1/* 2 * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved. 4 * 5 * Licensed under the OpenSSL license (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11#include <openssl/ec.h> 12 13#include <assert.h> 14#include <string.h> 15 16#include <openssl/bn.h> 17#include <openssl/err.h> 18#include <openssl/mem.h> 19#include <openssl/nid.h> 20 21#include "../../internal.h" 22#include "../bn/internal.h" 23#include "../delocate.h" 24#include "internal.h" 25 26#include "builtin_curves.h" 27 28 29static void ec_point_free(EC_POINT *point, int free_group); 30 31static void ec_group_init_static_mont(BN_MONT_CTX *mont, size_t num_words, 32 const BN_ULONG *modulus, 33 const BN_ULONG *rr, uint64_t n0) { 34 bn_set_static_words(&mont->N, modulus, num_words); 35 bn_set_static_words(&mont->RR, rr, num_words); 36#if defined(OPENSSL_64_BIT) 37 mont->n0[0] = n0; 38#elif defined(OPENSSL_32_BIT) 39 mont->n0[0] = (uint32_t)n0; 40 mont->n0[1] = (uint32_t)(n0 >> 32); 41#else 42#error "unknown word length" 43#endif 44} 45 46static void ec_group_set_a_minus3(EC_GROUP *group) { 47 const EC_FELEM *one = ec_felem_one(group); 48 group->a_is_minus3 = 1; 49 ec_felem_neg(group, &group->a, one); 50 ec_felem_sub(group, &group->a, &group->a, one); 51 ec_felem_sub(group, &group->a, &group->a, one); 52} 53 54DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p224) { 55 out->curve_name = NID_secp224r1; 56 out->comment = "NIST P-224"; 57 // 1.3.132.0.33 58 static const uint8_t kOIDP224[] = {0x2b, 0x81, 0x04, 0x00, 0x21}; 59 OPENSSL_memcpy(out->oid, kOIDP224, sizeof(kOIDP224)); 60 out->oid_len = sizeof(kOIDP224); 61 62 ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP224Field), 63 kP224Field, kP224FieldRR, kP224FieldN0); 64 ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP224Order), 65 kP224Order, kP224OrderRR, kP224OrderN0); 66 67#if defined(BORINGSSL_HAS_UINT128) && !defined(OPENSSL_SMALL) 68 out->meth = EC_GFp_nistp224_method(); 69 OPENSSL_memcpy(out->generator.raw.X.words, kP224GX, sizeof(kP224GX)); 70 OPENSSL_memcpy(out->generator.raw.Y.words, kP224GY, sizeof(kP224GY)); 71 out->generator.raw.Z.words[0] = 1; 72 OPENSSL_memcpy(out->b.words, kP224B, sizeof(kP224B)); 73#else 74 out->meth = EC_GFp_mont_method(); 75 OPENSSL_memcpy(out->generator.raw.X.words, kP224MontGX, sizeof(kP224MontGX)); 76 OPENSSL_memcpy(out->generator.raw.Y.words, kP224MontGY, sizeof(kP224MontGY)); 77 OPENSSL_memcpy(out->generator.raw.Z.words, kP224FieldR, sizeof(kP224FieldR)); 78 OPENSSL_memcpy(out->b.words, kP224MontB, sizeof(kP224MontB)); 79#endif 80 out->generator.group = out; 81 82 ec_group_set_a_minus3(out); 83 out->has_order = 1; 84 out->field_greater_than_order = 1; 85} 86 87DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p256) { 88 out->curve_name = NID_X9_62_prime256v1; 89 out->comment = "NIST P-256"; 90 // 1.2.840.10045.3.1.7 91 static const uint8_t kOIDP256[] = {0x2a, 0x86, 0x48, 0xce, 92 0x3d, 0x03, 0x01, 0x07}; 93 OPENSSL_memcpy(out->oid, kOIDP256, sizeof(kOIDP256)); 94 out->oid_len = sizeof(kOIDP256); 95 96 ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP256Field), 97 kP256Field, kP256FieldRR, kP256FieldN0); 98 ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP256Order), 99 kP256Order, kP256OrderRR, kP256OrderN0); 100 101#if !defined(OPENSSL_NO_ASM) && \ 102 (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ 103 !defined(OPENSSL_SMALL) 104 out->meth = EC_GFp_nistz256_method(); 105#else 106 out->meth = EC_GFp_nistp256_method(); 107#endif 108 out->generator.group = out; 109 OPENSSL_memcpy(out->generator.raw.X.words, kP256MontGX, sizeof(kP256MontGX)); 110 OPENSSL_memcpy(out->generator.raw.Y.words, kP256MontGY, sizeof(kP256MontGY)); 111 OPENSSL_memcpy(out->generator.raw.Z.words, kP256FieldR, sizeof(kP256FieldR)); 112 OPENSSL_memcpy(out->b.words, kP256MontB, sizeof(kP256MontB)); 113 114 ec_group_set_a_minus3(out); 115 out->has_order = 1; 116 out->field_greater_than_order = 1; 117} 118 119DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p384) { 120 out->curve_name = NID_secp384r1; 121 out->comment = "NIST P-384"; 122 // 1.3.132.0.34 123 static const uint8_t kOIDP384[] = {0x2b, 0x81, 0x04, 0x00, 0x22}; 124 OPENSSL_memcpy(out->oid, kOIDP384, sizeof(kOIDP384)); 125 out->oid_len = sizeof(kOIDP384); 126 127 ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP384Field), 128 kP384Field, kP384FieldRR, kP384FieldN0); 129 ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP384Order), 130 kP384Order, kP384OrderRR, kP384OrderN0); 131 132 out->meth = EC_GFp_mont_method(); 133 out->generator.group = out; 134 OPENSSL_memcpy(out->generator.raw.X.words, kP384MontGX, sizeof(kP384MontGX)); 135 OPENSSL_memcpy(out->generator.raw.Y.words, kP384MontGY, sizeof(kP384MontGY)); 136 OPENSSL_memcpy(out->generator.raw.Z.words, kP384FieldR, sizeof(kP384FieldR)); 137 OPENSSL_memcpy(out->b.words, kP384MontB, sizeof(kP384MontB)); 138 139 ec_group_set_a_minus3(out); 140 out->has_order = 1; 141 out->field_greater_than_order = 1; 142} 143 144DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p521) { 145 out->curve_name = NID_secp521r1; 146 out->comment = "NIST P-521"; 147 // 1.3.132.0.35 148 static const uint8_t kOIDP521[] = {0x2b, 0x81, 0x04, 0x00, 0x23}; 149 OPENSSL_memcpy(out->oid, kOIDP521, sizeof(kOIDP521)); 150 out->oid_len = sizeof(kOIDP521); 151 152 ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP521Field), 153 kP521Field, kP521FieldRR, kP521FieldN0); 154 ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP521Order), 155 kP521Order, kP521OrderRR, kP521OrderN0); 156 157 out->meth = EC_GFp_mont_method(); 158 out->generator.group = out; 159 OPENSSL_memcpy(out->generator.raw.X.words, kP521MontGX, sizeof(kP521MontGX)); 160 OPENSSL_memcpy(out->generator.raw.Y.words, kP521MontGY, sizeof(kP521MontGY)); 161 OPENSSL_memcpy(out->generator.raw.Z.words, kP521FieldR, sizeof(kP521FieldR)); 162 OPENSSL_memcpy(out->b.words, kP521MontB, sizeof(kP521MontB)); 163 164 ec_group_set_a_minus3(out); 165 out->has_order = 1; 166 out->field_greater_than_order = 1; 167} 168 169EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, 170 const BIGNUM *b, BN_CTX *ctx) { 171 if (BN_num_bytes(p) > EC_MAX_BYTES) { 172 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD); 173 return NULL; 174 } 175 176 BN_CTX *new_ctx = NULL; 177 if (ctx == NULL) { 178 ctx = new_ctx = BN_CTX_new(); 179 if (ctx == NULL) { 180 return NULL; 181 } 182 } 183 184 // Historically, |a| and |b| were not required to be fully reduced. 185 // TODO(davidben): Can this be removed? 186 EC_GROUP *ret = NULL; 187 BN_CTX_start(ctx); 188 BIGNUM *a_reduced = BN_CTX_get(ctx); 189 BIGNUM *b_reduced = BN_CTX_get(ctx); 190 if (a_reduced == NULL || b_reduced == NULL || 191 !BN_nnmod(a_reduced, a, p, ctx) || !BN_nnmod(b_reduced, b, p, ctx)) { 192 goto err; 193 } 194 195 ret = reinterpret_cast<EC_GROUP *>(OPENSSL_zalloc(sizeof(EC_GROUP))); 196 if (ret == NULL) { 197 return NULL; 198 } 199 ret->references = 1; 200 ret->meth = EC_GFp_mont_method(); 201 bn_mont_ctx_init(&ret->field); 202 bn_mont_ctx_init(&ret->order); 203 ret->generator.group = ret; 204 if (!ec_GFp_simple_group_set_curve(ret, p, a_reduced, b_reduced, ctx)) { 205 EC_GROUP_free(ret); 206 ret = NULL; 207 goto err; 208 } 209 210err: 211 BN_CTX_end(ctx); 212 BN_CTX_free(new_ctx); 213 return ret; 214} 215 216int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, 217 const BIGNUM *order, const BIGNUM *cofactor) { 218 if (group->curve_name != NID_undef || group->has_order || 219 generator->group != group) { 220 // |EC_GROUP_set_generator| may only be used with |EC_GROUP|s returned by 221 // |EC_GROUP_new_curve_GFp| and may only used once on each group. 222 // |generator| must have been created from |EC_GROUP_new_curve_GFp|, not a 223 // copy, so that |generator->group->generator| is set correctly. 224 OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 225 return 0; 226 } 227 228 if (BN_num_bytes(order) > EC_MAX_BYTES) { 229 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER); 230 return 0; 231 } 232 233 // Require a cofactor of one for custom curves, which implies prime order. 234 if (!BN_is_one(cofactor)) { 235 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COFACTOR); 236 return 0; 237 } 238 239 // Require that p < 2×order. This simplifies some ECDSA operations. 240 // 241 // Note any curve which did not satisfy this must have been invalid or use a 242 // tiny prime (less than 17). See the proof in |field_element_to_scalar| in 243 // the ECDSA implementation. 244 int ret = 0; 245 BIGNUM *tmp = BN_new(); 246 if (tmp == NULL || !BN_lshift1(tmp, order)) { 247 goto err; 248 } 249 if (BN_cmp(tmp, &group->field.N) <= 0) { 250 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER); 251 goto err; 252 } 253 254 EC_AFFINE affine; 255 if (!ec_jacobian_to_affine(group, &affine, &generator->raw) || 256 !BN_MONT_CTX_set(&group->order, order, NULL)) { 257 goto err; 258 } 259 260 group->field_greater_than_order = BN_cmp(&group->field.N, order) > 0; 261 group->generator.raw.X = affine.X; 262 group->generator.raw.Y = affine.Y; 263 // |raw.Z| was set to 1 by |EC_GROUP_new_curve_GFp|. 264 group->has_order = 1; 265 ret = 1; 266 267err: 268 BN_free(tmp); 269 return ret; 270} 271 272EC_GROUP *EC_GROUP_new_by_curve_name(int nid) { 273 switch (nid) { 274 case NID_secp224r1: 275 return (EC_GROUP *)EC_group_p224(); 276 case NID_X9_62_prime256v1: 277 return (EC_GROUP *)EC_group_p256(); 278 case NID_secp384r1: 279 return (EC_GROUP *)EC_group_p384(); 280 case NID_secp521r1: 281 return (EC_GROUP *)EC_group_p521(); 282 default: 283 OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP); 284 return NULL; 285 } 286} 287 288void EC_GROUP_free(EC_GROUP *group) { 289 if (group == NULL || 290 // Built-in curves are static. 291 group->curve_name != NID_undef || 292 !CRYPTO_refcount_dec_and_test_zero(&group->references)) { 293 return; 294 } 295 296 bn_mont_ctx_cleanup(&group->order); 297 bn_mont_ctx_cleanup(&group->field); 298 OPENSSL_free(group); 299} 300 301EC_GROUP *EC_GROUP_dup(const EC_GROUP *a) { 302 if (a == NULL || 303 // Built-in curves are static. 304 a->curve_name != NID_undef) { 305 return (EC_GROUP *)a; 306 } 307 308 // Groups are logically immutable (but for |EC_GROUP_set_generator| which must 309 // be called early on), so we simply take a reference. 310 EC_GROUP *group = (EC_GROUP *)a; 311 CRYPTO_refcount_inc(&group->references); 312 return group; 313} 314 315int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ignored) { 316 // Note this function returns 0 if equal and non-zero otherwise. 317 if (a == b) { 318 return 0; 319 } 320 if (a->curve_name != b->curve_name) { 321 return 1; 322 } 323 if (a->curve_name != NID_undef) { 324 // Built-in curves may be compared by curve name alone. 325 return 0; 326 } 327 328 // |a| and |b| are both custom curves. We compare the entire curve 329 // structure. If |a| or |b| is incomplete (due to legacy OpenSSL mistakes, 330 // custom curve construction is sadly done in two parts) but otherwise not the 331 // same object, we consider them always unequal. 332 return a->meth != b->meth || // 333 !a->has_order || !b->has_order || 334 BN_cmp(&a->order.N, &b->order.N) != 0 || 335 BN_cmp(&a->field.N, &b->field.N) != 0 || 336 !ec_felem_equal(a, &a->a, &b->a) || // 337 !ec_felem_equal(a, &a->b, &b->b) || 338 !ec_GFp_simple_points_equal(a, &a->generator.raw, &b->generator.raw); 339} 340 341const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) { 342 return group->has_order ? &group->generator : NULL; 343} 344 345const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group) { 346 assert(group->has_order); 347 return &group->order.N; 348} 349 350int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) { 351 if (BN_copy(order, EC_GROUP_get0_order(group)) == NULL) { 352 return 0; 353 } 354 return 1; 355} 356 357int EC_GROUP_order_bits(const EC_GROUP *group) { 358 return BN_num_bits(&group->order.N); 359} 360 361int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, 362 BN_CTX *ctx) { 363 // All |EC_GROUP|s have cofactor 1. 364 return BN_set_word(cofactor, 1); 365} 366 367int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *out_p, BIGNUM *out_a, 368 BIGNUM *out_b, BN_CTX *ctx) { 369 return ec_GFp_simple_group_get_curve(group, out_p, out_a, out_b); 370} 371 372int EC_GROUP_get_curve_name(const EC_GROUP *group) { return group->curve_name; } 373 374unsigned EC_GROUP_get_degree(const EC_GROUP *group) { 375 return BN_num_bits(&group->field.N); 376} 377 378const char *EC_curve_nid2nist(int nid) { 379 switch (nid) { 380 case NID_secp224r1: 381 return "P-224"; 382 case NID_X9_62_prime256v1: 383 return "P-256"; 384 case NID_secp384r1: 385 return "P-384"; 386 case NID_secp521r1: 387 return "P-521"; 388 } 389 return NULL; 390} 391 392int EC_curve_nist2nid(const char *name) { 393 if (strcmp(name, "P-224") == 0) { 394 return NID_secp224r1; 395 } 396 if (strcmp(name, "P-256") == 0) { 397 return NID_X9_62_prime256v1; 398 } 399 if (strcmp(name, "P-384") == 0) { 400 return NID_secp384r1; 401 } 402 if (strcmp(name, "P-521") == 0) { 403 return NID_secp521r1; 404 } 405 return NID_undef; 406} 407 408EC_POINT *EC_POINT_new(const EC_GROUP *group) { 409 if (group == NULL) { 410 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); 411 return NULL; 412 } 413 414 EC_POINT *ret = reinterpret_cast<EC_POINT *>(OPENSSL_malloc(sizeof *ret)); 415 if (ret == NULL) { 416 return NULL; 417 } 418 419 ret->group = EC_GROUP_dup(group); 420 ec_GFp_simple_point_init(&ret->raw); 421 return ret; 422} 423 424static void ec_point_free(EC_POINT *point, int free_group) { 425 if (!point) { 426 return; 427 } 428 if (free_group) { 429 EC_GROUP_free(point->group); 430 } 431 OPENSSL_free(point); 432} 433 434void EC_POINT_free(EC_POINT *point) { 435 ec_point_free(point, 1 /* free group */); 436} 437 438void EC_POINT_clear_free(EC_POINT *point) { EC_POINT_free(point); } 439 440int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src) { 441 if (EC_GROUP_cmp(dest->group, src->group, NULL) != 0) { 442 OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); 443 return 0; 444 } 445 if (dest == src) { 446 return 1; 447 } 448 ec_GFp_simple_point_copy(&dest->raw, &src->raw); 449 return 1; 450} 451 452EC_POINT *EC_POINT_dup(const EC_POINT *a, const EC_GROUP *group) { 453 if (a == NULL) { 454 return NULL; 455 } 456 457 EC_POINT *ret = EC_POINT_new(group); 458 if (ret == NULL || !EC_POINT_copy(ret, a)) { 459 EC_POINT_free(ret); 460 return NULL; 461 } 462 463 return ret; 464} 465 466int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point) { 467 if (EC_GROUP_cmp(group, point->group, NULL) != 0) { 468 OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); 469 return 0; 470 } 471 ec_GFp_simple_point_set_to_infinity(group, &point->raw); 472 return 1; 473} 474 475int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) { 476 if (EC_GROUP_cmp(group, point->group, NULL) != 0) { 477 OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); 478 return 0; 479 } 480 return ec_GFp_simple_is_at_infinity(group, &point->raw); 481} 482 483int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, 484 BN_CTX *ctx) { 485 if (EC_GROUP_cmp(group, point->group, NULL) != 0) { 486 OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); 487 return 0; 488 } 489 return ec_GFp_simple_is_on_curve(group, &point->raw); 490} 491 492int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, 493 BN_CTX *ctx) { 494 if (EC_GROUP_cmp(group, a->group, NULL) != 0 || 495 EC_GROUP_cmp(group, b->group, NULL) != 0) { 496 OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); 497 return -1; 498 } 499 500 // Note |EC_POINT_cmp| returns zero for equality and non-zero for inequality. 501 return ec_GFp_simple_points_equal(group, &a->raw, &b->raw) ? 0 : 1; 502} 503 504int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, 505 const EC_POINT *point, BIGNUM *x, 506 BIGNUM *y, BN_CTX *ctx) { 507 if (group->meth->point_get_affine_coordinates == 0) { 508 OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 509 return 0; 510 } 511 if (EC_GROUP_cmp(group, point->group, NULL) != 0) { 512 OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); 513 return 0; 514 } 515 EC_FELEM x_felem, y_felem; 516 if (!group->meth->point_get_affine_coordinates(group, &point->raw, 517 x == NULL ? NULL : &x_felem, 518 y == NULL ? NULL : &y_felem) || 519 (x != NULL && !ec_felem_to_bignum(group, x, &x_felem)) || 520 (y != NULL && !ec_felem_to_bignum(group, y, &y_felem))) { 521 return 0; 522 } 523 return 1; 524} 525 526int EC_POINT_get_affine_coordinates(const EC_GROUP *group, 527 const EC_POINT *point, BIGNUM *x, BIGNUM *y, 528 BN_CTX *ctx) { 529 return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx); 530} 531 532void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out, 533 const EC_AFFINE *p) { 534 out->X = p->X; 535 out->Y = p->Y; 536 out->Z = *ec_felem_one(group); 537} 538 539int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, 540 const EC_JACOBIAN *p) { 541 return group->meth->point_get_affine_coordinates(group, p, &out->X, &out->Y); 542} 543 544int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out, 545 const EC_JACOBIAN *in, size_t num) { 546 if (group->meth->jacobian_to_affine_batch == NULL) { 547 OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 548 return 0; 549 } 550 return group->meth->jacobian_to_affine_batch(group, out, in, num); 551} 552 553int ec_point_set_affine_coordinates(const EC_GROUP *group, EC_AFFINE *out, 554 const EC_FELEM *x, const EC_FELEM *y) { 555 void (*const felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a, 556 const EC_FELEM *b) = group->meth->felem_mul; 557 void (*const felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a) = 558 group->meth->felem_sqr; 559 560 // Check if the point is on the curve. 561 EC_FELEM lhs, rhs; 562 felem_sqr(group, &lhs, y); // lhs = y^2 563 felem_sqr(group, &rhs, x); // rhs = x^2 564 ec_felem_add(group, &rhs, &rhs, &group->a); // rhs = x^2 + a 565 felem_mul(group, &rhs, &rhs, x); // rhs = x^3 + ax 566 ec_felem_add(group, &rhs, &rhs, &group->b); // rhs = x^3 + ax + b 567 if (!ec_felem_equal(group, &lhs, &rhs)) { 568 OPENSSL_PUT_ERROR(EC, EC_R_POINT_IS_NOT_ON_CURVE); 569 // In the event of an error, defend against the caller not checking the 570 // return value by setting a known safe value. Note this may not be possible 571 // if the caller is in the process of constructing an arbitrary group and 572 // the generator is missing. 573 if (group->has_order) { 574 out->X = group->generator.raw.X; 575 out->Y = group->generator.raw.Y; 576 } 577 return 0; 578 } 579 580 out->X = *x; 581 out->Y = *y; 582 return 1; 583} 584 585int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, 586 const BIGNUM *x, const BIGNUM *y, 587 BN_CTX *ctx) { 588 if (EC_GROUP_cmp(group, point->group, NULL) != 0) { 589 OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); 590 return 0; 591 } 592 593 if (x == NULL || y == NULL) { 594 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); 595 return 0; 596 } 597 598 EC_FELEM x_felem, y_felem; 599 EC_AFFINE affine; 600 if (!ec_bignum_to_felem(group, &x_felem, x) || 601 !ec_bignum_to_felem(group, &y_felem, y) || 602 !ec_point_set_affine_coordinates(group, &affine, &x_felem, &y_felem)) { 603 // In the event of an error, defend against the caller not checking the 604 // return value by setting a known safe value. 605 ec_set_to_safe_point(group, &point->raw); 606 return 0; 607 } 608 609 ec_affine_to_jacobian(group, &point->raw, &affine); 610 return 1; 611} 612 613int EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point, 614 const BIGNUM *x, const BIGNUM *y, 615 BN_CTX *ctx) { 616 return EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx); 617} 618 619int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, 620 const EC_POINT *b, BN_CTX *ctx) { 621 if (EC_GROUP_cmp(group, r->group, NULL) != 0 || 622 EC_GROUP_cmp(group, a->group, NULL) != 0 || 623 EC_GROUP_cmp(group, b->group, NULL) != 0) { 624 OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); 625 return 0; 626 } 627 group->meth->add(group, &r->raw, &a->raw, &b->raw); 628 return 1; 629} 630 631int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, 632 BN_CTX *ctx) { 633 if (EC_GROUP_cmp(group, r->group, NULL) != 0 || 634 EC_GROUP_cmp(group, a->group, NULL) != 0) { 635 OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); 636 return 0; 637 } 638 group->meth->dbl(group, &r->raw, &a->raw); 639 return 1; 640} 641 642 643int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) { 644 if (EC_GROUP_cmp(group, a->group, NULL) != 0) { 645 OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); 646 return 0; 647 } 648 ec_GFp_simple_invert(group, &a->raw); 649 return 1; 650} 651 652static int arbitrary_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, 653 const BIGNUM *in, BN_CTX *ctx) { 654 if (ec_bignum_to_scalar(group, out, in)) { 655 return 1; 656 } 657 658 ERR_clear_error(); 659 660 // This is an unusual input, so we do not guarantee constant-time processing. 661 BN_CTX_start(ctx); 662 BIGNUM *tmp = BN_CTX_get(ctx); 663 int ok = tmp != NULL && BN_nnmod(tmp, in, EC_GROUP_get0_order(group), ctx) && 664 ec_bignum_to_scalar(group, out, tmp); 665 BN_CTX_end(ctx); 666 return ok; 667} 668 669int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r, 670 const BIGNUM *g_scalar, const EC_POINT *p, 671 const BIGNUM *p_scalar, BN_CTX *ctx) { 672 // Previously, this function set |r| to the point at infinity if there was 673 // nothing to multiply. But, nobody should be calling this function with 674 // nothing to multiply in the first place. 675 if ((g_scalar == NULL && p_scalar == NULL) || 676 (p == NULL) != (p_scalar == NULL)) { 677 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); 678 return 0; 679 } 680 681 if (EC_GROUP_cmp(group, r->group, NULL) != 0 || 682 (p != NULL && EC_GROUP_cmp(group, p->group, NULL) != 0)) { 683 OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS); 684 return 0; 685 } 686 687 int ret = 0; 688 BN_CTX *new_ctx = NULL; 689 if (ctx == NULL) { 690 new_ctx = BN_CTX_new(); 691 if (new_ctx == NULL) { 692 goto err; 693 } 694 ctx = new_ctx; 695 } 696 697 // If both |g_scalar| and |p_scalar| are non-NULL, 698 // |ec_point_mul_scalar_public| would share the doublings between the two 699 // products, which would be more efficient. However, we conservatively assume 700 // the caller needs a constant-time operation. (ECDSA verification does not 701 // use this function.) 702 // 703 // Previously, the low-level constant-time multiplication function aligned 704 // with this function's calling convention, but this was misleading. Curves 705 // which combined the two multiplications did not avoid the doubling case 706 // in the incomplete addition formula and were not constant-time. 707 708 if (g_scalar != NULL) { 709 EC_SCALAR scalar; 710 if (!arbitrary_bignum_to_scalar(group, &scalar, g_scalar, ctx) || 711 !ec_point_mul_scalar_base(group, &r->raw, &scalar)) { 712 goto err; 713 } 714 } 715 716 if (p_scalar != NULL) { 717 EC_SCALAR scalar; 718 EC_JACOBIAN tmp; 719 if (!arbitrary_bignum_to_scalar(group, &scalar, p_scalar, ctx) || 720 !ec_point_mul_scalar(group, &tmp, &p->raw, &scalar)) { 721 goto err; 722 } 723 if (g_scalar == NULL) { 724 OPENSSL_memcpy(&r->raw, &tmp, sizeof(EC_JACOBIAN)); 725 } else { 726 group->meth->add(group, &r->raw, &r->raw, &tmp); 727 } 728 } 729 730 ret = 1; 731 732err: 733 BN_CTX_free(new_ctx); 734 return ret; 735} 736 737int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, 738 const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx) { 739 boringssl_ensure_ecc_self_test(); 740 741 return ec_point_mul_no_self_test(group, r, g_scalar, p, p_scalar, ctx); 742} 743 744int ec_point_mul_scalar_public(const EC_GROUP *group, EC_JACOBIAN *r, 745 const EC_SCALAR *g_scalar, const EC_JACOBIAN *p, 746 const EC_SCALAR *p_scalar) { 747 if (g_scalar == NULL || p_scalar == NULL || p == NULL) { 748 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); 749 return 0; 750 } 751 752 if (group->meth->mul_public == NULL) { 753 return group->meth->mul_public_batch(group, r, g_scalar, p, p_scalar, 1); 754 } 755 756 group->meth->mul_public(group, r, g_scalar, p, p_scalar); 757 return 1; 758} 759 760int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r, 761 const EC_SCALAR *g_scalar, 762 const EC_JACOBIAN *points, 763 const EC_SCALAR *scalars, size_t num) { 764 if (group->meth->mul_public_batch == NULL) { 765 OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 766 return 0; 767 } 768 769 return group->meth->mul_public_batch(group, r, g_scalar, points, scalars, 770 num); 771} 772 773int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r, 774 const EC_JACOBIAN *p, const EC_SCALAR *scalar) { 775 if (p == NULL || scalar == NULL) { 776 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); 777 return 0; 778 } 779 780 group->meth->mul(group, r, p, scalar); 781 782 // Check the result is on the curve to defend against fault attacks or bugs. 783 // This has negligible cost compared to the multiplication. 784 if (!ec_GFp_simple_is_on_curve(group, r)) { 785 OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR); 786 return 0; 787 } 788 789 return 1; 790} 791 792int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r, 793 const EC_SCALAR *scalar) { 794 if (scalar == NULL) { 795 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); 796 return 0; 797 } 798 799 group->meth->mul_base(group, r, scalar); 800 801 // Check the result is on the curve to defend against fault attacks or bugs. 802 // This has negligible cost compared to the multiplication. This can only 803 // happen on bug or CPU fault, so it okay to leak this. The alternative would 804 // be to proceed with bad data. 805 if (!constant_time_declassify_int(ec_GFp_simple_is_on_curve(group, r))) { 806 OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR); 807 return 0; 808 } 809 810 return 1; 811} 812 813int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r, 814 const EC_JACOBIAN *p0, const EC_SCALAR *scalar0, 815 const EC_JACOBIAN *p1, const EC_SCALAR *scalar1, 816 const EC_JACOBIAN *p2, const EC_SCALAR *scalar2) { 817 if (group->meth->mul_batch == NULL) { 818 OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 819 return 0; 820 } 821 822 group->meth->mul_batch(group, r, p0, scalar0, p1, scalar1, p2, scalar2); 823 824 // Check the result is on the curve to defend against fault attacks or bugs. 825 // This has negligible cost compared to the multiplication. 826 if (!ec_GFp_simple_is_on_curve(group, r)) { 827 OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR); 828 return 0; 829 } 830 831 return 1; 832} 833 834int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, 835 const EC_JACOBIAN *p) { 836 if (group->meth->init_precomp == NULL) { 837 OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 838 return 0; 839 } 840 841 return group->meth->init_precomp(group, out, p); 842} 843 844int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r, 845 const EC_PRECOMP *p0, const EC_SCALAR *scalar0, 846 const EC_PRECOMP *p1, const EC_SCALAR *scalar1, 847 const EC_PRECOMP *p2, 848 const EC_SCALAR *scalar2) { 849 if (group->meth->mul_precomp == NULL) { 850 OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 851 return 0; 852 } 853 854 group->meth->mul_precomp(group, r, p0, scalar0, p1, scalar1, p2, scalar2); 855 856 // Check the result is on the curve to defend against fault attacks or bugs. 857 // This has negligible cost compared to the multiplication. 858 if (!ec_GFp_simple_is_on_curve(group, r)) { 859 OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR); 860 return 0; 861 } 862 863 return 1; 864} 865 866void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask, 867 const EC_JACOBIAN *a, const EC_JACOBIAN *b) { 868 ec_felem_select(group, &out->X, mask, &a->X, &b->X); 869 ec_felem_select(group, &out->Y, mask, &a->Y, &b->Y); 870 ec_felem_select(group, &out->Z, mask, &a->Z, &b->Z); 871} 872 873void ec_affine_select(const EC_GROUP *group, EC_AFFINE *out, BN_ULONG mask, 874 const EC_AFFINE *a, const EC_AFFINE *b) { 875 ec_felem_select(group, &out->X, mask, &a->X, &b->X); 876 ec_felem_select(group, &out->Y, mask, &a->Y, &b->Y); 877} 878 879void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask, 880 const EC_PRECOMP *a, const EC_PRECOMP *b) { 881 static_assert(sizeof(out->comb) == sizeof(*out), 882 "out->comb does not span the entire structure"); 883 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(out->comb); i++) { 884 ec_affine_select(group, &out->comb[i], mask, &a->comb[i], &b->comb[i]); 885 } 886} 887 888int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, 889 const EC_SCALAR *r) { 890 return group->meth->cmp_x_coordinate(group, p, r); 891} 892 893int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, 894 const EC_JACOBIAN *p) { 895 uint8_t bytes[EC_MAX_BYTES]; 896 size_t len; 897 if (!ec_get_x_coordinate_as_bytes(group, bytes, &len, sizeof(bytes), p)) { 898 return 0; 899 } 900 901 // The x-coordinate is bounded by p, but we need a scalar, bounded by the 902 // order. These may not have the same size. However, we must have p < 2×order, 903 // assuming p is not tiny (p >= 17). 904 // 905 // Thus |bytes| will fit in |order.width + 1| words, and we can reduce by 906 // performing at most one subtraction. 907 // 908 // Proof: We only work with prime order curves, so the number of points on 909 // the curve is the order. Thus Hasse's theorem gives: 910 // 911 // |order - (p + 1)| <= 2×sqrt(p) 912 // p + 1 - order <= 2×sqrt(p) 913 // p + 1 - 2×sqrt(p) <= order 914 // p + 1 - 2×(p/4) < order (p/4 > sqrt(p) for p >= 17) 915 // p/2 < p/2 + 1 < order 916 // p < 2×order 917 // 918 // Additionally, one can manually check this property for built-in curves. It 919 // is enforced for legacy custom curves in |EC_GROUP_set_generator|. 920 const BIGNUM *order = EC_GROUP_get0_order(group); 921 BN_ULONG words[EC_MAX_WORDS + 1] = {0}; 922 bn_big_endian_to_words(words, order->width + 1, bytes, len); 923 bn_reduce_once(out->words, words, /*carry=*/words[order->width], order->d, 924 order->width); 925 return 1; 926} 927 928int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out, 929 size_t *out_len, size_t max_out, 930 const EC_JACOBIAN *p) { 931 size_t len = BN_num_bytes(&group->field.N); 932 assert(len <= EC_MAX_BYTES); 933 if (max_out < len) { 934 OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL); 935 return 0; 936 } 937 938 EC_FELEM x; 939 if (!group->meth->point_get_affine_coordinates(group, p, &x, NULL)) { 940 return 0; 941 } 942 943 ec_felem_to_bytes(group, out, out_len, &x); 944 *out_len = len; 945 return 1; 946} 947 948void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out) { 949 if (group->has_order) { 950 ec_GFp_simple_point_copy(out, &group->generator.raw); 951 } else { 952 // The generator can be missing if the caller is in the process of 953 // constructing an arbitrary group. In this case, we give up and use the 954 // point at infinity. 955 ec_GFp_simple_point_set_to_infinity(group, out); 956 } 957} 958 959void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) {} 960 961int EC_GROUP_get_asn1_flag(const EC_GROUP *group) { 962 return OPENSSL_EC_NAMED_CURVE; 963} 964 965const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group) { 966 // This function exists purely to give callers a way to call 967 // |EC_METHOD_get_field_type|. cryptography.io crashes if |EC_GROUP_method_of| 968 // returns NULL, so return some other garbage pointer. 969 return (const EC_METHOD *)0x12340000; 970} 971 972int EC_METHOD_get_field_type(const EC_METHOD *meth) { 973 return NID_X9_62_prime_field; 974} 975 976void EC_GROUP_set_point_conversion_form(EC_GROUP *group, 977 point_conversion_form_t form) { 978 if (form != POINT_CONVERSION_UNCOMPRESSED) { 979 abort(); 980 } 981} 982