point, group)) { |
0f113f3e MC |
831 | ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, |
832 | EC_R_INCOMPATIBLE_OBJECTS); | |
833 | return 0; | |
834 | } | |
07caec83 | 835 | return ec_GFp_simple_set_Jprojective_coordinates_GFp(group, point, x, y, z, ctx); |
0f113f3e MC |
836 | } |
837 | ||
838 | int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, | |
839 | const EC_POINT *point, BIGNUM *x, | |
840 | BIGNUM *y, BIGNUM *z, | |
841 | BN_CTX *ctx) | |
842 | { | |
07caec83 | 843 | if (group->meth->field_type != NID_X9_62_prime_field) { |
0f113f3e MC |
844 | ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, |
845 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
846 | return 0; | |
847 | } | |
b14e6015 | 848 | if (!ec_point_is_compat(point, group)) { |
0f113f3e MC |
849 | ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, |
850 | EC_R_INCOMPATIBLE_OBJECTS); | |
851 | return 0; | |
852 | } | |
07caec83 | 853 | return ec_GFp_simple_get_Jprojective_coordinates_GFp(group, point, x, y, z, ctx); |
0f113f3e | 854 | } |
07caec83 | 855 | #endif |
0f113f3e | 856 | |
8e3cced7 MC |
857 | int EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point, |
858 | const BIGNUM *x, const BIGNUM *y, | |
859 | BN_CTX *ctx) | |
0f113f3e | 860 | { |
8e3cced7 MC |
861 | if (group->meth->point_set_affine_coordinates == NULL) { |
862 | ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES, | |
0f113f3e MC |
863 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
864 | return 0; | |
865 | } | |
b14e6015 | 866 | if (!ec_point_is_compat(point, group)) { |
8e3cced7 | 867 | ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES, EC_R_INCOMPATIBLE_OBJECTS); |
0f113f3e MC |
868 | return 0; |
869 | } | |
1e2012b7 EK |
870 | if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) |
871 | return 0; | |
872 | ||
873 | if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { | |
8e3cced7 | 874 | ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES, EC_R_POINT_IS_NOT_ON_CURVE); |
1e2012b7 EK |
875 | return 0; |
876 | } | |
877 | return 1; | |
0f113f3e | 878 | } |
226cc7de | 879 | |
936c2b9e | 880 | #ifndef OPENSSL_NO_DEPRECATED_3_0 |
8e3cced7 MC |
881 | int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, |
882 | EC_POINT *point, const BIGNUM *x, | |
883 | const BIGNUM *y, BN_CTX *ctx) | |
884 | { | |
885 | return EC_POINT_set_affine_coordinates(group, point, x, y, ctx); | |
886 | } | |
887 | ||
50db8163 | 888 | # ifndef OPENSSL_NO_EC2M |
0f113f3e MC |
889 | int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, |
890 | EC_POINT *point, const BIGNUM *x, | |
891 | const BIGNUM *y, BN_CTX *ctx) | |
892 | { | |
8e3cced7 MC |
893 | return EC_POINT_set_affine_coordinates(group, point, x, y, ctx); |
894 | } | |
50db8163 | 895 | # endif |
8e3cced7 MC |
896 | #endif |
897 | ||
898 | int EC_POINT_get_affine_coordinates(const EC_GROUP *group, | |
899 | const EC_POINT *point, BIGNUM *x, BIGNUM *y, | |
900 | BN_CTX *ctx) | |
901 | { | |
902 | if (group->meth->point_get_affine_coordinates == NULL) { | |
903 | ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES, | |
0f113f3e MC |
904 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
905 | return 0; | |
906 | } | |
b14e6015 | 907 | if (!ec_point_is_compat(point, group)) { |
8e3cced7 | 908 | ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES, EC_R_INCOMPATIBLE_OBJECTS); |
1e2012b7 EK |
909 | return 0; |
910 | } | |
bfb10b97 BB |
911 | if (EC_POINT_is_at_infinity(group, point)) { |
912 | ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY); | |
913 | return 0; | |
914 | } | |
8e3cced7 | 915 | return group->meth->point_get_affine_coordinates(group, point, x, y, ctx); |
0f113f3e | 916 | } |
7793f30e | 917 | |
936c2b9e | 918 | #ifndef OPENSSL_NO_DEPRECATED_3_0 |
0f113f3e MC |
919 | int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, |
920 | const EC_POINT *point, BIGNUM *x, | |
921 | BIGNUM *y, BN_CTX *ctx) | |
922 | { | |
8e3cced7 | 923 | return EC_POINT_get_affine_coordinates(group, point, x, y, ctx); |
0f113f3e | 924 | } |
7793f30e | 925 | |
50db8163 | 926 | # ifndef OPENSSL_NO_EC2M |
0f113f3e MC |
927 | int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, |
928 | const EC_POINT *point, BIGNUM *x, | |
929 | BIGNUM *y, BN_CTX *ctx) | |
930 | { | |
8e3cced7 | 931 | return EC_POINT_get_affine_coordinates(group, point, x, y, ctx); |
0f113f3e | 932 | } |
50db8163 | 933 | # endif |
b3310161 | 934 | #endif |
7793f30e | 935 | |
0f113f3e MC |
936 | int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, |
937 | const EC_POINT *b, BN_CTX *ctx) | |
938 | { | |
939 | if (group->meth->add == 0) { | |
940 | ECerr(EC_F_EC_POINT_ADD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
941 | return 0; | |
942 | } | |
b14e6015 MC |
943 | if (!ec_point_is_compat(r, group) || !ec_point_is_compat(a, group) |
944 | || !ec_point_is_compat(b, group)) { | |
0f113f3e MC |
945 | ECerr(EC_F_EC_POINT_ADD, EC_R_INCOMPATIBLE_OBJECTS); |
946 | return 0; | |
947 | } | |
948 | return group->meth->add(group, r, a, b, ctx); | |
949 | } | |
950 | ||
951 | int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, | |
952 | BN_CTX *ctx) | |
953 | { | |
954 | if (group->meth->dbl == 0) { | |
955 | ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
956 | return 0; | |
957 | } | |
b14e6015 | 958 | if (!ec_point_is_compat(r, group) || !ec_point_is_compat(a, group)) { |
0f113f3e MC |
959 | ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS); |
960 | return 0; | |
961 | } | |
962 | return group->meth->dbl(group, r, a, ctx); | |
963 | } | |
0657bf9c | 964 | |
1d5bd6cf | 965 | int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) |
0f113f3e MC |
966 | { |
967 | if (group->meth->invert == 0) { | |
968 | ECerr(EC_F_EC_POINT_INVERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
969 | return 0; | |
970 | } | |
b14e6015 | 971 | if (!ec_point_is_compat(a, group)) { |
0f113f3e MC |
972 | ECerr(EC_F_EC_POINT_INVERT, EC_R_INCOMPATIBLE_OBJECTS); |
973 | return 0; | |
974 | } | |
975 | return group->meth->invert(group, a, ctx); | |
976 | } | |
1d5bd6cf | 977 | |
0657bf9c | 978 | int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) |
0f113f3e MC |
979 | { |
980 | if (group->meth->is_at_infinity == 0) { | |
981 | ECerr(EC_F_EC_POINT_IS_AT_INFINITY, | |
982 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
983 | return 0; | |
984 | } | |
b14e6015 | 985 | if (!ec_point_is_compat(point, group)) { |
0f113f3e MC |
986 | ECerr(EC_F_EC_POINT_IS_AT_INFINITY, EC_R_INCOMPATIBLE_OBJECTS); |
987 | return 0; | |
988 | } | |
989 | return group->meth->is_at_infinity(group, point); | |
990 | } | |
991 | ||
68886be7 MC |
992 | /* |
993 | * Check whether an EC_POINT is on the curve or not. Note that the return | |
994 | * value for this function should NOT be treated as a boolean. Return values: | |
995 | * 1: The point is on the curve | |
996 | * 0: The point is not on the curve | |
997 | * -1: An error occurred | |
998 | */ | |
0f113f3e MC |
999 | int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, |
1000 | BN_CTX *ctx) | |
1001 | { | |
1002 | if (group->meth->is_on_curve == 0) { | |
1003 | ECerr(EC_F_EC_POINT_IS_ON_CURVE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
1004 | return 0; | |
1005 | } | |
b14e6015 | 1006 | if (!ec_point_is_compat(point, group)) { |
0f113f3e MC |
1007 | ECerr(EC_F_EC_POINT_IS_ON_CURVE, EC_R_INCOMPATIBLE_OBJECTS); |
1008 | return 0; | |
1009 | } | |
1010 | return group->meth->is_on_curve(group, point, ctx); | |
1011 | } | |
1012 | ||
1013 | int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, | |
1014 | BN_CTX *ctx) | |
1015 | { | |
1016 | if (group->meth->point_cmp == 0) { | |
1017 | ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
1018 | return -1; | |
1019 | } | |
b14e6015 | 1020 | if (!ec_point_is_compat(a, group) || !ec_point_is_compat(b, group)) { |
0f113f3e MC |
1021 | ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS); |
1022 | return -1; | |
1023 | } | |
1024 | return group->meth->point_cmp(group, a, b, ctx); | |
1025 | } | |
1d5bd6cf | 1026 | |
c2f2db9b | 1027 | #ifndef OPENSSL_NO_DEPRECATED_3_0 |
e869d4bd | 1028 | int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) |
0f113f3e MC |
1029 | { |
1030 | if (group->meth->make_affine == 0) { | |
1031 | ECerr(EC_F_EC_POINT_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
1032 | return 0; | |
1033 | } | |
b14e6015 | 1034 | if (!ec_point_is_compat(point, group)) { |
0f113f3e MC |
1035 | ECerr(EC_F_EC_POINT_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS); |
1036 | return 0; | |
1037 | } | |
1038 | return group->meth->make_affine(group, point, ctx); | |
1039 | } | |
1040 | ||
1041 | int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, | |
1042 | EC_POINT *points[], BN_CTX *ctx) | |
1043 | { | |
1044 | size_t i; | |
1045 | ||
1046 | if (group->meth->points_make_affine == 0) { | |
1047 | ECerr(EC_F_EC_POINTS_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |
1048 | return 0; | |
1049 | } | |
1050 | for (i = 0; i < num; i++) { | |
b14e6015 | 1051 | if (!ec_point_is_compat(points[i], group)) { |
0f113f3e MC |
1052 | ECerr(EC_F_EC_POINTS_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS); |
1053 | return 0; | |
1054 | } | |
1055 | } | |
1056 | return group->meth->points_make_affine(group, num, points, ctx); | |
1057 | } | |
c2f2db9b | 1058 | #endif |
0f113f3e MC |
1059 | |
1060 | /* | |
1061 | * Functions for point multiplication. If group->meth->mul is 0, we use the | |
1062 | * wNAF-based implementations in ec_mult.c; otherwise we dispatch through | |
1063 | * methods. | |
37c660ff BM |
1064 | */ |
1065 | ||
4fcd15c1 | 1066 | #ifndef OPENSSL_NO_DEPRECATED_3_0 |
37c660ff | 1067 | int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, |
0f113f3e MC |
1068 | size_t num, const EC_POINT *points[], |
1069 | const BIGNUM *scalars[], BN_CTX *ctx) | |
1070 | { | |
01ad66f8 NT |
1071 | int ret = 0; |
1072 | size_t i = 0; | |
f844f9eb | 1073 | #ifndef FIPS_MODULE |
01ad66f8 | 1074 | BN_CTX *new_ctx = NULL; |
a9612d6c | 1075 | #endif |
a9612d6c | 1076 | |
01ad66f8 NT |
1077 | if (!ec_point_is_compat(r, group)) { |
1078 | ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); | |
1079 | return 0; | |
1080 | } | |
1eb9b54a BE |
1081 | |
1082 | if (scalar == NULL && num == 0) | |
1083 | return EC_POINT_set_to_infinity(group, r); | |
1084 | ||
01ad66f8 NT |
1085 | for (i = 0; i < num; i++) { |
1086 | if (!ec_point_is_compat(points[i], group)) { | |
1087 | ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); | |
1088 | return 0; | |
1089 | } | |
1090 | } | |
1091 | ||
f844f9eb | 1092 | #ifndef FIPS_MODULE |
0e8b6c97 AT |
1093 | if (ctx == NULL) |
1094 | ctx = new_ctx = BN_CTX_secure_new(); | |
1095 | #endif | |
1096 | if (ctx == NULL) { | |
1097 | ECerr(EC_F_EC_POINTS_MUL, ERR_R_INTERNAL_ERROR); | |
1098 | return 0; | |
1099 | } | |
1100 | ||
01ad66f8 NT |
1101 | if (group->meth->mul != NULL) |
1102 | ret = group->meth->mul(group, r, scalar, num, points, scalars, ctx); | |
1103 | else | |
0f113f3e | 1104 | /* use default */ |
01ad66f8 | 1105 | ret = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); |
37c660ff | 1106 | |
f844f9eb | 1107 | #ifndef FIPS_MODULE |
01ad66f8 | 1108 | BN_CTX_free(new_ctx); |
a9612d6c | 1109 | #endif |
01ad66f8 | 1110 | return ret; |
0f113f3e | 1111 | } |
4fcd15c1 | 1112 | #endif |
37c660ff BM |
1113 | |
1114 | int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, | |
0f113f3e MC |
1115 | const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx) |
1116 | { | |
4fcd15c1 | 1117 | int ret = 0; |
9c47a338 | 1118 | size_t num; |
4fcd15c1 BB |
1119 | #ifndef FIPS_MODULE |
1120 | BN_CTX *new_ctx = NULL; | |
1121 | #endif | |
37c660ff | 1122 | |
4fcd15c1 BB |
1123 | if (!ec_point_is_compat(r, group) |
1124 | || (point != NULL && !ec_point_is_compat(point, group))) { | |
1125 | ECerr(EC_F_EC_POINT_MUL, EC_R_INCOMPATIBLE_OBJECTS); | |
1126 | return 0; | |
1127 | } | |
37c660ff | 1128 | |
4fcd15c1 BB |
1129 | if (g_scalar == NULL && p_scalar == NULL) |
1130 | return EC_POINT_set_to_infinity(group, r); | |
37c660ff | 1131 | |
4fcd15c1 BB |
1132 | #ifndef FIPS_MODULE |
1133 | if (ctx == NULL) | |
1134 | ctx = new_ctx = BN_CTX_secure_new(); | |
1135 | #endif | |
1136 | if (ctx == NULL) { | |
1137 | ECerr(EC_F_EC_POINT_MUL, ERR_R_INTERNAL_ERROR); | |
1138 | return 0; | |
1139 | } | |
1140 | ||
9c47a338 | 1141 | num = (point != NULL && p_scalar != NULL) ? 1 : 0; |
4fcd15c1 | 1142 | if (group->meth->mul != NULL) |
9c47a338 | 1143 | ret = group->meth->mul(group, r, g_scalar, num, &point, &p_scalar, ctx); |
4fcd15c1 BB |
1144 | else |
1145 | /* use default */ | |
9c47a338 | 1146 | ret = ec_wNAF_mul(group, r, g_scalar, num, &point, &p_scalar, ctx); |
4fcd15c1 BB |
1147 | |
1148 | #ifndef FIPS_MODULE | |
1149 | BN_CTX_free(new_ctx); | |
1150 | #endif | |
1151 | return ret; | |
0f113f3e | 1152 | } |
37c660ff | 1153 | |
6b4eb933 | 1154 | #ifndef OPENSSL_NO_DEPRECATED_3_0 |
37c660ff | 1155 | int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx) |
0f113f3e MC |
1156 | { |
1157 | if (group->meth->mul == 0) | |
1158 | /* use default */ | |
1159 | return ec_wNAF_precompute_mult(group, ctx); | |
37c660ff | 1160 | |
0f113f3e MC |
1161 | if (group->meth->precompute_mult != 0) |
1162 | return group->meth->precompute_mult(group, ctx); | |
1163 | else | |
1164 | return 1; /* nothing to do, so report success */ | |
1165 | } | |
37c660ff BM |
1166 | |
1167 | int EC_GROUP_have_precompute_mult(const EC_GROUP *group) | |
0f113f3e MC |
1168 | { |
1169 | if (group->meth->mul == 0) | |
1170 | /* use default */ | |
1171 | return ec_wNAF_have_precompute_mult(group); | |
1172 | ||
1173 | if (group->meth->have_precompute_mult != 0) | |
1174 | return group->meth->have_precompute_mult(group); | |
1175 | else | |
1176 | return 0; /* cannot tell whether precomputation has | |
1177 | * been performed */ | |
1178 | } | |
6b4eb933 | 1179 | #endif |
0f113f3e MC |
1180 | |
1181 | /* | |
1182 | * ec_precompute_mont_data sets |group->mont_data| from |group->order| and | |
1183 | * returns one on success. On error it returns zero. | |
1184 | */ | |
eb791696 | 1185 | static int ec_precompute_mont_data(EC_GROUP *group) |
0f113f3e | 1186 | { |
a9612d6c | 1187 | BN_CTX *ctx = BN_CTX_new_ex(group->libctx); |
0f113f3e MC |
1188 | int ret = 0; |
1189 | ||
23a1d5e9 RS |
1190 | BN_MONT_CTX_free(group->mont_data); |
1191 | group->mont_data = NULL; | |
0f113f3e MC |
1192 | |
1193 | if (ctx == NULL) | |
1194 | goto err; | |
1195 | ||
1196 | group->mont_data = BN_MONT_CTX_new(); | |
90945fa3 | 1197 | if (group->mont_data == NULL) |
0f113f3e MC |
1198 | goto err; |
1199 | ||
1200 | if (!BN_MONT_CTX_set(group->mont_data, group->order, ctx)) { | |
1201 | BN_MONT_CTX_free(group->mont_data); | |
1202 | group->mont_data = NULL; | |
1203 | goto err; | |
1204 | } | |
1205 | ||
1206 | ret = 1; | |
1207 | ||
1208 | err: | |
1209 | ||
23a1d5e9 | 1210 | BN_CTX_free(ctx); |
0f113f3e MC |
1211 | return ret; |
1212 | } | |
3aef36ff | 1213 | |
f844f9eb | 1214 | #ifndef FIPS_MODULE |
3aef36ff RS |
1215 | int EC_KEY_set_ex_data(EC_KEY *key, int idx, void *arg) |
1216 | { | |
1217 | return CRYPTO_set_ex_data(&key->ex_data, idx, arg); | |
1218 | } | |
1219 | ||
1220 | void *EC_KEY_get_ex_data(const EC_KEY *key, int idx) | |
1221 | { | |
1222 | return CRYPTO_get_ex_data(&key->ex_data, idx); | |
1223 | } | |
a9612d6c | 1224 | #endif |
77470e98 DSH |
1225 | |
1226 | int ec_group_simple_order_bits(const EC_GROUP *group) | |
1227 | { | |
1228 | if (group->order == NULL) | |
1229 | return 0; | |
1230 | return BN_num_bits(group->order); | |
1231 | } | |
eb791696 | 1232 | |
c11d372b | 1233 | static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r, |
792546eb | 1234 | const BIGNUM *x, BN_CTX *ctx) |
c11d372b | 1235 | { |
262dccc0 | 1236 | BIGNUM *e = NULL; |
c11d372b | 1237 | int ret = 0; |
f844f9eb | 1238 | #ifndef FIPS_MODULE |
a9612d6c | 1239 | BN_CTX *new_ctx = NULL; |
0e8b6c97 AT |
1240 | #endif |
1241 | ||
1242 | if (group->mont_data == NULL) | |
1243 | return 0; | |
c11d372b | 1244 | |
f844f9eb | 1245 | #ifndef FIPS_MODULE |
a9612d6c MC |
1246 | if (ctx == NULL) |
1247 | ctx = new_ctx = BN_CTX_secure_new(); | |
1248 | #endif | |
1249 | if (ctx == NULL) | |
792546eb BB |
1250 | return 0; |
1251 | ||
c11d372b | 1252 | BN_CTX_start(ctx); |
262dccc0 | 1253 | if ((e = BN_CTX_get(ctx)) == NULL) |
c11d372b BB |
1254 | goto err; |
1255 | ||
792546eb BB |
1256 | /*- |
1257 | * We want inverse in constant time, therefore we utilize the fact | |
1258 | * order must be prime and use Fermats Little Theorem instead. | |
1259 | */ | |
1260 | if (!BN_set_word(e, 2)) | |
1261 | goto err; | |
1262 | if (!BN_sub(e, group->order, e)) | |
1263 | goto err; | |
1264 | /*- | |
1265 | * Exponent e is public. | |
1266 | * No need for scatter-gather or BN_FLG_CONSTTIME. | |
1267 | */ | |
1268 | if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data)) | |
1269 | goto err; | |
c11d372b | 1270 | |
792546eb | 1271 | ret = 1; |
c11d372b BB |
1272 | |
1273 | err: | |
ce1415ed | 1274 | BN_CTX_end(ctx); |
f844f9eb | 1275 | #ifndef FIPS_MODULE |
c11d372b | 1276 | BN_CTX_free(new_ctx); |
a9612d6c | 1277 | #endif |
c11d372b BB |
1278 | return ret; |
1279 | } | |
1280 | ||
792546eb BB |
1281 | /*- |
1282 | * Default behavior, if group->meth->field_inverse_mod_ord is NULL: | |
1283 | * - When group->order is even, this function returns an error. | |
1284 | * - When group->order is otherwise composite, the correctness | |
1285 | * of the output is not guaranteed. | |
1286 | * - When x is outside the range [1, group->order), the correctness | |
1287 | * of the output is not guaranteed. | |
1288 | * - Otherwise, this function returns the multiplicative inverse in the | |
1289 | * range [1, group->order). | |
1290 | * | |
1291 | * EC_METHODs must implement their own field_inverse_mod_ord for | |
1292 | * other functionality. | |
1293 | */ | |
1294 | int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res, | |
1295 | const BIGNUM *x, BN_CTX *ctx) | |
eb791696 AP |
1296 | { |
1297 | if (group->meth->field_inverse_mod_ord != NULL) | |
1298 | return group->meth->field_inverse_mod_ord(group, res, x, ctx); | |
1299 | else | |
c11d372b | 1300 | return ec_field_inverse_mod_ord(group, res, x, ctx); |
eb791696 | 1301 | } |
f667820c SH |
1302 | |
1303 | /*- | |
1304 | * Coordinate blinding for EC_POINT. | |
1305 | * | |
1306 | * The underlying EC_METHOD can optionally implement this function: | |
1307 | * underlying implementations should return 0 on errors, or 1 on | |
1308 | * success. | |
1309 | * | |
1310 | * This wrapper returns 1 in case the underlying EC_METHOD does not | |
1311 | * support coordinate blinding. | |
1312 | */ | |
1313 | int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx) | |
1314 | { | |
1315 | if (group->meth->blind_coordinates == NULL) | |
1316 | return 1; /* ignore if not implemented */ | |
1317 | ||
1318 | return group->meth->blind_coordinates(group, p, ctx); | |
1319 | } |