/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
+/*
+ * ECDSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
#include <openssl/err.h>
-#include "internal/bn_int.h"
-#include "ec_lcl.h"
+#include "crypto/bn.h"
+#include "ec_local.h"
#ifndef OPENSSL_NO_EC2M
{
int ret = 0;
BIGNUM *b;
+#ifndef FIPS_MODE
BN_CTX *new_ctx = NULL;
if (ctx == NULL) {
goto err;
}
}
+#endif
BN_CTX_start(ctx);
b = BN_CTX_get(ctx);
if (b == NULL)
ret = 1;
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
+#ifndef FIPS_MODE
BN_CTX_free(new_ctx);
+#endif
return ret;
}
int ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
const EC_POINT *b, BN_CTX *ctx)
{
- BN_CTX *new_ctx = NULL;
BIGNUM *x0, *y0, *x1, *y1, *x2, *y2, *s, *t;
int ret = 0;
+#ifndef FIPS_MODE
+ BN_CTX *new_ctx = NULL;
+#endif
if (EC_POINT_is_at_infinity(group, a)) {
if (!EC_POINT_copy(r, b))
return 1;
}
+#ifndef FIPS_MODE
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
return 0;
}
+#endif
BN_CTX_start(ctx);
x0 = BN_CTX_get(ctx);
if (!BN_copy(y0, a->Y))
goto err;
} else {
- if (!EC_POINT_get_affine_coordinates_GF2m(group, a, x0, y0, ctx))
+ if (!EC_POINT_get_affine_coordinates(group, a, x0, y0, ctx))
goto err;
}
if (b->Z_is_one) {
if (!BN_copy(y1, b->Y))
goto err;
} else {
- if (!EC_POINT_get_affine_coordinates_GF2m(group, b, x1, y1, ctx))
+ if (!EC_POINT_get_affine_coordinates(group, b, x1, y1, ctx))
goto err;
}
if (!BN_GF2m_add(y2, y2, y1))
goto err;
- if (!EC_POINT_set_affine_coordinates_GF2m(group, r, x2, y2, ctx))
+ if (!EC_POINT_set_affine_coordinates(group, r, x2, y2, ctx))
goto err;
ret = 1;
err:
BN_CTX_end(ctx);
+#ifndef FIPS_MODE
BN_CTX_free(new_ctx);
+#endif
return ret;
}
BN_CTX *ctx)
{
int ret = -1;
- BN_CTX *new_ctx = NULL;
BIGNUM *lh, *y2;
int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
const BIGNUM *, BN_CTX *);
int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+#ifndef FIPS_MODE
+ BN_CTX *new_ctx = NULL;
+#endif
if (EC_POINT_is_at_infinity(group, point))
return 1;
if (!point->Z_is_one)
return -1;
+#ifndef FIPS_MODE
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
return -1;
}
+#endif
BN_CTX_start(ctx);
y2 = BN_CTX_get(ctx);
err:
BN_CTX_end(ctx);
+#ifndef FIPS_MODE
BN_CTX_free(new_ctx);
+#endif
return ret;
}
const EC_POINT *b, BN_CTX *ctx)
{
BIGNUM *aX, *aY, *bX, *bY;
- BN_CTX *new_ctx = NULL;
int ret = -1;
+#ifndef FIPS_MODE
+ BN_CTX *new_ctx = NULL;
+#endif
if (EC_POINT_is_at_infinity(group, a)) {
return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
return ((BN_cmp(a->X, b->X) == 0) && BN_cmp(a->Y, b->Y) == 0) ? 0 : 1;
}
+#ifndef FIPS_MODE
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
return -1;
}
+#endif
BN_CTX_start(ctx);
aX = BN_CTX_get(ctx);
if (bY == NULL)
goto err;
- if (!EC_POINT_get_affine_coordinates_GF2m(group, a, aX, aY, ctx))
+ if (!EC_POINT_get_affine_coordinates(group, a, aX, aY, ctx))
goto err;
- if (!EC_POINT_get_affine_coordinates_GF2m(group, b, bX, bY, ctx))
+ if (!EC_POINT_get_affine_coordinates(group, b, bX, bY, ctx))
goto err;
ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1;
err:
BN_CTX_end(ctx);
+#ifndef FIPS_MODE
BN_CTX_free(new_ctx);
+#endif
return ret;
}
int ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
BN_CTX *ctx)
{
- BN_CTX *new_ctx = NULL;
BIGNUM *x, *y;
int ret = 0;
+#ifndef FIPS_MODE
+ BN_CTX *new_ctx = NULL;
+#endif
if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
return 1;
+#ifndef FIPS_MODE
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
return 0;
}
+#endif
BN_CTX_start(ctx);
x = BN_CTX_get(ctx);
if (y == NULL)
goto err;
- if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx))
+ if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
goto err;
if (!BN_copy(point->X, x))
goto err;
err:
BN_CTX_end(ctx);
+#ifndef FIPS_MODE
BN_CTX_free(new_ctx);
+#endif
return ret;
}
/* s blinding: make sure lambda (s->Z here) is not zero */
do {
- if (!BN_priv_rand(s->Z, BN_num_bits(group->field) - 1,
- BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
+ if (!BN_priv_rand_ex(s->Z, BN_num_bits(group->field) - 1,
+ BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, ctx)) {
ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_PRE, ERR_R_BN_LIB);
return 0;
}
/* r blinding: make sure lambda (r->Y here for storage) is not zero */
do {
- if (!BN_priv_rand(r->Y, BN_num_bits(group->field) - 1,
- BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
+ if (!BN_priv_rand_ex(r->Y, BN_num_bits(group->field) - 1,
+ BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, ctx)) {
ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_PRE, ERR_R_BN_LIB);
return 0;
}
|| !group->meth->field_mul(group, t2, t2, t0, ctx)
|| !BN_GF2m_add(t1, t2, t1)
|| !group->meth->field_mul(group, t2, p->X, t0, ctx)
- || !BN_GF2m_mod_inv(t2, t2, group->field, ctx)
+ || !group->meth->field_inv(group, t2, t2, ctx)
|| !group->meth->field_mul(group, t1, t1, t2, ctx)
|| !group->meth->field_mul(group, r->X, r->Z, t2, ctx)
|| !BN_GF2m_add(t2, p->X, r->X)
return ret;
}
+/*-
+ * Computes the multiplicative inverse of a in GF(2^m), storing the result in r.
+ * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
+ * SCA hardening is with blinding: BN_GF2m_mod_inv does that.
+ */
+static int ec_GF2m_simple_field_inv(const EC_GROUP *group, BIGNUM *r,
+ const BIGNUM *a, BN_CTX *ctx)
+{
+ int ret;
+
+ if (!(ret = BN_GF2m_mod_inv(r, a, group->field, ctx)))
+ ECerr(EC_F_EC_GF2M_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
+ return ret;
+}
+
const EC_METHOD *EC_GF2m_simple_method(void)
{
static const EC_METHOD ret = {
ec_GF2m_simple_point_clear_finish,
ec_GF2m_simple_point_copy,
ec_GF2m_simple_point_set_to_infinity,
- 0, /* set_Jprojective_coordinates_GFp */
- 0, /* get_Jprojective_coordinates_GFp */
ec_GF2m_simple_point_set_affine_coordinates,
ec_GF2m_simple_point_get_affine_coordinates,
0, /* point_set_compressed_coordinates */
ec_GF2m_simple_field_mul,
ec_GF2m_simple_field_sqr,
ec_GF2m_simple_field_div,
+ ec_GF2m_simple_field_inv,
0, /* field_encode */
0, /* field_decode */
0, /* field_set_to_one */
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
+ ecdsa_simple_sign_setup,
+ ecdsa_simple_sign_sig,
+ ecdsa_simple_verify_sig,
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
ec_GF2m_simple_ladder_pre,