diff options
| author | BoringSSL Robot <178796648329-compute@developer.gserviceaccount.com> | 2023-07-12 23:08:47 +0000 |
|---|---|---|
| committer | BoringSSL Robot <178796648329-compute@developer.gserviceaccount.com> | 2023-07-12 23:08:47 +0000 |
| commit | b69f4d27a75dcf4b94138790883b44274fab56c2 (patch) | |
| tree | 4d610e92d2bd2c23687a2768f2abd62bc0b0d6f4 /src/crypto/fipsmodule/ec | |
| parent | 4a2b00ebed57781bf47516a80d86daea9fe25003 (diff) | |
| parent | dd5219451c3ce26221762a15d867edf43b463bb2 (diff) | |
| download | boringssl-b69f4d27a75dcf4b94138790883b44274fab56c2.zip boringssl-b69f4d27a75dcf4b94138790883b44274fab56c2.tar.gz boringssl-b69f4d27a75dcf4b94138790883b44274fab56c2.tar.bz2 | |
update chromium-stable-with-bazel from chromium-stable branch
Diffstat (limited to 'src/crypto/fipsmodule/ec')
| -rw-r--r-- | src/crypto/fipsmodule/ec/asm/p256-armv8-asm.pl | 72 | ||||
| -rwxr-xr-x | src/crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl | 2 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/ec.c | 48 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/ec_key.c | 7 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/ec_montgomery.c | 14 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/ec_test.cc | 7 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/internal.h | 148 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/make_tables.go | 2 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/oct.c | 3 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/p224-64.c | 22 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/p256-nistz.c | 24 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/p256-nistz_test.cc | 13 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/p256.c | 29 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/p256_table.h | 2 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/simple.c | 20 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/simple_mul.c | 46 | ||||
| -rw-r--r-- | src/crypto/fipsmodule/ec/wnaf.c | 26 |
17 files changed, 259 insertions, 226 deletions
diff --git a/src/crypto/fipsmodule/ec/asm/p256-armv8-asm.pl b/src/crypto/fipsmodule/ec/asm/p256-armv8-asm.pl index d4e3a7c..95dc4c8 100644 --- a/src/crypto/fipsmodule/ec/asm/p256-armv8-asm.pl +++ b/src/crypto/fipsmodule/ec/asm/p256-armv8-asm.pl @@ -56,7 +56,7 @@ my ($acc6,$acc7)=($ap,$bp); # used in __ecp_nistz256_sqr_mont $code.=<<___; #include "openssl/arm_arch.h" -.text +.section .rodata .align 5 .Lpoly: .quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001 @@ -71,6 +71,7 @@ $code.=<<___; .LordK: .quad 0xccd1c8aaee00bc4f .asciz "ECP_NISTZ256 for ARMv8, CRYPTOGAMS by <appro\@openssl.org>" +.text // void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4], // const BN_ULONG x2[4]); @@ -86,8 +87,10 @@ ecp_nistz256_mul_mont: ldr $bi,[$bp] // bp[0] ldp $a0,$a1,[$ap] ldp $a2,$a3,[$ap,#16] - ldr $poly1,.Lpoly+8 - ldr $poly3,.Lpoly+24 + adrp $poly3,:pg_hi21:.Lpoly + add $poly3,$poly3,:lo12:.Lpoly + ldr $poly1,[$poly3,#8] + ldr $poly3,[$poly3,#24] bl __ecp_nistz256_mul_mont @@ -109,8 +112,10 @@ ecp_nistz256_sqr_mont: ldp $a0,$a1,[$ap] ldp $a2,$a3,[$ap,#16] - ldr $poly1,.Lpoly+8 - ldr $poly3,.Lpoly+24 + adrp $poly3,:pg_hi21:.Lpoly + add $poly3,$poly3,:lo12:.Lpoly + ldr $poly1,[$poly3,#8] + ldr $poly3,[$poly3,#24] bl __ecp_nistz256_sqr_mont @@ -131,8 +136,10 @@ ecp_nistz256_div_by_2: ldp $acc0,$acc1,[$ap] ldp $acc2,$acc3,[$ap,#16] - ldr $poly1,.Lpoly+8 - ldr $poly3,.Lpoly+24 + adrp $poly3,:pg_hi21:.Lpoly + add $poly3,$poly3,:lo12:.Lpoly + ldr $poly1,[$poly3,#8] + ldr $poly3,[$poly3,#24] bl __ecp_nistz256_div_by_2 @@ -152,8 +159,10 @@ ecp_nistz256_mul_by_2: ldp $acc0,$acc1,[$ap] ldp $acc2,$acc3,[$ap,#16] - ldr $poly1,.Lpoly+8 - ldr $poly3,.Lpoly+24 + adrp $poly3,:pg_hi21:.Lpoly + add $poly3,$poly3,:lo12:.Lpoly + ldr $poly1,[$poly3,#8] + ldr $poly3,[$poly3,#24] mov $t0,$acc0 mov $t1,$acc1 mov $t2,$acc2 @@ -177,8 +186,10 @@ ecp_nistz256_mul_by_3: ldp $acc0,$acc1,[$ap] ldp $acc2,$acc3,[$ap,#16] - ldr $poly1,.Lpoly+8 - ldr $poly3,.Lpoly+24 + adrp $poly3,:pg_hi21:.Lpoly + add $poly3,$poly3,:lo12:.Lpoly + ldr $poly1,[$poly3,#8] + ldr $poly3,[$poly3,#24] mov $t0,$acc0 mov $t1,$acc1 mov $t2,$acc2 @@ -214,8 +225,10 @@ ecp_nistz256_sub: ldp $acc0,$acc1,[$ap] ldp $acc2,$acc3,[$ap,#16] - ldr $poly1,.Lpoly+8 - ldr $poly3,.Lpoly+24 + adrp $poly3,:pg_hi21:.Lpoly + add $poly3,$poly3,:lo12:.Lpoly + ldr $poly1,[$poly3,#8] + ldr $poly3,[$poly3,#24] bl __ecp_nistz256_sub_from @@ -238,8 +251,10 @@ ecp_nistz256_neg: mov $acc1,xzr mov $acc2,xzr mov $acc3,xzr - ldr $poly1,.Lpoly+8 - ldr $poly3,.Lpoly+24 + adrp $poly3,:pg_hi21:.Lpoly + add $poly3,$poly3,:lo12:.Lpoly + ldr $poly1,[$poly3,#8] + ldr $poly3,[$poly3,#24] bl __ecp_nistz256_sub_from @@ -617,9 +632,11 @@ ecp_nistz256_point_double: mov $rp_real,$rp ldp $acc2,$acc3,[$ap,#48] mov $ap_real,$ap - ldr $poly1,.Lpoly+8 + adrp $poly3,:pg_hi21:.Lpoly + add $poly3,$poly3,:lo12:.Lpoly + ldr $poly1,[$poly3,#8] mov $t0,$acc0 - ldr $poly3,.Lpoly+24 + ldr $poly3,[$poly3,#24] mov $t1,$acc1 ldp $a0,$a1,[$ap_real,#64] // forward load for p256_sqr_mont mov $t2,$acc2 @@ -778,8 +795,10 @@ ecp_nistz256_point_add: mov $rp_real,$rp mov $ap_real,$ap mov $bp_real,$bp - ldr $poly1,.Lpoly+8 - ldr $poly3,.Lpoly+24 + adrp $poly3,:pg_hi21:.Lpoly + add $poly3,$poly3,:lo12:.Lpoly + ldr $poly1,[$poly3,#8] + ldr $poly3,[$poly3,#24] orr $t0,$a0,$a1 orr $t2,$a2,$a3 orr $in2infty,$t0,$t2 @@ -1032,8 +1051,10 @@ ecp_nistz256_point_add_affine: mov $rp_real,$rp mov $ap_real,$ap mov $bp_real,$bp - ldr $poly1,.Lpoly+8 - ldr $poly3,.Lpoly+24 + adrp $poly3,:pg_hi21:.Lpoly + add $poly3,$poly3,:lo12:.Lpoly + ldr $poly1,[$poly3,#8] + ldr $poly3,[$poly3,#24] ldp $a0,$a1,[$ap,#64] // in1_z ldp $a2,$a3,[$ap,#64+16] @@ -1184,7 +1205,8 @@ $code.=<<___; stp $acc2,$acc3,[$rp_real,#$i+16] ___ $code.=<<___ if ($i == 0); - adr $bp_real,.Lone_mont-64 + adrp $bp_real,:pg_hi21:.Lone_mont-64 + add $bp_real,$bp_real,:lo12:.Lone_mont-64 ___ } $code.=<<___; @@ -1235,7 +1257,8 @@ ecp_nistz256_ord_mul_mont: stp x21,x22,[sp,#32] stp x23,x24,[sp,#48] - adr $ordk,.Lord + adrp $ordk,:pg_hi21:.Lord + add $ordk,$ordk,:lo12:.Lord ldr $bi,[$bp] // bp[0] ldp $a0,$a1,[$ap] ldp $a2,$a3,[$ap,#16] @@ -1378,7 +1401,8 @@ ecp_nistz256_ord_sqr_mont: stp x21,x22,[sp,#32] stp x23,x24,[sp,#48] - adr $ordk,.Lord + adrp $ordk,:pg_hi21:.Lord + add $ordk,$ordk,:lo12:.Lord ldp $a0,$a1,[$ap] ldp $a2,$a3,[$ap,#16] diff --git a/src/crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl b/src/crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl index c75d784..0701996 100755 --- a/src/crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl +++ b/src/crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl @@ -62,6 +62,7 @@ $code.=<<___; .extern OPENSSL_ia32cap_P # The polynomial +.section .rodata .align 64 .Lpoly: .quad 0xffffffffffffffff, 0x00000000ffffffff, 0x0000000000000000, 0xffffffff00000001 @@ -80,6 +81,7 @@ $code.=<<___; .quad 0xf3b9cac2fc632551, 0xbce6faada7179e84, 0xffffffffffffffff, 0xffffffff00000000 .LordK: .quad 0xccd1c8aaee00bc4f +.text ___ { diff --git a/src/crypto/fipsmodule/ec/ec.c b/src/crypto/fipsmodule/ec/ec.c index 61ecc1f..2195d06 100644 --- a/src/crypto/fipsmodule/ec/ec.c +++ b/src/crypto/fipsmodule/ec/ec.c @@ -801,7 +801,7 @@ int EC_POINT_get_affine_coordinates(const EC_GROUP *group, return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx); } -void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out, +void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out, const EC_AFFINE *p) { out->X = p->X; out->Y = p->Y; @@ -809,12 +809,12 @@ void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out, } int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, - const EC_RAW_POINT *p) { + const EC_JACOBIAN *p) { return group->meth->point_get_affine_coordinates(group, p, &out->X, &out->Y); } int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out, - const EC_RAW_POINT *in, size_t num) { + const EC_JACOBIAN *in, size_t num) { if (group->meth->jacobian_to_affine_batch == NULL) { OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; @@ -990,13 +990,13 @@ int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r, if (p_scalar != NULL) { EC_SCALAR scalar; - EC_RAW_POINT tmp; + EC_JACOBIAN tmp; if (!arbitrary_bignum_to_scalar(group, &scalar, p_scalar, ctx) || !ec_point_mul_scalar(group, &tmp, &p->raw, &scalar)) { goto err; } if (g_scalar == NULL) { - OPENSSL_memcpy(&r->raw, &tmp, sizeof(EC_RAW_POINT)); + OPENSSL_memcpy(&r->raw, &tmp, sizeof(EC_JACOBIAN)); } else { group->meth->add(group, &r->raw, &r->raw, &tmp); } @@ -1016,8 +1016,8 @@ int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, return ec_point_mul_no_self_test(group, r, g_scalar, p, p_scalar, ctx); } -int ec_point_mul_scalar_public(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_SCALAR *g_scalar, const EC_RAW_POINT *p, +int ec_point_mul_scalar_public(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_SCALAR *g_scalar, const EC_JACOBIAN *p, const EC_SCALAR *p_scalar) { if (g_scalar == NULL || p_scalar == NULL || p == NULL) { OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); @@ -1032,9 +1032,9 @@ int ec_point_mul_scalar_public(const EC_GROUP *group, EC_RAW_POINT *r, return 1; } -int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_RAW_POINT *r, +int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *g_scalar, - const EC_RAW_POINT *points, + const EC_JACOBIAN *points, const EC_SCALAR *scalars, size_t num) { if (group->meth->mul_public_batch == NULL) { OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); @@ -1045,8 +1045,8 @@ int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_RAW_POINT *r, num); } -int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *p, const EC_SCALAR *scalar) { +int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p, const EC_SCALAR *scalar) { if (p == NULL || scalar == NULL) { OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); return 0; @@ -1064,7 +1064,7 @@ int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r, return 1; } -int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r, +int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *scalar) { if (scalar == NULL) { OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); @@ -1083,10 +1083,10 @@ int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r, return 1; } -int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *p0, const EC_SCALAR *scalar0, - const EC_RAW_POINT *p1, const EC_SCALAR *scalar1, - const EC_RAW_POINT *p2, +int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p0, const EC_SCALAR *scalar0, + const EC_JACOBIAN *p1, const EC_SCALAR *scalar1, + const EC_JACOBIAN *p2, const EC_SCALAR *scalar2) { if (group->meth->mul_batch == NULL) { OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); @@ -1106,7 +1106,7 @@ int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_RAW_POINT *r, } int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, - const EC_RAW_POINT *p) { + const EC_JACOBIAN *p) { if (group->meth->init_precomp == NULL) { OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; @@ -1115,7 +1115,7 @@ int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, return group->meth->init_precomp(group, out, p); } -int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r, +int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r, const EC_PRECOMP *p0, const EC_SCALAR *scalar0, const EC_PRECOMP *p1, const EC_SCALAR *scalar1, const EC_PRECOMP *p2, @@ -1137,8 +1137,8 @@ int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r, return 1; } -void ec_point_select(const EC_GROUP *group, EC_RAW_POINT *out, BN_ULONG mask, - const EC_RAW_POINT *a, const EC_RAW_POINT *b) { +void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask, + const EC_JACOBIAN *a, const EC_JACOBIAN *b) { ec_felem_select(group, &out->X, mask, &a->X, &b->X); ec_felem_select(group, &out->Y, mask, &a->Y, &b->Y); ec_felem_select(group, &out->Z, mask, &a->Z, &b->Z); @@ -1159,13 +1159,13 @@ void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask, } } -int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p, +int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, const EC_SCALAR *r) { return group->meth->cmp_x_coordinate(group, p, r); } int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, - const EC_RAW_POINT *p) { + const EC_JACOBIAN *p) { uint8_t bytes[EC_MAX_BYTES]; size_t len; if (!ec_get_x_coordinate_as_bytes(group, bytes, &len, sizeof(bytes), p)) { @@ -1201,7 +1201,7 @@ int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len, size_t max_out, - const EC_RAW_POINT *p) { + const EC_JACOBIAN *p) { size_t len = BN_num_bytes(&group->field); assert(len <= EC_MAX_BYTES); if (max_out < len) { @@ -1219,7 +1219,7 @@ int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out, return 1; } -void ec_set_to_safe_point(const EC_GROUP *group, EC_RAW_POINT *out) { +void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out) { if (group->generator != NULL) { ec_GFp_simple_point_copy(out, &group->generator->raw); } else { diff --git a/src/crypto/fipsmodule/ec/ec_key.c b/src/crypto/fipsmodule/ec/ec_key.c index f391a61..84a29ab 100644 --- a/src/crypto/fipsmodule/ec/ec_key.c +++ b/src/crypto/fipsmodule/ec/ec_key.c @@ -244,8 +244,9 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) { if (scalar == NULL) { return 0; } - if (!ec_bignum_to_scalar(key->group, &scalar->scalar, priv_key)) { - OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER); + if (!ec_bignum_to_scalar(key->group, &scalar->scalar, priv_key) || + ec_scalar_is_zero(key->group, &scalar->scalar)) { + OPENSSL_PUT_ERROR(EC, EC_R_INVALID_PRIVATE_KEY); ec_wrapped_scalar_free(scalar); return 0; } @@ -310,7 +311,7 @@ int EC_KEY_check_key(const EC_KEY *eckey) { // NOTE: this is a FIPS pair-wise consistency check for the ECDH case. See SP // 800-56Ar3, page 36. if (eckey->priv_key != NULL) { - EC_RAW_POINT point; + EC_JACOBIAN point; if (!ec_point_mul_scalar_base(eckey->group, &point, &eckey->priv_key->scalar)) { OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); diff --git a/src/crypto/fipsmodule/ec/ec_montgomery.c b/src/crypto/fipsmodule/ec/ec_montgomery.c index f458df9..eeaee64 100644 --- a/src/crypto/fipsmodule/ec/ec_montgomery.c +++ b/src/crypto/fipsmodule/ec/ec_montgomery.c @@ -175,7 +175,7 @@ void ec_GFp_mont_felem_exp(const EC_GROUP *group, EC_FELEM *out, } static int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group, - const EC_RAW_POINT *point, + const EC_JACOBIAN *point, EC_FELEM *x, EC_FELEM *y) { if (ec_GFp_simple_is_at_infinity(group, point)) { OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY); @@ -202,7 +202,7 @@ static int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group, static int ec_GFp_mont_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out, - const EC_RAW_POINT *in, + const EC_JACOBIAN *in, size_t num) { if (num == 0) { return 1; @@ -246,8 +246,8 @@ static int ec_GFp_mont_jacobian_to_affine_batch(const EC_GROUP *group, return 1; } -void ec_GFp_mont_add(const EC_GROUP *group, EC_RAW_POINT *out, - const EC_RAW_POINT *a, const EC_RAW_POINT *b) { +void ec_GFp_mont_add(const EC_GROUP *group, EC_JACOBIAN *out, + const EC_JACOBIAN *a, const EC_JACOBIAN *b) { if (a == b) { ec_GFp_mont_dbl(group, out, a); return; @@ -357,8 +357,8 @@ void ec_GFp_mont_add(const EC_GROUP *group, EC_RAW_POINT *out, ec_felem_select(group, &out->Z, z2nz, &z_out, &a->Z); } -void ec_GFp_mont_dbl(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *a) { +void ec_GFp_mont_dbl(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *a) { if (group->a_is_minus3) { // The method is taken from: // http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b @@ -453,7 +453,7 @@ void ec_GFp_mont_dbl(const EC_GROUP *group, EC_RAW_POINT *r, } static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group, - const EC_RAW_POINT *p, + const EC_JACOBIAN *p, const EC_SCALAR *r) { if (!group->field_greater_than_order || group->field.width != group->order.width) { diff --git a/src/crypto/fipsmodule/ec/ec_test.cc b/src/crypto/fipsmodule/ec/ec_test.cc index 571ea58..a40dd16 100644 --- a/src/crypto/fipsmodule/ec/ec_test.cc +++ b/src/crypto/fipsmodule/ec/ec_test.cc @@ -856,6 +856,11 @@ TEST_P(ECCurveTest, SetInvalidPrivateKey) { EXPECT_FALSE(EC_KEY_set_private_key(key.get(), bn.get())) << "Unexpectedly set a key of the group order."; ERR_clear_error(); + + BN_zero(bn.get()); + EXPECT_FALSE(EC_KEY_set_private_key(key.get(), bn.get())) + << "Unexpectedly set a key of 0"; + ERR_clear_error(); } TEST_P(ECCurveTest, IgnoreOct2PointReturnValue) { @@ -1338,7 +1343,7 @@ TEST(ECTest, HashToCurve) { ASSERT_TRUE(p224); bssl::UniquePtr<EC_GROUP> p384(EC_GROUP_new_by_curve_name(NID_secp384r1)); ASSERT_TRUE(p384); - EC_RAW_POINT raw; + EC_JACOBIAN raw; bssl::UniquePtr<EC_POINT> p_p384(EC_POINT_new(p384.get())); ASSERT_TRUE(p_p384); bssl::UniquePtr<EC_POINT> p_p224(EC_POINT_new(p224.get())); diff --git a/src/crypto/fipsmodule/ec/internal.h b/src/crypto/fipsmodule/ec/internal.h index 846431f..8532026 100644 --- a/src/crypto/fipsmodule/ec/internal.h +++ b/src/crypto/fipsmodule/ec/internal.h @@ -91,6 +91,8 @@ extern "C" { // be the largest fields anyone plausibly uses. #define EC_MAX_BYTES 66 #define EC_MAX_WORDS ((EC_MAX_BYTES + BN_BYTES - 1) / BN_BYTES) +#define EC_MAX_COMPRESSED (EC_MAX_BYTES + 1) +#define EC_MAX_UNCOMPRESSED (2 * EC_MAX_BYTES + 1) static_assert(EC_MAX_WORDS <= BN_SMALL_MAX_WORDS, "bn_*_small functions not usable"); @@ -119,8 +121,8 @@ OPENSSL_EXPORT void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, // ec_scalar_from_bytes deserializes |in| and stores the resulting scalar over // group |group| to |out|. It returns one on success and zero if |in| is // invalid. -int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out, - const uint8_t *in, size_t len); +OPENSSL_EXPORT int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out, + const uint8_t *in, size_t len); // ec_scalar_reduce sets |out| to |words|, reduced modulo the group order. // |words| must be less than order^2. |num| must be at most twice the width of @@ -241,16 +243,14 @@ int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a, const EC_FELEM *b); // Points. // // Points may represented in affine coordinates as |EC_AFFINE| or Jacobian -// coordinates as |EC_RAW_POINT|. Affine coordinates directly represent a +// coordinates as |EC_JACOBIAN|. Affine coordinates directly represent a // point on the curve, but point addition over affine coordinates requires // costly field inversions, so arithmetic is done in Jacobian coordinates. // Converting from affine to Jacobian is cheap, while converting from Jacobian // to affine costs a field inversion. (Jacobian coordinates amortize the field // inversions needed in a sequence of point operations.) -// -// TODO(davidben): Rename |EC_RAW_POINT| to |EC_JACOBIAN|. -// An EC_RAW_POINT represents an elliptic curve point in Jacobian coordinates. +// An EC_JACOBIAN represents an elliptic curve point in Jacobian coordinates. // Unlike |EC_POINT|, it is a plain struct which can be stack-allocated and // needs no cleanup. It is specific to an |EC_GROUP| and must not be mixed // between groups. @@ -258,7 +258,7 @@ typedef struct { // X, Y, and Z are Jacobian projective coordinates. They represent // (X/Z^2, Y/Z^3) if Z != 0 and the point at infinity otherwise. EC_FELEM X, Y, Z; -} EC_RAW_POINT; +} EC_JACOBIAN; // An EC_AFFINE represents an elliptic curve point in affine coordinates. // coordinates. Note the point at infinity cannot be represented in affine @@ -269,7 +269,7 @@ typedef struct { // ec_affine_to_jacobian converts |p| to Jacobian form and writes the result to // |*out|. This operation is very cheap and only costs a few copies. -void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out, +void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out, const EC_AFFINE *p); // ec_jacobian_to_affine converts |p| to affine form and writes the result to @@ -279,8 +279,8 @@ void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out, // // If only extracting the x-coordinate, use |ec_get_x_coordinate_*| which is // slightly faster. -int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, - const EC_RAW_POINT *p); +OPENSSL_EXPORT int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, + const EC_JACOBIAN *p); // ec_jacobian_to_affine_batch converts |num| points in |in| from Jacobian // coordinates to affine coordinates and writes the results to |out|. It returns @@ -289,7 +289,7 @@ int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, // This function is not implemented for all curves. Add implementations as // needed. int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out, - const EC_RAW_POINT *in, size_t num); + const EC_JACOBIAN *in, size_t num); // ec_point_set_affine_coordinates sets |out|'s to a point with affine // coordinates |x| and |y|. It returns one if the point is on the curve and @@ -307,12 +307,12 @@ int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r, // ec_point_mul_scalar sets |r| to |p| * |scalar|. Both inputs are considered // secret. -int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *p, const EC_SCALAR *scalar); +int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p, const EC_SCALAR *scalar); // ec_point_mul_scalar_base sets |r| to generator * |scalar|. |scalar| is // treated as secret. -int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r, +int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *scalar); // ec_point_mul_scalar_batch sets |r| to |p0| * |scalar0| + |p1| * |scalar1| + @@ -333,10 +333,10 @@ int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r, // none. If generalizing to tuned curves, this may be useful. However, we still // must double up to the least efficient input, so precomputed tables can only // save table setup and allow a wider window size. -int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *p0, const EC_SCALAR *scalar0, - const EC_RAW_POINT *p1, const EC_SCALAR *scalar1, - const EC_RAW_POINT *p2, const EC_SCALAR *scalar2); +int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p0, const EC_SCALAR *scalar0, + const EC_JACOBIAN *p1, const EC_SCALAR *scalar1, + const EC_JACOBIAN *p2, const EC_SCALAR *scalar2); #define EC_MONT_PRECOMP_COMB_SIZE 5 @@ -355,7 +355,7 @@ typedef union { // This function is not implemented for all curves. Add implementations as // needed. int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, - const EC_RAW_POINT *p); + const EC_JACOBIAN *p); // ec_point_mul_scalar_precomp sets |r| to |p0| * |scalar0| + |p1| * |scalar1| + // |p2| * |scalar2|. |p1| or |p2| may be NULL to skip the corresponding term. @@ -379,7 +379,7 @@ int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, // none. If generalizing to tuned curves, we should add a parameter for the base // point and arrange for the generic implementation to have base point tables // available. -int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r, +int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r, const EC_PRECOMP *p0, const EC_SCALAR *scalar0, const EC_PRECOMP *p1, const EC_SCALAR *scalar1, const EC_PRECOMP *p2, const EC_SCALAR *scalar2); @@ -388,9 +388,9 @@ int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r, // generator * |g_scalar| + |p| * |p_scalar|. It assumes that the inputs are // public so there is no concern about leaking their values through timing. OPENSSL_EXPORT int ec_point_mul_scalar_public(const EC_GROUP *group, - EC_RAW_POINT *r, + EC_JACOBIAN *r, const EC_SCALAR *g_scalar, - const EC_RAW_POINT *p, + const EC_JACOBIAN *p, const EC_SCALAR *p_scalar); // ec_point_mul_scalar_public_batch sets |r| to the sum of generator * @@ -401,15 +401,15 @@ OPENSSL_EXPORT int ec_point_mul_scalar_public(const EC_GROUP *group, // // This function is not implemented for all curves. Add implementations as // needed. -int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_RAW_POINT *r, +int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *g_scalar, - const EC_RAW_POINT *points, + const EC_JACOBIAN *points, const EC_SCALAR *scalars, size_t num); // ec_point_select, in constant time, sets |out| to |a| if |mask| is all ones // and |b| if |mask| is all zeros. -void ec_point_select(const EC_GROUP *group, EC_RAW_POINT *out, BN_ULONG mask, - const EC_RAW_POINT *a, const EC_RAW_POINT *b); +void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask, + const EC_JACOBIAN *a, const EC_JACOBIAN *b); // ec_affine_select behaves like |ec_point_select| but acts on affine points. void ec_affine_select(const EC_GROUP *group, EC_AFFINE *out, BN_ULONG mask, @@ -422,14 +422,14 @@ void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask, // ec_cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group // order, with |r|. It returns one if the values match and zero if |p| is the // point at infinity of the values do not match. -int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p, +int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, const EC_SCALAR *r); // ec_get_x_coordinate_as_scalar sets |*out| to |p|'s x-coordinate, modulo // |group->order|. It returns one on success and zero if |p| is the point at // infinity. int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, - const EC_RAW_POINT *p); + const EC_JACOBIAN *p); // ec_get_x_coordinate_as_bytes writes |p|'s affine x-coordinate to |out|, which // must have at must |max_out| bytes. It sets |*out_len| to the number of bytes @@ -437,7 +437,7 @@ int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, // field. This function returns one on success and zero on failure. int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len, size_t max_out, - const EC_RAW_POINT *p); + const EC_JACOBIAN *p); // ec_point_byte_len returns the number of bytes in the byte representation of // a non-infinity point in |group|, encoded according to |form|, or zero if @@ -461,12 +461,12 @@ int ec_point_from_uncompressed(const EC_GROUP *group, EC_AFFINE *out, // ec_set_to_safe_point sets |out| to an arbitrary point on |group|, either the // generator or the point at infinity. This is used to guard against callers of // external APIs not checking the return value. -void ec_set_to_safe_point(const EC_GROUP *group, EC_RAW_POINT *out); +void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out); // ec_affine_jacobian_equal returns one if |a| and |b| represent the same point // and zero otherwise. It treats both inputs as secret. int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a, - const EC_RAW_POINT *b); + const EC_JACOBIAN *b); // Implementation details. @@ -480,48 +480,48 @@ struct ec_method_st { // point_get_affine_coordinates sets |*x| and |*y| to the affine coordinates // of |p|. Either |x| or |y| may be NULL to omit it. It returns one on success // and zero if |p| is the point at infinity. - int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_RAW_POINT *p, + int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_JACOBIAN *p, EC_FELEM *x, EC_FELEM *y); // jacobian_to_affine_batch implements |ec_jacobian_to_affine_batch|. int (*jacobian_to_affine_batch)(const EC_GROUP *group, EC_AFFINE *out, - const EC_RAW_POINT *in, size_t num); + const EC_JACOBIAN *in, size_t num); // add sets |r| to |a| + |b|. - void (*add)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *a, - const EC_RAW_POINT *b); + void (*add)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *a, + const EC_JACOBIAN *b); // dbl sets |r| to |a| + |a|. - void (*dbl)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *a); + void (*dbl)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *a); // mul sets |r| to |scalar|*|p|. - void (*mul)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *p, + void (*mul)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *p, const EC_SCALAR *scalar); // mul_base sets |r| to |scalar|*generator. - void (*mul_base)(const EC_GROUP *group, EC_RAW_POINT *r, + void (*mul_base)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *scalar); // mul_batch implements |ec_mul_scalar_batch|. - void (*mul_batch)(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *p0, const EC_SCALAR *scalar0, - const EC_RAW_POINT *p1, const EC_SCALAR *scalar1, - const EC_RAW_POINT *p2, const EC_SCALAR *scalar2); + void (*mul_batch)(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p0, const EC_SCALAR *scalar0, + const EC_JACOBIAN *p1, const EC_SCALAR *scalar1, + const EC_JACOBIAN *p2, const EC_SCALAR *scalar2); // mul_public sets |r| to |g_scalar|*generator + |p_scalar|*|p|. It assumes // that the inputs are public so there is no concern about leaking their // values through timing. // // This function may be omitted if |mul_public_batch| is provided. - void (*mul_public)(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_SCALAR *g_scalar, const EC_RAW_POINT *p, + void (*mul_public)(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_SCALAR *g_scalar, const EC_JACOBIAN *p, const EC_SCALAR *p_scalar); // mul_public_batch implements |ec_point_mul_scalar_public_batch|. - int (*mul_public_batch)(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_SCALAR *g_scalar, const EC_RAW_POINT *points, + int (*mul_public_batch)(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_SCALAR *g_scalar, const EC_JACOBIAN *points, const EC_SCALAR *scalars, size_t num); // init_precomp implements |ec_init_precomp|. int (*init_precomp)(const EC_GROUP *group, EC_PRECOMP *out, - const EC_RAW_POINT *p); + const EC_JACOBIAN *p); // mul_precomp implements |ec_point_mul_scalar_precomp|. - void (*mul_precomp)(const EC_GROUP *group, EC_RAW_POINT *r, + void (*mul_precomp)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_PRECOMP *p0, const EC_SCALAR *scalar0, const EC_PRECOMP *p1, const EC_SCALAR *scalar1, const EC_PRECOMP *p2, const EC_SCALAR *scalar2); @@ -581,7 +581,7 @@ struct ec_method_st { // cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group // order, with |r|. It returns one if the values match and zero if |p| is the // point at infinity of the values do not match. - int (*cmp_x_coordinate)(const EC_GROUP *group, const EC_RAW_POINT *p, + int (*cmp_x_coordinate)(const EC_GROUP *group, const EC_JACOBIAN *p, const EC_SCALAR *r); } /* EC_METHOD */; @@ -635,24 +635,24 @@ struct ec_point_st { EC_GROUP *group; // raw is the group-specific point data. Functions that take |EC_POINT| // typically check consistency with |EC_GROUP| while functions that take - // |EC_RAW_POINT| do not. Thus accesses to this field should be externally + // |EC_JACOBIAN| do not. Thus accesses to this field should be externally // checked for consistency. - EC_RAW_POINT raw; + EC_JACOBIAN raw; } /* EC_POINT */; EC_GROUP *ec_group_new(const EC_METHOD *meth); -void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *p, const EC_SCALAR *scalar); -void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_RAW_POINT *r, +void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p, const EC_SCALAR *scalar); +void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *scalar); -void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *p0, const EC_SCALAR *scalar0, - const EC_RAW_POINT *p1, const EC_SCALAR *scalar1, - const EC_RAW_POINT *p2, const EC_SCALAR *scalar2); +void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p0, const EC_SCALAR *scalar0, + const EC_JACOBIAN *p1, const EC_SCALAR *scalar1, + const EC_JACOBIAN *p2, const EC_SCALAR *scalar2); int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, - const EC_RAW_POINT *p); -void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_RAW_POINT *r, + const EC_JACOBIAN *p); +void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r, const EC_PRECOMP *p0, const EC_SCALAR *scalar0, const EC_PRECOMP *p1, const EC_SCALAR *scalar1, const EC_PRECOMP *p2, const EC_SCALAR *scalar2); @@ -673,9 +673,9 @@ void ec_GFp_mont_felem_exp(const EC_GROUP *group, EC_FELEM *out, void ec_compute_wNAF(const EC_GROUP *group, int8_t *out, const EC_SCALAR *scalar, size_t bits, int w); -int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r, +int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *g_scalar, - const EC_RAW_POINT *points, + const EC_JACOBIAN *points, const EC_SCALAR *scalars, size_t num); // method functions in simple.c @@ -685,17 +685,17 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b); -void ec_GFp_simple_point_init(EC_RAW_POINT *); -void ec_GFp_simple_point_copy(EC_RAW_POINT *, const EC_RAW_POINT *); -void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_RAW_POINT *); -void ec_GFp_mont_add(const EC_GROUP *, EC_RAW_POINT *r, const EC_RAW_POINT *a, - const EC_RAW_POINT *b); -void ec_GFp_mont_dbl(const EC_GROUP *, EC_RAW_POINT *r, const EC_RAW_POINT *a); -void ec_GFp_simple_invert(const EC_GROUP *, EC_RAW_POINT *); -int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_RAW_POINT *); -int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_RAW_POINT *); -int ec_GFp_simple_points_equal(const EC_GROUP *, const EC_RAW_POINT *a, - const EC_RAW_POINT *b); +void ec_GFp_simple_point_init(EC_JACOBIAN *); +void ec_GFp_simple_point_copy(EC_JACOBIAN *, const EC_JACOBIAN *); +void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_JACOBIAN *); +void ec_GFp_mont_add(const EC_GROUP *, EC_JACOBIAN *r, const EC_JACOBIAN *a, + const EC_JACOBIAN *b); +void ec_GFp_mont_dbl(const EC_GROUP *, EC_JACOBIAN *r, const EC_JACOBIAN *a); +void ec_GFp_simple_invert(const EC_GROUP *, EC_JACOBIAN *); +int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_JACOBIAN *); +int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_JACOBIAN *); +int ec_GFp_simple_points_equal(const EC_GROUP *, const EC_JACOBIAN *a, + const EC_JACOBIAN *b); void ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a); @@ -703,7 +703,7 @@ int ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a); -int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p, +int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, const EC_SCALAR *r); void ec_GFp_simple_felem_to_bytes(const EC_GROUP *group, uint8_t *out, diff --git a/src/crypto/fipsmodule/ec/make_tables.go b/src/crypto/fipsmodule/ec/make_tables.go index ef7ac64..120c40b 100644 --- a/src/crypto/fipsmodule/ec/make_tables.go +++ b/src/crypto/fipsmodule/ec/make_tables.go @@ -153,7 +153,7 @@ func writeP256Table(path string) error { // Tables for other points have table[i] = iG for i in 0 .. 16. // fiat_p256_g_pre_comp is the table of precomputed base points -#if defined(BORINGSSL_NISTP256_64BIT) +#if defined(OPENSSL_64_BIT) static const fiat_p256_felem fiat_p256_g_pre_comp[2][15][2] = ` if _, err := f.WriteString(fileHeader); err != nil { return err diff --git a/src/crypto/fipsmodule/ec/oct.c b/src/crypto/fipsmodule/ec/oct.c index 3f0c0d6..eb77643 100644 --- a/src/crypto/fipsmodule/ec/oct.c +++ b/src/crypto/fipsmodule/ec/oct.c @@ -320,8 +320,7 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, } if (!BN_mod_sqrt(y, tmp1, &group->field, ctx)) { - unsigned long err = ERR_peek_last_error(); - + uint32_t err = ERR_peek_last_error(); if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) { ERR_clear_error(); diff --git a/src/crypto/fipsmodule/ec/p224-64.c b/src/crypto/fipsmodule/ec/p224-64.c index 0f51970..ef83b29 100644 --- a/src/crypto/fipsmodule/ec/p224-64.c +++ b/src/crypto/fipsmodule/ec/p224-64.c @@ -860,7 +860,7 @@ static crypto_word_t p224_get_bit(const EC_SCALAR *in, size_t i) { // Takes the Jacobian coordinates (X, Y, Z) of a point and returns // (X', Y') = (X/Z^2, Y/Z^3) static int ec_GFp_nistp224_point_get_affine_coordinates( - const EC_GROUP *group, const EC_RAW_POINT *point, EC_FELEM *x, + const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x, EC_FELEM *y) { if (ec_GFp_simple_is_at_infinity(group, point)) { OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY); @@ -895,8 +895,8 @@ static int ec_GFp_nistp224_point_get_affine_coordinates( return 1; } -static void ec_GFp_nistp224_add(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *a, const EC_RAW_POINT *b) { +static void ec_GFp_nistp224_add(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *a, const EC_JACOBIAN *b) { p224_felem x1, y1, z1, x2, y2, z2; p224_generic_to_felem(x1, &a->X); p224_generic_to_felem(y1, &a->Y); @@ -911,8 +911,8 @@ static void ec_GFp_nistp224_add(const EC_GROUP *group, EC_RAW_POINT *r, p224_felem_to_generic(&r->Z, z1); } -static void ec_GFp_nistp224_dbl(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *a) { +static void ec_GFp_nistp224_dbl(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *a) { p224_felem x, y, z; p224_generic_to_felem(x, &a->X); p224_generic_to_felem(y, &a->Y); @@ -925,7 +925,7 @@ static void ec_GFp_nistp224_dbl(const EC_GROUP *group, EC_RAW_POINT *r, } static void ec_GFp_nistp224_make_precomp(p224_felem out[17][3], - const EC_RAW_POINT *p) { + const EC_JACOBIAN *p) { OPENSSL_memset(out[0], 0, sizeof(p224_felem) * 3); p224_generic_to_felem(out[1][0], &p->X); @@ -943,8 +943,8 @@ static void ec_GFp_nistp224_make_precomp(p224_felem out[17][3], } } -static void ec_GFp_nistp224_point_mul(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *p, +static void ec_GFp_nistp224_point_mul(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p, const EC_SCALAR *scalar) { p224_felem p_pre_comp[17][3]; ec_GFp_nistp224_make_precomp(p_pre_comp, p); @@ -992,7 +992,7 @@ static void ec_GFp_nistp224_point_mul(const EC_GROUP *group, EC_RAW_POINT *r, } static void ec_GFp_nistp224_point_mul_base(const EC_GROUP *group, - EC_RAW_POINT *r, + EC_JACOBIAN *r, const EC_SCALAR *scalar) { // Set nq to the point at infinity. p224_felem nq[3], tmp[3]; @@ -1039,9 +1039,9 @@ static void ec_GFp_nistp224_point_mul_base(const EC_GROUP *group, } static void ec_GFp_nistp224_point_mul_public(const EC_GROUP *group, - EC_RAW_POINT *r, + EC_JACOBIAN *r, const EC_SCALAR *g_scalar, - const EC_RAW_POINT *p, + const EC_JACOBIAN *p, const EC_SCALAR *p_scalar) { // TODO(davidben): If P-224 ECDSA verify performance ever matters, using // |ec_compute_wNAF| for |p_scalar| would likely be an easy improvement. diff --git a/src/crypto/fipsmodule/ec/p256-nistz.c b/src/crypto/fipsmodule/ec/p256-nistz.c index c56222b..dfde2f4 100644 --- a/src/crypto/fipsmodule/ec/p256-nistz.c +++ b/src/crypto/fipsmodule/ec/p256-nistz.c @@ -187,7 +187,7 @@ static void ecp_nistz256_mod_inverse_sqr_mont(BN_ULONG r[P256_LIMBS], // r = p * p_scalar static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r, - const EC_RAW_POINT *p, + const EC_JACOBIAN *p, const EC_SCALAR *p_scalar) { assert(p != NULL); assert(p_scalar != NULL); @@ -299,8 +299,8 @@ static crypto_word_t calc_wvalue(size_t *index, const uint8_t p_str[33]) { return booth_recode_w7(wvalue); } -static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *p, +static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p, const EC_SCALAR *scalar) { alignas(32) P256_POINT out; ecp_nistz256_windowed_mul(group, &out, p, scalar); @@ -311,7 +311,7 @@ static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r, OPENSSL_memcpy(r->Z.words, out.Z, P256_LIMBS * sizeof(BN_ULONG)); } -static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_RAW_POINT *r, +static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *scalar) { uint8_t p_str[33]; OPENSSL_memcpy(p_str, scalar->words, 32); @@ -356,9 +356,9 @@ static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_RAW_POINT *r, } static void ecp_nistz256_points_mul_public(const EC_GROUP *group, - EC_RAW_POINT *r, + EC_JACOBIAN *r, const EC_SCALAR *g_scalar, - const EC_RAW_POINT *p_, + const EC_JACOBIAN *p_, const EC_SCALAR *p_scalar) { assert(p_ != NULL && p_scalar != NULL && g_scalar != NULL); @@ -420,7 +420,7 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group, } static int ecp_nistz256_get_affine(const EC_GROUP *group, - const EC_RAW_POINT *point, EC_FELEM *x, + const EC_JACOBIAN *point, EC_FELEM *x, EC_FELEM *y) { if (ec_GFp_simple_is_at_infinity(group, point)) { OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY); @@ -444,8 +444,8 @@ static int ecp_nistz256_get_affine(const EC_GROUP *group, return 1; } -static void ecp_nistz256_add(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *a_, const EC_RAW_POINT *b_) { +static void ecp_nistz256_add(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *a_, const EC_JACOBIAN *b_) { P256_POINT a, b; OPENSSL_memcpy(a.X, a_->X.words, P256_LIMBS * sizeof(BN_ULONG)); OPENSSL_memcpy(a.Y, a_->Y.words, P256_LIMBS * sizeof(BN_ULONG)); @@ -459,8 +459,8 @@ static void ecp_nistz256_add(const EC_GROUP *group, EC_RAW_POINT *r, OPENSSL_memcpy(r->Z.words, a.Z, P256_LIMBS * sizeof(BN_ULONG)); } -static void ecp_nistz256_dbl(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *a_) { +static void ecp_nistz256_dbl(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *a_) { P256_POINT a; OPENSSL_memcpy(a.X, a_->X.words, P256_LIMBS * sizeof(BN_ULONG)); OPENSSL_memcpy(a.Y, a_->Y.words, P256_LIMBS * sizeof(BN_ULONG)); @@ -573,7 +573,7 @@ static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, } static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group, - const EC_RAW_POINT *p, + const EC_JACOBIAN *p, const EC_SCALAR *r) { if (ec_GFp_simple_is_at_infinity(group, p)) { return 0; diff --git a/src/crypto/fipsmodule/ec/p256-nistz_test.cc b/src/crypto/fipsmodule/ec/p256-nistz_test.cc index 6aa51e8..a53d94e 100644 --- a/src/crypto/fipsmodule/ec/p256-nistz_test.cc +++ b/src/crypto/fipsmodule/ec/p256-nistz_test.cc @@ -43,9 +43,11 @@ TEST(P256_NistzTest, SelectW5) { // Fill a table with some garbage input. alignas(64) P256_POINT table[16]; for (size_t i = 0; i < 16; i++) { - OPENSSL_memset(table[i].X, 3 * i, sizeof(table[i].X)); - OPENSSL_memset(table[i].Y, 3 * i + 1, sizeof(table[i].Y)); - OPENSSL_memset(table[i].Z, 3 * i + 2, sizeof(table[i].Z)); + OPENSSL_memset(table[i].X, static_cast<uint8_t>(3 * i), sizeof(table[i].X)); + OPENSSL_memset(table[i].Y, static_cast<uint8_t>(3 * i + 1), + sizeof(table[i].Y)); + OPENSSL_memset(table[i].Z, static_cast<uint8_t>(3 * i + 2), + sizeof(table[i].Z)); } for (int i = 0; i <= 16; i++) { @@ -73,8 +75,9 @@ TEST(P256_NistzTest, SelectW7) { // Fill a table with some garbage input. alignas(64) P256_POINT_AFFINE table[64]; for (size_t i = 0; i < 64; i++) { - OPENSSL_memset(table[i].X, 2 * i, sizeof(table[i].X)); - OPENSSL_memset(table[i].Y, 2 * i + 1, sizeof(table[i].Y)); + OPENSSL_memset(table[i].X, static_cast<uint8_t>(2 * i), sizeof(table[i].X)); + OPENSSL_memset(table[i].Y, static_cast<uint8_t>(2 * i + 1), + sizeof(table[i].Y)); } for (int i = 0; i <= 64; i++) { diff --git a/src/crypto/fipsmodule/ec/p256.c b/src/crypto/fipsmodule/ec/p256.c index d67f6c0..af211be 100644 --- a/src/crypto/fipsmodule/ec/p256.c +++ b/src/crypto/fipsmodule/ec/p256.c @@ -31,8 +31,9 @@ #include "./internal.h" #if defined(BORINGSSL_HAS_UINT128) -#define BORINGSSL_NISTP256_64BIT 1 #include "../../../third_party/fiat/p256_64.h" +#elif defined(OPENSSL_64_BIT) +#include "../../../third_party/fiat/p256_64_msvc.h" #else #include "../../../third_party/fiat/p256_32.h" #endif @@ -40,7 +41,7 @@ // utility functions, handwritten -#if defined(BORINGSSL_NISTP256_64BIT) +#if defined(OPENSSL_64_BIT) #define FIAT_P256_NLIMBS 4 typedef uint64_t fiat_p256_limb_t; typedef uint64_t fiat_p256_felem[FIAT_P256_NLIMBS]; @@ -413,7 +414,7 @@ static crypto_word_t fiat_p256_get_bit(const EC_SCALAR *in, int i) { // Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') = // (X/Z^2, Y/Z^3). static int ec_GFp_nistp256_point_get_affine_coordinates( - const EC_GROUP *group, const EC_RAW_POINT *point, EC_FELEM *x_out, + const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x_out, EC_FELEM *y_out) { if (ec_GFp_simple_is_at_infinity(group, point)) { OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY); @@ -443,8 +444,8 @@ static int ec_GFp_nistp256_point_get_affine_coordinates( return 1; } -static void ec_GFp_nistp256_add(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *a, const EC_RAW_POINT *b) { +static void ec_GFp_nistp256_add(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *a, const EC_JACOBIAN *b) { fiat_p256_felem x1, y1, z1, x2, y2, z2; fiat_p256_from_generic(x1, &a->X); fiat_p256_from_generic(y1, &a->Y); @@ -459,8 +460,8 @@ static void ec_GFp_nistp256_add(const EC_GROUP *group, EC_RAW_POINT *r, fiat_p256_to_generic(&r->Z, z1); } -static void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *a) { +static void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *a) { fiat_p256_felem x, y, z; fiat_p256_from_generic(x, &a->X); fiat_p256_from_generic(y, &a->Y); @@ -471,8 +472,8 @@ static void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_RAW_POINT *r, fiat_p256_to_generic(&r->Z, z); } -static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *p, +static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p, const EC_SCALAR *scalar) { fiat_p256_felem p_pre_comp[17][3]; OPENSSL_memset(&p_pre_comp, 0, sizeof(p_pre_comp)); @@ -539,7 +540,7 @@ static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r, } static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group, - EC_RAW_POINT *r, + EC_JACOBIAN *r, const EC_SCALAR *scalar) { // Set nq to the point at infinity. fiat_p256_felem nq[3] = {{0}, {0}, {0}}, tmp[3]; @@ -587,9 +588,9 @@ static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group, } static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group, - EC_RAW_POINT *r, + EC_JACOBIAN *r, const EC_SCALAR *g_scalar, - const EC_RAW_POINT *p, + const EC_JACOBIAN *p, const EC_SCALAR *p_scalar) { #define P256_WSIZE_PUBLIC 4 // Precompute multiples of |p|. p_pre_comp[i] is (2*i+1) * |p|. @@ -679,7 +680,7 @@ static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group, } static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group, - const EC_RAW_POINT *p, + const EC_JACOBIAN *p, const EC_SCALAR *r) { if (ec_GFp_simple_is_at_infinity(group, p)) { return 0; @@ -748,5 +749,3 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) { ec_simple_scalar_to_montgomery_inv_vartime; out->cmp_x_coordinate = ec_GFp_nistp256_cmp_x_coordinate; } - -#undef BORINGSSL_NISTP256_64BIT diff --git a/src/crypto/fipsmodule/ec/p256_table.h b/src/crypto/fipsmodule/ec/p256_table.h index 14129a3..d823d37 100644 --- a/src/crypto/fipsmodule/ec/p256_table.h +++ b/src/crypto/fipsmodule/ec/p256_table.h @@ -50,7 +50,7 @@ // Tables for other points have table[i] = iG for i in 0 .. 16. // fiat_p256_g_pre_comp is the table of precomputed base points -#if defined(BORINGSSL_NISTP256_64BIT) +#if defined(OPENSSL_64_BIT) static const fiat_p256_felem fiat_p256_g_pre_comp[2][15][2] = { {{{0x79e730d418a9143c, 0x75ba95fc5fedb601, 0x79fb732b77622510, 0x18905f76a53755c6}, diff --git a/src/crypto/fipsmodule/ec/simple.c b/src/crypto/fipsmodule/ec/simple.c index 58d8121..6498bdc 100644 --- a/src/crypto/fipsmodule/ec/simple.c +++ b/src/crypto/fipsmodule/ec/simple.c @@ -152,36 +152,36 @@ int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, return 1; } -void ec_GFp_simple_point_init(EC_RAW_POINT *point) { +void ec_GFp_simple_point_init(EC_JACOBIAN *point) { OPENSSL_memset(&point->X, 0, sizeof(EC_FELEM)); OPENSSL_memset(&point->Y, 0, sizeof(EC_FELEM)); OPENSSL_memset(&point->Z, 0, sizeof(EC_FELEM)); } -void ec_GFp_simple_point_copy(EC_RAW_POINT *dest, const EC_RAW_POINT *src) { +void ec_GFp_simple_point_copy(EC_JACOBIAN *dest, const EC_JACOBIAN *src) { OPENSSL_memcpy(&dest->X, &src->X, sizeof(EC_FELEM)); OPENSSL_memcpy(&dest->Y, &src->Y, sizeof(EC_FELEM)); OPENSSL_memcpy(&dest->Z, &src->Z, sizeof(EC_FELEM)); } void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, - EC_RAW_POINT *point) { + EC_JACOBIAN *point) { // Although it is strictly only necessary to zero Z, we zero the entire point // in case |point| was stack-allocated and yet to be initialized. ec_GFp_simple_point_init(point); } -void ec_GFp_simple_invert(const EC_GROUP *group, EC_RAW_POINT *point) { +void ec_GFp_simple_invert(const EC_GROUP *group, EC_JACOBIAN *point) { ec_felem_neg(group, &point->Y, &point->Y); } int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, - const EC_RAW_POINT *point) { + const EC_JACOBIAN *point) { return ec_felem_non_zero_mask(group, &point->Z) == 0; } int ec_GFp_simple_is_on_curve(const EC_GROUP *group, - const EC_RAW_POINT *point) { + const EC_JACOBIAN *point) { // We have a curve defined by a Weierstrass equation // y^2 = x^3 + a*x + b. // The point to consider is given in Jacobian projective coordinates @@ -237,8 +237,8 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, return 1 & ~(not_infinity & not_equal); } -int ec_GFp_simple_points_equal(const EC_GROUP *group, const EC_RAW_POINT *a, - const EC_RAW_POINT *b) { +int ec_GFp_simple_points_equal(const EC_GROUP *group, const EC_JACOBIAN *a, + const EC_JACOBIAN *b) { // This function is implemented in constant-time for two reasons. First, // although EC points are usually public, their Jacobian Z coordinates may be // secret, or at least are not obviously public. Second, more complex @@ -285,7 +285,7 @@ int ec_GFp_simple_points_equal(const EC_GROUP *group, const EC_RAW_POINT *a, } int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a, - const EC_RAW_POINT *b) { + const EC_JACOBIAN *b) { // If |b| is not infinity, we have to decide whether // (X_a, Y_a) = (X_b/Z_b^2, Y_b/Z_b^3), // or equivalently, whether @@ -314,7 +314,7 @@ int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a, return equal & 1; } -int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p, +int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, const EC_SCALAR *r) { if (ec_GFp_simple_is_at_infinity(group, p)) { // |ec_get_x_coordinate_as_scalar| will check this internally, but this way diff --git a/src/crypto/fipsmodule/ec/simple_mul.c b/src/crypto/fipsmodule/ec/simple_mul.c index 024155d..9a72a66 100644 --- a/src/crypto/fipsmodule/ec/simple_mul.c +++ b/src/crypto/fipsmodule/ec/simple_mul.c @@ -21,14 +21,14 @@ #include "../../internal.h" -void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *p, const EC_SCALAR *scalar) { +void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p, const EC_SCALAR *scalar) { // This is a generic implementation for uncommon curves that not do not // warrant a tuned one. It uses unsigned digits so that the doubling case in // |ec_GFp_mont_add| is always unreachable, erring on safety and simplicity. // Compute a table of the first 32 multiples of |p| (including infinity). - EC_RAW_POINT precomp[32]; + EC_JACOBIAN precomp[32]; ec_GFp_simple_point_set_to_infinity(group, &precomp[0]); ec_GFp_simple_point_copy(&precomp[1], p); for (size_t j = 2; j < OPENSSL_ARRAY_SIZE(precomp); j++) { @@ -56,8 +56,8 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r, window |= bn_is_bit_set_words(scalar->words, width, i); // Select the entry in constant-time. - EC_RAW_POINT tmp; - OPENSSL_memset(&tmp, 0, sizeof(EC_RAW_POINT)); + EC_JACOBIAN tmp; + OPENSSL_memset(&tmp, 0, sizeof(EC_JACOBIAN)); for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) { BN_ULONG mask = constant_time_eq_w(j, window); ec_point_select(group, &tmp, mask, &precomp[j], &tmp); @@ -76,13 +76,13 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r, } } -void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_RAW_POINT *r, +void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *scalar) { ec_GFp_mont_mul(group, r, &group->generator->raw, scalar); } -static void ec_GFp_mont_batch_precomp(const EC_GROUP *group, EC_RAW_POINT *out, - size_t num, const EC_RAW_POINT *p) { +static void ec_GFp_mont_batch_precomp(const EC_GROUP *group, EC_JACOBIAN *out, + size_t num, const EC_JACOBIAN *p) { assert(num > 1); ec_GFp_simple_point_set_to_infinity(group, &out[0]); ec_GFp_simple_point_copy(&out[1], p); @@ -96,8 +96,8 @@ static void ec_GFp_mont_batch_precomp(const EC_GROUP *group, EC_RAW_POINT *out, } static void ec_GFp_mont_batch_get_window(const EC_GROUP *group, - EC_RAW_POINT *out, - const EC_RAW_POINT precomp[17], + EC_JACOBIAN *out, + const EC_JACOBIAN precomp[17], const EC_SCALAR *scalar, unsigned i) { const size_t width = group->order.width; uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 5; @@ -112,7 +112,7 @@ static void ec_GFp_mont_batch_get_window(const EC_GROUP *group, ec_GFp_nistp_recode_scalar_bits(&sign, &digit, window); // Select the entry in constant-time. - OPENSSL_memset(out, 0, sizeof(EC_RAW_POINT)); + OPENSSL_memset(out, 0, sizeof(EC_JACOBIAN)); for (size_t j = 0; j < 17; j++) { BN_ULONG mask = constant_time_eq_w(j, digit); ec_point_select(group, out, mask, &precomp[j], out); @@ -126,11 +126,11 @@ static void ec_GFp_mont_batch_get_window(const EC_GROUP *group, ec_felem_select(group, &out->Y, sign_mask, &neg_Y, &out->Y); } -void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_RAW_POINT *r, - const EC_RAW_POINT *p0, const EC_SCALAR *scalar0, - const EC_RAW_POINT *p1, const EC_SCALAR *scalar1, - const EC_RAW_POINT *p2, const EC_SCALAR *scalar2) { - EC_RAW_POINT precomp[3][17]; +void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p0, const EC_SCALAR *scalar0, + const EC_JACOBIAN *p1, const EC_SCALAR *scalar1, + const EC_JACOBIAN *p2, const EC_SCALAR *scalar2) { + EC_JACOBIAN precomp[3][17]; ec_GFp_mont_batch_precomp(group, precomp[0], 17, p0); ec_GFp_mont_batch_precomp(group, precomp[1], 17, p1); if (p2 != NULL) { @@ -145,7 +145,7 @@ void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_RAW_POINT *r, ec_GFp_mont_dbl(group, r, r); } if (i % 5 == 0) { - EC_RAW_POINT tmp; + EC_JACOBIAN tmp; ec_GFp_mont_batch_get_window(group, &tmp, precomp[0], scalar0, i); if (r_is_at_infinity) { ec_GFp_simple_point_copy(r, &tmp); @@ -174,13 +174,13 @@ static unsigned ec_GFp_mont_comb_stride(const EC_GROUP *group) { } int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, - const EC_RAW_POINT *p) { + const EC_JACOBIAN *p) { // comb[i - 1] stores the ith element of the comb. That is, if i is // b4 * 2^4 + b3 * 2^3 + ... + b0 * 2^0, it stores k * |p|, where k is // b4 * 2^(4*stride) + b3 * 2^(3*stride) + ... + b0 * 2^(0*stride). stride // here is |ec_GFp_mont_comb_stride|. We store at index i - 1 because the 0th // comb entry is always infinity. - EC_RAW_POINT comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1]; + EC_JACOBIAN comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1]; unsigned stride = ec_GFp_mont_comb_stride(group); // We compute the comb sequentially by the highest set bit. Initially, all @@ -209,7 +209,7 @@ int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, } static void ec_GFp_mont_get_comb_window(const EC_GROUP *group, - EC_RAW_POINT *out, + EC_JACOBIAN *out, const EC_PRECOMP *precomp, const EC_SCALAR *scalar, unsigned i) { const size_t width = group->order.width; @@ -223,7 +223,7 @@ static void ec_GFp_mont_get_comb_window(const EC_GROUP *group, // Select precomp->comb[window - 1]. If |window| is zero, |match| will always // be zero, which will leave |out| at infinity. - OPENSSL_memset(out, 0, sizeof(EC_RAW_POINT)); + OPENSSL_memset(out, 0, sizeof(EC_JACOBIAN)); for (unsigned j = 0; j < OPENSSL_ARRAY_SIZE(precomp->comb); j++) { BN_ULONG match = constant_time_eq_w(window, j + 1); ec_felem_select(group, &out->X, match, &precomp->comb[j].X, &out->X); @@ -233,7 +233,7 @@ static void ec_GFp_mont_get_comb_window(const EC_GROUP *group, ec_felem_select(group, &out->Z, is_infinity, &out->Z, &group->one); } -void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_RAW_POINT *r, +void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r, const EC_PRECOMP *p0, const EC_SCALAR *scalar0, const EC_PRECOMP *p1, const EC_SCALAR *scalar1, const EC_PRECOMP *p2, const EC_SCALAR *scalar2) { @@ -244,7 +244,7 @@ void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_RAW_POINT *r, ec_GFp_mont_dbl(group, r, r); } - EC_RAW_POINT tmp; + EC_JACOBIAN tmp; ec_GFp_mont_get_comb_window(group, &tmp, p0, scalar0, i); if (r_is_at_infinity) { ec_GFp_simple_point_copy(r, &tmp); diff --git a/src/crypto/fipsmodule/ec/wnaf.c b/src/crypto/fipsmodule/ec/wnaf.c index ce0d4b8..beb9295 100644 --- a/src/crypto/fipsmodule/ec/wnaf.c +++ b/src/crypto/fipsmodule/ec/wnaf.c @@ -148,18 +148,18 @@ void ec_compute_wNAF(const EC_GROUP *group, int8_t *out, } // compute_precomp sets |out[i]| to (2*i+1)*p, for i from 0 to |len|. -static void compute_precomp(const EC_GROUP *group, EC_RAW_POINT *out, - const EC_RAW_POINT *p, size_t len) { +static void compute_precomp(const EC_GROUP *group, EC_JACOBIAN *out, + const EC_JACOBIAN *p, size_t len) { ec_GFp_simple_point_copy(&out[0], p); - EC_RAW_POINT two_p; + EC_JACOBIAN two_p; ec_GFp_mont_dbl(group, &two_p, p); for (size_t i = 1; i < len; i++) { ec_GFp_mont_add(group, &out[i], &out[i - 1], &two_p); } } -static void lookup_precomp(const EC_GROUP *group, EC_RAW_POINT *out, - const EC_RAW_POINT *precomp, int digit) { +static void lookup_precomp(const EC_GROUP *group, EC_JACOBIAN *out, + const EC_JACOBIAN *precomp, int digit) { if (digit < 0) { digit = -digit; ec_GFp_simple_point_copy(out, &precomp[digit >> 1]); @@ -179,9 +179,9 @@ static void lookup_precomp(const EC_GROUP *group, EC_RAW_POINT *out, // avoid a malloc. #define EC_WNAF_STACK 3 -int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r, +int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *g_scalar, - const EC_RAW_POINT *points, + const EC_JACOBIAN *points, const EC_SCALAR *scalars, size_t num) { size_t bits = BN_num_bits(&group->order); size_t wNAF_len = bits + 1; @@ -190,9 +190,9 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r, int8_t wNAF_stack[EC_WNAF_STACK][EC_MAX_BYTES * 8 + 1]; int8_t (*wNAF_alloc)[EC_MAX_BYTES * 8 + 1] = NULL; int8_t (*wNAF)[EC_MAX_BYTES * 8 + 1]; - EC_RAW_POINT precomp_stack[EC_WNAF_STACK][EC_WNAF_TABLE_SIZE]; - EC_RAW_POINT (*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL; - EC_RAW_POINT (*precomp)[EC_WNAF_TABLE_SIZE]; + EC_JACOBIAN precomp_stack[EC_WNAF_STACK][EC_WNAF_TABLE_SIZE]; + EC_JACOBIAN (*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL; + EC_JACOBIAN (*precomp)[EC_WNAF_TABLE_SIZE]; if (num <= EC_WNAF_STACK) { wNAF = wNAF_stack; precomp = precomp_stack; @@ -212,9 +212,9 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r, } int8_t g_wNAF[EC_MAX_BYTES * 8 + 1]; - EC_RAW_POINT g_precomp[EC_WNAF_TABLE_SIZE]; + EC_JACOBIAN g_precomp[EC_WNAF_TABLE_SIZE]; assert(wNAF_len <= OPENSSL_ARRAY_SIZE(g_wNAF)); - const EC_RAW_POINT *g = &group->generator->raw; + const EC_JACOBIAN *g = &group->generator->raw; if (g_scalar != NULL) { ec_compute_wNAF(group, g_wNAF, g_scalar, bits, EC_WNAF_WINDOW_BITS); compute_precomp(group, g_precomp, g, EC_WNAF_TABLE_SIZE); @@ -226,7 +226,7 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r, compute_precomp(group, precomp[i], &points[i], EC_WNAF_TABLE_SIZE); } - EC_RAW_POINT tmp; + EC_JACOBIAN tmp; int r_is_at_infinity = 1; for (size_t k = wNAF_len - 1; k < wNAF_len; k--) { if (!r_is_at_infinity) { |