1 /* crypto/ec/ecp_smpl.c */
2 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3 * for the OpenSSL project. */
4 /* ====================================================================
5 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * openssl-core@openssl.org.
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
33 * 6. Redistributions of any form whatsoever must retain the following
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com).
58 #include <openssl/err.h>
63 const EC_METHOD *EC_GFp_simple_method(void)
65 static const EC_METHOD ret = {
66 ec_GFp_simple_group_init,
67 ec_GFp_simple_group_finish,
68 ec_GFp_simple_group_clear_finish,
69 ec_GFp_simple_group_copy,
70 ec_GFp_simple_group_set_curve_GFp,
71 ec_GFp_simple_group_get_curve_GFp,
72 ec_GFp_simple_group_set_generator,
73 ec_GFp_simple_group_get0_generator,
74 ec_GFp_simple_group_get_order,
75 ec_GFp_simple_group_get_cofactor,
76 ec_GFp_simple_group_check,
77 ec_GFp_simple_point_init,
78 ec_GFp_simple_point_finish,
79 ec_GFp_simple_point_clear_finish,
80 ec_GFp_simple_point_copy,
81 ec_GFp_simple_point_set_to_infinity,
82 ec_GFp_simple_set_Jprojective_coordinates_GFp,
83 ec_GFp_simple_get_Jprojective_coordinates_GFp,
84 ec_GFp_simple_point_set_affine_coordinates_GFp,
85 ec_GFp_simple_point_get_affine_coordinates_GFp,
86 ec_GFp_simple_set_compressed_coordinates_GFp,
87 ec_GFp_simple_point2oct,
88 ec_GFp_simple_oct2point,
92 ec_GFp_simple_is_at_infinity,
93 ec_GFp_simple_is_on_curve,
95 ec_GFp_simple_make_affine,
96 ec_GFp_simple_points_make_affine,
97 ec_GFp_simple_field_mul,
98 ec_GFp_simple_field_sqr,
100 0 /* field_decode */,
101 0 /* field_set_to_one */ };
107 int ec_GFp_simple_group_init(EC_GROUP *group)
109 BN_init(&group->field);
112 group->a_is_minus3 = 0;
113 group->generator = NULL;
114 BN_init(&group->order);
115 BN_init(&group->cofactor);
120 void ec_GFp_simple_group_finish(EC_GROUP *group)
122 BN_free(&group->field);
125 if (group->generator != NULL)
126 EC_POINT_free(group->generator);
127 BN_free(&group->order);
128 BN_free(&group->cofactor);
132 void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
134 BN_clear_free(&group->field);
135 BN_clear_free(&group->a);
136 BN_clear_free(&group->b);
137 if (group->generator != NULL)
139 EC_POINT_clear_free(group->generator);
140 group->generator = NULL;
142 BN_clear_free(&group->order);
143 BN_clear_free(&group->cofactor);
147 int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
149 if (!BN_copy(&dest->field, &src->field)) return 0;
150 if (!BN_copy(&dest->a, &src->a)) return 0;
151 if (!BN_copy(&dest->b, &src->b)) return 0;
153 dest->a_is_minus3 = src->a_is_minus3;
155 if (src->generator != NULL)
157 if (dest->generator == NULL)
159 dest->generator = EC_POINT_new(dest);
160 if (dest->generator == NULL) return 0;
162 if (!EC_POINT_copy(dest->generator, src->generator)) return 0;
166 /* src->generator == NULL */
167 if (dest->generator != NULL)
169 EC_POINT_clear_free(dest->generator);
170 dest->generator = NULL;
174 if (!BN_copy(&dest->order, &src->order)) return 0;
175 if (!BN_copy(&dest->cofactor, &src->cofactor)) return 0;
181 int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
182 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
185 BN_CTX *new_ctx = NULL;
188 /* p must be a prime > 3 */
189 if (BN_num_bits(p) <= 2 || !BN_is_odd(p))
191 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP, EC_R_INVALID_FIELD);
197 ctx = new_ctx = BN_CTX_new();
203 tmp_a = BN_CTX_get(ctx);
204 if (tmp_a == NULL) goto err;
207 if (!BN_copy(&group->field, p)) goto err;
208 group->field.neg = 0;
211 if (!BN_nnmod(tmp_a, a, p, ctx)) goto err;
212 if (group->meth->field_encode)
213 { if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) goto err; }
215 if (!BN_copy(&group->a, tmp_a)) goto err;
218 if (!BN_nnmod(&group->b, b, p, ctx)) goto err;
219 if (group->meth->field_encode)
220 if (!group->meth->field_encode(group, &group->b, &group->b, ctx)) goto err;
222 /* group->a_is_minus3 */
223 if (!BN_add_word(tmp_a, 3)) goto err;
224 group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
231 BN_CTX_free(new_ctx);
236 int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
239 BN_CTX *new_ctx = NULL;
243 if (!BN_copy(p, &group->field)) return 0;
246 if (a != NULL || b != NULL)
248 if (group->meth->field_decode)
252 ctx = new_ctx = BN_CTX_new();
258 if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
262 if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
269 if (!BN_copy(a, &group->a)) goto err;
273 if (!BN_copy(b, &group->b)) goto err;
282 BN_CTX_free(new_ctx);
288 int ec_GFp_simple_group_set_generator(EC_GROUP *group, const EC_POINT *generator,
289 const BIGNUM *order, const BIGNUM *cofactor)
291 if (generator == NULL)
293 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER);
297 if (group->generator == NULL)
299 group->generator = EC_POINT_new(group);
300 if (group->generator == NULL) return 0;
302 if (!EC_POINT_copy(group->generator, generator)) return 0;
305 { if (!BN_copy(&group->order, order)) return 0; }
307 { if (!BN_zero(&group->order)) return 0; }
309 if (cofactor != NULL)
310 { if (!BN_copy(&group->cofactor, cofactor)) return 0; }
312 { if (!BN_zero(&group->cofactor)) return 0; }
318 EC_POINT *ec_GFp_simple_group_get0_generator(const EC_GROUP *group)
320 return group->generator;
324 int ec_GFp_simple_group_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
326 if (!BN_copy(order, &group->order))
329 return !BN_is_zero(&group->order);
333 int ec_GFp_simple_group_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
335 if (!BN_copy(cofactor, &group->cofactor))
338 return !BN_is_zero(&group->cofactor);
342 int ec_GFp_simple_group_check(const EC_GROUP *group, BN_CTX *ctx)
345 BIGNUM *a,*b,*order,*tmp_1,*tmp_2;
346 const BIGNUM *p = &group->field;
347 BN_CTX *new_ctx = NULL;
348 EC_POINT *point = NULL;
352 ctx = new_ctx = BN_CTX_new();
355 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK, ERR_R_MALLOC_FAILURE);
362 tmp_1 = BN_CTX_get(ctx);
363 tmp_2 = BN_CTX_get(ctx);
364 order = BN_CTX_get(ctx);
365 if (order == NULL) goto err;
367 if (group->meth->field_decode)
369 if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
370 if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
374 if (!BN_copy(a, &group->a)) goto err;
375 if (!BN_copy(b, &group->b)) goto err;
378 /* check the discriminant:
379 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
385 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK, EC_R_DISCRIMINANT_IS_ZERO);
389 else if (!BN_is_zero(b))
391 if (!BN_mod_sqr(tmp_1, a, p, ctx)) goto err;
392 if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx)) goto err;
393 if (!BN_lshift(tmp_1, tmp_2, 2)) goto err;
396 if (!BN_mod_sqr(tmp_2, b, p, ctx)) goto err;
397 if (!BN_mul_word(tmp_2, 27)) goto err;
400 if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx)) goto err;
403 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK, EC_R_DISCRIMINANT_IS_ZERO);
408 /* check the generator */
409 if (group->generator == NULL)
411 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK, EC_R_UNDEFINED_GENERATOR);
414 if (!ec_GFp_simple_is_on_curve(group, group->generator, ctx))
416 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK, EC_R_POINT_IS_NOT_ON_CURVE);
420 /* check the order of the generator */
421 if ((point = EC_POINT_new(group)) == NULL) goto err;
422 if (!EC_GROUP_get_order(group, order, ctx)) goto err;
423 if (BN_is_zero(order))
425 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK, EC_R_UNDEFINED_ORDER);
429 if (!EC_POINT_mul(group, point, order, NULL, NULL, ctx)) goto err;
430 if (!EC_POINT_is_at_infinity(group, point))
432 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK, EC_R_INVALID_GROUP_ORDER);
441 BN_CTX_free(new_ctx);
443 EC_POINT_free(point);
448 int ec_GFp_simple_point_init(EC_POINT *point)
459 void ec_GFp_simple_point_finish(EC_POINT *point)
467 void ec_GFp_simple_point_clear_finish(EC_POINT *point)
469 BN_clear_free(&point->X);
470 BN_clear_free(&point->Y);
471 BN_clear_free(&point->Z);
476 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
478 if (!BN_copy(&dest->X, &src->X)) return 0;
479 if (!BN_copy(&dest->Y, &src->Y)) return 0;
480 if (!BN_copy(&dest->Z, &src->Z)) return 0;
481 dest->Z_is_one = src->Z_is_one;
487 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
490 return (BN_zero(&point->Z));
494 int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
495 const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
497 BN_CTX *new_ctx = NULL;
502 ctx = new_ctx = BN_CTX_new();
509 if (!BN_nnmod(&point->X, x, &group->field, ctx)) goto err;
510 if (group->meth->field_encode)
512 if (!group->meth->field_encode(group, &point->X, &point->X, ctx)) goto err;
518 if (!BN_nnmod(&point->Y, y, &group->field, ctx)) goto err;
519 if (group->meth->field_encode)
521 if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx)) goto err;
529 if (!BN_nnmod(&point->Z, z, &group->field, ctx)) goto err;
530 Z_is_one = BN_is_one(&point->Z);
531 if (group->meth->field_encode)
533 if (Z_is_one && (group->meth->field_set_to_one != 0))
535 if (!group->meth->field_set_to_one(group, &point->Z, ctx)) goto err;
539 if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) goto err;
542 point->Z_is_one = Z_is_one;
549 BN_CTX_free(new_ctx);
554 int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
555 BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
557 BN_CTX *new_ctx = NULL;
560 if (group->meth->field_decode != 0)
564 ctx = new_ctx = BN_CTX_new();
571 if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
575 if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
579 if (!group->meth->field_decode(group, z, &point->Z, ctx)) goto err;
586 if (!BN_copy(x, &point->X)) goto err;
590 if (!BN_copy(y, &point->Y)) goto err;
594 if (!BN_copy(z, &point->Z)) goto err;
602 BN_CTX_free(new_ctx);
607 int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
608 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
610 if (x == NULL || y == NULL)
612 /* unlike for projective coordinates, we do not tolerate this */
613 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_PASSED_NULL_PARAMETER);
617 return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
621 int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
622 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
624 BN_CTX *new_ctx = NULL;
625 BIGNUM *X, *Y, *Z, *Z_1, *Z_2, *Z_3;
626 const BIGNUM *X_, *Y_, *Z_;
629 if (EC_POINT_is_at_infinity(group, point))
631 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_POINT_AT_INFINITY);
637 ctx = new_ctx = BN_CTX_new();
646 Z_1 = BN_CTX_get(ctx);
647 Z_2 = BN_CTX_get(ctx);
648 Z_3 = BN_CTX_get(ctx);
649 if (Z_3 == NULL) goto err;
651 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
653 if (group->meth->field_decode)
655 if (!group->meth->field_decode(group, X, &point->X, ctx)) goto err;
656 if (!group->meth->field_decode(group, Y, &point->Y, ctx)) goto err;
657 if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err;
658 X_ = X; Y_ = Y; Z_ = Z;
671 if (!BN_copy(x, X_)) goto err;
675 if (!BN_copy(y, Y_)) goto err;
680 if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx))
682 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_BN_LIB);
686 if (group->meth->field_encode == 0)
688 /* field_sqr works on standard representation */
689 if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) goto err;
693 if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) goto err;
698 if (group->meth->field_encode == 0)
700 /* field_mul works on standard representation */
701 if (!group->meth->field_mul(group, x, X_, Z_2, ctx)) goto err;
705 if (!BN_mod_mul(x, X_, Z_2, &group->field, ctx)) goto err;
711 if (group->meth->field_encode == 0)
713 /* field_mul works on standard representation */
714 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err;
715 if (!group->meth->field_mul(group, y, Y_, Z_3, ctx)) goto err;
720 if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err;
721 if (!BN_mod_mul(y, Y_, Z_3, &group->field, ctx)) goto err;
731 BN_CTX_free(new_ctx);
736 int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
737 const BIGNUM *x_, int y_bit, BN_CTX *ctx)
739 BN_CTX *new_ctx = NULL;
740 BIGNUM *tmp1, *tmp2, *x, *y;
745 ctx = new_ctx = BN_CTX_new();
750 y_bit = (y_bit != 0);
753 tmp1 = BN_CTX_get(ctx);
754 tmp2 = BN_CTX_get(ctx);
757 if (y == NULL) goto err;
759 /* Recover y. We have a Weierstrass equation
760 * y^2 = x^3 + a*x + b,
761 * so y is one of the square roots of x^3 + a*x + b.
765 if (!BN_nnmod(x, x_, &group->field,ctx)) goto err;
766 if (group->meth->field_decode == 0)
768 /* field_{sqr,mul} work on standard representation */
769 if (!group->meth->field_sqr(group, tmp2, x_, ctx)) goto err;
770 if (!group->meth->field_mul(group, tmp1, tmp2, x_, ctx)) goto err;
774 if (!BN_mod_sqr(tmp2, x_, &group->field, ctx)) goto err;
775 if (!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx)) goto err;
778 /* tmp1 := tmp1 + a*x */
779 if (group->a_is_minus3)
781 if (!BN_mod_lshift1_quick(tmp2, x, &group->field)) goto err;
782 if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field)) goto err;
783 if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
787 if (group->meth->field_decode)
789 if (!group->meth->field_decode(group, tmp2, &group->a, ctx)) goto err;
790 if (!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx)) goto err;
794 /* field_mul works on standard representation */
795 if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) goto err;
798 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
801 /* tmp1 := tmp1 + b */
802 if (group->meth->field_decode)
804 if (!group->meth->field_decode(group, tmp2, &group->b, ctx)) goto err;
805 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
809 if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) goto err;
812 if (!BN_mod_sqrt(y, tmp1, &group->field, ctx))
814 unsigned long err = ERR_peek_error();
816 if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE)
818 (void)ERR_get_error();
819 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT);
822 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_BN_LIB);
825 /* If tmp1 is not a square (i.e. there is no point on the curve with
826 * our x), then y now is a nonsense value too */
828 if (y_bit != BN_is_odd(y))
834 kron = BN_kronecker(x, &group->field, ctx);
835 if (kron == -2) goto err;
838 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSION_BIT);
840 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT);
843 if (!BN_usub(y, &group->field, y)) goto err;
845 if (y_bit != BN_is_odd(y))
847 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_INTERNAL_ERROR);
851 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
858 BN_CTX_free(new_ctx);
863 size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
864 unsigned char *buf, size_t len, BN_CTX *ctx)
867 BN_CTX *new_ctx = NULL;
870 size_t field_len, i, skip;
872 if ((form != POINT_CONVERSION_COMPRESSED)
873 && (form != POINT_CONVERSION_UNCOMPRESSED)
874 && (form != POINT_CONVERSION_HYBRID))
876 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
880 if (EC_POINT_is_at_infinity(group, point))
882 /* encodes to a single 0 octet */
887 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
896 /* ret := required output buffer length */
897 field_len = BN_num_bytes(&group->field);
898 ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
900 /* if 'buf' is NULL, just return required length */
905 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
911 ctx = new_ctx = BN_CTX_new();
920 if (y == NULL) goto err;
922 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
924 if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y))
931 skip = field_len - BN_num_bytes(x);
932 if (skip > field_len)
934 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
942 skip = BN_bn2bin(x, buf + i);
944 if (i != 1 + field_len)
946 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
950 if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
952 skip = field_len - BN_num_bytes(y);
953 if (skip > field_len)
955 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
963 skip = BN_bn2bin(y, buf + i);
969 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
977 BN_CTX_free(new_ctx);
984 BN_CTX_free(new_ctx);
989 int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
990 const unsigned char *buf, size_t len, BN_CTX *ctx)
992 point_conversion_form_t form;
994 BN_CTX *new_ctx = NULL;
996 size_t field_len, enc_len;
1001 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
1007 if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
1008 && (form != POINT_CONVERSION_UNCOMPRESSED)
1009 && (form != POINT_CONVERSION_HYBRID))
1011 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
1014 if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit)
1016 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
1024 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
1028 return EC_POINT_set_to_infinity(group, point);
1031 field_len = BN_num_bytes(&group->field);
1032 enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
1036 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
1042 ctx = new_ctx = BN_CTX_new();
1048 x = BN_CTX_get(ctx);
1049 y = BN_CTX_get(ctx);
1050 if (y == NULL) goto err;
1052 if (!BN_bin2bn(buf + 1, field_len, x)) goto err;
1053 if (BN_ucmp(x, &group->field) >= 0)
1055 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
1059 if (form == POINT_CONVERSION_COMPRESSED)
1061 if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) goto err;
1065 if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
1066 if (BN_ucmp(y, &group->field) >= 0)
1068 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
1071 if (form == POINT_CONVERSION_HYBRID)
1073 if (y_bit != BN_is_odd(y))
1075 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
1080 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1083 if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
1085 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
1093 if (new_ctx != NULL)
1094 BN_CTX_free(new_ctx);
1099 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
1101 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1102 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1104 BN_CTX *new_ctx = NULL;
1105 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
1109 return EC_POINT_dbl(group, r, a, ctx);
1110 if (EC_POINT_is_at_infinity(group, a))
1111 return EC_POINT_copy(r, b);
1112 if (EC_POINT_is_at_infinity(group, b))
1113 return EC_POINT_copy(r, a);
1115 field_mul = group->meth->field_mul;
1116 field_sqr = group->meth->field_sqr;
1121 ctx = new_ctx = BN_CTX_new();
1127 n0 = BN_CTX_get(ctx);
1128 n1 = BN_CTX_get(ctx);
1129 n2 = BN_CTX_get(ctx);
1130 n3 = BN_CTX_get(ctx);
1131 n4 = BN_CTX_get(ctx);
1132 n5 = BN_CTX_get(ctx);
1133 n6 = BN_CTX_get(ctx);
1134 if (n6 == NULL) goto end;
1136 /* Note that in this function we must not read components of 'a' or 'b'
1137 * once we have written the corresponding components of 'r'.
1138 * ('r' might be one of 'a' or 'b'.)
1144 if (!BN_copy(n1, &a->X)) goto end;
1145 if (!BN_copy(n2, &a->Y)) goto end;
1151 if (!field_sqr(group, n0, &b->Z, ctx)) goto end;
1152 if (!field_mul(group, n1, &a->X, n0, ctx)) goto end;
1153 /* n1 = X_a * Z_b^2 */
1155 if (!field_mul(group, n0, n0, &b->Z, ctx)) goto end;
1156 if (!field_mul(group, n2, &a->Y, n0, ctx)) goto end;
1157 /* n2 = Y_a * Z_b^3 */
1163 if (!BN_copy(n3, &b->X)) goto end;
1164 if (!BN_copy(n4, &b->Y)) goto end;
1170 if (!field_sqr(group, n0, &a->Z, ctx)) goto end;
1171 if (!field_mul(group, n3, &b->X, n0, ctx)) goto end;
1172 /* n3 = X_b * Z_a^2 */
1174 if (!field_mul(group, n0, n0, &a->Z, ctx)) goto end;
1175 if (!field_mul(group, n4, &b->Y, n0, ctx)) goto end;
1176 /* n4 = Y_b * Z_a^3 */
1180 if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end;
1181 if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end;
1189 /* a is the same point as b */
1191 ret = EC_POINT_dbl(group, r, a, ctx);
1197 /* a is the inverse of b */
1198 if (!BN_zero(&r->Z)) goto end;
1206 if (!BN_mod_add_quick(n1, n1, n3, p)) goto end;
1207 if (!BN_mod_add_quick(n2, n2, n4, p)) goto end;
1208 /* 'n7' = n1 + n3 */
1209 /* 'n8' = n2 + n4 */
1212 if (a->Z_is_one && b->Z_is_one)
1214 if (!BN_copy(&r->Z, n5)) goto end;
1219 { if (!BN_copy(n0, &b->Z)) goto end; }
1220 else if (b->Z_is_one)
1221 { if (!BN_copy(n0, &a->Z)) goto end; }
1223 { if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) goto end; }
1224 if (!field_mul(group, &r->Z, n0, n5, ctx)) goto end;
1227 /* Z_r = Z_a * Z_b * n5 */
1230 if (!field_sqr(group, n0, n6, ctx)) goto end;
1231 if (!field_sqr(group, n4, n5, ctx)) goto end;
1232 if (!field_mul(group, n3, n1, n4, ctx)) goto end;
1233 if (!BN_mod_sub_quick(&r->X, n0, n3, p)) goto end;
1234 /* X_r = n6^2 - n5^2 * 'n7' */
1237 if (!BN_mod_lshift1_quick(n0, &r->X, p)) goto end;
1238 if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end;
1239 /* n9 = n5^2 * 'n7' - 2 * X_r */
1242 if (!field_mul(group, n0, n0, n6, ctx)) goto end;
1243 if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */
1244 if (!field_mul(group, n1, n2, n5, ctx)) goto end;
1245 if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end;
1247 if (!BN_add(n0, n0, p)) goto end;
1248 /* now 0 <= n0 < 2*p, and n0 is even */
1249 if (!BN_rshift1(&r->Y, n0)) goto end;
1250 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
1255 if (ctx) /* otherwise we already called BN_CTX_end */
1257 if (new_ctx != NULL)
1258 BN_CTX_free(new_ctx);
1263 int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
1265 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1266 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1268 BN_CTX *new_ctx = NULL;
1269 BIGNUM *n0, *n1, *n2, *n3;
1272 if (EC_POINT_is_at_infinity(group, a))
1274 if (!BN_zero(&r->Z)) return 0;
1279 field_mul = group->meth->field_mul;
1280 field_sqr = group->meth->field_sqr;
1285 ctx = new_ctx = BN_CTX_new();
1291 n0 = BN_CTX_get(ctx);
1292 n1 = BN_CTX_get(ctx);
1293 n2 = BN_CTX_get(ctx);
1294 n3 = BN_CTX_get(ctx);
1295 if (n3 == NULL) goto err;
1297 /* Note that in this function we must not read components of 'a'
1298 * once we have written the corresponding components of 'r'.
1299 * ('r' might the same as 'a'.)
1305 if (!field_sqr(group, n0, &a->X, ctx)) goto err;
1306 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
1307 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
1308 if (!BN_mod_add_quick(n1, n0, &group->a, p)) goto err;
1309 /* n1 = 3 * X_a^2 + a_curve */
1311 else if (group->a_is_minus3)
1313 if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
1314 if (!BN_mod_add_quick(n0, &a->X, n1, p)) goto err;
1315 if (!BN_mod_sub_quick(n2, &a->X, n1, p)) goto err;
1316 if (!field_mul(group, n1, n0, n2, ctx)) goto err;
1317 if (!BN_mod_lshift1_quick(n0, n1, p)) goto err;
1318 if (!BN_mod_add_quick(n1, n0, n1, p)) goto err;
1319 /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
1320 * = 3 * X_a^2 - 3 * Z_a^4 */
1324 if (!field_sqr(group, n0, &a->X, ctx)) goto err;
1325 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
1326 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
1327 if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
1328 if (!field_sqr(group, n1, n1, ctx)) goto err;
1329 if (!field_mul(group, n1, n1, &group->a, ctx)) goto err;
1330 if (!BN_mod_add_quick(n1, n1, n0, p)) goto err;
1331 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
1337 if (!BN_copy(n0, &a->Y)) goto err;
1341 if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) goto err;
1343 if (!BN_mod_lshift1_quick(&r->Z, n0, p)) goto err;
1345 /* Z_r = 2 * Y_a * Z_a */
1348 if (!field_sqr(group, n3, &a->Y, ctx)) goto err;
1349 if (!field_mul(group, n2, &a->X, n3, ctx)) goto err;
1350 if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err;
1351 /* n2 = 4 * X_a * Y_a^2 */
1354 if (!BN_mod_lshift1_quick(n0, n2, p)) goto err;
1355 if (!field_sqr(group, &r->X, n1, ctx)) goto err;
1356 if (!BN_mod_sub_quick(&r->X, &r->X, n0, p)) goto err;
1357 /* X_r = n1^2 - 2 * n2 */
1360 if (!field_sqr(group, n0, n3, ctx)) goto err;
1361 if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err;
1362 /* n3 = 8 * Y_a^4 */
1365 if (!BN_mod_sub_quick(n0, n2, &r->X, p)) goto err;
1366 if (!field_mul(group, n0, n1, n0, ctx)) goto err;
1367 if (!BN_mod_sub_quick(&r->Y, n0, n3, p)) goto err;
1368 /* Y_r = n1 * (n2 - X_r) - n3 */
1374 if (new_ctx != NULL)
1375 BN_CTX_free(new_ctx);
1380 int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1382 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
1383 /* point is its own inverse */
1386 return BN_usub(&point->Y, &group->field, &point->Y);
1390 int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
1392 return BN_is_zero(&point->Z);
1396 int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
1398 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1399 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1401 BN_CTX *new_ctx = NULL;
1402 BIGNUM *rh, *tmp1, *tmp2, *Z4, *Z6;
1405 if (EC_POINT_is_at_infinity(group, point))
1408 field_mul = group->meth->field_mul;
1409 field_sqr = group->meth->field_sqr;
1414 ctx = new_ctx = BN_CTX_new();
1420 rh = BN_CTX_get(ctx);
1421 tmp1 = BN_CTX_get(ctx);
1422 tmp2 = BN_CTX_get(ctx);
1423 Z4 = BN_CTX_get(ctx);
1424 Z6 = BN_CTX_get(ctx);
1425 if (Z6 == NULL) goto err;
1427 /* We have a curve defined by a Weierstrass equation
1428 * y^2 = x^3 + a*x + b.
1429 * The point to consider is given in Jacobian projective coordinates
1430 * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
1431 * Substituting this and multiplying by Z^6 transforms the above equation into
1432 * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
1433 * To test this, we add up the right-hand side in 'rh'.
1437 if (!field_sqr(group, rh, &point->X, ctx)) goto err;
1438 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1440 if (!point->Z_is_one)
1442 if (!field_sqr(group, tmp1, &point->Z, ctx)) goto err;
1443 if (!field_sqr(group, Z4, tmp1, ctx)) goto err;
1444 if (!field_mul(group, Z6, Z4, tmp1, ctx)) goto err;
1446 /* rh := rh + a*X*Z^4 */
1447 if (!field_mul(group, tmp1, &point->X, Z4, ctx)) goto err;
1448 if (group->a_is_minus3)
1450 if (!BN_mod_lshift1_quick(tmp2, tmp1, p)) goto err;
1451 if (!BN_mod_add_quick(tmp2, tmp2, tmp1, p)) goto err;
1452 if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
1456 if (!field_mul(group, tmp2, tmp1, &group->a, ctx)) goto err;
1457 if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
1460 /* rh := rh + b*Z^6 */
1461 if (!field_mul(group, tmp1, &group->b, Z6, ctx)) goto err;
1462 if (!BN_mod_add_quick(rh, rh, tmp1, p)) goto err;
1466 /* point->Z_is_one */
1468 /* rh := rh + a*X */
1469 if (group->a_is_minus3)
1471 if (!BN_mod_lshift1_quick(tmp2, &point->X, p)) goto err;
1472 if (!BN_mod_add_quick(tmp2, tmp2, &point->X, p)) goto err;
1473 if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
1477 if (!field_mul(group, tmp2, &point->X, &group->a, ctx)) goto err;
1478 if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
1482 if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err;
1486 if (!field_sqr(group, tmp1, &point->Y, ctx)) goto err;
1488 ret = (0 == BN_cmp(tmp1, rh));
1492 if (new_ctx != NULL)
1493 BN_CTX_free(new_ctx);
1498 int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
1502 * 0 equal (in affine coordinates)
1506 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1507 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1508 BN_CTX *new_ctx = NULL;
1509 BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
1510 const BIGNUM *tmp1_, *tmp2_;
1513 if (EC_POINT_is_at_infinity(group, a))
1515 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
1518 if (a->Z_is_one && b->Z_is_one)
1520 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
1523 field_mul = group->meth->field_mul;
1524 field_sqr = group->meth->field_sqr;
1528 ctx = new_ctx = BN_CTX_new();
1534 tmp1 = BN_CTX_get(ctx);
1535 tmp2 = BN_CTX_get(ctx);
1536 Za23 = BN_CTX_get(ctx);
1537 Zb23 = BN_CTX_get(ctx);
1538 if (Zb23 == NULL) goto end;
1540 /* We have to decide whether
1541 * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
1542 * or equivalently, whether
1543 * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
1548 if (!field_sqr(group, Zb23, &b->Z, ctx)) goto end;
1549 if (!field_mul(group, tmp1, &a->X, Zb23, ctx)) goto end;
1556 if (!field_sqr(group, Za23, &a->Z, ctx)) goto end;
1557 if (!field_mul(group, tmp2, &b->X, Za23, ctx)) goto end;
1563 /* compare X_a*Z_b^2 with X_b*Z_a^2 */
1564 if (BN_cmp(tmp1_, tmp2_) != 0)
1566 ret = 1; /* points differ */
1573 if (!field_mul(group, Zb23, Zb23, &b->Z, ctx)) goto end;
1574 if (!field_mul(group, tmp1, &a->Y, Zb23, ctx)) goto end;
1581 if (!field_mul(group, Za23, Za23, &a->Z, ctx)) goto end;
1582 if (!field_mul(group, tmp2, &b->Y, Za23, ctx)) goto end;
1588 /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
1589 if (BN_cmp(tmp1_, tmp2_) != 0)
1591 ret = 1; /* points differ */
1595 /* points are equal */
1600 if (new_ctx != NULL)
1601 BN_CTX_free(new_ctx);
1606 int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1608 BN_CTX *new_ctx = NULL;
1612 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
1617 ctx = new_ctx = BN_CTX_new();
1623 x = BN_CTX_get(ctx);
1624 y = BN_CTX_get(ctx);
1625 if (y == NULL) goto err;
1627 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1628 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1629 if (!point->Z_is_one)
1631 ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
1639 if (new_ctx != NULL)
1640 BN_CTX_free(new_ctx);
1645 int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
1647 BN_CTX *new_ctx = NULL;
1648 BIGNUM *tmp0, *tmp1;
1650 BIGNUM **heap = NULL;
1659 ctx = new_ctx = BN_CTX_new();
1665 tmp0 = BN_CTX_get(ctx);
1666 tmp1 = BN_CTX_get(ctx);
1667 if (tmp0 == NULL || tmp1 == NULL) goto err;
1669 /* Before converting the individual points, compute inverses of all Z values.
1670 * Modular inversion is rather slow, but luckily we can do with a single
1671 * explicit inversion, plus about 3 multiplications per input value.
1677 /* Now pow2 is the smallest power of 2 satifsying pow2 >= num.
1678 * We need twice that. */
1681 heap = OPENSSL_malloc(pow2 * sizeof heap[0]);
1682 if (heap == NULL) goto err;
1684 /* The array is used as a binary tree, exactly as in heapsort:
1688 * heap[4] heap[5] heap[6] heap[7]
1689 * heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15]
1691 * We put the Z's in the last line;
1692 * then we set each other node to the product of its two child-nodes (where
1693 * empty or 0 entries are treated as ones);
1694 * then we invert heap[1];
1695 * then we invert each other node by replacing it by the product of its
1696 * parent (after inversion) and its sibling (before inversion).
1699 for (i = pow2/2 - 1; i > 0; i--)
1701 for (i = 0; i < num; i++)
1702 heap[pow2/2 + i] = &points[i]->Z;
1703 for (i = pow2/2 + num; i < pow2; i++)
1706 /* set each node to the product of its children */
1707 for (i = pow2/2 - 1; i > 0; i--)
1710 if (heap[i] == NULL) goto err;
1712 if (heap[2*i] != NULL)
1714 if ((heap[2*i + 1] == NULL) || BN_is_zero(heap[2*i + 1]))
1716 if (!BN_copy(heap[i], heap[2*i])) goto err;
1720 if (BN_is_zero(heap[2*i]))
1722 if (!BN_copy(heap[i], heap[2*i + 1])) goto err;
1726 if (!group->meth->field_mul(group, heap[i],
1727 heap[2*i], heap[2*i + 1], ctx)) goto err;
1733 /* invert heap[1] */
1734 if (!BN_is_zero(heap[1]))
1736 if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx))
1738 ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
1742 if (group->meth->field_encode != 0)
1744 /* in the Montgomery case, we just turned R*H (representing H)
1745 * into 1/(R*H), but we need R*(1/H) (representing 1/H);
1746 * i.e. we have need to multiply by the Montgomery factor twice */
1747 if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
1748 if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
1751 /* set other heap[i]'s to their inverses */
1752 for (i = 2; i < pow2/2 + num; i += 2)
1755 if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1]))
1757 if (!group->meth->field_mul(group, tmp0, heap[i/2], heap[i + 1], ctx)) goto err;
1758 if (!group->meth->field_mul(group, tmp1, heap[i/2], heap[i], ctx)) goto err;
1759 if (!BN_copy(heap[i], tmp0)) goto err;
1760 if (!BN_copy(heap[i + 1], tmp1)) goto err;
1764 if (!BN_copy(heap[i], heap[i/2])) goto err;
1768 /* we have replaced all non-zero Z's by their inverses, now fix up all the points */
1769 for (i = 0; i < num; i++)
1771 EC_POINT *p = points[i];
1773 if (!BN_is_zero(&p->Z))
1775 /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
1777 if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx)) goto err;
1778 if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx)) goto err;
1780 if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx)) goto err;
1781 if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx)) goto err;
1783 if (group->meth->field_set_to_one != 0)
1785 if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err;
1789 if (!BN_one(&p->Z)) goto err;
1799 if (new_ctx != NULL)
1800 BN_CTX_free(new_ctx);
1803 /* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */
1804 for (i = pow2/2 - 1; i > 0; i--)
1806 if (heap[i] != NULL)
1807 BN_clear_free(heap[i]);
1815 int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
1817 return BN_mod_mul(r, a, b, &group->field, ctx);
1821 int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
1823 return BN_mod_sqr(r, a, &group->field, ctx);
projects / oweals / openssl.git / blob