kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
87 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Struktur: 89b73fbafa
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „89b73fbafa“
${ noResults }
boringssl/crypto/ec/ec.c

873 Zeilen
28 KiB
Originalformat Blame Verlauf 

  1. /* Originally written by Bodo Moeller for the OpenSSL project.

  2.  * ====================================================================

  3.  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.

  4.  *

  5.  * Redistribution and use in source and binary forms, with or without

  6.  * modification, are permitted provided that the following conditions

  7.  * are met:

  8.  *

  9.  * 1. Redistributions of source code must retain the above copyright

  10.  *    notice, this list of conditions and the following disclaimer.

  11.  *

  12.  * 2. Redistributions in binary form must reproduce the above copyright

  13.  *    notice, this list of conditions and the following disclaimer in

  14.  *    the documentation and/or other materials provided with the

  15.  *    distribution.

  16.  *

  17.  * 3. All advertising materials mentioning features or use of this

  18.  *    software must display the following acknowledgment:

  19.  *    "This product includes software developed by the OpenSSL Project

  20.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  21.  *

  22.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  23.  *    endorse or promote products derived from this software without

  24.  *    prior written permission. For written permission, please contact

  25.  *    openssl-core@openssl.org.

  26.  *

  27.  * 5. Products derived from this software may not be called "OpenSSL"

  28.  *    nor may "OpenSSL" appear in their names without prior written

  29.  *    permission of the OpenSSL Project.

  30.  *

  31.  * 6. Redistributions of any form whatsoever must retain the following

  32.  *    acknowledgment:

  33.  *    "This product includes software developed by the OpenSSL Project

  34.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  35.  *

  36.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  37.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  38.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  39.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  40.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  41.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  42.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  43.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  44.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  45.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  46.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  47.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  48.  * ====================================================================

  49.  *

  50.  * This product includes cryptographic software written by Eric Young

  51.  * (eay@cryptsoft.com).  This product includes software written by Tim

  52.  * Hudson (tjh@cryptsoft.com).

  53.  *

  54.  */

  55. /* ====================================================================

  56.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  57.  *

  58.  * Portions of the attached software ("Contribution") are developed by

  59.  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.

  60.  *

  61.  * The Contribution is licensed pursuant to the OpenSSL open source

  62.  * license provided above.

  63.  *

  64.  * The elliptic curve binary polynomial software is originally written by

  65.  * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems

  66.  * Laboratories. */

  67. 

  68. #include <openssl/ec.h>

  69. 

  70. #include <openssl/bn.h>

  71. #include <openssl/err.h>

  72. #include <openssl/mem.h>

  73. #include <openssl/obj.h>

  74. 

  75. #include "internal.h"

  76. 

  77. 

  78. /* curve_data contains data about a built-in elliptic curve. */

  79. struct curve_data {

  80.   /* comment is a human-readable string describing the curve. */

  81.   const char *comment;

  82.   /* param_len is the number of bytes needed to store a field element. */

  83.   uint8_t param_len;

  84.   /* cofactor is the cofactor of the group (i.e. the number of elements in the

  85.    * group divided by the size of the main subgroup. */

  86.   uint8_t cofactor; /* promoted to BN_ULONG */

  87.   /* data points to an array of 6*|param_len| bytes which hold the field

  88.    * elements of the following (in big-endian order): prime, a, b, generator x,

  89.    * generator y, order. */

  90.   const uint8_t data[];

  91. };

  92. 

  93. static const struct curve_data P224 = {

  94.     "NIST P-224",

  95.     28,

  96.     1,

  97.     {/* p */

  98.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  99.      0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

  100.      0x00, 0x00, 0x00, 0x01,

  101.      /* a */

  102.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  103.      0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  104.      0xFF, 0xFF, 0xFF, 0xFE,

  105.      /* b */

  106.      0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,

  107.      0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,

  108.      0x23, 0x55, 0xFF, 0xB4,

  109.      /* x */

  110.      0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,

  111.      0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,

  112.      0x11, 0x5C, 0x1D, 0x21,

  113.      /* y */

  114.      0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,

  115.      0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,

  116.      0x85, 0x00, 0x7e, 0x34,

  117.      /* order */

  118.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  119.      0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,

  120.      0x5C, 0x5C, 0x2A, 0x3D,

  121.     }};

  122. 

  123. static const struct curve_data P256 = {

  124.     "NIST P-256",

  125.     32,

  126.     1,

  127.     {/* p */

  128.      0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,

  129.      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,

  130.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  131.      /* a */

  132.      0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,

  133.      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,

  134.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,

  135.      /* b */

  136.      0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,

  137.      0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,

  138.      0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,

  139.      /* x */

  140.      0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,

  141.      0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,

  142.      0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,

  143.      /* y */

  144.      0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,

  145.      0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,

  146.      0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,

  147.      /* order */

  148.      0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,

  149.      0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,

  150.      0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51}};

  151. 

  152. static const struct curve_data P384 = {

  153.     "NIST P-384",

  154.     48,

  155.     1,

  156.     {/* p */

  157.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  158.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  159.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,

  160.      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,

  161.      /* a */

  162.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  163.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  164.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,

  165.      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,

  166.      /* b */

  167.      0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,

  168.      0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,

  169.      0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,

  170.      0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,

  171.      /* x */

  172.      0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,

  173.      0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,

  174.      0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,

  175.      0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,

  176.      /* y */

  177.      0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,

  178.      0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,

  179.      0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,

  180.      0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,

  181.      /* order */

  182.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  183.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  184.      0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,

  185.      0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73}};

  186. 

  187. static const struct curve_data P521 = {

  188.     "NIST P-521",

  189.     66,

  190.     1,

  191.     {/* p */

  192.      0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  193.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  194.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  195.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  196.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  197.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  198.      /* a */

  199.      0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  200.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  201.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  202.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  203.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  204.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,

  205.      /* b */

  206.      0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,

  207.      0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,

  208.      0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,

  209.      0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,

  210.      0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,

  211.      0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,

  212.      /* x */

  213.      0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,

  214.      0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,

  215.      0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,

  216.      0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,

  217.      0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,

  218.      0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,

  219.      /* y */

  220.      0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,

  221.      0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,

  222.      0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,

  223.      0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,

  224.      0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,

  225.      0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,

  226.      /* order */

  227.      0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  228.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

  229.      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,

  230.      0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,

  231.      0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,

  232.      0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09}};

  233. 

  234. struct built_in_curve {

  235.   int nid;

  236.   const struct curve_data *data;

  237.   const EC_METHOD *(*method)(void);

  238. };

  239. 

  240. static const struct built_in_curve built_in_curves[] = {

  241.   {NID_secp224r1, &P224, 0},

  242.   {NID_X9_62_prime256v1, &P256, 0},

  243.   {NID_secp384r1, &P384, 0},

  244.   {NID_secp521r1, &P521, 0},

  245.   {NID_undef, 0, 0},

  246. };

  247. 

  248. EC_GROUP *ec_group_new(const EC_METHOD *meth) {

  249.   EC_GROUP *ret;

  250. 

  251.   if (meth == NULL) {

  252.     OPENSSL_PUT_ERROR(EC, ec_group_new, EC_R_SLOT_FULL);

  253.     return NULL;

  254.   }

  255. 

  256.   if (meth->group_init == 0) {

  257.     OPENSSL_PUT_ERROR(EC, ec_group_new, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  258.     return NULL;

  259.   }

  260. 

  261.   ret = OPENSSL_malloc(sizeof(EC_GROUP));

  262.   if (ret == NULL) {

  263.     OPENSSL_PUT_ERROR(EC, ec_group_new, ERR_R_MALLOC_FAILURE);

  264.     return NULL;

  265.   }

  266.   memset(ret, 0, sizeof(EC_GROUP));

  267. 

  268.   ret->meth = meth;

  269.   BN_init(&ret->order);

  270.   BN_init(&ret->cofactor);

  271.   ret->asn1_form = POINT_CONVERSION_UNCOMPRESSED;

  272. 

  273.   if (!meth->group_init(ret)) {

  274.     OPENSSL_free(ret);

  275.     return NULL;

  276.   }

  277. 

  278.   return ret;

  279. }

  280. 

  281. static EC_GROUP *ec_group_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,

  282.                                         const BIGNUM *b, BN_CTX *ctx) {

  283.   const EC_METHOD *meth = EC_GFp_mont_method();

  284.   EC_GROUP *ret;

  285. 

  286.   ret = ec_group_new(meth);

  287.   if (ret == NULL) {

  288.     return NULL;

  289.   }

  290. 

  291.   if (ret->meth->group_set_curve == 0) {

  292.     OPENSSL_PUT_ERROR(EC, ec_group_new_curve_GFp,

  293.                       ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  294.     return 0;

  295.   }

  296.   if (!ret->meth->group_set_curve(ret, p, a, b, ctx)) {

  297.     EC_GROUP_free(ret);

  298.     return NULL;

  299.   }

  300.   return ret;

  301. }

  302. 

  303. static EC_GROUP *ec_group_new_from_data(const struct built_in_curve *curve) {

  304.   EC_GROUP *group = NULL;

  305.   EC_POINT *P = NULL;

  306.   BN_CTX *ctx = NULL;

  307.   BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order = NULL;

  308.   int ok = 0;

  309.   unsigned param_len;

  310.   const EC_METHOD *meth;

  311.   const struct curve_data *data;

  312.   const uint8_t *params;

  313. 

  314.   if ((ctx = BN_CTX_new()) == NULL) {

  315.     OPENSSL_PUT_ERROR(EC, ec_group_new_from_data, ERR_R_MALLOC_FAILURE);

  316.     goto err;

  317.   }

  318. 

  319.   data = curve->data;

  320.   param_len = data->param_len;

  321.   params = data->data;

  322. 

  323.   if (!(p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) ||

  324.       !(a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) ||

  325.       !(b = BN_bin2bn(params + 2 * param_len, param_len, NULL))) {

  326.     OPENSSL_PUT_ERROR(EC, ec_group_new_from_data, ERR_R_BN_LIB);

  327.     goto err;

  328.   }

  329. 

  330.   if (curve->method != 0) {

  331.     meth = curve->method();

  332.     if (((group = ec_group_new(meth)) == NULL) ||

  333.         (!(group->meth->group_set_curve(group, p, a, b, ctx)))) {

  334.       OPENSSL_PUT_ERROR(EC, ec_group_new_from_data, ERR_R_EC_LIB);

  335.       goto err;

  336.     }

  337.   } else {

  338.     if ((group = ec_group_new_curve_GFp(p, a, b, ctx)) == NULL) {

  339.       OPENSSL_PUT_ERROR(EC, ec_group_new_from_data, ERR_R_EC_LIB);

  340.       goto err;

  341.     }

  342.   }

  343. 

  344.   if ((P = EC_POINT_new(group)) == NULL) {

  345.     OPENSSL_PUT_ERROR(EC, ec_group_new_from_data, ERR_R_EC_LIB);

  346.     goto err;

  347.   }

  348. 

  349.   if (!(x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) ||

  350.       !(y = BN_bin2bn(params + 4 * param_len, param_len, NULL))) {

  351.     OPENSSL_PUT_ERROR(EC, ec_group_new_from_data, ERR_R_BN_LIB);

  352.     goto err;

  353.   }

  354. 

  355.   if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) {

  356.     OPENSSL_PUT_ERROR(EC, ec_group_new_from_data, ERR_R_EC_LIB);

  357.     goto err;

  358.   }

  359.   if (!(order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) ||

  360.       !BN_set_word(x, (BN_ULONG)data->cofactor)) {

  361.     OPENSSL_PUT_ERROR(EC, ec_group_new_from_data, ERR_R_BN_LIB);

  362.     goto err;

  363.   }

  364. 

  365.   group->generator = P;

  366.   P = NULL;

  367.   if (!BN_copy(&group->order, order) ||

  368.       !BN_set_word(&group->cofactor, (BN_ULONG)data->cofactor)) {

  369.     OPENSSL_PUT_ERROR(EC, ec_group_new_from_data, ERR_R_BN_LIB);

  370.     goto err;

  371.   }

  372. 

  373.   ok = 1;

  374. 

  375. err:

  376.   if (!ok) {

  377.     EC_GROUP_free(group);

  378.     group = NULL;

  379.   }

  380.   if (P)

  381.     EC_POINT_free(P);

  382.   if (ctx)

  383.     BN_CTX_free(ctx);

  384.   if (p)

  385.     BN_free(p);

  386.   if (a)

  387.     BN_free(a);

  388.   if (b)

  389.     BN_free(b);

  390.   if (order)

  391.     BN_free(order);

  392.   if (x)

  393.     BN_free(x);

  394.   if (y)

  395.     BN_free(y);

  396.   return group;

  397. }

  398. 

  399. EC_GROUP *EC_GROUP_new_by_curve_name(int nid) {

  400.   unsigned i;

  401.   const struct built_in_curve *curve;

  402.   EC_GROUP *ret = NULL;

  403. 

  404.   for (i = 0; built_in_curves[i].nid != NID_undef; i++) {

  405.     curve = &built_in_curves[i];

  406.     if (curve->nid == nid) {

  407.       ret = ec_group_new_from_data(curve);

  408.       break;

  409.     }

  410.   }

  411. 

  412.   if (ret == NULL) {

  413.     OPENSSL_PUT_ERROR(EC, EC_GROUP_new_by_curve_name, EC_R_UNKNOWN_GROUP);

  414.     return NULL;

  415.   }

  416. 

  417.   ret->curve_name = nid;

  418.   return ret;

  419. }

  420. 

  421. void EC_GROUP_free(EC_GROUP *group) {

  422.   if (!group) {

  423.     return;

  424.   }

  425. 

  426.   if (group->meth->group_finish != 0) {

  427.     group->meth->group_finish(group);

  428.   }

  429. 

  430.   ec_pre_comp_free(group->pre_comp);

  431. 

  432.   if (group->generator != NULL) {

  433.     EC_POINT_free(group->generator);

  434.   }

  435.   BN_free(&group->order);

  436.   BN_free(&group->cofactor);

  437. 

  438.   OPENSSL_free(group);

  439. }

  440. 

  441. int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) {

  442.   if (dest->meth->group_copy == 0) {

  443.     OPENSSL_PUT_ERROR(EC, EC_GROUP_copy, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  444.     return 0;

  445.   }

  446.   if (dest->meth != src->meth) {

  447.     OPENSSL_PUT_ERROR(EC, EC_GROUP_copy, EC_R_INCOMPATIBLE_OBJECTS);

  448.     return 0;

  449.   }

  450.   if (dest == src) {

  451.     return 1;

  452.   }

  453. 

  454.   ec_pre_comp_free(dest->pre_comp);

  455.   dest->pre_comp = ec_pre_comp_dup(src->pre_comp);

  456. 

  457.   if (src->generator != NULL) {

  458.     if (dest->generator == NULL) {

  459.       dest->generator = EC_POINT_new(dest);

  460.       if (dest->generator == NULL) {

  461.         return 0;

  462.       }

  463.     }

  464.     if (!EC_POINT_copy(dest->generator, src->generator)) {

  465.       return 0;

  466.     }

  467.   } else {

  468.     /* src->generator == NULL */

  469.     if (dest->generator != NULL) {

  470.       EC_POINT_clear_free(dest->generator);

  471.       dest->generator = NULL;

  472.     }

  473.   }

  474. 

  475.   if (!BN_copy(&dest->order, &src->order) ||

  476.       !BN_copy(&dest->cofactor, &src->cofactor)) {

  477.     return 0;

  478.   }

  479. 

  480.   dest->curve_name = src->curve_name;

  481.   dest->asn1_form = src->asn1_form;

  482. 

  483.   return dest->meth->group_copy(dest, src);

  484. }

  485. 

  486. EC_GROUP *EC_GROUP_dup(const EC_GROUP *a) {

  487.   EC_GROUP *t = NULL;

  488.   int ok = 0;

  489. 

  490.   if (a == NULL) {

  491.     return NULL;

  492.   }

  493. 

  494.   t = ec_group_new(a->meth);

  495.   if (t == NULL) {

  496.     return NULL;

  497.   }

  498.   if (!EC_GROUP_copy(t, a)) {

  499.     goto err;

  500.   }

  501. 

  502.   ok = 1;

  503. 

  504. err:

  505.   if (!ok) {

  506.     if (t) {

  507.       EC_GROUP_free(t);

  508.     }

  509.     return NULL;

  510.   } else {

  511.     return t;

  512.   }

  513. }

  514. 

  515. int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b) {

  516.   if (a->curve_name == NID_undef || b->curve_name == NID_undef) {

  517.     return 0;

  518.   }

  519.   return a->curve_name == b->curve_name;

  520. }

  521. 

  522. const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) {

  523.   return group->generator;

  524. }

  525. 

  526. int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) {

  527.   if (!BN_copy(order, &group->order)) {

  528.     return 0;

  529.   }

  530. 

  531.   return !BN_is_zero(order);

  532. }

  533. 

  534. int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor,

  535.                           BN_CTX *ctx) {

  536.   if (!BN_copy(cofactor, &group->cofactor)) {

  537.     return 0;

  538.   }

  539. 

  540.   return !BN_is_zero(&group->cofactor);

  541. }

  542. 

  543. int EC_GROUP_get_curve_name(const EC_GROUP *group) { return group->curve_name; }

  544. 

  545. int EC_GROUP_get_degree(const EC_GROUP *group) {

  546.   if (group->meth->group_get_degree == 0) {

  547.     OPENSSL_PUT_ERROR(EC, EC_GROUP_get_degree,

  548.                       ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  549.     return 0;

  550.   }

  551.   return group->meth->group_get_degree(group);

  552. }

  553. 

  554. void EC_GROUP_set_point_conversion_form(EC_GROUP *group,

  555.                                         point_conversion_form_t form) {

  556.   group->asn1_form = form;

  557. }

  558. 

  559. int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx) {

  560.   if (group->meth->mul == 0) {

  561.     /* use default */

  562.     return ec_wNAF_precompute_mult(group, ctx);

  563.   }

  564. 

  565.   if (group->meth->precompute_mult != 0) {

  566.     return group->meth->precompute_mult(group, ctx);

  567.   }

  568. 

  569.   return 1; /* nothing to do, so report success */

  570. }

  571. 

  572. int EC_GROUP_have_precompute_mult(const EC_GROUP *group) {

  573.   if (group->meth->mul == 0) {

  574.     /* use default */

  575.     return ec_wNAF_have_precompute_mult(group);

  576.   }

  577. 

  578.   if (group->meth->have_precompute_mult != 0) {

  579.     return group->meth->have_precompute_mult(group);

  580.   }

  581. 

  582.   return 0; /* cannot tell whether precomputation has been performed */

  583. }

  584. 

  585. EC_POINT *EC_POINT_new(const EC_GROUP *group) {

  586.   EC_POINT *ret;

  587. 

  588.   if (group == NULL) {

  589.     OPENSSL_PUT_ERROR(EC, EC_POINT_new, ERR_R_PASSED_NULL_PARAMETER);

  590.     return NULL;

  591.   }

  592.   if (group->meth->point_init == 0) {

  593.     OPENSSL_PUT_ERROR(EC, EC_POINT_new, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  594.     return NULL;

  595.   }

  596. 

  597.   ret = OPENSSL_malloc(sizeof *ret);

  598.   if (ret == NULL) {

  599.     OPENSSL_PUT_ERROR(EC, EC_POINT_new, ERR_R_MALLOC_FAILURE);

  600.     return NULL;

  601.   }

  602. 

  603.   ret->meth = group->meth;

  604. 

  605.   if (!ret->meth->point_init(ret)) {

  606.     OPENSSL_free(ret);

  607.     return NULL;

  608.   }

  609. 

  610.   return ret;

  611. }

  612. 

  613. void EC_POINT_free(EC_POINT *point) {

  614.   if (!point) {

  615.     return;

  616.   }

  617. 

  618.   if (point->meth->point_finish != 0) {

  619.     point->meth->point_finish(point);

  620.   }

  621.   OPENSSL_free(point);

  622. }

  623. 

  624. void EC_POINT_clear_free(EC_POINT *point) {

  625.   if (!point) {

  626.     return;

  627.   }

  628. 

  629.   if (point->meth->point_clear_finish != 0) {

  630.     point->meth->point_clear_finish(point);

  631.   } else if (point->meth->point_finish != 0) {

  632.     point->meth->point_finish(point);

  633.   }

  634.   OPENSSL_cleanse(point, sizeof *point);

  635.   OPENSSL_free(point);

  636. }

  637. 

  638. int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src) {

  639.   if (dest->meth->point_copy == 0) {

  640.     OPENSSL_PUT_ERROR(EC, EC_POINT_copy, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  641.     return 0;

  642.   }

  643.   if (dest->meth != src->meth) {

  644.     OPENSSL_PUT_ERROR(EC, EC_POINT_copy, EC_R_INCOMPATIBLE_OBJECTS);

  645.     return 0;

  646.   }

  647.   if (dest == src) {

  648.     return 1;

  649.   }

  650.   return dest->meth->point_copy(dest, src);

  651. }

  652. 

  653. EC_POINT *EC_POINT_dup(const EC_POINT *a, const EC_GROUP *group) {

  654.   EC_POINT *t;

  655.   int r;

  656. 

  657.   if (a == NULL) {

  658.     return NULL;

  659.   }

  660. 

  661.   t = EC_POINT_new(group);

  662.   if (t == NULL) {

  663.     OPENSSL_PUT_ERROR(EC, EC_POINT_dup, ERR_R_MALLOC_FAILURE);

  664.     return NULL;

  665.   }

  666.   r = EC_POINT_copy(t, a);

  667.   if (!r) {

  668.     EC_POINT_free(t);

  669.     return NULL;

  670.   } else {

  671.     return t;

  672.   }

  673. }

  674. 

  675. int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point) {

  676.   if (group->meth->point_set_to_infinity == 0) {

  677.     OPENSSL_PUT_ERROR(EC, EC_POINT_set_to_infinity,

  678.                       ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  679.     return 0;

  680.   }

  681.   if (group->meth != point->meth) {

  682.     OPENSSL_PUT_ERROR(EC, EC_POINT_set_to_infinity, EC_R_INCOMPATIBLE_OBJECTS);

  683.     return 0;

  684.   }

  685.   return group->meth->point_set_to_infinity(group, point);

  686. }

  687. 

  688. int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) {

  689.   if (group->meth->is_at_infinity == 0) {

  690.     OPENSSL_PUT_ERROR(EC, EC_POINT_is_at_infinity,

  691.                       ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  692.     return 0;

  693.   }

  694.   if (group->meth != point->meth) {

  695.     OPENSSL_PUT_ERROR(EC, EC_POINT_is_at_infinity, EC_R_INCOMPATIBLE_OBJECTS);

  696.     return 0;

  697.   }

  698.   return group->meth->is_at_infinity(group, point);

  699. }

  700. 

  701. int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point,

  702.                          BN_CTX *ctx) {

  703.   if (group->meth->is_on_curve == 0) {

  704.     OPENSSL_PUT_ERROR(EC, EC_POINT_is_on_curve,

  705.                       ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  706.     return 0;

  707.   }

  708.   if (group->meth != point->meth) {

  709.     OPENSSL_PUT_ERROR(EC, EC_POINT_is_on_curve, EC_R_INCOMPATIBLE_OBJECTS);

  710.     return 0;

  711.   }

  712.   return group->meth->is_on_curve(group, point, ctx);

  713. }

  714. 

  715. int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b,

  716.                  BN_CTX *ctx) {

  717.   if (group->meth->point_cmp == 0) {

  718.     OPENSSL_PUT_ERROR(EC, EC_POINT_cmp, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  719.     return -1;

  720.   }

  721.   if ((group->meth != a->meth) || (a->meth != b->meth)) {

  722.     OPENSSL_PUT_ERROR(EC, EC_POINT_cmp, EC_R_INCOMPATIBLE_OBJECTS);

  723.     return -1;

  724.   }

  725.   return group->meth->point_cmp(group, a, b, ctx);

  726. }

  727. 

  728. int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) {

  729.   if (group->meth->make_affine == 0) {

  730.     OPENSSL_PUT_ERROR(EC, EC_POINT_make_affine,

  731.                       ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  732.     return 0;

  733.   }

  734.   if (group->meth != point->meth) {

  735.     OPENSSL_PUT_ERROR(EC, EC_POINT_make_affine, EC_R_INCOMPATIBLE_OBJECTS);

  736.     return 0;

  737.   }

  738.   return group->meth->make_affine(group, point, ctx);

  739. }

  740. 

  741. int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],

  742.                           BN_CTX *ctx) {

  743.   size_t i;

  744. 

  745.   if (group->meth->points_make_affine == 0) {

  746.     OPENSSL_PUT_ERROR(EC, EC_POINTs_make_affine,

  747.                       ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  748.     return 0;

  749.   }

  750.   for (i = 0; i < num; i++) {

  751.     if (group->meth != points[i]->meth) {

  752.       OPENSSL_PUT_ERROR(EC, EC_POINTs_make_affine, EC_R_INCOMPATIBLE_OBJECTS);

  753.       return 0;

  754.     }

  755.   }

  756.   return group->meth->points_make_affine(group, num, points, ctx);

  757. }

  758. 

  759. int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,

  760.                                         const EC_POINT *point, BIGNUM *x,

  761.                                         BIGNUM *y, BN_CTX *ctx) {

  762.   if (group->meth->point_get_affine_coordinates == 0) {

  763.     OPENSSL_PUT_ERROR(EC, EC_POINT_get_affine_coordinates_GFp,

  764.                       ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  765.     return 0;

  766.   }

  767.   if (group->meth != point->meth) {

  768.     OPENSSL_PUT_ERROR(EC, EC_POINT_get_affine_coordinates_GFp,

  769.                       EC_R_INCOMPATIBLE_OBJECTS);

  770.     return 0;

  771.   }

  772.   return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);

  773. }

  774. 

  775. int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,

  776.                                         const BIGNUM *x, const BIGNUM *y,

  777.                                         BN_CTX *ctx) {

  778.   if (group->meth->point_set_affine_coordinates == 0) {

  779.     OPENSSL_PUT_ERROR(EC, EC_POINT_set_affine_coordinates_GFp,

  780.                       ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  781.     return 0;

  782.   }

  783.   if (group->meth != point->meth) {

  784.     OPENSSL_PUT_ERROR(EC, EC_POINT_set_affine_coordinates_GFp,

  785.                       EC_R_INCOMPATIBLE_OBJECTS);

  786.     return 0;

  787.   }

  788.   return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);

  789. }

  790. 

  791. int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,

  792.                  const EC_POINT *b, BN_CTX *ctx) {

  793.   if (group->meth->add == 0) {

  794.     OPENSSL_PUT_ERROR(EC, EC_POINT_add, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  795.     return 0;

  796.   }

  797.   if ((group->meth != r->meth) || (r->meth != a->meth) ||

  798.       (a->meth != b->meth)) {

  799.     OPENSSL_PUT_ERROR(EC, EC_POINT_add, EC_R_INCOMPATIBLE_OBJECTS);

  800.     return 0;

  801.   }

  802.   return group->meth->add(group, r, a, b, ctx);

  803. }

  804. 

  805. 

  806. int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,

  807.                  BN_CTX *ctx) {

  808.   if (group->meth->dbl == 0) {

  809.     OPENSSL_PUT_ERROR(EC, EC_POINT_dbl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  810.     return 0;

  811.   }

  812.   if ((group->meth != r->meth) || (r->meth != a->meth)) {

  813.     OPENSSL_PUT_ERROR(EC, EC_POINT_dbl, EC_R_INCOMPATIBLE_OBJECTS);

  814.     return 0;

  815.   }

  816.   return group->meth->dbl(group, r, a, ctx);

  817. }

  818. 

  819. 

  820. int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) {

  821.   if (group->meth->dbl == 0) {

  822.     OPENSSL_PUT_ERROR(EC, EC_POINT_invert, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  823.     return 0;

  824.   }

  825.   if (group->meth != a->meth) {

  826.     OPENSSL_PUT_ERROR(EC, EC_POINT_invert, EC_R_INCOMPATIBLE_OBJECTS);

  827.     return 0;

  828.   }

  829.   return group->meth->invert(group, a, ctx);

  830. }

  831. 

  832. int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,

  833.                  const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx) {

  834.   /* just a convenient interface to EC_POINTs_mul() */

  835. 

  836.   const EC_POINT *points[1];

  837.   const BIGNUM *scalars[1];

  838. 

  839.   points[0] = point;

  840.   scalars[0] = p_scalar;

  841. 

  842.   return EC_POINTs_mul(group, r, g_scalar, (point != NULL && p_scalar != NULL),

  843.                        points, scalars, ctx);

  844. }

  845. 

  846. int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,

  847.                   size_t num, const EC_POINT *points[], const BIGNUM *scalars[],

  848.                   BN_CTX *ctx) {

  849.   if (group->meth->mul == 0) {

  850.     /* use default. Warning, not constant-time. */

  851.     return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);

  852.   }

  853. 

  854.   return group->meth->mul(group, r, scalar, num, points, scalars, ctx);

  855. }

  856. 

  857. int ec_point_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,

  858.                                              const BIGNUM *x, const BIGNUM *y,

  859.                                              const BIGNUM *z, BN_CTX *ctx) {

  860.   if (group->meth->point_set_Jprojective_coordinates_GFp == 0) {

  861.     OPENSSL_PUT_ERROR(EC, ec_point_set_Jprojective_coordinates_GFp,

  862.                       ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  863.     return 0;

  864.   }

  865.   if (group->meth != point->meth) {

  866.     OPENSSL_PUT_ERROR(EC, ec_point_set_Jprojective_coordinates_GFp,

  867.                       EC_R_INCOMPATIBLE_OBJECTS);

  868.     return 0;

  869.   }

  870.   return group->meth->point_set_Jprojective_coordinates_GFp(group, point, x, y,

  871.                                                             z, ctx);

  872. }