1/* 2 * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11#include <stdlib.h> 12 13#include <openssl/obj_mac.h> 14#include <openssl/ec.h> 15#include <openssl/bn.h> 16#include "internal/refcount.h" 17#include "crypto/ec.h" 18 19#if defined(__SUNPRO_C) 20# if __SUNPRO_C >= 0x520 21# pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE) 22# endif 23#endif 24 25/* Use default functions for poin2oct, oct2point and compressed coordinates */ 26#define EC_FLAGS_DEFAULT_OCT 0x1 27 28/* Use custom formats for EC_GROUP, EC_POINT and EC_KEY */ 29#define EC_FLAGS_CUSTOM_CURVE 0x2 30 31/* Curve does not support signing operations */ 32#define EC_FLAGS_NO_SIGN 0x4 33 34#ifdef OPENSSL_NO_DEPRECATED_3_0 35typedef struct ec_method_st EC_METHOD; 36#endif 37 38/* 39 * Structure details are not part of the exported interface, so all this may 40 * change in future versions. 41 */ 42 43struct ec_method_st { 44 /* Various method flags */ 45 int flags; 46 /* used by EC_METHOD_get_field_type: */ 47 int field_type; /* a NID */ 48 /* 49 * used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, 50 * EC_GROUP_copy: 51 */ 52 int (*group_init) (EC_GROUP *); 53 void (*group_finish) (EC_GROUP *); 54 void (*group_clear_finish) (EC_GROUP *); 55 int (*group_copy) (EC_GROUP *, const EC_GROUP *); 56 /* used by EC_GROUP_set_curve, EC_GROUP_get_curve: */ 57 int (*group_set_curve) (EC_GROUP *, const BIGNUM *p, const BIGNUM *a, 58 const BIGNUM *b, BN_CTX *); 59 int (*group_get_curve) (const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, 60 BN_CTX *); 61 /* used by EC_GROUP_get_degree: */ 62 int (*group_get_degree) (const EC_GROUP *); 63 int (*group_order_bits) (const EC_GROUP *); 64 /* used by EC_GROUP_check: */ 65 int (*group_check_discriminant) (const EC_GROUP *, BN_CTX *); 66 /* 67 * used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, 68 * EC_POINT_copy: 69 */ 70 int (*point_init) (EC_POINT *); 71 void (*point_finish) (EC_POINT *); 72 void (*point_clear_finish) (EC_POINT *); 73 int (*point_copy) (EC_POINT *, const EC_POINT *); 74 /*- 75 * used by EC_POINT_set_to_infinity, 76 * EC_POINT_set_Jprojective_coordinates_GFp, 77 * EC_POINT_get_Jprojective_coordinates_GFp, 78 * EC_POINT_set_affine_coordinates, 79 * EC_POINT_get_affine_coordinates, 80 * EC_POINT_set_compressed_coordinates: 81 */ 82 int (*point_set_to_infinity) (const EC_GROUP *, EC_POINT *); 83 int (*point_set_affine_coordinates) (const EC_GROUP *, EC_POINT *, 84 const BIGNUM *x, const BIGNUM *y, 85 BN_CTX *); 86 int (*point_get_affine_coordinates) (const EC_GROUP *, const EC_POINT *, 87 BIGNUM *x, BIGNUM *y, BN_CTX *); 88 int (*point_set_compressed_coordinates) (const EC_GROUP *, EC_POINT *, 89 const BIGNUM *x, int y_bit, 90 BN_CTX *); 91 /* used by EC_POINT_point2oct, EC_POINT_oct2point: */ 92 size_t (*point2oct) (const EC_GROUP *, const EC_POINT *, 93 point_conversion_form_t form, unsigned char *buf, 94 size_t len, BN_CTX *); 95 int (*oct2point) (const EC_GROUP *, EC_POINT *, const unsigned char *buf, 96 size_t len, BN_CTX *); 97 /* used by EC_POINT_add, EC_POINT_dbl, ECP_POINT_invert: */ 98 int (*add) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a, 99 const EC_POINT *b, BN_CTX *); 100 int (*dbl) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *); 101 int (*invert) (const EC_GROUP *, EC_POINT *, BN_CTX *); 102 /* 103 * used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp: 104 */ 105 int (*is_at_infinity) (const EC_GROUP *, const EC_POINT *); 106 int (*is_on_curve) (const EC_GROUP *, const EC_POINT *, BN_CTX *); 107 int (*point_cmp) (const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, 108 BN_CTX *); 109 /* used by EC_POINT_make_affine, EC_POINTs_make_affine: */ 110 int (*make_affine) (const EC_GROUP *, EC_POINT *, BN_CTX *); 111 int (*points_make_affine) (const EC_GROUP *, size_t num, EC_POINT *[], 112 BN_CTX *); 113 /* 114 * used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, 115 * EC_POINT_have_precompute_mult (default implementations are used if the 116 * 'mul' pointer is 0): 117 */ 118 /*- 119 * mul() calculates the value 120 * 121 * r := generator * scalar 122 * + points[0] * scalars[0] 123 * + ... 124 * + points[num-1] * scalars[num-1]. 125 * 126 * For a fixed point multiplication (scalar != NULL, num == 0) 127 * or a variable point multiplication (scalar == NULL, num == 1), 128 * mul() must use a constant time algorithm: in both cases callers 129 * should provide an input scalar (either scalar or scalars[0]) 130 * in the range [0, ec_group_order); for robustness, implementers 131 * should handle the case when the scalar has not been reduced, but 132 * may treat it as an unusual input, without any constant-timeness 133 * guarantee. 134 */ 135 int (*mul) (const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, 136 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], 137 BN_CTX *); 138 int (*precompute_mult) (EC_GROUP *group, BN_CTX *); 139 int (*have_precompute_mult) (const EC_GROUP *group); 140 /* internal functions */ 141 /* 142 * 'field_mul', 'field_sqr', and 'field_div' can be used by 'add' and 143 * 'dbl' so that the same implementations of point operations can be used 144 * with different optimized implementations of expensive field 145 * operations: 146 */ 147 int (*field_mul) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 148 const BIGNUM *b, BN_CTX *); 149 int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); 150 int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 151 const BIGNUM *b, BN_CTX *); 152 /*- 153 * 'field_inv' computes the multiplicative inverse of a in the field, 154 * storing the result in r. 155 * 156 * If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error. 157 */ 158 int (*field_inv) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); 159 /* e.g. to Montgomery */ 160 int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 161 BN_CTX *); 162 /* e.g. from Montgomery */ 163 int (*field_decode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 164 BN_CTX *); 165 int (*field_set_to_one) (const EC_GROUP *, BIGNUM *r, BN_CTX *); 166 /* private key operations */ 167 size_t (*priv2oct)(const EC_KEY *eckey, unsigned char *buf, size_t len); 168 int (*oct2priv)(EC_KEY *eckey, const unsigned char *buf, size_t len); 169 int (*set_private)(EC_KEY *eckey, const BIGNUM *priv_key); 170 int (*keygen)(EC_KEY *eckey); 171 int (*keycheck)(const EC_KEY *eckey); 172 int (*keygenpub)(EC_KEY *eckey); 173 int (*keycopy)(EC_KEY *dst, const EC_KEY *src); 174 void (*keyfinish)(EC_KEY *eckey); 175 /* custom ECDH operation */ 176 int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen, 177 const EC_POINT *pub_key, const EC_KEY *ecdh); 178 /* custom ECDSA */ 179 int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinvp, 180 BIGNUM **rp); 181 ECDSA_SIG *(*ecdsa_sign_sig)(const unsigned char *dgst, int dgstlen, 182 const BIGNUM *kinv, const BIGNUM *r, 183 EC_KEY *eckey); 184 int (*ecdsa_verify_sig)(const unsigned char *dgst, int dgstlen, 185 const ECDSA_SIG *sig, EC_KEY *eckey); 186 /* Inverse modulo order */ 187 int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r, 188 const BIGNUM *x, BN_CTX *); 189 int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); 190 int (*ladder_pre)(const EC_GROUP *group, 191 EC_POINT *r, EC_POINT *s, 192 EC_POINT *p, BN_CTX *ctx); 193 int (*ladder_step)(const EC_GROUP *group, 194 EC_POINT *r, EC_POINT *s, 195 EC_POINT *p, BN_CTX *ctx); 196 int (*ladder_post)(const EC_GROUP *group, 197 EC_POINT *r, EC_POINT *s, 198 EC_POINT *p, BN_CTX *ctx); 199}; 200 201/* 202 * Types and functions to manipulate pre-computed values. 203 */ 204typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP; 205typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP; 206typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP; 207typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP; 208typedef struct ec_pre_comp_st EC_PRE_COMP; 209 210struct ec_group_st { 211 const EC_METHOD *meth; 212 EC_POINT *generator; /* optional */ 213 BIGNUM *order, *cofactor; 214 int curve_name; /* optional NID for named curve */ 215 int asn1_flag; /* flag to control the asn1 encoding */ 216 int decoded_from_explicit_params; /* set if decoded from explicit 217 * curve parameters encoding */ 218 point_conversion_form_t asn1_form; 219 unsigned char *seed; /* optional seed for parameters (appears in 220 * ASN1) */ 221 size_t seed_len; 222 /* 223 * The following members are handled by the method functions, even if 224 * they appear generic 225 */ 226 /* 227 * Field specification. For curves over GF(p), this is the modulus; for 228 * curves over GF(2^m), this is the irreducible polynomial defining the 229 * field. 230 */ 231 BIGNUM *field; 232 /* 233 * Field specification for curves over GF(2^m). The irreducible f(t) is 234 * then of the form: t^poly[0] + t^poly[1] + ... + t^poly[k] where m = 235 * poly[0] > poly[1] > ... > poly[k] = 0. The array is terminated with 236 * poly[k+1]=-1. All elliptic curve irreducibles have at most 5 non-zero 237 * terms. 238 */ 239 int poly[6]; 240 /* 241 * Curve coefficients. (Here the assumption is that BIGNUMs can be used 242 * or abused for all kinds of fields, not just GF(p).) For characteristic 243 * > 3, the curve is defined by a Weierstrass equation of the form y^2 = 244 * x^3 + a*x + b. For characteristic 2, the curve is defined by an 245 * equation of the form y^2 + x*y = x^3 + a*x^2 + b. 246 */ 247 BIGNUM *a, *b; 248 /* enable optimized point arithmetics for special case */ 249 int a_is_minus3; 250 /* method-specific (e.g., Montgomery structure) */ 251 void *field_data1; 252 /* method-specific */ 253 void *field_data2; 254 /* method-specific */ 255 int (*field_mod_func) (BIGNUM *, const BIGNUM *, const BIGNUM *, 256 BN_CTX *); 257 /* data for ECDSA inverse */ 258 BN_MONT_CTX *mont_data; 259 260 /* 261 * Precomputed values for speed. The PCT_xxx names match the 262 * pre_comp.xxx union names; see the SETPRECOMP and HAVEPRECOMP 263 * macros, below. 264 */ 265 enum { 266 PCT_none, 267 PCT_nistp224, PCT_nistp256, PCT_nistp521, PCT_nistz256, 268 PCT_ec 269 } pre_comp_type; 270 union { 271 NISTP224_PRE_COMP *nistp224; 272 NISTP256_PRE_COMP *nistp256; 273 NISTP521_PRE_COMP *nistp521; 274 NISTZ256_PRE_COMP *nistz256; 275 EC_PRE_COMP *ec; 276 } pre_comp; 277 278 OSSL_LIB_CTX *libctx; 279 char *propq; 280}; 281 282#define SETPRECOMP(g, type, pre) \ 283 g->pre_comp_type = PCT_##type, g->pre_comp.type = pre 284#define HAVEPRECOMP(g, type) \ 285 g->pre_comp_type == PCT_##type && g->pre_comp.type != NULL 286 287struct ec_key_st { 288 const EC_KEY_METHOD *meth; 289 ENGINE *engine; 290 int version; 291 EC_GROUP *group; 292 EC_POINT *pub_key; 293 BIGNUM *priv_key; 294 unsigned int enc_flag; 295 point_conversion_form_t conv_form; 296 CRYPTO_REF_COUNT references; 297 int flags; 298#ifndef FIPS_MODULE 299 CRYPTO_EX_DATA ex_data; 300#endif 301 CRYPTO_RWLOCK *lock; 302 OSSL_LIB_CTX *libctx; 303 char *propq; 304 305 /* Provider data */ 306 size_t dirty_cnt; /* If any key material changes, increment this */ 307}; 308 309struct ec_point_st { 310 const EC_METHOD *meth; 311 /* NID for the curve if known */ 312 int curve_name; 313 /* 314 * All members except 'meth' are handled by the method functions, even if 315 * they appear generic 316 */ 317 BIGNUM *X; 318 BIGNUM *Y; 319 BIGNUM *Z; /* Jacobian projective coordinates: * (X, Y, 320 * Z) represents (X/Z^2, Y/Z^3) if Z != 0 */ 321 int Z_is_one; /* enable optimized point arithmetics for 322 * special case */ 323}; 324 325static ossl_inline int ec_point_is_compat(const EC_POINT *point, 326 const EC_GROUP *group) 327{ 328 return group->meth == point->meth 329 && (group->curve_name == 0 330 || point->curve_name == 0 331 || group->curve_name == point->curve_name); 332} 333 334NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *); 335NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); 336NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *); 337NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *); 338NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); 339EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_COMP *); 340 341void EC_pre_comp_free(EC_GROUP *group); 342void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *); 343void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *); 344void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *); 345void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *); 346void EC_ec_pre_comp_free(EC_PRE_COMP *); 347 348/* 349 * method functions in ec_mult.c (ec_lib.c uses these as defaults if 350 * group->method->mul is 0) 351 */ 352int ossl_ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, 353 size_t num, const EC_POINT *points[], 354 const BIGNUM *scalars[], BN_CTX *); 355int ossl_ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *); 356int ossl_ec_wNAF_have_precompute_mult(const EC_GROUP *group); 357 358/* method functions in ecp_smpl.c */ 359int ossl_ec_GFp_simple_group_init(EC_GROUP *); 360void ossl_ec_GFp_simple_group_finish(EC_GROUP *); 361void ossl_ec_GFp_simple_group_clear_finish(EC_GROUP *); 362int ossl_ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *); 363int ossl_ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, 364 const BIGNUM *a, const BIGNUM *b, 365 BN_CTX *); 366int ossl_ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, 367 BIGNUM *b, BN_CTX *); 368int ossl_ec_GFp_simple_group_get_degree(const EC_GROUP *); 369int ossl_ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); 370int ossl_ec_GFp_simple_point_init(EC_POINT *); 371void ossl_ec_GFp_simple_point_finish(EC_POINT *); 372void ossl_ec_GFp_simple_point_clear_finish(EC_POINT *); 373int ossl_ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *); 374int ossl_ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); 375int ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, 376 EC_POINT *, 377 const BIGNUM *x, 378 const BIGNUM *y, 379 const BIGNUM *z, 380 BN_CTX *); 381int ossl_ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, 382 const EC_POINT *, 383 BIGNUM *x, 384 BIGNUM *y, BIGNUM *z, 385 BN_CTX *); 386int ossl_ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *, 387 const BIGNUM *x, 388 const BIGNUM *y, BN_CTX *); 389int ossl_ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *, 390 const EC_POINT *, BIGNUM *x, 391 BIGNUM *y, BN_CTX *); 392int ossl_ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, 393 const BIGNUM *x, int y_bit, 394 BN_CTX *); 395size_t ossl_ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, 396 point_conversion_form_t form, 397 unsigned char *buf, size_t len, BN_CTX *); 398int ossl_ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *, 399 const unsigned char *buf, size_t len, BN_CTX *); 400int ossl_ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, 401 const EC_POINT *b, BN_CTX *); 402int ossl_ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, 403 BN_CTX *); 404int ossl_ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); 405int ossl_ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); 406int ossl_ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); 407int ossl_ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, 408 const EC_POINT *b, BN_CTX *); 409int ossl_ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); 410int ossl_ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, 411 EC_POINT *[], BN_CTX *); 412int ossl_ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 413 const BIGNUM *b, BN_CTX *); 414int ossl_ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 415 BN_CTX *); 416int ossl_ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 417 BN_CTX *); 418int ossl_ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, 419 BN_CTX *ctx); 420int ossl_ec_GFp_simple_ladder_pre(const EC_GROUP *group, 421 EC_POINT *r, EC_POINT *s, 422 EC_POINT *p, BN_CTX *ctx); 423int ossl_ec_GFp_simple_ladder_step(const EC_GROUP *group, 424 EC_POINT *r, EC_POINT *s, 425 EC_POINT *p, BN_CTX *ctx); 426int ossl_ec_GFp_simple_ladder_post(const EC_GROUP *group, 427 EC_POINT *r, EC_POINT *s, 428 EC_POINT *p, BN_CTX *ctx); 429 430/* method functions in ecp_mont.c */ 431int ossl_ec_GFp_mont_group_init(EC_GROUP *); 432int ossl_ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, 433 const BIGNUM *a, 434 const BIGNUM *b, BN_CTX *); 435void ossl_ec_GFp_mont_group_finish(EC_GROUP *); 436void ossl_ec_GFp_mont_group_clear_finish(EC_GROUP *); 437int ossl_ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *); 438int ossl_ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 439 const BIGNUM *b, BN_CTX *); 440int ossl_ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 441 BN_CTX *); 442int ossl_ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 443 BN_CTX *); 444int ossl_ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 445 BN_CTX *); 446int ossl_ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 447 BN_CTX *); 448int ossl_ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *); 449 450/* method functions in ecp_nist.c */ 451int ossl_ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src); 452int ossl_ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, 453 const BIGNUM *a, const BIGNUM *b, BN_CTX *); 454int ossl_ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 455 const BIGNUM *b, BN_CTX *); 456int ossl_ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 457 BN_CTX *); 458 459/* method functions in ec2_smpl.c */ 460int ossl_ec_GF2m_simple_group_init(EC_GROUP *); 461void ossl_ec_GF2m_simple_group_finish(EC_GROUP *); 462void ossl_ec_GF2m_simple_group_clear_finish(EC_GROUP *); 463int ossl_ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *); 464int ossl_ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, 465 const BIGNUM *a, const BIGNUM *b, 466 BN_CTX *); 467int ossl_ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, 468 BIGNUM *b, BN_CTX *); 469int ossl_ec_GF2m_simple_group_get_degree(const EC_GROUP *); 470int ossl_ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); 471int ossl_ec_GF2m_simple_point_init(EC_POINT *); 472void ossl_ec_GF2m_simple_point_finish(EC_POINT *); 473void ossl_ec_GF2m_simple_point_clear_finish(EC_POINT *); 474int ossl_ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *); 475int ossl_ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); 476int ossl_ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, 477 EC_POINT *, 478 const BIGNUM *x, 479 const BIGNUM *y, BN_CTX *); 480int ossl_ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *, 481 const EC_POINT *, BIGNUM *x, 482 BIGNUM *y, BN_CTX *); 483int ossl_ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, 484 const BIGNUM *x, int y_bit, 485 BN_CTX *); 486size_t ossl_ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *, 487 point_conversion_form_t form, 488 unsigned char *buf, size_t len, BN_CTX *); 489int ossl_ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *, 490 const unsigned char *buf, size_t len, BN_CTX *); 491int ossl_ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, 492 const EC_POINT *b, BN_CTX *); 493int ossl_ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, 494 BN_CTX *); 495int ossl_ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); 496int ossl_ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); 497int ossl_ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); 498int ossl_ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, 499 const EC_POINT *b, BN_CTX *); 500int ossl_ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); 501int ossl_ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num, 502 EC_POINT *[], BN_CTX *); 503int ossl_ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 504 const BIGNUM *b, BN_CTX *); 505int ossl_ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 506 BN_CTX *); 507int ossl_ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, 508 const BIGNUM *b, BN_CTX *); 509 510#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 511# ifdef B_ENDIAN 512# error "Can not enable ec_nistp_64_gcc_128 on big-endian systems" 513# endif 514 515/* method functions in ecp_nistp224.c */ 516int ossl_ec_GFp_nistp224_group_init(EC_GROUP *group); 517int ossl_ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, 518 const BIGNUM *a, const BIGNUM *n, 519 BN_CTX *); 520int ossl_ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, 521 const EC_POINT *point, 522 BIGNUM *x, BIGNUM *y, 523 BN_CTX *ctx); 524int ossl_ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r, 525 const BIGNUM *scalar, size_t num, 526 const EC_POINT *points[], const BIGNUM *scalars[], 527 BN_CTX *); 528int ossl_ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, 529 const BIGNUM *scalar, size_t num, 530 const EC_POINT *points[], 531 const BIGNUM *scalars[], BN_CTX *ctx); 532int ossl_ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx); 533int ossl_ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group); 534 535/* method functions in ecp_nistp256.c */ 536int ossl_ec_GFp_nistp256_group_init(EC_GROUP *group); 537int ossl_ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, 538 const BIGNUM *a, const BIGNUM *n, 539 BN_CTX *); 540int ossl_ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group, 541 const EC_POINT *point, 542 BIGNUM *x, BIGNUM *y, 543 BN_CTX *ctx); 544int ossl_ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r, 545 const BIGNUM *scalar, size_t num, 546 const EC_POINT *points[], const BIGNUM *scalars[], 547 BN_CTX *); 548int ossl_ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, 549 const BIGNUM *scalar, size_t num, 550 const EC_POINT *points[], 551 const BIGNUM *scalars[], BN_CTX *ctx); 552int ossl_ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx); 553int ossl_ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); 554 555/* method functions in ecp_nistp521.c */ 556int ossl_ec_GFp_nistp521_group_init(EC_GROUP *group); 557int ossl_ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, 558 const BIGNUM *a, const BIGNUM *n, 559 BN_CTX *); 560int ossl_ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group, 561 const EC_POINT *point, 562 BIGNUM *x, BIGNUM *y, 563 BN_CTX *ctx); 564int ossl_ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r, 565 const BIGNUM *scalar, size_t num, 566 const EC_POINT *points[], const BIGNUM *scalars[], 567 BN_CTX *); 568int ossl_ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, 569 const BIGNUM *scalar, size_t num, 570 const EC_POINT *points[], 571 const BIGNUM *scalars[], BN_CTX *ctx); 572int ossl_ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx); 573int ossl_ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group); 574 575/* utility functions in ecp_nistputil.c */ 576void ossl_ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, 577 size_t felem_size, 578 void *tmp_felems, 579 void (*felem_one) (void *out), 580 int (*felem_is_zero) 581 (const void *in), 582 void (*felem_assign) 583 (void *out, const void *in), 584 void (*felem_square) 585 (void *out, const void *in), 586 void (*felem_mul) 587 (void *out, 588 const void *in1, 589 const void *in2), 590 void (*felem_inv) 591 (void *out, const void *in), 592 void (*felem_contract) 593 (void *out, const void *in)); 594void ossl_ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, 595 unsigned char *digit, 596 unsigned char in); 597#endif 598int ossl_ec_group_simple_order_bits(const EC_GROUP *group); 599 600/** 601 * Creates a new EC_GROUP object 602 * \param libctx The associated library context or NULL for the default 603 * library context 604 * \param propq Any property query string 605 * \param meth EC_METHOD to use 606 * \return newly created EC_GROUP object or NULL in case of an error. 607 */ 608EC_GROUP *ossl_ec_group_new_ex(OSSL_LIB_CTX *libctx, const char *propq, 609 const EC_METHOD *meth); 610 611#ifdef ECP_NISTZ256_ASM 612/** Returns GFp methods using montgomery multiplication, with x86-64 optimized 613 * P256. See http://eprint.iacr.org/2013/816. 614 * \return EC_METHOD object 615 */ 616const EC_METHOD *EC_GFp_nistz256_method(void); 617#endif 618#ifdef S390X_EC_ASM 619const EC_METHOD *EC_GFp_s390x_nistp256_method(void); 620const EC_METHOD *EC_GFp_s390x_nistp384_method(void); 621const EC_METHOD *EC_GFp_s390x_nistp521_method(void); 622#endif 623 624size_t ossl_ec_key_simple_priv2oct(const EC_KEY *eckey, 625 unsigned char *buf, size_t len); 626int ossl_ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, 627 size_t len); 628int ossl_ec_key_simple_generate_key(EC_KEY *eckey); 629int ossl_ec_key_simple_generate_public_key(EC_KEY *eckey); 630int ossl_ec_key_simple_check_key(const EC_KEY *eckey); 631 632int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx); 633 634/* EC_METHOD definitions */ 635 636struct ec_key_method_st { 637 const char *name; 638 int32_t flags; 639 int (*init)(EC_KEY *key); 640 void (*finish)(EC_KEY *key); 641 int (*copy)(EC_KEY *dest, const EC_KEY *src); 642 int (*set_group)(EC_KEY *key, const EC_GROUP *grp); 643 int (*set_private)(EC_KEY *key, const BIGNUM *priv_key); 644 int (*set_public)(EC_KEY *key, const EC_POINT *pub_key); 645 int (*keygen)(EC_KEY *key); 646 int (*compute_key)(unsigned char **pout, size_t *poutlen, 647 const EC_POINT *pub_key, const EC_KEY *ecdh); 648 int (*sign)(int type, const unsigned char *dgst, int dlen, unsigned char 649 *sig, unsigned int *siglen, const BIGNUM *kinv, 650 const BIGNUM *r, EC_KEY *eckey); 651 int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 652 BIGNUM **rp); 653 ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgst_len, 654 const BIGNUM *in_kinv, const BIGNUM *in_r, 655 EC_KEY *eckey); 656 657 int (*verify)(int type, const unsigned char *dgst, int dgst_len, 658 const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); 659 int (*verify_sig)(const unsigned char *dgst, int dgst_len, 660 const ECDSA_SIG *sig, EC_KEY *eckey); 661}; 662 663#define EC_KEY_METHOD_DYNAMIC 1 664 665EC_KEY *ossl_ec_key_new_method_int(OSSL_LIB_CTX *libctx, const char *propq, 666 ENGINE *engine); 667 668int ossl_ec_key_gen(EC_KEY *eckey); 669int ossl_ecdh_compute_key(unsigned char **pout, size_t *poutlen, 670 const EC_POINT *pub_key, const EC_KEY *ecdh); 671int ossl_ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, 672 const EC_POINT *pub_key, const EC_KEY *ecdh); 673 674struct ECDSA_SIG_st { 675 BIGNUM *r; 676 BIGNUM *s; 677}; 678 679int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 680 BIGNUM **rp); 681int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, 682 unsigned char *sig, unsigned int *siglen, 683 const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey); 684ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, 685 const BIGNUM *in_kinv, const BIGNUM *in_r, 686 EC_KEY *eckey); 687int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, 688 const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); 689int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, 690 const ECDSA_SIG *sig, EC_KEY *eckey); 691int ossl_ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 692 BIGNUM **rp); 693ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, 694 const BIGNUM *in_kinv, const BIGNUM *in_r, 695 EC_KEY *eckey); 696int ossl_ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, 697 const ECDSA_SIG *sig, EC_KEY *eckey); 698 699 700/*- 701 * This functions computes a single point multiplication over the EC group, 702 * using, at a high level, a Montgomery ladder with conditional swaps, with 703 * various timing attack defenses. 704 * 705 * It performs either a fixed point multiplication 706 * (scalar * generator) 707 * when point is NULL, or a variable point multiplication 708 * (scalar * point) 709 * when point is not NULL. 710 * 711 * `scalar` cannot be NULL and should be in the range [0,n) otherwise all 712 * constant time bets are off (where n is the cardinality of the EC group). 713 * 714 * This function expects `group->order` and `group->cardinality` to be well 715 * defined and non-zero: it fails with an error code otherwise. 716 * 717 * NB: This says nothing about the constant-timeness of the ladder step 718 * implementation (i.e., the default implementation is based on EC_POINT_add and 719 * EC_POINT_dbl, which of course are not constant time themselves) or the 720 * underlying multiprecision arithmetic. 721 * 722 * The product is stored in `r`. 723 * 724 * This is an internal function: callers are in charge of ensuring that the 725 * input parameters `group`, `r`, `scalar` and `ctx` are not NULL. 726 * 727 * Returns 1 on success, 0 otherwise. 728 */ 729int ossl_ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, 730 const BIGNUM *scalar, const EC_POINT *point, 731 BN_CTX *ctx); 732 733int ossl_ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, 734 BN_CTX *ctx); 735 736static ossl_inline int ec_point_ladder_pre(const EC_GROUP *group, 737 EC_POINT *r, EC_POINT *s, 738 EC_POINT *p, BN_CTX *ctx) 739{ 740 if (group->meth->ladder_pre != NULL) 741 return group->meth->ladder_pre(group, r, s, p, ctx); 742 743 if (!EC_POINT_copy(s, p) 744 || !EC_POINT_dbl(group, r, s, ctx)) 745 return 0; 746 747 return 1; 748} 749 750static ossl_inline int ec_point_ladder_step(const EC_GROUP *group, 751 EC_POINT *r, EC_POINT *s, 752 EC_POINT *p, BN_CTX *ctx) 753{ 754 if (group->meth->ladder_step != NULL) 755 return group->meth->ladder_step(group, r, s, p, ctx); 756 757 if (!EC_POINT_add(group, s, r, s, ctx) 758 || !EC_POINT_dbl(group, r, r, ctx)) 759 return 0; 760 761 return 1; 762 763} 764 765static ossl_inline int ec_point_ladder_post(const EC_GROUP *group, 766 EC_POINT *r, EC_POINT *s, 767 EC_POINT *p, BN_CTX *ctx) 768{ 769 if (group->meth->ladder_post != NULL) 770 return group->meth->ladder_post(group, r, s, p, ctx); 771 772 return 1; 773} 774