2014-06-20 20:00:00 +01:00
|
|
|
|
/* Originally written by Bodo Moeller for the OpenSSL project.
|
|
|
|
|
|
* ====================================================================
|
|
|
|
|
|
* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
|
|
|
|
|
|
*
|
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
|
* are met:
|
|
|
|
|
|
*
|
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
|
*
|
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in
|
|
|
|
|
|
* the documentation and/or other materials provided with the
|
|
|
|
|
|
* distribution.
|
|
|
|
|
|
*
|
|
|
|
|
|
* 3. All advertising materials mentioning features or use of this
|
|
|
|
|
|
* software must display the following acknowledgment:
|
|
|
|
|
|
* "This product includes software developed by the OpenSSL Project
|
|
|
|
|
|
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
|
|
|
|
|
*
|
|
|
|
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
|
|
|
|
* endorse or promote products derived from this software without
|
|
|
|
|
|
* prior written permission. For written permission, please contact
|
|
|
|
|
|
* openssl-core@openssl.org.
|
|
|
|
|
|
*
|
|
|
|
|
|
* 5. Products derived from this software may not be called "OpenSSL"
|
|
|
|
|
|
* nor may "OpenSSL" appear in their names without prior written
|
|
|
|
|
|
* permission of the OpenSSL Project.
|
|
|
|
|
|
*
|
|
|
|
|
|
* 6. Redistributions of any form whatsoever must retain the following
|
|
|
|
|
|
* acknowledgment:
|
|
|
|
|
|
* "This product includes software developed by the OpenSSL Project
|
|
|
|
|
|
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
|
|
|
|
|
*
|
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
|
|
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
|
|
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
|
|
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
|
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
|
|
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
|
|
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
|
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
|
|
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
|
* ====================================================================
|
|
|
|
|
|
*
|
|
|
|
|
|
* This product includes cryptographic software written by Eric Young
|
|
|
|
|
|
* (eay@cryptsoft.com). This product includes software written by Tim
|
|
|
|
|
|
* Hudson (tjh@cryptsoft.com).
|
|
|
|
|
|
*
|
|
|
|
|
|
*/
|
|
|
|
|
|
/* ====================================================================
|
|
|
|
|
|
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
|
|
|
|
|
|
*
|
|
|
|
|
|
* Portions of the attached software ("Contribution") are developed by
|
|
|
|
|
|
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
|
|
|
|
|
|
*
|
|
|
|
|
|
* The Contribution is licensed pursuant to the OpenSSL open source
|
|
|
|
|
|
* license provided above.
|
|
|
|
|
|
*
|
|
|
|
|
|
* The elliptic curve binary polynomial software is originally written by
|
|
|
|
|
|
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
|
|
|
|
|
|
* Laboratories. */
|
|
|
|
|
|
|
|
|
|
|
|
#include <openssl/ec.h>
|
|
|
|
|
|
|
2015-11-03 22:02:04 +00:00
|
|
|
|
#include <assert.h>
|
2015-01-31 01:08:37 +00:00
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
|
#include <openssl/bn.h>
|
|
|
|
|
|
#include <openssl/err.h>
|
|
|
|
|
|
#include <openssl/mem.h>
|
2016-03-25 22:07:11 +00:00
|
|
|
|
#include <openssl/nid.h>
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
|
|
|
#include "internal.h"
|
2017-05-02 22:25:39 +01:00
|
|
|
|
#include "../../internal.h"
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
|
#include "../bn/internal.h"
|
2017-05-02 22:25:39 +01:00
|
|
|
|
#include "../delocate.h"
|
|
|
|
|
|
|
|
|
|
|
|
|
2017-10-26 20:48:18 +01:00
|
|
|
|
static void ec_point_free(EC_POINT *point, int free_group);
|
|
|
|
|
|
|
2017-06-21 19:37:22 +01:00
|
|
|
|
static const uint8_t kP224Params[6 * 28] = {
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// p
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
|
0x00, 0x00, 0x00, 0x01,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// a
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFE,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// b
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,
|
|
|
|
|
|
0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
|
|
|
|
|
|
0x23, 0x55, 0xFF, 0xB4,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// x
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,
|
|
|
|
|
|
0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
|
|
|
|
|
|
0x11, 0x5C, 0x1D, 0x21,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// y
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,
|
|
|
|
|
|
0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
|
|
|
|
|
|
0x85, 0x00, 0x7e, 0x34,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// order
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
|
|
|
|
|
|
0x5C, 0x5C, 0x2A, 0x3D,
|
2017-05-02 22:25:39 +01:00
|
|
|
|
};
|
|
|
|
|
|
|
2017-06-21 19:37:22 +01:00
|
|
|
|
static const uint8_t kP256Params[6 * 32] = {
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// p
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// a
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// b
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
|
|
|
|
|
|
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
|
|
|
|
|
|
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// x
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
|
|
|
|
|
|
0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
|
|
|
|
|
|
0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// y
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
|
|
|
|
|
|
0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
|
|
|
|
|
|
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// order
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
|
|
|
|
|
|
0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51,
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
static const uint8_t kP384Params[6 * 48] = {
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// p
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// a
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// b
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
|
|
|
|
|
|
0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
|
|
|
|
|
|
0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
|
|
|
|
|
|
0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// x
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
|
|
|
|
|
|
0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
|
|
|
|
|
|
0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
|
|
|
|
|
|
0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// y
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
|
|
|
|
|
|
0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
|
|
|
|
|
|
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
|
|
|
|
|
|
0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// order
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
|
|
|
|
|
|
0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73,
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
static const uint8_t kP521Params[6 * 66] = {
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// p
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// a
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// b
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
|
|
|
|
|
|
0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
|
|
|
|
|
|
0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
|
|
|
|
|
|
0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
|
|
|
|
|
|
0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
|
|
|
|
|
|
0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// x
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
|
|
|
|
|
|
0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
|
|
|
|
|
|
0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
|
|
|
|
|
|
0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
|
|
|
|
|
|
0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
|
|
|
|
|
|
0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// y
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
|
|
|
|
|
|
0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
|
|
|
|
|
|
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
|
|
|
|
|
|
0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
|
|
|
|
|
|
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
|
|
|
|
|
|
0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// order
|
2017-06-21 19:37:22 +01:00
|
|
|
|
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
|
|
|
|
|
|
0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
|
|
|
|
|
|
0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
|
|
|
|
|
|
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09,
|
|
|
|
|
|
};
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
2017-05-02 22:25:39 +01:00
|
|
|
|
DEFINE_METHOD_FUNCTION(struct built_in_curves, OPENSSL_built_in_curves) {
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// 1.3.132.0.35
|
2017-05-02 22:25:39 +01:00
|
|
|
|
static const uint8_t kOIDP521[] = {0x2b, 0x81, 0x04, 0x00, 0x23};
|
|
|
|
|
|
out->curves[0].nid = NID_secp521r1;
|
|
|
|
|
|
out->curves[0].oid = kOIDP521;
|
|
|
|
|
|
out->curves[0].oid_len = sizeof(kOIDP521);
|
2017-06-21 19:37:22 +01:00
|
|
|
|
out->curves[0].comment = "NIST P-521";
|
|
|
|
|
|
out->curves[0].param_len = 66;
|
|
|
|
|
|
out->curves[0].params = kP521Params;
|
2017-05-02 22:25:39 +01:00
|
|
|
|
out->curves[0].method = EC_GFp_mont_method();
|
|
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// 1.3.132.0.34
|
2017-05-02 22:25:39 +01:00
|
|
|
|
static const uint8_t kOIDP384[] = {0x2b, 0x81, 0x04, 0x00, 0x22};
|
|
|
|
|
|
out->curves[1].nid = NID_secp384r1;
|
|
|
|
|
|
out->curves[1].oid = kOIDP384;
|
|
|
|
|
|
out->curves[1].oid_len = sizeof(kOIDP384);
|
2017-06-21 19:37:22 +01:00
|
|
|
|
out->curves[1].comment = "NIST P-384";
|
|
|
|
|
|
out->curves[1].param_len = 48;
|
|
|
|
|
|
out->curves[1].params = kP384Params;
|
2017-05-02 22:25:39 +01:00
|
|
|
|
out->curves[1].method = EC_GFp_mont_method();
|
|
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// 1.2.840.10045.3.1.7
|
2017-05-02 22:25:39 +01:00
|
|
|
|
static const uint8_t kOIDP256[] = {0x2a, 0x86, 0x48, 0xce,
|
|
|
|
|
|
0x3d, 0x03, 0x01, 0x07};
|
|
|
|
|
|
out->curves[2].nid = NID_X9_62_prime256v1;
|
|
|
|
|
|
out->curves[2].oid = kOIDP256;
|
|
|
|
|
|
out->curves[2].oid_len = sizeof(kOIDP256);
|
2017-06-21 19:37:22 +01:00
|
|
|
|
out->curves[2].comment = "NIST P-256";
|
|
|
|
|
|
out->curves[2].param_len = 32;
|
|
|
|
|
|
out->curves[2].params = kP256Params;
|
2017-05-02 22:25:39 +01:00
|
|
|
|
out->curves[2].method =
|
2015-11-03 22:02:04 +00:00
|
|
|
|
#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
|
2017-12-08 02:11:24 +00:00
|
|
|
|
!defined(OPENSSL_SMALL)
|
2017-05-02 22:25:39 +01:00
|
|
|
|
EC_GFp_nistz256_method();
|
2015-11-03 22:02:04 +00:00
|
|
|
|
#else
|
2017-05-02 22:25:39 +01:00
|
|
|
|
EC_GFp_nistp256_method();
|
2015-10-07 01:49:40 +01:00
|
|
|
|
#endif
|
2017-05-02 22:25:39 +01:00
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// 1.3.132.0.33
|
2017-05-02 22:25:39 +01:00
|
|
|
|
static const uint8_t kOIDP224[] = {0x2b, 0x81, 0x04, 0x00, 0x21};
|
|
|
|
|
|
out->curves[3].nid = NID_secp224r1;
|
|
|
|
|
|
out->curves[3].oid = kOIDP224;
|
|
|
|
|
|
out->curves[3].oid_len = sizeof(kOIDP224);
|
2017-06-21 19:37:22 +01:00
|
|
|
|
out->curves[3].comment = "NIST P-224";
|
|
|
|
|
|
out->curves[3].param_len = 28;
|
|
|
|
|
|
out->curves[3].params = kP224Params;
|
2017-05-02 22:25:39 +01:00
|
|
|
|
out->curves[3].method =
|
2017-12-08 02:11:24 +00:00
|
|
|
|
#if defined(BORINGSSL_HAS_UINT128) && !defined(OPENSSL_SMALL)
|
2017-05-02 22:25:39 +01:00
|
|
|
|
EC_GFp_nistp224_method();
|
2015-04-14 20:07:44 +01:00
|
|
|
|
#else
|
2017-05-02 22:25:39 +01:00
|
|
|
|
EC_GFp_mont_method();
|
2015-04-14 20:07:44 +01:00
|
|
|
|
#endif
|
2017-05-02 22:25:39 +01:00
|
|
|
|
}
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
|
|
|
EC_GROUP *ec_group_new(const EC_METHOD *meth) {
|
|
|
|
|
|
EC_GROUP *ret;
|
|
|
|
|
|
|
|
|
|
|
|
if (meth == NULL) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_SLOT_FULL);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (meth->group_init == 0) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ret = OPENSSL_malloc(sizeof(EC_GROUP));
|
|
|
|
|
|
if (ret == NULL) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
2016-12-13 06:07:13 +00:00
|
|
|
|
OPENSSL_memset(ret, 0, sizeof(EC_GROUP));
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
2017-10-26 19:53:29 +01:00
|
|
|
|
ret->references = 1;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
ret->meth = meth;
|
|
|
|
|
|
BN_init(&ret->order);
|
|
|
|
|
|
|
|
|
|
|
|
if (!meth->group_init(ret)) {
|
|
|
|
|
|
OPENSSL_free(ret);
|
|
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-10-26 20:48:18 +01:00
|
|
|
|
static void ec_group_set0_generator(EC_GROUP *group, EC_POINT *generator) {
|
|
|
|
|
|
assert(group->generator == NULL);
|
|
|
|
|
|
assert(group == generator->group);
|
|
|
|
|
|
|
|
|
|
|
|
// Avoid a reference cycle. |group->generator| does not maintain an owning
|
|
|
|
|
|
// pointer to |group|.
|
|
|
|
|
|
group->generator = generator;
|
|
|
|
|
|
int is_zero = CRYPTO_refcount_dec_and_test_zero(&group->references);
|
|
|
|
|
|
|
|
|
|
|
|
assert(!is_zero);
|
|
|
|
|
|
(void)is_zero;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2016-03-11 21:08:39 +00:00
|
|
|
|
EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
|
|
|
|
|
|
const BIGNUM *b, BN_CTX *ctx) {
|
2018-11-09 23:14:15 +00:00
|
|
|
|
if (BN_num_bytes(p) > EC_MAX_BYTES) {
|
2017-11-11 03:37:40 +00:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD);
|
|
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-05-02 22:25:39 +01:00
|
|
|
|
EC_GROUP *ret = ec_group_new(EC_GFp_mont_method());
|
2014-06-20 20:00:00 +01:00
|
|
|
|
if (ret == NULL) {
|
|
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (ret->meth->group_set_curve == NULL) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
2017-10-26 20:48:18 +01:00
|
|
|
|
EC_GROUP_free(ret);
|
|
|
|
|
|
return NULL;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
if (!ret->meth->group_set_curve(ret, p, a, b, ctx)) {
|
|
|
|
|
|
EC_GROUP_free(ret);
|
|
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
return ret;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2016-03-11 21:08:39 +00:00
|
|
|
|
int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
|
|
|
|
|
|
const BIGNUM *order, const BIGNUM *cofactor) {
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (group->curve_name != NID_undef || group->generator != NULL ||
|
|
|
|
|
|
generator->group != group) {
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// |EC_GROUP_set_generator| may only be used with |EC_GROUP|s returned by
|
|
|
|
|
|
// |EC_GROUP_new_curve_GFp| and may only used once on each group.
|
2018-11-09 22:46:55 +00:00
|
|
|
|
// |generator| must have been created from |EC_GROUP_new_curve_GFp|, not a
|
|
|
|
|
|
// copy, so that |generator->group->generator| is set correctly.
|
2017-11-11 03:37:40 +00:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-11-09 23:14:15 +00:00
|
|
|
|
if (BN_num_bytes(order) > EC_MAX_BYTES) {
|
2018-04-21 06:27:29 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
|
2016-03-11 21:08:39 +00:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// Require a cofactor of one for custom curves, which implies prime order.
|
2016-06-16 19:58:36 +01:00
|
|
|
|
if (!BN_is_one(cofactor)) {
|
|
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COFACTOR);
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-11-11 03:37:40 +00:00
|
|
|
|
// Require that p < 2×order. This simplifies some ECDSA operations.
|
|
|
|
|
|
//
|
|
|
|
|
|
// Note any curve which did not satisfy this must have been invalid or use a
|
2017-11-14 00:15:28 +00:00
|
|
|
|
// tiny prime (less than 17). See the proof in |field_element_to_scalar| in
|
|
|
|
|
|
// the ECDSA implementation.
|
2018-11-09 22:46:55 +00:00
|
|
|
|
int ret = 0;
|
|
|
|
|
|
EC_POINT *copy = NULL;
|
2017-11-11 03:37:40 +00:00
|
|
|
|
BIGNUM *tmp = BN_new();
|
|
|
|
|
|
if (tmp == NULL ||
|
|
|
|
|
|
!BN_lshift1(tmp, order)) {
|
2018-11-09 22:46:55 +00:00
|
|
|
|
goto err;
|
2017-11-11 03:37:40 +00:00
|
|
|
|
}
|
2018-11-09 22:46:55 +00:00
|
|
|
|
if (BN_cmp(tmp, &group->field) <= 0) {
|
2017-11-11 03:37:40 +00:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
|
2018-11-09 22:46:55 +00:00
|
|
|
|
goto err;
|
2017-11-11 03:37:40 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2018-11-09 22:46:55 +00:00
|
|
|
|
copy = EC_POINT_new(group);
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (copy == NULL ||
|
|
|
|
|
|
!EC_POINT_copy(copy, generator) ||
|
|
|
|
|
|
!BN_copy(&group->order, order)) {
|
2018-11-09 22:46:55 +00:00
|
|
|
|
goto err;
|
2017-10-26 20:48:18 +01:00
|
|
|
|
}
|
2018-01-22 14:28:13 +00:00
|
|
|
|
// Store the order in minimal form, so it can be used with |BN_ULONG| arrays.
|
2018-01-15 10:23:24 +00:00
|
|
|
|
bn_set_minimal_width(&group->order);
|
2017-10-26 20:48:18 +01:00
|
|
|
|
|
2017-11-13 06:55:25 +00:00
|
|
|
|
BN_MONT_CTX_free(group->order_mont);
|
2018-01-23 22:03:26 +00:00
|
|
|
|
group->order_mont = BN_MONT_CTX_new_for_modulus(&group->order, NULL);
|
|
|
|
|
|
if (group->order_mont == NULL) {
|
2018-11-09 22:46:55 +00:00
|
|
|
|
goto err;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
group->field_greater_than_order = BN_cmp(&group->field, &group->order) > 0;
|
|
|
|
|
|
if (group->field_greater_than_order) {
|
|
|
|
|
|
if (!BN_sub(tmp, &group->field, &group->order) ||
|
|
|
|
|
|
!bn_copy_words(group->field_minus_order.words, group->field.width,
|
|
|
|
|
|
tmp)) {
|
|
|
|
|
|
goto err;
|
|
|
|
|
|
}
|
2017-11-13 06:55:25 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-10-26 20:48:18 +01:00
|
|
|
|
ec_group_set0_generator(group, copy);
|
2018-11-09 22:46:55 +00:00
|
|
|
|
copy = NULL;
|
|
|
|
|
|
ret = 1;
|
|
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
|
EC_POINT_free(copy);
|
|
|
|
|
|
BN_free(tmp);
|
|
|
|
|
|
return ret;
|
2016-03-11 21:08:39 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-11-13 06:55:25 +00:00
|
|
|
|
static EC_GROUP *ec_group_new_from_data(const struct built_in_curve *curve) {
|
2014-06-20 20:00:00 +01:00
|
|
|
|
EC_GROUP *group = NULL;
|
|
|
|
|
|
EC_POINT *P = NULL;
|
2015-04-19 03:54:36 +01:00
|
|
|
|
BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL;
|
2015-11-03 22:20:45 +00:00
|
|
|
|
int ok = 0;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
2015-11-03 22:02:04 +00:00
|
|
|
|
BN_CTX *ctx = BN_CTX_new();
|
|
|
|
|
|
if (ctx == NULL) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
goto err;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-06-21 19:37:22 +01:00
|
|
|
|
const unsigned param_len = curve->param_len;
|
|
|
|
|
|
const uint8_t *params = curve->params;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
|
|
|
if (!(p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) ||
|
|
|
|
|
|
!(a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) ||
|
|
|
|
|
|
!(b = BN_bin2bn(params + 2 * param_len, param_len, NULL))) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
goto err;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2016-08-14 21:41:27 +01:00
|
|
|
|
group = ec_group_new(curve->method);
|
|
|
|
|
|
if (group == NULL ||
|
|
|
|
|
|
!group->meth->group_set_curve(group, p, a, b, ctx)) {
|
|
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);
|
|
|
|
|
|
goto err;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if ((P = EC_POINT_new(group)) == NULL) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
goto err;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (!(x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) ||
|
|
|
|
|
|
!(y = BN_bin2bn(params + 4 * param_len, param_len, NULL))) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
goto err;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
goto err;
|
|
|
|
|
|
}
|
2016-06-17 01:40:18 +01:00
|
|
|
|
if (!BN_bin2bn(params + 5 * param_len, param_len, &group->order)) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
goto err;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-11-09 22:46:55 +00:00
|
|
|
|
group->field_greater_than_order = BN_cmp(&group->field, &group->order) > 0;
|
|
|
|
|
|
if (group->field_greater_than_order) {
|
|
|
|
|
|
if (!BN_sub(p, &group->field, &group->order) ||
|
|
|
|
|
|
!bn_copy_words(group->field_minus_order.words, group->field.width, p)) {
|
|
|
|
|
|
goto err;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-01-23 22:03:26 +00:00
|
|
|
|
group->order_mont = BN_MONT_CTX_new_for_modulus(&group->order, ctx);
|
|
|
|
|
|
if (group->order_mont == NULL) {
|
2017-11-13 06:55:25 +00:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
|
|
|
|
|
|
goto err;
|
2015-11-03 22:02:04 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-10-26 20:48:18 +01:00
|
|
|
|
ec_group_set0_generator(group, P);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
P = NULL;
|
|
|
|
|
|
ok = 1;
|
|
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
|
if (!ok) {
|
|
|
|
|
|
EC_GROUP_free(group);
|
|
|
|
|
|
group = NULL;
|
|
|
|
|
|
}
|
2015-04-22 20:08:19 +01:00
|
|
|
|
EC_POINT_free(P);
|
|
|
|
|
|
BN_CTX_free(ctx);
|
|
|
|
|
|
BN_free(p);
|
|
|
|
|
|
BN_free(a);
|
|
|
|
|
|
BN_free(b);
|
|
|
|
|
|
BN_free(x);
|
|
|
|
|
|
BN_free(y);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return group;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-11-13 06:55:25 +00:00
|
|
|
|
// Built-in groups are allocated lazily and static once allocated.
|
|
|
|
|
|
// TODO(davidben): Make these actually static. https://crbug.com/boringssl/20.
|
|
|
|
|
|
struct built_in_groups_st {
|
|
|
|
|
|
EC_GROUP *groups[OPENSSL_NUM_BUILT_IN_CURVES];
|
|
|
|
|
|
};
|
|
|
|
|
|
DEFINE_BSS_GET(struct built_in_groups_st, built_in_groups);
|
|
|
|
|
|
DEFINE_STATIC_MUTEX(built_in_groups_lock);
|
|
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
|
EC_GROUP *EC_GROUP_new_by_curve_name(int nid) {
|
2017-11-13 06:55:25 +00:00
|
|
|
|
struct built_in_groups_st *groups = built_in_groups_bss_get();
|
|
|
|
|
|
EC_GROUP **group_ptr = NULL;
|
2017-05-02 22:25:39 +01:00
|
|
|
|
const struct built_in_curves *const curves = OPENSSL_built_in_curves();
|
2017-11-13 06:55:25 +00:00
|
|
|
|
const struct built_in_curve *curve = NULL;
|
2017-05-02 22:25:39 +01:00
|
|
|
|
for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) {
|
2017-11-13 06:55:25 +00:00
|
|
|
|
if (curves->curves[i].nid == nid) {
|
|
|
|
|
|
curve = &curves->curves[i];
|
|
|
|
|
|
group_ptr = &groups->groups[i];
|
2014-06-20 20:00:00 +01:00
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-11-13 06:55:25 +00:00
|
|
|
|
if (curve == NULL) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-11-13 06:55:25 +00:00
|
|
|
|
CRYPTO_STATIC_MUTEX_lock_read(built_in_groups_lock_bss_get());
|
|
|
|
|
|
EC_GROUP *ret = *group_ptr;
|
|
|
|
|
|
CRYPTO_STATIC_MUTEX_unlock_read(built_in_groups_lock_bss_get());
|
|
|
|
|
|
if (ret != NULL) {
|
|
|
|
|
|
return ret;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ret = ec_group_new_from_data(curve);
|
|
|
|
|
|
if (ret == NULL) {
|
|
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
EC_GROUP *to_free = NULL;
|
|
|
|
|
|
CRYPTO_STATIC_MUTEX_lock_write(built_in_groups_lock_bss_get());
|
|
|
|
|
|
if (*group_ptr == NULL) {
|
|
|
|
|
|
*group_ptr = ret;
|
|
|
|
|
|
// Filling in |ret->curve_name| makes |EC_GROUP_free| and |EC_GROUP_dup|
|
|
|
|
|
|
// into no-ops. At this point, |ret| is considered static.
|
|
|
|
|
|
ret->curve_name = nid;
|
|
|
|
|
|
} else {
|
|
|
|
|
|
to_free = ret;
|
|
|
|
|
|
ret = *group_ptr;
|
|
|
|
|
|
}
|
|
|
|
|
|
CRYPTO_STATIC_MUTEX_unlock_write(built_in_groups_lock_bss_get());
|
|
|
|
|
|
|
|
|
|
|
|
EC_GROUP_free(to_free);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return ret;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void EC_GROUP_free(EC_GROUP *group) {
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (group == NULL ||
|
2017-11-13 06:55:25 +00:00
|
|
|
|
// Built-in curves are static.
|
|
|
|
|
|
group->curve_name != NID_undef ||
|
2017-10-26 19:53:29 +01:00
|
|
|
|
!CRYPTO_refcount_dec_and_test_zero(&group->references)) {
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-10-26 19:53:29 +01:00
|
|
|
|
if (group->meth->group_finish != NULL) {
|
2014-06-20 20:00:00 +01:00
|
|
|
|
group->meth->group_finish(group);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-10-26 20:48:18 +01:00
|
|
|
|
ec_point_free(group->generator, 0 /* don't free group */);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
BN_free(&group->order);
|
2017-11-13 06:55:25 +00:00
|
|
|
|
BN_MONT_CTX_free(group->order_mont);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
|
|
|
OPENSSL_free(group);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
EC_GROUP *EC_GROUP_dup(const EC_GROUP *a) {
|
2017-11-13 06:55:25 +00:00
|
|
|
|
if (a == NULL ||
|
|
|
|
|
|
// Built-in curves are static.
|
|
|
|
|
|
a->curve_name != NID_undef) {
|
|
|
|
|
|
return (EC_GROUP *)a;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-10-26 19:53:29 +01:00
|
|
|
|
// Groups are logically immutable (but for |EC_GROUP_set_generator| which must
|
|
|
|
|
|
// be called early on), so we simply take a reference.
|
|
|
|
|
|
EC_GROUP *group = (EC_GROUP *)a;
|
|
|
|
|
|
CRYPTO_refcount_inc(&group->references);
|
|
|
|
|
|
return group;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2015-02-13 18:47:56 +00:00
|
|
|
|
int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ignored) {
|
2017-10-26 20:48:18 +01:00
|
|
|
|
// Note this function returns 0 if equal and non-zero otherwise.
|
|
|
|
|
|
if (a == b) {
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
if (a->curve_name != b->curve_name) {
|
|
|
|
|
|
return 1;
|
|
|
|
|
|
}
|
|
|
|
|
|
if (a->curve_name != NID_undef) {
|
|
|
|
|
|
// Built-in curves may be compared by curve name alone.
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// |a| and |b| are both custom curves. We compare the entire curve
|
|
|
|
|
|
// structure. If |a| or |b| is incomplete (due to legacy OpenSSL mistakes,
|
|
|
|
|
|
// custom curve construction is sadly done in two parts) but otherwise not the
|
|
|
|
|
|
// same object, we consider them always unequal.
|
Add EC_FELEM for EC_POINTs and related temporaries.
This introduces EC_FELEM, which is analogous to EC_SCALAR. It is used
for EC_POINT's representation in the generic EC_METHOD, as well as
random operations on tuned EC_METHODs that still are implemented
genericly.
Unlike EC_SCALAR, EC_FELEM's exact representation is awkwardly specific
to the EC_METHOD, analogous to how the old values were BIGNUMs but may
or may not have been in Montgomery form. This is kind of a nuisance, but
no more than before. (If p224-64.c were easily convertable to Montgomery
form, we could say |EC_FELEM| is always in Montgomery form. If we
exposed the internal add and double implementations in each of the
curves, we could give |EC_POINT| an |EC_METHOD|-specific representation
and |EC_FELEM| is purely a |EC_GFp_mont_method| type. I'll leave this
for later.)
The generic add and doubling formulas are aligned with the formulas
proved in fiat-crypto. Those only applied to a = -3, so I've proved a
generic one in https://github.com/mit-plv/fiat-crypto/pull/356, in case
someone uses a custom curve. The new formulas are verified,
constant-time, and swap a multiply for a square. As expressed in
fiat-crypto they do use more temporaries, but this seems to be fine with
stack-allocated EC_FELEMs. (We can try to help the compiler later,
but benchamrks below suggest this isn't necessary.)
Unlike BIGNUM, EC_FELEM can be stack-allocated. It also captures the
bounds in the type system and, in particular, that the width is correct,
which will make it easier to select a point in constant-time in the
future. (Indeed the old code did not always have the correct width. Its
point formula involved halving and implemented this in variable time and
variable width.)
Before:
Did 77274 ECDH P-256 operations in 10046087us (7692.0 ops/sec)
Did 5959 ECDH P-384 operations in 10031701us (594.0 ops/sec)
Did 10815 ECDSA P-384 signing operations in 10087892us (1072.1 ops/sec)
Did 8976 ECDSA P-384 verify operations in 10071038us (891.3 ops/sec)
Did 2600 ECDH P-521 operations in 10091688us (257.6 ops/sec)
Did 4590 ECDSA P-521 signing operations in 10055195us (456.5 ops/sec)
Did 3811 ECDSA P-521 verify operations in 10003574us (381.0 ops/sec)
After:
Did 77736 ECDH P-256 operations in 10029858us (7750.5 ops/sec) [+0.8%]
Did 7519 ECDH P-384 operations in 10068076us (746.8 ops/sec) [+25.7%]
Did 13335 ECDSA P-384 signing operations in 10029962us (1329.5 ops/sec) [+24.0%]
Did 11021 ECDSA P-384 verify operations in 10088600us (1092.4 ops/sec) [+22.6%]
Did 2912 ECDH P-521 operations in 10001325us (291.2 ops/sec) [+13.0%]
Did 5150 ECDSA P-521 signing operations in 10027462us (513.6 ops/sec) [+12.5%]
Did 4264 ECDSA P-521 verify operations in 10069694us (423.4 ops/sec) [+11.1%]
This more than pays for removing points_make_affine previously and even
speeds up ECDH P-256 slightly. (The point-on-curve check uses the
generic code.)
Next is to push the stack-allocating up to ec_wNAF_mul, followed by a
constant-time single-point multiplication.
Bug: 239
Change-Id: I44a2dff7c52522e491d0f8cffff64c4ab5cd353c
Reviewed-on: https://boringssl-review.googlesource.com/27668
Reviewed-by: Adam Langley <agl@google.com>
2018-04-23 02:39:34 +01:00
|
|
|
|
return a->meth != b->meth ||
|
|
|
|
|
|
a->generator == NULL ||
|
2017-10-26 20:48:18 +01:00
|
|
|
|
b->generator == NULL ||
|
|
|
|
|
|
BN_cmp(&a->order, &b->order) != 0 ||
|
|
|
|
|
|
BN_cmp(&a->field, &b->field) != 0 ||
|
Add EC_FELEM for EC_POINTs and related temporaries.
This introduces EC_FELEM, which is analogous to EC_SCALAR. It is used
for EC_POINT's representation in the generic EC_METHOD, as well as
random operations on tuned EC_METHODs that still are implemented
genericly.
Unlike EC_SCALAR, EC_FELEM's exact representation is awkwardly specific
to the EC_METHOD, analogous to how the old values were BIGNUMs but may
or may not have been in Montgomery form. This is kind of a nuisance, but
no more than before. (If p224-64.c were easily convertable to Montgomery
form, we could say |EC_FELEM| is always in Montgomery form. If we
exposed the internal add and double implementations in each of the
curves, we could give |EC_POINT| an |EC_METHOD|-specific representation
and |EC_FELEM| is purely a |EC_GFp_mont_method| type. I'll leave this
for later.)
The generic add and doubling formulas are aligned with the formulas
proved in fiat-crypto. Those only applied to a = -3, so I've proved a
generic one in https://github.com/mit-plv/fiat-crypto/pull/356, in case
someone uses a custom curve. The new formulas are verified,
constant-time, and swap a multiply for a square. As expressed in
fiat-crypto they do use more temporaries, but this seems to be fine with
stack-allocated EC_FELEMs. (We can try to help the compiler later,
but benchamrks below suggest this isn't necessary.)
Unlike BIGNUM, EC_FELEM can be stack-allocated. It also captures the
bounds in the type system and, in particular, that the width is correct,
which will make it easier to select a point in constant-time in the
future. (Indeed the old code did not always have the correct width. Its
point formula involved halving and implemented this in variable time and
variable width.)
Before:
Did 77274 ECDH P-256 operations in 10046087us (7692.0 ops/sec)
Did 5959 ECDH P-384 operations in 10031701us (594.0 ops/sec)
Did 10815 ECDSA P-384 signing operations in 10087892us (1072.1 ops/sec)
Did 8976 ECDSA P-384 verify operations in 10071038us (891.3 ops/sec)
Did 2600 ECDH P-521 operations in 10091688us (257.6 ops/sec)
Did 4590 ECDSA P-521 signing operations in 10055195us (456.5 ops/sec)
Did 3811 ECDSA P-521 verify operations in 10003574us (381.0 ops/sec)
After:
Did 77736 ECDH P-256 operations in 10029858us (7750.5 ops/sec) [+0.8%]
Did 7519 ECDH P-384 operations in 10068076us (746.8 ops/sec) [+25.7%]
Did 13335 ECDSA P-384 signing operations in 10029962us (1329.5 ops/sec) [+24.0%]
Did 11021 ECDSA P-384 verify operations in 10088600us (1092.4 ops/sec) [+22.6%]
Did 2912 ECDH P-521 operations in 10001325us (291.2 ops/sec) [+13.0%]
Did 5150 ECDSA P-521 signing operations in 10027462us (513.6 ops/sec) [+12.5%]
Did 4264 ECDSA P-521 verify operations in 10069694us (423.4 ops/sec) [+11.1%]
This more than pays for removing points_make_affine previously and even
speeds up ECDH P-256 slightly. (The point-on-curve check uses the
generic code.)
Next is to push the stack-allocating up to ec_wNAF_mul, followed by a
constant-time single-point multiplication.
Bug: 239
Change-Id: I44a2dff7c52522e491d0f8cffff64c4ab5cd353c
Reviewed-on: https://boringssl-review.googlesource.com/27668
Reviewed-by: Adam Langley <agl@google.com>
2018-04-23 02:39:34 +01:00
|
|
|
|
!ec_felem_equal(a, &a->a, &b->a) ||
|
|
|
|
|
|
!ec_felem_equal(a, &a->b, &b->b) ||
|
2018-04-25 03:53:07 +01:00
|
|
|
|
ec_GFp_simple_cmp(a, &a->generator->raw, &b->generator->raw) != 0;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) {
|
|
|
|
|
|
return group->generator;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2015-11-19 03:07:14 +00:00
|
|
|
|
const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group) {
|
|
|
|
|
|
assert(!BN_is_zero(&group->order));
|
|
|
|
|
|
return &group->order;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
|
int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) {
|
2015-11-19 03:07:14 +00:00
|
|
|
|
if (BN_copy(order, EC_GROUP_get0_order(group)) == NULL) {
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
2015-11-19 03:07:14 +00:00
|
|
|
|
return 1;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2018-12-19 22:42:26 +00:00
|
|
|
|
int EC_GROUP_order_bits(const EC_GROUP *group) {
|
|
|
|
|
|
return BN_num_bits(&group->order);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
|
int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor,
|
|
|
|
|
|
BN_CTX *ctx) {
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// All |EC_GROUP|s have cofactor 1.
|
2016-06-17 01:40:18 +01:00
|
|
|
|
return BN_set_word(cofactor, 1);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2014-08-22 20:24:16 +01:00
|
|
|
|
int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *out_p, BIGNUM *out_a,
|
|
|
|
|
|
BIGNUM *out_b, BN_CTX *ctx) {
|
Add EC_FELEM for EC_POINTs and related temporaries.
This introduces EC_FELEM, which is analogous to EC_SCALAR. It is used
for EC_POINT's representation in the generic EC_METHOD, as well as
random operations on tuned EC_METHODs that still are implemented
genericly.
Unlike EC_SCALAR, EC_FELEM's exact representation is awkwardly specific
to the EC_METHOD, analogous to how the old values were BIGNUMs but may
or may not have been in Montgomery form. This is kind of a nuisance, but
no more than before. (If p224-64.c were easily convertable to Montgomery
form, we could say |EC_FELEM| is always in Montgomery form. If we
exposed the internal add and double implementations in each of the
curves, we could give |EC_POINT| an |EC_METHOD|-specific representation
and |EC_FELEM| is purely a |EC_GFp_mont_method| type. I'll leave this
for later.)
The generic add and doubling formulas are aligned with the formulas
proved in fiat-crypto. Those only applied to a = -3, so I've proved a
generic one in https://github.com/mit-plv/fiat-crypto/pull/356, in case
someone uses a custom curve. The new formulas are verified,
constant-time, and swap a multiply for a square. As expressed in
fiat-crypto they do use more temporaries, but this seems to be fine with
stack-allocated EC_FELEMs. (We can try to help the compiler later,
but benchamrks below suggest this isn't necessary.)
Unlike BIGNUM, EC_FELEM can be stack-allocated. It also captures the
bounds in the type system and, in particular, that the width is correct,
which will make it easier to select a point in constant-time in the
future. (Indeed the old code did not always have the correct width. Its
point formula involved halving and implemented this in variable time and
variable width.)
Before:
Did 77274 ECDH P-256 operations in 10046087us (7692.0 ops/sec)
Did 5959 ECDH P-384 operations in 10031701us (594.0 ops/sec)
Did 10815 ECDSA P-384 signing operations in 10087892us (1072.1 ops/sec)
Did 8976 ECDSA P-384 verify operations in 10071038us (891.3 ops/sec)
Did 2600 ECDH P-521 operations in 10091688us (257.6 ops/sec)
Did 4590 ECDSA P-521 signing operations in 10055195us (456.5 ops/sec)
Did 3811 ECDSA P-521 verify operations in 10003574us (381.0 ops/sec)
After:
Did 77736 ECDH P-256 operations in 10029858us (7750.5 ops/sec) [+0.8%]
Did 7519 ECDH P-384 operations in 10068076us (746.8 ops/sec) [+25.7%]
Did 13335 ECDSA P-384 signing operations in 10029962us (1329.5 ops/sec) [+24.0%]
Did 11021 ECDSA P-384 verify operations in 10088600us (1092.4 ops/sec) [+22.6%]
Did 2912 ECDH P-521 operations in 10001325us (291.2 ops/sec) [+13.0%]
Did 5150 ECDSA P-521 signing operations in 10027462us (513.6 ops/sec) [+12.5%]
Did 4264 ECDSA P-521 verify operations in 10069694us (423.4 ops/sec) [+11.1%]
This more than pays for removing points_make_affine previously and even
speeds up ECDH P-256 slightly. (The point-on-curve check uses the
generic code.)
Next is to push the stack-allocating up to ec_wNAF_mul, followed by a
constant-time single-point multiplication.
Bug: 239
Change-Id: I44a2dff7c52522e491d0f8cffff64c4ab5cd353c
Reviewed-on: https://boringssl-review.googlesource.com/27668
Reviewed-by: Adam Langley <agl@google.com>
2018-04-23 02:39:34 +01:00
|
|
|
|
return ec_GFp_simple_group_get_curve(group, out_p, out_a, out_b);
|
2014-08-22 20:24:16 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
|
int EC_GROUP_get_curve_name(const EC_GROUP *group) { return group->curve_name; }
|
|
|
|
|
|
|
2015-10-09 04:10:15 +01:00
|
|
|
|
unsigned EC_GROUP_get_degree(const EC_GROUP *group) {
|
2018-11-06 00:55:02 +00:00
|
|
|
|
return BN_num_bits(&group->field);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2018-05-08 01:38:20 +01:00
|
|
|
|
const char *EC_curve_nid2nist(int nid) {
|
|
|
|
|
|
switch (nid) {
|
|
|
|
|
|
case NID_secp224r1:
|
|
|
|
|
|
return "P-224";
|
|
|
|
|
|
case NID_X9_62_prime256v1:
|
|
|
|
|
|
return "P-256";
|
|
|
|
|
|
case NID_secp384r1:
|
|
|
|
|
|
return "P-384";
|
|
|
|
|
|
case NID_secp521r1:
|
|
|
|
|
|
return "P-521";
|
|
|
|
|
|
}
|
|
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-01-25 04:44:22 +00:00
|
|
|
|
int EC_curve_nist2nid(const char *name) {
|
|
|
|
|
|
if (strcmp(name, "P-224") == 0) {
|
|
|
|
|
|
return NID_secp224r1;
|
|
|
|
|
|
}
|
|
|
|
|
|
if (strcmp(name, "P-256") == 0) {
|
|
|
|
|
|
return NID_X9_62_prime256v1;
|
|
|
|
|
|
}
|
|
|
|
|
|
if (strcmp(name, "P-384") == 0) {
|
|
|
|
|
|
return NID_secp384r1;
|
|
|
|
|
|
}
|
|
|
|
|
|
if (strcmp(name, "P-521") == 0) {
|
|
|
|
|
|
return NID_secp521r1;
|
|
|
|
|
|
}
|
|
|
|
|
|
return NID_undef;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
|
EC_POINT *EC_POINT_new(const EC_GROUP *group) {
|
|
|
|
|
|
if (group == NULL) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-24 03:55:35 +01:00
|
|
|
|
EC_POINT *ret = OPENSSL_malloc(sizeof *ret);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
if (ret == NULL) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-10-26 20:48:18 +01:00
|
|
|
|
ret->group = EC_GROUP_dup(group);
|
2018-04-25 03:53:07 +01:00
|
|
|
|
ec_GFp_simple_point_init(&ret->raw);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return ret;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-10-26 20:48:18 +01:00
|
|
|
|
static void ec_point_free(EC_POINT *point, int free_group) {
|
2014-06-20 20:00:00 +01:00
|
|
|
|
if (!point) {
|
|
|
|
|
|
return;
|
|
|
|
|
|
}
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (free_group) {
|
|
|
|
|
|
EC_GROUP_free(point->group);
|
|
|
|
|
|
}
|
2014-06-20 20:00:00 +01:00
|
|
|
|
OPENSSL_free(point);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-10-26 20:48:18 +01:00
|
|
|
|
void EC_POINT_free(EC_POINT *point) {
|
|
|
|
|
|
ec_point_free(point, 1 /* free group */);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-10-27 02:13:16 +01:00
|
|
|
|
void EC_POINT_clear_free(EC_POINT *point) { EC_POINT_free(point); }
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
|
|
|
int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src) {
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (EC_GROUP_cmp(dest->group, src->group, NULL) != 0) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
if (dest == src) {
|
|
|
|
|
|
return 1;
|
|
|
|
|
|
}
|
2018-04-25 03:53:07 +01:00
|
|
|
|
ec_GFp_simple_point_copy(&dest->raw, &src->raw);
|
Add EC_FELEM for EC_POINTs and related temporaries.
This introduces EC_FELEM, which is analogous to EC_SCALAR. It is used
for EC_POINT's representation in the generic EC_METHOD, as well as
random operations on tuned EC_METHODs that still are implemented
genericly.
Unlike EC_SCALAR, EC_FELEM's exact representation is awkwardly specific
to the EC_METHOD, analogous to how the old values were BIGNUMs but may
or may not have been in Montgomery form. This is kind of a nuisance, but
no more than before. (If p224-64.c were easily convertable to Montgomery
form, we could say |EC_FELEM| is always in Montgomery form. If we
exposed the internal add and double implementations in each of the
curves, we could give |EC_POINT| an |EC_METHOD|-specific representation
and |EC_FELEM| is purely a |EC_GFp_mont_method| type. I'll leave this
for later.)
The generic add and doubling formulas are aligned with the formulas
proved in fiat-crypto. Those only applied to a = -3, so I've proved a
generic one in https://github.com/mit-plv/fiat-crypto/pull/356, in case
someone uses a custom curve. The new formulas are verified,
constant-time, and swap a multiply for a square. As expressed in
fiat-crypto they do use more temporaries, but this seems to be fine with
stack-allocated EC_FELEMs. (We can try to help the compiler later,
but benchamrks below suggest this isn't necessary.)
Unlike BIGNUM, EC_FELEM can be stack-allocated. It also captures the
bounds in the type system and, in particular, that the width is correct,
which will make it easier to select a point in constant-time in the
future. (Indeed the old code did not always have the correct width. Its
point formula involved halving and implemented this in variable time and
variable width.)
Before:
Did 77274 ECDH P-256 operations in 10046087us (7692.0 ops/sec)
Did 5959 ECDH P-384 operations in 10031701us (594.0 ops/sec)
Did 10815 ECDSA P-384 signing operations in 10087892us (1072.1 ops/sec)
Did 8976 ECDSA P-384 verify operations in 10071038us (891.3 ops/sec)
Did 2600 ECDH P-521 operations in 10091688us (257.6 ops/sec)
Did 4590 ECDSA P-521 signing operations in 10055195us (456.5 ops/sec)
Did 3811 ECDSA P-521 verify operations in 10003574us (381.0 ops/sec)
After:
Did 77736 ECDH P-256 operations in 10029858us (7750.5 ops/sec) [+0.8%]
Did 7519 ECDH P-384 operations in 10068076us (746.8 ops/sec) [+25.7%]
Did 13335 ECDSA P-384 signing operations in 10029962us (1329.5 ops/sec) [+24.0%]
Did 11021 ECDSA P-384 verify operations in 10088600us (1092.4 ops/sec) [+22.6%]
Did 2912 ECDH P-521 operations in 10001325us (291.2 ops/sec) [+13.0%]
Did 5150 ECDSA P-521 signing operations in 10027462us (513.6 ops/sec) [+12.5%]
Did 4264 ECDSA P-521 verify operations in 10069694us (423.4 ops/sec) [+11.1%]
This more than pays for removing points_make_affine previously and even
speeds up ECDH P-256 slightly. (The point-on-curve check uses the
generic code.)
Next is to push the stack-allocating up to ec_wNAF_mul, followed by a
constant-time single-point multiplication.
Bug: 239
Change-Id: I44a2dff7c52522e491d0f8cffff64c4ab5cd353c
Reviewed-on: https://boringssl-review.googlesource.com/27668
Reviewed-by: Adam Langley <agl@google.com>
2018-04-23 02:39:34 +01:00
|
|
|
|
return 1;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
EC_POINT *EC_POINT_dup(const EC_POINT *a, const EC_GROUP *group) {
|
|
|
|
|
|
if (a == NULL) {
|
|
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2016-08-07 18:34:29 +01:00
|
|
|
|
EC_POINT *ret = EC_POINT_new(group);
|
|
|
|
|
|
if (ret == NULL ||
|
|
|
|
|
|
!EC_POINT_copy(ret, a)) {
|
|
|
|
|
|
EC_POINT_free(ret);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return NULL;
|
|
|
|
|
|
}
|
2016-08-07 18:34:29 +01:00
|
|
|
|
|
|
|
|
|
|
return ret;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point) {
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (EC_GROUP_cmp(group, point->group, NULL) != 0) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
2018-04-25 03:53:07 +01:00
|
|
|
|
ec_GFp_simple_point_set_to_infinity(group, &point->raw);
|
Add EC_FELEM for EC_POINTs and related temporaries.
This introduces EC_FELEM, which is analogous to EC_SCALAR. It is used
for EC_POINT's representation in the generic EC_METHOD, as well as
random operations on tuned EC_METHODs that still are implemented
genericly.
Unlike EC_SCALAR, EC_FELEM's exact representation is awkwardly specific
to the EC_METHOD, analogous to how the old values were BIGNUMs but may
or may not have been in Montgomery form. This is kind of a nuisance, but
no more than before. (If p224-64.c were easily convertable to Montgomery
form, we could say |EC_FELEM| is always in Montgomery form. If we
exposed the internal add and double implementations in each of the
curves, we could give |EC_POINT| an |EC_METHOD|-specific representation
and |EC_FELEM| is purely a |EC_GFp_mont_method| type. I'll leave this
for later.)
The generic add and doubling formulas are aligned with the formulas
proved in fiat-crypto. Those only applied to a = -3, so I've proved a
generic one in https://github.com/mit-plv/fiat-crypto/pull/356, in case
someone uses a custom curve. The new formulas are verified,
constant-time, and swap a multiply for a square. As expressed in
fiat-crypto they do use more temporaries, but this seems to be fine with
stack-allocated EC_FELEMs. (We can try to help the compiler later,
but benchamrks below suggest this isn't necessary.)
Unlike BIGNUM, EC_FELEM can be stack-allocated. It also captures the
bounds in the type system and, in particular, that the width is correct,
which will make it easier to select a point in constant-time in the
future. (Indeed the old code did not always have the correct width. Its
point formula involved halving and implemented this in variable time and
variable width.)
Before:
Did 77274 ECDH P-256 operations in 10046087us (7692.0 ops/sec)
Did 5959 ECDH P-384 operations in 10031701us (594.0 ops/sec)
Did 10815 ECDSA P-384 signing operations in 10087892us (1072.1 ops/sec)
Did 8976 ECDSA P-384 verify operations in 10071038us (891.3 ops/sec)
Did 2600 ECDH P-521 operations in 10091688us (257.6 ops/sec)
Did 4590 ECDSA P-521 signing operations in 10055195us (456.5 ops/sec)
Did 3811 ECDSA P-521 verify operations in 10003574us (381.0 ops/sec)
After:
Did 77736 ECDH P-256 operations in 10029858us (7750.5 ops/sec) [+0.8%]
Did 7519 ECDH P-384 operations in 10068076us (746.8 ops/sec) [+25.7%]
Did 13335 ECDSA P-384 signing operations in 10029962us (1329.5 ops/sec) [+24.0%]
Did 11021 ECDSA P-384 verify operations in 10088600us (1092.4 ops/sec) [+22.6%]
Did 2912 ECDH P-521 operations in 10001325us (291.2 ops/sec) [+13.0%]
Did 5150 ECDSA P-521 signing operations in 10027462us (513.6 ops/sec) [+12.5%]
Did 4264 ECDSA P-521 verify operations in 10069694us (423.4 ops/sec) [+11.1%]
This more than pays for removing points_make_affine previously and even
speeds up ECDH P-256 slightly. (The point-on-curve check uses the
generic code.)
Next is to push the stack-allocating up to ec_wNAF_mul, followed by a
constant-time single-point multiplication.
Bug: 239
Change-Id: I44a2dff7c52522e491d0f8cffff64c4ab5cd353c
Reviewed-on: https://boringssl-review.googlesource.com/27668
Reviewed-by: Adam Langley <agl@google.com>
2018-04-23 02:39:34 +01:00
|
|
|
|
return 1;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) {
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (EC_GROUP_cmp(group, point->group, NULL) != 0) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
2018-04-25 03:53:07 +01:00
|
|
|
|
return ec_GFp_simple_is_at_infinity(group, &point->raw);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
|
|
|
|
|
|
BN_CTX *ctx) {
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (EC_GROUP_cmp(group, point->group, NULL) != 0) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
2018-04-25 03:53:07 +01:00
|
|
|
|
return ec_GFp_simple_is_on_curve(group, &point->raw);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b,
|
|
|
|
|
|
BN_CTX *ctx) {
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (EC_GROUP_cmp(group, a->group, NULL) != 0 ||
|
|
|
|
|
|
EC_GROUP_cmp(group, b->group, NULL) != 0) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return -1;
|
|
|
|
|
|
}
|
2018-04-25 03:53:07 +01:00
|
|
|
|
return ec_GFp_simple_cmp(group, &a->raw, &b->raw);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
|
|
|
|
|
|
const EC_POINT *point, BIGNUM *x,
|
|
|
|
|
|
BIGNUM *y, BN_CTX *ctx) {
|
|
|
|
|
|
if (group->meth->point_get_affine_coordinates == 0) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (EC_GROUP_cmp(group, point->group, NULL) != 0) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
2018-11-09 00:31:58 +00:00
|
|
|
|
EC_FELEM x_felem, y_felem;
|
|
|
|
|
|
if (!group->meth->point_get_affine_coordinates(group, &point->raw,
|
|
|
|
|
|
x == NULL ? NULL : &x_felem,
|
|
|
|
|
|
y == NULL ? NULL : &y_felem) ||
|
|
|
|
|
|
(x != NULL && !bn_set_words(x, x_felem.words, group->field.width)) ||
|
|
|
|
|
|
(y != NULL && !bn_set_words(y, y_felem.words, group->field.width))) {
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
return 1;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
|
|
|
|
|
|
const BIGNUM *x, const BIGNUM *y,
|
|
|
|
|
|
BN_CTX *ctx) {
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (EC_GROUP_cmp(group, point->group, NULL) != 0) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
2018-04-25 03:53:07 +01:00
|
|
|
|
if (!ec_GFp_simple_point_set_affine_coordinates(group, &point->raw, x, y)) {
|
2015-09-16 01:28:55 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (!EC_POINT_is_on_curve(group, point, ctx)) {
|
2018-02-04 19:20:14 +00:00
|
|
|
|
// In the event of an error, defend against the caller not checking the
|
|
|
|
|
|
// return value by setting a known safe value: the base point.
|
2018-02-07 22:59:44 +00:00
|
|
|
|
const EC_POINT *generator = EC_GROUP_get0_generator(group);
|
|
|
|
|
|
// The generator can be missing if the caller is in the process of
|
|
|
|
|
|
// constructing an arbitrary group. In this, we give up and hope they're
|
|
|
|
|
|
// checking the return value.
|
|
|
|
|
|
if (generator) {
|
2018-04-25 03:53:07 +01:00
|
|
|
|
ec_GFp_simple_point_copy(&point->raw, &generator->raw);
|
2018-02-07 22:59:44 +00:00
|
|
|
|
}
|
2015-09-16 01:28:55 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_POINT_IS_NOT_ON_CURVE);
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return 1;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
|
|
|
|
|
|
const EC_POINT *b, BN_CTX *ctx) {
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (EC_GROUP_cmp(group, r->group, NULL) != 0 ||
|
|
|
|
|
|
EC_GROUP_cmp(group, a->group, NULL) != 0 ||
|
|
|
|
|
|
EC_GROUP_cmp(group, b->group, NULL) != 0) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
2018-11-05 23:30:28 +00:00
|
|
|
|
group->meth->add(group, &r->raw, &a->raw, &b->raw);
|
Add EC_FELEM for EC_POINTs and related temporaries.
This introduces EC_FELEM, which is analogous to EC_SCALAR. It is used
for EC_POINT's representation in the generic EC_METHOD, as well as
random operations on tuned EC_METHODs that still are implemented
genericly.
Unlike EC_SCALAR, EC_FELEM's exact representation is awkwardly specific
to the EC_METHOD, analogous to how the old values were BIGNUMs but may
or may not have been in Montgomery form. This is kind of a nuisance, but
no more than before. (If p224-64.c were easily convertable to Montgomery
form, we could say |EC_FELEM| is always in Montgomery form. If we
exposed the internal add and double implementations in each of the
curves, we could give |EC_POINT| an |EC_METHOD|-specific representation
and |EC_FELEM| is purely a |EC_GFp_mont_method| type. I'll leave this
for later.)
The generic add and doubling formulas are aligned with the formulas
proved in fiat-crypto. Those only applied to a = -3, so I've proved a
generic one in https://github.com/mit-plv/fiat-crypto/pull/356, in case
someone uses a custom curve. The new formulas are verified,
constant-time, and swap a multiply for a square. As expressed in
fiat-crypto they do use more temporaries, but this seems to be fine with
stack-allocated EC_FELEMs. (We can try to help the compiler later,
but benchamrks below suggest this isn't necessary.)
Unlike BIGNUM, EC_FELEM can be stack-allocated. It also captures the
bounds in the type system and, in particular, that the width is correct,
which will make it easier to select a point in constant-time in the
future. (Indeed the old code did not always have the correct width. Its
point formula involved halving and implemented this in variable time and
variable width.)
Before:
Did 77274 ECDH P-256 operations in 10046087us (7692.0 ops/sec)
Did 5959 ECDH P-384 operations in 10031701us (594.0 ops/sec)
Did 10815 ECDSA P-384 signing operations in 10087892us (1072.1 ops/sec)
Did 8976 ECDSA P-384 verify operations in 10071038us (891.3 ops/sec)
Did 2600 ECDH P-521 operations in 10091688us (257.6 ops/sec)
Did 4590 ECDSA P-521 signing operations in 10055195us (456.5 ops/sec)
Did 3811 ECDSA P-521 verify operations in 10003574us (381.0 ops/sec)
After:
Did 77736 ECDH P-256 operations in 10029858us (7750.5 ops/sec) [+0.8%]
Did 7519 ECDH P-384 operations in 10068076us (746.8 ops/sec) [+25.7%]
Did 13335 ECDSA P-384 signing operations in 10029962us (1329.5 ops/sec) [+24.0%]
Did 11021 ECDSA P-384 verify operations in 10088600us (1092.4 ops/sec) [+22.6%]
Did 2912 ECDH P-521 operations in 10001325us (291.2 ops/sec) [+13.0%]
Did 5150 ECDSA P-521 signing operations in 10027462us (513.6 ops/sec) [+12.5%]
Did 4264 ECDSA P-521 verify operations in 10069694us (423.4 ops/sec) [+11.1%]
This more than pays for removing points_make_affine previously and even
speeds up ECDH P-256 slightly. (The point-on-curve check uses the
generic code.)
Next is to push the stack-allocating up to ec_wNAF_mul, followed by a
constant-time single-point multiplication.
Bug: 239
Change-Id: I44a2dff7c52522e491d0f8cffff64c4ab5cd353c
Reviewed-on: https://boringssl-review.googlesource.com/27668
Reviewed-by: Adam Langley <agl@google.com>
2018-04-23 02:39:34 +01:00
|
|
|
|
return 1;
|
2018-04-01 19:31:44 +01:00
|
|
|
|
}
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
|
|
|
int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
|
|
|
|
|
|
BN_CTX *ctx) {
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (EC_GROUP_cmp(group, r->group, NULL) != 0 ||
|
|
|
|
|
|
EC_GROUP_cmp(group, a->group, NULL) != 0) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
2018-11-05 23:30:28 +00:00
|
|
|
|
group->meth->dbl(group, &r->raw, &a->raw);
|
Add EC_FELEM for EC_POINTs and related temporaries.
This introduces EC_FELEM, which is analogous to EC_SCALAR. It is used
for EC_POINT's representation in the generic EC_METHOD, as well as
random operations on tuned EC_METHODs that still are implemented
genericly.
Unlike EC_SCALAR, EC_FELEM's exact representation is awkwardly specific
to the EC_METHOD, analogous to how the old values were BIGNUMs but may
or may not have been in Montgomery form. This is kind of a nuisance, but
no more than before. (If p224-64.c were easily convertable to Montgomery
form, we could say |EC_FELEM| is always in Montgomery form. If we
exposed the internal add and double implementations in each of the
curves, we could give |EC_POINT| an |EC_METHOD|-specific representation
and |EC_FELEM| is purely a |EC_GFp_mont_method| type. I'll leave this
for later.)
The generic add and doubling formulas are aligned with the formulas
proved in fiat-crypto. Those only applied to a = -3, so I've proved a
generic one in https://github.com/mit-plv/fiat-crypto/pull/356, in case
someone uses a custom curve. The new formulas are verified,
constant-time, and swap a multiply for a square. As expressed in
fiat-crypto they do use more temporaries, but this seems to be fine with
stack-allocated EC_FELEMs. (We can try to help the compiler later,
but benchamrks below suggest this isn't necessary.)
Unlike BIGNUM, EC_FELEM can be stack-allocated. It also captures the
bounds in the type system and, in particular, that the width is correct,
which will make it easier to select a point in constant-time in the
future. (Indeed the old code did not always have the correct width. Its
point formula involved halving and implemented this in variable time and
variable width.)
Before:
Did 77274 ECDH P-256 operations in 10046087us (7692.0 ops/sec)
Did 5959 ECDH P-384 operations in 10031701us (594.0 ops/sec)
Did 10815 ECDSA P-384 signing operations in 10087892us (1072.1 ops/sec)
Did 8976 ECDSA P-384 verify operations in 10071038us (891.3 ops/sec)
Did 2600 ECDH P-521 operations in 10091688us (257.6 ops/sec)
Did 4590 ECDSA P-521 signing operations in 10055195us (456.5 ops/sec)
Did 3811 ECDSA P-521 verify operations in 10003574us (381.0 ops/sec)
After:
Did 77736 ECDH P-256 operations in 10029858us (7750.5 ops/sec) [+0.8%]
Did 7519 ECDH P-384 operations in 10068076us (746.8 ops/sec) [+25.7%]
Did 13335 ECDSA P-384 signing operations in 10029962us (1329.5 ops/sec) [+24.0%]
Did 11021 ECDSA P-384 verify operations in 10088600us (1092.4 ops/sec) [+22.6%]
Did 2912 ECDH P-521 operations in 10001325us (291.2 ops/sec) [+13.0%]
Did 5150 ECDSA P-521 signing operations in 10027462us (513.6 ops/sec) [+12.5%]
Did 4264 ECDSA P-521 verify operations in 10069694us (423.4 ops/sec) [+11.1%]
This more than pays for removing points_make_affine previously and even
speeds up ECDH P-256 slightly. (The point-on-curve check uses the
generic code.)
Next is to push the stack-allocating up to ec_wNAF_mul, followed by a
constant-time single-point multiplication.
Bug: 239
Change-Id: I44a2dff7c52522e491d0f8cffff64c4ab5cd353c
Reviewed-on: https://boringssl-review.googlesource.com/27668
Reviewed-by: Adam Langley <agl@google.com>
2018-04-23 02:39:34 +01:00
|
|
|
|
return 1;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) {
|
2017-10-26 20:48:18 +01:00
|
|
|
|
if (EC_GROUP_cmp(group, a->group, NULL) != 0) {
|
2015-06-29 05:28:17 +01:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
2018-04-25 03:53:07 +01:00
|
|
|
|
ec_GFp_simple_invert(group, &a->raw);
|
Add EC_FELEM for EC_POINTs and related temporaries.
This introduces EC_FELEM, which is analogous to EC_SCALAR. It is used
for EC_POINT's representation in the generic EC_METHOD, as well as
random operations on tuned EC_METHODs that still are implemented
genericly.
Unlike EC_SCALAR, EC_FELEM's exact representation is awkwardly specific
to the EC_METHOD, analogous to how the old values were BIGNUMs but may
or may not have been in Montgomery form. This is kind of a nuisance, but
no more than before. (If p224-64.c were easily convertable to Montgomery
form, we could say |EC_FELEM| is always in Montgomery form. If we
exposed the internal add and double implementations in each of the
curves, we could give |EC_POINT| an |EC_METHOD|-specific representation
and |EC_FELEM| is purely a |EC_GFp_mont_method| type. I'll leave this
for later.)
The generic add and doubling formulas are aligned with the formulas
proved in fiat-crypto. Those only applied to a = -3, so I've proved a
generic one in https://github.com/mit-plv/fiat-crypto/pull/356, in case
someone uses a custom curve. The new formulas are verified,
constant-time, and swap a multiply for a square. As expressed in
fiat-crypto they do use more temporaries, but this seems to be fine with
stack-allocated EC_FELEMs. (We can try to help the compiler later,
but benchamrks below suggest this isn't necessary.)
Unlike BIGNUM, EC_FELEM can be stack-allocated. It also captures the
bounds in the type system and, in particular, that the width is correct,
which will make it easier to select a point in constant-time in the
future. (Indeed the old code did not always have the correct width. Its
point formula involved halving and implemented this in variable time and
variable width.)
Before:
Did 77274 ECDH P-256 operations in 10046087us (7692.0 ops/sec)
Did 5959 ECDH P-384 operations in 10031701us (594.0 ops/sec)
Did 10815 ECDSA P-384 signing operations in 10087892us (1072.1 ops/sec)
Did 8976 ECDSA P-384 verify operations in 10071038us (891.3 ops/sec)
Did 2600 ECDH P-521 operations in 10091688us (257.6 ops/sec)
Did 4590 ECDSA P-521 signing operations in 10055195us (456.5 ops/sec)
Did 3811 ECDSA P-521 verify operations in 10003574us (381.0 ops/sec)
After:
Did 77736 ECDH P-256 operations in 10029858us (7750.5 ops/sec) [+0.8%]
Did 7519 ECDH P-384 operations in 10068076us (746.8 ops/sec) [+25.7%]
Did 13335 ECDSA P-384 signing operations in 10029962us (1329.5 ops/sec) [+24.0%]
Did 11021 ECDSA P-384 verify operations in 10088600us (1092.4 ops/sec) [+22.6%]
Did 2912 ECDH P-521 operations in 10001325us (291.2 ops/sec) [+13.0%]
Did 5150 ECDSA P-521 signing operations in 10027462us (513.6 ops/sec) [+12.5%]
Did 4264 ECDSA P-521 verify operations in 10069694us (423.4 ops/sec) [+11.1%]
This more than pays for removing points_make_affine previously and even
speeds up ECDH P-256 slightly. (The point-on-curve check uses the
generic code.)
Next is to push the stack-allocating up to ec_wNAF_mul, followed by a
constant-time single-point multiplication.
Bug: 239
Change-Id: I44a2dff7c52522e491d0f8cffff64c4ab5cd353c
Reviewed-on: https://boringssl-review.googlesource.com/27668
Reviewed-by: Adam Langley <agl@google.com>
2018-04-23 02:39:34 +01:00
|
|
|
|
return 1;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-11-30 13:59:56 +00:00
|
|
|
|
static int arbitrary_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
|
|
|
|
|
|
const BIGNUM *in, BN_CTX *ctx) {
|
2017-11-30 21:05:36 +00:00
|
|
|
|
if (ec_bignum_to_scalar(group, out, in)) {
|
|
|
|
|
|
return 1;
|
2017-11-30 13:59:56 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-11-30 21:05:36 +00:00
|
|
|
|
ERR_clear_error();
|
|
|
|
|
|
|
2018-01-15 10:23:24 +00:00
|
|
|
|
// This is an unusual input, so we do not guarantee constant-time processing.
|
2017-11-30 21:05:36 +00:00
|
|
|
|
const BIGNUM *order = &group->order;
|
|
|
|
|
|
BN_CTX_start(ctx);
|
|
|
|
|
|
BIGNUM *tmp = BN_CTX_get(ctx);
|
|
|
|
|
|
int ok = tmp != NULL &&
|
|
|
|
|
|
BN_nnmod(tmp, in, order, ctx) &&
|
2018-04-06 05:31:41 +01:00
|
|
|
|
ec_bignum_to_scalar(group, out, tmp);
|
2017-11-30 21:05:36 +00:00
|
|
|
|
BN_CTX_end(ctx);
|
|
|
|
|
|
return ok;
|
2017-11-30 13:59:56 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
|
int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
|
2015-11-13 01:05:22 +00:00
|
|
|
|
const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx) {
|
2017-08-18 19:06:02 +01:00
|
|
|
|
// Previously, this function set |r| to the point at infinity if there was
|
|
|
|
|
|
// nothing to multiply. But, nobody should be calling this function with
|
|
|
|
|
|
// nothing to multiply in the first place.
|
2015-11-13 01:05:22 +00:00
|
|
|
|
if ((g_scalar == NULL && p_scalar == NULL) ||
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
|
(p == NULL) != (p_scalar == NULL)) {
|
|
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-11-09 23:06:51 +00:00
|
|
|
|
if (EC_GROUP_cmp(group, r->group, NULL) != 0 ||
|
|
|
|
|
|
(p != NULL && EC_GROUP_cmp(group, p->group, NULL) != 0)) {
|
|
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
|
int ret = 0;
|
|
|
|
|
|
EC_SCALAR g_scalar_storage, p_scalar_storage;
|
|
|
|
|
|
EC_SCALAR *g_scalar_arg = NULL, *p_scalar_arg = NULL;
|
2017-11-30 13:59:56 +00:00
|
|
|
|
BN_CTX *new_ctx = NULL;
|
|
|
|
|
|
if (ctx == NULL) {
|
|
|
|
|
|
new_ctx = BN_CTX_new();
|
|
|
|
|
|
if (new_ctx == NULL) {
|
|
|
|
|
|
goto err;
|
|
|
|
|
|
}
|
|
|
|
|
|
ctx = new_ctx;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
|
if (g_scalar != NULL) {
|
2017-11-30 13:59:56 +00:00
|
|
|
|
if (!arbitrary_bignum_to_scalar(group, &g_scalar_storage, g_scalar, ctx)) {
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
|
goto err;
|
|
|
|
|
|
}
|
|
|
|
|
|
g_scalar_arg = &g_scalar_storage;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (p_scalar != NULL) {
|
2017-11-30 13:59:56 +00:00
|
|
|
|
if (!arbitrary_bignum_to_scalar(group, &p_scalar_storage, p_scalar, ctx)) {
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
|
goto err;
|
|
|
|
|
|
}
|
|
|
|
|
|
p_scalar_arg = &p_scalar_storage;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-11-09 23:06:51 +00:00
|
|
|
|
ret = ec_point_mul_scalar(group, &r->raw, g_scalar_arg,
|
|
|
|
|
|
p == NULL ? NULL : &p->raw, p_scalar_arg);
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
|
|
|
|
|
|
|
err:
|
2017-11-30 13:59:56 +00:00
|
|
|
|
BN_CTX_free(new_ctx);
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
|
OPENSSL_cleanse(&g_scalar_storage, sizeof(g_scalar_storage));
|
|
|
|
|
|
OPENSSL_cleanse(&p_scalar_storage, sizeof(p_scalar_storage));
|
|
|
|
|
|
return ret;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-11-09 23:06:51 +00:00
|
|
|
|
int ec_point_mul_scalar_public(const EC_GROUP *group, EC_RAW_POINT *r,
|
|
|
|
|
|
const EC_SCALAR *g_scalar, const EC_RAW_POINT *p,
|
2018-11-09 18:24:18 +00:00
|
|
|
|
const EC_SCALAR *p_scalar) {
|
ec/p256.c: fiat-crypto field arithmetic (64, 32)
The fiat-crypto-generated code uses the Montgomery form implementation
strategy, for both 32-bit and 64-bit code.
64-bit throughput seems slower, but the difference is smaller than noise between repetitions (-2%?)
32-bit throughput has decreased significantly for ECDH (-40%). I am
attributing this to the change from varibale-time scalar multiplication
to constant-time scalar multiplication. Due to the same bottleneck,
ECDSA verification still uses the old code (otherwise there would have
been a 60% throughput decrease). On the other hand, ECDSA signing
throughput has increased slightly (+10%), perhaps due to the use of a
precomputed table of multiples of the base point.
64-bit benchmarks (Google Cloud Haswell):
with this change:
Did 9126 ECDH P-256 operations in 1009572us (9039.5 ops/sec)
Did 23000 ECDSA P-256 signing operations in 1039832us (22119.0 ops/sec)
Did 8820 ECDSA P-256 verify operations in 1024242us (8611.2 ops/sec)
master (40e8c921cab5cce2bc10722ecf4ebe0e380cf6c8):
Did 9340 ECDH P-256 operations in 1017975us (9175.1 ops/sec)
Did 23000 ECDSA P-256 signing operations in 1039820us (22119.2 ops/sec)
Did 8688 ECDSA P-256 verify operations in 1021108us (8508.4 ops/sec)
benchmarks on ARMv7 (LG Nexus 4):
with this change:
Did 150 ECDH P-256 operations in 1029726us (145.7 ops/sec)
Did 506 ECDSA P-256 signing operations in 1065192us (475.0 ops/sec)
Did 363 ECDSA P-256 verify operations in 1033298us (351.3 ops/sec)
master (2fce1beda0f7e74e2d687860f807cf0b8d8056a4):
Did 245 ECDH P-256 operations in 1017518us (240.8 ops/sec)
Did 473 ECDSA P-256 signing operations in 1086281us (435.4 ops/sec)
Did 360 ECDSA P-256 verify operations in 1003846us (358.6 ops/sec)
64-bit tables converted as follows:
import re, sys, math
p = 2**256 - 2**224 + 2**192 + 2**96 - 1
R = 2**256
def convert(t):
x0, s1, x1, s2, x2, s3, x3 = t.groups()
v = int(x0, 0) + 2**64 * (int(x1, 0) + 2**64*(int(x2,0) + 2**64*(int(x3, 0)) ))
w = v*R%p
y0 = hex(w%(2**64))
y1 = hex((w>>64)%(2**64))
y2 = hex((w>>(2*64))%(2**64))
y3 = hex((w>>(3*64))%(2**64))
ww = int(y0, 0) + 2**64 * (int(y1, 0) + 2**64*(int(y2,0) + 2**64*(int(y3, 0)) ))
if ww != v*R%p:
print(x0,x1,x2,x3)
print(hex(v))
print(y0,y1,y2,y3)
print(hex(w))
print(hex(ww))
assert 0
return '{'+y0+s1+y1+s2+y2+s3+y3+'}'
fe_re = re.compile('{'+r'(\s*,\s*)'.join(r'(\d+|0x[abcdefABCDEF0123456789]+)' for i in range(4)) + '}')
print (re.sub(fe_re, convert, sys.stdin.read()).rstrip('\n'))
32-bit tables converted from 64-bit tables
Change-Id: I52d6e5504fcb6ca2e8b0ee13727f4500c80c1799
Reviewed-on: https://boringssl-review.googlesource.com/23244
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-11-08 20:32:38 +00:00
|
|
|
|
if ((g_scalar == NULL && p_scalar == NULL) ||
|
2018-11-09 23:06:51 +00:00
|
|
|
|
(p == NULL) != (p_scalar == NULL)) {
|
ec/p256.c: fiat-crypto field arithmetic (64, 32)
The fiat-crypto-generated code uses the Montgomery form implementation
strategy, for both 32-bit and 64-bit code.
64-bit throughput seems slower, but the difference is smaller than noise between repetitions (-2%?)
32-bit throughput has decreased significantly for ECDH (-40%). I am
attributing this to the change from varibale-time scalar multiplication
to constant-time scalar multiplication. Due to the same bottleneck,
ECDSA verification still uses the old code (otherwise there would have
been a 60% throughput decrease). On the other hand, ECDSA signing
throughput has increased slightly (+10%), perhaps due to the use of a
precomputed table of multiples of the base point.
64-bit benchmarks (Google Cloud Haswell):
with this change:
Did 9126 ECDH P-256 operations in 1009572us (9039.5 ops/sec)
Did 23000 ECDSA P-256 signing operations in 1039832us (22119.0 ops/sec)
Did 8820 ECDSA P-256 verify operations in 1024242us (8611.2 ops/sec)
master (40e8c921cab5cce2bc10722ecf4ebe0e380cf6c8):
Did 9340 ECDH P-256 operations in 1017975us (9175.1 ops/sec)
Did 23000 ECDSA P-256 signing operations in 1039820us (22119.2 ops/sec)
Did 8688 ECDSA P-256 verify operations in 1021108us (8508.4 ops/sec)
benchmarks on ARMv7 (LG Nexus 4):
with this change:
Did 150 ECDH P-256 operations in 1029726us (145.7 ops/sec)
Did 506 ECDSA P-256 signing operations in 1065192us (475.0 ops/sec)
Did 363 ECDSA P-256 verify operations in 1033298us (351.3 ops/sec)
master (2fce1beda0f7e74e2d687860f807cf0b8d8056a4):
Did 245 ECDH P-256 operations in 1017518us (240.8 ops/sec)
Did 473 ECDSA P-256 signing operations in 1086281us (435.4 ops/sec)
Did 360 ECDSA P-256 verify operations in 1003846us (358.6 ops/sec)
64-bit tables converted as follows:
import re, sys, math
p = 2**256 - 2**224 + 2**192 + 2**96 - 1
R = 2**256
def convert(t):
x0, s1, x1, s2, x2, s3, x3 = t.groups()
v = int(x0, 0) + 2**64 * (int(x1, 0) + 2**64*(int(x2,0) + 2**64*(int(x3, 0)) ))
w = v*R%p
y0 = hex(w%(2**64))
y1 = hex((w>>64)%(2**64))
y2 = hex((w>>(2*64))%(2**64))
y3 = hex((w>>(3*64))%(2**64))
ww = int(y0, 0) + 2**64 * (int(y1, 0) + 2**64*(int(y2,0) + 2**64*(int(y3, 0)) ))
if ww != v*R%p:
print(x0,x1,x2,x3)
print(hex(v))
print(y0,y1,y2,y3)
print(hex(w))
print(hex(ww))
assert 0
return '{'+y0+s1+y1+s2+y2+s3+y3+'}'
fe_re = re.compile('{'+r'(\s*,\s*)'.join(r'(\d+|0x[abcdefABCDEF0123456789]+)' for i in range(4)) + '}')
print (re.sub(fe_re, convert, sys.stdin.read()).rstrip('\n'))
32-bit tables converted from 64-bit tables
Change-Id: I52d6e5504fcb6ca2e8b0ee13727f4500c80c1799
Reviewed-on: https://boringssl-review.googlesource.com/23244
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-11-08 20:32:38 +00:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-11-09 23:06:51 +00:00
|
|
|
|
group->meth->mul_public(group, r, g_scalar, p, p_scalar);
|
2018-04-25 03:53:07 +01:00
|
|
|
|
return 1;
|
ec/p256.c: fiat-crypto field arithmetic (64, 32)
The fiat-crypto-generated code uses the Montgomery form implementation
strategy, for both 32-bit and 64-bit code.
64-bit throughput seems slower, but the difference is smaller than noise between repetitions (-2%?)
32-bit throughput has decreased significantly for ECDH (-40%). I am
attributing this to the change from varibale-time scalar multiplication
to constant-time scalar multiplication. Due to the same bottleneck,
ECDSA verification still uses the old code (otherwise there would have
been a 60% throughput decrease). On the other hand, ECDSA signing
throughput has increased slightly (+10%), perhaps due to the use of a
precomputed table of multiples of the base point.
64-bit benchmarks (Google Cloud Haswell):
with this change:
Did 9126 ECDH P-256 operations in 1009572us (9039.5 ops/sec)
Did 23000 ECDSA P-256 signing operations in 1039832us (22119.0 ops/sec)
Did 8820 ECDSA P-256 verify operations in 1024242us (8611.2 ops/sec)
master (40e8c921cab5cce2bc10722ecf4ebe0e380cf6c8):
Did 9340 ECDH P-256 operations in 1017975us (9175.1 ops/sec)
Did 23000 ECDSA P-256 signing operations in 1039820us (22119.2 ops/sec)
Did 8688 ECDSA P-256 verify operations in 1021108us (8508.4 ops/sec)
benchmarks on ARMv7 (LG Nexus 4):
with this change:
Did 150 ECDH P-256 operations in 1029726us (145.7 ops/sec)
Did 506 ECDSA P-256 signing operations in 1065192us (475.0 ops/sec)
Did 363 ECDSA P-256 verify operations in 1033298us (351.3 ops/sec)
master (2fce1beda0f7e74e2d687860f807cf0b8d8056a4):
Did 245 ECDH P-256 operations in 1017518us (240.8 ops/sec)
Did 473 ECDSA P-256 signing operations in 1086281us (435.4 ops/sec)
Did 360 ECDSA P-256 verify operations in 1003846us (358.6 ops/sec)
64-bit tables converted as follows:
import re, sys, math
p = 2**256 - 2**224 + 2**192 + 2**96 - 1
R = 2**256
def convert(t):
x0, s1, x1, s2, x2, s3, x3 = t.groups()
v = int(x0, 0) + 2**64 * (int(x1, 0) + 2**64*(int(x2,0) + 2**64*(int(x3, 0)) ))
w = v*R%p
y0 = hex(w%(2**64))
y1 = hex((w>>64)%(2**64))
y2 = hex((w>>(2*64))%(2**64))
y3 = hex((w>>(3*64))%(2**64))
ww = int(y0, 0) + 2**64 * (int(y1, 0) + 2**64*(int(y2,0) + 2**64*(int(y3, 0)) ))
if ww != v*R%p:
print(x0,x1,x2,x3)
print(hex(v))
print(y0,y1,y2,y3)
print(hex(w))
print(hex(ww))
assert 0
return '{'+y0+s1+y1+s2+y2+s3+y3+'}'
fe_re = re.compile('{'+r'(\s*,\s*)'.join(r'(\d+|0x[abcdefABCDEF0123456789]+)' for i in range(4)) + '}')
print (re.sub(fe_re, convert, sys.stdin.read()).rstrip('\n'))
32-bit tables converted from 64-bit tables
Change-Id: I52d6e5504fcb6ca2e8b0ee13727f4500c80c1799
Reviewed-on: https://boringssl-review.googlesource.com/23244
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-11-08 20:32:38 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2018-11-09 23:06:51 +00:00
|
|
|
|
int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r,
|
|
|
|
|
|
const EC_SCALAR *g_scalar, const EC_RAW_POINT *p,
|
2018-11-09 18:24:18 +00:00
|
|
|
|
const EC_SCALAR *p_scalar) {
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
|
if ((g_scalar == NULL && p_scalar == NULL) ||
|
2018-11-09 23:06:51 +00:00
|
|
|
|
(p == NULL) != (p_scalar == NULL)) {
|
2015-11-13 01:05:22 +00:00
|
|
|
|
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
|
2015-11-03 22:02:04 +00:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-11-09 23:06:51 +00:00
|
|
|
|
group->meth->mul(group, r, g_scalar, p, p_scalar);
|
2018-04-25 03:53:07 +01:00
|
|
|
|
return 1;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2018-11-09 01:07:42 +00:00
|
|
|
|
int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
|
|
|
|
|
|
const EC_SCALAR *r) {
|
|
|
|
|
|
return group->meth->cmp_x_coordinate(group, p, r);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
|
|
|
|
|
|
const EC_RAW_POINT *p) {
|
|
|
|
|
|
EC_FELEM x;
|
|
|
|
|
|
// For simplicity, in case of width mismatches between |group->field| and
|
|
|
|
|
|
// |group->order|, zero any untouched words in |x|.
|
|
|
|
|
|
OPENSSL_memset(&x, 0, sizeof(x));
|
|
|
|
|
|
if (!group->meth->point_get_affine_coordinates(group, p, &x, NULL)) {
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
2018-11-06 23:18:56 +00:00
|
|
|
|
|
|
|
|
|
|
// We must have p < 2×order, assuming p is not tiny (p >= 17). Thus rather we
|
|
|
|
|
|
// can reduce by performing at most one subtraction.
|
|
|
|
|
|
//
|
|
|
|
|
|
// Proof: We only work with prime order curves, so the number of points on
|
|
|
|
|
|
// the curve is the order. Thus Hasse's theorem gives:
|
|
|
|
|
|
//
|
|
|
|
|
|
// |order - (p + 1)| <= 2×sqrt(p)
|
|
|
|
|
|
// p + 1 - order <= 2×sqrt(p)
|
|
|
|
|
|
// p + 1 - 2×sqrt(p) <= order
|
|
|
|
|
|
// p + 1 - 2×(p/4) < order (p/4 > sqrt(p) for p >= 17)
|
|
|
|
|
|
// p/2 < p/2 + 1 < order
|
|
|
|
|
|
// p < 2×order
|
|
|
|
|
|
//
|
|
|
|
|
|
// Additionally, one can manually check this property for built-in curves. It
|
|
|
|
|
|
// is enforced for legacy custom curves in |EC_GROUP_set_generator|.
|
2018-11-09 01:07:42 +00:00
|
|
|
|
|
|
|
|
|
|
// The above does not guarantee |group->field| is not one word larger than
|
|
|
|
|
|
// |group->order|, so read one extra carry word.
|
2018-11-09 23:14:15 +00:00
|
|
|
|
BN_ULONG carry =
|
|
|
|
|
|
group->order.width < EC_MAX_WORDS ? x.words[group->order.width] : 0;
|
2018-11-09 01:07:42 +00:00
|
|
|
|
bn_reduce_once(out->words, x.words, carry, group->order.d,
|
|
|
|
|
|
group->order.width);
|
2018-11-06 23:18:56 +00:00
|
|
|
|
return 1;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-11-09 23:36:12 +00:00
|
|
|
|
int ec_point_get_affine_coordinate_bytes(const EC_GROUP *group, uint8_t *out_x,
|
|
|
|
|
|
uint8_t *out_y, size_t *out_len,
|
|
|
|
|
|
size_t max_out,
|
|
|
|
|
|
const EC_RAW_POINT *p) {
|
|
|
|
|
|
size_t len = BN_num_bytes(&group->field);
|
|
|
|
|
|
assert(len <= EC_MAX_BYTES);
|
|
|
|
|
|
if (max_out < len) {
|
|
|
|
|
|
OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
EC_FELEM x, y;
|
|
|
|
|
|
if (!group->meth->point_get_affine_coordinates(
|
|
|
|
|
|
group, p, out_x == NULL ? NULL : &x, out_y == NULL ? NULL : &y)) {
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (out_x != NULL) {
|
|
|
|
|
|
for (size_t i = 0; i < len; i++) {
|
|
|
|
|
|
out_x[i] = x.bytes[len - i - 1];
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
if (out_y != NULL) {
|
|
|
|
|
|
for (size_t i = 0; i < len; i++) {
|
|
|
|
|
|
out_y[i] = y.bytes[len - i - 1];
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
*out_len = len;
|
|
|
|
|
|
return 1;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2015-04-13 22:34:17 +01:00
|
|
|
|
void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) {}
|
|
|
|
|
|
|
|
|
|
|
|
const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group) {
|
2018-05-11 23:20:56 +01:00
|
|
|
|
// This function exists purely to give callers a way to call
|
|
|
|
|
|
// |EC_METHOD_get_field_type|. cryptography.io crashes if |EC_GROUP_method_of|
|
|
|
|
|
|
// returns NULL, so return some other garbage pointer.
|
|
|
|
|
|
return (const EC_METHOD *)0x12340000;
|
2015-04-13 22:34:17 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int EC_METHOD_get_field_type(const EC_METHOD *meth) {
|
|
|
|
|
|
return NID_X9_62_prime_field;
|
|
|
|
|
|
}
|
2015-05-05 01:43:00 +01:00
|
|
|
|
|
|
|
|
|
|
void EC_GROUP_set_point_conversion_form(EC_GROUP *group,
|
|
|
|
|
|
point_conversion_form_t form) {
|
|
|
|
|
|
if (form != POINT_CONVERSION_UNCOMPRESSED) {
|
|
|
|
|
|
abort();
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2016-01-24 23:58:39 +00:00
|
|
|
|
|
|
|
|
|
|
size_t EC_get_builtin_curves(EC_builtin_curve *out_curves,
|
|
|
|
|
|
size_t max_num_curves) {
|
2017-05-02 22:25:39 +01:00
|
|
|
|
const struct built_in_curves *const curves = OPENSSL_built_in_curves();
|
2016-01-24 23:58:39 +00:00
|
|
|
|
|
2017-05-02 22:25:39 +01:00
|
|
|
|
for (size_t i = 0; i < max_num_curves && i < OPENSSL_NUM_BUILT_IN_CURVES;
|
|
|
|
|
|
i++) {
|
2017-06-21 19:37:22 +01:00
|
|
|
|
out_curves[i].comment = curves->curves[i].comment;
|
2017-05-02 22:25:39 +01:00
|
|
|
|
out_curves[i].nid = curves->curves[i].nid;
|
2016-01-24 23:58:39 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-05-02 22:25:39 +01:00
|
|
|
|
return OPENSSL_NUM_BUILT_IN_CURVES;
|
2016-01-24 23:58:39 +00:00
|
|
|
|
}
|
