ag/cpython-source-deps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Imported OpenSSL 1.1.1b

Browse Source
This commit is contained in:
Steve Dower
2019-03-07 09:36:23 -08:00
parent d6b2cd4920
commit 8f99635588
389 changed files with 7946 additions and 4431 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
crypto/ec/asm/ecp_nistz256-armv8.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -119,6 +119,7 @@ $code.=<<___;
.type ecp_nistz256_to_mont,%function
.align 6
ecp_nistz256_to_mont:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-32]!
add x29,sp,#0
stp x19,x20,[sp,#16]
@@ -134,6 +135,7 @@ ecp_nistz256_to_mont:
ldp x19,x20,[sp,#16]
ldp x29,x30,[sp],#32
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont
@@ -142,6 +144,7 @@ ecp_nistz256_to_mont:
.type ecp_nistz256_from_mont,%function
.align 4
ecp_nistz256_from_mont:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-32]!
add x29,sp,#0
stp x19,x20,[sp,#16]
@@ -157,6 +160,7 @@ ecp_nistz256_from_mont:
ldp x19,x20,[sp,#16]
ldp x29,x30,[sp],#32
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont
@@ -166,6 +170,7 @@ ecp_nistz256_from_mont:
.type ecp_nistz256_mul_mont,%function
.align 4
ecp_nistz256_mul_mont:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-32]!
add x29,sp,#0
stp x19,x20,[sp,#16]
@@ -180,6 +185,7 @@ ecp_nistz256_mul_mont:
ldp x19,x20,[sp,#16]
ldp x29,x30,[sp],#32
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont
@@ -188,6 +194,7 @@ ecp_nistz256_mul_mont:
.type ecp_nistz256_sqr_mont,%function
.align 4
ecp_nistz256_sqr_mont:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-32]!
add x29,sp,#0
stp x19,x20,[sp,#16]
@@ -201,6 +208,7 @@ ecp_nistz256_sqr_mont:
ldp x19,x20,[sp,#16]
ldp x29,x30,[sp],#32
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont
@@ -210,6 +218,7 @@ ecp_nistz256_sqr_mont:
.type ecp_nistz256_add,%function
.align 4
ecp_nistz256_add:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-16]!
add x29,sp,#0
@@ -223,6 +232,7 @@ ecp_nistz256_add:
bl __ecp_nistz256_add
ldp x29,x30,[sp],#16
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_add,.-ecp_nistz256_add
@@ -231,6 +241,7 @@ ecp_nistz256_add:
.type ecp_nistz256_div_by_2,%function
.align 4
ecp_nistz256_div_by_2:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-16]!
add x29,sp,#0
@@ -242,6 +253,7 @@ ecp_nistz256_div_by_2:
bl __ecp_nistz256_div_by_2
ldp x29,x30,[sp],#16
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2
@@ -250,6 +262,7 @@ ecp_nistz256_div_by_2:
.type ecp_nistz256_mul_by_2,%function
.align 4
ecp_nistz256_mul_by_2:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-16]!
add x29,sp,#0
@@ -265,6 +278,7 @@ ecp_nistz256_mul_by_2:
bl __ecp_nistz256_add // ret = a+a // 2*a
ldp x29,x30,[sp],#16
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2
@@ -273,6 +287,7 @@ ecp_nistz256_mul_by_2:
.type ecp_nistz256_mul_by_3,%function
.align 4
ecp_nistz256_mul_by_3:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-16]!
add x29,sp,#0
@@ -299,6 +314,7 @@ ecp_nistz256_mul_by_3:
bl __ecp_nistz256_add // ret += a // 2*a+a=3*a
ldp x29,x30,[sp],#16
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3
@@ -308,6 +324,7 @@ ecp_nistz256_mul_by_3:
.type ecp_nistz256_sub,%function
.align 4
ecp_nistz256_sub:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-16]!
add x29,sp,#0
@@ -319,6 +336,7 @@ ecp_nistz256_sub:
bl __ecp_nistz256_sub_from
ldp x29,x30,[sp],#16
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_sub,.-ecp_nistz256_sub
@@ -327,6 +345,7 @@ ecp_nistz256_sub:
.type ecp_nistz256_neg,%function
.align 4
ecp_nistz256_neg:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-16]!
add x29,sp,#0
@@ -341,6 +360,7 @@ ecp_nistz256_neg:
bl __ecp_nistz256_sub_from
ldp x29,x30,[sp],#16
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_neg,.-ecp_nistz256_neg
@@ -701,6 +721,7 @@ $code.=<<___;
.type ecp_nistz256_point_double,%function
.align 5
ecp_nistz256_point_double:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-80]!
add x29,sp,#0
stp x19,x20,[sp,#16]
@@ -835,6 +856,7 @@ ecp_nistz256_point_double:
ldp x19,x20,[x29,#16]
ldp x21,x22,[x29,#32]
ldp x29,x30,[sp],#80
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_point_double,.-ecp_nistz256_point_double
___
@@ -857,6 +879,7 @@ $code.=<<___;
.type ecp_nistz256_point_add,%function
.align 5
ecp_nistz256_point_add:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-80]!
add x29,sp,#0
stp x19,x20,[sp,#16]
@@ -1094,12 +1117,13 @@ $code.=<<___;
stp $acc2,$acc3,[$rp_real,#$i+16]
.Ladd_done:
add sp,x29,#0 // destroy frame
add sp,x29,#0 // destroy frame
ldp x19,x20,[x29,#16]
ldp x21,x22,[x29,#32]
ldp x23,x24,[x29,#48]
ldp x25,x26,[x29,#64]
ldp x29,x30,[sp],#80
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_point_add,.-ecp_nistz256_point_add
___
@@ -1121,6 +1145,7 @@ $code.=<<___;
.type ecp_nistz256_point_add_affine,%function
.align 5
ecp_nistz256_point_add_affine:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-80]!
add x29,sp,#0
stp x19,x20,[sp,#16]
@@ -1309,6 +1334,7 @@ $code.=<<___;
ldp x23,x24,[x29,#48]
ldp x25,x26,[x29,#64]
ldp x29,x30,[sp],#80
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine
___

36
crypto/ec/asm/ecp_nistz256-x86_64.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright (c) 2014, Intel Corporation. All Rights Reserved.
# Copyright (c) 2015 CloudFlare, Inc.
#
@@ -1674,6 +1674,7 @@ $code.=<<___;
.type __ecp_nistz256_mul_montq,\@abi-omnipotent
.align 32
__ecp_nistz256_mul_montq:
.cfi_startproc
########################################################################
# Multiply a by b[0]
mov %rax, $t1
@@ -1885,6 +1886,7 @@ __ecp_nistz256_mul_montq:
mov $acc1, 8*3($r_ptr)
ret
.cfi_endproc
.size __ecp_nistz256_mul_montq,.-__ecp_nistz256_mul_montq
################################################################################
@@ -1968,6 +1970,7 @@ $code.=<<___;
.type __ecp_nistz256_sqr_montq,\@abi-omnipotent
.align 32
__ecp_nistz256_sqr_montq:
.cfi_startproc
mov %rax, $acc5
mulq $acc6 # a[1]*a[0]
mov %rax, $acc1
@@ -2125,6 +2128,7 @@ __ecp_nistz256_sqr_montq:
mov $acc7, 8*3($r_ptr)
ret
.cfi_endproc
.size __ecp_nistz256_sqr_montq,.-__ecp_nistz256_sqr_montq
___
@@ -2133,6 +2137,7 @@ $code.=<<___;
.type __ecp_nistz256_mul_montx,\@abi-omnipotent
.align 32
__ecp_nistz256_mul_montx:
.cfi_startproc
########################################################################
# Multiply by b[0]
mulx $acc1, $acc0, $acc1
@@ -2295,11 +2300,13 @@ __ecp_nistz256_mul_montx:
mov $acc1, 8*3($r_ptr)
ret
.cfi_endproc
.size __ecp_nistz256_mul_montx,.-__ecp_nistz256_mul_montx
.type __ecp_nistz256_sqr_montx,\@abi-omnipotent
.align 32
__ecp_nistz256_sqr_montx:
.cfi_startproc
mulx $acc6, $acc1, $acc2 # a[0]*a[1]
mulx $acc7, $t0, $acc3 # a[0]*a[2]
xor %eax, %eax
@@ -2423,6 +2430,7 @@ __ecp_nistz256_sqr_montx:
mov $acc7, 8*3($r_ptr)
ret
.cfi_endproc
.size __ecp_nistz256_sqr_montx,.-__ecp_nistz256_sqr_montx
___
}
@@ -2578,6 +2586,7 @@ ecp_nistz256_scatter_w5:
.type ecp_nistz256_gather_w5,\@abi-omnipotent
.align 32
ecp_nistz256_gather_w5:
.cfi_startproc
___
$code.=<<___ if ($avx>1);
mov OPENSSL_ia32cap_P+8(%rip), %eax
@@ -2666,6 +2675,7 @@ $code.=<<___ if ($win64);
___
$code.=<<___;
ret
.cfi_endproc
.LSEH_end_ecp_nistz256_gather_w5:
.size ecp_nistz256_gather_w5,.-ecp_nistz256_gather_w5
@@ -2694,6 +2704,7 @@ ecp_nistz256_scatter_w7:
.type ecp_nistz256_gather_w7,\@abi-omnipotent
.align 32
ecp_nistz256_gather_w7:
.cfi_startproc
___
$code.=<<___ if ($avx>1);
mov OPENSSL_ia32cap_P+8(%rip), %eax
@@ -2771,6 +2782,7 @@ $code.=<<___ if ($win64);
___
$code.=<<___;
ret
.cfi_endproc
.LSEH_end_ecp_nistz256_gather_w7:
.size ecp_nistz256_gather_w7,.-ecp_nistz256_gather_w7
___
@@ -2787,6 +2799,7 @@ $code.=<<___;
.type ecp_nistz256_avx2_gather_w5,\@abi-omnipotent
.align 32
ecp_nistz256_avx2_gather_w5:
.cfi_startproc
.Lavx2_gather_w5:
vzeroupper
___
@@ -2874,6 +2887,7 @@ $code.=<<___ if ($win64);
___
$code.=<<___;
ret
.cfi_endproc
.LSEH_end_ecp_nistz256_avx2_gather_w5:
.size ecp_nistz256_avx2_gather_w5,.-ecp_nistz256_avx2_gather_w5
___
@@ -2893,6 +2907,7 @@ $code.=<<___;
.type ecp_nistz256_avx2_gather_w7,\@abi-omnipotent
.align 32
ecp_nistz256_avx2_gather_w7:
.cfi_startproc
.Lavx2_gather_w7:
vzeroupper
___
@@ -2995,6 +3010,7 @@ $code.=<<___ if ($win64);
___
$code.=<<___;
ret
.cfi_endproc
.LSEH_end_ecp_nistz256_avx2_gather_w7:
.size ecp_nistz256_avx2_gather_w7,.-ecp_nistz256_avx2_gather_w7
___
@@ -3064,6 +3080,7 @@ $code.=<<___;
.type __ecp_nistz256_add_toq,\@abi-omnipotent
.align 32
__ecp_nistz256_add_toq:
.cfi_startproc
xor $t4,$t4
add 8*0($b_ptr), $a0
adc 8*1($b_ptr), $a1
@@ -3091,11 +3108,13 @@ __ecp_nistz256_add_toq:
mov $a3, 8*3($r_ptr)
ret
.cfi_endproc
.size __ecp_nistz256_add_toq,.-__ecp_nistz256_add_toq
.type __ecp_nistz256_sub_fromq,\@abi-omnipotent
.align 32
__ecp_nistz256_sub_fromq:
.cfi_startproc
sub 8*0($b_ptr), $a0
sbb 8*1($b_ptr), $a1
mov $a0, $t0
@@ -3122,11 +3141,13 @@ __ecp_nistz256_sub_fromq:
mov $a3, 8*3($r_ptr)
ret
.cfi_endproc
.size __ecp_nistz256_sub_fromq,.-__ecp_nistz256_sub_fromq
.type __ecp_nistz256_subq,\@abi-omnipotent
.align 32
__ecp_nistz256_subq:
.cfi_startproc
sub $a0, $t0
sbb $a1, $t1
mov $t0, $a0
@@ -3149,11 +3170,13 @@ __ecp_nistz256_subq:
cmovnz $t3, $a3
ret
.cfi_endproc
.size __ecp_nistz256_subq,.-__ecp_nistz256_subq
.type __ecp_nistz256_mul_by_2q,\@abi-omnipotent
.align 32
__ecp_nistz256_mul_by_2q:
.cfi_startproc
xor $t4, $t4
add $a0, $a0 # a0:a3+a0:a3
adc $a1, $a1
@@ -3181,6 +3204,7 @@ __ecp_nistz256_mul_by_2q:
mov $a3, 8*3($r_ptr)
ret
.cfi_endproc
.size __ecp_nistz256_mul_by_2q,.-__ecp_nistz256_mul_by_2q
___
}
@@ -3620,7 +3644,9 @@ $code.=<<___;
movq %xmm1, $a_ptr # restore $a_ptr
movq %xmm0, $r_ptr # restore $r_ptr
add \$`32*(18-5)`, %rsp # difference in frame sizes
.cfi_adjust_cfa_offset `-32*(18-5)`
jmp .Lpoint_double_shortcut$x
.cfi_adjust_cfa_offset `32*(18-5)`
.align 32
.Ladd_proceed$x:
@@ -4156,6 +4182,7 @@ $code.=<<___;
.type __ecp_nistz256_add_tox,\@abi-omnipotent
.align 32
__ecp_nistz256_add_tox:
.cfi_startproc
xor $t4, $t4
adc 8*0($b_ptr), $a0
adc 8*1($b_ptr), $a1
@@ -4184,11 +4211,13 @@ __ecp_nistz256_add_tox:
mov $a3, 8*3($r_ptr)
ret
.cfi_endproc
.size __ecp_nistz256_add_tox,.-__ecp_nistz256_add_tox
.type __ecp_nistz256_sub_fromx,\@abi-omnipotent
.align 32
__ecp_nistz256_sub_fromx:
.cfi_startproc
xor $t4, $t4
sbb 8*0($b_ptr), $a0
sbb 8*1($b_ptr), $a1
@@ -4217,11 +4246,13 @@ __ecp_nistz256_sub_fromx:
mov $a3, 8*3($r_ptr)
ret
.cfi_endproc
.size __ecp_nistz256_sub_fromx,.-__ecp_nistz256_sub_fromx
.type __ecp_nistz256_subx,\@abi-omnipotent
.align 32
__ecp_nistz256_subx:
.cfi_startproc
xor $t4, $t4
sbb $a0, $t0
sbb $a1, $t1
@@ -4246,11 +4277,13 @@ __ecp_nistz256_subx:
cmovc $t3, $a3
ret
.cfi_endproc
.size __ecp_nistz256_subx,.-__ecp_nistz256_subx
.type __ecp_nistz256_mul_by_2x,\@abi-omnipotent
.align 32
__ecp_nistz256_mul_by_2x:
.cfi_startproc
xor $t4, $t4
adc $a0, $a0 # a0:a3+a0:a3
adc $a1, $a1
@@ -4279,6 +4312,7 @@ __ecp_nistz256_mul_by_2x:
mov $a3, 8*3($r_ptr)
ret
.cfi_endproc
.size __ecp_nistz256_mul_by_2x,.-__ecp_nistz256_mul_by_2x
___
}

4335
crypto/ec/curve25519.c
View File

File diff suppressed because it is too large Load Diff

30
crypto/ec/curve448/eddsa.c
View File

@@ -246,10 +246,36 @@ c448_error_t c448_ed448_verify(
uint8_t context_len)
{
curve448_point_t pk_point, r_point;
c448_error_t error =
curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
c448_error_t error;
curve448_scalar_t challenge_scalar;
curve448_scalar_t response_scalar;
/* Order in little endian format */
static const uint8_t order[] = {
0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
};
int i;
/*
* Check that s (second 57 bytes of the sig) is less than the order. Both
* s and the order are in little-endian format. This can be done in
* variable time, since if this is not the case the signature if publicly
* invalid.
*/
for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
return C448_FAILURE;
if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
break;
}
if (i < 0)
return C448_FAILURE;
error =
curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
if (C448_SUCCESS != error)
return error;

16
crypto/ec/curve448/point_448.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2016 Cryptography Research, Inc.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -116,7 +116,7 @@ void curve448_scalar_encode(unsigned char ser[C448_SCALAR_BYTES],
/*
* Add two scalars. |a|, |b| and |out| may alias each other.
*
*
* a (in): One scalar.
* b (in): Another scalar.
* out (out): a+b.
@@ -135,7 +135,7 @@ void curve448_scalar_sub(curve448_scalar_t out,
/*
* Multiply two scalars. |a|, |b| and |out| may alias each other.
*
*
* a (in): One scalar.
* b (in): Another scalar.
* out (out): a*b.
@@ -145,7 +145,7 @@ void curve448_scalar_mul(curve448_scalar_t out,
/*
* Halve a scalar. |a| and |out| may alias each other.
*
*
* a (in): A scalar.
* out (out): a/2.
*/
@@ -154,7 +154,7 @@ void curve448_scalar_halve(curve448_scalar_t out, const curve448_scalar_t a);
/*
* Copy a scalar. The scalars may alias each other, in which case this
* function does nothing.
*
*
* a (in): A scalar.
* out (out): Will become a copy of a.
*/
@@ -183,7 +183,7 @@ static ossl_inline void curve448_point_copy(curve448_point_t a,
*
* a (in): A point.
* b (in): Another point.
*
*
* Returns:
* C448_TRUE: The points are equal.
* C448_FALSE: The points are not equal.
@@ -243,7 +243,7 @@ void curve448_point_mul_by_ratio_and_encode_like_x448(
/*
* RFC 7748 Diffie-Hellman base point scalarmul. This function uses a different
* (non-Decaf) encoding.
*
*
* out (out): The scaled point base*scalar
* scalar (in): The scalar to multiply by.
*/
@@ -273,7 +273,7 @@ void curve448_precomputed_scalarmul(curve448_point_t scaled,
* base2 (in): A second point to be scaled.
* scalar2 (in) A second scalar to multiply by.
*
* Warning: This function takes variable time, and may leak the scalars used.
* Warning: This function takes variable time, and may leak the scalars used.
* It is designed for signature verification.
*/
void curve448_base_double_scalarmul_non_secret(curve448_point_t combo,

20
crypto/ec/ec2_smpl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -810,7 +810,7 @@ int ec_GF2m_simple_ladder_post(const EC_GROUP *group,
|| !group->meth->field_mul(group, t2, t2, t0, ctx)
|| !BN_GF2m_add(t1, t2, t1)
|| !group->meth->field_mul(group, t2, p->X, t0, ctx)
|| !BN_GF2m_mod_inv(t2, t2, group->field, ctx)
|| !group->meth->field_inv(group, t2, t2, ctx)
|| !group->meth->field_mul(group, t1, t1, t2, ctx)
|| !group->meth->field_mul(group, r->X, r->Z, t2, ctx)
|| !BN_GF2m_add(t2, p->X, r->X)
@@ -889,6 +889,21 @@ int ec_GF2m_simple_points_mul(const EC_GROUP *group, EC_POINT *r,
return ret;
}
/*-
* Computes the multiplicative inverse of a in GF(2^m), storing the result in r.
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
* SCA hardening is with blinding: BN_GF2m_mod_inv does that.
*/
static int ec_GF2m_simple_field_inv(const EC_GROUP *group, BIGNUM *r,
const BIGNUM *a, BN_CTX *ctx)
{
int ret;
if (!(ret = BN_GF2m_mod_inv(r, a, group->field, ctx)))
ECerr(EC_F_EC_GF2M_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
return ret;
}
const EC_METHOD *EC_GF2m_simple_method(void)
{
static const EC_METHOD ret = {
@@ -929,6 +944,7 @@ const EC_METHOD *EC_GF2m_simple_method(void)
ec_GF2m_simple_field_mul,
ec_GF2m_simple_field_sqr,
ec_GF2m_simple_field_div,
ec_GF2m_simple_field_inv,
0, /* field_encode */
0, /* field_decode */
0, /* field_set_to_one */

2
crypto/ec/ec_ameth.c
View File

@@ -505,7 +505,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
*(int *)arg2 = NID_sha256;
return 2;
return 1;
case ASN1_PKEY_CTRL_SET1_TLS_ENCPT:
return EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(pkey), arg2, arg1, NULL);

9
crypto/ec/ec_err.c
View File

@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -66,6 +66,8 @@ static const ERR_STRING_DATA EC_str_functs[] = {
"ec_asn1_group2fieldid"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY, 0),
"ec_GF2m_montgomery_point_multiply"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_FIELD_INV, 0),
"ec_GF2m_simple_field_inv"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT, 0),
"ec_GF2m_simple_group_check_discriminant"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, 0),
@@ -90,6 +92,8 @@ static const ERR_STRING_DATA EC_str_functs[] = {
"ec_GFp_mont_field_decode"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_ENCODE, 0),
"ec_GFp_mont_field_encode"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_INV, 0),
"ec_GFp_mont_field_inv"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_MUL, 0),
"ec_GFp_mont_field_mul"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE, 0),
@@ -124,6 +128,8 @@ static const ERR_STRING_DATA EC_str_functs[] = {
"ec_GFp_nist_group_set_curve"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, 0),
"ec_GFp_simple_blind_coordinates"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_FIELD_INV, 0),
"ec_GFp_simple_field_inv"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, 0),
"ec_GFp_simple_group_check_discriminant"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, 0),
@@ -287,6 +293,7 @@ static const ERR_STRING_DATA EC_str_reasons[] = {
{ERR_PACK(ERR_LIB_EC, 0, EC_R_BAD_SIGNATURE), "bad signature"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_BIGNUM_OUT_OF_RANGE), "bignum out of range"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_BUFFER_TOO_SMALL), "buffer too small"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_CANNOT_INVERT), "cannot invert"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_COORDINATES_OUT_OF_RANGE),
"coordinates out of range"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH),

14
crypto/ec/ec_lcl.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -15,7 +15,6 @@
#include <openssl/bn.h>
#include "internal/refcount.h"
#include "internal/ec_int.h"
#include "curve448/curve448_lcl.h"
#if defined(__SUNPRO_C)
# if __SUNPRO_C >= 0x520
@@ -154,6 +153,13 @@ struct ec_method_st {
int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
/*-
* 'field_inv' computes the multipicative inverse of a in the field,
* storing the result in r.
*
* If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
*/
int (*field_inv) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
/* e.g. to Montgomery */
int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
@@ -390,6 +396,8 @@ int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
BN_CTX *ctx);
int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
@@ -413,6 +421,8 @@ int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,

51
crypto/ec/ecp_mont.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -50,6 +50,7 @@ const EC_METHOD *EC_GFp_mont_method(void)
ec_GFp_mont_field_mul,
ec_GFp_mont_field_sqr,
0 /* field_div */ ,
ec_GFp_mont_field_inv,
ec_GFp_mont_field_encode,
ec_GFp_mont_field_decode,
ec_GFp_mont_field_set_to_one,
@@ -206,6 +207,54 @@ int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
}
/*-
* Computes the multiplicative inverse of a in GF(p), storing the result in r.
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
* We have a Mont structure, so SCA hardening is FLT inversion.
*/
int ec_GFp_mont_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx)
{
BIGNUM *e = NULL;
BN_CTX *new_ctx = NULL;
int ret = 0;
if (group->field_data1 == NULL)
return 0;
if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
return 0;
BN_CTX_start(ctx);
if ((e = BN_CTX_get(ctx)) == NULL)
goto err;
/* Inverse in constant time with Fermats Little Theorem */
if (!BN_set_word(e, 2))
goto err;
if (!BN_sub(e, group->field, e))
goto err;
/*-
* Exponent e is public.
* No need for scatter-gather or BN_FLG_CONSTTIME.
*/
if (!BN_mod_exp_mont(r, a, e, group->field, ctx, group->field_data1))
goto err;
/* throw an error on zero */
if (BN_is_zero(r)) {
ECerr(EC_F_EC_GFP_MONT_FIELD_INV, EC_R_CANNOT_INVERT);
goto err;
}
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r,
const BIGNUM *a, BN_CTX *ctx)
{

3
crypto/ec/ecp_nist.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -52,6 +52,7 @@ const EC_METHOD *EC_GFp_nist_method(void)
ec_GFp_nist_field_mul,
ec_GFp_nist_field_sqr,
0 /* field_div */ ,
ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */

3
crypto/ec/ecp_nistp224.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -279,6 +279,7 @@ const EC_METHOD *EC_GFp_nistp224_method(void)
ec_GFp_nist_field_mul,
ec_GFp_nist_field_sqr,
0 /* field_div */ ,
ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */

3
crypto/ec/ecp_nistp256.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1810,6 +1810,7 @@ const EC_METHOD *EC_GFp_nistp256_method(void)
ec_GFp_nist_field_mul,
ec_GFp_nist_field_sqr,
0 /* field_div */ ,
ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */

3
crypto/ec/ecp_nistp521.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1647,6 +1647,7 @@ const EC_METHOD *EC_GFp_nistp521_method(void)
ec_GFp_nist_field_mul,
ec_GFp_nist_field_sqr,
0 /* field_div */ ,
ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */

3
crypto/ec/ecp_nistz256.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2014, Intel Corporation. All Rights Reserved.
* Copyright (c) 2015, CloudFlare, Inc.
*
@@ -1677,6 +1677,7 @@ const EC_METHOD *EC_GFp_nistz256_method(void)
ec_GFp_mont_field_mul,
ec_GFp_mont_field_sqr,
0, /* field_div */
ec_GFp_mont_field_inv,
ec_GFp_mont_field_encode,
ec_GFp_mont_field_decode,
ec_GFp_mont_field_set_to_one,

51
crypto/ec/ecp_smpl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -51,6 +51,7 @@ const EC_METHOD *EC_GFp_simple_method(void)
ec_GFp_simple_field_mul,
ec_GFp_simple_field_sqr,
0 /* field_div */ ,
ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
@@ -553,7 +554,7 @@ int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
}
}
} else {
if (!BN_mod_inverse(Z_1, Z_, group->field, ctx)) {
if (!group->meth->field_inv(group, Z_1, Z_, ctx)) {
ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES,
ERR_R_BN_LIB);
goto err;
@@ -1266,7 +1267,7 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
* points[i]->Z by its inverse.
*/
if (!BN_mod_inverse(tmp, prod_Z[num - 1], group->field, ctx)) {
if (!group->meth->field_inv(group, tmp, prod_Z[num - 1], ctx)) {
ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
goto err;
}
@@ -1369,6 +1370,50 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
return BN_mod_sqr(r, a, group->field, ctx);
}
/*-
* Computes the multiplicative inverse of a in GF(p), storing the result in r.
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
* Since we don't have a Mont structure here, SCA hardening is with blinding.
*/
int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx)
{
BIGNUM *e = NULL;
BN_CTX *new_ctx = NULL;
int ret = 0;
if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
return 0;
BN_CTX_start(ctx);
if ((e = BN_CTX_get(ctx)) == NULL)
goto err;
do {
if (!BN_priv_rand_range(e, group->field))
goto err;
} while (BN_is_zero(e));
/* r := a * e */
if (!group->meth->field_mul(group, r, a, e, ctx))
goto err;
/* r := 1/(a * e) */
if (!BN_mod_inverse(r, r, group->field, ctx)) {
ECerr(EC_F_EC_GFP_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
goto err;
}
/* r := e/(a * e) = 1/a */
if (!group->meth->field_mul(group, r, r, e, ctx))
goto err;
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
/*-
* Apply randomization of EC point projective coordinates:
*

3
crypto/ec/ecx_meth.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -15,6 +15,7 @@
#include "internal/asn1_int.h"
#include "internal/evp_int.h"
#include "ec_lcl.h"
#include "curve448/curve448_lcl.h"
#define X25519_BITS 253
#define X25519_SECURITY_BITS 128