cryptlib  3.4.1
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Properties Macros
ecp_smpl.c
Go to the documentation of this file.
1 /* crypto/ec/ecp_smpl.c */
2 /* Includes code written by Lenka Fibikova <[email protected]>
3  * for the OpenSSL project.
4  * Includes code written by Bodo Moeller for the OpenSSL project.
5 */
6 /* ====================================================================
7  * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  * notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  * notice, this list of conditions and the following disclaimer in
18  * the documentation and/or other materials provided with the
19  * distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  * software must display the following acknowledgment:
23  * "This product includes software developed by the OpenSSL Project
24  * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  * endorse or promote products derived from this software without
28  * prior written permission. For written permission, please contact
29  * [email protected].
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  * nor may "OpenSSL" appear in their names without prior written
33  * permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  * acknowledgment:
37  * "This product includes software developed by the OpenSSL Project
38  * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * ([email protected]). This product includes software written by Tim
56  * Hudson ([email protected]).
57  *
58  */
59 /* ====================================================================
60  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61  * Portions of this software developed by SUN MICROSYSTEMS, INC.,
62  * and contributed to the OpenSSL project.
63  */
64 
65 #if defined( INC_ALL ) /* pcg */
66  #include "ec_lcl.h"
67 #else
68  #include "bn/ec_lcl.h"
69 #endif /* Compiler-specific includes */
70 
71 #ifdef _MSC_VER /* For sizeof <-> int conversion - pcg */
72  #pragma warning( disable: 4267 )
73 #endif /* _MSC_VER */
74 
75 #if defined( USE_ECDH ) || defined( USE_ECDSA )
76 
77 /* Normally defined in /crypto/objects/obj_mac.h - pcg */
78 
79 #define NID_X9_62_prime_field 406
80 #define NID_X9_62_characteristic_two_field 407
81 
82 const EC_METHOD *EC_GFp_simple_method(void)
83  {
84  static const EC_METHOD ret = {
85  NID_X9_62_prime_field,
86  ec_GFp_simple_group_init,
87  ec_GFp_simple_group_finish,
88  ec_GFp_simple_group_clear_finish,
89  ec_GFp_simple_group_copy,
90  ec_GFp_simple_group_set_curve,
91  ec_GFp_simple_group_get_curve,
92  ec_GFp_simple_group_get_degree,
93  ec_GFp_simple_group_check_discriminant,
94  ec_GFp_simple_point_init,
95  ec_GFp_simple_point_finish,
96  ec_GFp_simple_point_clear_finish,
97  ec_GFp_simple_point_copy,
98  ec_GFp_simple_point_set_to_infinity,
99  ec_GFp_simple_set_Jprojective_coordinates_GFp,
100  ec_GFp_simple_get_Jprojective_coordinates_GFp,
101  ec_GFp_simple_point_set_affine_coordinates,
102  ec_GFp_simple_point_get_affine_coordinates,
103  ec_GFp_simple_set_compressed_coordinates,
104  ec_GFp_simple_point2oct,
105  ec_GFp_simple_oct2point,
106  ec_GFp_simple_add,
107  ec_GFp_simple_dbl,
108  ec_GFp_simple_invert,
109  ec_GFp_simple_is_at_infinity,
110  ec_GFp_simple_is_on_curve,
111  ec_GFp_simple_cmp,
112  ec_GFp_simple_make_affine,
113  ec_GFp_simple_points_make_affine,
114  0 /* mul */,
115  0 /* precompute_mult */,
116  0 /* have_precompute_mult */,
117  ec_GFp_simple_field_mul,
118  ec_GFp_simple_field_sqr,
119  0 /* field_div */,
120  0 /* field_encode */,
121  0 /* field_decode */,
122  0 /* field_set_to_one */ };
123 
124  return &ret;
125  }
126 
127 /* Most method functions in this file are designed to work with
128  * non-trivial representations of field elements if necessary
129  * (see ecp_mont.c): while standard modular addition and subtraction
130  * are used, the field_mul and field_sqr methods will be used for
131  * multiplication, and field_encode and field_decode (if defined)
132  * will be used for converting between representations.
133 
134  * Functions ec_GFp_simple_points_make_affine() and
135  * ec_GFp_simple_point_get_affine_coordinates() specifically assume
136  * that if a non-trivial representation is used, it is a Montgomery
137  * representation (i.e. 'encoding' means multiplying by some factor R).
138  */
139 
140 
141 int ec_GFp_simple_group_init(EC_GROUP *group)
142  {
143  BN_init(&group->field);
144  BN_init(&group->a);
145  BN_init(&group->b);
146  group->a_is_minus3 = 0;
147  return 1;
148  }
149 
150 
151 void ec_GFp_simple_group_finish(EC_GROUP *group)
152  {
153  BN_free(&group->field);
154  BN_free(&group->a);
155  BN_free(&group->b);
156  }
157 
158 
159 void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
160  {
161  BN_clear_free(&group->field);
162  BN_clear_free(&group->a);
163  BN_clear_free(&group->b);
164  }
165 
166 
167 int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
168  {
169  if (!BN_copy(&dest->field, &src->field)) return 0;
170  if (!BN_copy(&dest->a, &src->a)) return 0;
171  if (!BN_copy(&dest->b, &src->b)) return 0;
172 
173  dest->a_is_minus3 = src->a_is_minus3;
174 
175  return 1;
176  }
177 
178 
179 int ec_GFp_simple_group_set_curve(EC_GROUP *group,
180  const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
181  {
182  int ret = 0;
183  BN_CTX *new_ctx = NULL;
184  BIGNUM *tmp_a;
185 
186  /* p must be a prime > 3 */
187  if (BN_num_bits(p) <= 2 || !BN_is_odd(p))
188  {
189  ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD);
190  return 0;
191  }
192 
193  if (ctx == NULL)
194  {
195  ctx = new_ctx = BN_CTX_new();
196  if (ctx == NULL)
197  return 0;
198  }
199 
200  BN_CTX_start(ctx);
201  tmp_a = BN_CTX_get(ctx);
202  if (tmp_a == NULL) goto err;
203 
204  /* group->field */
205  if (!BN_copy(&group->field, p)) goto err;
206  BN_set_negative(&group->field, 0);
207 
208  /* group->a */
209  if (!BN_nnmod(tmp_a, a, p, ctx)) goto err;
210  if (group->meth->field_encode)
211  { if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) goto err; }
212  else
213  if (!BN_copy(&group->a, tmp_a)) goto err;
214 
215  /* group->b */
216  if (!BN_nnmod(&group->b, b, p, ctx)) goto err;
217  if (group->meth->field_encode)
218  if (!group->meth->field_encode(group, &group->b, &group->b, ctx)) goto err;
219 
220  /* group->a_is_minus3 */
221  if (!BN_add_word(tmp_a, 3)) goto err;
222  group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
223 
224  ret = 1;
225 
226  err:
227  BN_CTX_end(ctx);
228  if (new_ctx != NULL)
229  BN_CTX_free(new_ctx);
230  return ret;
231  }
232 
233 
234 int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
235  {
236  int ret = 0;
237  BN_CTX *new_ctx = NULL;
238 
239  if (p != NULL)
240  {
241  if (!BN_copy(p, &group->field)) return 0;
242  }
243 
244  if (a != NULL || b != NULL)
245  {
246  if (group->meth->field_decode)
247  {
248  if (ctx == NULL)
249  {
250  ctx = new_ctx = BN_CTX_new();
251  if (ctx == NULL)
252  return 0;
253  }
254  if (a != NULL)
255  {
256  if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
257  }
258  if (b != NULL)
259  {
260  if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
261  }
262  }
263  else
264  {
265  if (a != NULL)
266  {
267  if (!BN_copy(a, &group->a)) goto err;
268  }
269  if (b != NULL)
270  {
271  if (!BN_copy(b, &group->b)) goto err;
272  }
273  }
274  }
275 
276  ret = 1;
277 
278  err:
279  if (new_ctx)
280  BN_CTX_free(new_ctx);
281  return ret;
282  }
283 
284 
285 int ec_GFp_simple_group_get_degree(const EC_GROUP *group)
286  {
287  return BN_num_bits(&group->field);
288  }
289 
290 
291 int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
292  {
293  int ret = 0;
294  BIGNUM *a,*b,*order,*tmp_1,*tmp_2;
295  const BIGNUM *p = &group->field;
296  BN_CTX *new_ctx = NULL;
297 
298  if (ctx == NULL)
299  {
300  ctx = new_ctx = BN_CTX_new();
301  if (ctx == NULL)
302  {
303  ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE);
304  goto err;
305  }
306  }
307  BN_CTX_start(ctx);
308  a = BN_CTX_get(ctx);
309  b = BN_CTX_get(ctx);
310  tmp_1 = BN_CTX_get(ctx);
311  tmp_2 = BN_CTX_get(ctx);
312  order = BN_CTX_get(ctx);
313  if (order == NULL) goto err;
314 
315  if (group->meth->field_decode)
316  {
317  if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
318  if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
319  }
320  else
321  {
322  if (!BN_copy(a, &group->a)) goto err;
323  if (!BN_copy(b, &group->b)) goto err;
324  }
325 
326  /* check the discriminant:
327  * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
328  * 0 =< a, b < p */
329  if (BN_is_zero(a))
330  {
331  if (BN_is_zero(b)) goto err;
332  }
333  else if (!BN_is_zero(b))
334  {
335  if (!BN_mod_sqr(tmp_1, a, p, ctx)) goto err;
336  if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx)) goto err;
337  if (!BN_lshift(tmp_1, tmp_2, 2)) goto err;
338  /* tmp_1 = 4*a^3 */
339 
340  if (!BN_mod_sqr(tmp_2, b, p, ctx)) goto err;
341  if (!BN_mul_word(tmp_2, 27)) goto err;
342  /* tmp_2 = 27*b^2 */
343 
344  if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx)) goto err;
345  if (BN_is_zero(a)) goto err;
346  }
347  ret = 1;
348 
349 err:
350  if (ctx != NULL)
351  BN_CTX_end(ctx);
352  if (new_ctx != NULL)
353  BN_CTX_free(new_ctx);
354  return ret;
355  }
356 
357 
358 int ec_GFp_simple_point_init(EC_POINT *point)
359  {
360  BN_init(&point->X);
361  BN_init(&point->Y);
362  BN_init(&point->Z);
363  point->Z_is_one = 0;
364 
365  return 1;
366  }
367 
368 
369 void ec_GFp_simple_point_finish(EC_POINT *point)
370  {
371  BN_free(&point->X);
372  BN_free(&point->Y);
373  BN_free(&point->Z);
374  }
375 
376 
377 void ec_GFp_simple_point_clear_finish(EC_POINT *point)
378  {
379  BN_clear_free(&point->X);
380  BN_clear_free(&point->Y);
381  BN_clear_free(&point->Z);
382  point->Z_is_one = 0;
383  }
384 
385 
386 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
387  {
388  if (!BN_copy(&dest->X, &src->X)) return 0;
389  if (!BN_copy(&dest->Y, &src->Y)) return 0;
390  if (!BN_copy(&dest->Z, &src->Z)) return 0;
391  dest->Z_is_one = src->Z_is_one;
392 
393  return 1;
394  }
395 
396 
397 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
398  {
399  point->Z_is_one = 0;
400  BN_zero(&point->Z);
401  return 1;
402  }
403 
404 
405 int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
406  const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
407  {
408  BN_CTX *new_ctx = NULL;
409  int ret = 0;
410 
411  if (ctx == NULL)
412  {
413  ctx = new_ctx = BN_CTX_new();
414  if (ctx == NULL)
415  return 0;
416  }
417 
418  if (x != NULL)
419  {
420  if (!BN_nnmod(&point->X, x, &group->field, ctx)) goto err;
421  if (group->meth->field_encode)
422  {
423  if (!group->meth->field_encode(group, &point->X, &point->X, ctx)) goto err;
424  }
425  }
426 
427  if (y != NULL)
428  {
429  if (!BN_nnmod(&point->Y, y, &group->field, ctx)) goto err;
430  if (group->meth->field_encode)
431  {
432  if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx)) goto err;
433  }
434  }
435 
436  if (z != NULL)
437  {
438  int Z_is_one;
439 
440  if (!BN_nnmod(&point->Z, z, &group->field, ctx)) goto err;
441  Z_is_one = BN_is_one(&point->Z);
442  if (group->meth->field_encode)
443  {
444  if (Z_is_one && (group->meth->field_set_to_one != 0))
445  {
446  if (!group->meth->field_set_to_one(group, &point->Z, ctx)) goto err;
447  }
448  else
449  {
450  if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) goto err;
451  }
452  }
453  point->Z_is_one = Z_is_one;
454  }
455 
456  ret = 1;
457 
458  err:
459  if (new_ctx != NULL)
460  BN_CTX_free(new_ctx);
461  return ret;
462  }
463 
464 
465 int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
466  BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
467  {
468  BN_CTX *new_ctx = NULL;
469  int ret = 0;
470 
471  if (group->meth->field_decode != 0)
472  {
473  if (ctx == NULL)
474  {
475  ctx = new_ctx = BN_CTX_new();
476  if (ctx == NULL)
477  return 0;
478  }
479 
480  if (x != NULL)
481  {
482  if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
483  }
484  if (y != NULL)
485  {
486  if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
487  }
488  if (z != NULL)
489  {
490  if (!group->meth->field_decode(group, z, &point->Z, ctx)) goto err;
491  }
492  }
493  else
494  {
495  if (x != NULL)
496  {
497  if (!BN_copy(x, &point->X)) goto err;
498  }
499  if (y != NULL)
500  {
501  if (!BN_copy(y, &point->Y)) goto err;
502  }
503  if (z != NULL)
504  {
505  if (!BN_copy(z, &point->Z)) goto err;
506  }
507  }
508 
509  ret = 1;
510 
511  err:
512  if (new_ctx != NULL)
513  BN_CTX_free(new_ctx);
514  return ret;
515  }
516 
517 
518 int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
519  const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
520  {
521  if (x == NULL || y == NULL)
522  {
523  /* unlike for projective coordinates, we do not tolerate this */
524  ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES, ERR_R_PASSED_NULL_PARAMETER);
525  return 0;
526  }
527 
528  return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
529  }
530 
531 
532 int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
533  BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
534  {
535  BN_CTX *new_ctx = NULL;
536  BIGNUM *Z, *Z_1, *Z_2, *Z_3;
537  const BIGNUM *Z_;
538  int ret = 0;
539 
540  if (EC_POINT_is_at_infinity(group, point))
541  {
542  ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY);
543  return 0;
544  }
545 
546  if (ctx == NULL)
547  {
548  ctx = new_ctx = BN_CTX_new();
549  if (ctx == NULL)
550  return 0;
551  }
552 
553  BN_CTX_start(ctx);
554  Z = BN_CTX_get(ctx);
555  Z_1 = BN_CTX_get(ctx);
556  Z_2 = BN_CTX_get(ctx);
557  Z_3 = BN_CTX_get(ctx);
558  if (Z_3 == NULL) goto err;
559 
560  /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
561 
562  if (group->meth->field_decode)
563  {
564  if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err;
565  Z_ = Z;
566  }
567  else
568  {
569  Z_ = &point->Z;
570  }
571 
572  if (BN_is_one(Z_))
573  {
574  if (group->meth->field_decode)
575  {
576  if (x != NULL)
577  {
578  if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
579  }
580  if (y != NULL)
581  {
582  if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
583  }
584  }
585  else
586  {
587  if (x != NULL)
588  {
589  if (!BN_copy(x, &point->X)) goto err;
590  }
591  if (y != NULL)
592  {
593  if (!BN_copy(y, &point->Y)) goto err;
594  }
595  }
596  }
597  else
598  {
599  if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx))
600  {
601  ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);
602  goto err;
603  }
604 
605  if (group->meth->field_encode == 0)
606  {
607  /* field_sqr works on standard representation */
608  if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) goto err;
609  }
610  else
611  {
612  if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) goto err;
613  }
614 
615  if (x != NULL)
616  {
617  /* in the Montgomery case, field_mul will cancel out Montgomery factor in X: */
618  if (!group->meth->field_mul(group, x, &point->X, Z_2, ctx)) goto err;
619  }
620 
621  if (y != NULL)
622  {
623  if (group->meth->field_encode == 0)
624  {
625  /* field_mul works on standard representation */
626  if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err;
627  }
628  else
629  {
630  if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err;
631  }
632 
633  /* in the Montgomery case, field_mul will cancel out Montgomery factor in Y: */
634  if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx)) goto err;
635  }
636  }
637 
638  ret = 1;
639 
640  err:
641  BN_CTX_end(ctx);
642  if (new_ctx != NULL)
643  BN_CTX_free(new_ctx);
644  return ret;
645  }
646 
647 
648 int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
649  const BIGNUM *x_, int y_bit, BN_CTX *ctx)
650  {
651  BN_CTX *new_ctx = NULL;
652  BIGNUM *tmp1, *tmp2, *x, *y;
653  int ret = 0;
654 
655  /* clear error queue*/
656  ERR_clear_error();
657 
658  if (ctx == NULL)
659  {
660  ctx = new_ctx = BN_CTX_new();
661  if (ctx == NULL)
662  return 0;
663  }
664 
665  y_bit = (y_bit != 0);
666 
667  BN_CTX_start(ctx);
668  tmp1 = BN_CTX_get(ctx);
669  tmp2 = BN_CTX_get(ctx);
670  x = BN_CTX_get(ctx);
671  y = BN_CTX_get(ctx);
672  if (y == NULL) goto err;
673 
674  /* Recover y. We have a Weierstrass equation
675  * y^2 = x^3 + a*x + b,
676  * so y is one of the square roots of x^3 + a*x + b.
677  */
678 
679  /* tmp1 := x^3 */
680  if (!BN_nnmod(x, x_, &group->field,ctx)) goto err;
681  if (group->meth->field_decode == 0)
682  {
683  /* field_{sqr,mul} work on standard representation */
684  if (!group->meth->field_sqr(group, tmp2, x_, ctx)) goto err;
685  if (!group->meth->field_mul(group, tmp1, tmp2, x_, ctx)) goto err;
686  }
687  else
688  {
689  if (!BN_mod_sqr(tmp2, x_, &group->field, ctx)) goto err;
690  if (!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx)) goto err;
691  }
692 
693  /* tmp1 := tmp1 + a*x */
694  if (group->a_is_minus3)
695  {
696  if (!BN_mod_lshift1_quick(tmp2, x, &group->field)) goto err;
697  if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field)) goto err;
698  if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
699  }
700  else
701  {
702  if (group->meth->field_decode)
703  {
704  if (!group->meth->field_decode(group, tmp2, &group->a, ctx)) goto err;
705  if (!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx)) goto err;
706  }
707  else
708  {
709  /* field_mul works on standard representation */
710  if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) goto err;
711  }
712 
713  if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
714  }
715 
716  /* tmp1 := tmp1 + b */
717  if (group->meth->field_decode)
718  {
719  if (!group->meth->field_decode(group, tmp2, &group->b, ctx)) goto err;
720  if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
721  }
722  else
723  {
724  if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) goto err;
725  }
726 
727  if (!BN_mod_sqrt(y, tmp1, &group->field, ctx))
728  {
729  if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE)
730  {
731  ERR_clear_error();
732  ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
733  }
734  else
735  ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB);
736  goto err;
737  }
738 
739  if (y_bit != BN_is_odd(y))
740  {
741  if (BN_is_zero(y))
742  {
743  int kron;
744 
745  kron = BN_kronecker(x, &group->field, ctx);
746  if (kron == -2) goto err;
747 
748  if (kron == 1)
749  ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSION_BIT);
750  else
751  /* BN_mod_sqrt() should have cought this error (not a square) */
752  ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
753  goto err;
754  }
755  if (!BN_usub(y, &group->field, y)) goto err;
756  }
757  if (y_bit != BN_is_odd(y))
758  {
759  ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_INTERNAL_ERROR);
760  goto err;
761  }
762 
763  if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
764 
765  ret = 1;
766 
767  err:
768  BN_CTX_end(ctx);
769  if (new_ctx != NULL)
770  BN_CTX_free(new_ctx);
771  return ret;
772  }
773 
774 
775 size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
776  unsigned char *buf, size_t len, BN_CTX *ctx)
777  {
778  size_t ret;
779  BN_CTX *new_ctx = NULL;
780  int used_ctx = 0;
781  BIGNUM *x, *y;
782  size_t field_len, i, skip;
783 
784  if ((form != POINT_CONVERSION_COMPRESSED)
785  && (form != POINT_CONVERSION_UNCOMPRESSED)
786  && (form != POINT_CONVERSION_HYBRID))
787  {
788  ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
789  goto err;
790  }
791 
792  if (EC_POINT_is_at_infinity(group, point))
793  {
794  /* encodes to a single 0 octet */
795  if (buf != NULL)
796  {
797  if (len < 1)
798  {
799  ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
800  return 0;
801  }
802  buf[0] = 0;
803  }
804  return 1;
805  }
806 
807 
808  /* ret := required output buffer length */
809  field_len = BN_num_bytes(&group->field);
810  ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
811 
812  /* if 'buf' is NULL, just return required length */
813  if (buf != NULL)
814  {
815  if (len < ret)
816  {
817  ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
818  goto err;
819  }
820 
821  if (ctx == NULL)
822  {
823  ctx = new_ctx = BN_CTX_new();
824  if (ctx == NULL)
825  return 0;
826  }
827 
828  BN_CTX_start(ctx);
829  used_ctx = 1;
830  x = BN_CTX_get(ctx);
831  y = BN_CTX_get(ctx);
832  if (y == NULL) goto err;
833 
834  if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
835 
836  if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y))
837  buf[0] = form + 1;
838  else
839  buf[0] = form;
840 
841  i = 1;
842 
843  skip = field_len - BN_num_bytes(x);
844  if (skip > field_len)
845  {
846  ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
847  goto err;
848  }
849  while (skip > 0)
850  {
851  buf[i++] = 0;
852  skip--;
853  }
854  skip = BN_bn2bin(x, buf + i);
855  i += skip;
856  if (i != 1 + field_len)
857  {
858  ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
859  goto err;
860  }
861 
862  if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
863  {
864  skip = field_len - BN_num_bytes(y);
865  if (skip > field_len)
866  {
867  ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
868  goto err;
869  }
870  while (skip > 0)
871  {
872  buf[i++] = 0;
873  skip--;
874  }
875  skip = BN_bn2bin(y, buf + i);
876  i += skip;
877  }
878 
879  if (i != ret)
880  {
881  ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
882  goto err;
883  }
884  }
885 
886  if (used_ctx)
887  BN_CTX_end(ctx);
888  if (new_ctx != NULL)
889  BN_CTX_free(new_ctx);
890  return ret;
891 
892  err:
893  if (used_ctx)
894  BN_CTX_end(ctx);
895  if (new_ctx != NULL)
896  BN_CTX_free(new_ctx);
897  return 0;
898  }
899 
900 
901 int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
902  const unsigned char *buf, size_t len, BN_CTX *ctx)
903  {
904  point_conversion_form_t form;
905  int y_bit;
906  BN_CTX *new_ctx = NULL;
907  BIGNUM *x, *y;
908  size_t field_len, enc_len;
909  int ret = 0;
910 
911  if (len == 0)
912  {
913  ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
914  return 0;
915  }
916  form = buf[0];
917  y_bit = form & 1;
918  form = form & ~1U;
919  if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
920  && (form != POINT_CONVERSION_UNCOMPRESSED)
921  && (form != POINT_CONVERSION_HYBRID))
922  {
923  ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
924  return 0;
925  }
926  if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit)
927  {
928  ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
929  return 0;
930  }
931 
932  if (form == 0)
933  {
934  if (len != 1)
935  {
936  ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
937  return 0;
938  }
939 
940  return EC_POINT_set_to_infinity(group, point);
941  }
942 
943  field_len = BN_num_bytes(&group->field);
944  enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
945 
946  if (len != enc_len)
947  {
948  ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
949  return 0;
950  }
951 
952  if (ctx == NULL)
953  {
954  ctx = new_ctx = BN_CTX_new();
955  if (ctx == NULL)
956  return 0;
957  }
958 
959  BN_CTX_start(ctx);
960  x = BN_CTX_get(ctx);
961  y = BN_CTX_get(ctx);
962  if (y == NULL) goto err;
963 
964  if (!BN_bin2bn(buf + 1, field_len, x)) goto err;
965  if (BN_ucmp(x, &group->field) >= 0)
966  {
967  ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
968  goto err;
969  }
970 
971  if (form == POINT_CONVERSION_COMPRESSED)
972  {
973  if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) goto err;
974  }
975  else
976  {
977  if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
978  if (BN_ucmp(y, &group->field) >= 0)
979  {
980  ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
981  goto err;
982  }
983  if (form == POINT_CONVERSION_HYBRID)
984  {
985  if (y_bit != BN_is_odd(y))
986  {
987  ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
988  goto err;
989  }
990  }
991 
992  if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
993  }
994 
995  if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
996  {
997  ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
998  goto err;
999  }
1000 
1001  ret = 1;
1002 
1003  err:
1004  BN_CTX_end(ctx);
1005  if (new_ctx != NULL)
1006  BN_CTX_free(new_ctx);
1007  return ret;
1008  }
1009 
1010 
1011 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
1012  {
1013  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1014  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1015  const BIGNUM *p;
1016  BN_CTX *new_ctx = NULL;
1017  BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
1018  int ret = 0;
1019 
1020  if (a == b)
1021  return EC_POINT_dbl(group, r, a, ctx);
1022  if (EC_POINT_is_at_infinity(group, a))
1023  return EC_POINT_copy(r, b);
1024  if (EC_POINT_is_at_infinity(group, b))
1025  return EC_POINT_copy(r, a);
1026 
1027  field_mul = group->meth->field_mul;
1028  field_sqr = group->meth->field_sqr;
1029  p = &group->field;
1030 
1031  if (ctx == NULL)
1032  {
1033  ctx = new_ctx = BN_CTX_new();
1034  if (ctx == NULL)
1035  return 0;
1036  }
1037 
1038  BN_CTX_start(ctx);
1039  n0 = BN_CTX_get(ctx);
1040  n1 = BN_CTX_get(ctx);
1041  n2 = BN_CTX_get(ctx);
1042  n3 = BN_CTX_get(ctx);
1043  n4 = BN_CTX_get(ctx);
1044  n5 = BN_CTX_get(ctx);
1045  n6 = BN_CTX_get(ctx);
1046  if (n6 == NULL) goto end;
1047 
1048  /* Note that in this function we must not read components of 'a' or 'b'
1049  * once we have written the corresponding components of 'r'.
1050  * ('r' might be one of 'a' or 'b'.)
1051  */
1052 
1053  /* n1, n2 */
1054  if (b->Z_is_one)
1055  {
1056  if (!BN_copy(n1, &a->X)) goto end;
1057  if (!BN_copy(n2, &a->Y)) goto end;
1058  /* n1 = X_a */
1059  /* n2 = Y_a */
1060  }
1061  else
1062  {
1063  if (!field_sqr(group, n0, &b->Z, ctx)) goto end;
1064  if (!field_mul(group, n1, &a->X, n0, ctx)) goto end;
1065  /* n1 = X_a * Z_b^2 */
1066 
1067  if (!field_mul(group, n0, n0, &b->Z, ctx)) goto end;
1068  if (!field_mul(group, n2, &a->Y, n0, ctx)) goto end;
1069  /* n2 = Y_a * Z_b^3 */
1070  }
1071 
1072  /* n3, n4 */
1073  if (a->Z_is_one)
1074  {
1075  if (!BN_copy(n3, &b->X)) goto end;
1076  if (!BN_copy(n4, &b->Y)) goto end;
1077  /* n3 = X_b */
1078  /* n4 = Y_b */
1079  }
1080  else
1081  {
1082  if (!field_sqr(group, n0, &a->Z, ctx)) goto end;
1083  if (!field_mul(group, n3, &b->X, n0, ctx)) goto end;
1084  /* n3 = X_b * Z_a^2 */
1085 
1086  if (!field_mul(group, n0, n0, &a->Z, ctx)) goto end;
1087  if (!field_mul(group, n4, &b->Y, n0, ctx)) goto end;
1088  /* n4 = Y_b * Z_a^3 */
1089  }
1090 
1091  /* n5, n6 */
1092  if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end;
1093  if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end;
1094  /* n5 = n1 - n3 */
1095  /* n6 = n2 - n4 */
1096 
1097  if (BN_is_zero(n5))
1098  {
1099  if (BN_is_zero(n6))
1100  {
1101  /* a is the same point as b */
1102  BN_CTX_end(ctx);
1103  ret = EC_POINT_dbl(group, r, a, ctx);
1104  ctx = NULL;
1105  goto end;
1106  }
1107  else
1108  {
1109  /* a is the inverse of b */
1110  BN_zero(&r->Z);
1111  r->Z_is_one = 0;
1112  ret = 1;
1113  goto end;
1114  }
1115  }
1116 
1117  /* 'n7', 'n8' */
1118  if (!BN_mod_add_quick(n1, n1, n3, p)) goto end;
1119  if (!BN_mod_add_quick(n2, n2, n4, p)) goto end;
1120  /* 'n7' = n1 + n3 */
1121  /* 'n8' = n2 + n4 */
1122 
1123  /* Z_r */
1124  if (a->Z_is_one && b->Z_is_one)
1125  {
1126  if (!BN_copy(&r->Z, n5)) goto end;
1127  }
1128  else
1129  {
1130  if (a->Z_is_one)
1131  { if (!BN_copy(n0, &b->Z)) goto end; }
1132  else if (b->Z_is_one)
1133  { if (!BN_copy(n0, &a->Z)) goto end; }
1134  else
1135  { if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) goto end; }
1136  if (!field_mul(group, &r->Z, n0, n5, ctx)) goto end;
1137  }
1138  r->Z_is_one = 0;
1139  /* Z_r = Z_a * Z_b * n5 */
1140 
1141  /* X_r */
1142  if (!field_sqr(group, n0, n6, ctx)) goto end;
1143  if (!field_sqr(group, n4, n5, ctx)) goto end;
1144  if (!field_mul(group, n3, n1, n4, ctx)) goto end;
1145  if (!BN_mod_sub_quick(&r->X, n0, n3, p)) goto end;
1146  /* X_r = n6^2 - n5^2 * 'n7' */
1147 
1148  /* 'n9' */
1149  if (!BN_mod_lshift1_quick(n0, &r->X, p)) goto end;
1150  if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end;
1151  /* n9 = n5^2 * 'n7' - 2 * X_r */
1152 
1153  /* Y_r */
1154  if (!field_mul(group, n0, n0, n6, ctx)) goto end;
1155  if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */
1156  if (!field_mul(group, n1, n2, n5, ctx)) goto end;
1157  if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end;
1158  if (BN_is_odd(n0))
1159  if (!BN_add(n0, n0, p)) goto end;
1160  /* now 0 <= n0 < 2*p, and n0 is even */
1161  if (!BN_rshift1(&r->Y, n0)) goto end;
1162  /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
1163 
1164  ret = 1;
1165 
1166  end:
1167  if (ctx) /* otherwise we already called BN_CTX_end */
1168  BN_CTX_end(ctx);
1169  if (new_ctx != NULL)
1170  BN_CTX_free(new_ctx);
1171  return ret;
1172  }
1173 
1174 
1175 int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
1176  {
1177  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1178  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1179  const BIGNUM *p;
1180  BN_CTX *new_ctx = NULL;
1181  BIGNUM *n0, *n1, *n2, *n3;
1182  int ret = 0;
1183 
1184  if (EC_POINT_is_at_infinity(group, a))
1185  {
1186  BN_zero(&r->Z);
1187  r->Z_is_one = 0;
1188  return 1;
1189  }
1190 
1191  field_mul = group->meth->field_mul;
1192  field_sqr = group->meth->field_sqr;
1193  p = &group->field;
1194 
1195  if (ctx == NULL)
1196  {
1197  ctx = new_ctx = BN_CTX_new();
1198  if (ctx == NULL)
1199  return 0;
1200  }
1201 
1202  BN_CTX_start(ctx);
1203  n0 = BN_CTX_get(ctx);
1204  n1 = BN_CTX_get(ctx);
1205  n2 = BN_CTX_get(ctx);
1206  n3 = BN_CTX_get(ctx);
1207  if (n3 == NULL) goto err;
1208 
1209  /* Note that in this function we must not read components of 'a'
1210  * once we have written the corresponding components of 'r'.
1211  * ('r' might the same as 'a'.)
1212  */
1213 
1214  /* n1 */
1215  if (a->Z_is_one)
1216  {
1217  if (!field_sqr(group, n0, &a->X, ctx)) goto err;
1218  if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
1219  if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
1220  if (!BN_mod_add_quick(n1, n0, &group->a, p)) goto err;
1221  /* n1 = 3 * X_a^2 + a_curve */
1222  }
1223  else if (group->a_is_minus3)
1224  {
1225  if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
1226  if (!BN_mod_add_quick(n0, &a->X, n1, p)) goto err;
1227  if (!BN_mod_sub_quick(n2, &a->X, n1, p)) goto err;
1228  if (!field_mul(group, n1, n0, n2, ctx)) goto err;
1229  if (!BN_mod_lshift1_quick(n0, n1, p)) goto err;
1230  if (!BN_mod_add_quick(n1, n0, n1, p)) goto err;
1231  /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
1232  * = 3 * X_a^2 - 3 * Z_a^4 */
1233  }
1234  else
1235  {
1236  if (!field_sqr(group, n0, &a->X, ctx)) goto err;
1237  if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
1238  if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
1239  if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
1240  if (!field_sqr(group, n1, n1, ctx)) goto err;
1241  if (!field_mul(group, n1, n1, &group->a, ctx)) goto err;
1242  if (!BN_mod_add_quick(n1, n1, n0, p)) goto err;
1243  /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
1244  }
1245 
1246  /* Z_r */
1247  if (a->Z_is_one)
1248  {
1249  if (!BN_copy(n0, &a->Y)) goto err;
1250  }
1251  else
1252  {
1253  if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) goto err;
1254  }
1255  if (!BN_mod_lshift1_quick(&r->Z, n0, p)) goto err;
1256  r->Z_is_one = 0;
1257  /* Z_r = 2 * Y_a * Z_a */
1258 
1259  /* n2 */
1260  if (!field_sqr(group, n3, &a->Y, ctx)) goto err;
1261  if (!field_mul(group, n2, &a->X, n3, ctx)) goto err;
1262  if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err;
1263  /* n2 = 4 * X_a * Y_a^2 */
1264 
1265  /* X_r */
1266  if (!BN_mod_lshift1_quick(n0, n2, p)) goto err;
1267  if (!field_sqr(group, &r->X, n1, ctx)) goto err;
1268  if (!BN_mod_sub_quick(&r->X, &r->X, n0, p)) goto err;
1269  /* X_r = n1^2 - 2 * n2 */
1270 
1271  /* n3 */
1272  if (!field_sqr(group, n0, n3, ctx)) goto err;
1273  if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err;
1274  /* n3 = 8 * Y_a^4 */
1275 
1276  /* Y_r */
1277  if (!BN_mod_sub_quick(n0, n2, &r->X, p)) goto err;
1278  if (!field_mul(group, n0, n1, n0, ctx)) goto err;
1279  if (!BN_mod_sub_quick(&r->Y, n0, n3, p)) goto err;
1280  /* Y_r = n1 * (n2 - X_r) - n3 */
1281 
1282  ret = 1;
1283 
1284  err:
1285  BN_CTX_end(ctx);
1286  if (new_ctx != NULL)
1287  BN_CTX_free(new_ctx);
1288  return ret;
1289  }
1290 
1291 
1292 int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1293  {
1294  if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
1295  /* point is its own inverse */
1296  return 1;
1297 
1298  return BN_usub(&point->Y, &group->field, &point->Y);
1299  }
1300 
1301 
1302 int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
1303  {
1304  return BN_is_zero(&point->Z);
1305  }
1306 
1307 
1308 int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
1309  {
1310  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1311  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1312  const BIGNUM *p;
1313  BN_CTX *new_ctx = NULL;
1314  BIGNUM *rh, *tmp, *Z4, *Z6;
1315  int ret = -1;
1316 
1317  if (EC_POINT_is_at_infinity(group, point))
1318  return 1;
1319 
1320  field_mul = group->meth->field_mul;
1321  field_sqr = group->meth->field_sqr;
1322  p = &group->field;
1323 
1324  if (ctx == NULL)
1325  {
1326  ctx = new_ctx = BN_CTX_new();
1327  if (ctx == NULL)
1328  return -1;
1329  }
1330 
1331  BN_CTX_start(ctx);
1332  rh = BN_CTX_get(ctx);
1333  tmp = BN_CTX_get(ctx);
1334  Z4 = BN_CTX_get(ctx);
1335  Z6 = BN_CTX_get(ctx);
1336  if (Z6 == NULL) goto err;
1337 
1338  /* We have a curve defined by a Weierstrass equation
1339  * y^2 = x^3 + a*x + b.
1340  * The point to consider is given in Jacobian projective coordinates
1341  * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
1342  * Substituting this and multiplying by Z^6 transforms the above equation into
1343  * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
1344  * To test this, we add up the right-hand side in 'rh'.
1345  */
1346 
1347  /* rh := X^2 */
1348  if (!field_sqr(group, rh, &point->X, ctx)) goto err;
1349 
1350  if (!point->Z_is_one)
1351  {
1352  if (!field_sqr(group, tmp, &point->Z, ctx)) goto err;
1353  if (!field_sqr(group, Z4, tmp, ctx)) goto err;
1354  if (!field_mul(group, Z6, Z4, tmp, ctx)) goto err;
1355 
1356  /* rh := (rh + a*Z^4)*X */
1357  if (group->a_is_minus3)
1358  {
1359  if (!BN_mod_lshift1_quick(tmp, Z4, p)) goto err;
1360  if (!BN_mod_add_quick(tmp, tmp, Z4, p)) goto err;
1361  if (!BN_mod_sub_quick(rh, rh, tmp, p)) goto err;
1362  if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1363  }
1364  else
1365  {
1366  if (!field_mul(group, tmp, Z4, &group->a, ctx)) goto err;
1367  if (!BN_mod_add_quick(rh, rh, tmp, p)) goto err;
1368  if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1369  }
1370 
1371  /* rh := rh + b*Z^6 */
1372  if (!field_mul(group, tmp, &group->b, Z6, ctx)) goto err;
1373  if (!BN_mod_add_quick(rh, rh, tmp, p)) goto err;
1374  }
1375  else
1376  {
1377  /* point->Z_is_one */
1378 
1379  /* rh := (rh + a)*X */
1380  if (!BN_mod_add_quick(rh, rh, &group->a, p)) goto err;
1381  if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1382  /* rh := rh + b */
1383  if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err;
1384  }
1385 
1386  /* 'lh' := Y^2 */
1387  if (!field_sqr(group, tmp, &point->Y, ctx)) goto err;
1388 
1389  ret = (0 == BN_ucmp(tmp, rh));
1390 
1391  err:
1392  BN_CTX_end(ctx);
1393  if (new_ctx != NULL)
1394  BN_CTX_free(new_ctx);
1395  return ret;
1396  }
1397 
1398 
1399 int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
1400  {
1401  /* return values:
1402  * -1 error
1403  * 0 equal (in affine coordinates)
1404  * 1 not equal
1405  */
1406 
1407  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1408  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1409  BN_CTX *new_ctx = NULL;
1410  BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
1411  const BIGNUM *tmp1_, *tmp2_;
1412  int ret = -1;
1413 
1414  if (EC_POINT_is_at_infinity(group, a))
1415  {
1416  return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
1417  }
1418 
1419  if (a->Z_is_one && b->Z_is_one)
1420  {
1421  return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
1422  }
1423 
1424  field_mul = group->meth->field_mul;
1425  field_sqr = group->meth->field_sqr;
1426 
1427  if (ctx == NULL)
1428  {
1429  ctx = new_ctx = BN_CTX_new();
1430  if (ctx == NULL)
1431  return -1;
1432  }
1433 
1434  BN_CTX_start(ctx);
1435  tmp1 = BN_CTX_get(ctx);
1436  tmp2 = BN_CTX_get(ctx);
1437  Za23 = BN_CTX_get(ctx);
1438  Zb23 = BN_CTX_get(ctx);
1439  if (Zb23 == NULL) goto end;
1440 
1441  /* We have to decide whether
1442  * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
1443  * or equivalently, whether
1444  * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
1445  */
1446 
1447  if (!b->Z_is_one)
1448  {
1449  if (!field_sqr(group, Zb23, &b->Z, ctx)) goto end;
1450  if (!field_mul(group, tmp1, &a->X, Zb23, ctx)) goto end;
1451  tmp1_ = tmp1;
1452  }
1453  else
1454  tmp1_ = &a->X;
1455  if (!a->Z_is_one)
1456  {
1457  if (!field_sqr(group, Za23, &a->Z, ctx)) goto end;
1458  if (!field_mul(group, tmp2, &b->X, Za23, ctx)) goto end;
1459  tmp2_ = tmp2;
1460  }
1461  else
1462  tmp2_ = &b->X;
1463 
1464  /* compare X_a*Z_b^2 with X_b*Z_a^2 */
1465  if (BN_cmp(tmp1_, tmp2_) != 0)
1466  {
1467  ret = 1; /* points differ */
1468  goto end;
1469  }
1470 
1471 
1472  if (!b->Z_is_one)
1473  {
1474  if (!field_mul(group, Zb23, Zb23, &b->Z, ctx)) goto end;
1475  if (!field_mul(group, tmp1, &a->Y, Zb23, ctx)) goto end;
1476  /* tmp1_ = tmp1 */
1477  }
1478  else
1479  tmp1_ = &a->Y;
1480  if (!a->Z_is_one)
1481  {
1482  if (!field_mul(group, Za23, Za23, &a->Z, ctx)) goto end;
1483  if (!field_mul(group, tmp2, &b->Y, Za23, ctx)) goto end;
1484  /* tmp2_ = tmp2 */
1485  }
1486  else
1487  tmp2_ = &b->Y;
1488 
1489  /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
1490  if (BN_cmp(tmp1_, tmp2_) != 0)
1491  {
1492  ret = 1; /* points differ */
1493  goto end;
1494  }
1495 
1496  /* points are equal */
1497  ret = 0;
1498 
1499  end:
1500  BN_CTX_end(ctx);
1501  if (new_ctx != NULL)
1502  BN_CTX_free(new_ctx);
1503  return ret;
1504  }
1505 
1506 
1507 int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1508  {
1509  BN_CTX *new_ctx = NULL;
1510  BIGNUM *x, *y;
1511  int ret = 0;
1512 
1513  if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
1514  return 1;
1515 
1516  if (ctx == NULL)
1517  {
1518  ctx = new_ctx = BN_CTX_new();
1519  if (ctx == NULL)
1520  return 0;
1521  }
1522 
1523  BN_CTX_start(ctx);
1524  x = BN_CTX_get(ctx);
1525  y = BN_CTX_get(ctx);
1526  if (y == NULL) goto err;
1527 
1528  if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1529  if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1530  if (!point->Z_is_one)
1531  {
1532  ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
1533  goto err;
1534  }
1535 
1536  ret = 1;
1537 
1538  err:
1539  BN_CTX_end(ctx);
1540  if (new_ctx != NULL)
1541  BN_CTX_free(new_ctx);
1542  return ret;
1543  }
1544 
1545 
1546 int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
1547  {
1548  BN_CTX *new_ctx = NULL;
1549  BIGNUM *tmp0, *tmp1;
1550  size_t pow2 = 0;
1551  BIGNUM **heap = NULL;
1552  size_t i;
1553  int ret = 0;
1554 
1555  if (num == 0)
1556  return 1;
1557 
1558  if (ctx == NULL)
1559  {
1560  ctx = new_ctx = BN_CTX_new();
1561  if (ctx == NULL)
1562  return 0;
1563  }
1564 
1565  BN_CTX_start(ctx);
1566  tmp0 = BN_CTX_get(ctx);
1567  tmp1 = BN_CTX_get(ctx);
1568  if (tmp0 == NULL || tmp1 == NULL) goto err;
1569 
1570  /* Before converting the individual points, compute inverses of all Z values.
1571  * Modular inversion is rather slow, but luckily we can do with a single
1572  * explicit inversion, plus about 3 multiplications per input value.
1573  */
1574 
1575  pow2 = 1;
1576  while (num > pow2)
1577  pow2 <<= 1;
1578  /* Now pow2 is the smallest power of 2 satifsying pow2 >= num.
1579  * We need twice that. */
1580  pow2 <<= 1;
1581 
1582  heap = clBnAlloc("ec_GFp_simple_points_make_affine", pow2 * sizeof heap[0]);
1583  if (heap == NULL) goto err;
1584 
1585  /* The array is used as a binary tree, exactly as in heapsort:
1586  *
1587  * heap[1]
1588  * heap[2] heap[3]
1589  * heap[4] heap[5] heap[6] heap[7]
1590  * heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15]
1591  *
1592  * We put the Z's in the last line;
1593  * then we set each other node to the product of its two child-nodes (where
1594  * empty or 0 entries are treated as ones);
1595  * then we invert heap[1];
1596  * then we invert each other node by replacing it by the product of its
1597  * parent (after inversion) and its sibling (before inversion).
1598  */
1599  heap[0] = NULL;
1600  for (i = pow2/2 - 1; i > 0; i--)
1601  heap[i] = NULL;
1602  for (i = 0; i < num; i++)
1603  heap[pow2/2 + i] = &points[i]->Z;
1604  for (i = pow2/2 + num; i < pow2; i++)
1605  heap[i] = NULL;
1606 
1607  /* set each node to the product of its children */
1608  for (i = pow2/2 - 1; i > 0; i--)
1609  {
1610  heap[i] = BN_new();
1611  if (heap[i] == NULL) goto err;
1612 
1613  if (heap[2*i] != NULL)
1614  {
1615  if ((heap[2*i + 1] == NULL) || BN_is_zero(heap[2*i + 1]))
1616  {
1617  if (!BN_copy(heap[i], heap[2*i])) goto err;
1618  }
1619  else
1620  {
1621  if (BN_is_zero(heap[2*i]))
1622  {
1623  if (!BN_copy(heap[i], heap[2*i + 1])) goto err;
1624  }
1625  else
1626  {
1627  if (!group->meth->field_mul(group, heap[i],
1628  heap[2*i], heap[2*i + 1], ctx)) goto err;
1629  }
1630  }
1631  }
1632  }
1633 
1634  /* invert heap[1] */
1635  if (!BN_is_zero(heap[1]))
1636  {
1637  if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx))
1638  {
1639  ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
1640  goto err;
1641  }
1642  }
1643  if (group->meth->field_encode != 0)
1644  {
1645  /* in the Montgomery case, we just turned R*H (representing H)
1646  * into 1/(R*H), but we need R*(1/H) (representing 1/H);
1647  * i.e. we have need to multiply by the Montgomery factor twice */
1648  if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
1649  if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
1650  }
1651 
1652  /* set other heap[i]'s to their inverses */
1653  for (i = 2; i < pow2/2 + num; i += 2)
1654  {
1655  /* i is even */
1656  if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1]))
1657  {
1658  if (!group->meth->field_mul(group, tmp0, heap[i/2], heap[i + 1], ctx)) goto err;
1659  if (!group->meth->field_mul(group, tmp1, heap[i/2], heap[i], ctx)) goto err;
1660  if (!BN_copy(heap[i], tmp0)) goto err;
1661  if (!BN_copy(heap[i + 1], tmp1)) goto err;
1662  }
1663  else
1664  {
1665  if (!BN_copy(heap[i], heap[i/2])) goto err;
1666  }
1667  }
1668 
1669  /* we have replaced all non-zero Z's by their inverses, now fix up all the points */
1670  for (i = 0; i < num; i++)
1671  {
1672  EC_POINT *p = points[i];
1673 
1674  if (!BN_is_zero(&p->Z))
1675  {
1676  /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
1677 
1678  if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx)) goto err;
1679  if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx)) goto err;
1680 
1681  if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx)) goto err;
1682  if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx)) goto err;
1683 
1684  if (group->meth->field_set_to_one != 0)
1685  {
1686  if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err;
1687  }
1688  else
1689  {
1690  if (!BN_one(&p->Z)) goto err;
1691  }
1692  p->Z_is_one = 1;
1693  }
1694  }
1695 
1696  ret = 1;
1697 
1698  err:
1699  BN_CTX_end(ctx);
1700  if (new_ctx != NULL)
1701  BN_CTX_free(new_ctx);
1702  if (heap != NULL)
1703  {
1704  /* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */
1705  for (i = pow2/2 - 1; i > 0; i--)
1706  {
1707  if (heap[i] != NULL)
1708  BN_clear_free(heap[i]);
1709  }
1710  OPENSSL_free(heap);
1711  }
1712  return ret;
1713  }
1714 
1715 
1716 int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
1717  {
1718  return BN_mod_mul(r, a, b, &group->field, ctx);
1719  }
1720 
1721 
1722 int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
1723  {
1724  return BN_mod_sqr(r, a, &group->field, ctx);
1725  }
1726 
1727 #endif /* USE_ECDH || USE_ECDSA */
Generated on Thu Jan 10 2013 10:00:43 for cryptlib by   doxygen 1.8.2