OpenCoverage

ec_lcl.h

Absolute File Name:/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/ec/ec_lcl.h
Source codeSwitch to Preprocessed file
LineSourceCount
1/*-
2 * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.-
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved-
4 *-
5 * Licensed under the OpenSSL license (the "License"). You may not use-
6 * this file except in compliance with the License. You can obtain a copy-
7 * in the file LICENSE in the source distribution or at-
8 * https://www.openssl.org/source/license.html-
9 */-
10-
11#include <stdlib.h>-
12-
13#include <openssl/obj_mac.h>-
14#include <openssl/ec.h>-
15#include <openssl/bn.h>-
16#include "internal/refcount.h"-
17#include "internal/ec_int.h"-
18#include "curve448/curve448_lcl.h"-
19-
20#if defined(__SUNPRO_C)-
21# if __SUNPRO_C >= 0x520-
22# pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE)-
23# endif-
24#endif-
25-
26/* Use default functions for poin2oct, oct2point and compressed coordinates */-
27#define EC_FLAGS_DEFAULT_OCT 0x1-
28-
29/* Use custom formats for EC_GROUP, EC_POINT and EC_KEY */-
30#define EC_FLAGS_CUSTOM_CURVE 0x2-
31-
32/* Curve does not support signing operations */-
33#define EC_FLAGS_NO_SIGN 0x4-
34-
35/*-
36 * Structure details are not part of the exported interface, so all this may-
37 * change in future versions.-
38 */-
39-
40struct ec_method_st {-
41 /* Various method flags */-
42 int flags;-
43 /* used by EC_METHOD_get_field_type: */-
44 int field_type; /* a NID */-
45 /*-
46 * used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free,-
47 * EC_GROUP_copy:-
48 */-
49 int (*group_init) (EC_GROUP *);-
50 void (*group_finish) (EC_GROUP *);-
51 void (*group_clear_finish) (EC_GROUP *);-
52 int (*group_copy) (EC_GROUP *, const EC_GROUP *);-
53 /* used by EC_GROUP_set_curve, EC_GROUP_get_curve: */-
54 int (*group_set_curve) (EC_GROUP *, const BIGNUM *p, const BIGNUM *a,-
55 const BIGNUM *b, BN_CTX *);-
56 int (*group_get_curve) (const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b,-
57 BN_CTX *);-
58 /* used by EC_GROUP_get_degree: */-
59 int (*group_get_degree) (const EC_GROUP *);-
60 int (*group_order_bits) (const EC_GROUP *);-
61 /* used by EC_GROUP_check: */-
62 int (*group_check_discriminant) (const EC_GROUP *, BN_CTX *);-
63 /*-
64 * used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free,-
65 * EC_POINT_copy:-
66 */-
67 int (*point_init) (EC_POINT *);-
68 void (*point_finish) (EC_POINT *);-
69 void (*point_clear_finish) (EC_POINT *);-
70 int (*point_copy) (EC_POINT *, const EC_POINT *);-
71 /*--
72 * used by EC_POINT_set_to_infinity,-
73 * EC_POINT_set_Jprojective_coordinates_GFp,-
74 * EC_POINT_get_Jprojective_coordinates_GFp,-
75 * EC_POINT_set_affine_coordinates,-
76 * EC_POINT_get_affine_coordinates,-
77 * EC_POINT_set_compressed_coordinates:-
78 */-
79 int (*point_set_to_infinity) (const EC_GROUP *, EC_POINT *);-
80 int (*point_set_Jprojective_coordinates_GFp) (const EC_GROUP *,-
81 EC_POINT *, const BIGNUM *x,-
82 const BIGNUM *y,-
83 const BIGNUM *z, BN_CTX *);-
84 int (*point_get_Jprojective_coordinates_GFp) (const EC_GROUP *,-
85 const EC_POINT *, BIGNUM *x,-
86 BIGNUM *y, BIGNUM *z,-
87 BN_CTX *);-
88 int (*point_set_affine_coordinates) (const EC_GROUP *, EC_POINT *,-
89 const BIGNUM *x, const BIGNUM *y,-
90 BN_CTX *);-
91 int (*point_get_affine_coordinates) (const EC_GROUP *, const EC_POINT *,-
92 BIGNUM *x, BIGNUM *y, BN_CTX *);-
93 int (*point_set_compressed_coordinates) (const EC_GROUP *, EC_POINT *,-
94 const BIGNUM *x, int y_bit,-
95 BN_CTX *);-
96 /* used by EC_POINT_point2oct, EC_POINT_oct2point: */-
97 size_t (*point2oct) (const EC_GROUP *, const EC_POINT *,-
98 point_conversion_form_t form, unsigned char *buf,-
99 size_t len, BN_CTX *);-
100 int (*oct2point) (const EC_GROUP *, EC_POINT *, const unsigned char *buf,-
101 size_t len, BN_CTX *);-
102 /* used by EC_POINT_add, EC_POINT_dbl, ECP_POINT_invert: */-
103 int (*add) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a,-
104 const EC_POINT *b, BN_CTX *);-
105 int (*dbl) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);-
106 int (*invert) (const EC_GROUP *, EC_POINT *, BN_CTX *);-
107 /*-
108 * used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp:-
109 */-
110 int (*is_at_infinity) (const EC_GROUP *, const EC_POINT *);-
111 int (*is_on_curve) (const EC_GROUP *, const EC_POINT *, BN_CTX *);-
112 int (*point_cmp) (const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,-
113 BN_CTX *);-
114 /* used by EC_POINT_make_affine, EC_POINTs_make_affine: */-
115 int (*make_affine) (const EC_GROUP *, EC_POINT *, BN_CTX *);-
116 int (*points_make_affine) (const EC_GROUP *, size_t num, EC_POINT *[],-
117 BN_CTX *);-
118 /*-
119 * used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult,-
120 * EC_POINT_have_precompute_mult (default implementations are used if the-
121 * 'mul' pointer is 0):-
122 */-
123 /*--
124 * mul() calculates the value-
125 *-
126 * r := generator * scalar-
127 * + points[0] * scalars[0]-
128 * + ...-
129 * + points[num-1] * scalars[num-1].-
130 *-
131 * For a fixed point multiplication (scalar != NULL, num == 0)-
132 * or a variable point multiplication (scalar == NULL, num == 1),-
133 * mul() must use a constant time algorithm: in both cases callers-
134 * should provide an input scalar (either scalar or scalars[0])-
135 * in the range [0, ec_group_order); for robustness, implementers-
136 * should handle the case when the scalar has not been reduced, but-
137 * may treat it as an unusual input, without any constant-timeness-
138 * guarantee.-
139 */-
140 int (*mul) (const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,-
141 size_t num, const EC_POINT *points[], const BIGNUM *scalars[],-
142 BN_CTX *);-
143 int (*precompute_mult) (EC_GROUP *group, BN_CTX *);-
144 int (*have_precompute_mult) (const EC_GROUP *group);-
145 /* internal functions */-
146 /*-
147 * 'field_mul', 'field_sqr', and 'field_div' can be used by 'add' and-
148 * 'dbl' so that the same implementations of point operations can be used-
149 * with different optimized implementations of expensive field-
150 * operations:-
151 */-
152 int (*field_mul) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
153 const BIGNUM *b, BN_CTX *);-
154 int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);-
155 int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
156 const BIGNUM *b, BN_CTX *);-
157 /* e.g. to Montgomery */-
158 int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
159 BN_CTX *);-
160 /* e.g. from Montgomery */-
161 int (*field_decode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
162 BN_CTX *);-
163 int (*field_set_to_one) (const EC_GROUP *, BIGNUM *r, BN_CTX *);-
164 /* private key operations */-
165 size_t (*priv2oct)(const EC_KEY *eckey, unsigned char *buf, size_t len);-
166 int (*oct2priv)(EC_KEY *eckey, const unsigned char *buf, size_t len);-
167 int (*set_private)(EC_KEY *eckey, const BIGNUM *priv_key);-
168 int (*keygen)(EC_KEY *eckey);-
169 int (*keycheck)(const EC_KEY *eckey);-
170 int (*keygenpub)(EC_KEY *eckey);-
171 int (*keycopy)(EC_KEY *dst, const EC_KEY *src);-
172 void (*keyfinish)(EC_KEY *eckey);-
173 /* custom ECDH operation */-
174 int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,-
175 const EC_POINT *pub_key, const EC_KEY *ecdh);-
176 /* Inverse modulo order */-
177 int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r,-
178 const BIGNUM *x, BN_CTX *);-
179 int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);-
180 int (*ladder_pre)(const EC_GROUP *group,-
181 EC_POINT *r, EC_POINT *s,-
182 EC_POINT *p, BN_CTX *ctx);-
183 int (*ladder_step)(const EC_GROUP *group,-
184 EC_POINT *r, EC_POINT *s,-
185 EC_POINT *p, BN_CTX *ctx);-
186 int (*ladder_post)(const EC_GROUP *group,-
187 EC_POINT *r, EC_POINT *s,-
188 EC_POINT *p, BN_CTX *ctx);-
189};-
190-
191/*-
192 * Types and functions to manipulate pre-computed values.-
193 */-
194typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP;-
195typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP;-
196typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP;-
197typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP;-
198typedef struct ec_pre_comp_st EC_PRE_COMP;-
199-
200struct ec_group_st {-
201 const EC_METHOD *meth;-
202 EC_POINT *generator; /* optional */-
203 BIGNUM *order, *cofactor;-
204 int curve_name; /* optional NID for named curve */-
205 int asn1_flag; /* flag to control the asn1 encoding */-
206 point_conversion_form_t asn1_form;-
207 unsigned char *seed; /* optional seed for parameters (appears in-
208 * ASN1) */-
209 size_t seed_len;-
210 /*-
211 * The following members are handled by the method functions, even if-
212 * they appear generic-
213 */-
214 /*-
215 * Field specification. For curves over GF(p), this is the modulus; for-
216 * curves over GF(2^m), this is the irreducible polynomial defining the-
217 * field.-
218 */-
219 BIGNUM *field;-
220 /*-
221 * Field specification for curves over GF(2^m). The irreducible f(t) is-
222 * then of the form: t^poly[0] + t^poly[1] + ... + t^poly[k] where m =-
223 * poly[0] > poly[1] > ... > poly[k] = 0. The array is terminated with-
224 * poly[k+1]=-1. All elliptic curve irreducibles have at most 5 non-zero-
225 * terms.-
226 */-
227 int poly[6];-
228 /*-
229 * Curve coefficients. (Here the assumption is that BIGNUMs can be used-
230 * or abused for all kinds of fields, not just GF(p).) For characteristic-
231 * > 3, the curve is defined by a Weierstrass equation of the form y^2 =-
232 * x^3 + a*x + b. For characteristic 2, the curve is defined by an-
233 * equation of the form y^2 + x*y = x^3 + a*x^2 + b.-
234 */-
235 BIGNUM *a, *b;-
236 /* enable optimized point arithmetics for special case */-
237 int a_is_minus3;-
238 /* method-specific (e.g., Montgomery structure) */-
239 void *field_data1;-
240 /* method-specific */-
241 void *field_data2;-
242 /* method-specific */-
243 int (*field_mod_func) (BIGNUM *, const BIGNUM *, const BIGNUM *,-
244 BN_CTX *);-
245 /* data for ECDSA inverse */-
246 BN_MONT_CTX *mont_data;-
247-
248 /*-
249 * Precomputed values for speed. The PCT_xxx names match the-
250 * pre_comp.xxx union names; see the SETPRECOMP and HAVEPRECOMP-
251 * macros, below.-
252 */-
253 enum {-
254 PCT_none,-
255 PCT_nistp224, PCT_nistp256, PCT_nistp521, PCT_nistz256,-
256 PCT_ec-
257 } pre_comp_type;-
258 union {-
259 NISTP224_PRE_COMP *nistp224;-
260 NISTP256_PRE_COMP *nistp256;-
261 NISTP521_PRE_COMP *nistp521;-
262 NISTZ256_PRE_COMP *nistz256;-
263 EC_PRE_COMP *ec;-
264 } pre_comp;-
265};-
266-
267#define SETPRECOMP(g, type, pre) \-
268 g->pre_comp_type = PCT_##type, g->pre_comp.type = pre-
269#define HAVEPRECOMP(g, type) \-
270 g->pre_comp_type == PCT_##type && g->pre_comp.type != NULL-
271-
272struct ec_key_st {-
273 const EC_KEY_METHOD *meth;-
274 ENGINE *engine;-
275 int version;-
276 EC_GROUP *group;-
277 EC_POINT *pub_key;-
278 BIGNUM *priv_key;-
279 unsigned int enc_flag;-
280 point_conversion_form_t conv_form;-
281 CRYPTO_REF_COUNT references;-
282 int flags;-
283 CRYPTO_EX_DATA ex_data;-
284 CRYPTO_RWLOCK *lock;-
285};-
286-
287struct ec_point_st {-
288 const EC_METHOD *meth;-
289 /* NID for the curve if known */-
290 int curve_name;-
291 /*-
292 * All members except 'meth' are handled by the method functions, even if-
293 * they appear generic-
294 */-
295 BIGNUM *X;-
296 BIGNUM *Y;-
297 BIGNUM *Z; /* Jacobian projective coordinates: * (X, Y,-
298 * Z) represents (X/Z^2, Y/Z^3) if Z != 0 */-
299 int Z_is_one; /* enable optimized point arithmetics for-
300 * special case */-
301};-
302-
303static ossl_inline int ec_point_is_compat(const EC_POINT *point,-
304 const EC_GROUP *group)-
305{-
306 if (group->meth != point->meth
group->meth != point->methDescription
TRUEnever evaluated
FALSEevaluated 1949088 times by 2 tests
Evaluated by:
  • libcrypto.so.1.1
  • sm2_internal_test
0-1949088
307 || (group->curve_name != 0
group->curve_name != 0Description
TRUEevaluated 1702404 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 246684 times by 2 tests
Evaluated by:
  • libcrypto.so.1.1
  • sm2_internal_test
246684-1702404
308 && point->curve_name != 0
point->curve_name != 0Description
TRUEevaluated 1702402 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 2 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
2-1702402
309 && group->curve_name != point->curve_name))
group->curve_n...nt->curve_nameDescription
TRUEnever evaluated
FALSEevaluated 1702402 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-1702402
310 return 0;
never executed: return 0;
0
311-
312 return 1;
executed 1949088 times by 2 tests: return 1;
Executed by:
  • libcrypto.so.1.1
  • sm2_internal_test
1949088
313}-
314-
315NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *);-
316NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *);-
317NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *);-
318NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *);-
319NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *);-
320EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_COMP *);-
321-
322void EC_pre_comp_free(EC_GROUP *group);-
323void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *);-
324void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *);-
325void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *);-
326void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *);-
327void EC_ec_pre_comp_free(EC_PRE_COMP *);-
328-
329/*-
330 * method functions in ec_mult.c (ec_lib.c uses these as defaults if-
331 * group->method->mul is 0)-
332 */-
333int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,-
334 size_t num, const EC_POINT *points[], const BIGNUM *scalars[],-
335 BN_CTX *);-
336int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *);-
337int ec_wNAF_have_precompute_mult(const EC_GROUP *group);-
338-
339/* method functions in ecp_smpl.c */-
340int ec_GFp_simple_group_init(EC_GROUP *);-
341void ec_GFp_simple_group_finish(EC_GROUP *);-
342void ec_GFp_simple_group_clear_finish(EC_GROUP *);-
343int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *);-
344int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p,-
345 const BIGNUM *a, const BIGNUM *b, BN_CTX *);-
346int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,-
347 BIGNUM *b, BN_CTX *);-
348int ec_GFp_simple_group_get_degree(const EC_GROUP *);-
349int ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);-
350int ec_GFp_simple_point_init(EC_POINT *);-
351void ec_GFp_simple_point_finish(EC_POINT *);-
352void ec_GFp_simple_point_clear_finish(EC_POINT *);-
353int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *);-
354int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);-
355int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *,-
356 EC_POINT *, const BIGNUM *x,-
357 const BIGNUM *y,-
358 const BIGNUM *z, BN_CTX *);-
359int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *,-
360 const EC_POINT *, BIGNUM *x,-
361 BIGNUM *y, BIGNUM *z,-
362 BN_CTX *);-
363int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,-
364 const BIGNUM *x,-
365 const BIGNUM *y, BN_CTX *);-
366int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *,-
367 const EC_POINT *, BIGNUM *x,-
368 BIGNUM *y, BN_CTX *);-
369int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,-
370 const BIGNUM *x, int y_bit,-
371 BN_CTX *);-
372size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *,-
373 point_conversion_form_t form,-
374 unsigned char *buf, size_t len, BN_CTX *);-
375int ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *,-
376 const unsigned char *buf, size_t len, BN_CTX *);-
377int ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,-
378 const EC_POINT *b, BN_CTX *);-
379int ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,-
380 BN_CTX *);-
381int ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);-
382int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);-
383int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);-
384int ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,-
385 BN_CTX *);-
386int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);-
387int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num,-
388 EC_POINT *[], BN_CTX *);-
389int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
390 const BIGNUM *b, BN_CTX *);-
391int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
392 BN_CTX *);-
393int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,-
394 BN_CTX *ctx);-
395int ec_GFp_simple_ladder_pre(const EC_GROUP *group,-
396 EC_POINT *r, EC_POINT *s,-
397 EC_POINT *p, BN_CTX *ctx);-
398int ec_GFp_simple_ladder_step(const EC_GROUP *group,-
399 EC_POINT *r, EC_POINT *s,-
400 EC_POINT *p, BN_CTX *ctx);-
401int ec_GFp_simple_ladder_post(const EC_GROUP *group,-
402 EC_POINT *r, EC_POINT *s,-
403 EC_POINT *p, BN_CTX *ctx);-
404-
405/* method functions in ecp_mont.c */-
406int ec_GFp_mont_group_init(EC_GROUP *);-
407int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,-
408 const BIGNUM *b, BN_CTX *);-
409void ec_GFp_mont_group_finish(EC_GROUP *);-
410void ec_GFp_mont_group_clear_finish(EC_GROUP *);-
411int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *);-
412int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
413 const BIGNUM *b, BN_CTX *);-
414int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
415 BN_CTX *);-
416int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
417 BN_CTX *);-
418int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
419 BN_CTX *);-
420int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *);-
421-
422/* method functions in ecp_nist.c */-
423int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);-
424int ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,-
425 const BIGNUM *b, BN_CTX *);-
426int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
427 const BIGNUM *b, BN_CTX *);-
428int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
429 BN_CTX *);-
430-
431/* method functions in ec2_smpl.c */-
432int ec_GF2m_simple_group_init(EC_GROUP *);-
433void ec_GF2m_simple_group_finish(EC_GROUP *);-
434void ec_GF2m_simple_group_clear_finish(EC_GROUP *);-
435int ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *);-
436int ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p,-
437 const BIGNUM *a, const BIGNUM *b,-
438 BN_CTX *);-
439int ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,-
440 BIGNUM *b, BN_CTX *);-
441int ec_GF2m_simple_group_get_degree(const EC_GROUP *);-
442int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);-
443int ec_GF2m_simple_point_init(EC_POINT *);-
444void ec_GF2m_simple_point_finish(EC_POINT *);-
445void ec_GF2m_simple_point_clear_finish(EC_POINT *);-
446int ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *);-
447int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);-
448int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,-
449 const BIGNUM *x,-
450 const BIGNUM *y, BN_CTX *);-
451int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *,-
452 const EC_POINT *, BIGNUM *x,-
453 BIGNUM *y, BN_CTX *);-
454int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,-
455 const BIGNUM *x, int y_bit,-
456 BN_CTX *);-
457size_t ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *,-
458 point_conversion_form_t form,-
459 unsigned char *buf, size_t len, BN_CTX *);-
460int ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *,-
461 const unsigned char *buf, size_t len, BN_CTX *);-
462int ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,-
463 const EC_POINT *b, BN_CTX *);-
464int ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,-
465 BN_CTX *);-
466int ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);-
467int ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);-
468int ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);-
469int ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,-
470 BN_CTX *);-
471int ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);-
472int ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num,-
473 EC_POINT *[], BN_CTX *);-
474int ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
475 const BIGNUM *b, BN_CTX *);-
476int ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
477 BN_CTX *);-
478int ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,-
479 const BIGNUM *b, BN_CTX *);-
480-
481#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128-
482/* method functions in ecp_nistp224.c */-
483int ec_GFp_nistp224_group_init(EC_GROUP *group);-
484int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p,-
485 const BIGNUM *a, const BIGNUM *n,-
486 BN_CTX *);-
487int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group,-
488 const EC_POINT *point,-
489 BIGNUM *x, BIGNUM *y,-
490 BN_CTX *ctx);-
491int ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r,-
492 const BIGNUM *scalar, size_t num,-
493 const EC_POINT *points[], const BIGNUM *scalars[],-
494 BN_CTX *);-
495int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,-
496 const BIGNUM *scalar, size_t num,-
497 const EC_POINT *points[],-
498 const BIGNUM *scalars[], BN_CTX *ctx);-
499int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx);-
500int ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group);-
501-
502/* method functions in ecp_nistp256.c */-
503int ec_GFp_nistp256_group_init(EC_GROUP *group);-
504int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p,-
505 const BIGNUM *a, const BIGNUM *n,-
506 BN_CTX *);-
507int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group,-
508 const EC_POINT *point,-
509 BIGNUM *x, BIGNUM *y,-
510 BN_CTX *ctx);-
511int ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r,-
512 const BIGNUM *scalar, size_t num,-
513 const EC_POINT *points[], const BIGNUM *scalars[],-
514 BN_CTX *);-
515int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,-
516 const BIGNUM *scalar, size_t num,-
517 const EC_POINT *points[],-
518 const BIGNUM *scalars[], BN_CTX *ctx);-
519int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx);-
520int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group);-
521-
522/* method functions in ecp_nistp521.c */-
523int ec_GFp_nistp521_group_init(EC_GROUP *group);-
524int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p,-
525 const BIGNUM *a, const BIGNUM *n,-
526 BN_CTX *);-
527int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group,-
528 const EC_POINT *point,-
529 BIGNUM *x, BIGNUM *y,-
530 BN_CTX *ctx);-
531int ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r,-
532 const BIGNUM *scalar, size_t num,-
533 const EC_POINT *points[], const BIGNUM *scalars[],-
534 BN_CTX *);-
535int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,-
536 const BIGNUM *scalar, size_t num,-
537 const EC_POINT *points[],-
538 const BIGNUM *scalars[], BN_CTX *ctx);-
539int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx);-
540int ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group);-
541-
542/* utility functions in ecp_nistputil.c */-
543void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,-
544 size_t felem_size,-
545 void *tmp_felems,-
546 void (*felem_one) (void *out),-
547 int (*felem_is_zero) (const void-
548 *in),-
549 void (*felem_assign) (void *out,-
550 const void-
551 *in),-
552 void (*felem_square) (void *out,-
553 const void-
554 *in),-
555 void (*felem_mul) (void *out,-
556 const void-
557 *in1,-
558 const void-
559 *in2),-
560 void (*felem_inv) (void *out,-
561 const void-
562 *in),-
563 void (*felem_contract) (void-
564 *out,-
565 const-
566 void-
567 *in));-
568void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign,-
569 unsigned char *digit, unsigned char in);-
570#endif-
571int ec_group_simple_order_bits(const EC_GROUP *group);-
572-
573#ifdef ECP_NISTZ256_ASM-
574/** Returns GFp methods using montgomery multiplication, with x86-64 optimized-
575 * P256. See http://eprint.iacr.org/2013/816.-
576 * \return EC_METHOD object-
577 */-
578const EC_METHOD *EC_GFp_nistz256_method(void);-
579#endif-
580-
581size_t ec_key_simple_priv2oct(const EC_KEY *eckey,-
582 unsigned char *buf, size_t len);-
583int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len);-
584int ec_key_simple_generate_key(EC_KEY *eckey);-
585int ec_key_simple_generate_public_key(EC_KEY *eckey);-
586int ec_key_simple_check_key(const EC_KEY *eckey);-
587-
588/* EC_METHOD definitions */-
589-
590struct ec_key_method_st {-
591 const char *name;-
592 int32_t flags;-
593 int (*init)(EC_KEY *key);-
594 void (*finish)(EC_KEY *key);-
595 int (*copy)(EC_KEY *dest, const EC_KEY *src);-
596 int (*set_group)(EC_KEY *key, const EC_GROUP *grp);-
597 int (*set_private)(EC_KEY *key, const BIGNUM *priv_key);-
598 int (*set_public)(EC_KEY *key, const EC_POINT *pub_key);-
599 int (*keygen)(EC_KEY *key);-
600 int (*compute_key)(unsigned char **pout, size_t *poutlen,-
601 const EC_POINT *pub_key, const EC_KEY *ecdh);-
602 int (*sign)(int type, const unsigned char *dgst, int dlen, unsigned char-
603 *sig, unsigned int *siglen, const BIGNUM *kinv,-
604 const BIGNUM *r, EC_KEY *eckey);-
605 int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,-
606 BIGNUM **rp);-
607 ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgst_len,-
608 const BIGNUM *in_kinv, const BIGNUM *in_r,-
609 EC_KEY *eckey);-
610-
611 int (*verify)(int type, const unsigned char *dgst, int dgst_len,-
612 const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);-
613 int (*verify_sig)(const unsigned char *dgst, int dgst_len,-
614 const ECDSA_SIG *sig, EC_KEY *eckey);-
615};-
616-
617#define EC_KEY_METHOD_DYNAMIC 1-
618-
619int ossl_ec_key_gen(EC_KEY *eckey);-
620int ossl_ecdh_compute_key(unsigned char **pout, size_t *poutlen,-
621 const EC_POINT *pub_key, const EC_KEY *ecdh);-
622int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,-
623 const EC_POINT *pub_key, const EC_KEY *ecdh);-
624-
625struct ECDSA_SIG_st {-
626 BIGNUM *r;-
627 BIGNUM *s;-
628};-
629-
630int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,-
631 BIGNUM **rp);-
632int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,-
633 unsigned char *sig, unsigned int *siglen,-
634 const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey);-
635ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,-
636 const BIGNUM *in_kinv, const BIGNUM *in_r,-
637 EC_KEY *eckey);-
638int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,-
639 const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);-
640int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,-
641 const ECDSA_SIG *sig, EC_KEY *eckey);-
642-
643int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,-
644 const uint8_t public_key[32], const uint8_t private_key[32]);-
645int ED25519_verify(const uint8_t *message, size_t message_len,-
646 const uint8_t signature[64], const uint8_t public_key[32]);-
647void ED25519_public_from_private(uint8_t out_public_key[32],-
648 const uint8_t private_key[32]);-
649-
650int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],-
651 const uint8_t peer_public_value[32]);-
652void X25519_public_from_private(uint8_t out_public_value[32],-
653 const uint8_t private_key[32]);-
654-
655/*--
656 * This functions computes a single point multiplication over the EC group,-
657 * using, at a high level, a Montgomery ladder with conditional swaps, with-
658 * various timing attack defenses.-
659 *-
660 * It performs either a fixed point multiplication-
661 * (scalar * generator)-
662 * when point is NULL, or a variable point multiplication-
663 * (scalar * point)-
664 * when point is not NULL.-
665 *-
666 * `scalar` cannot be NULL and should be in the range [0,n) otherwise all-
667 * constant time bets are off (where n is the cardinality of the EC group).-
668 *-
669 * This function expects `group->order` and `group->cardinality` to be well-
670 * defined and non-zero: it fails with an error code otherwise.-
671 *-
672 * NB: This says nothing about the constant-timeness of the ladder step-
673 * implementation (i.e., the default implementation is based on EC_POINT_add and-
674 * EC_POINT_dbl, which of course are not constant time themselves) or the-
675 * underlying multiprecision arithmetic.-
676 *-
677 * The product is stored in `r`.-
678 *-
679 * This is an internal function: callers are in charge of ensuring that the-
680 * input parameters `group`, `r`, `scalar` and `ctx` are not NULL.-
681 *-
682 * Returns 1 on success, 0 otherwise.-
683 */-
684int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,-
685 const BIGNUM *scalar, const EC_POINT *point,-
686 BN_CTX *ctx);-
687-
688int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);-
689-
690static ossl_inline int ec_point_ladder_pre(const EC_GROUP *group,-
691 EC_POINT *r, EC_POINT *s,-
692 EC_POINT *p, BN_CTX *ctx)-
693{-
694 if (group->meth->ladder_pre != NULL)
group->meth->l...!= ((void *)0)Description
TRUEevaluated 4130 times by 2 tests
Evaluated by:
  • libcrypto.so.1.1
  • sm2_internal_test
FALSEnever evaluated
0-4130
695 return group->meth->ladder_pre(group, r, s, p, ctx);
executed 4130 times by 2 tests: return group->meth->ladder_pre(group, r, s, p, ctx);
Executed by:
  • libcrypto.so.1.1
  • sm2_internal_test
4130
696-
697 if (!EC_POINT_copy(s, p)
!EC_POINT_copy(s, p)Description
TRUEnever evaluated
FALSEnever evaluated
0
698 || !EC_POINT_dbl(group, r, s, ctx))
!EC_POINT_dbl(...up, r, s, ctx)Description
TRUEnever evaluated
FALSEnever evaluated
0
699 return 0;
never executed: return 0;
0
700-
701 return 1;
never executed: return 1;
0
702}-
703-
704static ossl_inline int ec_point_ladder_step(const EC_GROUP *group,-
705 EC_POINT *r, EC_POINT *s,-
706 EC_POINT *p, BN_CTX *ctx)-
707{-
708 if (group->meth->ladder_step != NULL)
group->meth->l...!= ((void *)0)Description
TRUEevaluated 1193659 times by 2 tests
Evaluated by:
  • libcrypto.so.1.1
  • sm2_internal_test
FALSEnever evaluated
0-1193659
709 return group->meth->ladder_step(group, r, s, p, ctx);
executed 1193659 times by 2 tests: return group->meth->ladder_step(group, r, s, p, ctx);
Executed by:
  • libcrypto.so.1.1
  • sm2_internal_test
1193659
710-
711 if (!EC_POINT_add(group, s, r, s, ctx)
!EC_POINT_add(... s, r, s, ctx)Description
TRUEnever evaluated
FALSEnever evaluated
0
712 || !EC_POINT_dbl(group, r, r, ctx))
!EC_POINT_dbl(...up, r, r, ctx)Description
TRUEnever evaluated
FALSEnever evaluated
0
713 return 0;
never executed: return 0;
0
714-
715 return 1;
never executed: return 1;
0
716-
717}-
718-
719static ossl_inline int ec_point_ladder_post(const EC_GROUP *group,-
720 EC_POINT *r, EC_POINT *s,-
721 EC_POINT *p, BN_CTX *ctx)-
722{-
723 if (group->meth->ladder_post != NULL)
group->meth->l...!= ((void *)0)Description
TRUEevaluated 4130 times by 2 tests
Evaluated by:
  • libcrypto.so.1.1
  • sm2_internal_test
FALSEnever evaluated
0-4130
724 return group->meth->ladder_post(group, r, s, p, ctx);
executed 4130 times by 2 tests: return group->meth->ladder_post(group, r, s, p, ctx);
Executed by:
  • libcrypto.so.1.1
  • sm2_internal_test
4130
725-
726 return 1;
never executed: return 1;
0
727}-
Source codeSwitch to Preprocessed file
Generated by Squish Coco 4.2.2