ag/cpython-source-deps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Import OpenSSL 1.1.0i

Browse Source
This commit is contained in:
Steve Dower
2018-08-14 08:22:53 -07:00
parent 807cee26df
commit 6960e8d7c7
282 changed files with 5215 additions and 2261 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
crypto/ec/asm/ecp_nistz256-armv4.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -894,13 +894,13 @@ ecp_nistz256_scatter_w7:
.Loop_scatter_w7:
ldr $mask,[$inp],#4
subs $index,$index,#1
strb $mask,[$out,#64*0-1]
strb $mask,[$out,#64*0]
mov $mask,$mask,lsr#8
strb $mask,[$out,#64*1-1]
strb $mask,[$out,#64*1]
mov $mask,$mask,lsr#8
strb $mask,[$out,#64*2-1]
strb $mask,[$out,#64*2]
mov $mask,$mask,lsr#8
strb $mask,[$out,#64*3-1]
strb $mask,[$out,#64*3]
add $out,$out,#64*4
bne .Loop_scatter_w7
@@ -1633,7 +1633,7 @@ ___
$code.=<<___;
.Ladd_done:
add sp,sp,#32*18+16+16 @ +16 means "skip even over saved r0-r3"
#if __ARM_ARCH__>=5 || defined(__thumb__)
#if __ARM_ARCH__>=5 || !defined(__thumb__)
ldmia sp!,{r4-r12,pc}
#else
ldmia sp!,{r4-r12,lr}

18
crypto/ec/asm/ecp_nistz256-armv8.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1477,21 +1477,21 @@ ecp_nistz256_scatter_w7:
prfm pstl1strm,[$out,#4096+64*5]
prfm pstl1strm,[$out,#4096+64*6]
prfm pstl1strm,[$out,#4096+64*7]
strb w3,[$out,#64*0-1]
strb w3,[$out,#64*0]
lsr x3,x3,#8
strb w3,[$out,#64*1-1]
strb w3,[$out,#64*1]
lsr x3,x3,#8
strb w3,[$out,#64*2-1]
strb w3,[$out,#64*2]
lsr x3,x3,#8
strb w3,[$out,#64*3-1]
strb w3,[$out,#64*3]
lsr x3,x3,#8
strb w3,[$out,#64*4-1]
strb w3,[$out,#64*4]
lsr x3,x3,#8
strb w3,[$out,#64*5-1]
strb w3,[$out,#64*5]
lsr x3,x3,#8
strb w3,[$out,#64*6-1]
strb w3,[$out,#64*6]
lsr x3,x3,#8
strb w3,[$out,#64*7-1]
strb w3,[$out,#64*7]
add $out,$out,#64*8
b.ne .Loop_scatter_w7

4
crypto/ec/asm/ecp_nistz256-avx2.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -67,7 +67,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
$addx = ($1>=12);
}
if (!$addx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) {
if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) {
my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
$avx = ($ver>=3.0) + ($ver>=3.01);
$addx = ($ver>=3.03);

10
crypto/ec/asm/ecp_nistz256-sparcv9.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1531,13 +1531,13 @@ ecp_nistz256_scatter_w7:
ld [$inp],%l0
add $inp,4,$inp
subcc $index,1,$index
stb %l0,[$out+64*0-1]
stb %l0,[$out+64*0]
srl %l0,8,%l1
stb %l1,[$out+64*1-1]
stb %l1,[$out+64*1]
srl %l0,16,%l2
stb %l2,[$out+64*2-1]
stb %l2,[$out+64*2]
srl %l0,24,%l3
stb %l3,[$out+64*3-1]
stb %l3,[$out+64*3]
bne .Loop_scatter_w7
add $out,64*4,$out

4
crypto/ec/asm/ecp_nistz256-x86.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1179,7 +1179,7 @@ for ($i=0;$i<7;$i++) {
&mov ("esi",&wparam(1));
&mov ("ebp",&wparam(2));
&lea ("edi",&DWP(-1,"edi","ebp"));
&lea ("edi",&DWP(0,"edi","ebp"));
&mov ("ebp",64/4);
&set_label("scatter_w7_loop");
&mov ("eax",&DWP(0,"esi"));

3
crypto/ec/ec2_smpl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -330,6 +330,7 @@ int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
if (!BN_copy(dest->Z, src->Z))
return 0;
dest->Z_is_one = src->Z_is_one;
dest->curve_name = src->curve_name;
return 1;
}

13
crypto/ec/ec_ameth.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -92,19 +92,19 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
static EC_KEY *eckey_type2param(int ptype, const void *pval)
{
EC_KEY *eckey = NULL;
EC_GROUP *group = NULL;
if (ptype == V_ASN1_SEQUENCE) {
const ASN1_STRING *pstr = pval;
const unsigned char *pm = NULL;
int pmlen;
pm = pstr->data;
pmlen = pstr->length;
const unsigned char *pm = pstr->data;
int pmlen = pstr->length;
if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) {
ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR);
goto ecerr;
}
} else if (ptype == V_ASN1_OBJECT) {
const ASN1_OBJECT *poid = pval;
EC_GROUP *group;
/*
* type == V_ASN1_OBJECT => the parameters are given by an asn1 OID
@@ -129,6 +129,7 @@ static EC_KEY *eckey_type2param(int ptype, const void *pval)
ecerr:
EC_KEY_free(eckey);
EC_GROUP_free(group);
return NULL;
}

6
crypto/ec/ec_curve.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -3036,6 +3036,8 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
}
#endif
EC_GROUP_set_curve_name(group, curve.nid);
if ((P = EC_POINT_new(group)) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
goto err;
@@ -3101,8 +3103,6 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
return NULL;
}
EC_GROUP_set_curve_name(ret, nid);
return ret;
}

18
crypto/ec/ec_lcl.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -269,6 +269,8 @@ struct ec_key_st {
struct ec_point_st {
const EC_METHOD *meth;
/* NID for the curve if known */
int curve_name;
/*
* All members except 'meth' are handled by the method functions, even if
* they appear generic
@@ -281,6 +283,20 @@ struct ec_point_st {
* special case */
};
static ossl_inline int ec_point_is_compat(const EC_POINT *point,
const EC_GROUP *group)
{
if (group->meth != point->meth
|| (group->curve_name != 0
&& point->curve_name != 0
&& group->curve_name != point->curve_name))
return 0;
return 1;
}
NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *);
NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *);
NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *);

41
crypto/ec/ec_lib.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -140,6 +140,8 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
if (dest == src)
return 1;
dest->curve_name = src->curve_name;
/* Copy precomputed */
dest->pre_comp_type = src->pre_comp_type;
switch (src->pre_comp_type) {
@@ -202,7 +204,6 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
return 0;
}
dest->curve_name = src->curve_name;
dest->asn1_flag = src->asn1_flag;
dest->asn1_form = src->asn1_form;
@@ -563,6 +564,7 @@ EC_POINT *EC_POINT_new(const EC_GROUP *group)
}
ret->meth = group->meth;
ret->curve_name = group->curve_name;
if (!ret->meth->point_init(ret)) {
OPENSSL_free(ret);
@@ -600,7 +602,10 @@ int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src)
ECerr(EC_F_EC_POINT_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (dest->meth != src->meth) {
if (dest->meth != src->meth
|| (dest->curve_name != src->curve_name
&& dest->curve_name != 0
&& src->curve_name != 0)) {
ECerr(EC_F_EC_POINT_COPY, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -657,7 +662,7 @@ int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group,
ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP,
EC_R_INCOMPATIBLE_OBJECTS);
return 0;
@@ -676,7 +681,7 @@ int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP,
EC_R_INCOMPATIBLE_OBJECTS);
return 0;
@@ -694,7 +699,7 @@ int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group,
ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP,
EC_R_INCOMPATIBLE_OBJECTS);
return 0;
@@ -720,7 +725,7 @@ int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group,
ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M,
EC_R_INCOMPATIBLE_OBJECTS);
return 0;
@@ -746,7 +751,7 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP,
EC_R_INCOMPATIBLE_OBJECTS);
return 0;
@@ -764,7 +769,7 @@ int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M,
EC_R_INCOMPATIBLE_OBJECTS);
return 0;
@@ -780,8 +785,8 @@ int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
ECerr(EC_F_EC_POINT_ADD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if ((group->meth != r->meth) || (r->meth != a->meth)
|| (a->meth != b->meth)) {
if (!ec_point_is_compat(r, group) || !ec_point_is_compat(a, group)
|| !ec_point_is_compat(b, group)) {
ECerr(EC_F_EC_POINT_ADD, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -795,7 +800,7 @@ int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if ((group->meth != r->meth) || (r->meth != a->meth)) {
if (!ec_point_is_compat(r, group) || !ec_point_is_compat(a, group)) {
ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -808,7 +813,7 @@ int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx)
ECerr(EC_F_EC_POINT_INVERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != a->meth) {
if (!ec_point_is_compat(a, group)) {
ECerr(EC_F_EC_POINT_INVERT, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -822,7 +827,7 @@ int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_IS_AT_INFINITY, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -843,7 +848,7 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
ECerr(EC_F_EC_POINT_IS_ON_CURVE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_IS_ON_CURVE, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -857,7 +862,7 @@ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b,
ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return -1;
}
if ((group->meth != a->meth) || (a->meth != b->meth)) {
if (!ec_point_is_compat(a, group) || !ec_point_is_compat(b, group)) {
ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS);
return -1;
}
@@ -870,7 +875,7 @@ int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
ECerr(EC_F_EC_POINT_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -887,7 +892,7 @@ int EC_POINTs_make_affine(const EC_GROUP *group, size_t num,
return 0;
}
for (i = 0; i < num; i++) {
if (group->meth != points[i]->meth) {
if (!ec_point_is_compat(points[i], group)) {
ECerr(EC_F_EC_POINTS_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}

250
crypto/ec/ec_mult.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -105,6 +105,224 @@ void EC_ec_pre_comp_free(EC_PRE_COMP *pre)
OPENSSL_free(pre);
}
#define EC_POINT_BN_set_flags(P, flags) do { \
BN_set_flags((P)->X, (flags)); \
BN_set_flags((P)->Y, (flags)); \
BN_set_flags((P)->Z, (flags)); \
} while(0)
/*-
* This functions computes (in constant time) a point multiplication over the
* EC group.
*
* At a high level, it is Montgomery ladder with conditional swaps.
*
* It performs either a fixed scalar point multiplication
* (scalar * generator)
* when point is NULL, or a generic scalar point multiplication
* (scalar * point)
* when point is not NULL.
*
* scalar should be in the range [0,n) otherwise all constant time bets are off.
*
* NB: This says nothing about EC_POINT_add and EC_POINT_dbl,
* which of course are not constant time themselves.
*
* The product is stored in r.
*
* Returns 1 on success, 0 otherwise.
*/
static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
const BIGNUM *scalar, const EC_POINT *point,
BN_CTX *ctx)
{
int i, cardinality_bits, group_top, kbit, pbit, Z_is_one;
EC_POINT *s = NULL;
BIGNUM *k = NULL;
BIGNUM *lambda = NULL;
BIGNUM *cardinality = NULL;
BN_CTX *new_ctx = NULL;
int ret = 0;
if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
return 0;
BN_CTX_start(ctx);
s = EC_POINT_new(group);
if (s == NULL)
goto err;
if (point == NULL) {
if (!EC_POINT_copy(s, group->generator))
goto err;
} else {
if (!EC_POINT_copy(s, point))
goto err;
}
EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME);
cardinality = BN_CTX_get(ctx);
lambda = BN_CTX_get(ctx);
k = BN_CTX_get(ctx);
if (k == NULL || !BN_mul(cardinality, group->order, group->cofactor, ctx))
goto err;
/*
* Group cardinalities are often on a word boundary.
* So when we pad the scalar, some timing diff might
* pop if it needs to be expanded due to carries.
* So expand ahead of time.
*/
cardinality_bits = BN_num_bits(cardinality);
group_top = bn_get_top(cardinality);
if ((bn_wexpand(k, group_top + 1) == NULL)
|| (bn_wexpand(lambda, group_top + 1) == NULL))
goto err;
if (!BN_copy(k, scalar))
goto err;
BN_set_flags(k, BN_FLG_CONSTTIME);
if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) {
/*-
* this is an unusual input, and we don't guarantee
* constant-timeness
*/
if (!BN_nnmod(k, k, cardinality, ctx))
goto err;
}
if (!BN_add(lambda, k, cardinality))
goto err;
BN_set_flags(lambda, BN_FLG_CONSTTIME);
if (!BN_add(k, lambda, cardinality))
goto err;
/*
* lambda := scalar + cardinality
* k := scalar + 2*cardinality
*/
kbit = BN_is_bit_set(lambda, cardinality_bits);
BN_consttime_swap(kbit, k, lambda, group_top + 1);
group_top = bn_get_top(group->field);
if ((bn_wexpand(s->X, group_top) == NULL)
|| (bn_wexpand(s->Y, group_top) == NULL)
|| (bn_wexpand(s->Z, group_top) == NULL)
|| (bn_wexpand(r->X, group_top) == NULL)
|| (bn_wexpand(r->Y, group_top) == NULL)
|| (bn_wexpand(r->Z, group_top) == NULL))
goto err;
/* top bit is a 1, in a fixed pos */
if (!EC_POINT_copy(r, s))
goto err;
EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME);
if (!EC_POINT_dbl(group, s, s, ctx))
goto err;
pbit = 0;
#define EC_POINT_CSWAP(c, a, b, w, t) do { \
BN_consttime_swap(c, (a)->X, (b)->X, w); \
BN_consttime_swap(c, (a)->Y, (b)->Y, w); \
BN_consttime_swap(c, (a)->Z, (b)->Z, w); \
t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \
(a)->Z_is_one ^= (t); \
(b)->Z_is_one ^= (t); \
} while(0)
/*-
* The ladder step, with branches, is
*
* k[i] == 0: S = add(R, S), R = dbl(R)
* k[i] == 1: R = add(S, R), S = dbl(S)
*
* Swapping R, S conditionally on k[i] leaves you with state
*
* k[i] == 0: T, U = R, S
* k[i] == 1: T, U = S, R
*
* Then perform the ECC ops.
*
* U = add(T, U)
* T = dbl(T)
*
* Which leaves you with state
*
* k[i] == 0: U = add(R, S), T = dbl(R)
* k[i] == 1: U = add(S, R), T = dbl(S)
*
* Swapping T, U conditionally on k[i] leaves you with state
*
* k[i] == 0: R, S = T, U
* k[i] == 1: R, S = U, T
*
* Which leaves you with state
*
* k[i] == 0: S = add(R, S), R = dbl(R)
* k[i] == 1: R = add(S, R), S = dbl(S)
*
* So we get the same logic, but instead of a branch it's a
* conditional swap, followed by ECC ops, then another conditional swap.
*
* Optimization: The end of iteration i and start of i-1 looks like
*
* ...
* CSWAP(k[i], R, S)
* ECC
* CSWAP(k[i], R, S)
* (next iteration)
* CSWAP(k[i-1], R, S)
* ECC
* CSWAP(k[i-1], R, S)
* ...
*
* So instead of two contiguous swaps, you can merge the condition
* bits and do a single swap.
*
* k[i] k[i-1] Outcome
* 0 0 No Swap
* 0 1 Swap
* 1 0 Swap
* 1 1 No Swap
*
* This is XOR. pbit tracks the previous bit of k.
*/
for (i = cardinality_bits - 1; i >= 0; i--) {
kbit = BN_is_bit_set(k, i) ^ pbit;
EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one);
if (!EC_POINT_add(group, s, r, s, ctx))
goto err;
if (!EC_POINT_dbl(group, r, r, ctx))
goto err;
/*
* pbit logic merges this cswap with that of the
* next iteration
*/
pbit ^= kbit;
}
/* one final cswap to move the right value into r */
EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one);
#undef EC_POINT_CSWAP
ret = 1;
err:
EC_POINT_free(s);
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
#undef EC_POINT_BN_set_flags
/*
* TODO: table should be optimised for the wNAF-based implementation,
* sometimes smaller windows will give better performance (thus the
@@ -155,7 +373,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
* precomputation is not available */
int ret = 0;
if (group->meth != r->meth) {
if (!ec_point_is_compat(r, group)) {
ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -164,8 +382,34 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
return EC_POINT_set_to_infinity(group, r);
}
/*-
* Handle the common cases where the scalar is secret, enforcing a constant
* time scalar multiplication algorithm.
*/
if ((scalar != NULL) && (num == 0)) {
/*-
* In this case we want to compute scalar * GeneratorPoint: this
* codepath is reached most prominently by (ephemeral) key generation
* of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH
* keygen/first half), where the scalar is always secret. This is why
* we ignore if BN_FLG_CONSTTIME is actually set and we always call the
* constant time version.
*/
return ec_mul_consttime(group, r, scalar, NULL, ctx);
}
if ((scalar == NULL) && (num == 1)) {
/*-
* In this case we want to compute scalar * GenericPoint: this codepath
* is reached most prominently by the second half of ECDH, where the
* secret scalar is multiplied by the peer's public point. To protect
* the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and
* we always call the constant time version.
*/
return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
}
for (i = 0; i < num; i++) {
if (group->meth != points[i]->meth) {
if (!ec_point_is_compat(points[i], group)) {
ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}

10
crypto/ec/ec_oct.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -30,7 +30,7 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,
ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP,
EC_R_INCOMPATIBLE_OBJECTS);
return 0;
@@ -66,7 +66,7 @@ int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group,
ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M,
EC_R_INCOMPATIBLE_OBJECTS);
return 0;
@@ -93,7 +93,7 @@ size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,
ECerr(EC_F_EC_POINT_POINT2OCT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_POINT2OCT, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -123,7 +123,7 @@ int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,
ECerr(EC_F_EC_POINT_OCT2POINT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (group->meth != point->meth) {
if (!ec_point_is_compat(point, group)) {
ECerr(EC_F_EC_POINT_OCT2POINT, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}

80
crypto/ec/ecdsa_ossl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -10,9 +10,8 @@
#include <string.h>
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/bn.h>
#include <openssl/rand.h>
#include <openssl/ec.h>
#include "internal/bn_int.h"
#include "ec_lcl.h"
int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
@@ -53,13 +52,12 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
return 0;
}
if (ctx_in == NULL) {
if ((ctx = ctx_in) == NULL) {
if ((ctx = BN_CTX_new()) == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
return 0;
}
} else
ctx = ctx_in;
}
k = BN_new(); /* this value is later returned in *kinvp */
r = BN_new(); /* this value is later returned in *rp */
@@ -73,10 +71,6 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
goto err;
}
order = EC_GROUP_get0_order(group);
if (order == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
/* Preallocate space */
order_bits = BN_num_bits(order);
@@ -87,23 +81,23 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
do {
/* get random k */
do
do {
if (dgst != NULL) {
if (!BN_generate_dsa_nonce
(k, order, EC_KEY_get0_private_key(eckey), dgst, dlen,
ctx)) {
if (!BN_generate_dsa_nonce(k, order,
EC_KEY_get0_private_key(eckey),
dgst, dlen, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP,
EC_R_RANDOM_NUMBER_GENERATION_FAILED);
EC_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
} else {
if (!BN_rand_range(k, order)) {
ECerr(EC_F_ECDSA_SIGN_SETUP,
EC_R_RANDOM_NUMBER_GENERATION_FAILED);
EC_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
}
while (BN_is_zero(k));
} while (BN_is_zero(k));
/*
* We do not want timing information to leak the length of k, so we
@@ -129,18 +123,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp
(group, tmp_point, X, NULL, ctx)) {
if (!EC_POINT_get_affine_coordinates_GFp(group, tmp_point, X,
NULL, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
}
#ifndef OPENSSL_NO_EC2M
else { /* NID_X9_62_characteristic_two_field */
if (!EC_POINT_get_affine_coordinates_GF2m(group,
tmp_point, X, NULL,
ctx)) {
if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp_point, X,
NULL, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
@@ -150,8 +142,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
}
while (BN_is_zero(r));
} while (BN_is_zero(r));
/* compute the inverse of k */
if (EC_GROUP_get_mont_data(group) != NULL) {
@@ -210,7 +201,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
EC_KEY *eckey)
{
int ok = 0, i;
BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL;
BIGNUM *kinv = NULL, *s, *m = NULL;
const BIGNUM *order, *ckinv;
BN_CTX *ctx = NULL;
const EC_GROUP *group;
@@ -243,17 +234,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
}
s = ret->s;
if ((ctx = BN_CTX_new()) == NULL ||
(tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
if ((ctx = BN_CTX_new()) == NULL
|| (m = BN_new()) == NULL) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
goto err;
}
order = EC_GROUP_get0_order(group);
if (order == NULL) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_EC_LIB);
goto err;
}
i = BN_num_bits(order);
/*
* Need to truncate digest if it is too long: first truncate whole bytes.
@@ -264,7 +251,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
/* If still too long truncate remaining bits with a shift */
/* If still too long, truncate remaining bits with a shift */
if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
@@ -284,18 +271,32 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
}
}
if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
/*
* With only one multiplicant being in Montgomery domain
* multiplication yields real result without post-conversion.
* Also note that all operations but last are performed with
* zero-padded vectors. Last operation, BN_mod_mul_montgomery
* below, returns user-visible value with removed zero padding.
*/
if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx)
|| !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
if (!BN_mod_add_quick(s, tmp, m, order)) {
if (!bn_mod_add_fixed_top(s, s, m, order)) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
/*
* |s| can still be larger than modulus, because |m| can be. In
* such case we count on Montgomery reduction to tie it up.
*/
if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx)
|| !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
if (BN_is_zero(s)) {
/*
* if kinv and r have been supplied by the caller don't to
@@ -305,11 +306,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES);
goto err;
}
} else
} else {
/* s != 0 => we have a valid signature */
break;
}
while (1);
}
} while (1);
ok = 1;
err:
@@ -319,7 +320,6 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
}
BN_CTX_free(ctx);
BN_clear_free(m);
BN_clear_free(tmp);
BN_clear_free(kinv);
return ret;
}

34
crypto/ec/ecp_nistz256.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1110,28 +1110,12 @@ __owur static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *gr
const P256_POINT_AFFINE *in,
BN_CTX *ctx)
{
BIGNUM *x, *y;
BN_ULONG d_x[P256_LIMBS], d_y[P256_LIMBS];
int ret = 0;
x = BN_new();
if (x == NULL)
return 0;
y = BN_new();
if (y == NULL) {
BN_free(x);
return 0;
}
memcpy(d_x, in->X, sizeof(d_x));
bn_set_static_words(x, d_x, P256_LIMBS);
memcpy(d_y, in->Y, sizeof(d_y));
bn_set_static_words(y, d_y, P256_LIMBS);
ret = EC_POINT_set_affine_coordinates_GFp(group, out, x, y, ctx);
BN_free(x);
BN_free(y);
if ((ret = bn_set_words(out->X, in->X, P256_LIMBS))
&& (ret = bn_set_words(out->Y, in->Y, P256_LIMBS))
&& (ret = bn_set_words(out->Z, ONE, P256_LIMBS)))
out->Z_is_one = 1;
return ret;
}
@@ -1168,7 +1152,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
return 0;
}
if (group->meth != r->meth) {
if (!ec_point_is_compat(r, group)) {
ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -1177,7 +1161,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
return EC_POINT_set_to_infinity(group, r);
for (j = 0; j < num; j++) {
if (group->meth != points[j]->meth) {
if (!ec_point_is_compat(points[j], group)) {
ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -1210,9 +1194,9 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
if (pre_comp_generator == NULL)
goto err;
ecp_nistz256_gather_w7(&p.a, pre_comp->precomp[0], 1);
if (!ecp_nistz256_set_from_affine(pre_comp_generator,
group, pre_comp->precomp[0],
ctx)) {
group, &p.a, ctx)) {
EC_POINT_free(pre_comp_generator);
goto err;
}

3
crypto/ec/ecp_smpl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -352,6 +352,7 @@ int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
if (!BN_copy(dest->Z, src->Z))
return 0;
dest->Z_is_one = src->Z_is_one;
dest->curve_name = src->curve_name;
return 1;
}