Chiebot-Mirror
/
boringssl
mirror of https://gitee.com/mirrors/boringssl.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Rename EC_RAW_POINT to EC_JACOBIAN

Browse Source 
EC_RAW_POINT is a confusing name. It's mostly about whether this is
stack-allocated EC_POINT without the EC_GROUP pointer. Now that we have
EC_AFFINE, EC_JACOBIAN captures what it's doing a bit better.

Fixed: 326
Change-Id: I5b71a387e899a94c79be8cd5e0b54b8432f7d5da
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59565
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
chromium-stable
David Benjamin 2 years ago committed by Boringssl LUCI CQ
parent 2e565ef29f
commit 5e988c4055
19 changed files with 291 additions and 293 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 12
      crypto/ec_extra/hash_to_curve.c
  2. 14
      crypto/ec_extra/internal.h
  3. 2
      crypto/ecdh_extra/ecdh_extra.c
  4. 48
      crypto/fipsmodule/ec/ec.c
  5. 2
      crypto/fipsmodule/ec/ec_key.c
  6. 14
      crypto/fipsmodule/ec/ec_montgomery.c
  7. 2
      crypto/fipsmodule/ec/ec_test.cc
  8. 140
      crypto/fipsmodule/ec/internal.h
  9. 22
      crypto/fipsmodule/ec/p224-64.c
  10. 24
      crypto/fipsmodule/ec/p256-nistz.c
  11. 22
      crypto/fipsmodule/ec/p256.c
  12. 20
      crypto/fipsmodule/ec/simple.c
  13. 46
      crypto/fipsmodule/ec/simple_mul.c
  14. 26
      crypto/fipsmodule/ec/wnaf.c
  15. 2
      crypto/fipsmodule/ecdh/ecdh.c
  16. 4
      crypto/fipsmodule/ecdsa/ecdsa.c
  17. 92
      crypto/trust_token/pmbtoken.c
  18. 88
      crypto/trust_token/voprf.c
  19. 4
      tool/speed.cc

12
crypto/ec_extra/hash_to_curve.c
Unescape View File

@ -273,7 +273,7 @@ static BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z,
// in appendix F.2.
static void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z,
const BN_ULONG *c1, size_t num_c1,
const EC_FELEM *c2, EC_RAW_POINT *out,
const EC_FELEM *c2, EC_JACOBIAN *out,
const EC_FELEM *u) {
// This function requires the prime be 3 mod 4, and that A = -3.
assert(is_3mod4(group));
@ -344,7 +344,7 @@ static void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z,
static int hash_to_curve(const EC_GROUP *group, const EVP_MD *md,
const EC_FELEM *Z, const EC_FELEM *c2, unsigned k,
EC_RAW_POINT *out, const uint8_t *dst, size_t dst_len,
EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
const uint8_t *msg, size_t msg_len) {
EC_FELEM u0, u1;
if (!hash_to_field2(group, md, &u0, &u1, dst, dst_len, k, msg, msg_len)) {
@ -359,7 +359,7 @@ static int hash_to_curve(const EC_GROUP *group, const EVP_MD *md,
}
bn_rshift_words(c1, c1, /*shift=*/2, /*num=*/num_c1);
EC_RAW_POINT Q0, Q1;
EC_JACOBIAN Q0, Q1;
map_to_curve_simple_swu(group, Z, c1, num_c1, c2, &Q0, &u0);
map_to_curve_simple_swu(group, Z, c1, num_c1, c2, &Q1, &u1);
@ -401,7 +401,7 @@ static const uint8_t kP384Sqrt12[] = {
0xa8, 0x0f, 0x7e, 0x19, 0x14, 0xe2, 0xec, 0x69, 0xf5, 0xa6, 0x26, 0xb3};
int ec_hash_to_curve_p256_xmd_sha256_sswu(const EC_GROUP *group,
EC_RAW_POINT *out, const uint8_t *dst,
EC_JACOBIAN *out, const uint8_t *dst,
size_t dst_len, const uint8_t *msg,
size_t msg_len) {
// See section 8.3 of draft-irtf-cfrg-hash-to-curve-16.
@ -434,7 +434,7 @@ int EC_hash_to_curve_p256_xmd_sha256_sswu(const EC_GROUP *group, EC_POINT *out,
}
int ec_hash_to_curve_p384_xmd_sha384_sswu(const EC_GROUP *group,
EC_RAW_POINT *out, const uint8_t *dst,
EC_JACOBIAN *out, const uint8_t *dst,
size_t dst_len, const uint8_t *msg,
size_t msg_len) {
// See section 8.3 of draft-irtf-cfrg-hash-to-curve-16.
@ -479,7 +479,7 @@ int ec_hash_to_scalar_p384_xmd_sha384(
}
int ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst,
size_t dst_len, const uint8_t *msg, size_t msg_len) {
// See section 8.3 of draft-irtf-cfrg-hash-to-curve-07.
if (EC_GROUP_get_curve_name(group) != NID_secp384r1) {

14
crypto/ec_extra/internal.h
Unescape View File

@ -26,23 +26,23 @@ extern "C" {
// Hash-to-curve.
//
// Internal |EC_RAW_POINT| versions of the corresponding public APIs.
// Internal |EC_JACOBIAN| versions of the corresponding public APIs.
// ec_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and
// writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite
// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
// error.
OPENSSL_EXPORT int ec_hash_to_curve_p256_xmd_sha256_sswu(
const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
size_t dst_len, const uint8_t *msg, size_t msg_len);
const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
const uint8_t *msg, size_t msg_len);
// ec_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and
// writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite
// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
// error.
OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha384_sswu(
const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
size_t dst_len, const uint8_t *msg, size_t msg_len);
const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
const uint8_t *msg, size_t msg_len);
// ec_hash_to_scalar_p384_xmd_sha384 hashes |msg| to a scalar on |group|
// and writes the result to |out|, using the hash_to_field operation from the
@ -59,8 +59,8 @@ OPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha384(
//
// TODO(https://crbug.com/1414562): Migrate this to the final version.
OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
size_t dst_len, const uint8_t *msg, size_t msg_len);
const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
const uint8_t *msg, size_t msg_len);
// ec_hash_to_scalar_p384_xmd_sha512_draft07 hashes |msg| to a scalar on |group|
// and writes the result to |out|, using the hash_to_field operation from the

2
crypto/ecdh_extra/ecdh_extra.c
Unescape View File

@ -92,7 +92,7 @@ int ECDH_compute_key(void *out, size_t out_len, const EC_POINT *pub_key,
return -1;
}
EC_RAW_POINT shared_point;
EC_JACOBIAN shared_point;
uint8_t buf[EC_MAX_BYTES];
size_t buf_len;
if (!ec_point_mul_scalar(group, &shared_point, &pub_key->raw, priv) ||

48
crypto/fipsmodule/ec/ec.c
Unescape View File

@ -801,7 +801,7 @@ int EC_POINT_get_affine_coordinates(const EC_GROUP *group,
return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
}
void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out,
void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *p) {
out->X = p->X;
out->Y = p->Y;
@ -809,12 +809,12 @@ void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out,
}
int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out,
const EC_RAW_POINT *p) {
const EC_JACOBIAN *p) {
return group->meth->point_get_affine_coordinates(group, p, &out->X, &out->Y);
}
int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out,
const EC_RAW_POINT *in, size_t num) {
const EC_JACOBIAN *in, size_t num) {
if (group->meth->jacobian_to_affine_batch == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
@ -990,13 +990,13 @@ int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r,
if (p_scalar != NULL) {
EC_SCALAR scalar;
EC_RAW_POINT tmp;
EC_JACOBIAN tmp;
if (!arbitrary_bignum_to_scalar(group, &scalar, p_scalar, ctx) ||
!ec_point_mul_scalar(group, &tmp, &p->raw, &scalar)) {
goto err;
}
if (g_scalar == NULL) {
OPENSSL_memcpy(&r->raw, &tmp, sizeof(EC_RAW_POINT));
OPENSSL_memcpy(&r->raw, &tmp, sizeof(EC_JACOBIAN));
} else {
group->meth->add(group, &r->raw, &r->raw, &tmp);
}
@ -1016,8 +1016,8 @@ int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
return ec_point_mul_no_self_test(group, r, g_scalar, p, p_scalar, ctx);
}
int ec_point_mul_scalar_public(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_SCALAR *g_scalar, const EC_RAW_POINT *p,
int ec_point_mul_scalar_public(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar, const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar) {
if (g_scalar == NULL || p_scalar == NULL || p == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
@ -1032,9 +1032,9 @@ int ec_point_mul_scalar_public(const EC_GROUP *group, EC_RAW_POINT *r,
return 1;
}
int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
const EC_RAW_POINT *points,
const EC_JACOBIAN *points,
const EC_SCALAR *scalars, size_t num) {
if (group->meth->mul_public_batch == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@ -1045,8 +1045,8 @@ int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
num);
}
int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *p, const EC_SCALAR *scalar) {
int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p, const EC_SCALAR *scalar) {
if (p == NULL || scalar == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
return 0;
@ -1064,7 +1064,7 @@ int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r,
return 1;
}
int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r,
int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar) {
if (scalar == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
@ -1083,10 +1083,10 @@ int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r,
return 1;
}
int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
const EC_RAW_POINT *p2,
int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
const EC_JACOBIAN *p2,
const EC_SCALAR *scalar2) {
if (group->meth->mul_batch == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@ -1106,7 +1106,7 @@ int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_RAW_POINT *r,
}
int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
const EC_RAW_POINT *p) {
const EC_JACOBIAN *p) {
if (group->meth->init_precomp == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
@ -1115,7 +1115,7 @@ int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
return group->meth->init_precomp(group, out, p);
}
int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
const EC_PRECOMP *p2,
@ -1137,8 +1137,8 @@ int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
return 1;
}
void ec_point_select(const EC_GROUP *group, EC_RAW_POINT *out, BN_ULONG mask,
const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask,
const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
ec_felem_select(group, &out->X, mask, &a->X, &b->X);
ec_felem_select(group, &out->Y, mask, &a->Y, &b->Y);
ec_felem_select(group, &out->Z, mask, &a->Z, &b->Z);
@ -1159,13 +1159,13 @@ void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask,
}
}
int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
const EC_SCALAR *r) {
return group->meth->cmp_x_coordinate(group, p, r);
}
int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
const EC_RAW_POINT *p) {
const EC_JACOBIAN *p) {
uint8_t bytes[EC_MAX_BYTES];
size_t len;
if (!ec_get_x_coordinate_as_bytes(group, bytes, &len, sizeof(bytes), p)) {
@ -1201,7 +1201,7 @@ int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out,
size_t *out_len, size_t max_out,
const EC_RAW_POINT *p) {
const EC_JACOBIAN *p) {
size_t len = BN_num_bytes(&group->field);
assert(len <= EC_MAX_BYTES);
if (max_out < len) {
@ -1219,7 +1219,7 @@ int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out,
return 1;
}
void ec_set_to_safe_point(const EC_GROUP *group, EC_RAW_POINT *out) {
void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out) {
if (group->generator != NULL) {
ec_GFp_simple_point_copy(out, &group->generator->raw);
} else {

2
crypto/fipsmodule/ec/ec_key.c
Unescape View File

@ -311,7 +311,7 @@ int EC_KEY_check_key(const EC_KEY *eckey) {
// NOTE: this is a FIPS pair-wise consistency check for the ECDH case. See SP
// 800-56Ar3, page 36.
if (eckey->priv_key != NULL) {
EC_RAW_POINT point;
EC_JACOBIAN point;
if (!ec_point_mul_scalar_base(eckey->group, &point,
&eckey->priv_key->scalar)) {
OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);

14
crypto/fipsmodule/ec/ec_montgomery.c
Unescape View File

@ -175,7 +175,7 @@ void ec_GFp_mont_felem_exp(const EC_GROUP *group, EC_FELEM *out,
}
static int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group,
const EC_RAW_POINT *point,
const EC_JACOBIAN *point,
EC_FELEM *x, EC_FELEM *y) {
if (ec_GFp_simple_is_at_infinity(group, point)) {
OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
@ -202,7 +202,7 @@ static int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group,
static int ec_GFp_mont_jacobian_to_affine_batch(const EC_GROUP *group,
EC_AFFINE *out,
const EC_RAW_POINT *in,
const EC_JACOBIAN *in,
size_t num) {
if (num == 0) {
return 1;
@ -246,8 +246,8 @@ static int ec_GFp_mont_jacobian_to_affine_batch(const EC_GROUP *group,
return 1;
}
void ec_GFp_mont_add(const EC_GROUP *group, EC_RAW_POINT *out,
const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
void ec_GFp_mont_add(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
if (a == b) {
ec_GFp_mont_dbl(group, out, a);
return;
@ -357,8 +357,8 @@ void ec_GFp_mont_add(const EC_GROUP *group, EC_RAW_POINT *out,
ec_felem_select(group, &out->Z, z2nz, &z_out, &a->Z);
}
void ec_GFp_mont_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *a) {
void ec_GFp_mont_dbl(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *a) {
if (group->a_is_minus3) {
// The method is taken from:
// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
@ -453,7 +453,7 @@ void ec_GFp_mont_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
}
static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
const EC_RAW_POINT *p,
const EC_JACOBIAN *p,
const EC_SCALAR *r) {
if (!group->field_greater_than_order ||
group->field.width != group->order.width) {

2
crypto/fipsmodule/ec/ec_test.cc
Unescape View File

@ -1343,7 +1343,7 @@ TEST(ECTest, HashToCurve) {
ASSERT_TRUE(p224);
bssl::UniquePtr<EC_GROUP> p384(EC_GROUP_new_by_curve_name(NID_secp384r1));
ASSERT_TRUE(p384);
EC_RAW_POINT raw;
EC_JACOBIAN raw;
bssl::UniquePtr<EC_POINT> p_p384(EC_POINT_new(p384.get()));
ASSERT_TRUE(p_p384);
bssl::UniquePtr<EC_POINT> p_p224(EC_POINT_new(p224.get()));

140
crypto/fipsmodule/ec/internal.h
Unescape View File

@ -243,16 +243,14 @@ int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a, const EC_FELEM *b);
// Points.
//
// Points may represented in affine coordinates as |EC_AFFINE| or Jacobian
// coordinates as |EC_RAW_POINT|. Affine coordinates directly represent a
// coordinates as |EC_JACOBIAN|. Affine coordinates directly represent a
// point on the curve, but point addition over affine coordinates requires
// costly field inversions, so arithmetic is done in Jacobian coordinates.
// Converting from affine to Jacobian is cheap, while converting from Jacobian
// to affine costs a field inversion. (Jacobian coordinates amortize the field
// inversions needed in a sequence of point operations.)
//
// TODO(davidben): Rename |EC_RAW_POINT| to |EC_JACOBIAN|.
// An EC_RAW_POINT represents an elliptic curve point in Jacobian coordinates.
// An EC_JACOBIAN represents an elliptic curve point in Jacobian coordinates.
// Unlike |EC_POINT|, it is a plain struct which can be stack-allocated and
// needs no cleanup. It is specific to an |EC_GROUP| and must not be mixed
// between groups.
@ -260,7 +258,7 @@ typedef struct {
// X, Y, and Z are Jacobian projective coordinates. They represent
// (X/Z^2, Y/Z^3) if Z != 0 and the point at infinity otherwise.
EC_FELEM X, Y, Z;
} EC_RAW_POINT;
} EC_JACOBIAN;
// An EC_AFFINE represents an elliptic curve point in affine coordinates.
// coordinates. Note the point at infinity cannot be represented in affine
@ -271,7 +269,7 @@ typedef struct {
// ec_affine_to_jacobian converts |p| to Jacobian form and writes the result to
// |*out|. This operation is very cheap and only costs a few copies.
void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out,
void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *p);
// ec_jacobian_to_affine converts |p| to affine form and writes the result to
@ -282,7 +280,7 @@ void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out,
// If only extracting the x-coordinate, use |ec_get_x_coordinate_*| which is
// slightly faster.
OPENSSL_EXPORT int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out,
const EC_RAW_POINT *p);
const EC_JACOBIAN *p);
// ec_jacobian_to_affine_batch converts |num| points in |in| from Jacobian
// coordinates to affine coordinates and writes the results to |out|. It returns
@ -291,7 +289,7 @@ OPENSSL_EXPORT int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out,
// This function is not implemented for all curves. Add implementations as
// needed.
int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out,
const EC_RAW_POINT *in, size_t num);
const EC_JACOBIAN *in, size_t num);
// ec_point_set_affine_coordinates sets |out|'s to a point with affine
// coordinates |x| and |y|. It returns one if the point is on the curve and
@ -309,12 +307,12 @@ int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r,
// ec_point_mul_scalar sets |r| to |p| * |scalar|. Both inputs are considered
// secret.
int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *p, const EC_SCALAR *scalar);
int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p, const EC_SCALAR *scalar);
// ec_point_mul_scalar_base sets |r| to generator * |scalar|. |scalar| is
// treated as secret.
int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r,
int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar);
// ec_point_mul_scalar_batch sets |r| to |p0| * |scalar0| + |p1| * |scalar1| +
@ -335,10 +333,10 @@ int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r,
// none. If generalizing to tuned curves, this may be useful. However, we still
// must double up to the least efficient input, so precomputed tables can only
// save table setup and allow a wider window size.
int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
const EC_RAW_POINT *p2, const EC_SCALAR *scalar2);
int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
const EC_JACOBIAN *p2, const EC_SCALAR *scalar2);
#define EC_MONT_PRECOMP_COMB_SIZE 5
@ -357,7 +355,7 @@ typedef union {
// This function is not implemented for all curves. Add implementations as
// needed.
int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
const EC_RAW_POINT *p);
const EC_JACOBIAN *p);
// ec_point_mul_scalar_precomp sets |r| to |p0| * |scalar0| + |p1| * |scalar1| +
// |p2| * |scalar2|. |p1| or |p2| may be NULL to skip the corresponding term.
@ -381,7 +379,7 @@ int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
// none. If generalizing to tuned curves, we should add a parameter for the base
// point and arrange for the generic implementation to have base point tables
// available.
int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
const EC_PRECOMP *p2, const EC_SCALAR *scalar2);
@ -390,9 +388,9 @@ int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
// generator * |g_scalar| + |p| * |p_scalar|. It assumes that the inputs are
// public so there is no concern about leaking their values through timing.
OPENSSL_EXPORT int ec_point_mul_scalar_public(const EC_GROUP *group,
EC_RAW_POINT *r,
EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
const EC_RAW_POINT *p,
const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar);
// ec_point_mul_scalar_public_batch sets |r| to the sum of generator *
@ -403,15 +401,15 @@ OPENSSL_EXPORT int ec_point_mul_scalar_public(const EC_GROUP *group,
//
// This function is not implemented for all curves. Add implementations as
// needed.
int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
const EC_RAW_POINT *points,
const EC_JACOBIAN *points,
const EC_SCALAR *scalars, size_t num);
// ec_point_select, in constant time, sets |out| to |a| if |mask| is all ones
// and |b| if |mask| is all zeros.
void ec_point_select(const EC_GROUP *group, EC_RAW_POINT *out, BN_ULONG mask,
const EC_RAW_POINT *a, const EC_RAW_POINT *b);
void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask,
const EC_JACOBIAN *a, const EC_JACOBIAN *b);
// ec_affine_select behaves like |ec_point_select| but acts on affine points.
void ec_affine_select(const EC_GROUP *group, EC_AFFINE *out, BN_ULONG mask,
@ -424,14 +422,14 @@ void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask,
// ec_cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group
// order, with |r|. It returns one if the values match and zero if |p| is the
// point at infinity of the values do not match.
int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
const EC_SCALAR *r);
// ec_get_x_coordinate_as_scalar sets |*out| to |p|'s x-coordinate, modulo
// |group->order|. It returns one on success and zero if |p| is the point at
// infinity.
int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
const EC_RAW_POINT *p);
const EC_JACOBIAN *p);
// ec_get_x_coordinate_as_bytes writes |p|'s affine x-coordinate to |out|, which
// must have at must |max_out| bytes. It sets |*out_len| to the number of bytes
@ -439,7 +437,7 @@ int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
// field. This function returns one on success and zero on failure.
int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out,
size_t *out_len, size_t max_out,
const EC_RAW_POINT *p);
const EC_JACOBIAN *p);
// ec_point_byte_len returns the number of bytes in the byte representation of
// a non-infinity point in |group|, encoded according to |form|, or zero if
@ -463,12 +461,12 @@ int ec_point_from_uncompressed(const EC_GROUP *group, EC_AFFINE *out,
// ec_set_to_safe_point sets |out| to an arbitrary point on |group|, either the
// generator or the point at infinity. This is used to guard against callers of
// external APIs not checking the return value.
void ec_set_to_safe_point(const EC_GROUP *group, EC_RAW_POINT *out);
void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out);
// ec_affine_jacobian_equal returns one if |a| and |b| represent the same point
// and zero otherwise. It treats both inputs as secret.
int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a,
const EC_RAW_POINT *b);
const EC_JACOBIAN *b);
// Implementation details.
@ -482,48 +480,48 @@ struct ec_method_st {
// point_get_affine_coordinates sets |*x| and |*y| to the affine coordinates
// of |p|. Either |x| or |y| may be NULL to omit it. It returns one on success
// and zero if |p| is the point at infinity.
int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_RAW_POINT *p,
int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_JACOBIAN *p,
EC_FELEM *x, EC_FELEM *y);
// jacobian_to_affine_batch implements |ec_jacobian_to_affine_batch|.
int (*jacobian_to_affine_batch)(const EC_GROUP *group, EC_AFFINE *out,
const EC_RAW_POINT *in, size_t num);
const EC_JACOBIAN *in, size_t num);
// add sets |r| to |a| + |b|.
void (*add)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *a,
const EC_RAW_POINT *b);
void (*add)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *a,
const EC_JACOBIAN *b);
// dbl sets |r| to |a| + |a|.
void (*dbl)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *a);
void (*dbl)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *a);
// mul sets |r| to |scalar|*|p|.
void (*mul)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *p,
void (*mul)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *p,
const EC_SCALAR *scalar);
// mul_base sets |r| to |scalar|*generator.
void (*mul_base)(const EC_GROUP *group, EC_RAW_POINT *r,
void (*mul_base)(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar);
// mul_batch implements |ec_mul_scalar_batch|.
void (*mul_batch)(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
const EC_RAW_POINT *p2, const EC_SCALAR *scalar2);
void (*mul_batch)(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
const EC_JACOBIAN *p2, const EC_SCALAR *scalar2);
// mul_public sets |r| to |g_scalar|*generator + |p_scalar|*|p|. It assumes
// that the inputs are public so there is no concern about leaking their
// values through timing.
//
// This function may be omitted if |mul_public_batch| is provided.
void (*mul_public)(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_SCALAR *g_scalar, const EC_RAW_POINT *p,
void (*mul_public)(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar, const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar);
// mul_public_batch implements |ec_point_mul_scalar_public_batch|.
int (*mul_public_batch)(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_SCALAR *g_scalar, const EC_RAW_POINT *points,
int (*mul_public_batch)(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar, const EC_JACOBIAN *points,
const EC_SCALAR *scalars, size_t num);
// init_precomp implements |ec_init_precomp|.
int (*init_precomp)(const EC_GROUP *group, EC_PRECOMP *out,
const EC_RAW_POINT *p);
const EC_JACOBIAN *p);
// mul_precomp implements |ec_point_mul_scalar_precomp|.
void (*mul_precomp)(const EC_GROUP *group, EC_RAW_POINT *r,
void (*mul_precomp)(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
const EC_PRECOMP *p2, const EC_SCALAR *scalar2);
@ -583,7 +581,7 @@ struct ec_method_st {
// cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group
// order, with |r|. It returns one if the values match and zero if |p| is the
// point at infinity of the values do not match.
int (*cmp_x_coordinate)(const EC_GROUP *group, const EC_RAW_POINT *p,
int (*cmp_x_coordinate)(const EC_GROUP *group, const EC_JACOBIAN *p,
const EC_SCALAR *r);
} /* EC_METHOD */;
@ -637,24 +635,24 @@ struct ec_point_st {
EC_GROUP *group;
// raw is the group-specific point data. Functions that take |EC_POINT|
// typically check consistency with |EC_GROUP| while functions that take
// |EC_RAW_POINT| do not. Thus accesses to this field should be externally
// |EC_JACOBIAN| do not. Thus accesses to this field should be externally
// checked for consistency.
EC_RAW_POINT raw;
EC_JACOBIAN raw;
} /* EC_POINT */;
EC_GROUP *ec_group_new(const EC_METHOD *meth);
void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *p, const EC_SCALAR *scalar);
void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p, const EC_SCALAR *scalar);
void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar);
void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
const EC_RAW_POINT *p2, const EC_SCALAR *scalar2);
void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
const EC_JACOBIAN *p2, const EC_SCALAR *scalar2);
int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
const EC_RAW_POINT *p);
void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_JACOBIAN *p);
void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
const EC_PRECOMP *p2, const EC_SCALAR *scalar2);
@ -675,9 +673,9 @@ void ec_GFp_mont_felem_exp(const EC_GROUP *group, EC_FELEM *out,
void ec_compute_wNAF(const EC_GROUP *group, int8_t *out,
const EC_SCALAR *scalar, size_t bits, int w);
int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
const EC_RAW_POINT *points,
const EC_JACOBIAN *points,
const EC_SCALAR *scalars, size_t num);
// method functions in simple.c
@ -687,17 +685,17 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
BIGNUM *b);
void ec_GFp_simple_point_init(EC_RAW_POINT *);
void ec_GFp_simple_point_copy(EC_RAW_POINT *, const EC_RAW_POINT *);
void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_RAW_POINT *);
void ec_GFp_mont_add(const EC_GROUP *, EC_RAW_POINT *r, const EC_RAW_POINT *a,
const EC_RAW_POINT *b);
void ec_GFp_mont_dbl(const EC_GROUP *, EC_RAW_POINT *r, const EC_RAW_POINT *a);
void ec_GFp_simple_invert(const EC_GROUP *, EC_RAW_POINT *);
int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_RAW_POINT *);
int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_RAW_POINT *);
int ec_GFp_simple_points_equal(const EC_GROUP *, const EC_RAW_POINT *a,
const EC_RAW_POINT *b);
void ec_GFp_simple_point_init(EC_JACOBIAN *);
void ec_GFp_simple_point_copy(EC_JACOBIAN *, const EC_JACOBIAN *);
void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_JACOBIAN *);
void ec_GFp_mont_add(const EC_GROUP *, EC_JACOBIAN *r, const EC_JACOBIAN *a,
const EC_JACOBIAN *b);
void ec_GFp_mont_dbl(const EC_GROUP *, EC_JACOBIAN *r, const EC_JACOBIAN *a);
void ec_GFp_simple_invert(const EC_GROUP *, EC_JACOBIAN *);
int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_JACOBIAN *);
int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_JACOBIAN *);
int ec_GFp_simple_points_equal(const EC_GROUP *, const EC_JACOBIAN *a,
const EC_JACOBIAN *b);
void ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r,
const EC_SCALAR *a);
@ -705,7 +703,7 @@ int ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,
EC_SCALAR *r,
const EC_SCALAR *a);
int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
const EC_SCALAR *r);
void ec_GFp_simple_felem_to_bytes(const EC_GROUP *group, uint8_t *out,

22
crypto/fipsmodule/ec/p224-64.c
Unescape View File

@ -860,7 +860,7 @@ static crypto_word_t p224_get_bit(const EC_SCALAR *in, size_t i) {
// Takes the Jacobian coordinates (X, Y, Z) of a point and returns
// (X', Y') = (X/Z^2, Y/Z^3)
static int ec_GFp_nistp224_point_get_affine_coordinates(
const EC_GROUP *group, const EC_RAW_POINT *point, EC_FELEM *x,
const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x,
EC_FELEM *y) {
if (ec_GFp_simple_is_at_infinity(group, point)) {
OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
@ -895,8 +895,8 @@ static int ec_GFp_nistp224_point_get_affine_coordinates(
return 1;
}
static void ec_GFp_nistp224_add(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
static void ec_GFp_nistp224_add(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
p224_felem x1, y1, z1, x2, y2, z2;
p224_generic_to_felem(x1, &a->X);
p224_generic_to_felem(y1, &a->Y);
@ -911,8 +911,8 @@ static void ec_GFp_nistp224_add(const EC_GROUP *group, EC_RAW_POINT *r,
p224_felem_to_generic(&r->Z, z1);
}
static void ec_GFp_nistp224_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *a) {
static void ec_GFp_nistp224_dbl(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *a) {
p224_felem x, y, z;
p224_generic_to_felem(x, &a->X);
p224_generic_to_felem(y, &a->Y);
@ -925,7 +925,7 @@ static void ec_GFp_nistp224_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
}
static void ec_GFp_nistp224_make_precomp(p224_felem out[17][3],
const EC_RAW_POINT *p) {
const EC_JACOBIAN *p) {
OPENSSL_memset(out[0], 0, sizeof(p224_felem) * 3);
p224_generic_to_felem(out[1][0], &p->X);
@ -943,8 +943,8 @@ static void ec_GFp_nistp224_make_precomp(p224_felem out[17][3],
}
}
static void ec_GFp_nistp224_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *p,
static void ec_GFp_nistp224_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p,
const EC_SCALAR *scalar) {
p224_felem p_pre_comp[17][3];
ec_GFp_nistp224_make_precomp(p_pre_comp, p);
@ -992,7 +992,7 @@ static void ec_GFp_nistp224_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
}
static void ec_GFp_nistp224_point_mul_base(const EC_GROUP *group,
EC_RAW_POINT *r,
EC_JACOBIAN *r,
const EC_SCALAR *scalar) {
// Set nq to the point at infinity.
p224_felem nq[3], tmp[3];
@ -1039,9 +1039,9 @@ static void ec_GFp_nistp224_point_mul_base(const EC_GROUP *group,
}
static void ec_GFp_nistp224_point_mul_public(const EC_GROUP *group,
EC_RAW_POINT *r,
EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
const EC_RAW_POINT *p,
const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar) {
// TODO(davidben): If P-224 ECDSA verify performance ever matters, using
// |ec_compute_wNAF| for |p_scalar| would likely be an easy improvement.

24
crypto/fipsmodule/ec/p256-nistz.c
Unescape View File

@ -187,7 +187,7 @@ static void ecp_nistz256_mod_inverse_sqr_mont(BN_ULONG r[P256_LIMBS],
// r = p * p_scalar
static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
const EC_RAW_POINT *p,
const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar) {
assert(p != NULL);
assert(p_scalar != NULL);
@ -299,8 +299,8 @@ static crypto_word_t calc_wvalue(size_t *index, const uint8_t p_str[33]) {
return booth_recode_w7(wvalue);
}
static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *p,
static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p,
const EC_SCALAR *scalar) {
alignas(32) P256_POINT out;
ecp_nistz256_windowed_mul(group, &out, p, scalar);
@ -311,7 +311,7 @@ static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
OPENSSL_memcpy(r->Z.words, out.Z, P256_LIMBS * sizeof(BN_ULONG));
}
static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar) {
uint8_t p_str[33];
OPENSSL_memcpy(p_str, scalar->words, 32);
@ -356,9 +356,9 @@ static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
}
static void ecp_nistz256_points_mul_public(const EC_GROUP *group,
EC_RAW_POINT *r,
EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
const EC_RAW_POINT *p_,
const EC_JACOBIAN *p_,
const EC_SCALAR *p_scalar) {
assert(p_ != NULL && p_scalar != NULL && g_scalar != NULL);
@ -420,7 +420,7 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group,
}
static int ecp_nistz256_get_affine(const EC_GROUP *group,
const EC_RAW_POINT *point, EC_FELEM *x,
const EC_JACOBIAN *point, EC_FELEM *x,
EC_FELEM *y) {
if (ec_GFp_simple_is_at_infinity(group, point)) {
OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
@ -444,8 +444,8 @@ static int ecp_nistz256_get_affine(const EC_GROUP *group,
return 1;
}
static void ecp_nistz256_add(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *a_, const EC_RAW_POINT *b_) {
static void ecp_nistz256_add(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *a_, const EC_JACOBIAN *b_) {
P256_POINT a, b;
OPENSSL_memcpy(a.X, a_->X.words, P256_LIMBS * sizeof(BN_ULONG));
OPENSSL_memcpy(a.Y, a_->Y.words, P256_LIMBS * sizeof(BN_ULONG));
@ -459,8 +459,8 @@ static void ecp_nistz256_add(const EC_GROUP *group, EC_RAW_POINT *r,
OPENSSL_memcpy(r->Z.words, a.Z, P256_LIMBS * sizeof(BN_ULONG));
}
static void ecp_nistz256_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *a_) {
static void ecp_nistz256_dbl(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *a_) {
P256_POINT a;
OPENSSL_memcpy(a.X, a_->X.words, P256_LIMBS * sizeof(BN_ULONG));
OPENSSL_memcpy(a.Y, a_->Y.words, P256_LIMBS * sizeof(BN_ULONG));
@ -573,7 +573,7 @@ static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,
}
static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
const EC_RAW_POINT *p,
const EC_JACOBIAN *p,
const EC_SCALAR *r) {
if (ec_GFp_simple_is_at_infinity(group, p)) {
return 0;

22
crypto/fipsmodule/ec/p256.c
Unescape View File

@ -414,7 +414,7 @@ static crypto_word_t fiat_p256_get_bit(const EC_SCALAR *in, int i) {
// Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
// (X/Z^2, Y/Z^3).
static int ec_GFp_nistp256_point_get_affine_coordinates(
const EC_GROUP *group, const EC_RAW_POINT *point, EC_FELEM *x_out,
const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x_out,
EC_FELEM *y_out) {
if (ec_GFp_simple_is_at_infinity(group, point)) {
OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
@ -444,8 +444,8 @@ static int ec_GFp_nistp256_point_get_affine_coordinates(
return 1;
}
static void ec_GFp_nistp256_add(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
static void ec_GFp_nistp256_add(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
fiat_p256_felem x1, y1, z1, x2, y2, z2;
fiat_p256_from_generic(x1, &a->X);
fiat_p256_from_generic(y1, &a->Y);
@ -460,8 +460,8 @@ static void ec_GFp_nistp256_add(const EC_GROUP *group, EC_RAW_POINT *r,
fiat_p256_to_generic(&r->Z, z1);
}
static void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *a) {
static void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *a) {
fiat_p256_felem x, y, z;
fiat_p256_from_generic(x, &a->X);
fiat_p256_from_generic(y, &a->Y);
@ -472,8 +472,8 @@ static void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
fiat_p256_to_generic(&r->Z, z);
}
static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *p,
static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p,
const EC_SCALAR *scalar) {
fiat_p256_felem p_pre_comp[17][3];
OPENSSL_memset(&p_pre_comp, 0, sizeof(p_pre_comp));
@ -540,7 +540,7 @@ static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
}
static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group,
EC_RAW_POINT *r,
EC_JACOBIAN *r,
const EC_SCALAR *scalar) {
// Set nq to the point at infinity.
fiat_p256_felem nq[3] = {{0}, {0}, {0}}, tmp[3];
@ -588,9 +588,9 @@ static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group,
}
static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group,
EC_RAW_POINT *r,
EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
const EC_RAW_POINT *p,
const EC_JACOBIAN *p,
const EC_SCALAR *p_scalar) {
#define P256_WSIZE_PUBLIC 4
// Precompute multiples of |p|. p_pre_comp[i] is (2*i+1) * |p|.
@ -680,7 +680,7 @@ static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group,
}
static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
const EC_RAW_POINT *p,
const EC_JACOBIAN *p,
const EC_SCALAR *r) {
if (ec_GFp_simple_is_at_infinity(group, p)) {
return 0;

20
crypto/fipsmodule/ec/simple.c
Unescape View File

@ -152,36 +152,36 @@ int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
return 1;
}
void ec_GFp_simple_point_init(EC_RAW_POINT *point) {
void ec_GFp_simple_point_init(EC_JACOBIAN *point) {
OPENSSL_memset(&point->X, 0, sizeof(EC_FELEM));
OPENSSL_memset(&point->Y, 0, sizeof(EC_FELEM));
OPENSSL_memset(&point->Z, 0, sizeof(EC_FELEM));
}
void ec_GFp_simple_point_copy(EC_RAW_POINT *dest, const EC_RAW_POINT *src) {
void ec_GFp_simple_point_copy(EC_JACOBIAN *dest, const EC_JACOBIAN *src) {
OPENSSL_memcpy(&dest->X, &src->X, sizeof(EC_FELEM));
OPENSSL_memcpy(&dest->Y, &src->Y, sizeof(EC_FELEM));
OPENSSL_memcpy(&dest->Z, &src->Z, sizeof(EC_FELEM));
}
void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,
EC_RAW_POINT *point) {
EC_JACOBIAN *point) {
// Although it is strictly only necessary to zero Z, we zero the entire point
// in case |point| was stack-allocated and yet to be initialized.
ec_GFp_simple_point_init(point);
}
void ec_GFp_simple_invert(const EC_GROUP *group, EC_RAW_POINT *point) {
void ec_GFp_simple_invert(const EC_GROUP *group, EC_JACOBIAN *point) {
ec_felem_neg(group, &point->Y, &point->Y);
}
int ec_GFp_simple_is_at_infinity(const EC_GROUP *group,
const EC_RAW_POINT *point) {
const EC_JACOBIAN *point) {
return ec_felem_non_zero_mask(group, &point->Z) == 0;
}
int ec_GFp_simple_is_on_curve(const EC_GROUP *group,
const EC_RAW_POINT *point) {
const EC_JACOBIAN *point) {
// We have a curve defined by a Weierstrass equation
// y^2 = x^3 + a*x + b.
// The point to consider is given in Jacobian projective coordinates
@ -237,8 +237,8 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group,
return 1 & ~(not_infinity & not_equal);
}
int ec_GFp_simple_points_equal(const EC_GROUP *group, const EC_RAW_POINT *a,
const EC_RAW_POINT *b) {
int ec_GFp_simple_points_equal(const EC_GROUP *group, const EC_JACOBIAN *a,
const EC_JACOBIAN *b) {
// This function is implemented in constant-time for two reasons. First,
// although EC points are usually public, their Jacobian Z coordinates may be
// secret, or at least are not obviously public. Second, more complex
@ -285,7 +285,7 @@ int ec_GFp_simple_points_equal(const EC_GROUP *group, const EC_RAW_POINT *a,
}
int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a,
const EC_RAW_POINT *b) {
const EC_JACOBIAN *b) {
// If |b| is not infinity, we have to decide whether
// (X_a, Y_a) = (X_b/Z_b^2, Y_b/Z_b^3),
// or equivalently, whether
@ -314,7 +314,7 @@ int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a,
return equal & 1;
}
int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
const EC_SCALAR *r) {
if (ec_GFp_simple_is_at_infinity(group, p)) {
// |ec_get_x_coordinate_as_scalar| will check this internally, but this way

46
crypto/fipsmodule/ec/simple_mul.c
Unescape View File

@ -21,14 +21,14 @@
#include "../../internal.h"
void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *p, const EC_SCALAR *scalar) {
void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p, const EC_SCALAR *scalar) {
// This is a generic implementation for uncommon curves that not do not
// warrant a tuned one. It uses unsigned digits so that the doubling case in
// |ec_GFp_mont_add| is always unreachable, erring on safety and simplicity.
// Compute a table of the first 32 multiples of |p| (including infinity).
EC_RAW_POINT precomp[32];
EC_JACOBIAN precomp[32];
ec_GFp_simple_point_set_to_infinity(group, &precomp[0]);
ec_GFp_simple_point_copy(&precomp[1], p);
for (size_t j = 2; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
@ -56,8 +56,8 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r,
window |= bn_is_bit_set_words(scalar->words, width, i);
// Select the entry in constant-time.
EC_RAW_POINT tmp;
OPENSSL_memset(&tmp, 0, sizeof(EC_RAW_POINT));
EC_JACOBIAN tmp;
OPENSSL_memset(&tmp, 0, sizeof(EC_JACOBIAN));
for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
BN_ULONG mask = constant_time_eq_w(j, window);
ec_point_select(group, &tmp, mask, &precomp[j], &tmp);
@ -76,13 +76,13 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r,
}
}
void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *scalar) {
ec_GFp_mont_mul(group, r, &group->generator->raw, scalar);
}
static void ec_GFp_mont_batch_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
size_t num, const EC_RAW_POINT *p) {
static void ec_GFp_mont_batch_precomp(const EC_GROUP *group, EC_JACOBIAN *out,
size_t num, const EC_JACOBIAN *p) {
assert(num > 1);
ec_GFp_simple_point_set_to_infinity(group, &out[0]);
ec_GFp_simple_point_copy(&out[1], p);
@ -96,8 +96,8 @@ static void ec_GFp_mont_batch_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
}
static void ec_GFp_mont_batch_get_window(const EC_GROUP *group,
EC_RAW_POINT *out,
const EC_RAW_POINT precomp[17],
EC_JACOBIAN *out,
const EC_JACOBIAN precomp[17],
const EC_SCALAR *scalar, unsigned i) {
const size_t width = group->order.width;
uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 5;
@ -112,7 +112,7 @@ static void ec_GFp_mont_batch_get_window(const EC_GROUP *group,
ec_GFp_nistp_recode_scalar_bits(&sign, &digit, window);
// Select the entry in constant-time.
OPENSSL_memset(out, 0, sizeof(EC_RAW_POINT));
OPENSSL_memset(out, 0, sizeof(EC_JACOBIAN));
for (size_t j = 0; j < 17; j++) {
BN_ULONG mask = constant_time_eq_w(j, digit);
ec_point_select(group, out, mask, &precomp[j], out);
@ -126,11 +126,11 @@ static void ec_GFp_mont_batch_get_window(const EC_GROUP *group,
ec_felem_select(group, &out->Y, sign_mask, &neg_Y, &out->Y);
}
void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_RAW_POINT *r,
const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
const EC_RAW_POINT *p2, const EC_SCALAR *scalar2) {
EC_RAW_POINT precomp[3][17];
void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
const EC_JACOBIAN *p2, const EC_SCALAR *scalar2) {
EC_JACOBIAN precomp[3][17];
ec_GFp_mont_batch_precomp(group, precomp[0], 17, p0);
ec_GFp_mont_batch_precomp(group, precomp[1], 17, p1);
if (p2 != NULL) {
@ -145,7 +145,7 @@ void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_RAW_POINT *r,
ec_GFp_mont_dbl(group, r, r);
}
if (i % 5 == 0) {
EC_RAW_POINT tmp;
EC_JACOBIAN tmp;
ec_GFp_mont_batch_get_window(group, &tmp, precomp[0], scalar0, i);
if (r_is_at_infinity) {
ec_GFp_simple_point_copy(r, &tmp);
@ -174,13 +174,13 @@ static unsigned ec_GFp_mont_comb_stride(const EC_GROUP *group) {
}
int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
const EC_RAW_POINT *p) {
const EC_JACOBIAN *p) {
// comb[i - 1] stores the ith element of the comb. That is, if i is
// b4 * 2^4 + b3 * 2^3 + ... + b0 * 2^0, it stores k * |p|, where k is
// b4 * 2^(4*stride) + b3 * 2^(3*stride) + ... + b0 * 2^(0*stride). stride
// here is |ec_GFp_mont_comb_stride|. We store at index i - 1 because the 0th
// comb entry is always infinity.
EC_RAW_POINT comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1];
EC_JACOBIAN comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1];
unsigned stride = ec_GFp_mont_comb_stride(group);
// We compute the comb sequentially by the highest set bit. Initially, all
@ -209,7 +209,7 @@ int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
}
static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
EC_RAW_POINT *out,
EC_JACOBIAN *out,
const EC_PRECOMP *precomp,
const EC_SCALAR *scalar, unsigned i) {
const size_t width = group->order.width;
@ -223,7 +223,7 @@ static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
// Select precomp->comb[window - 1]. If |window| is zero, |match| will always
// be zero, which will leave |out| at infinity.
OPENSSL_memset(out, 0, sizeof(EC_RAW_POINT));
OPENSSL_memset(out, 0, sizeof(EC_JACOBIAN));
for (unsigned j = 0; j < OPENSSL_ARRAY_SIZE(precomp->comb); j++) {
BN_ULONG match = constant_time_eq_w(window, j + 1);
ec_felem_select(group, &out->X, match, &precomp->comb[j].X, &out->X);
@ -233,7 +233,7 @@ static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
ec_felem_select(group, &out->Z, is_infinity, &out->Z, &group->one);
}
void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
const EC_PRECOMP *p2, const EC_SCALAR *scalar2) {
@ -244,7 +244,7 @@ void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
ec_GFp_mont_dbl(group, r, r);
}
EC_RAW_POINT tmp;
EC_JACOBIAN tmp;
ec_GFp_mont_get_comb_window(group, &tmp, p0, scalar0, i);
if (r_is_at_infinity) {
ec_GFp_simple_point_copy(r, &tmp);

26
crypto/fipsmodule/ec/wnaf.c
Unescape View File

@ -148,18 +148,18 @@ void ec_compute_wNAF(const EC_GROUP *group, int8_t *out,
}
// compute_precomp sets |out[i]| to (2*i+1)*p, for i from 0 to |len|.
static void compute_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
const EC_RAW_POINT *p, size_t len) {
static void compute_precomp(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_JACOBIAN *p, size_t len) {
ec_GFp_simple_point_copy(&out[0], p);
EC_RAW_POINT two_p;
EC_JACOBIAN two_p;
ec_GFp_mont_dbl(group, &two_p, p);
for (size_t i = 1; i < len; i++) {
ec_GFp_mont_add(group, &out[i], &out[i - 1], &two_p);
}
}
static void lookup_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
const EC_RAW_POINT *precomp, int digit) {
static void lookup_precomp(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_JACOBIAN *precomp, int digit) {
if (digit < 0) {
digit = -digit;
ec_GFp_simple_point_copy(out, &precomp[digit >> 1]);
@ -179,9 +179,9 @@ static void lookup_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
// avoid a malloc.
#define EC_WNAF_STACK 3
int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
const EC_RAW_POINT *points,
const EC_JACOBIAN *points,
const EC_SCALAR *scalars, size_t num) {
size_t bits = BN_num_bits(&group->order);
size_t wNAF_len = bits + 1;
@ -190,9 +190,9 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
int8_t wNAF_stack[EC_WNAF_STACK][EC_MAX_BYTES * 8 + 1];
int8_t (*wNAF_alloc)[EC_MAX_BYTES * 8 + 1] = NULL;
int8_t (*wNAF)[EC_MAX_BYTES * 8 + 1];
EC_RAW_POINT precomp_stack[EC_WNAF_STACK][EC_WNAF_TABLE_SIZE];
EC_RAW_POINT (*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL;
EC_RAW_POINT (*precomp)[EC_WNAF_TABLE_SIZE];
EC_JACOBIAN precomp_stack[EC_WNAF_STACK][EC_WNAF_TABLE_SIZE];
EC_JACOBIAN (*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL;
EC_JACOBIAN (*precomp)[EC_WNAF_TABLE_SIZE];
if (num <= EC_WNAF_STACK) {
wNAF = wNAF_stack;
precomp = precomp_stack;
@ -212,9 +212,9 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
}
int8_t g_wNAF[EC_MAX_BYTES * 8 + 1];
EC_RAW_POINT g_precomp[EC_WNAF_TABLE_SIZE];
EC_JACOBIAN g_precomp[EC_WNAF_TABLE_SIZE];
assert(wNAF_len <= OPENSSL_ARRAY_SIZE(g_wNAF));
const EC_RAW_POINT *g = &group->generator->raw;
const EC_JACOBIAN *g = &group->generator->raw;
if (g_scalar != NULL) {
ec_compute_wNAF(group, g_wNAF, g_scalar, bits, EC_WNAF_WINDOW_BITS);
compute_precomp(group, g_precomp, g, EC_WNAF_TABLE_SIZE);
@ -226,7 +226,7 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
compute_precomp(group, precomp[i], &points[i], EC_WNAF_TABLE_SIZE);
}
EC_RAW_POINT tmp;
EC_JACOBIAN tmp;
int r_is_at_infinity = 1;
for (size_t k = wNAF_len - 1; k < wNAF_len; k--) {
if (!r_is_at_infinity) {

2
crypto/fipsmodule/ecdh/ecdh.c
Unescape View File

@ -94,7 +94,7 @@ int ECDH_compute_key_fips(uint8_t *out, size_t out_len, const EC_POINT *pub_key,
return 0;
}
EC_RAW_POINT shared_point;
EC_JACOBIAN shared_point;
uint8_t buf[EC_MAX_BYTES];
size_t buflen;
if (!ec_point_mul_scalar(group, &shared_point, &pub_key->raw, priv) ||

4
crypto/fipsmodule/ecdsa/ecdsa.c
Unescape View File

@ -181,7 +181,7 @@ int ecdsa_do_verify_no_self_test(const uint8_t *digest, size_t digest_len,
ec_scalar_mul_montgomery(group, &u1, &m, &s_inv_mont);
ec_scalar_mul_montgomery(group, &u2, &r, &s_inv_mont);
EC_RAW_POINT point;
EC_JACOBIAN point;
if (!ec_point_mul_scalar_public(group, &point, &u1, &pub_key->raw, &u2)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
return 0;
@ -216,7 +216,7 @@ static ECDSA_SIG *ecdsa_sign_impl(const EC_GROUP *group, int *out_retry,
}
// Compute r, the x-coordinate of k * generator.
EC_RAW_POINT tmp_point;
EC_JACOBIAN tmp_point;
EC_SCALAR r;
if (!ec_point_mul_scalar_base(group, &tmp_point, k) ||
!ec_get_x_coordinate_as_scalar(group, &r, &tmp_point)) {

92
crypto/trust_token/pmbtoken.c
Unescape View File

@ -30,9 +30,9 @@
#include "internal.h"
typedef int (*hash_t_func_t)(const EC_GROUP *group, EC_RAW_POINT *out,
typedef int (*hash_t_func_t)(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]);
typedef int (*hash_s_func_t)(const EC_GROUP *group, EC_RAW_POINT *out,
typedef int (*hash_s_func_t)(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *t,
const uint8_t s[TRUST_TOKEN_NONCE_SIZE]);
typedef int (*hash_c_func_t)(const EC_GROUP *group, EC_SCALAR *out,
@ -44,7 +44,7 @@ typedef struct {
const EC_GROUP *group;
EC_PRECOMP g_precomp;
EC_PRECOMP h_precomp;
EC_RAW_POINT h;
EC_JACOBIAN h;
// hash_t implements the H_t operation in PMBTokens. It returns one on success
// and zero on error.
hash_t_func_t hash_t;
@ -173,11 +173,11 @@ static int cbs_get_prefixed_point(CBS *cbs, const EC_GROUP *group,
return 1;
}
static int mul_public_3(const EC_GROUP *group, EC_RAW_POINT *out,
const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
const EC_RAW_POINT *p2, const EC_SCALAR *scalar2) {
EC_RAW_POINT points[3] = {*p0, *p1, *p2};
static int mul_public_3(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
const EC_JACOBIAN *p2, const EC_SCALAR *scalar2) {
EC_JACOBIAN points[3] = {*p0, *p1, *p2};
EC_SCALAR scalars[3] = {*scalar0, *scalar1, *scalar2};
return ec_point_mul_scalar_public_batch(group, out, /*g_scalar=*/NULL, points,
scalars, 3);
@ -189,7 +189,7 @@ static int pmbtoken_compute_keys(const PMBTOKEN_METHOD *method,
const EC_SCALAR *x1, const EC_SCALAR *y1,
const EC_SCALAR *xs, const EC_SCALAR *ys) {
const EC_GROUP *group = method->group;
EC_RAW_POINT pub[3];
EC_JACOBIAN pub[3];
if (!ec_point_mul_scalar_precomp(group, &pub[0], &method->g_precomp,
x0, &method->h_precomp, y0, NULL, NULL) ||
!ec_point_mul_scalar_precomp(group, &pub[1], &method->g_precomp,
@ -303,7 +303,7 @@ static int pmbtoken_issuer_key_from_bytes(const PMBTOKEN_METHOD *method,
}
// Recompute the public key.
EC_RAW_POINT pub[3];
EC_JACOBIAN pub[3];
EC_AFFINE pub_affine[3];
if (!ec_point_mul_scalar_precomp(group, &pub[0], &method->g_precomp, &key->x0,
&method->h_precomp, &key->y0, NULL, NULL) ||
@ -367,7 +367,7 @@ static STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_blind(
ec_scalar_from_montgomery(group, &pretoken->r, &pretoken->r);
ec_scalar_from_montgomery(group, &rinv, &rinv);
EC_RAW_POINT T, Tp;
EC_JACOBIAN T, Tp;
if (!method->hash_t(group, &T, pretoken->t) ||
!ec_point_mul_scalar(group, &Tp, &T, &rinv) ||
!ec_jacobian_to_affine(group, &pretoken->Tp, &Tp)) {
@ -516,8 +516,8 @@ err:
static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb,
const TRUST_TOKEN_ISSUER_KEY *priv,
const EC_RAW_POINT *T, const EC_RAW_POINT *S,
const EC_RAW_POINT *W, const EC_RAW_POINT *Ws,
const EC_JACOBIAN *T, const EC_JACOBIAN *S,
const EC_JACOBIAN *W, const EC_JACOBIAN *Ws,
uint8_t private_metadata) {
const EC_GROUP *group = method->group;
@ -537,7 +537,7 @@ static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb,
idx_Ko1,
num_idx,
};
EC_RAW_POINT jacobians[num_idx];
EC_JACOBIAN jacobians[num_idx];
// Setup the DLEQ proof.
EC_SCALAR ks0, ks1;
@ -675,11 +675,11 @@ static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb,
}
static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs,
const TRUST_TOKEN_CLIENT_KEY *pub, const EC_RAW_POINT *T,
const EC_RAW_POINT *S, const EC_RAW_POINT *W,
const EC_RAW_POINT *Ws) {
const TRUST_TOKEN_CLIENT_KEY *pub, const EC_JACOBIAN *T,
const EC_JACOBIAN *S, const EC_JACOBIAN *W,
const EC_JACOBIAN *Ws) {
const EC_GROUP *group = method->group;
const EC_RAW_POINT *g = &group->generator->raw;
const EC_JACOBIAN *g = &group->generator->raw;
// We verify a DLEQ proof for the validity token and a DLEQOR2 proof for the
// private metadata token. To allow amortizing Jacobian-to-affine conversions,
@ -699,7 +699,7 @@ static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs,
idx_K11,
num_idx,
};
EC_RAW_POINT jacobians[num_idx];
EC_JACOBIAN jacobians[num_idx];
// Decode the DLEQ proof.
EC_SCALAR cs, us, vs;
@ -711,7 +711,7 @@ static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs,
}
// Ks = us*(G;T) + vs*(H;S) - cs*(pubs;Ws)
EC_RAW_POINT pubs;
EC_JACOBIAN pubs;
ec_affine_to_jacobian(group, &pubs, &pub->pubs);
EC_SCALAR minus_cs;
ec_scalar_neg(group, &minus_cs, &cs);
@ -734,7 +734,7 @@ static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs,
return 0;
}
EC_RAW_POINT pub0, pub1;
EC_JACOBIAN pub0, pub1;
ec_affine_to_jacobian(group, &pub0, &pub->pub0);
ec_affine_to_jacobian(group, &pub1, &pub->pub1);
EC_SCALAR minus_c0, minus_c1;
@ -803,17 +803,17 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method,
return 0;
}
if (num_to_issue > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
return 0;
}
int ret = 0;
EC_RAW_POINT *Tps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
EC_RAW_POINT *Sps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
EC_RAW_POINT *Wps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
EC_RAW_POINT *Wsps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
EC_JACOBIAN *Tps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
EC_JACOBIAN *Sps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
EC_JACOBIAN *Wps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
EC_JACOBIAN *Wsps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
EC_SCALAR *es = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR));
CBB batch_cbb;
CBB_zero(&batch_cbb);
@ -831,7 +831,7 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method,
for (size_t i = 0; i < num_to_issue; i++) {
EC_AFFINE Tp_affine;
EC_RAW_POINT Tp;
EC_JACOBIAN Tp;
if (!cbs_get_prefixed_point(cbs, group, &Tp_affine, method->prefix_point)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
goto err;
@ -846,7 +846,7 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method,
uint8_t s[TRUST_TOKEN_NONCE_SIZE];
RAND_bytes(s, TRUST_TOKEN_NONCE_SIZE);
// The |jacobians| and |affines| contain Sp, Wp, and Wsp.
EC_RAW_POINT jacobians[3];
EC_JACOBIAN jacobians[3];
EC_AFFINE affines[3];
if (!method->hash_s(group, &jacobians[0], &Tp_affine, s) ||
!ec_point_mul_scalar_batch(group, &jacobians[1], &Tp, &xb,
@ -887,7 +887,7 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method,
}
}
EC_RAW_POINT Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
EC_JACOBIAN Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
if (!ec_point_mul_scalar_public_batch(group, &Tp_batch,
/*g_scalar=*/NULL, Tps, es,
num_to_issue) ||
@ -944,7 +944,7 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind(
return NULL;
}
if (count > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
count > ((size_t)-1) / sizeof(EC_SCALAR)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
return NULL;
@ -952,10 +952,10 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind(
int ok = 0;
STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null();
EC_RAW_POINT *Tps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
EC_RAW_POINT *Sps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
EC_RAW_POINT *Wps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
EC_RAW_POINT *Wsps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
EC_JACOBIAN *Tps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
EC_JACOBIAN *Sps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
EC_JACOBIAN *Wps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
EC_JACOBIAN *Wsps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
EC_SCALAR *es = OPENSSL_malloc(count * sizeof(EC_SCALAR));
CBB batch_cbb;
CBB_zero(&batch_cbb);
@ -1003,7 +1003,7 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind(
}
// Unblind the token.
EC_RAW_POINT jacobians[3];
EC_JACOBIAN jacobians[3];
EC_AFFINE affines[3];
if (!ec_point_mul_scalar(group, &jacobians[0], &Sps[i], &pretoken->r) ||
!ec_point_mul_scalar(group, &jacobians[1], &Wps[i], &pretoken->r) ||
@ -1050,7 +1050,7 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind(
}
}
EC_RAW_POINT Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
EC_JACOBIAN Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
if (!ec_point_mul_scalar_public_batch(group, &Tp_batch,
/*g_scalar=*/NULL, Tps, es, count) ||
!ec_point_mul_scalar_public_batch(group, &Sp_batch,
@ -1116,14 +1116,14 @@ static int pmbtoken_read(const PMBTOKEN_METHOD *method,
OPENSSL_memcpy(out_nonce, CBS_data(&salt), CBS_len(&salt));
}
EC_RAW_POINT T;
EC_JACOBIAN T;
if (!method->hash_t(group, &T, out_nonce)) {
return 0;
}
// We perform three multiplications with S and T. This is enough that it is
// worth using |ec_point_mul_scalar_precomp|.
EC_RAW_POINT S_jacobian;
EC_JACOBIAN S_jacobian;
EC_PRECOMP S_precomp, T_precomp;
ec_affine_to_jacobian(group, &S_jacobian, &S);
if (!ec_init_precomp(group, &S_precomp, &S_jacobian) ||
@ -1131,7 +1131,7 @@ static int pmbtoken_read(const PMBTOKEN_METHOD *method,
return 0;
}
EC_RAW_POINT Ws_calculated;
EC_JACOBIAN Ws_calculated;
// Check the validity of the token.
if (!ec_point_mul_scalar_precomp(group, &Ws_calculated, &T_precomp, &key->xs,
&S_precomp, &key->ys, NULL, NULL) ||
@ -1140,7 +1140,7 @@ static int pmbtoken_read(const PMBTOKEN_METHOD *method,
return 0;
}
EC_RAW_POINT W0, W1;
EC_JACOBIAN W0, W1;
if (!ec_point_mul_scalar_precomp(group, &W0, &T_precomp, &key->x0, &S_precomp,
&key->y0, NULL, NULL) ||
!ec_point_mul_scalar_precomp(group, &W1, &T_precomp, &key->x1, &S_precomp,
@ -1164,14 +1164,14 @@ static int pmbtoken_read(const PMBTOKEN_METHOD *method,
// PMBTokens experiment v1.
static int pmbtoken_exp1_hash_t(const EC_GROUP *group, EC_RAW_POINT *out,
static int pmbtoken_exp1_hash_t(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashTLabel[] = "PMBTokens Experiment V1 HashT";
return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);
}
static int pmbtoken_exp1_hash_s(const EC_GROUP *group, EC_RAW_POINT *out,
static int pmbtoken_exp1_hash_s(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *t,
const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashSLabel[] = "PMBTokens Experiment V1 HashS";
@ -1337,14 +1337,14 @@ int pmbtoken_exp1_get_h_for_testing(uint8_t out[97]) {
// PMBTokens experiment v2.
static int pmbtoken_exp2_hash_t(const EC_GROUP *group, EC_RAW_POINT *out,
static int pmbtoken_exp2_hash_t(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashTLabel[] = "PMBTokens Experiment V2 HashT";
return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);
}
static int pmbtoken_exp2_hash_s(const EC_GROUP *group, EC_RAW_POINT *out,
static int pmbtoken_exp2_hash_s(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *t,
const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashSLabel[] = "PMBTokens Experiment V2 HashS";
@ -1511,14 +1511,14 @@ int pmbtoken_exp2_get_h_for_testing(uint8_t out[97]) {
// PMBTokens PST v1.
static int pmbtoken_pst1_hash_t(const EC_GROUP *group, EC_RAW_POINT *out,
static int pmbtoken_pst1_hash_t(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashTLabel[] = "PMBTokens PST V1 HashT";
return ec_hash_to_curve_p384_xmd_sha384_sswu(
group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);
}
static int pmbtoken_pst1_hash_s(const EC_GROUP *group, EC_RAW_POINT *out,
static int pmbtoken_pst1_hash_s(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_AFFINE *t,
const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashSLabel[] = "PMBTokens PST V1 HashS";

88
crypto/trust_token/voprf.c
Unescape View File

@ -29,7 +29,7 @@
#include "internal.h"
typedef int (*hash_to_group_func_t)(const EC_GROUP *group, EC_RAW_POINT *out,
typedef int (*hash_to_group_func_t)(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]);
typedef int (*hash_to_scalar_func_t)(const EC_GROUP *group, EC_SCALAR *out,
uint8_t *buf, size_t len);
@ -118,7 +118,7 @@ static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) {
static int voprf_calculate_key(const VOPRF_METHOD *method, CBB *out_private,
CBB *out_public, const EC_SCALAR *priv) {
const EC_GROUP *group = method->group;
EC_RAW_POINT pub;
EC_JACOBIAN pub;
EC_AFFINE pub_affine;
if (!ec_point_mul_scalar_base(group, &pub, priv) ||
!ec_jacobian_to_affine(group, &pub_affine, &pub)) {
@ -197,7 +197,7 @@ static int voprf_issuer_key_from_bytes(const VOPRF_METHOD *method,
}
// Recompute the public key.
EC_RAW_POINT pub;
EC_JACOBIAN pub;
if (!ec_point_mul_scalar_base(group, &pub, &key->xs) ||
!ec_jacobian_to_affine(group, &key->pubs, &pub)) {
return 0;
@ -255,7 +255,7 @@ static STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_blind(const VOPRF_METHOD *method,
ec_scalar_from_montgomery(group, &pretoken->r, &pretoken->r);
// Tp is the blinded token in the VOPRF protocol.
EC_RAW_POINT P, Tp;
EC_JACOBIAN P, Tp;
if (!method->hash_to_group(group, &P, pretoken->t) ||
!ec_point_mul_scalar(group, &Tp, &P, &r) ||
!ec_jacobian_to_affine(group, &pretoken->Tp, &Tp)) {
@ -362,7 +362,7 @@ err:
static int dleq_generate(const VOPRF_METHOD *method, CBB *cbb,
const TRUST_TOKEN_ISSUER_KEY *priv,
const EC_RAW_POINT *T, const EC_RAW_POINT *W) {
const EC_JACOBIAN *T, const EC_JACOBIAN *W) {
const EC_GROUP *group = method->group;
enum {
@ -372,7 +372,7 @@ static int dleq_generate(const VOPRF_METHOD *method, CBB *cbb,
idx_k1,
num_idx,
};
EC_RAW_POINT jacobians[num_idx];
EC_JACOBIAN jacobians[num_idx];
// Setup the DLEQ proof.
EC_SCALAR r;
@ -417,18 +417,18 @@ static int dleq_generate(const VOPRF_METHOD *method, CBB *cbb,
return 1;
}
static int mul_public_2(const EC_GROUP *group, EC_RAW_POINT *out,
const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
const EC_RAW_POINT *p1, const EC_SCALAR *scalar1) {
EC_RAW_POINT points[2] = {*p0, *p1};
static int mul_public_2(const EC_GROUP *group, EC_JACOBIAN *out,
const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
const EC_JACOBIAN *p1, const EC_SCALAR *scalar1) {
EC_JACOBIAN points[2] = {*p0, *p1};
EC_SCALAR scalars[2] = {*scalar0, *scalar1};
return ec_point_mul_scalar_public_batch(group, out, /*g_scalar=*/NULL, points,
scalars, 2);
}
static int dleq_verify(const VOPRF_METHOD *method, CBS *cbs,
const TRUST_TOKEN_CLIENT_KEY *pub, const EC_RAW_POINT *T,
const EC_RAW_POINT *W) {
const TRUST_TOKEN_CLIENT_KEY *pub, const EC_JACOBIAN *T,
const EC_JACOBIAN *W) {
const EC_GROUP *group = method->group;
@ -439,7 +439,7 @@ static int dleq_verify(const VOPRF_METHOD *method, CBS *cbs,
idx_k1,
num_idx,
};
EC_RAW_POINT jacobians[num_idx];
EC_JACOBIAN jacobians[num_idx];
// Decode the DLEQ proof.
EC_SCALAR c, u;
@ -450,7 +450,7 @@ static int dleq_verify(const VOPRF_METHOD *method, CBS *cbs,
}
// k0;k1 = u*(G;T) - c*(pub;W)
EC_RAW_POINT pubs;
EC_JACOBIAN pubs;
ec_affine_to_jacobian(group, &pubs, &pub->pubs);
EC_SCALAR minus_c;
ec_scalar_neg(group, &minus_c, &c);
@ -494,15 +494,15 @@ static int voprf_sign_tt(const VOPRF_METHOD *method,
return 0;
}
if (num_to_issue > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
return 0;
}
int ret = 0;
EC_RAW_POINT *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
EC_RAW_POINT *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
EC_JACOBIAN *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
EC_JACOBIAN *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
EC_SCALAR *es = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR));
CBB batch_cbb;
CBB_zero(&batch_cbb);
@ -516,7 +516,7 @@ static int voprf_sign_tt(const VOPRF_METHOD *method,
for (size_t i = 0; i < num_to_issue; i++) {
EC_AFFINE BT_affine, Z_affine;
EC_RAW_POINT BT, Z;
EC_JACOBIAN BT, Z;
if (!cbs_get_point(cbs, group, &BT_affine)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
goto err;
@ -549,7 +549,7 @@ static int voprf_sign_tt(const VOPRF_METHOD *method,
}
}
EC_RAW_POINT BT_batch, Z_batch;
EC_JACOBIAN BT_batch, Z_batch;
if (!ec_point_mul_scalar_public_batch(group, &BT_batch,
/*g_scalar=*/NULL, BTs, es,
num_to_issue) ||
@ -593,7 +593,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt(
return NULL;
}
if (count > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
count > ((size_t)-1) / sizeof(EC_SCALAR)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
return NULL;
@ -601,8 +601,8 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt(
int ok = 0;
STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null();
EC_RAW_POINT *BTs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
EC_RAW_POINT *Zs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
EC_JACOBIAN *BTs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
EC_JACOBIAN *Zs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
EC_SCALAR *es = OPENSSL_malloc(count * sizeof(EC_SCALAR));
CBB batch_cbb;
CBB_zero(&batch_cbb);
@ -635,7 +635,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt(
// Unblind the token.
// pretoken->r is rinv.
EC_RAW_POINT N;
EC_JACOBIAN N;
EC_AFFINE N_affine;
if (!ec_point_mul_scalar(group, &N, &Zs[i], &pretoken->r) ||
!ec_jacobian_to_affine(group, &N_affine, &N)) {
@ -674,7 +674,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt(
}
}
EC_RAW_POINT BT_batch, Z_batch;
EC_JACOBIAN BT_batch, Z_batch;
if (!ec_point_mul_scalar_public_batch(group, &BT_batch,
/*g_scalar=*/NULL, BTs, es, count) ||
!ec_point_mul_scalar_public_batch(group, &Z_batch,
@ -767,8 +767,8 @@ static int compute_composite_element(const VOPRF_METHOD *method,
static int generate_proof(const VOPRF_METHOD *method, CBB *cbb,
const TRUST_TOKEN_ISSUER_KEY *priv,
const EC_SCALAR *r, const EC_RAW_POINT *M,
const EC_RAW_POINT *Z) {
const EC_SCALAR *r, const EC_JACOBIAN *M,
const EC_JACOBIAN *Z) {
const EC_GROUP *group = method->group;
enum {
@ -778,7 +778,7 @@ static int generate_proof(const VOPRF_METHOD *method, CBB *cbb,
idx_t3,
num_idx,
};
EC_RAW_POINT jacobians[num_idx];
EC_JACOBIAN jacobians[num_idx];
if (!ec_point_mul_scalar_base(group, &jacobians[idx_t2], r) ||
!ec_point_mul_scalar(group, &jacobians[idx_t3], M, r)) {
@ -819,7 +819,7 @@ static int generate_proof(const VOPRF_METHOD *method, CBB *cbb,
static int verify_proof(const VOPRF_METHOD *method, CBS *cbs,
const TRUST_TOKEN_CLIENT_KEY *pub,
const EC_RAW_POINT *M, const EC_RAW_POINT *Z) {
const EC_JACOBIAN *M, const EC_JACOBIAN *Z) {
const EC_GROUP *group = method->group;
enum {
@ -829,7 +829,7 @@ static int verify_proof(const VOPRF_METHOD *method, CBS *cbs,
idx_t3,
num_idx,
};
EC_RAW_POINT jacobians[num_idx];
EC_JACOBIAN jacobians[num_idx];
EC_SCALAR c, s;
if (!scalar_from_cbs(cbs, group, &c) ||
@ -838,7 +838,7 @@ static int verify_proof(const VOPRF_METHOD *method, CBS *cbs,
return 0;
}
EC_RAW_POINT pubs;
EC_JACOBIAN pubs;
ec_affine_to_jacobian(group, &pubs, &pub->pubs);
if (!ec_point_mul_scalar_public(group, &jacobians[idx_t2], &s, &pubs,
&c) ||
@ -879,15 +879,15 @@ static int voprf_sign_impl(const VOPRF_METHOD *method,
return 0;
}
if (num_to_issue > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
return 0;
}
int ret = 0;
EC_RAW_POINT *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
EC_RAW_POINT *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
EC_JACOBIAN *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
EC_JACOBIAN *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN));
EC_SCALAR *dis = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR));
if (!BTs || !Zs || !dis) {
goto err;
@ -905,7 +905,7 @@ static int voprf_sign_impl(const VOPRF_METHOD *method,
// the proof generation.
for (size_t i = 0; i < num_to_issue; i++) {
EC_AFFINE BT_affine, Z_affine;
EC_RAW_POINT BT, Z;
EC_JACOBIAN BT, Z;
if (!cbs_get_point(cbs, group, &BT_affine)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
goto err;
@ -928,7 +928,7 @@ static int voprf_sign_impl(const VOPRF_METHOD *method,
}
}
EC_RAW_POINT M, Z;
EC_JACOBIAN M, Z;
if (!ec_point_mul_scalar_public_batch(group, &M,
/*g_scalar=*/NULL, BTs, dis,
num_to_issue) ||
@ -995,7 +995,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind(
return NULL;
}
if (count > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) ||
count > ((size_t)-1) / sizeof(EC_SCALAR)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
return NULL;
@ -1003,8 +1003,8 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind(
int ok = 0;
STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null();
EC_RAW_POINT *BTs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
EC_RAW_POINT *Zs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
EC_JACOBIAN *BTs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
EC_JACOBIAN *Zs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN));
EC_SCALAR *dis = OPENSSL_malloc(count * sizeof(EC_SCALAR));
if (ret == NULL || !BTs || !Zs || !dis) {
goto err;
@ -1034,7 +1034,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind(
// Unblind the token.
// pretoken->r is rinv.
EC_RAW_POINT N;
EC_JACOBIAN N;
EC_AFFINE N_affine;
if (!ec_point_mul_scalar(group, &N, &Zs[i], &pretoken->r) ||
!ec_jacobian_to_affine(group, &N_affine, &N)) {
@ -1064,7 +1064,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind(
}
}
EC_RAW_POINT M, Z;
EC_JACOBIAN M, Z;
if (!ec_point_mul_scalar_public_batch(group, &M,
/*g_scalar=*/NULL, BTs, dis,
count) ||
@ -1122,12 +1122,12 @@ static int voprf_read(const VOPRF_METHOD *method,
}
EC_RAW_POINT T;
EC_JACOBIAN T;
if (!method->hash_to_group(group, &T, out_nonce)) {
return 0;
}
EC_RAW_POINT Ws_calculated;
EC_JACOBIAN Ws_calculated;
if (!ec_point_mul_scalar(group, &Ws_calculated, &T, &key->xs) ||
!ec_affine_jacobian_equal(group, &Ws, &Ws_calculated)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BAD_VALIDITY_CHECK);
@ -1140,7 +1140,7 @@ static int voprf_read(const VOPRF_METHOD *method,
// VOPRF experiment v2.
static int voprf_exp2_hash_to_group(const EC_GROUP *group, EC_RAW_POINT *out,
static int voprf_exp2_hash_to_group(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashTLabel[] = "TrustToken VOPRF Experiment V2 HashToGroup";
return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
@ -1254,7 +1254,7 @@ int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,
// VOPRF PST v1.
static int voprf_pst1_hash_to_group(const EC_GROUP *group, EC_RAW_POINT *out,
static int voprf_pst1_hash_to_group(const EC_GROUP *group, EC_JACOBIAN *out,
const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {
const uint8_t kHashTLabel[] = "HashToGroup-OPRFV1-\x01-P384-SHA384";
return ec_hash_to_curve_p384_xmd_sha384_sswu(group, out, kHashTLabel,

4
tool/speed.cc
Unescape View File

@ -1024,7 +1024,7 @@ static bool SpeedHashToCurve(const std::string &selected) {
return false;
}
if (!TimeFunction(&results, [&]() -> bool {
EC_RAW_POINT out;
EC_JACOBIAN out;
return ec_hash_to_curve_p256_xmd_sha256_sswu(
p256, &out, kLabel, sizeof(kLabel), input, sizeof(input));
})) {
@ -1038,7 +1038,7 @@ static bool SpeedHashToCurve(const std::string &selected) {
return false;
}
if (!TimeFunction(&results, [&]() -> bool {
EC_RAW_POINT out;
EC_JACOBIAN out;
return ec_hash_to_curve_p384_xmd_sha384_sswu(
p384, &out, kLabel, sizeof(kLabel), input, sizeof(input));
})) {

Write Preview
Loading…
Cancel
Save