diff options
| author | tpashkin <tpashkin@yandex-team.ru> | 2022-02-10 16:46:42 +0300 |
|---|---|---|
| committer | Daniil Cherednik <dcherednik@yandex-team.ru> | 2022-02-10 16:46:42 +0300 |
| commit | 656921707c02b816d730f31c1fdc1d615adbfe00 (patch) | |
| tree | 49e222ea1c5804306084bb3ae065bb702625360f /contrib/libs/openssl/crypto/ec/ecp_smpl.c | |
| parent | 5475379a04e37df30085bd1724f1c57e3f40996f (diff) | |
| download | ydb-656921707c02b816d730f31c1fdc1d615adbfe00.tar.gz | |
Restoring authorship annotation for <tpashkin@yandex-team.ru>. Commit 2 of 2.
Diffstat (limited to 'contrib/libs/openssl/crypto/ec/ecp_smpl.c')
| -rw-r--r-- | contrib/libs/openssl/crypto/ec/ecp_smpl.c | 338 |
1 files changed, 169 insertions, 169 deletions
diff --git a/contrib/libs/openssl/crypto/ec/ecp_smpl.c b/contrib/libs/openssl/crypto/ec/ecp_smpl.c index 6eba0ee39b..b3110ec89d 100644 --- a/contrib/libs/openssl/crypto/ec/ecp_smpl.c +++ b/contrib/libs/openssl/crypto/ec/ecp_smpl.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -11,7 +11,7 @@ #include <openssl/err.h> #include <openssl/symhacks.h> -#include "ec_local.h" +#include "ec_local.h" const EC_METHOD *EC_GFp_simple_method(void) { @@ -1372,7 +1372,7 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, * Computes the multiplicative inverse of a in GF(p), storing the result in r. * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error. * Since we don't have a Mont structure here, SCA hardening is with blinding. - * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.) + * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.) */ int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) @@ -1432,108 +1432,108 @@ int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, temp = BN_CTX_get(ctx); if (temp == NULL) { ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE); - goto end; + goto end; } - /*- - * Make sure lambda is not zero. - * If the RNG fails, we cannot blind but nevertheless want - * code to continue smoothly and not clobber the error stack. - */ + /*- + * Make sure lambda is not zero. + * If the RNG fails, we cannot blind but nevertheless want + * code to continue smoothly and not clobber the error stack. + */ do { - ERR_set_mark(); - ret = BN_priv_rand_range(lambda, group->field); - ERR_pop_to_mark(); - if (ret == 0) { - ret = 1; - goto end; + ERR_set_mark(); + ret = BN_priv_rand_range(lambda, group->field); + ERR_pop_to_mark(); + if (ret == 0) { + ret = 1; + goto end; } } while (BN_is_zero(lambda)); /* if field_encode defined convert between representations */ - if ((group->meth->field_encode != NULL - && !group->meth->field_encode(group, lambda, lambda, ctx)) - || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx) - || !group->meth->field_sqr(group, temp, lambda, ctx) - || !group->meth->field_mul(group, p->X, p->X, temp, ctx) - || !group->meth->field_mul(group, temp, temp, lambda, ctx) - || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx)) - goto end; - + if ((group->meth->field_encode != NULL + && !group->meth->field_encode(group, lambda, lambda, ctx)) + || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx) + || !group->meth->field_sqr(group, temp, lambda, ctx) + || !group->meth->field_mul(group, p->X, p->X, temp, ctx) + || !group->meth->field_mul(group, temp, temp, lambda, ctx) + || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx)) + goto end; + p->Z_is_one = 0; ret = 1; - end: + end: BN_CTX_end(ctx); return ret; } /*- - * Input: - * - p: affine coordinates + * Input: + * - p: affine coordinates + * + * Output: + * - s := p, r := 2p: blinded projective (homogeneous) coordinates * - * Output: - * - s := p, r := 2p: blinded projective (homogeneous) coordinates - * * For doubling we use Formula 3 from Izu-Takagi "A fast parallel elliptic curve - * multiplication resistant against side channel attacks" appendix, described at + * multiplication resistant against side channel attacks" appendix, described at * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2 - * simplified for Z1=1. + * simplified for Z1=1. * - * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z) - * for any non-zero \lambda that holds for projective (homogeneous) coords. + * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z) + * for any non-zero \lambda that holds for projective (homogeneous) coords. */ int ec_GFp_simple_ladder_pre(const EC_GROUP *group, EC_POINT *r, EC_POINT *s, EC_POINT *p, BN_CTX *ctx) { - BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL; + BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL; - t1 = s->Z; - t2 = r->Z; + t1 = s->Z; + t2 = r->Z; t3 = s->X; t4 = r->X; t5 = s->Y; - if (!p->Z_is_one /* r := 2p */ - || !group->meth->field_sqr(group, t3, p->X, ctx) - || !BN_mod_sub_quick(t4, t3, group->a, group->field) - || !group->meth->field_sqr(group, t4, t4, ctx) - || !group->meth->field_mul(group, t5, p->X, group->b, ctx) - || !BN_mod_lshift_quick(t5, t5, 3, group->field) + if (!p->Z_is_one /* r := 2p */ + || !group->meth->field_sqr(group, t3, p->X, ctx) + || !BN_mod_sub_quick(t4, t3, group->a, group->field) + || !group->meth->field_sqr(group, t4, t4, ctx) + || !group->meth->field_mul(group, t5, p->X, group->b, ctx) + || !BN_mod_lshift_quick(t5, t5, 3, group->field) /* r->X coord output */ - || !BN_mod_sub_quick(r->X, t4, t5, group->field) - || !BN_mod_add_quick(t1, t3, group->a, group->field) - || !group->meth->field_mul(group, t2, p->X, t1, ctx) - || !BN_mod_add_quick(t2, group->b, t2, group->field) + || !BN_mod_sub_quick(r->X, t4, t5, group->field) + || !BN_mod_add_quick(t1, t3, group->a, group->field) + || !group->meth->field_mul(group, t2, p->X, t1, ctx) + || !BN_mod_add_quick(t2, group->b, t2, group->field) /* r->Z coord output */ - || !BN_mod_lshift_quick(r->Z, t2, 2, group->field)) + || !BN_mod_lshift_quick(r->Z, t2, 2, group->field)) + return 0; + + /* make sure lambda (r->Y here for storage) is not zero */ + do { + if (!BN_priv_rand_range(r->Y, group->field)) + return 0; + } while (BN_is_zero(r->Y)); + + /* make sure lambda (s->Z here for storage) is not zero */ + do { + if (!BN_priv_rand_range(s->Z, group->field)) + return 0; + } while (BN_is_zero(s->Z)); + + /* if field_encode defined convert between representations */ + if (group->meth->field_encode != NULL + && (!group->meth->field_encode(group, r->Y, r->Y, ctx) + || !group->meth->field_encode(group, s->Z, s->Z, ctx))) + return 0; + + /* blind r and s independently */ + if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx) + || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx) + || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */ return 0; - /* make sure lambda (r->Y here for storage) is not zero */ - do { - if (!BN_priv_rand_range(r->Y, group->field)) - return 0; - } while (BN_is_zero(r->Y)); - - /* make sure lambda (s->Z here for storage) is not zero */ - do { - if (!BN_priv_rand_range(s->Z, group->field)) - return 0; - } while (BN_is_zero(s->Z)); - - /* if field_encode defined convert between representations */ - if (group->meth->field_encode != NULL - && (!group->meth->field_encode(group, r->Y, r->Y, ctx) - || !group->meth->field_encode(group, s->Z, s->Z, ctx))) - return 0; - - /* blind r and s independently */ - if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx) - || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx) - || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */ - return 0; - r->Z_is_one = 0; s->Z_is_one = 0; @@ -1541,24 +1541,24 @@ int ec_GFp_simple_ladder_pre(const EC_GROUP *group, } /*- - * Input: - * - s, r: projective (homogeneous) coordinates - * - p: affine coordinates - * - * Output: - * - s := r + s, r := 2r: projective (homogeneous) coordinates - * - * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi + * Input: + * - s, r: projective (homogeneous) coordinates + * - p: affine coordinates + * + * Output: + * - s := r + s, r := 2r: projective (homogeneous) coordinates + * + * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi * "A fast parallel elliptic curve multiplication resistant against side channel * attacks", as described at - * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4 + * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4 */ int ec_GFp_simple_ladder_step(const EC_GROUP *group, EC_POINT *r, EC_POINT *s, EC_POINT *p, BN_CTX *ctx) { int ret = 0; - BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL; + BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL; BN_CTX_start(ctx); t0 = BN_CTX_get(ctx); @@ -1569,46 +1569,46 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group, t5 = BN_CTX_get(ctx); t6 = BN_CTX_get(ctx); - if (t6 == NULL - || !group->meth->field_mul(group, t6, r->X, s->X, ctx) - || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx) - || !group->meth->field_mul(group, t4, r->X, s->Z, ctx) + if (t6 == NULL + || !group->meth->field_mul(group, t6, r->X, s->X, ctx) + || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx) + || !group->meth->field_mul(group, t4, r->X, s->Z, ctx) || !group->meth->field_mul(group, t3, r->Z, s->X, ctx) - || !group->meth->field_mul(group, t5, group->a, t0, ctx) - || !BN_mod_add_quick(t5, t6, t5, group->field) - || !BN_mod_add_quick(t6, t3, t4, group->field) - || !group->meth->field_mul(group, t5, t6, t5, ctx) - || !group->meth->field_sqr(group, t0, t0, ctx) - || !BN_mod_lshift_quick(t2, group->b, 2, group->field) - || !group->meth->field_mul(group, t0, t2, t0, ctx) - || !BN_mod_lshift1_quick(t5, t5, group->field) - || !BN_mod_sub_quick(t3, t4, t3, group->field) - /* s->Z coord output */ - || !group->meth->field_sqr(group, s->Z, t3, ctx) - || !group->meth->field_mul(group, t4, s->Z, p->X, ctx) - || !BN_mod_add_quick(t0, t0, t5, group->field) - /* s->X coord output */ - || !BN_mod_sub_quick(s->X, t0, t4, group->field) - || !group->meth->field_sqr(group, t4, r->X, ctx) - || !group->meth->field_sqr(group, t5, r->Z, ctx) - || !group->meth->field_mul(group, t6, t5, group->a, ctx) - || !BN_mod_add_quick(t1, r->X, r->Z, group->field) + || !group->meth->field_mul(group, t5, group->a, t0, ctx) + || !BN_mod_add_quick(t5, t6, t5, group->field) + || !BN_mod_add_quick(t6, t3, t4, group->field) + || !group->meth->field_mul(group, t5, t6, t5, ctx) + || !group->meth->field_sqr(group, t0, t0, ctx) + || !BN_mod_lshift_quick(t2, group->b, 2, group->field) + || !group->meth->field_mul(group, t0, t2, t0, ctx) + || !BN_mod_lshift1_quick(t5, t5, group->field) + || !BN_mod_sub_quick(t3, t4, t3, group->field) + /* s->Z coord output */ + || !group->meth->field_sqr(group, s->Z, t3, ctx) + || !group->meth->field_mul(group, t4, s->Z, p->X, ctx) + || !BN_mod_add_quick(t0, t0, t5, group->field) + /* s->X coord output */ + || !BN_mod_sub_quick(s->X, t0, t4, group->field) + || !group->meth->field_sqr(group, t4, r->X, ctx) + || !group->meth->field_sqr(group, t5, r->Z, ctx) + || !group->meth->field_mul(group, t6, t5, group->a, ctx) + || !BN_mod_add_quick(t1, r->X, r->Z, group->field) || !group->meth->field_sqr(group, t1, t1, ctx) - || !BN_mod_sub_quick(t1, t1, t4, group->field) - || !BN_mod_sub_quick(t1, t1, t5, group->field) - || !BN_mod_sub_quick(t3, t4, t6, group->field) - || !group->meth->field_sqr(group, t3, t3, ctx) - || !group->meth->field_mul(group, t0, t5, t1, ctx) - || !group->meth->field_mul(group, t0, t2, t0, ctx) + || !BN_mod_sub_quick(t1, t1, t4, group->field) + || !BN_mod_sub_quick(t1, t1, t5, group->field) + || !BN_mod_sub_quick(t3, t4, t6, group->field) + || !group->meth->field_sqr(group, t3, t3, ctx) + || !group->meth->field_mul(group, t0, t5, t1, ctx) + || !group->meth->field_mul(group, t0, t2, t0, ctx) /* r->X coord output */ - || !BN_mod_sub_quick(r->X, t3, t0, group->field) - || !BN_mod_add_quick(t3, t4, t6, group->field) - || !group->meth->field_sqr(group, t4, t5, ctx) - || !group->meth->field_mul(group, t4, t4, t2, ctx) - || !group->meth->field_mul(group, t1, t1, t3, ctx) - || !BN_mod_lshift1_quick(t1, t1, group->field) + || !BN_mod_sub_quick(r->X, t3, t0, group->field) + || !BN_mod_add_quick(t3, t4, t6, group->field) + || !group->meth->field_sqr(group, t4, t5, ctx) + || !group->meth->field_mul(group, t4, t4, t2, ctx) + || !group->meth->field_mul(group, t1, t1, t3, ctx) + || !BN_mod_lshift1_quick(t1, t1, group->field) /* r->Z coord output */ - || !BN_mod_add_quick(r->Z, t4, t1, group->field)) + || !BN_mod_add_quick(r->Z, t4, t1, group->field)) goto err; ret = 1; @@ -1619,21 +1619,21 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group, } /*- - * Input: - * - s, r: projective (homogeneous) coordinates - * - p: affine coordinates - * - * Output: - * - r := (x,y): affine coordinates - * + * Input: + * - s, r: projective (homogeneous) coordinates + * - p: affine coordinates + * + * Output: + * - r := (x,y): affine coordinates + * * Recovers the y-coordinate of r using Eq. (8) from Brier-Joye, "Weierstrass - * Elliptic Curves and Side-Channel Attacks", modified to work in mixed - * projective coords, i.e. p is affine and (r,s) in projective (homogeneous) - * coords, and return r in affine coordinates. + * Elliptic Curves and Side-Channel Attacks", modified to work in mixed + * projective coords, i.e. p is affine and (r,s) in projective (homogeneous) + * coords, and return r in affine coordinates. * - * X4 = two*Y1*X2*Z3*Z2; - * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2); - * Z4 = two*Y1*Z3*SQR(Z2); + * X4 = two*Y1*X2*Z3*Z2; + * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2); + * Z4 = two*Y1*Z3*SQR(Z2); * * Z4 != 0 because: * - Z2==0 implies r is at infinity (handled by the BN_is_zero(r->Z) branch); @@ -1652,7 +1652,7 @@ int ec_GFp_simple_ladder_post(const EC_GROUP *group, return EC_POINT_set_to_infinity(group, r); if (BN_is_zero(s->Z)) { - if (!EC_POINT_copy(r, p) + if (!EC_POINT_copy(r, p) || !EC_POINT_invert(group, r, ctx)) return 0; return 1; @@ -1668,46 +1668,46 @@ int ec_GFp_simple_ladder_post(const EC_GROUP *group, t6 = BN_CTX_get(ctx); if (t6 == NULL - || !BN_mod_lshift1_quick(t4, p->Y, group->field) - || !group->meth->field_mul(group, t6, r->X, t4, ctx) - || !group->meth->field_mul(group, t6, s->Z, t6, ctx) - || !group->meth->field_mul(group, t5, r->Z, t6, ctx) - || !BN_mod_lshift1_quick(t1, group->b, group->field) - || !group->meth->field_mul(group, t1, s->Z, t1, ctx) + || !BN_mod_lshift1_quick(t4, p->Y, group->field) + || !group->meth->field_mul(group, t6, r->X, t4, ctx) + || !group->meth->field_mul(group, t6, s->Z, t6, ctx) + || !group->meth->field_mul(group, t5, r->Z, t6, ctx) + || !BN_mod_lshift1_quick(t1, group->b, group->field) + || !group->meth->field_mul(group, t1, s->Z, t1, ctx) || !group->meth->field_sqr(group, t3, r->Z, ctx) - || !group->meth->field_mul(group, t2, t3, t1, ctx) - || !group->meth->field_mul(group, t6, r->Z, group->a, ctx) - || !group->meth->field_mul(group, t1, p->X, r->X, ctx) - || !BN_mod_add_quick(t1, t1, t6, group->field) - || !group->meth->field_mul(group, t1, s->Z, t1, ctx) - || !group->meth->field_mul(group, t0, p->X, r->Z, ctx) - || !BN_mod_add_quick(t6, r->X, t0, group->field) - || !group->meth->field_mul(group, t6, t6, t1, ctx) - || !BN_mod_add_quick(t6, t6, t2, group->field) - || !BN_mod_sub_quick(t0, t0, r->X, group->field) - || !group->meth->field_sqr(group, t0, t0, ctx) - || !group->meth->field_mul(group, t0, t0, s->X, ctx) - || !BN_mod_sub_quick(t0, t6, t0, group->field) - || !group->meth->field_mul(group, t1, s->Z, t4, ctx) - || !group->meth->field_mul(group, t1, t3, t1, ctx) - || (group->meth->field_decode != NULL - && !group->meth->field_decode(group, t1, t1, ctx)) - || !group->meth->field_inv(group, t1, t1, ctx) - || (group->meth->field_encode != NULL - && !group->meth->field_encode(group, t1, t1, ctx)) - || !group->meth->field_mul(group, r->X, t5, t1, ctx) - || !group->meth->field_mul(group, r->Y, t0, t1, ctx)) + || !group->meth->field_mul(group, t2, t3, t1, ctx) + || !group->meth->field_mul(group, t6, r->Z, group->a, ctx) + || !group->meth->field_mul(group, t1, p->X, r->X, ctx) + || !BN_mod_add_quick(t1, t1, t6, group->field) + || !group->meth->field_mul(group, t1, s->Z, t1, ctx) + || !group->meth->field_mul(group, t0, p->X, r->Z, ctx) + || !BN_mod_add_quick(t6, r->X, t0, group->field) + || !group->meth->field_mul(group, t6, t6, t1, ctx) + || !BN_mod_add_quick(t6, t6, t2, group->field) + || !BN_mod_sub_quick(t0, t0, r->X, group->field) + || !group->meth->field_sqr(group, t0, t0, ctx) + || !group->meth->field_mul(group, t0, t0, s->X, ctx) + || !BN_mod_sub_quick(t0, t6, t0, group->field) + || !group->meth->field_mul(group, t1, s->Z, t4, ctx) + || !group->meth->field_mul(group, t1, t3, t1, ctx) + || (group->meth->field_decode != NULL + && !group->meth->field_decode(group, t1, t1, ctx)) + || !group->meth->field_inv(group, t1, t1, ctx) + || (group->meth->field_encode != NULL + && !group->meth->field_encode(group, t1, t1, ctx)) + || !group->meth->field_mul(group, r->X, t5, t1, ctx) + || !group->meth->field_mul(group, r->Y, t0, t1, ctx)) goto err; - if (group->meth->field_set_to_one != NULL) { - if (!group->meth->field_set_to_one(group, r->Z, ctx)) - goto err; - } else { - if (!BN_one(r->Z)) - goto err; - } - - r->Z_is_one = 1; + if (group->meth->field_set_to_one != NULL) { + if (!group->meth->field_set_to_one(group, r->Z, ctx)) + goto err; + } else { + if (!BN_one(r->Z)) + goto err; + } + + r->Z_is_one = 1; ret = 1; err: |