Diffstat (limited to 'openssl/crypto/ec')
-rw-r--r--openssl/crypto/ec/Makefile2
-rwxr-xr-xopenssl/crypto/ec/asm/ecp_nistz256-x86_64.pl28
-rw-r--r--openssl/crypto/ec/ec.h11
-rw-r--r--openssl/crypto/ec/ec2_oct.c2
-rw-r--r--openssl/crypto/ec/ec_asn1.c20
-rw-r--r--openssl/crypto/ec/ec_check.c2
-rw-r--r--openssl/crypto/ec/ec_err.c15
-rw-r--r--openssl/crypto/ec/ec_key.c2
-rw-r--r--openssl/crypto/ec/ec_lcl.h8
-rw-r--r--openssl/crypto/ec/ec_lib.c7
-rw-r--r--openssl/crypto/ec/eck_prn.c4
-rwxr-xr-xopenssl/crypto/ec/ecp_nistz256.c135
-rw-r--r--openssl/crypto/ec/ecp_oct.c2
-rw-r--r--openssl/crypto/ec/ectest.c24
14 files changed, 160 insertions, 102 deletions
diff --git a/openssl/crypto/ec/Makefile b/openssl/crypto/ec/Makefile
index 0d9f3ab25..359ef4e40 100644
--- a/openssl/crypto/ec/Makefile
+++ b/openssl/crypto/ec/Makefile
@@ -78,6 +78,8 @@ tests:
lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
+update: depend
+
depend:
@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
diff --git a/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl b/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl
index 5b21574a2..84379fce1 100755
--- a/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl
+++ b/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl
@@ -30,20 +30,24 @@
# Further optimization by <appro@openssl.org>:
#
-# this/original
-# Opteron +12-49%
-# Bulldozer +14-45%
-# P4 +18-46%
-# Westmere +12-34%
-# Sandy Bridge +9-35%
-# Ivy Bridge +9-35%
-# Haswell +8-37%
-# Broadwell +18-58%
-# Atom +15-50%
-# VIA Nano +43-160%
+# this/original with/without -DECP_NISTZ256_ASM(*)
+# Opteron +12-49% +110-150%
+# Bulldozer +14-45% +175-210%
+# P4 +18-46% n/a :-(
+# Westmere +12-34% +80-87%
+# Sandy Bridge +9-35% +110-120%
+# Ivy Bridge +9-35% +110-125%
+# Haswell +8-37% +140-160%
+# Broadwell +18-58% +145-210%
+# Atom +15-50% +130-180%
+# VIA Nano +43-160% +300-480%
+#
+# (*) "without -DECP_NISTZ256_ASM" refers to build with
+# "enable-ec_nistp_64_gcc_128";
#
# Ranges denote minimum and maximum improvement coefficients depending
-# on benchmark.
+# on benchmark. Lower coefficients are for ECDSA sign, relatively fastest
+# server-side operation. Keep in mind that +100% means 2x improvement.
$flavour = shift;
$output = shift;
diff --git a/openssl/crypto/ec/ec.h b/openssl/crypto/ec/ec.h
index 98edfdf8b..6d3178f60 100644
--- a/openssl/crypto/ec/ec.h
+++ b/openssl/crypto/ec/ec.h
@@ -1097,6 +1097,12 @@ void ERR_load_EC_strings(void);
# define EC_F_ECPARAMETERS_PRINT_FP 148
# define EC_F_ECPKPARAMETERS_PRINT 149
# define EC_F_ECPKPARAMETERS_PRINT_FP 150
+# define EC_F_ECP_NISTZ256_GET_AFFINE 240
+# define EC_F_ECP_NISTZ256_MULT_PRECOMPUTE 243
+# define EC_F_ECP_NISTZ256_POINTS_MUL 241
+# define EC_F_ECP_NISTZ256_PRE_COMP_NEW 244
+# define EC_F_ECP_NISTZ256_SET_WORDS 245
+# define EC_F_ECP_NISTZ256_WINDOWED_MUL 242
# define EC_F_ECP_NIST_MOD_192 203
# define EC_F_ECP_NIST_MOD_224 204
# define EC_F_ECP_NIST_MOD_256 205
@@ -1208,11 +1214,6 @@ void ERR_load_EC_strings(void);
# define EC_F_NISTP224_PRE_COMP_NEW 227
# define EC_F_NISTP256_PRE_COMP_NEW 236
# define EC_F_NISTP521_PRE_COMP_NEW 237
-# define EC_F_ECP_NISTZ256_GET_AFFINE 240
-# define EC_F_ECP_NISTZ256_POINTS_MUL 241
-# define EC_F_ECP_NISTZ256_WINDOWED_MUL 242
-# define EC_F_ECP_NISTZ256_MULT_PRECOMPUTE 243
-# define EC_F_ECP_NISTZ256_PRE_COMP_NEW 244
# define EC_F_O2I_ECPUBLICKEY 152
# define EC_F_OLD_EC_PRIV_DECODE 222
# define EC_F_PKEY_EC_CTRL 197
diff --git a/openssl/crypto/ec/ec2_oct.c b/openssl/crypto/ec/ec2_oct.c
index c245d886d..0d04cc692 100644
--- a/openssl/crypto/ec/ec2_oct.c
+++ b/openssl/crypto/ec/ec2_oct.c
@@ -387,7 +387,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
}
/* test required by X9.62 */
- if (!EC_POINT_is_on_curve(group, point, ctx)) {
+ if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
goto err;
}
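Review bot: The new `<= 0` test correctly fails closed when EC_POINT_is_on_curve returns -1, but the branch still pushes EC_R_POINT_IS_NOT_ON_CURVE, so a BN_CTX or arithmetic failure is reported to the caller as a malformed point on top of the real error already on the stack. Capture the result and push the not-on-curve reason only for 0: `int on = EC_POINT_is_on_curve(group, point, ctx);` / `if (on <= 0) {` / `if (on == 0) ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);` followed by the existing goto err. The same attribution issue applies to the ec_check.c, ec_key.c and ecp_oct.c hunks, which make the identical change. ec_GF2m_simple_oct2point starts and ends outside this hunk.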
diff --git a/openssl/crypto/ec/ec_asn1.c b/openssl/crypto/ec/ec_asn1.c
index b4b0e9f3b..4ad849498 100644
--- a/openssl/crypto/ec/ec_asn1.c
+++ b/openssl/crypto/ec/ec_asn1.c
@@ -1114,7 +1114,7 @@ int i2d_ECPrivateKey(EC_KEY *a, unsigned char **out)
{
int ret = 0, ok = 0;
unsigned char *buffer = NULL;
- size_t buf_len = 0, tmp_len;
+ size_t buf_len = 0, tmp_len, bn_len;
EC_PRIVATEKEY *priv_key = NULL;
if (a == NULL || a->group == NULL || a->priv_key == NULL ||
@@ -1130,18 +1130,32 @@ int i2d_ECPrivateKey(EC_KEY *a, unsigned char **out)
priv_key->version = a->version;
- buf_len = (size_t)BN_num_bytes(a->priv_key);
+ bn_len = (size_t)BN_num_bytes(a->priv_key);
+
+ /* Octetstring may need leading zeros if BN is to short */
+
+ buf_len = (EC_GROUP_get_degree(a->group) + 7) / 8;
+
+ if (bn_len > buf_len) {
+ ECerr(EC_F_I2D_ECPRIVATEKEY, EC_R_BUFFER_TOO_SMALL);
+ goto err;
+ }
+
buffer = OPENSSL_malloc(buf_len);
if (buffer == NULL) {
ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
goto err;
}
- if (!BN_bn2bin(a->priv_key, buffer)) {
+ if (!BN_bn2bin(a->priv_key, buffer + buf_len - bn_len)) {
ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_BN_LIB);
goto err;
}
+ if (buf_len - bn_len > 0) {
+ memset(buffer, 0, buf_len - bn_len);
+ }
+
if (!M_ASN1_OCTET_STRING_set(priv_key->privateKey, buffer, buf_len)) {
ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_ASN1_LIB);
goto err;
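Review bot: `buffer` now holds the private scalar padded to the full field width, and nothing in this hunk clears it before it is released; the err: cleanup is outside the hunk, so if it is a plain OPENSSL_free, add `OPENSSL_cleanse(buffer, buf_len);` ahead of it so the key material does not linger on the heap. The guard `if (buf_len - bn_len > 0)` around the memset is redundant, since memset with a zero length is a no-op and bn_len <= buf_len is already established by the check above it. The comment should read `/* Octetstring may need leading zeros if BN is too short */`. i2d_ECPrivateKey continues beyond this hunk.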
diff --git a/openssl/crypto/ec/ec_check.c b/openssl/crypto/ec/ec_check.c
index d3f534999..dd6f0ac40 100644
--- a/openssl/crypto/ec/ec_check.c
+++ b/openssl/crypto/ec/ec_check.c
@@ -85,7 +85,7 @@ int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx)
ECerr(EC_F_EC_GROUP_CHECK, EC_R_UNDEFINED_GENERATOR);
goto err;
}
- if (!EC_POINT_is_on_curve(group, group->generator, ctx)) {
+ if (EC_POINT_is_on_curve(group, group->generator, ctx) <= 0) {
ECerr(EC_F_EC_GROUP_CHECK, EC_R_POINT_IS_NOT_ON_CURVE);
goto err;
}
diff --git a/openssl/crypto/ec/ec_err.c b/openssl/crypto/ec/ec_err.c
index 13b32c78a..6fe5baafd 100644
--- a/openssl/crypto/ec/ec_err.c
+++ b/openssl/crypto/ec/ec_err.c
@@ -1,6 +1,6 @@
/* crypto/ec/ec_err.c */
/* ====================================================================
- * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -89,6 +89,13 @@ static ERR_STRING_DATA EC_str_functs[] = {
{ERR_FUNC(EC_F_ECPARAMETERS_PRINT_FP), "ECParameters_print_fp"},
{ERR_FUNC(EC_F_ECPKPARAMETERS_PRINT), "ECPKParameters_print"},
{ERR_FUNC(EC_F_ECPKPARAMETERS_PRINT_FP), "ECPKParameters_print_fp"},
+ {ERR_FUNC(EC_F_ECP_NISTZ256_GET_AFFINE), "ecp_nistz256_get_affine"},
+ {ERR_FUNC(EC_F_ECP_NISTZ256_MULT_PRECOMPUTE),
+ "ecp_nistz256_mult_precompute"},
+ {ERR_FUNC(EC_F_ECP_NISTZ256_POINTS_MUL), "ecp_nistz256_points_mul"},
+ {ERR_FUNC(EC_F_ECP_NISTZ256_PRE_COMP_NEW), "ecp_nistz256_pre_comp_new"},
+ {ERR_FUNC(EC_F_ECP_NISTZ256_SET_WORDS), "ecp_nistz256_set_words"},
+ {ERR_FUNC(EC_F_ECP_NISTZ256_WINDOWED_MUL), "ecp_nistz256_windowed_mul"},
{ERR_FUNC(EC_F_ECP_NIST_MOD_192), "ECP_NIST_MOD_192"},
{ERR_FUNC(EC_F_ECP_NIST_MOD_224), "ECP_NIST_MOD_224"},
{ERR_FUNC(EC_F_ECP_NIST_MOD_256), "ECP_NIST_MOD_256"},
@@ -239,12 +246,6 @@ static ERR_STRING_DATA EC_str_functs[] = {
{ERR_FUNC(EC_F_NISTP224_PRE_COMP_NEW), "NISTP224_PRE_COMP_NEW"},
{ERR_FUNC(EC_F_NISTP256_PRE_COMP_NEW), "NISTP256_PRE_COMP_NEW"},
{ERR_FUNC(EC_F_NISTP521_PRE_COMP_NEW), "NISTP521_PRE_COMP_NEW"},
- {ERR_FUNC(EC_F_ECP_NISTZ256_GET_AFFINE), "ecp_nistz256_get_affine"},
- {ERR_FUNC(EC_F_ECP_NISTZ256_POINTS_MUL), "ecp_nistz256_points_mul"},
- {ERR_FUNC(EC_F_ECP_NISTZ256_WINDOWED_MUL), "ecp_nistz256_windowed_mul"},
- {ERR_FUNC(EC_F_ECP_NISTZ256_MULT_PRECOMPUTE),
- "ecp_nistz256_mult_precompute"},
- {ERR_FUNC(EC_F_ECP_NISTZ256_PRE_COMP_NEW), "ecp_nistz256_pre_comp_new"},
{ERR_FUNC(EC_F_O2I_ECPUBLICKEY), "o2i_ECPublicKey"},
{ERR_FUNC(EC_F_OLD_EC_PRIV_DECODE), "OLD_EC_PRIV_DECODE"},
{ERR_FUNC(EC_F_PKEY_EC_CTRL), "PKEY_EC_CTRL"},
diff --git a/openssl/crypto/ec/ec_key.c b/openssl/crypto/ec/ec_key.c
index ebdffc821..55ce3fe9b 100644
--- a/openssl/crypto/ec/ec_key.c
+++ b/openssl/crypto/ec/ec_key.c
@@ -314,7 +314,7 @@ int EC_KEY_check_key(const EC_KEY *eckey)
goto err;
/* testing whether the pub_key is on the elliptic curve */
- if (!EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx)) {
+ if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) {
ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE);
goto err;
}
diff --git a/openssl/crypto/ec/ec_lcl.h b/openssl/crypto/ec/ec_lcl.h
index 697eeb528..969fd147e 100644
--- a/openssl/crypto/ec/ec_lcl.h
+++ b/openssl/crypto/ec/ec_lcl.h
@@ -459,14 +459,6 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r,
int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
-/* method functions in ec2_mult.c */
-int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r,
- const BIGNUM *scalar, size_t num,
- const EC_POINT *points[], const BIGNUM *scalars[],
- BN_CTX *);
-int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
-int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
-
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
/* method functions in ecp_nistp224.c */
int ec_GFp_nistp224_group_init(EC_GROUP *group);
diff --git a/openssl/crypto/ec/ec_lib.c b/openssl/crypto/ec/ec_lib.c
index 6ffd9fc16..3ffa112cc 100644
--- a/openssl/crypto/ec/ec_lib.c
+++ b/openssl/crypto/ec/ec_lib.c
@@ -970,6 +970,13 @@ int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
return group->meth->is_at_infinity(group, point);
}
+/*
+ * Check whether an EC_POINT is on the curve or not. Note that the return
+ * value for this function should NOT be treated as a boolean. Return values:
+ * 1: The point is on the curve
+ * 0: The point is not on the curve
+ * -1: An error occurred
+ */
int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
BN_CTX *ctx)
{
diff --git a/openssl/crypto/ec/eck_prn.c b/openssl/crypto/ec/eck_prn.c
index 515b26238..df9b37a75 100644
--- a/openssl/crypto/ec/eck_prn.c
+++ b/openssl/crypto/ec/eck_prn.c
@@ -346,12 +346,14 @@ static int print_bin(BIO *fp, const char *name, const unsigned char *buf,
if (buf == NULL)
return 1;
- if (off) {
+ if (off > 0) {
if (off > 128)
off = 128;
memset(str, ' ', off);
if (BIO_write(fp, str, off) <= 0)
return 0;
+ } else {
+ off = 0;
}
if (BIO_printf(fp, "%s", name) <= 0)
diff --git a/openssl/crypto/ec/ecp_nistz256.c b/openssl/crypto/ec/ecp_nistz256.c
index 2cd6599d8..ca44d0aae 100755
--- a/openssl/crypto/ec/ecp_nistz256.c
+++ b/openssl/crypto/ec/ecp_nistz256.c
@@ -222,6 +222,18 @@ static BN_ULONG is_one(const BN_ULONG a[P256_LIMBS])
return is_zero(res);
}
+static int ecp_nistz256_set_words(BIGNUM *a, BN_ULONG words[P256_LIMBS])
+ {
+ if (bn_wexpand(a, P256_LIMBS) == NULL) {
+ ECerr(EC_F_ECP_NISTZ256_SET_WORDS, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ memcpy(a->d, words, sizeof(BN_ULONG) * P256_LIMBS);
+ a->top = P256_LIMBS;
+ bn_correct_top(a);
+ return 1;
+}
+
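Review bot: `words` is only read by ecp_nistz256_set_words (it is memcpy'd into a->d), so the parameter should be `const BN_ULONG words[P256_LIMBS]` to document that intent and to let callers pass read-only limb arrays. The opening brace after the signature is indented while the closing brace sits at column 0; is_one just above keeps both function braces at column 0, and the new function should match. A one-line comment would also help here, e.g. `/* Input is always P256_LIMBS words wide; set top to that and let bn_correct_top trim leading zero limbs. */`.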
#ifndef ECP_NISTZ256_REFERENCE_IMPLEMENTATION
void ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a);
void ecp_nistz256_point_add(P256_POINT *r,
@@ -557,13 +569,14 @@ static int ecp_nistz256_bignum_to_field_elem(BN_ULONG out[P256_LIMBS],
}
/* r = sum(scalar[i]*point[i]) */
-static void ecp_nistz256_windowed_mul(const EC_GROUP *group,
+static int ecp_nistz256_windowed_mul(const EC_GROUP *group,
P256_POINT *r,
const BIGNUM **scalar,
const EC_POINT **point,
int num, BN_CTX *ctx)
{
- int i, j;
+
+ int i, j, ret = 0;
unsigned int index;
unsigned char (*p_str)[33] = NULL;
const unsigned int window_size = 5;
@@ -589,6 +602,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group,
for (i = 0; i < num; i++) {
P256_POINT *row = table[i];
+ /* This is an unusual input, we don't guarantee constant-timeness. */
if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])) {
BIGNUM *mod;
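Review bot: The added comment says constant-timeness is not guaranteed for this input but not what that means for the caller; presumably the branch reduces an over-wide or negative scalar through generic BIGNUM arithmetic, whose timing depends on the value. Spell out the contract so callers with secret scalars know to pre-reduce, e.g. `/* Scalars wider than 256 bits or negative are reduced here with generic (non-constant-time) BIGNUM code; callers holding secret scalars must pass them already reduced. */`. ecp_nistz256_windowed_mul starts and ends outside this hunk.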
@@ -697,6 +711,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group,
ecp_nistz256_point_add(r, r, &h);
}
+ ret = 1;
err:
if (table_storage)
OPENSSL_free(table_storage);
@@ -704,6 +719,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group,
OPENSSL_free(p_str);
if (scalars)
OPENSSL_free(scalars);
+ return ret;
}
/* Coordinates of G, for which we have precomputed tables */
@@ -742,6 +758,7 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx)
EC_POINT *P = NULL, *T = NULL;
const EC_POINT *generator;
EC_PRE_COMP *pre_comp;
+ BN_CTX *new_ctx = NULL;
int i, j, k, ret = 0;
size_t w;
@@ -771,7 +788,7 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx)
return 0;
if (ctx == NULL) {
- ctx = BN_CTX_new();
+ ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
}
@@ -802,30 +819,41 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx)
P = EC_POINT_new(group);
T = EC_POINT_new(group);
+ if (P == NULL || T == NULL)
+ goto err;
/*
* The zero entry is implicitly infinity, and we skip it, storing other
* values with -1 offset.
*/
- EC_POINT_copy(T, generator);
+ if (!EC_POINT_copy(T, generator))
+ goto err;
for (k = 0; k < 64; k++) {
- EC_POINT_copy(P, T);
+ if (!EC_POINT_copy(P, T))
+ goto err;
for (j = 0; j < 37; j++) {
/*
- * It would be faster to use
- * ec_GFp_simple_points_make_affine and make multiple
- * points affine at the same time.
+ * It would be faster to use EC_POINTs_make_affine and
+ * make multiple points affine at the same time.
*/
- ec_GFp_simple_make_affine(group, P, ctx);
- ecp_nistz256_bignum_to_field_elem(preComputedTable[j]
- [k].X, &P->X);
- ecp_nistz256_bignum_to_field_elem(preComputedTable[j]
- [k].Y, &P->Y);
- for (i = 0; i < 7; i++)
- ec_GFp_simple_dbl(group, P, P, ctx);
+ if (!EC_POINT_make_affine(group, P, ctx))
+ goto err;
+ if (!ecp_nistz256_bignum_to_field_elem(preComputedTable[j][k].X,
+ &P->X) ||
+ !ecp_nistz256_bignum_to_field_elem(preComputedTable[j][k].Y,
+ &P->Y)) {
+ ECerr(EC_F_ECP_NISTZ256_MULT_PRECOMPUTE,
+ EC_R_COORDINATES_OUT_OF_RANGE);
+ goto err;
+ }
+ for (i = 0; i < 7; i++) {
+ if (!EC_POINT_dbl(group, P, P, ctx))
+ goto err;
+ }
}
- ec_GFp_simple_add(group, T, T, generator, ctx);
+ if (!EC_POINT_add(group, T, T, generator, ctx))
+ goto err;
}
pre_comp->group = group;
@@ -849,6 +877,8 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx)
err:
if (ctx != NULL)
BN_CTX_end(ctx);
+ BN_CTX_free(new_ctx);
+
if (pre_comp)
ecp_nistz256_pre_comp_free(pre_comp);
if (precomp_storage)
@@ -1102,6 +1132,9 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group,
const EC_PRE_COMP *pre_comp = NULL;
const EC_POINT *generator = NULL;
unsigned int index = 0;
+ BN_CTX *new_ctx = NULL;
+ const BIGNUM **new_scalars = NULL;
+ const EC_POINT **new_points = NULL;
const unsigned int window_size = 7;
const unsigned int mask = (1 << (window_size + 1)) - 1;
unsigned int wvalue;
@@ -1115,6 +1148,7 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group,
ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
+
if ((scalar == NULL) && (num == 0))
return EC_POINT_set_to_infinity(group, r);
@@ -1125,13 +1159,13 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group,
}
}
- /* Need 256 bits for space for all coordinates. */
- bn_wexpand(&r->X, P256_LIMBS);
- bn_wexpand(&r->Y, P256_LIMBS);
- bn_wexpand(&r->Z, P256_LIMBS);
- r->X.top = P256_LIMBS;
- r->Y.top = P256_LIMBS;
- r->Z.top = P256_LIMBS;
+ if (ctx == NULL) {
+ ctx = new_ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+ }
+
+ BN_CTX_start(ctx);
if (scalar) {
generator = EC_GROUP_get0_generator(group);
@@ -1156,8 +1190,10 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group,
goto err;
if (!ecp_nistz256_set_from_affine
- (pre_comp_generator, group, pre_comp->precomp[0], ctx))
+ (pre_comp_generator, group, pre_comp->precomp[0], ctx)) {
+ EC_POINT_free(pre_comp_generator);
goto err;
+ }
if (0 == EC_POINT_cmp(group, generator, pre_comp_generator, ctx))
preComputedTable = (const PRECOMP256_ROW *)pre_comp->precomp;
@@ -1255,20 +1291,16 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group,
* Without a precomputed table for the generator, it has to be
* handled like a normal point.
*/
- const BIGNUM **new_scalars;
- const EC_POINT **new_points;
-
new_scalars = OPENSSL_malloc((num + 1) * sizeof(BIGNUM *));
if (!new_scalars) {
ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE);
- return 0;
+ goto err;
}
new_points = OPENSSL_malloc((num + 1) * sizeof(EC_POINT *));
if (!new_points) {
- OPENSSL_free(new_scalars);
ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE);
- return 0;
+ goto err;
}
memcpy(new_scalars, scalars, num * sizeof(BIGNUM *));
@@ -1286,27 +1318,31 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group,
if (p_is_infinity)
out = &p.p;
- ecp_nistz256_windowed_mul(group, out, scalars, points, num, ctx);
+ if (!ecp_nistz256_windowed_mul(group, out, scalars, points, num, ctx))
+ goto err;
if (!p_is_infinity)
ecp_nistz256_point_add(&p.p, &p.p, out);
}
- if (no_precomp_for_generator) {
- OPENSSL_free(points);
- OPENSSL_free(scalars);
+ /* Not constant-time, but we're only operating on the public output. */
+ if (!ecp_nistz256_set_words(&r->X, p.p.X) ||
+ !ecp_nistz256_set_words(&r->Y, p.p.Y) ||
+ !ecp_nistz256_set_words(&r->Z, p.p.Z)) {
+ goto err;
}
-
- memcpy(r->X.d, p.p.X, sizeof(p.p.X));
- memcpy(r->Y.d, p.p.Y, sizeof(p.p.Y));
- memcpy(r->Z.d, p.p.Z, sizeof(p.p.Z));
- bn_correct_top(&r->X);
- bn_correct_top(&r->Y);
- bn_correct_top(&r->Z);
+ r->Z_is_one = is_one(p.p.Z) & 1;
ret = 1;
- err:
+err:
+ if (ctx)
+ BN_CTX_end(ctx);
+ BN_CTX_free(new_ctx);
+ if (new_points)
+ OPENSSL_free(new_points);
+ if (new_scalars)
+ OPENSSL_free(new_scalars);
return ret;
}
@@ -1319,6 +1355,7 @@ static int ecp_nistz256_get_affine(const EC_GROUP *group,
BN_ULONG x_aff[P256_LIMBS];
BN_ULONG y_aff[P256_LIMBS];
BN_ULONG point_x[P256_LIMBS], point_y[P256_LIMBS], point_z[P256_LIMBS];
+ BN_ULONG x_ret[P256_LIMBS], y_ret[P256_LIMBS];
if (EC_POINT_is_at_infinity(group, point)) {
ECerr(EC_F_ECP_NISTZ256_GET_AFFINE, EC_R_POINT_AT_INFINITY);
@@ -1337,19 +1374,17 @@ static int ecp_nistz256_get_affine(const EC_GROUP *group,
ecp_nistz256_mul_mont(x_aff, z_inv2, point_x);
if (x != NULL) {
- bn_wexpand(x, P256_LIMBS);
- x->top = P256_LIMBS;
- ecp_nistz256_from_mont(x->d, x_aff);
- bn_correct_top(x);
+ ecp_nistz256_from_mont(x_ret, x_aff);
+ if (!ecp_nistz256_set_words(x, x_ret))
+ return 0;
}
if (y != NULL) {
ecp_nistz256_mul_mont(z_inv3, z_inv3, z_inv2);
ecp_nistz256_mul_mont(y_aff, z_inv3, point_y);
- bn_wexpand(y, P256_LIMBS);
- y->top = P256_LIMBS;
- ecp_nistz256_from_mont(y->d, y_aff);
- bn_correct_top(y);
+ ecp_nistz256_from_mont(y_ret, y_aff);
+ if (!ecp_nistz256_set_words(y, y_ret))
+ return 0;
}
return 1;
diff --git a/openssl/crypto/ec/ecp_oct.c b/openssl/crypto/ec/ecp_oct.c
index e5cec8be8..1bc3f39ad 100644
--- a/openssl/crypto/ec/ecp_oct.c
+++ b/openssl/crypto/ec/ecp_oct.c
@@ -413,7 +413,7 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
}
/* test required by X9.62 */
- if (!EC_POINT_is_on_curve(group, point, ctx)) {
+ if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
goto err;
}
diff --git a/openssl/crypto/ec/ectest.c b/openssl/crypto/ec/ectest.c
index a18b32761..fede530bc 100644
--- a/openssl/crypto/ec/ectest.c
+++ b/openssl/crypto/ec/ectest.c
@@ -412,7 +412,7 @@ static void prime_field_tests(void)
ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, Q, ctx)) {
+ if (EC_POINT_is_on_curve(group, Q, ctx) <= 0) {
if (!EC_POINT_get_affine_coordinates_GFp(group, Q, x, y, ctx))
ABORT;
fprintf(stderr, "Point is not on curve: x = 0x");
@@ -544,7 +544,7 @@ static void prime_field_tests(void)
ABORT;
if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!BN_hex2bn(&z, "0100000000000000000001F4C8F927AED3CA752257"))
ABORT;
@@ -593,7 +593,7 @@ static void prime_field_tests(void)
ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831"))
ABORT;
@@ -646,7 +646,7 @@ static void prime_field_tests(void)
ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!BN_hex2bn
(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D"))
@@ -705,7 +705,7 @@ static void prime_field_tests(void)
ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
"84F3B9CAC2FC632551"))
@@ -761,7 +761,7 @@ static void prime_field_tests(void)
ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"))
@@ -820,7 +820,7 @@ static void prime_field_tests(void)
ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
@@ -864,7 +864,7 @@ static void prime_field_tests(void)
ABORT;
if (!EC_POINT_dbl(group, P, P, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!EC_POINT_invert(group, Q, ctx))
ABORT; /* P = -2Q */
@@ -1008,7 +1008,7 @@ static void prime_field_tests(void)
# define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \
if (!BN_hex2bn(&x, _x)) ABORT; \
if (!EC_POINT_set_compressed_coordinates_GF2m(group, P, x, _y_bit, ctx)) ABORT; \
- if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; \
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \
if (!BN_hex2bn(&z, _order)) ABORT; \
if (!BN_hex2bn(&cof, _cof)) ABORT; \
if (!EC_GROUP_set_generator(group, P, z, cof)) ABORT; \
@@ -1026,7 +1026,7 @@ static void prime_field_tests(void)
if (!BN_hex2bn(&x, _x)) ABORT; \
if (!BN_hex2bn(&y, _y)) ABORT; \
if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT; \
- if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; \
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \
if (!BN_hex2bn(&z, _order)) ABORT; \
if (!BN_hex2bn(&cof, _cof)) ABORT; \
if (!EC_GROUP_set_generator(group, P, z, cof)) ABORT; \
@@ -1157,7 +1157,7 @@ static void char2_field_tests(void)
if (!EC_POINT_set_affine_coordinates_GF2m(group, Q, x, y, ctx))
ABORT;
# endif
- if (!EC_POINT_is_on_curve(group, Q, ctx)) {
+ if (EC_POINT_is_on_curve(group, Q, ctx) <= 0) {
/* Change test based on whether binary point compression is enabled or not. */
# ifdef OPENSSL_EC_BIN_PT_COMP
if (!EC_POINT_get_affine_coordinates_GF2m(group, Q, x, y, ctx))
@@ -1378,7 +1378,7 @@ static void char2_field_tests(void)
ABORT;
if (!EC_POINT_dbl(group, P, P, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!EC_POINT_invert(group, Q, ctx))
ABORT; /* P = -2Q */