Home Explore Help
Sign In
mirror
/
grpc-swift
mirror of https://github.com/grpc/grpc-swift.git
2
0
Fork 0
Files Issues 0 Wiki
Tree: b798520a3c
Branches Tags
grpc-swift
/
Sources
/
BoringSSL
/
crypto
/
ec
/
simple.c

simple.c 31 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237 
  1. /* Originally written by Bodo Moeller for the OpenSSL project.
    2. 

  2.  * ====================================================================
    3. 

  3.  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
    4. 

  4.  *
    5. 

  5.  * Redistribution and use in source and binary forms, with or without
    6. 

  6.  * modification, are permitted provided that the following conditions
    7. 

  7.  * are met:
    8. 

  8.  *
    9. 

  9.  * 1. Redistributions of source code must retain the above copyright
    10. 

  10.  *    notice, this list of conditions and the following disclaimer.
    11. 

  11.  *
    12. 

  12.  * 2. Redistributions in binary form must reproduce the above copyright
    13. 

  13.  *    notice, this list of conditions and the following disclaimer in
    14. 

  14.  *    the documentation and/or other materials provided with the
    15. 

  15.  *    distribution.
    16. 

  16.  *
    17. 

  17.  * 3. All advertising materials mentioning features or use of this
    18. 

  18.  *    software must display the following acknowledgment:
    19. 

  19.  *    "This product includes software developed by the OpenSSL Project
    20. 

  20.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
    21. 

  21.  *
    22. 

  22.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
    23. 

  23.  *    endorse or promote products derived from this software without
    24. 

  24.  *    prior written permission. For written permission, please contact
    25. 

  25.  *    openssl-core@openssl.org.
    26. 

  26.  *
    27. 

  27.  * 5. Products derived from this software may not be called "OpenSSL"
    28. 

  28.  *    nor may "OpenSSL" appear in their names without prior written
    29. 

  29.  *    permission of the OpenSSL Project.
    30. 

  30.  *
    31. 

  31.  * 6. Redistributions of any form whatsoever must retain the following
    32. 

  32.  *    acknowledgment:
    33. 

  33.  *    "This product includes software developed by the OpenSSL Project
    34. 

  34.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
    35. 

  35.  *
    36. 

  36.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
    37. 

  37.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    38. 

  38.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    39. 

  39.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
    40. 

  40.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
    41. 

  41.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
    42. 

  42.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
    43. 

  43.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    44. 

  44.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    45. 

  45.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    46. 

  46.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    47. 

  47.  * OF THE POSSIBILITY OF SUCH DAMAGE.
    48. 

  48.  * ====================================================================
    49. 

  49.  *
    50. 

  50.  * This product includes cryptographic software written by Eric Young
    51. 

  51.  * (eay@cryptsoft.com).  This product includes software written by Tim
    52. 

  52.  * Hudson (tjh@cryptsoft.com).
    53. 

  53.  *
    54. 

  54.  */
    55. 

  55. /* ====================================================================
    56. 

  56.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
    57. 

  57.  *
    58. 

  58.  * Portions of the attached software ("Contribution") are developed by
    59. 

  59.  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
    60. 

  60.  *
    61. 

  61.  * The Contribution is licensed pursuant to the OpenSSL open source
    62. 

  62.  * license provided above.
    63. 

  63.  *
    64. 

  64.  * The elliptic curve binary polynomial software is originally written by
    65. 

  65.  * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
    66. 

  66.  * Laboratories. */
    67. 

  67. 

  68. #include <openssl/ec.h>
    69. 

  69. 

  70. #include <string.h>
    71. 

  71. 

  72. #include <openssl/bn.h>
    73. 

  73. #include <openssl/err.h>
    74. 

  74. #include <openssl/mem.h>
    75. 

  75. 

  76. #include "internal.h"
    77. 

  77. 

  78. 

  79. /* Most method functions in this file are designed to work with non-trivial
    80. 

  80.  * representations of field elements if necessary (see ecp_mont.c): while
    81. 

  81.  * standard modular addition and subtraction are used, the field_mul and
    82. 

  82.  * field_sqr methods will be used for multiplication, and field_encode and
    83. 

  83.  * field_decode (if defined) will be used for converting between
    84. 

  84.  * representations.
    85. 

  85. 

  86.  * Functions ec_GFp_simple_points_make_affine() and
    87. 

  87.  * ec_GFp_simple_point_get_affine_coordinates() specifically assume that if a
    88. 

  88.  * non-trivial representation is used, it is a Montgomery representation (i.e.
    89. 

  89.  * 'encoding' means multiplying by some factor R). */
    90. 

  90. 

  91. int ec_GFp_simple_group_init(EC_GROUP *group) {
    92. 

  92.   BN_init(&group->field);
    93. 

  93.   BN_init(&group->a);
    94. 

  94.   BN_init(&group->b);
    95. 

  95.   group->a_is_minus3 = 0;
    96. 

  96.   return 1;
    97. 

  97. }
    98. 

  98. 

  99. void ec_GFp_simple_group_finish(EC_GROUP *group) {
    100. 

  100.   BN_free(&group->field);
    101. 

  101.   BN_free(&group->a);
    102. 

  102.   BN_free(&group->b);
    103. 

  103. }
    104. 

  104. 

  105. int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src) {
    106. 

  106.   if (!BN_copy(&dest->field, &src->field) ||
    107. 

  107.       !BN_copy(&dest->a, &src->a) ||
    108. 

  108.       !BN_copy(&dest->b, &src->b)) {
    109. 

  109.     return 0;
    110. 

  110.   }
    111. 

  111. 

  112.   dest->a_is_minus3 = src->a_is_minus3;
    113. 

  113.   return 1;
    114. 

  114. }
    115. 

  115. 

  116. int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
    117. 

  117.                                   const BIGNUM *a, const BIGNUM *b,
    118. 

  118.                                   BN_CTX *ctx) {
    119. 

  119.   int ret = 0;
    120. 

  120.   BN_CTX *new_ctx = NULL;
    121. 

  121.   BIGNUM *tmp_a;
    122. 

  122. 

  123.   /* p must be a prime > 3 */
    124. 

  124.   if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
    125. 

  125.     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD);
    126. 

  126.     return 0;
    127. 

  127.   }
    128. 

  128. 

  129.   if (ctx == NULL) {
    130. 

  130.     ctx = new_ctx = BN_CTX_new();
    131. 

  131.     if (ctx == NULL) {
    132. 

  132.       return 0;
    133. 

  133.     }
    134. 

  134.   }
    135. 

  135. 

  136.   BN_CTX_start(ctx);
    137. 

  137.   tmp_a = BN_CTX_get(ctx);
    138. 

  138.   if (tmp_a == NULL) {
    139. 

  139.     goto err;
    140. 

  140.   }
    141. 

  141. 

  142.   /* group->field */
    143. 

  143.   if (!BN_copy(&group->field, p)) {
    144. 

  144.     goto err;
    145. 

  145.   }
    146. 

  146.   BN_set_negative(&group->field, 0);
    147. 

  147. 

  148.   /* group->a */
    149. 

  149.   if (!BN_nnmod(tmp_a, a, p, ctx)) {
    150. 

  150.     goto err;
    151. 

  151.   }
    152. 

  152.   if (group->meth->field_encode) {
    153. 

  153.     if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) {
    154. 

  154.       goto err;
    155. 

  155.     }
    156. 

  156.   } else if (!BN_copy(&group->a, tmp_a)) {
    157. 

  157.     goto err;
    158. 

  158.   }
    159. 

  159. 

  160.   /* group->b */
    161. 

  161.   if (!BN_nnmod(&group->b, b, p, ctx)) {
    162. 

  162.     goto err;
    163. 

  163.   }
    164. 

  164.   if (group->meth->field_encode &&
    165. 

  165.       !group->meth->field_encode(group, &group->b, &group->b, ctx)) {
    166. 

  166.     goto err;
    167. 

  167.   }
    168. 

  168. 

  169.   /* group->a_is_minus3 */
    170. 

  170.   if (!BN_add_word(tmp_a, 3)) {
    171. 

  171.     goto err;
    172. 

  172.   }
    173. 

  173.   group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
    174. 

  174. 

  175.   ret = 1;
    176. 

  176. 

  177. err:
    178. 

  178.   BN_CTX_end(ctx);
    179. 

  179.   BN_CTX_free(new_ctx);
    180. 

  180.   return ret;
    181. 

  181. }
    182. 

  182. 

  183. int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
    184. 

  184.                                   BIGNUM *b, BN_CTX *ctx) {
    185. 

  185.   int ret = 0;
    186. 

  186.   BN_CTX *new_ctx = NULL;
    187. 

  187. 

  188.   if (p != NULL && !BN_copy(p, &group->field)) {
    189. 

  189.     return 0;
    190. 

  190.   }
    191. 

  191. 

  192.   if (a != NULL || b != NULL) {
    193. 

  193.     if (group->meth->field_decode) {
    194. 

  194.       if (ctx == NULL) {
    195. 

  195.         ctx = new_ctx = BN_CTX_new();
    196. 

  196.         if (ctx == NULL) {
    197. 

  197.           return 0;
    198. 

  198.         }
    199. 

  199.       }
    200. 

  200.       if (a != NULL && !group->meth->field_decode(group, a, &group->a, ctx)) {
    201. 

  201.         goto err;
    202. 

  202.       }
    203. 

  203.       if (b != NULL && !group->meth->field_decode(group, b, &group->b, ctx)) {
    204. 

  204.         goto err;
    205. 

  205.       }
    206. 

  206.     } else {
    207. 

  207.       if (a != NULL && !BN_copy(a, &group->a)) {
    208. 

  208.         goto err;
    209. 

  209.       }
    210. 

  210.       if (b != NULL && !BN_copy(b, &group->b)) {
    211. 

  211.         goto err;
    212. 

  212.       }
    213. 

  213.     }
    214. 

  214.   }
    215. 

  215. 

  216.   ret = 1;
    217. 

  217. 

  218. err:
    219. 

  219.   BN_CTX_free(new_ctx);
    220. 

  220.   return ret;
    221. 

  221. }
    222. 

  222. 

  223. unsigned ec_GFp_simple_group_get_degree(const EC_GROUP *group) {
    224. 

  224.   return BN_num_bits(&group->field);
    225. 

  225. }
    226. 

  226. 

  227. int ec_GFp_simple_point_init(EC_POINT *point) {
    228. 

  228.   BN_init(&point->X);
    229. 

  229.   BN_init(&point->Y);
    230. 

  230.   BN_init(&point->Z);
    231. 

  231.   point->Z_is_one = 0;
    232. 

  232. 

  233.   return 1;
    234. 

  234. }
    235. 

  235. 

  236. void ec_GFp_simple_point_finish(EC_POINT *point) {
    237. 

  237.   BN_free(&point->X);
    238. 

  238.   BN_free(&point->Y);
    239. 

  239.   BN_free(&point->Z);
    240. 

  240. }
    241. 

  241. 

  242. void ec_GFp_simple_point_clear_finish(EC_POINT *point) {
    243. 

  243.   BN_clear_free(&point->X);
    244. 

  244.   BN_clear_free(&point->Y);
    245. 

  245.   BN_clear_free(&point->Z);
    246. 

  246.   point->Z_is_one = 0;
    247. 

  247. }
    248. 

  248. 

  249. int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) {
    250. 

  250.   if (!BN_copy(&dest->X, &src->X) ||
    251. 

  251.       !BN_copy(&dest->Y, &src->Y) ||
    252. 

  252.       !BN_copy(&dest->Z, &src->Z)) {
    253. 

  253.     return 0;
    254. 

  254.   }
    255. 

  255.   dest->Z_is_one = src->Z_is_one;
    256. 

  256. 

  257.   return 1;
    258. 

  258. }
    259. 

  259. 

  260. int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,
    261. 

  261.                                         EC_POINT *point) {
    262. 

  262.   point->Z_is_one = 0;
    263. 

  263.   BN_zero(&point->Z);
    264. 

  264.   return 1;
    265. 

  265. }
    266. 

  266. 

  267. int ec_GFp_simple_set_Jprojective_coordinates_GFp(
    268. 

  268.     const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, const BIGNUM *y,
    269. 

  269.     const BIGNUM *z, BN_CTX *ctx) {
    270. 

  270.   BN_CTX *new_ctx = NULL;
    271. 

  271.   int ret = 0;
    272. 

  272. 

  273.   if (ctx == NULL) {
    274. 

  274.     ctx = new_ctx = BN_CTX_new();
    275. 

  275.     if (ctx == NULL) {
    276. 

  276.       return 0;
    277. 

  277.     }
    278. 

  278.   }
    279. 

  279. 

  280.   if (x != NULL) {
    281. 

  281.     if (!BN_nnmod(&point->X, x, &group->field, ctx)) {
    282. 

  282.       goto err;
    283. 

  283.     }
    284. 

  284.     if (group->meth->field_encode &&
    285. 

  285.         !group->meth->field_encode(group, &point->X, &point->X, ctx)) {
    286. 

  286.       goto err;
    287. 

  287.     }
    288. 

  288.   }
    289. 

  289. 

  290.   if (y != NULL) {
    291. 

  291.     if (!BN_nnmod(&point->Y, y, &group->field, ctx)) {
    292. 

  292.       goto err;
    293. 

  293.     }
    294. 

  294.     if (group->meth->field_encode &&
    295. 

  295.         !group->meth->field_encode(group, &point->Y, &point->Y, ctx)) {
    296. 

  296.       goto err;
    297. 

  297.     }
    298. 

  298.   }
    299. 

  299. 

  300.   if (z != NULL) {
    301. 

  301.     int Z_is_one;
    302. 

  302. 

  303.     if (!BN_nnmod(&point->Z, z, &group->field, ctx)) {
    304. 

  304.       goto err;
    305. 

  305.     }
    306. 

  306.     Z_is_one = BN_is_one(&point->Z);
    307. 

  307.     if (group->meth->field_encode) {
    308. 

  308.       if (Z_is_one && (group->meth->field_set_to_one != 0)) {
    309. 

  309.         if (!group->meth->field_set_to_one(group, &point->Z, ctx)) {
    310. 

  310.           goto err;
    311. 

  311.         }
    312. 

  312.       } else if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) {
    313. 

  313.         goto err;
    314. 

  314.       }
    315. 

  315.     }
    316. 

  316.     point->Z_is_one = Z_is_one;
    317. 

  317.   }
    318. 

  318. 

  319.   ret = 1;
    320. 

  320. 

  321. err:
    322. 

  322.   BN_CTX_free(new_ctx);
    323. 

  323.   return ret;
    324. 

  324. }
    325. 

  325. 

  326. int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
    327. 

  327.                                                   const EC_POINT *point,
    328. 

  328.                                                   BIGNUM *x, BIGNUM *y,
    329. 

  329.                                                   BIGNUM *z, BN_CTX *ctx) {
    330. 

  330.   BN_CTX *new_ctx = NULL;
    331. 

  331.   int ret = 0;
    332. 

  332. 

  333.   if (group->meth->field_decode != 0) {
    334. 

  334.     if (ctx == NULL) {
    335. 

  335.       ctx = new_ctx = BN_CTX_new();
    336. 

  336.       if (ctx == NULL) {
    337. 

  337.         return 0;
    338. 

  338.       }
    339. 

  339.     }
    340. 

  340. 

  341.     if (x != NULL && !group->meth->field_decode(group, x, &point->X, ctx)) {
    342. 

  342.       goto err;
    343. 

  343.     }
    344. 

  344.     if (y != NULL && !group->meth->field_decode(group, y, &point->Y, ctx)) {
    345. 

  345.       goto err;
    346. 

  346.     }
    347. 

  347.     if (z != NULL && !group->meth->field_decode(group, z, &point->Z, ctx)) {
    348. 

  348.       goto err;
    349. 

  349.     }
    350. 

  350.   } else {
    351. 

  351.     if (x != NULL && !BN_copy(x, &point->X)) {
    352. 

  352.       goto err;
    353. 

  353.     }
    354. 

  354.     if (y != NULL && !BN_copy(y, &point->Y)) {
    355. 

  355.       goto err;
    356. 

  356.     }
    357. 

  357.     if (z != NULL && !BN_copy(z, &point->Z)) {
    358. 

  358.       goto err;
    359. 

  359.     }
    360. 

  360.   }
    361. 

  361. 

  362.   ret = 1;
    363. 

  363. 

  364. err:
    365. 

  365.   BN_CTX_free(new_ctx);
    366. 

  366.   return ret;
    367. 

  367. }
    368. 

  368. 

  369. int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group,
    370. 

  370.                                                EC_POINT *point, const BIGNUM *x,
    371. 

  371.                                                const BIGNUM *y, BN_CTX *ctx) {
    372. 

  372.   if (x == NULL || y == NULL) {
    373. 

  373.     /* unlike for projective coordinates, we do not tolerate this */
    374. 

  374.     OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
    375. 

  375.     return 0;
    376. 

  376.   }
    377. 

  377. 

  378.   return ec_point_set_Jprojective_coordinates_GFp(group, point, x, y,
    379. 

  379.                                                   BN_value_one(), ctx);
    380. 

  380. }
    381. 

  381. 

  382. int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
    383. 

  383.                                                const EC_POINT *point, BIGNUM *x,
    384. 

  384.                                                BIGNUM *y, BN_CTX *ctx) {
    385. 

  385.   BN_CTX *new_ctx = NULL;
    386. 

  386.   BIGNUM *Z, *Z_1, *Z_2, *Z_3;
    387. 

  387.   const BIGNUM *Z_;
    388. 

  388.   int ret = 0;
    389. 

  389. 

  390.   if (EC_POINT_is_at_infinity(group, point)) {
    391. 

  391.     OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
    392. 

  392.     return 0;
    393. 

  393.   }
    394. 

  394. 

  395.   if (ctx == NULL) {
    396. 

  396.     ctx = new_ctx = BN_CTX_new();
    397. 

  397.     if (ctx == NULL) {
    398. 

  398.       return 0;
    399. 

  399.     }
    400. 

  400.   }
    401. 

  401. 

  402.   BN_CTX_start(ctx);
    403. 

  403.   Z = BN_CTX_get(ctx);
    404. 

  404.   Z_1 = BN_CTX_get(ctx);
    405. 

  405.   Z_2 = BN_CTX_get(ctx);
    406. 

  406.   Z_3 = BN_CTX_get(ctx);
    407. 

  407.   if (Z == NULL || Z_1 == NULL || Z_2 == NULL || Z_3 == NULL) {
    408. 

  408.     goto err;
    409. 

  409.   }
    410. 

  410. 

  411.   /* transform  (X, Y, Z)  into  (x, y) := (X/Z^2, Y/Z^3) */
    412. 

  412. 

  413.   if (group->meth->field_decode) {
    414. 

  414.     if (!group->meth->field_decode(group, Z, &point->Z, ctx)) {
    415. 

  415.       goto err;
    416. 

  416.     }
    417. 

  417.     Z_ = Z;
    418. 

  418.   } else {
    419. 

  419.     Z_ = &point->Z;
    420. 

  420.   }
    421. 

  421. 

  422.   if (BN_is_one(Z_)) {
    423. 

  423.     if (group->meth->field_decode) {
    424. 

  424.       if (x != NULL && !group->meth->field_decode(group, x, &point->X, ctx)) {
    425. 

  425.         goto err;
    426. 

  426.       }
    427. 

  427.       if (y != NULL && !group->meth->field_decode(group, y, &point->Y, ctx)) {
    428. 

  428.         goto err;
    429. 

  429.       }
    430. 

  430.     } else {
    431. 

  431.       if (x != NULL && !BN_copy(x, &point->X)) {
    432. 

  432.         goto err;
    433. 

  433.       }
    434. 

  434.       if (y != NULL && !BN_copy(y, &point->Y)) {
    435. 

  435.         goto err;
    436. 

  436.       }
    437. 

  437.     }
    438. 

  438.   } else {
    439. 

  439.     if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx)) {
    440. 

  440.       OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
    441. 

  441.       goto err;
    442. 

  442.     }
    443. 

  443. 

  444.     if (group->meth->field_encode == 0) {
    445. 

  445.       /* field_sqr works on standard representation */
    446. 

  446.       if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) {
    447. 

  447.         goto err;
    448. 

  448.       }
    449. 

  449.     } else if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) {
    450. 

  450.       goto err;
    451. 

  451.     }
    452. 

  452. 

  453.     /* in the Montgomery case, field_mul will cancel out Montgomery factor in
    454. 

  454.      * X: */
    455. 

  455.     if (x != NULL && !group->meth->field_mul(group, x, &point->X, Z_2, ctx)) {
    456. 

  456.       goto err;
    457. 

  457.     }
    458. 

  458. 

  459.     if (y != NULL) {
    460. 

  460.       if (group->meth->field_encode == 0) {
    461. 

  461.         /* field_mul works on standard representation */
    462. 

  462.         if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) {
    463. 

  463.           goto err;
    464. 

  464.         }
    465. 

  465.       } else if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) {
    466. 

  466.         goto err;
    467. 

  467.       }
    468. 

  468. 

  469.       /* in the Montgomery case, field_mul will cancel out Montgomery factor in
    470. 

  470.        * Y: */
    471. 

  471.       if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx)) {
    472. 

  472.         goto err;
    473. 

  473.       }
    474. 

  474.     }
    475. 

  475.   }
    476. 

  476. 

  477.   ret = 1;
    478. 

  478. 

  479. err:
    480. 

  480.   BN_CTX_end(ctx);
    481. 

  481.   BN_CTX_free(new_ctx);
    482. 

  482.   return ret;
    483. 

  483. }
    484. 

  484. 

  485. int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
    486. 

  486.                       const EC_POINT *b, BN_CTX *ctx) {
    487. 

  487.   int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
    488. 

  488.                    BN_CTX *);
    489. 

  489.   int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
    490. 

  490.   const BIGNUM *p;
    491. 

  491.   BN_CTX *new_ctx = NULL;
    492. 

  492.   BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
    493. 

  493.   int ret = 0;
    494. 

  494. 

  495.   if (a == b) {
    496. 

  496.     return EC_POINT_dbl(group, r, a, ctx);
    497. 

  497.   }
    498. 

  498.   if (EC_POINT_is_at_infinity(group, a)) {
    499. 

  499.     return EC_POINT_copy(r, b);
    500. 

  500.   }
    501. 

  501.   if (EC_POINT_is_at_infinity(group, b)) {
    502. 

  502.     return EC_POINT_copy(r, a);
    503. 

  503.   }
    504. 

  504. 

  505.   field_mul = group->meth->field_mul;
    506. 

  506.   field_sqr = group->meth->field_sqr;
    507. 

  507.   p = &group->field;
    508. 

  508. 

  509.   if (ctx == NULL) {
    510. 

  510.     ctx = new_ctx = BN_CTX_new();
    511. 

  511.     if (ctx == NULL) {
    512. 

  512.       return 0;
    513. 

  513.     }
    514. 

  514.   }
    515. 

  515. 

  516.   BN_CTX_start(ctx);
    517. 

  517.   n0 = BN_CTX_get(ctx);
    518. 

  518.   n1 = BN_CTX_get(ctx);
    519. 

  519.   n2 = BN_CTX_get(ctx);
    520. 

  520.   n3 = BN_CTX_get(ctx);
    521. 

  521.   n4 = BN_CTX_get(ctx);
    522. 

  522.   n5 = BN_CTX_get(ctx);
    523. 

  523.   n6 = BN_CTX_get(ctx);
    524. 

  524.   if (n6 == NULL) {
    525. 

  525.     goto end;
    526. 

  526.   }
    527. 

  527. 

  528.   /* Note that in this function we must not read components of 'a' or 'b'
    529. 

  529.    * once we have written the corresponding components of 'r'.
    530. 

  530.    * ('r' might be one of 'a' or 'b'.)
    531. 

  531.    */
    532. 

  532. 

  533.   /* n1, n2 */
    534. 

  534.   if (b->Z_is_one) {
    535. 

  535.     if (!BN_copy(n1, &a->X) || !BN_copy(n2, &a->Y)) {
    536. 

  536.       goto end;
    537. 

  537.     }
    538. 

  538.     /* n1 = X_a */
    539. 

  539.     /* n2 = Y_a */
    540. 

  540.   } else {
    541. 

  541.     if (!field_sqr(group, n0, &b->Z, ctx) ||
    542. 

  542.         !field_mul(group, n1, &a->X, n0, ctx)) {
    543. 

  543.       goto end;
    544. 

  544.     }
    545. 

  545.     /* n1 = X_a * Z_b^2 */
    546. 

  546. 

  547.     if (!field_mul(group, n0, n0, &b->Z, ctx) ||
    548. 

  548.         !field_mul(group, n2, &a->Y, n0, ctx)) {
    549. 

  549.       goto end;
    550. 

  550.     }
    551. 

  551.     /* n2 = Y_a * Z_b^3 */
    552. 

  552.   }
    553. 

  553. 

  554.   /* n3, n4 */
    555. 

  555.   if (a->Z_is_one) {
    556. 

  556.     if (!BN_copy(n3, &b->X) || !BN_copy(n4, &b->Y)) {
    557. 

  557.       goto end;
    558. 

  558.     }
    559. 

  559.     /* n3 = X_b */
    560. 

  560.     /* n4 = Y_b */
    561. 

  561.   } else {
    562. 

  562.     if (!field_sqr(group, n0, &a->Z, ctx) ||
    563. 

  563.         !field_mul(group, n3, &b->X, n0, ctx)) {
    564. 

  564.       goto end;
    565. 

  565.     }
    566. 

  566.     /* n3 = X_b * Z_a^2 */
    567. 

  567. 

  568.     if (!field_mul(group, n0, n0, &a->Z, ctx) ||
    569. 

  569.         !field_mul(group, n4, &b->Y, n0, ctx)) {
    570. 

  570.       goto end;
    571. 

  571.     }
    572. 

  572.     /* n4 = Y_b * Z_a^3 */
    573. 

  573.   }
    574. 

  574. 

  575.   /* n5, n6 */
    576. 

  576.   if (!BN_mod_sub_quick(n5, n1, n3, p) ||
    577. 

  577.       !BN_mod_sub_quick(n6, n2, n4, p)) {
    578. 

  578.     goto end;
    579. 

  579.   }
    580. 

  580.   /* n5 = n1 - n3 */
    581. 

  581.   /* n6 = n2 - n4 */
    582. 

  582. 

  583.   if (BN_is_zero(n5)) {
    584. 

  584.     if (BN_is_zero(n6)) {
    585. 

  585.       /* a is the same point as b */
    586. 

  586.       BN_CTX_end(ctx);
    587. 

  587.       ret = EC_POINT_dbl(group, r, a, ctx);
    588. 

  588.       ctx = NULL;
    589. 

  589.       goto end;
    590. 

  590.     } else {
    591. 

  591.       /* a is the inverse of b */
    592. 

  592.       BN_zero(&r->Z);
    593. 

  593.       r->Z_is_one = 0;
    594. 

  594.       ret = 1;
    595. 

  595.       goto end;
    596. 

  596.     }
    597. 

  597.   }
    598. 

  598. 

  599.   /* 'n7', 'n8' */
    600. 

  600.   if (!BN_mod_add_quick(n1, n1, n3, p) ||
    601. 

  601.       !BN_mod_add_quick(n2, n2, n4, p)) {
    602. 

  602.     goto end;
    603. 

  603.   }
    604. 

  604.   /* 'n7' = n1 + n3 */
    605. 

  605.   /* 'n8' = n2 + n4 */
    606. 

  606. 

  607.   /* Z_r */
    608. 

  608.   if (a->Z_is_one && b->Z_is_one) {
    609. 

  609.     if (!BN_copy(&r->Z, n5)) {
    610. 

  610.       goto end;
    611. 

  611.     }
    612. 

  612.   } else {
    613. 

  613.     if (a->Z_is_one) {
    614. 

  614.       if (!BN_copy(n0, &b->Z)) {
    615. 

  615.         goto end;
    616. 

  616.       }
    617. 

  617.     } else if (b->Z_is_one) {
    618. 

  618.       if (!BN_copy(n0, &a->Z)) {
    619. 

  619.         goto end;
    620. 

  620.       }
    621. 

  621.     } else if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) {
    622. 

  622.       goto end;
    623. 

  623.     }
    624. 

  624.     if (!field_mul(group, &r->Z, n0, n5, ctx)) {
    625. 

  625.       goto end;
    626. 

  626.     }
    627. 

  627.   }
    628. 

  628.   r->Z_is_one = 0;
    629. 

  629.   /* Z_r = Z_a * Z_b * n5 */
    630. 

  630. 

  631.   /* X_r */
    632. 

  632.   if (!field_sqr(group, n0, n6, ctx) ||
    633. 

  633.       !field_sqr(group, n4, n5, ctx) ||
    634. 

  634.       !field_mul(group, n3, n1, n4, ctx) ||
    635. 

  635.       !BN_mod_sub_quick(&r->X, n0, n3, p)) {
    636. 

  636.     goto end;
    637. 

  637.   }
    638. 

  638.   /* X_r = n6^2 - n5^2 * 'n7' */
    639. 

  639. 

  640.   /* 'n9' */
    641. 

  641.   if (!BN_mod_lshift1_quick(n0, &r->X, p) ||
    642. 

  642.       !BN_mod_sub_quick(n0, n3, n0, p)) {
    643. 

  643.     goto end;
    644. 

  644.   }
    645. 

  645.   /* n9 = n5^2 * 'n7' - 2 * X_r */
    646. 

  646. 

  647.   /* Y_r */
    648. 

  648.   if (!field_mul(group, n0, n0, n6, ctx) ||
    649. 

  649.       !field_mul(group, n5, n4, n5, ctx)) {
    650. 

  650.     goto end; /* now n5 is n5^3 */
    651. 

  651.   }
    652. 

  652.   if (!field_mul(group, n1, n2, n5, ctx) ||
    653. 

  653.       !BN_mod_sub_quick(n0, n0, n1, p)) {
    654. 

  654.     goto end;
    655. 

  655.   }
    656. 

  656.   if (BN_is_odd(n0) && !BN_add(n0, n0, p)) {
    657. 

  657.     goto end;
    658. 

  658.   }
    659. 

  659.   /* now  0 <= n0 < 2*p,  and n0 is even */
    660. 

  660.   if (!BN_rshift1(&r->Y, n0)) {
    661. 

  661.     goto end;
    662. 

  662.   }
    663. 

  663.   /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
    664. 

  664. 

  665.   ret = 1;
    666. 

  666. 

  667. end:
    668. 

  668.   if (ctx) {
    669. 

  669.     /* otherwise we already called BN_CTX_end */
    670. 

  670.     BN_CTX_end(ctx);
    671. 

  671.   }
    672. 

  672.   BN_CTX_free(new_ctx);
    673. 

  673.   return ret;
    674. 

  674. }
    675. 

  675. 

  676. int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
    677. 

  677.                       BN_CTX *ctx) {
    678. 

  678.   int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
    679. 

  679.                    BN_CTX *);
    680. 

  680.   int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
    681. 

  681.   const BIGNUM *p;
    682. 

  682.   BN_CTX *new_ctx = NULL;
    683. 

  683.   BIGNUM *n0, *n1, *n2, *n3;
    684. 

  684.   int ret = 0;
    685. 

  685. 

  686.   if (EC_POINT_is_at_infinity(group, a)) {
    687. 

  687.     BN_zero(&r->Z);
    688. 

  688.     r->Z_is_one = 0;
    689. 

  689.     return 1;
    690. 

  690.   }
    691. 

  691. 

  692.   field_mul = group->meth->field_mul;
    693. 

  693.   field_sqr = group->meth->field_sqr;
    694. 

  694.   p = &group->field;
    695. 

  695. 

  696.   if (ctx == NULL) {
    697. 

  697.     ctx = new_ctx = BN_CTX_new();
    698. 

  698.     if (ctx == NULL) {
    699. 

  699.       return 0;
    700. 

  700.     }
    701. 

  701.   }
    702. 

  702. 

  703.   BN_CTX_start(ctx);
    704. 

  704.   n0 = BN_CTX_get(ctx);
    705. 

  705.   n1 = BN_CTX_get(ctx);
    706. 

  706.   n2 = BN_CTX_get(ctx);
    707. 

  707.   n3 = BN_CTX_get(ctx);
    708. 

  708.   if (n3 == NULL) {
    709. 

  709.     goto err;
    710. 

  710.   }
    711. 

  711. 

  712.   /* Note that in this function we must not read components of 'a'
    713. 

  713.    * once we have written the corresponding components of 'r'.
    714. 

  714.    * ('r' might the same as 'a'.)
    715. 

  715.    */
    716. 

  716. 

  717.   /* n1 */
    718. 

  718.   if (a->Z_is_one) {
    719. 

  719.     if (!field_sqr(group, n0, &a->X, ctx) ||
    720. 

  720.         !BN_mod_lshift1_quick(n1, n0, p) ||
    721. 

  721.         !BN_mod_add_quick(n0, n0, n1, p) ||
    722. 

  722.         !BN_mod_add_quick(n1, n0, &group->a, p)) {
    723. 

  723.       goto err;
    724. 

  724.     }
    725. 

  725.     /* n1 = 3 * X_a^2 + a_curve */
    726. 

  726.   } else if (group->a_is_minus3) {
    727. 

  727.     if (!field_sqr(group, n1, &a->Z, ctx) ||
    728. 

  728.         !BN_mod_add_quick(n0, &a->X, n1, p) ||
    729. 

  729.         !BN_mod_sub_quick(n2, &a->X, n1, p) ||
    730. 

  730.         !field_mul(group, n1, n0, n2, ctx) ||
    731. 

  731.         !BN_mod_lshift1_quick(n0, n1, p) ||
    732. 

  732.         !BN_mod_add_quick(n1, n0, n1, p)) {
    733. 

  733.       goto err;
    734. 

  734.     }
    735. 

  735.     /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
    736. 

  736.      *    = 3 * X_a^2 - 3 * Z_a^4 */
    737. 

  737.   } else {
    738. 

  738.     if (!field_sqr(group, n0, &a->X, ctx) ||
    739. 

  739.         !BN_mod_lshift1_quick(n1, n0, p) ||
    740. 

  740.         !BN_mod_add_quick(n0, n0, n1, p) ||
    741. 

  741.         !field_sqr(group, n1, &a->Z, ctx) ||
    742. 

  742.         !field_sqr(group, n1, n1, ctx) ||
    743. 

  743.         !field_mul(group, n1, n1, &group->a, ctx) ||
    744. 

  744.         !BN_mod_add_quick(n1, n1, n0, p)) {
    745. 

  745.       goto err;
    746. 

  746.     }
    747. 

  747.     /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
    748. 

  748.   }
    749. 

  749. 

  750.   /* Z_r */
    751. 

  751.   if (a->Z_is_one) {
    752. 

  752.     if (!BN_copy(n0, &a->Y)) {
    753. 

  753.       goto err;
    754. 

  754.     }
    755. 

  755.   } else if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) {
    756. 

  756.     goto err;
    757. 

  757.   }
    758. 

  758.   if (!BN_mod_lshift1_quick(&r->Z, n0, p)) {
    759. 

  759.     goto err;
    760. 

  760.   }
    761. 

  761.   r->Z_is_one = 0;
    762. 

  762.   /* Z_r = 2 * Y_a * Z_a */
    763. 

  763. 

  764.   /* n2 */
    765. 

  765.   if (!field_sqr(group, n3, &a->Y, ctx) ||
    766. 

  766.       !field_mul(group, n2, &a->X, n3, ctx) ||
    767. 

  767.       !BN_mod_lshift_quick(n2, n2, 2, p)) {
    768. 

  768.     goto err;
    769. 

  769.   }
    770. 

  770.   /* n2 = 4 * X_a * Y_a^2 */
    771. 

  771. 

  772.   /* X_r */
    773. 

  773.   if (!BN_mod_lshift1_quick(n0, n2, p) ||
    774. 

  774.       !field_sqr(group, &r->X, n1, ctx) ||
    775. 

  775.       !BN_mod_sub_quick(&r->X, &r->X, n0, p)) {
    776. 

  776.     goto err;
    777. 

  777.   }
    778. 

  778.   /* X_r = n1^2 - 2 * n2 */
    779. 

  779. 

  780.   /* n3 */
    781. 

  781.   if (!field_sqr(group, n0, n3, ctx) ||
    782. 

  782.       !BN_mod_lshift_quick(n3, n0, 3, p)) {
    783. 

  783.     goto err;
    784. 

  784.   }
    785. 

  785.   /* n3 = 8 * Y_a^4 */
    786. 

  786. 

  787.   /* Y_r */
    788. 

  788.   if (!BN_mod_sub_quick(n0, n2, &r->X, p) ||
    789. 

  789.       !field_mul(group, n0, n1, n0, ctx) ||
    790. 

  790.       !BN_mod_sub_quick(&r->Y, n0, n3, p)) {
    791. 

  791.     goto err;
    792. 

  792.   }
    793. 

  793.   /* Y_r = n1 * (n2 - X_r) - n3 */
    794. 

  794. 

  795.   ret = 1;
    796. 

  796. 

  797. err:
    798. 

  798.   BN_CTX_end(ctx);
    799. 

  799.   BN_CTX_free(new_ctx);
    800. 

  800.   return ret;
    801. 

  801. }
    802. 

  802. 

  803. int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) {
    804. 

  804.   if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y)) {
    805. 

  805.     /* point is its own inverse */
    806. 

  806.     return 1;
    807. 

  807.   }
    808. 

  808. 

  809.   return BN_usub(&point->Y, &group->field, &point->Y);
    810. 

  810. }
    811. 

  811. 

  812. int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) {
    813. 

  813.   return !point->Z_is_one && BN_is_zero(&point->Z);
    814. 

  814. }
    815. 

  815. 

  816. int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
    817. 

  817.                               BN_CTX *ctx) {
    818. 

  818.   int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
    819. 

  819.                    BN_CTX *);
    820. 

  820.   int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
    821. 

  821.   const BIGNUM *p;
    822. 

  822.   BN_CTX *new_ctx = NULL;
    823. 

  823.   BIGNUM *rh, *tmp, *Z4, *Z6;
    824. 

  824.   int ret = -1;
    825. 

  825. 

  826.   if (EC_POINT_is_at_infinity(group, point)) {
    827. 

  827.     return 1;
    828. 

  828.   }
    829. 

  829. 

  830.   field_mul = group->meth->field_mul;
    831. 

  831.   field_sqr = group->meth->field_sqr;
    832. 

  832.   p = &group->field;
    833. 

  833. 

  834.   if (ctx == NULL) {
    835. 

  835.     ctx = new_ctx = BN_CTX_new();
    836. 

  836.     if (ctx == NULL) {
    837. 

  837.       return -1;
    838. 

  838.     }
    839. 

  839.   }
    840. 

  840. 

  841.   BN_CTX_start(ctx);
    842. 

  842.   rh = BN_CTX_get(ctx);
    843. 

  843.   tmp = BN_CTX_get(ctx);
    844. 

  844.   Z4 = BN_CTX_get(ctx);
    845. 

  845.   Z6 = BN_CTX_get(ctx);
    846. 

  846.   if (Z6 == NULL) {
    847. 

  847.     goto err;
    848. 

  848.   }
    849. 

  849. 

  850.   /* We have a curve defined by a Weierstrass equation
    851. 

  851.    *      y^2 = x^3 + a*x + b.
    852. 

  852.    * The point to consider is given in Jacobian projective coordinates
    853. 

  853.    * where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3).
    854. 

  854.    * Substituting this and multiplying by  Z^6  transforms the above equation
    855. 

  855.    * into
    856. 

  856.    *      Y^2 = X^3 + a*X*Z^4 + b*Z^6.
    857. 

  857.    * To test this, we add up the right-hand side in 'rh'.
    858. 

  858.    */
    859. 

  859. 

  860.   /* rh := X^2 */
    861. 

  861.   if (!field_sqr(group, rh, &point->X, ctx)) {
    862. 

  862.     goto err;
    863. 

  863.   }
    864. 

  864. 

  865.   if (!point->Z_is_one) {
    866. 

  866.     if (!field_sqr(group, tmp, &point->Z, ctx) ||
    867. 

  867.         !field_sqr(group, Z4, tmp, ctx) ||
    868. 

  868.         !field_mul(group, Z6, Z4, tmp, ctx)) {
    869. 

  869.       goto err;
    870. 

  870.     }
    871. 

  871. 

  872.     /* rh := (rh + a*Z^4)*X */
    873. 

  873.     if (group->a_is_minus3) {
    874. 

  874.       if (!BN_mod_lshift1_quick(tmp, Z4, p) ||
    875. 

  875.           !BN_mod_add_quick(tmp, tmp, Z4, p) ||
    876. 

  876.           !BN_mod_sub_quick(rh, rh, tmp, p) ||
    877. 

  877.           !field_mul(group, rh, rh, &point->X, ctx)) {
    878. 

  878.         goto err;
    879. 

  879.       }
    880. 

  880.     } else {
    881. 

  881.       if (!field_mul(group, tmp, Z4, &group->a, ctx) ||
    882. 

  882.           !BN_mod_add_quick(rh, rh, tmp, p) ||
    883. 

  883.           !field_mul(group, rh, rh, &point->X, ctx)) {
    884. 

  884.         goto err;
    885. 

  885.       }
    886. 

  886.     }
    887. 

  887. 

  888.     /* rh := rh + b*Z^6 */
    889. 

  889.     if (!field_mul(group, tmp, &group->b, Z6, ctx) ||
    890. 

  890.         !BN_mod_add_quick(rh, rh, tmp, p)) {
    891. 

  891.       goto err;
    892. 

  892.     }
    893. 

  893.   } else {
    894. 

  894.     /* point->Z_is_one */
    895. 

  895. 

  896.     /* rh := (rh + a)*X */
    897. 

  897.     if (!BN_mod_add_quick(rh, rh, &group->a, p) ||
    898. 

  898.         !field_mul(group, rh, rh, &point->X, ctx)) {
    899. 

  899.       goto err;
    900. 

  900.     }
    901. 

  901.     /* rh := rh + b */
    902. 

  902.     if (!BN_mod_add_quick(rh, rh, &group->b, p)) {
    903. 

  903.       goto err;
    904. 

  904.     }
    905. 

  905.   }
    906. 

  906. 

  907.   /* 'lh' := Y^2 */
    908. 

  908.   if (!field_sqr(group, tmp, &point->Y, ctx)) {
    909. 

  909.     goto err;
    910. 

  910.   }
    911. 

  911. 

  912.   ret = (0 == BN_ucmp(tmp, rh));
    913. 

  913. 

  914. err:
    915. 

  915.   BN_CTX_end(ctx);
    916. 

  916.   BN_CTX_free(new_ctx);
    917. 

  917.   return ret;
    918. 

  918. }
    919. 

  919. 

  920. int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
    921. 

  921.                       const EC_POINT *b, BN_CTX *ctx) {
    922. 

  922.   /* return values:
    923. 

  923.    *  -1   error
    924. 

  924.    *   0   equal (in affine coordinates)
    925. 

  925.    *   1   not equal
    926. 

  926.    */
    927. 

  927. 

  928.   int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
    929. 

  929.                    BN_CTX *);
    930. 

  930.   int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
    931. 

  931.   BN_CTX *new_ctx = NULL;
    932. 

  932.   BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
    933. 

  933.   const BIGNUM *tmp1_, *tmp2_;
    934. 

  934.   int ret = -1;
    935. 

  935. 

  936.   if (EC_POINT_is_at_infinity(group, a)) {
    937. 

  937.     return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
    938. 

  938.   }
    939. 

  939. 

  940.   if (EC_POINT_is_at_infinity(group, b)) {
    941. 

  941.     return 1;
    942. 

  942.   }
    943. 

  943. 

  944.   if (a->Z_is_one && b->Z_is_one) {
    945. 

  945.     return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
    946. 

  946.   }
    947. 

  947. 

  948.   field_mul = group->meth->field_mul;
    949. 

  949.   field_sqr = group->meth->field_sqr;
    950. 

  950. 

  951.   if (ctx == NULL) {
    952. 

  952.     ctx = new_ctx = BN_CTX_new();
    953. 

  953.     if (ctx == NULL) {
    954. 

  954.       return -1;
    955. 

  955.     }
    956. 

  956.   }
    957. 

  957. 

  958.   BN_CTX_start(ctx);
    959. 

  959.   tmp1 = BN_CTX_get(ctx);
    960. 

  960.   tmp2 = BN_CTX_get(ctx);
    961. 

  961.   Za23 = BN_CTX_get(ctx);
    962. 

  962.   Zb23 = BN_CTX_get(ctx);
    963. 

  963.   if (Zb23 == NULL) {
    964. 

  964.     goto end;
    965. 

  965.   }
    966. 

  966. 

  967.   /* We have to decide whether
    968. 

  968.    *     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
    969. 

  969.    * or equivalently, whether
    970. 

  970.    *     (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
    971. 

  971.    */
    972. 

  972. 

  973.   if (!b->Z_is_one) {
    974. 

  974.     if (!field_sqr(group, Zb23, &b->Z, ctx) ||
    975. 

  975.         !field_mul(group, tmp1, &a->X, Zb23, ctx)) {
    976. 

  976.       goto end;
    977. 

  977.     }
    978. 

  978.     tmp1_ = tmp1;
    979. 

  979.   } else {
    980. 

  980.     tmp1_ = &a->X;
    981. 

  981.   }
    982. 

  982.   if (!a->Z_is_one) {
    983. 

  983.     if (!field_sqr(group, Za23, &a->Z, ctx) ||
    984. 

  984.         !field_mul(group, tmp2, &b->X, Za23, ctx)) {
    985. 

  985.       goto end;
    986. 

  986.     }
    987. 

  987.     tmp2_ = tmp2;
    988. 

  988.   } else {
    989. 

  989.     tmp2_ = &b->X;
    990. 

  990.   }
    991. 

  991. 

  992.   /* compare  X_a*Z_b^2  with  X_b*Z_a^2 */
    993. 

  993.   if (BN_cmp(tmp1_, tmp2_) != 0) {
    994. 

  994.     ret = 1; /* points differ */
    995. 

  995.     goto end;
    996. 

  996.   }
    997. 

  997. 

  998. 

  999.   if (!b->Z_is_one) {
    1000. 

  1000.     if (!field_mul(group, Zb23, Zb23, &b->Z, ctx) ||
    1001. 

  1001.         !field_mul(group, tmp1, &a->Y, Zb23, ctx)) {
    1002. 

  1002.       goto end;
    1003. 

  1003.     }
    1004. 

  1004.     /* tmp1_ = tmp1 */
    1005. 

  1005.   } else {
    1006. 

  1006.     tmp1_ = &a->Y;
    1007. 

  1007.   }
    1008. 

  1008.   if (!a->Z_is_one) {
    1009. 

  1009.     if (!field_mul(group, Za23, Za23, &a->Z, ctx) ||
    1010. 

  1010.         !field_mul(group, tmp2, &b->Y, Za23, ctx)) {
    1011. 

  1011.       goto end;
    1012. 

  1012.     }
    1013. 

  1013.     /* tmp2_ = tmp2 */
    1014. 

  1014.   } else {
    1015. 

  1015.     tmp2_ = &b->Y;
    1016. 

  1016.   }
    1017. 

  1017. 

  1018.   /* compare  Y_a*Z_b^3  with  Y_b*Z_a^3 */
    1019. 

  1019.   if (BN_cmp(tmp1_, tmp2_) != 0) {
    1020. 

  1020.     ret = 1; /* points differ */
    1021. 

  1021.     goto end;
    1022. 

  1022.   }
    1023. 

  1023. 

  1024.   /* points are equal */
    1025. 

  1025.   ret = 0;
    1026. 

  1026. 

  1027. end:
    1028. 

  1028.   BN_CTX_end(ctx);
    1029. 

  1029.   BN_CTX_free(new_ctx);
    1030. 

  1030.   return ret;
    1031. 

  1031. }
    1032. 

  1032. 

  1033. int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
    1034. 

  1034.                               BN_CTX *ctx) {
    1035. 

  1035.   BN_CTX *new_ctx = NULL;
    1036. 

  1036.   BIGNUM *x, *y;
    1037. 

  1037.   int ret = 0;
    1038. 

  1038. 

  1039.   if (point->Z_is_one || EC_POINT_is_at_infinity(group, point)) {
    1040. 

  1040.     return 1;
    1041. 

  1041.   }
    1042. 

  1042. 

  1043.   if (ctx == NULL) {
    1044. 

  1044.     ctx = new_ctx = BN_CTX_new();
    1045. 

  1045.     if (ctx == NULL) {
    1046. 

  1046.       return 0;
    1047. 

  1047.     }
    1048. 

  1048.   }
    1049. 

  1049. 

  1050.   BN_CTX_start(ctx);
    1051. 

  1051.   x = BN_CTX_get(ctx);
    1052. 

  1052.   y = BN_CTX_get(ctx);
    1053. 

  1053.   if (y == NULL) {
    1054. 

  1054.     goto err;
    1055. 

  1055.   }
    1056. 

  1056. 

  1057.   if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx) ||
    1058. 

  1058.       !EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
    1059. 

  1059.     goto err;
    1060. 

  1060.   }
    1061. 

  1061.   if (!point->Z_is_one) {
    1062. 

  1062.     OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
    1063. 

  1063.     goto err;
    1064. 

  1064.   }
    1065. 

  1065. 

  1066.   ret = 1;
    1067. 

  1067. 

  1068. err:
    1069. 

  1069.   BN_CTX_end(ctx);
    1070. 

  1070.   BN_CTX_free(new_ctx);
    1071. 

  1071.   return ret;
    1072. 

  1072. }
    1073. 

  1073. 

  1074. int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
    1075. 

  1075.                                      EC_POINT *points[], BN_CTX *ctx) {
    1076. 

  1076.   BN_CTX *new_ctx = NULL;
    1077. 

  1077.   BIGNUM *tmp, *tmp_Z;
    1078. 

  1078.   BIGNUM **prod_Z = NULL;
    1079. 

  1079.   size_t i;
    1080. 

  1080.   int ret = 0;
    1081. 

  1081. 

  1082.   if (num == 0) {
    1083. 

  1083.     return 1;
    1084. 

  1084.   }
    1085. 

  1085. 

  1086.   if (ctx == NULL) {
    1087. 

  1087.     ctx = new_ctx = BN_CTX_new();
    1088. 

  1088.     if (ctx == NULL) {
    1089. 

  1089.       return 0;
    1090. 

  1090.     }
    1091. 

  1091.   }
    1092. 

  1092. 

  1093.   BN_CTX_start(ctx);
    1094. 

  1094.   tmp = BN_CTX_get(ctx);
    1095. 

  1095.   tmp_Z = BN_CTX_get(ctx);
    1096. 

  1096.   if (tmp == NULL || tmp_Z == NULL) {
    1097. 

  1097.     goto err;
    1098. 

  1098.   }
    1099. 

  1099. 

  1100.   prod_Z = OPENSSL_malloc(num * sizeof(prod_Z[0]));
    1101. 

  1101.   if (prod_Z == NULL) {
    1102. 

  1102.     goto err;
    1103. 

  1103.   }
    1104. 

  1104.   memset(prod_Z, 0, num * sizeof(prod_Z[0]));
    1105. 

  1105.   for (i = 0; i < num; i++) {
    1106. 

  1106.     prod_Z[i] = BN_new();
    1107. 

  1107.     if (prod_Z[i] == NULL) {
    1108. 

  1108.       goto err;
    1109. 

  1109.     }
    1110. 

  1110.   }
    1111. 

  1111. 

  1112.   /* Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
    1113. 

  1113.    * skipping any zero-valued inputs (pretend that they're 1). */
    1114. 

  1114. 

  1115.   if (!BN_is_zero(&points[0]->Z)) {
    1116. 

  1116.     if (!BN_copy(prod_Z[0], &points[0]->Z)) {
    1117. 

  1117.       goto err;
    1118. 

  1118.     }
    1119. 

  1119.   } else {
    1120. 

  1120.     if (group->meth->field_set_to_one != 0) {
    1121. 

  1121.       if (!group->meth->field_set_to_one(group, prod_Z[0], ctx)) {
    1122. 

  1122.         goto err;
    1123. 

  1123.       }
    1124. 

  1124.     } else {
    1125. 

  1125.       if (!BN_one(prod_Z[0])) {
    1126. 

  1126.         goto err;
    1127. 

  1127.       }
    1128. 

  1128.     }
    1129. 

  1129.   }
    1130. 

  1130. 

  1131.   for (i = 1; i < num; i++) {
    1132. 

  1132.     if (!BN_is_zero(&points[i]->Z)) {
    1133. 

  1133.       if (!group->meth->field_mul(group, prod_Z[i], prod_Z[i - 1],
    1134. 

  1134.                                   &points[i]->Z, ctx)) {
    1135. 

  1135.         goto err;
    1136. 

  1136.       }
    1137. 

  1137.     } else {
    1138. 

  1138.       if (!BN_copy(prod_Z[i], prod_Z[i - 1])) {
    1139. 

  1139.         goto err;
    1140. 

  1140.       }
    1141. 

  1141.     }
    1142. 

  1142.   }
    1143. 

  1143. 

  1144.   /* Now use a single explicit inversion to replace every
    1145. 

  1145.    * non-zero points[i]->Z by its inverse. */
    1146. 

  1146. 

  1147.   if (!BN_mod_inverse(tmp, prod_Z[num - 1], &group->field, ctx)) {
    1148. 

  1148.     OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
    1149. 

  1149.     goto err;
    1150. 

  1150.   }
    1151. 

  1151. 

  1152.   if (group->meth->field_encode != NULL) {
    1153. 

  1153.     /* In the Montgomery case, we just turned R*H (representing H)
    1154. 

  1154.      * into 1/(R*H), but we need R*(1/H) (representing 1/H);
    1155. 

  1155.      * i.e. we need to multiply by the Montgomery factor twice. */
    1156. 

  1156.     if (!group->meth->field_encode(group, tmp, tmp, ctx) ||
    1157. 

  1157.         !group->meth->field_encode(group, tmp, tmp, ctx)) {
    1158. 

  1158.       goto err;
    1159. 

  1159.     }
    1160. 

  1160.   }
    1161. 

  1161. 

  1162.   for (i = num - 1; i > 0; --i) {
    1163. 

  1163.     /* Loop invariant: tmp is the product of the inverses of
    1164. 

  1164.      * points[0]->Z .. points[i]->Z (zero-valued inputs skipped). */
    1165. 

  1165.     if (BN_is_zero(&points[i]->Z)) {
    1166. 

  1166.       continue;
    1167. 

  1167.     }
    1168. 

  1168. 

  1169.     /* Set tmp_Z to the inverse of points[i]->Z (as product
    1170. 

  1170.      * of Z inverses 0 .. i, Z values 0 .. i - 1). */
    1171. 

  1171.     if (!group->meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx) ||
    1172. 

  1172.         /* Update tmp to satisfy the loop invariant for i - 1. */
    1173. 

  1173.         !group->meth->field_mul(group, tmp, tmp, &points[i]->Z, ctx) ||
    1174. 

  1174.         /* Replace points[i]->Z by its inverse. */
    1175. 

  1175.         !BN_copy(&points[i]->Z, tmp_Z)) {
    1176. 

  1176.       goto err;
    1177. 

  1177.     }
    1178. 

  1178.   }
    1179. 

  1179. 

  1180.   /* Replace points[0]->Z by its inverse. */
    1181. 

  1181.   if (!BN_is_zero(&points[0]->Z) && !BN_copy(&points[0]->Z, tmp)) {
    1182. 

  1182.     goto err;
    1183. 

  1183.   }
    1184. 

  1184. 

  1185.   /* Finally, fix up the X and Y coordinates for all points. */
    1186. 

  1186.   for (i = 0; i < num; i++) {
    1187. 

  1187.     EC_POINT *p = points[i];
    1188. 

  1188. 

  1189.     if (!BN_is_zero(&p->Z)) {
    1190. 

  1190.       /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1). */
    1191. 

  1191.       if (!group->meth->field_sqr(group, tmp, &p->Z, ctx) ||
    1192. 

  1192.           !group->meth->field_mul(group, &p->X, &p->X, tmp, ctx) ||
    1193. 

  1193.           !group->meth->field_mul(group, tmp, tmp, &p->Z, ctx) ||
    1194. 

  1194.           !group->meth->field_mul(group, &p->Y, &p->Y, tmp, ctx)) {
    1195. 

  1195.         goto err;
    1196. 

  1196.       }
    1197. 

  1197. 

  1198.       if (group->meth->field_set_to_one != NULL) {
    1199. 

  1199.         if (!group->meth->field_set_to_one(group, &p->Z, ctx)) {
    1200. 

  1200.           goto err;
    1201. 

  1201.         }
    1202. 

  1202.       } else {
    1203. 

  1203.         if (!BN_one(&p->Z)) {
    1204. 

  1204.           goto err;
    1205. 

  1205.         }
    1206. 

  1206.       }
    1207. 

  1207.       p->Z_is_one = 1;
    1208. 

  1208.     }
    1209. 

  1209.   }
    1210. 

  1210. 

  1211.   ret = 1;
    1212. 

  1212. 

  1213. err:
    1214. 

  1214.   BN_CTX_end(ctx);
    1215. 

  1215.   BN_CTX_free(new_ctx);
    1216. 

  1216.   if (prod_Z != NULL) {
    1217. 

  1217.     for (i = 0; i < num; i++) {
    1218. 

  1218.       if (prod_Z[i] == NULL) {
    1219. 

  1219.         break;
    1220. 

  1220.       }
    1221. 

  1221.       BN_clear_free(prod_Z[i]);
    1222. 

  1222.     }
    1223. 

  1223.     OPENSSL_free(prod_Z);
    1224. 

  1224.   }
    1225. 

  1225. 

  1226.   return ret;
    1227. 

  1227. }
    1228. 

  1228. 

  1229. int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
    1230. 

  1230.                             const BIGNUM *b, BN_CTX *ctx) {
    1231. 

  1231.   return BN_mod_mul(r, a, b, &group->field, ctx);
    1232. 

  1232. }
    1233. 

  1233. 

  1234. int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
    1235. 

  1235.                             BN_CTX *ctx) {
    1236. 

  1236.   return BN_mod_sqr(r, a, &group->field, ctx);
    1237. 

  1237. }
    1238.