authortpashkin <tpashkin@yandex-team.ru>2022-02-10 16:46:42 +0300
committerDaniil Cherednik <dcherednik@yandex-team.ru>2022-02-10 16:46:42 +0300
commit656921707c02b816d730f31c1fdc1d615adbfe00 (patch)
tree49e222ea1c5804306084bb3ae065bb702625360f /contrib/libs/openssl/crypto/ec
parent5475379a04e37df30085bd1724f1c57e3f40996f (diff)
Restoring authorship annotation for <tpashkin@yandex-team.ru>. Commit 2 of 2.
Diffstat (limited to 'contrib/libs/openssl/crypto/ec')
-rw-r--r--contrib/libs/openssl/crypto/ec/curve25519.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/curve448/arch_32/arch_intrinsics.h8
-rw-r--r--contrib/libs/openssl/crypto/ec/curve448/arch_32/f_impl.h6
-rw-r--r--contrib/libs/openssl/crypto/ec/curve448/curve448.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/curve448/curve448_local.h76
-rw-r--r--contrib/libs/openssl/crypto/ec/curve448/curve448utils.h4
-rw-r--r--contrib/libs/openssl/crypto/ec/curve448/ed448.h6
-rw-r--r--contrib/libs/openssl/crypto/ec/curve448/eddsa.c16
-rw-r--r--contrib/libs/openssl/crypto/ec/curve448/field.h8
-rw-r--r--contrib/libs/openssl/crypto/ec/curve448/point_448.h6
-rw-r--r--contrib/libs/openssl/crypto/ec/curve448/word.h6
-rw-r--r--contrib/libs/openssl/crypto/ec/ec2_oct.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ec2_smpl.c4
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_ameth.c6
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_asn1.c44
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_check.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_curve.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_cvt.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_key.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_kmeth.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_lib.c12
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_local.h1476
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_mult.c42
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_oct.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_pmeth.c4
-rw-r--r--contrib/libs/openssl/crypto/ec/ec_print.c6
-rw-r--r--contrib/libs/openssl/crypto/ec/ecdh_kdf.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ecdh_ossl.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ecdsa_ossl.c6
-rw-r--r--contrib/libs/openssl/crypto/ec/ecdsa_sign.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ecdsa_vrf.c8
-rw-r--r--contrib/libs/openssl/crypto/ec/ecp_mont.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ecp_nist.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ecp_nistp224.c66
-rw-r--r--contrib/libs/openssl/crypto/ec/ecp_nistp256.c50
-rw-r--r--contrib/libs/openssl/crypto/ec/ecp_nistp521.c42
-rw-r--r--contrib/libs/openssl/crypto/ec/ecp_nistputil.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ecp_nistz256.c86
-rw-r--r--contrib/libs/openssl/crypto/ec/ecp_oct.c2
-rw-r--r--contrib/libs/openssl/crypto/ec/ecp_smpl.c338
-rw-r--r--contrib/libs/openssl/crypto/ec/ecx_meth.c10
41 files changed, 1184 insertions, 1184 deletions
diff --git a/contrib/libs/openssl/crypto/ec/curve25519.c b/contrib/libs/openssl/crypto/ec/curve25519.c
index e6e336f216..952da0e653 100644
--- a/contrib/libs/openssl/crypto/ec/curve25519.c
+++ b/contrib/libs/openssl/crypto/ec/curve25519.c
@@ -8,7 +8,7 @@
*/
#include <string.h>
-#include "ec_local.h"
+#include "ec_local.h"
#include <openssl/sha.h>
#if defined(X25519_ASM) && (defined(__x86_64) || defined(__x86_64__) || \
diff --git a/contrib/libs/openssl/crypto/ec/curve448/arch_32/arch_intrinsics.h b/contrib/libs/openssl/crypto/ec/curve448/arch_32/arch_intrinsics.h
index 5366aaee82..5f6389863d 100644
--- a/contrib/libs/openssl/crypto/ec/curve448/arch_32/arch_intrinsics.h
+++ b/contrib/libs/openssl/crypto/ec/curve448/arch_32/arch_intrinsics.h
@@ -10,10 +10,10 @@
* Originally written by Mike Hamburg
*/
-#ifndef OSSL_CRYPTO_EC_CURVE448_ARCH_32_INTRINSICS_H
-# define OSSL_CRYPTO_EC_CURVE448_ARCH_32_INTRINSICS_H
+#ifndef OSSL_CRYPTO_EC_CURVE448_ARCH_32_INTRINSICS_H
+# define OSSL_CRYPTO_EC_CURVE448_ARCH_32_INTRINSICS_H
-#include "internal/constant_time.h"
+#include "internal/constant_time.h"
# define ARCH_WORD_BITS 32
@@ -24,4 +24,4 @@ static ossl_inline uint64_t widemul(uint32_t a, uint32_t b)
return ((uint64_t)a) * b;
}
-#endif /* OSSL_CRYPTO_EC_CURVE448_ARCH_32_INTRINSICS_H */
+#endif /* OSSL_CRYPTO_EC_CURVE448_ARCH_32_INTRINSICS_H */
diff --git a/contrib/libs/openssl/crypto/ec/curve448/arch_32/f_impl.h b/contrib/libs/openssl/crypto/ec/curve448/arch_32/f_impl.h
index 5436df76fe..e1ddddaee0 100644
--- a/contrib/libs/openssl/crypto/ec/curve448/arch_32/f_impl.h
+++ b/contrib/libs/openssl/crypto/ec/curve448/arch_32/f_impl.h
@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
-#ifndef OSSL_CRYPTO_EC_CURVE448_ARCH_32_F_IMPL_H
-# define OSSL_CRYPTO_EC_CURVE448_ARCH_32_F_IMPL_H
+#ifndef OSSL_CRYPTO_EC_CURVE448_ARCH_32_F_IMPL_H
+# define OSSL_CRYPTO_EC_CURVE448_ARCH_32_F_IMPL_H
# define GF_HEADROOM 2
# define LIMB(x) ((x) & ((1 << 28) - 1)), ((x) >> 28)
@@ -57,4 +57,4 @@ void gf_weak_reduce(gf a)
a->limb[0] = (a->limb[0] & mask) + tmp;
}
-#endif /* OSSL_CRYPTO_EC_CURVE448_ARCH_32_F_IMPL_H */
+#endif /* OSSL_CRYPTO_EC_CURVE448_ARCH_32_F_IMPL_H */
diff --git a/contrib/libs/openssl/crypto/ec/curve448/curve448.c b/contrib/libs/openssl/crypto/ec/curve448/curve448.c
index 90ae3f1513..12d97f0679 100644
--- a/contrib/libs/openssl/crypto/ec/curve448/curve448.c
+++ b/contrib/libs/openssl/crypto/ec/curve448/curve448.c
@@ -15,7 +15,7 @@
#include "point_448.h"
#include "ed448.h"
-#include "curve448_local.h"
+#include "curve448_local.h"
#define COFACTOR 4
diff --git a/contrib/libs/openssl/crypto/ec/curve448/curve448_local.h b/contrib/libs/openssl/crypto/ec/curve448/curve448_local.h
index 84fa706ae1..b27770661f 100644
--- a/contrib/libs/openssl/crypto/ec/curve448/curve448_local.h
+++ b/contrib/libs/openssl/crypto/ec/curve448/curve448_local.h
@@ -1,38 +1,38 @@
-/*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-#ifndef OSSL_CRYPTO_EC_CURVE448_LOCAL_H
-# define OSSL_CRYPTO_EC_CURVE448_LOCAL_H
-# include "curve448utils.h"
-
-int X448(uint8_t out_shared_key[56], const uint8_t private_key[56],
- const uint8_t peer_public_value[56]);
-
-void X448_public_from_private(uint8_t out_public_value[56],
- const uint8_t private_key[56]);
-
-int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
- const uint8_t public_key[57], const uint8_t private_key[57],
- const uint8_t *context, size_t context_len);
-
-int ED448_verify(const uint8_t *message, size_t message_len,
- const uint8_t signature[114], const uint8_t public_key[57],
- const uint8_t *context, size_t context_len);
-
-int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64],
- const uint8_t public_key[57], const uint8_t private_key[57],
- const uint8_t *context, size_t context_len);
-
-int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114],
- const uint8_t public_key[57], const uint8_t *context,
- size_t context_len);
-
-int ED448_public_from_private(uint8_t out_public_key[57],
- const uint8_t private_key[57]);
-
-#endif /* OSSL_CRYPTO_EC_CURVE448_LOCAL_H */
+/*
+ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#ifndef OSSL_CRYPTO_EC_CURVE448_LOCAL_H
+# define OSSL_CRYPTO_EC_CURVE448_LOCAL_H
+# include "curve448utils.h"
+
+int X448(uint8_t out_shared_key[56], const uint8_t private_key[56],
+ const uint8_t peer_public_value[56]);
+
+void X448_public_from_private(uint8_t out_public_value[56],
+ const uint8_t private_key[56]);
+
+int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
+ const uint8_t public_key[57], const uint8_t private_key[57],
+ const uint8_t *context, size_t context_len);
+
+int ED448_verify(const uint8_t *message, size_t message_len,
+ const uint8_t signature[114], const uint8_t public_key[57],
+ const uint8_t *context, size_t context_len);
+
+int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64],
+ const uint8_t public_key[57], const uint8_t private_key[57],
+ const uint8_t *context, size_t context_len);
+
+int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114],
+ const uint8_t public_key[57], const uint8_t *context,
+ size_t context_len);
+
+int ED448_public_from_private(uint8_t out_public_key[57],
+ const uint8_t private_key[57]);
+
+#endif /* OSSL_CRYPTO_EC_CURVE448_LOCAL_H */
diff --git a/contrib/libs/openssl/crypto/ec/curve448/curve448utils.h b/contrib/libs/openssl/crypto/ec/curve448/curve448utils.h
index a7f2b7d163..86c258e745 100644
--- a/contrib/libs/openssl/crypto/ec/curve448/curve448utils.h
+++ b/contrib/libs/openssl/crypto/ec/curve448/curve448utils.h
@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
-#ifndef OSSL_CRYPTO_EC_CURVE448UTILS_H
-# define OSSL_CRYPTO_EC_CURVE448UTILS_H
+#ifndef OSSL_CRYPTO_EC_CURVE448UTILS_H
+# define OSSL_CRYPTO_EC_CURVE448UTILS_H
# include <openssl/e_os2.h>
diff --git a/contrib/libs/openssl/crypto/ec/curve448/ed448.h b/contrib/libs/openssl/crypto/ec/curve448/ed448.h
index dab849b3dc..c1e5c2832f 100644
--- a/contrib/libs/openssl/crypto/ec/curve448/ed448.h
+++ b/contrib/libs/openssl/crypto/ec/curve448/ed448.h
@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
-#ifndef OSSL_CRYPTO_EC_CURVE448_ED448_H
-# define OSSL_CRYPTO_EC_CURVE448_ED448_H
+#ifndef OSSL_CRYPTO_EC_CURVE448_ED448_H
+# define OSSL_CRYPTO_EC_CURVE448_ED448_H
# include "point_448.h"
@@ -192,4 +192,4 @@ c448_error_t c448_ed448_convert_private_key_to_x448(
uint8_t x[X448_PRIVATE_BYTES],
const uint8_t ed[EDDSA_448_PRIVATE_BYTES]);
-#endif /* OSSL_CRYPTO_EC_CURVE448_ED448_H */
+#endif /* OSSL_CRYPTO_EC_CURVE448_ED448_H */
diff --git a/contrib/libs/openssl/crypto/ec/curve448/eddsa.c b/contrib/libs/openssl/crypto/ec/curve448/eddsa.c
index f03f11012c..82741f5435 100644
--- a/contrib/libs/openssl/crypto/ec/curve448/eddsa.c
+++ b/contrib/libs/openssl/crypto/ec/curve448/eddsa.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2016 Cryptography Research, Inc.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -12,7 +12,7 @@
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
-#include "curve448_local.h"
+#include "curve448_local.h"
#include "word.h"
#include "ed448.h"
#include "internal/numbers.h"
@@ -50,12 +50,12 @@ static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed,
const uint8_t *context,
size_t context_len)
{
-#ifdef CHARSET_EBCDIC
- const char dom_s[] = {0x53, 0x69, 0x67, 0x45,
- 0x64, 0x34, 0x34, 0x38, 0x00};
-#else
- const char dom_s[] = "SigEd448";
-#endif
+#ifdef CHARSET_EBCDIC
+ const char dom_s[] = {0x53, 0x69, 0x67, 0x45,
+ 0x64, 0x34, 0x34, 0x38, 0x00};
+#else
+ const char dom_s[] = "SigEd448";
+#endif
uint8_t dom[2];
if (context_len > UINT8_MAX)
diff --git a/contrib/libs/openssl/crypto/ec/curve448/field.h b/contrib/libs/openssl/crypto/ec/curve448/field.h
index 6696784dcc..ccd04482d2 100644
--- a/contrib/libs/openssl/crypto/ec/curve448/field.h
+++ b/contrib/libs/openssl/crypto/ec/curve448/field.h
@@ -10,10 +10,10 @@
* Originally written by Mike Hamburg
*/
-#ifndef OSSL_CRYPTO_EC_CURVE448_FIELD_H
-# define OSSL_CRYPTO_EC_CURVE448_FIELD_H
+#ifndef OSSL_CRYPTO_EC_CURVE448_FIELD_H
+# define OSSL_CRYPTO_EC_CURVE448_FIELD_H
-# include "internal/constant_time.h"
+# include "internal/constant_time.h"
# include <string.h>
# include <assert.h>
# include "word.h"
@@ -165,4 +165,4 @@ static ossl_inline void gf_cond_swap(gf x, gf_s * RESTRICT y, mask_t swap)
}
}
-#endif /* OSSL_CRYPTO_EC_CURVE448_FIELD_H */
+#endif /* OSSL_CRYPTO_EC_CURVE448_FIELD_H */
diff --git a/contrib/libs/openssl/crypto/ec/curve448/point_448.h b/contrib/libs/openssl/crypto/ec/curve448/point_448.h
index 8347a2c8e0..93e715fd9c 100644
--- a/contrib/libs/openssl/crypto/ec/curve448/point_448.h
+++ b/contrib/libs/openssl/crypto/ec/curve448/point_448.h
@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
-#ifndef OSSL_CRYPTO_EC_CURVE448_POINT_448_H
-# define OSSL_CRYPTO_EC_CURVE448_POINT_448_H
+#ifndef OSSL_CRYPTO_EC_CURVE448_POINT_448_H
+# define OSSL_CRYPTO_EC_CURVE448_POINT_448_H
# include "curve448utils.h"
# include "field.h"
@@ -298,4 +298,4 @@ void curve448_scalar_destroy(curve448_scalar_t scalar);
/* Overwrite point with zeros. */
void curve448_point_destroy(curve448_point_t point);
-#endif /* OSSL_CRYPTO_EC_CURVE448_POINT_448_H */
+#endif /* OSSL_CRYPTO_EC_CURVE448_POINT_448_H */
diff --git a/contrib/libs/openssl/crypto/ec/curve448/word.h b/contrib/libs/openssl/crypto/ec/curve448/word.h
index 8550a01aef..237cc9b631 100644
--- a/contrib/libs/openssl/crypto/ec/curve448/word.h
+++ b/contrib/libs/openssl/crypto/ec/curve448/word.h
@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
-#ifndef OSSL_CRYPTO_EC_CURVE448_WORD_H
-# define OSSL_CRYPTO_EC_CURVE448_WORD_H
+#ifndef OSSL_CRYPTO_EC_CURVE448_WORD_H
+# define OSSL_CRYPTO_EC_CURVE448_WORD_H
# include <string.h>
# include <assert.h>
@@ -78,4 +78,4 @@ static ossl_inline mask_t bool_to_mask(c448_bool_t m)
return ret;
}
-#endif /* OSSL_CRYPTO_EC_CURVE448_WORD_H */
+#endif /* OSSL_CRYPTO_EC_CURVE448_WORD_H */
diff --git a/contrib/libs/openssl/crypto/ec/ec2_oct.c b/contrib/libs/openssl/crypto/ec/ec2_oct.c
index fc31d36407..788e6501fb 100644
--- a/contrib/libs/openssl/crypto/ec/ec2_oct.c
+++ b/contrib/libs/openssl/crypto/ec/ec2_oct.c
@@ -10,7 +10,7 @@
#include <openssl/err.h>
-#include "ec_local.h"
+#include "ec_local.h"
#ifndef OPENSSL_NO_EC2M
diff --git a/contrib/libs/openssl/crypto/ec/ec2_smpl.c b/contrib/libs/openssl/crypto/ec/ec2_smpl.c
index 3b1e92f2f7..84e5537a03 100644
--- a/contrib/libs/openssl/crypto/ec/ec2_smpl.c
+++ b/contrib/libs/openssl/crypto/ec/ec2_smpl.c
@@ -10,8 +10,8 @@
#include <openssl/err.h>
-#include "crypto/bn.h"
-#include "ec_local.h"
+#include "crypto/bn.h"
+#include "ec_local.h"
#ifndef OPENSSL_NO_EC2M
diff --git a/contrib/libs/openssl/crypto/ec/ec_ameth.c b/contrib/libs/openssl/crypto/ec/ec_ameth.c
index 7c75db57d4..5098bd7a66 100644
--- a/contrib/libs/openssl/crypto/ec/ec_ameth.c
+++ b/contrib/libs/openssl/crypto/ec/ec_ameth.c
@@ -14,9 +14,9 @@
#include <openssl/bn.h>
#include <openssl/cms.h>
#include <openssl/asn1t.h>
-#include "crypto/asn1.h"
-#include "crypto/evp.h"
-#include "ec_local.h"
+#include "crypto/asn1.h"
+#include "crypto/evp.h"
+#include "ec_local.h"
#ifndef OPENSSL_NO_CMS
static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
diff --git a/contrib/libs/openssl/crypto/ec/ec_asn1.c b/contrib/libs/openssl/crypto/ec/ec_asn1.c
index 080b93e9be..c8ee1e6f17 100644
--- a/contrib/libs/openssl/crypto/ec/ec_asn1.c
+++ b/contrib/libs/openssl/crypto/ec/ec_asn1.c
@@ -8,7 +8,7 @@
*/
#include <string.h>
-#include "ec_local.h"
+#include "ec_local.h"
#include <openssl/err.h>
#include <openssl/asn1t.h>
#include <openssl/objects.h>
@@ -452,7 +452,7 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
unsigned char *buffer = NULL;
const EC_POINT *point = NULL;
point_conversion_form_t form;
- ASN1_INTEGER *orig;
+ ASN1_INTEGER *orig;
if (params == NULL) {
if ((ret = ECPARAMETERS_new()) == NULL) {
@@ -503,9 +503,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB);
goto err;
}
- ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order);
+ ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order);
if (ret->order == NULL) {
- ret->order = orig;
+ ret->order = orig;
ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
goto err;
}
@@ -513,9 +513,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
/* set the cofactor (optional) */
tmp = EC_GROUP_get0_cofactor(group);
if (tmp != NULL) {
- ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor);
+ ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor);
if (ret->cofactor == NULL) {
- ret->cofactor = orig;
+ ret->cofactor = orig;
ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
goto err;
}
@@ -866,20 +866,20 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
* serialized using explicit parameters by default.
*/
EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE);
-
- /*
- * If the input params do not contain the optional seed field we make
- * sure it is not added to the returned group.
- *
- * The seed field is not really used inside libcrypto anyway, and
- * adding it to parsed explicit parameter keys would alter their DER
- * encoding output (because of the extra field) which could impact
- * applications fingerprinting keys by their DER encoding.
- */
- if (params->curve->seed == NULL) {
- if (EC_GROUP_set_seed(ret, NULL, 0) != 1)
- goto err;
- }
+
+ /*
+ * If the input params do not contain the optional seed field we make
+ * sure it is not added to the returned group.
+ *
+ * The seed field is not really used inside libcrypto anyway, and
+ * adding it to parsed explicit parameter keys would alter their DER
+ * encoding output (because of the extra field) which could impact
+ * applications fingerprinting keys by their DER encoding.
+ */
+ if (params->curve->seed == NULL) {
+ if (EC_GROUP_set_seed(ret, NULL, 0) != 1)
+ goto err;
+ }
}
ok = 1;
@@ -1322,7 +1322,7 @@ int ECDSA_size(const EC_KEY *r)
i = i2d_ASN1_INTEGER(&bs, NULL);
i += i; /* r and s */
ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE);
- if (ret < 0)
- return 0;
+ if (ret < 0)
+ return 0;
return ret;
}
diff --git a/contrib/libs/openssl/crypto/ec/ec_check.c b/contrib/libs/openssl/crypto/ec/ec_check.c
index 0bddac6142..d0706d2857 100644
--- a/contrib/libs/openssl/crypto/ec/ec_check.c
+++ b/contrib/libs/openssl/crypto/ec/ec_check.c
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "ec_local.h"
+#include "ec_local.h"
#include <openssl/err.h>
int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx)
diff --git a/contrib/libs/openssl/crypto/ec/ec_curve.c b/contrib/libs/openssl/crypto/ec/ec_curve.c
index 0268af0258..8de486cbd7 100644
--- a/contrib/libs/openssl/crypto/ec/ec_curve.c
+++ b/contrib/libs/openssl/crypto/ec/ec_curve.c
@@ -9,7 +9,7 @@
*/
#include <string.h>
-#include "ec_local.h"
+#include "ec_local.h"
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/opensslconf.h>
diff --git a/contrib/libs/openssl/crypto/ec/ec_cvt.c b/contrib/libs/openssl/crypto/ec/ec_cvt.c
index 4db3e0cf1b..944e317d9d 100644
--- a/contrib/libs/openssl/crypto/ec/ec_cvt.c
+++ b/contrib/libs/openssl/crypto/ec/ec_cvt.c
@@ -9,7 +9,7 @@
*/
#include <openssl/err.h>
-#include "ec_local.h"
+#include "ec_local.h"
EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
const BIGNUM *b, BN_CTX *ctx)
diff --git a/contrib/libs/openssl/crypto/ec/ec_key.c b/contrib/libs/openssl/crypto/ec/ec_key.c
index a89d79b053..23efbd015c 100644
--- a/contrib/libs/openssl/crypto/ec/ec_key.c
+++ b/contrib/libs/openssl/crypto/ec/ec_key.c
@@ -10,7 +10,7 @@
#include "internal/cryptlib.h"
#include <string.h>
-#include "ec_local.h"
+#include "ec_local.h"
#include "internal/refcount.h"
#include <openssl/err.h>
#include <openssl/engine.h>
diff --git a/contrib/libs/openssl/crypto/ec/ec_kmeth.c b/contrib/libs/openssl/crypto/ec/ec_kmeth.c
index 86681864c9..53a4a92952 100644
--- a/contrib/libs/openssl/crypto/ec/ec_kmeth.c
+++ b/contrib/libs/openssl/crypto/ec/ec_kmeth.c
@@ -11,7 +11,7 @@
#include <openssl/ec.h>
#include <openssl/engine.h>
#include <openssl/err.h>
-#include "ec_local.h"
+#include "ec_local.h"
static const EC_KEY_METHOD openssl_ec_key_method = {
diff --git a/contrib/libs/openssl/crypto/ec/ec_lib.c b/contrib/libs/openssl/crypto/ec/ec_lib.c
index 8201483f4c..08db89fcee 100644
--- a/contrib/libs/openssl/crypto/ec/ec_lib.c
+++ b/contrib/libs/openssl/crypto/ec/ec_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -13,7 +13,7 @@
#include <openssl/err.h>
#include <openssl/opensslv.h>
-#include "ec_local.h"
+#include "ec_local.h"
/* functions for EC_GROUP objects */
@@ -1012,10 +1012,10 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
-
- if (scalar == NULL && num == 0)
- return EC_POINT_set_to_infinity(group, r);
-
+
+ if (scalar == NULL && num == 0)
+ return EC_POINT_set_to_infinity(group, r);
+
for (i = 0; i < num; i++) {
if (!ec_point_is_compat(points[i], group)) {
ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
diff --git a/contrib/libs/openssl/crypto/ec/ec_local.h b/contrib/libs/openssl/crypto/ec/ec_local.h
index 48e855c068..64725a9c92 100644
--- a/contrib/libs/openssl/crypto/ec/ec_local.h
+++ b/contrib/libs/openssl/crypto/ec/ec_local.h
@@ -1,741 +1,741 @@
-/*
+/*
* Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdlib.h>
-
-#include <openssl/obj_mac.h>
-#include <openssl/ec.h>
-#include <openssl/bn.h>
-#include "internal/refcount.h"
-#include "crypto/ec.h"
-
-#if defined(__SUNPRO_C)
-# if __SUNPRO_C >= 0x520
-# pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE)
-# endif
-#endif
-
-/* Use default functions for poin2oct, oct2point and compressed coordinates */
-#define EC_FLAGS_DEFAULT_OCT 0x1
-
-/* Use custom formats for EC_GROUP, EC_POINT and EC_KEY */
-#define EC_FLAGS_CUSTOM_CURVE 0x2
-
-/* Curve does not support signing operations */
-#define EC_FLAGS_NO_SIGN 0x4
-
-/*
- * Structure details are not part of the exported interface, so all this may
- * change in future versions.
- */
-
-struct ec_method_st {
- /* Various method flags */
- int flags;
- /* used by EC_METHOD_get_field_type: */
- int field_type; /* a NID */
- /*
- * used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free,
- * EC_GROUP_copy:
- */
- int (*group_init) (EC_GROUP *);
- void (*group_finish) (EC_GROUP *);
- void (*group_clear_finish) (EC_GROUP *);
- int (*group_copy) (EC_GROUP *, const EC_GROUP *);
- /* used by EC_GROUP_set_curve, EC_GROUP_get_curve: */
- int (*group_set_curve) (EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
- int (*group_get_curve) (const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b,
- BN_CTX *);
- /* used by EC_GROUP_get_degree: */
- int (*group_get_degree) (const EC_GROUP *);
- int (*group_order_bits) (const EC_GROUP *);
- /* used by EC_GROUP_check: */
- int (*group_check_discriminant) (const EC_GROUP *, BN_CTX *);
- /*
- * used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free,
- * EC_POINT_copy:
- */
- int (*point_init) (EC_POINT *);
- void (*point_finish) (EC_POINT *);
- void (*point_clear_finish) (EC_POINT *);
- int (*point_copy) (EC_POINT *, const EC_POINT *);
- /*-
- * used by EC_POINT_set_to_infinity,
- * EC_POINT_set_Jprojective_coordinates_GFp,
- * EC_POINT_get_Jprojective_coordinates_GFp,
- * EC_POINT_set_affine_coordinates,
- * EC_POINT_get_affine_coordinates,
- * EC_POINT_set_compressed_coordinates:
- */
- int (*point_set_to_infinity) (const EC_GROUP *, EC_POINT *);
- int (*point_set_Jprojective_coordinates_GFp) (const EC_GROUP *,
- EC_POINT *, const BIGNUM *x,
- const BIGNUM *y,
- const BIGNUM *z, BN_CTX *);
- int (*point_get_Jprojective_coordinates_GFp) (const EC_GROUP *,
- const EC_POINT *, BIGNUM *x,
- BIGNUM *y, BIGNUM *z,
- BN_CTX *);
- int (*point_set_affine_coordinates) (const EC_GROUP *, EC_POINT *,
- const BIGNUM *x, const BIGNUM *y,
- BN_CTX *);
- int (*point_get_affine_coordinates) (const EC_GROUP *, const EC_POINT *,
- BIGNUM *x, BIGNUM *y, BN_CTX *);
- int (*point_set_compressed_coordinates) (const EC_GROUP *, EC_POINT *,
- const BIGNUM *x, int y_bit,
- BN_CTX *);
- /* used by EC_POINT_point2oct, EC_POINT_oct2point: */
- size_t (*point2oct) (const EC_GROUP *, const EC_POINT *,
- point_conversion_form_t form, unsigned char *buf,
- size_t len, BN_CTX *);
- int (*oct2point) (const EC_GROUP *, EC_POINT *, const unsigned char *buf,
- size_t len, BN_CTX *);
- /* used by EC_POINT_add, EC_POINT_dbl, ECP_POINT_invert: */
- int (*add) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
- const EC_POINT *b, BN_CTX *);
- int (*dbl) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
- int (*invert) (const EC_GROUP *, EC_POINT *, BN_CTX *);
- /*
- * used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp:
- */
- int (*is_at_infinity) (const EC_GROUP *, const EC_POINT *);
- int (*is_on_curve) (const EC_GROUP *, const EC_POINT *, BN_CTX *);
- int (*point_cmp) (const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
- BN_CTX *);
- /* used by EC_POINT_make_affine, EC_POINTs_make_affine: */
- int (*make_affine) (const EC_GROUP *, EC_POINT *, BN_CTX *);
- int (*points_make_affine) (const EC_GROUP *, size_t num, EC_POINT *[],
- BN_CTX *);
- /*
- * used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult,
- * EC_POINT_have_precompute_mult (default implementations are used if the
- * 'mul' pointer is 0):
- */
- /*-
- * mul() calculates the value
- *
- * r := generator * scalar
- * + points[0] * scalars[0]
- * + ...
- * + points[num-1] * scalars[num-1].
- *
- * For a fixed point multiplication (scalar != NULL, num == 0)
- * or a variable point multiplication (scalar == NULL, num == 1),
- * mul() must use a constant time algorithm: in both cases callers
- * should provide an input scalar (either scalar or scalars[0])
- * in the range [0, ec_group_order); for robustness, implementers
- * should handle the case when the scalar has not been reduced, but
- * may treat it as an unusual input, without any constant-timeness
- * guarantee.
- */
- int (*mul) (const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
- size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
- BN_CTX *);
- int (*precompute_mult) (EC_GROUP *group, BN_CTX *);
- int (*have_precompute_mult) (const EC_GROUP *group);
- /* internal functions */
- /*
- * 'field_mul', 'field_sqr', and 'field_div' can be used by 'add' and
- * 'dbl' so that the same implementations of point operations can be used
- * with different optimized implementations of expensive field
- * operations:
- */
- int (*field_mul) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
- int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
- int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
- /*-
- * 'field_inv' computes the multiplicative inverse of a in the field,
- * storing the result in r.
- *
- * If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
- */
- int (*field_inv) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
- /* e.g. to Montgomery */
- int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *);
- /* e.g. from Montgomery */
- int (*field_decode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *);
- int (*field_set_to_one) (const EC_GROUP *, BIGNUM *r, BN_CTX *);
- /* private key operations */
- size_t (*priv2oct)(const EC_KEY *eckey, unsigned char *buf, size_t len);
- int (*oct2priv)(EC_KEY *eckey, const unsigned char *buf, size_t len);
- int (*set_private)(EC_KEY *eckey, const BIGNUM *priv_key);
- int (*keygen)(EC_KEY *eckey);
- int (*keycheck)(const EC_KEY *eckey);
- int (*keygenpub)(EC_KEY *eckey);
- int (*keycopy)(EC_KEY *dst, const EC_KEY *src);
- void (*keyfinish)(EC_KEY *eckey);
- /* custom ECDH operation */
- int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,
- const EC_POINT *pub_key, const EC_KEY *ecdh);
- /* Inverse modulo order */
- int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r,
- const BIGNUM *x, BN_CTX *);
- int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
- int (*ladder_pre)(const EC_GROUP *group,
- EC_POINT *r, EC_POINT *s,
- EC_POINT *p, BN_CTX *ctx);
- int (*ladder_step)(const EC_GROUP *group,
- EC_POINT *r, EC_POINT *s,
- EC_POINT *p, BN_CTX *ctx);
- int (*ladder_post)(const EC_GROUP *group,
- EC_POINT *r, EC_POINT *s,
- EC_POINT *p, BN_CTX *ctx);
-};
-
-/*
- * Types and functions to manipulate pre-computed values.
- */
-typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP;
-typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP;
-typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP;
-typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP;
-typedef struct ec_pre_comp_st EC_PRE_COMP;
-
-struct ec_group_st {
- const EC_METHOD *meth;
- EC_POINT *generator; /* optional */
- BIGNUM *order, *cofactor;
- int curve_name; /* optional NID for named curve */
- int asn1_flag; /* flag to control the asn1 encoding */
+ * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdlib.h>
+
+#include <openssl/obj_mac.h>
+#include <openssl/ec.h>
+#include <openssl/bn.h>
+#include "internal/refcount.h"
+#include "crypto/ec.h"
+
+#if defined(__SUNPRO_C)
+# if __SUNPRO_C >= 0x520
+# pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE)
+# endif
+#endif
+
+/* Use default functions for poin2oct, oct2point and compressed coordinates */
+#define EC_FLAGS_DEFAULT_OCT 0x1
+
+/* Use custom formats for EC_GROUP, EC_POINT and EC_KEY */
+#define EC_FLAGS_CUSTOM_CURVE 0x2
+
+/* Curve does not support signing operations */
+#define EC_FLAGS_NO_SIGN 0x4
+
+/*
+ * Structure details are not part of the exported interface, so all this may
+ * change in future versions.
+ */
+
+struct ec_method_st {
+ /* Various method flags */
+ int flags;
+ /* used by EC_METHOD_get_field_type: */
+ int field_type; /* a NID */
+ /*
+ * used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free,
+ * EC_GROUP_copy:
+ */
+ int (*group_init) (EC_GROUP *);
+ void (*group_finish) (EC_GROUP *);
+ void (*group_clear_finish) (EC_GROUP *);
+ int (*group_copy) (EC_GROUP *, const EC_GROUP *);
+ /* used by EC_GROUP_set_curve, EC_GROUP_get_curve: */
+ int (*group_set_curve) (EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
+ const BIGNUM *b, BN_CTX *);
+ int (*group_get_curve) (const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b,
+ BN_CTX *);
+ /* used by EC_GROUP_get_degree: */
+ int (*group_get_degree) (const EC_GROUP *);
+ int (*group_order_bits) (const EC_GROUP *);
+ /* used by EC_GROUP_check: */
+ int (*group_check_discriminant) (const EC_GROUP *, BN_CTX *);
+ /*
+ * used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free,
+ * EC_POINT_copy:
+ */
+ int (*point_init) (EC_POINT *);
+ void (*point_finish) (EC_POINT *);
+ void (*point_clear_finish) (EC_POINT *);
+ int (*point_copy) (EC_POINT *, const EC_POINT *);
+ /*-
+ * used by EC_POINT_set_to_infinity,
+ * EC_POINT_set_Jprojective_coordinates_GFp,
+ * EC_POINT_get_Jprojective_coordinates_GFp,
+ * EC_POINT_set_affine_coordinates,
+ * EC_POINT_get_affine_coordinates,
+ * EC_POINT_set_compressed_coordinates:
+ */
+ int (*point_set_to_infinity) (const EC_GROUP *, EC_POINT *);
+ int (*point_set_Jprojective_coordinates_GFp) (const EC_GROUP *,
+ EC_POINT *, const BIGNUM *x,
+ const BIGNUM *y,
+ const BIGNUM *z, BN_CTX *);
+ int (*point_get_Jprojective_coordinates_GFp) (const EC_GROUP *,
+ const EC_POINT *, BIGNUM *x,
+ BIGNUM *y, BIGNUM *z,
+ BN_CTX *);
+ int (*point_set_affine_coordinates) (const EC_GROUP *, EC_POINT *,
+ const BIGNUM *x, const BIGNUM *y,
+ BN_CTX *);
+ int (*point_get_affine_coordinates) (const EC_GROUP *, const EC_POINT *,
+ BIGNUM *x, BIGNUM *y, BN_CTX *);
+ int (*point_set_compressed_coordinates) (const EC_GROUP *, EC_POINT *,
+ const BIGNUM *x, int y_bit,
+ BN_CTX *);
+ /* used by EC_POINT_point2oct, EC_POINT_oct2point: */
+ size_t (*point2oct) (const EC_GROUP *, const EC_POINT *,
+ point_conversion_form_t form, unsigned char *buf,
+ size_t len, BN_CTX *);
+ int (*oct2point) (const EC_GROUP *, EC_POINT *, const unsigned char *buf,
+ size_t len, BN_CTX *);
+ /* used by EC_POINT_add, EC_POINT_dbl, ECP_POINT_invert: */
+ int (*add) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
+ const EC_POINT *b, BN_CTX *);
+ int (*dbl) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
+ int (*invert) (const EC_GROUP *, EC_POINT *, BN_CTX *);
+ /*
+ * used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp:
+ */
+ int (*is_at_infinity) (const EC_GROUP *, const EC_POINT *);
+ int (*is_on_curve) (const EC_GROUP *, const EC_POINT *, BN_CTX *);
+ int (*point_cmp) (const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
+ BN_CTX *);
+ /* used by EC_POINT_make_affine, EC_POINTs_make_affine: */
+ int (*make_affine) (const EC_GROUP *, EC_POINT *, BN_CTX *);
+ int (*points_make_affine) (const EC_GROUP *, size_t num, EC_POINT *[],
+ BN_CTX *);
+ /*
+ * used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult,
+ * EC_POINT_have_precompute_mult (default implementations are used if the
+ * 'mul' pointer is 0):
+ */
+ /*-
+ * mul() calculates the value
+ *
+ * r := generator * scalar
+ * + points[0] * scalars[0]
+ * + ...
+ * + points[num-1] * scalars[num-1].
+ *
+ * For a fixed point multiplication (scalar != NULL, num == 0)
+ * or a variable point multiplication (scalar == NULL, num == 1),
+ * mul() must use a constant time algorithm: in both cases callers
+ * should provide an input scalar (either scalar or scalars[0])
+ * in the range [0, ec_group_order); for robustness, implementers
+ * should handle the case when the scalar has not been reduced, but
+ * may treat it as an unusual input, without any constant-timeness
+ * guarantee.
+ */
+ int (*mul) (const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+ size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
+ BN_CTX *);
+ int (*precompute_mult) (EC_GROUP *group, BN_CTX *);
+ int (*have_precompute_mult) (const EC_GROUP *group);
+ /* internal functions */
+ /*
+ * 'field_mul', 'field_sqr', and 'field_div' can be used by 'add' and
+ * 'dbl' so that the same implementations of point operations can be used
+ * with different optimized implementations of expensive field
+ * operations:
+ */
+ int (*field_mul) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ const BIGNUM *b, BN_CTX *);
+ int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+ int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ const BIGNUM *b, BN_CTX *);
+ /*-
+ * 'field_inv' computes the multiplicative inverse of a in the field,
+ * storing the result in r.
+ *
+ * If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
+ */
+ int (*field_inv) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+ /* e.g. to Montgomery */
+ int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *);
+ /* e.g. from Montgomery */
+ int (*field_decode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *);
+ int (*field_set_to_one) (const EC_GROUP *, BIGNUM *r, BN_CTX *);
+ /* private key operations */
+ size_t (*priv2oct)(const EC_KEY *eckey, unsigned char *buf, size_t len);
+ int (*oct2priv)(EC_KEY *eckey, const unsigned char *buf, size_t len);
+ int (*set_private)(EC_KEY *eckey, const BIGNUM *priv_key);
+ int (*keygen)(EC_KEY *eckey);
+ int (*keycheck)(const EC_KEY *eckey);
+ int (*keygenpub)(EC_KEY *eckey);
+ int (*keycopy)(EC_KEY *dst, const EC_KEY *src);
+ void (*keyfinish)(EC_KEY *eckey);
+ /* custom ECDH operation */
+ int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,
+ const EC_POINT *pub_key, const EC_KEY *ecdh);
+ /* Inverse modulo order */
+ int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r,
+ const BIGNUM *x, BN_CTX *);
+ int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
+ int (*ladder_pre)(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx);
+ int (*ladder_step)(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx);
+ int (*ladder_post)(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx);
+};
+
+/*
+ * Types and functions to manipulate pre-computed values.
+ */
+typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP;
+typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP;
+typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP;
+typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP;
+typedef struct ec_pre_comp_st EC_PRE_COMP;
+
+struct ec_group_st {
+ const EC_METHOD *meth;
+ EC_POINT *generator; /* optional */
+ BIGNUM *order, *cofactor;
+ int curve_name; /* optional NID for named curve */
+ int asn1_flag; /* flag to control the asn1 encoding */
int decoded_from_explicit_params; /* set if decoded from explicit
* curve parameters encoding */
- point_conversion_form_t asn1_form;
- unsigned char *seed; /* optional seed for parameters (appears in
- * ASN1) */
- size_t seed_len;
- /*
- * The following members are handled by the method functions, even if
- * they appear generic
- */
- /*
- * Field specification. For curves over GF(p), this is the modulus; for
- * curves over GF(2^m), this is the irreducible polynomial defining the
- * field.
- */
- BIGNUM *field;
- /*
- * Field specification for curves over GF(2^m). The irreducible f(t) is
- * then of the form: t^poly[0] + t^poly[1] + ... + t^poly[k] where m =
- * poly[0] > poly[1] > ... > poly[k] = 0. The array is terminated with
- * poly[k+1]=-1. All elliptic curve irreducibles have at most 5 non-zero
- * terms.
- */
- int poly[6];
- /*
- * Curve coefficients. (Here the assumption is that BIGNUMs can be used
- * or abused for all kinds of fields, not just GF(p).) For characteristic
- * > 3, the curve is defined by a Weierstrass equation of the form y^2 =
- * x^3 + a*x + b. For characteristic 2, the curve is defined by an
- * equation of the form y^2 + x*y = x^3 + a*x^2 + b.
- */
- BIGNUM *a, *b;
- /* enable optimized point arithmetics for special case */
- int a_is_minus3;
- /* method-specific (e.g., Montgomery structure) */
- void *field_data1;
- /* method-specific */
- void *field_data2;
- /* method-specific */
- int (*field_mod_func) (BIGNUM *, const BIGNUM *, const BIGNUM *,
- BN_CTX *);
- /* data for ECDSA inverse */
- BN_MONT_CTX *mont_data;
-
- /*
- * Precomputed values for speed. The PCT_xxx names match the
- * pre_comp.xxx union names; see the SETPRECOMP and HAVEPRECOMP
- * macros, below.
- */
- enum {
- PCT_none,
- PCT_nistp224, PCT_nistp256, PCT_nistp521, PCT_nistz256,
- PCT_ec
- } pre_comp_type;
- union {
- NISTP224_PRE_COMP *nistp224;
- NISTP256_PRE_COMP *nistp256;
- NISTP521_PRE_COMP *nistp521;
- NISTZ256_PRE_COMP *nistz256;
- EC_PRE_COMP *ec;
- } pre_comp;
-};
-
-#define SETPRECOMP(g, type, pre) \
- g->pre_comp_type = PCT_##type, g->pre_comp.type = pre
-#define HAVEPRECOMP(g, type) \
- g->pre_comp_type == PCT_##type && g->pre_comp.type != NULL
-
-struct ec_key_st {
- const EC_KEY_METHOD *meth;
- ENGINE *engine;
- int version;
- EC_GROUP *group;
- EC_POINT *pub_key;
- BIGNUM *priv_key;
- unsigned int enc_flag;
- point_conversion_form_t conv_form;
- CRYPTO_REF_COUNT references;
- int flags;
- CRYPTO_EX_DATA ex_data;
- CRYPTO_RWLOCK *lock;
-};
-
-struct ec_point_st {
- const EC_METHOD *meth;
- /* NID for the curve if known */
- int curve_name;
- /*
- * All members except 'meth' are handled by the method functions, even if
- * they appear generic
- */
- BIGNUM *X;
- BIGNUM *Y;
- BIGNUM *Z; /* Jacobian projective coordinates: * (X, Y,
- * Z) represents (X/Z^2, Y/Z^3) if Z != 0 */
- int Z_is_one; /* enable optimized point arithmetics for
- * special case */
-};
-
-static ossl_inline int ec_point_is_compat(const EC_POINT *point,
- const EC_GROUP *group)
-{
- if (group->meth != point->meth
- || (group->curve_name != 0
- && point->curve_name != 0
- && group->curve_name != point->curve_name))
- return 0;
-
- return 1;
-}
-
-NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *);
-NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *);
-NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *);
-NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *);
-NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *);
-EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_COMP *);
-
-void EC_pre_comp_free(EC_GROUP *group);
-void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *);
-void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *);
-void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *);
-void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *);
-void EC_ec_pre_comp_free(EC_PRE_COMP *);
-
-/*
- * method functions in ec_mult.c (ec_lib.c uses these as defaults if
- * group->method->mul is 0)
- */
-int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
- size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
- BN_CTX *);
-int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *);
-int ec_wNAF_have_precompute_mult(const EC_GROUP *group);
-
-/* method functions in ecp_smpl.c */
-int ec_GFp_simple_group_init(EC_GROUP *);
-void ec_GFp_simple_group_finish(EC_GROUP *);
-void ec_GFp_simple_group_clear_finish(EC_GROUP *);
-int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *);
-int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p,
- const BIGNUM *a, const BIGNUM *b, BN_CTX *);
-int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
- BIGNUM *b, BN_CTX *);
-int ec_GFp_simple_group_get_degree(const EC_GROUP *);
-int ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);
-int ec_GFp_simple_point_init(EC_POINT *);
-void ec_GFp_simple_point_finish(EC_POINT *);
-void ec_GFp_simple_point_clear_finish(EC_POINT *);
-int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *);
-int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
-int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *,
- EC_POINT *, const BIGNUM *x,
- const BIGNUM *y,
- const BIGNUM *z, BN_CTX *);
-int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *,
- const EC_POINT *, BIGNUM *x,
- BIGNUM *y, BIGNUM *z,
- BN_CTX *);
-int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
- const BIGNUM *x,
- const BIGNUM *y, BN_CTX *);
-int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *,
- const EC_POINT *, BIGNUM *x,
- BIGNUM *y, BN_CTX *);
-int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,
- const BIGNUM *x, int y_bit,
- BN_CTX *);
-size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *,
- point_conversion_form_t form,
- unsigned char *buf, size_t len, BN_CTX *);
-int ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *,
- const unsigned char *buf, size_t len, BN_CTX *);
-int ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
- const EC_POINT *b, BN_CTX *);
-int ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
- BN_CTX *);
-int ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
-int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
-int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
-int ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
- BN_CTX *);
-int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
-int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num,
- EC_POINT *[], BN_CTX *);
-int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
-int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *);
-int ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *);
-int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
- BN_CTX *ctx);
-int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
- EC_POINT *r, EC_POINT *s,
- EC_POINT *p, BN_CTX *ctx);
-int ec_GFp_simple_ladder_step(const EC_GROUP *group,
- EC_POINT *r, EC_POINT *s,
- EC_POINT *p, BN_CTX *ctx);
-int ec_GFp_simple_ladder_post(const EC_GROUP *group,
- EC_POINT *r, EC_POINT *s,
- EC_POINT *p, BN_CTX *ctx);
-
-/* method functions in ecp_mont.c */
-int ec_GFp_mont_group_init(EC_GROUP *);
-int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
-void ec_GFp_mont_group_finish(EC_GROUP *);
-void ec_GFp_mont_group_clear_finish(EC_GROUP *);
-int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *);
-int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
-int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *);
-int ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *);
-int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *);
-int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *);
-int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *);
-
-/* method functions in ecp_nist.c */
-int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);
-int ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
-int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
-int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *);
-
-/* method functions in ec2_smpl.c */
-int ec_GF2m_simple_group_init(EC_GROUP *);
-void ec_GF2m_simple_group_finish(EC_GROUP *);
-void ec_GF2m_simple_group_clear_finish(EC_GROUP *);
-int ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *);
-int ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p,
- const BIGNUM *a, const BIGNUM *b,
- BN_CTX *);
-int ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
- BIGNUM *b, BN_CTX *);
-int ec_GF2m_simple_group_get_degree(const EC_GROUP *);
-int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);
-int ec_GF2m_simple_point_init(EC_POINT *);
-void ec_GF2m_simple_point_finish(EC_POINT *);
-void ec_GF2m_simple_point_clear_finish(EC_POINT *);
-int ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *);
-int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
-int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
- const BIGNUM *x,
- const BIGNUM *y, BN_CTX *);
-int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *,
- const EC_POINT *, BIGNUM *x,
- BIGNUM *y, BN_CTX *);
-int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,
- const BIGNUM *x, int y_bit,
- BN_CTX *);
-size_t ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *,
- point_conversion_form_t form,
- unsigned char *buf, size_t len, BN_CTX *);
-int ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *,
- const unsigned char *buf, size_t len, BN_CTX *);
-int ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
- const EC_POINT *b, BN_CTX *);
-int ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
- BN_CTX *);
-int ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
-int ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
-int ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
-int ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
- BN_CTX *);
-int ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
-int ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num,
- EC_POINT *[], BN_CTX *);
-int ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
-int ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *);
-int ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
-
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-/* method functions in ecp_nistp224.c */
-int ec_GFp_nistp224_group_init(EC_GROUP *group);
-int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p,
- const BIGNUM *a, const BIGNUM *n,
- BN_CTX *);
-int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group,
- const EC_POINT *point,
- BIGNUM *x, BIGNUM *y,
- BN_CTX *ctx);
-int ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r,
- const BIGNUM *scalar, size_t num,
- const EC_POINT *points[], const BIGNUM *scalars[],
- BN_CTX *);
-int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
- const BIGNUM *scalar, size_t num,
- const EC_POINT *points[],
- const BIGNUM *scalars[], BN_CTX *ctx);
-int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
-int ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group);
-
-/* method functions in ecp_nistp256.c */
-int ec_GFp_nistp256_group_init(EC_GROUP *group);
-int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p,
- const BIGNUM *a, const BIGNUM *n,
- BN_CTX *);
-int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group,
- const EC_POINT *point,
- BIGNUM *x, BIGNUM *y,
- BN_CTX *ctx);
-int ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r,
- const BIGNUM *scalar, size_t num,
- const EC_POINT *points[], const BIGNUM *scalars[],
- BN_CTX *);
-int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
- const BIGNUM *scalar, size_t num,
- const EC_POINT *points[],
- const BIGNUM *scalars[], BN_CTX *ctx);
-int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
-int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group);
-
-/* method functions in ecp_nistp521.c */
-int ec_GFp_nistp521_group_init(EC_GROUP *group);
-int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p,
- const BIGNUM *a, const BIGNUM *n,
- BN_CTX *);
-int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group,
- const EC_POINT *point,
- BIGNUM *x, BIGNUM *y,
- BN_CTX *ctx);
-int ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r,
- const BIGNUM *scalar, size_t num,
- const EC_POINT *points[], const BIGNUM *scalars[],
- BN_CTX *);
-int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
- const BIGNUM *scalar, size_t num,
- const EC_POINT *points[],
- const BIGNUM *scalars[], BN_CTX *ctx);
-int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
-int ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group);
-
-/* utility functions in ecp_nistputil.c */
-void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
- size_t felem_size,
- void *tmp_felems,
- void (*felem_one) (void *out),
- int (*felem_is_zero) (const void
- *in),
- void (*felem_assign) (void *out,
- const void
- *in),
- void (*felem_square) (void *out,
- const void
- *in),
- void (*felem_mul) (void *out,
- const void
- *in1,
- const void
- *in2),
- void (*felem_inv) (void *out,
- const void
- *in),
- void (*felem_contract) (void
- *out,
- const
- void
- *in));
-void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign,
- unsigned char *digit, unsigned char in);
-#endif
-int ec_group_simple_order_bits(const EC_GROUP *group);
-
-#ifdef ECP_NISTZ256_ASM
-/** Returns GFp methods using montgomery multiplication, with x86-64 optimized
- * P256. See http://eprint.iacr.org/2013/816.
- * \return EC_METHOD object
- */
-const EC_METHOD *EC_GFp_nistz256_method(void);
-#endif
-
-size_t ec_key_simple_priv2oct(const EC_KEY *eckey,
- unsigned char *buf, size_t len);
-int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len);
-int ec_key_simple_generate_key(EC_KEY *eckey);
-int ec_key_simple_generate_public_key(EC_KEY *eckey);
-int ec_key_simple_check_key(const EC_KEY *eckey);
-
-int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx);
-
-/* EC_METHOD definitions */
-
-struct ec_key_method_st {
- const char *name;
- int32_t flags;
- int (*init)(EC_KEY *key);
- void (*finish)(EC_KEY *key);
- int (*copy)(EC_KEY *dest, const EC_KEY *src);
- int (*set_group)(EC_KEY *key, const EC_GROUP *grp);
- int (*set_private)(EC_KEY *key, const BIGNUM *priv_key);
- int (*set_public)(EC_KEY *key, const EC_POINT *pub_key);
- int (*keygen)(EC_KEY *key);
- int (*compute_key)(unsigned char **pout, size_t *poutlen,
- const EC_POINT *pub_key, const EC_KEY *ecdh);
- int (*sign)(int type, const unsigned char *dgst, int dlen, unsigned char
- *sig, unsigned int *siglen, const BIGNUM *kinv,
- const BIGNUM *r, EC_KEY *eckey);
- int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
- BIGNUM **rp);
- ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgst_len,
- const BIGNUM *in_kinv, const BIGNUM *in_r,
- EC_KEY *eckey);
-
- int (*verify)(int type, const unsigned char *dgst, int dgst_len,
- const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
- int (*verify_sig)(const unsigned char *dgst, int dgst_len,
- const ECDSA_SIG *sig, EC_KEY *eckey);
-};
-
-#define EC_KEY_METHOD_DYNAMIC 1
-
-int ossl_ec_key_gen(EC_KEY *eckey);
-int ossl_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
- const EC_POINT *pub_key, const EC_KEY *ecdh);
-int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
- const EC_POINT *pub_key, const EC_KEY *ecdh);
-
-struct ECDSA_SIG_st {
- BIGNUM *r;
- BIGNUM *s;
-};
-
-int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
- BIGNUM **rp);
-int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
- unsigned char *sig, unsigned int *siglen,
- const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey);
-ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
- const BIGNUM *in_kinv, const BIGNUM *in_r,
- EC_KEY *eckey);
-int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
- const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
-int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
- const ECDSA_SIG *sig, EC_KEY *eckey);
-
-int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
- const uint8_t public_key[32], const uint8_t private_key[32]);
-int ED25519_verify(const uint8_t *message, size_t message_len,
- const uint8_t signature[64], const uint8_t public_key[32]);
-void ED25519_public_from_private(uint8_t out_public_key[32],
- const uint8_t private_key[32]);
-
-int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
- const uint8_t peer_public_value[32]);
-void X25519_public_from_private(uint8_t out_public_value[32],
- const uint8_t private_key[32]);
-
-/*-
- * This functions computes a single point multiplication over the EC group,
- * using, at a high level, a Montgomery ladder with conditional swaps, with
- * various timing attack defenses.
- *
- * It performs either a fixed point multiplication
- * (scalar * generator)
- * when point is NULL, or a variable point multiplication
- * (scalar * point)
- * when point is not NULL.
- *
- * `scalar` cannot be NULL and should be in the range [0,n) otherwise all
- * constant time bets are off (where n is the cardinality of the EC group).
- *
- * This function expects `group->order` and `group->cardinality` to be well
- * defined and non-zero: it fails with an error code otherwise.
- *
- * NB: This says nothing about the constant-timeness of the ladder step
- * implementation (i.e., the default implementation is based on EC_POINT_add and
- * EC_POINT_dbl, which of course are not constant time themselves) or the
- * underlying multiprecision arithmetic.
- *
- * The product is stored in `r`.
- *
- * This is an internal function: callers are in charge of ensuring that the
- * input parameters `group`, `r`, `scalar` and `ctx` are not NULL.
- *
- * Returns 1 on success, 0 otherwise.
- */
-int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
- const BIGNUM *scalar, const EC_POINT *point,
- BN_CTX *ctx);
-
-int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
-
-static ossl_inline int ec_point_ladder_pre(const EC_GROUP *group,
- EC_POINT *r, EC_POINT *s,
- EC_POINT *p, BN_CTX *ctx)
-{
- if (group->meth->ladder_pre != NULL)
- return group->meth->ladder_pre(group, r, s, p, ctx);
-
- if (!EC_POINT_copy(s, p)
- || !EC_POINT_dbl(group, r, s, ctx))
- return 0;
-
- return 1;
-}
-
-static ossl_inline int ec_point_ladder_step(const EC_GROUP *group,
- EC_POINT *r, EC_POINT *s,
- EC_POINT *p, BN_CTX *ctx)
-{
- if (group->meth->ladder_step != NULL)
- return group->meth->ladder_step(group, r, s, p, ctx);
-
- if (!EC_POINT_add(group, s, r, s, ctx)
- || !EC_POINT_dbl(group, r, r, ctx))
- return 0;
-
- return 1;
-
-}
-
-static ossl_inline int ec_point_ladder_post(const EC_GROUP *group,
- EC_POINT *r, EC_POINT *s,
- EC_POINT *p, BN_CTX *ctx)
-{
- if (group->meth->ladder_post != NULL)
- return group->meth->ladder_post(group, r, s, p, ctx);
-
- return 1;
-}
+ point_conversion_form_t asn1_form;
+ unsigned char *seed; /* optional seed for parameters (appears in
+ * ASN1) */
+ size_t seed_len;
+ /*
+ * The following members are handled by the method functions, even if
+ * they appear generic
+ */
+ /*
+ * Field specification. For curves over GF(p), this is the modulus; for
+ * curves over GF(2^m), this is the irreducible polynomial defining the
+ * field.
+ */
+ BIGNUM *field;
+ /*
+ * Field specification for curves over GF(2^m). The irreducible f(t) is
+ * then of the form: t^poly[0] + t^poly[1] + ... + t^poly[k] where m =
+ * poly[0] > poly[1] > ... > poly[k] = 0. The array is terminated with
+ * poly[k+1]=-1. All elliptic curve irreducibles have at most 5 non-zero
+ * terms.
+ */
+ int poly[6];
+ /*
+ * Curve coefficients. (Here the assumption is that BIGNUMs can be used
+ * or abused for all kinds of fields, not just GF(p).) For characteristic
+ * > 3, the curve is defined by a Weierstrass equation of the form y^2 =
+ * x^3 + a*x + b. For characteristic 2, the curve is defined by an
+ * equation of the form y^2 + x*y = x^3 + a*x^2 + b.
+ */
+ BIGNUM *a, *b;
+ /* enable optimized point arithmetics for special case */
+ int a_is_minus3;
+ /* method-specific (e.g., Montgomery structure) */
+ void *field_data1;
+ /* method-specific */
+ void *field_data2;
+ /* method-specific */
+ int (*field_mod_func) (BIGNUM *, const BIGNUM *, const BIGNUM *,
+ BN_CTX *);
+ /* data for ECDSA inverse */
+ BN_MONT_CTX *mont_data;
+
+ /*
+ * Precomputed values for speed. The PCT_xxx names match the
+ * pre_comp.xxx union names; see the SETPRECOMP and HAVEPRECOMP
+ * macros, below.
+ */
+ enum {
+ PCT_none,
+ PCT_nistp224, PCT_nistp256, PCT_nistp521, PCT_nistz256,
+ PCT_ec
+ } pre_comp_type;
+ union {
+ NISTP224_PRE_COMP *nistp224;
+ NISTP256_PRE_COMP *nistp256;
+ NISTP521_PRE_COMP *nistp521;
+ NISTZ256_PRE_COMP *nistz256;
+ EC_PRE_COMP *ec;
+ } pre_comp;
+};
+
+#define SETPRECOMP(g, type, pre) \
+ g->pre_comp_type = PCT_##type, g->pre_comp.type = pre
+#define HAVEPRECOMP(g, type) \
+ g->pre_comp_type == PCT_##type && g->pre_comp.type != NULL
+
+struct ec_key_st {
+ const EC_KEY_METHOD *meth;
+ ENGINE *engine;
+ int version;
+ EC_GROUP *group;
+ EC_POINT *pub_key;
+ BIGNUM *priv_key;
+ unsigned int enc_flag;
+ point_conversion_form_t conv_form;
+ CRYPTO_REF_COUNT references;
+ int flags;
+ CRYPTO_EX_DATA ex_data;
+ CRYPTO_RWLOCK *lock;
+};
+
+struct ec_point_st {
+ const EC_METHOD *meth;
+ /* NID for the curve if known */
+ int curve_name;
+ /*
+ * All members except 'meth' are handled by the method functions, even if
+ * they appear generic
+ */
+ BIGNUM *X;
+ BIGNUM *Y;
+ BIGNUM *Z; /* Jacobian projective coordinates: * (X, Y,
+ * Z) represents (X/Z^2, Y/Z^3) if Z != 0 */
+ int Z_is_one; /* enable optimized point arithmetics for
+ * special case */
+};
+
+static ossl_inline int ec_point_is_compat(const EC_POINT *point,
+ const EC_GROUP *group)
+{
+ if (group->meth != point->meth
+ || (group->curve_name != 0
+ && point->curve_name != 0
+ && group->curve_name != point->curve_name))
+ return 0;
+
+ return 1;
+}
+
+NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *);
+NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *);
+NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *);
+NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *);
+NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *);
+EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_COMP *);
+
+void EC_pre_comp_free(EC_GROUP *group);
+void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *);
+void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *);
+void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *);
+void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *);
+void EC_ec_pre_comp_free(EC_PRE_COMP *);
+
+/*
+ * method functions in ec_mult.c (ec_lib.c uses these as defaults if
+ * group->method->mul is 0)
+ */
+int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+ size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
+ BN_CTX *);
+int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *);
+int ec_wNAF_have_precompute_mult(const EC_GROUP *group);
+
+/* method functions in ecp_smpl.c */
+int ec_GFp_simple_group_init(EC_GROUP *);
+void ec_GFp_simple_group_finish(EC_GROUP *);
+void ec_GFp_simple_group_clear_finish(EC_GROUP *);
+int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p,
+ const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
+ BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_group_get_degree(const EC_GROUP *);
+int ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);
+int ec_GFp_simple_point_init(EC_POINT *);
+void ec_GFp_simple_point_finish(EC_POINT *);
+void ec_GFp_simple_point_clear_finish(EC_POINT *);
+int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *);
+int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
+int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *,
+ EC_POINT *, const BIGNUM *x,
+ const BIGNUM *y,
+ const BIGNUM *z, BN_CTX *);
+int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *,
+ const EC_POINT *, BIGNUM *x,
+ BIGNUM *y, BIGNUM *z,
+ BN_CTX *);
+int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
+ const BIGNUM *x,
+ const BIGNUM *y, BN_CTX *);
+int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *,
+ const EC_POINT *, BIGNUM *x,
+ BIGNUM *y, BN_CTX *);
+int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,
+ const BIGNUM *x, int y_bit,
+ BN_CTX *);
+size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *,
+ point_conversion_form_t form,
+ unsigned char *buf, size_t len, BN_CTX *);
+int ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *,
+ const unsigned char *buf, size_t len, BN_CTX *);
+int ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
+ const EC_POINT *b, BN_CTX *);
+int ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
+ BN_CTX *);
+int ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
+int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+int ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
+ BN_CTX *);
+int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num,
+ EC_POINT *[], BN_CTX *);
+int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ const BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *);
+int ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *);
+int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
+ BN_CTX *ctx);
+int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx);
+int ec_GFp_simple_ladder_step(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx);
+int ec_GFp_simple_ladder_post(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx);
+
+/* method functions in ecp_mont.c */
+int ec_GFp_mont_group_init(EC_GROUP *);
+int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
+ const BIGNUM *b, BN_CTX *);
+void ec_GFp_mont_group_finish(EC_GROUP *);
+void ec_GFp_mont_group_clear_finish(EC_GROUP *);
+int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ const BIGNUM *b, BN_CTX *);
+int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *);
+int ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *);
+int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *);
+int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *);
+int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *);
+
+/* method functions in ecp_nist.c */
+int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);
+int ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
+ const BIGNUM *b, BN_CTX *);
+int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ const BIGNUM *b, BN_CTX *);
+int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *);
+
+/* method functions in ec2_smpl.c */
+int ec_GF2m_simple_group_init(EC_GROUP *);
+void ec_GF2m_simple_group_finish(EC_GROUP *);
+void ec_GF2m_simple_group_clear_finish(EC_GROUP *);
+int ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p,
+ const BIGNUM *a, const BIGNUM *b,
+ BN_CTX *);
+int ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
+ BIGNUM *b, BN_CTX *);
+int ec_GF2m_simple_group_get_degree(const EC_GROUP *);
+int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);
+int ec_GF2m_simple_point_init(EC_POINT *);
+void ec_GF2m_simple_point_finish(EC_POINT *);
+void ec_GF2m_simple_point_clear_finish(EC_POINT *);
+int ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *);
+int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
+int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
+ const BIGNUM *x,
+ const BIGNUM *y, BN_CTX *);
+int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *,
+ const EC_POINT *, BIGNUM *x,
+ BIGNUM *y, BN_CTX *);
+int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,
+ const BIGNUM *x, int y_bit,
+ BN_CTX *);
+size_t ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *,
+ point_conversion_form_t form,
+ unsigned char *buf, size_t len, BN_CTX *);
+int ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *,
+ const unsigned char *buf, size_t len, BN_CTX *);
+int ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
+ const EC_POINT *b, BN_CTX *);
+int ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
+ BN_CTX *);
+int ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
+int ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+int ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
+ BN_CTX *);
+int ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num,
+ EC_POINT *[], BN_CTX *);
+int ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ const BIGNUM *b, BN_CTX *);
+int ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *);
+int ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ const BIGNUM *b, BN_CTX *);
+
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+/* method functions in ecp_nistp224.c */
+int ec_GFp_nistp224_group_init(EC_GROUP *group);
+int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p,
+ const BIGNUM *a, const BIGNUM *n,
+ BN_CTX *);
+int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group,
+ const EC_POINT *point,
+ BIGNUM *x, BIGNUM *y,
+ BN_CTX *ctx);
+int ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r,
+ const BIGNUM *scalar, size_t num,
+ const EC_POINT *points[], const BIGNUM *scalars[],
+ BN_CTX *);
+int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
+ const BIGNUM *scalar, size_t num,
+ const EC_POINT *points[],
+ const BIGNUM *scalars[], BN_CTX *ctx);
+int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
+int ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group);
+
+/* method functions in ecp_nistp256.c */
+int ec_GFp_nistp256_group_init(EC_GROUP *group);
+int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p,
+ const BIGNUM *a, const BIGNUM *n,
+ BN_CTX *);
+int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group,
+ const EC_POINT *point,
+ BIGNUM *x, BIGNUM *y,
+ BN_CTX *ctx);
+int ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r,
+ const BIGNUM *scalar, size_t num,
+ const EC_POINT *points[], const BIGNUM *scalars[],
+ BN_CTX *);
+int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
+ const BIGNUM *scalar, size_t num,
+ const EC_POINT *points[],
+ const BIGNUM *scalars[], BN_CTX *ctx);
+int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
+int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group);
+
+/* method functions in ecp_nistp521.c */
+int ec_GFp_nistp521_group_init(EC_GROUP *group);
+int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p,
+ const BIGNUM *a, const BIGNUM *n,
+ BN_CTX *);
+int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group,
+ const EC_POINT *point,
+ BIGNUM *x, BIGNUM *y,
+ BN_CTX *ctx);
+int ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r,
+ const BIGNUM *scalar, size_t num,
+ const EC_POINT *points[], const BIGNUM *scalars[],
+ BN_CTX *);
+int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
+ const BIGNUM *scalar, size_t num,
+ const EC_POINT *points[],
+ const BIGNUM *scalars[], BN_CTX *ctx);
+int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
+int ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group);
+
+/* utility functions in ecp_nistputil.c */
+void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
+ size_t felem_size,
+ void *tmp_felems,
+ void (*felem_one) (void *out),
+ int (*felem_is_zero) (const void
+ *in),
+ void (*felem_assign) (void *out,
+ const void
+ *in),
+ void (*felem_square) (void *out,
+ const void
+ *in),
+ void (*felem_mul) (void *out,
+ const void
+ *in1,
+ const void
+ *in2),
+ void (*felem_inv) (void *out,
+ const void
+ *in),
+ void (*felem_contract) (void
+ *out,
+ const
+ void
+ *in));
+void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign,
+ unsigned char *digit, unsigned char in);
+#endif
+int ec_group_simple_order_bits(const EC_GROUP *group);
+
+#ifdef ECP_NISTZ256_ASM
+/** Returns GFp methods using montgomery multiplication, with x86-64 optimized
+ * P256. See http://eprint.iacr.org/2013/816.
+ * \return EC_METHOD object
+ */
+const EC_METHOD *EC_GFp_nistz256_method(void);
+#endif
+
+size_t ec_key_simple_priv2oct(const EC_KEY *eckey,
+ unsigned char *buf, size_t len);
+int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len);
+int ec_key_simple_generate_key(EC_KEY *eckey);
+int ec_key_simple_generate_public_key(EC_KEY *eckey);
+int ec_key_simple_check_key(const EC_KEY *eckey);
+
+int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx);
+
+/* EC_METHOD definitions */
+
+struct ec_key_method_st {
+ const char *name;
+ int32_t flags;
+ int (*init)(EC_KEY *key);
+ void (*finish)(EC_KEY *key);
+ int (*copy)(EC_KEY *dest, const EC_KEY *src);
+ int (*set_group)(EC_KEY *key, const EC_GROUP *grp);
+ int (*set_private)(EC_KEY *key, const BIGNUM *priv_key);
+ int (*set_public)(EC_KEY *key, const EC_POINT *pub_key);
+ int (*keygen)(EC_KEY *key);
+ int (*compute_key)(unsigned char **pout, size_t *poutlen,
+ const EC_POINT *pub_key, const EC_KEY *ecdh);
+ int (*sign)(int type, const unsigned char *dgst, int dlen, unsigned char
+ *sig, unsigned int *siglen, const BIGNUM *kinv,
+ const BIGNUM *r, EC_KEY *eckey);
+ int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+ BIGNUM **rp);
+ ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgst_len,
+ const BIGNUM *in_kinv, const BIGNUM *in_r,
+ EC_KEY *eckey);
+
+ int (*verify)(int type, const unsigned char *dgst, int dgst_len,
+ const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
+ int (*verify_sig)(const unsigned char *dgst, int dgst_len,
+ const ECDSA_SIG *sig, EC_KEY *eckey);
+};
+
+#define EC_KEY_METHOD_DYNAMIC 1
+
+int ossl_ec_key_gen(EC_KEY *eckey);
+int ossl_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
+ const EC_POINT *pub_key, const EC_KEY *ecdh);
+int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
+ const EC_POINT *pub_key, const EC_KEY *ecdh);
+
+struct ECDSA_SIG_st {
+ BIGNUM *r;
+ BIGNUM *s;
+};
+
+int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+ BIGNUM **rp);
+int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
+ unsigned char *sig, unsigned int *siglen,
+ const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey);
+ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+ const BIGNUM *in_kinv, const BIGNUM *in_r,
+ EC_KEY *eckey);
+int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
+ const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
+int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
+ const ECDSA_SIG *sig, EC_KEY *eckey);
+
+int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
+ const uint8_t public_key[32], const uint8_t private_key[32]);
+int ED25519_verify(const uint8_t *message, size_t message_len,
+ const uint8_t signature[64], const uint8_t public_key[32]);
+void ED25519_public_from_private(uint8_t out_public_key[32],
+ const uint8_t private_key[32]);
+
+int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
+ const uint8_t peer_public_value[32]);
+void X25519_public_from_private(uint8_t out_public_value[32],
+ const uint8_t private_key[32]);
+
+/*-
+ * This functions computes a single point multiplication over the EC group,
+ * using, at a high level, a Montgomery ladder with conditional swaps, with
+ * various timing attack defenses.
+ *
+ * It performs either a fixed point multiplication
+ * (scalar * generator)
+ * when point is NULL, or a variable point multiplication
+ * (scalar * point)
+ * when point is not NULL.
+ *
+ * `scalar` cannot be NULL and should be in the range [0,n) otherwise all
+ * constant time bets are off (where n is the cardinality of the EC group).
+ *
+ * This function expects `group->order` and `group->cardinality` to be well
+ * defined and non-zero: it fails with an error code otherwise.
+ *
+ * NB: This says nothing about the constant-timeness of the ladder step
+ * implementation (i.e., the default implementation is based on EC_POINT_add and
+ * EC_POINT_dbl, which of course are not constant time themselves) or the
+ * underlying multiprecision arithmetic.
+ *
+ * The product is stored in `r`.
+ *
+ * This is an internal function: callers are in charge of ensuring that the
+ * input parameters `group`, `r`, `scalar` and `ctx` are not NULL.
+ *
+ * Returns 1 on success, 0 otherwise.
+ */
+int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
+ const BIGNUM *scalar, const EC_POINT *point,
+ BN_CTX *ctx);
+
+int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
+
+static ossl_inline int ec_point_ladder_pre(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx)
+{
+ if (group->meth->ladder_pre != NULL)
+ return group->meth->ladder_pre(group, r, s, p, ctx);
+
+ if (!EC_POINT_copy(s, p)
+ || !EC_POINT_dbl(group, r, s, ctx))
+ return 0;
+
+ return 1;
+}
+
+static ossl_inline int ec_point_ladder_step(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx)
+{
+ if (group->meth->ladder_step != NULL)
+ return group->meth->ladder_step(group, r, s, p, ctx);
+
+ if (!EC_POINT_add(group, s, r, s, ctx)
+ || !EC_POINT_dbl(group, r, r, ctx))
+ return 0;
+
+ return 1;
+
+}
+
+static ossl_inline int ec_point_ladder_post(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx)
+{
+ if (group->meth->ladder_post != NULL)
+ return group->meth->ladder_post(group, r, s, p, ctx);
+
+ return 1;
+}
diff --git a/contrib/libs/openssl/crypto/ec/ec_mult.c b/contrib/libs/openssl/crypto/ec/ec_mult.c
index f4d7bca383..9a1e3974ed 100644
--- a/contrib/libs/openssl/crypto/ec/ec_mult.c
+++ b/contrib/libs/openssl/crypto/ec/ec_mult.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -12,8 +12,8 @@
#include <openssl/err.h>
#include "internal/cryptlib.h"
-#include "crypto/bn.h"
-#include "ec_local.h"
+#include "crypto/bn.h"
+#include "ec_local.h"
#include "internal/refcount.h"
/*
@@ -260,10 +260,10 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
goto err;
}
- /* ensure input point is in affine coords for ladder step efficiency */
- if (!p->Z_is_one && !EC_POINT_make_affine(group, p, ctx)) {
- ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_EC_LIB);
- goto err;
+ /* ensure input point is in affine coords for ladder step efficiency */
+ if (!p->Z_is_one && !EC_POINT_make_affine(group, p, ctx)) {
+ ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_EC_LIB);
+ goto err;
}
/* Initialize the Montgomery ladder */
@@ -740,20 +740,20 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
if (r_is_at_infinity) {
if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))
goto err;
-
- /*-
- * Apply coordinate blinding for EC_POINT.
- *
- * The underlying EC_METHOD can optionally implement this function:
- * ec_point_blind_coordinates() returns 0 in case of errors or 1 on
- * success or if coordinate blinding is not implemented for this
- * group.
- */
- if (!ec_point_blind_coordinates(group, r, ctx)) {
- ECerr(EC_F_EC_WNAF_MUL, EC_R_POINT_COORDINATES_BLIND_FAILURE);
- goto err;
- }
-
+
+ /*-
+ * Apply coordinate blinding for EC_POINT.
+ *
+ * The underlying EC_METHOD can optionally implement this function:
+ * ec_point_blind_coordinates() returns 0 in case of errors or 1 on
+ * success or if coordinate blinding is not implemented for this
+ * group.
+ */
+ if (!ec_point_blind_coordinates(group, r, ctx)) {
+ ECerr(EC_F_EC_WNAF_MUL, EC_R_POINT_COORDINATES_BLIND_FAILURE);
+ goto err;
+ }
+
r_is_at_infinity = 0;
} else {
if (!EC_POINT_add
diff --git a/contrib/libs/openssl/crypto/ec/ec_oct.c b/contrib/libs/openssl/crypto/ec/ec_oct.c
index 145886ad6b..7ddc86b047 100644
--- a/contrib/libs/openssl/crypto/ec/ec_oct.c
+++ b/contrib/libs/openssl/crypto/ec/ec_oct.c
@@ -13,7 +13,7 @@
#include <openssl/err.h>
#include <openssl/opensslv.h>
-#include "ec_local.h"
+#include "ec_local.h"
int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
const BIGNUM *x, int y_bit, BN_CTX *ctx)
diff --git a/contrib/libs/openssl/crypto/ec/ec_pmeth.c b/contrib/libs/openssl/crypto/ec/ec_pmeth.c
index 01aa12123b..64d2cc93a6 100644
--- a/contrib/libs/openssl/crypto/ec/ec_pmeth.c
+++ b/contrib/libs/openssl/crypto/ec/ec_pmeth.c
@@ -12,9 +12,9 @@
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include <openssl/ec.h>
-#include "ec_local.h"
+#include "ec_local.h"
#include <openssl/evp.h>
-#include "crypto/evp.h"
+#include "crypto/evp.h"
/* EC pkey context structure */
diff --git a/contrib/libs/openssl/crypto/ec/ec_print.c b/contrib/libs/openssl/crypto/ec/ec_print.c
index 0eeded3799..660fc400fb 100644
--- a/contrib/libs/openssl/crypto/ec/ec_print.c
+++ b/contrib/libs/openssl/crypto/ec/ec_print.c
@@ -9,7 +9,7 @@
#include <openssl/crypto.h>
#include <openssl/err.h>
-#include "ec_local.h"
+#include "ec_local.h"
BIGNUM *EC_POINT_point2bn(const EC_GROUP *group,
const EC_POINT *point,
@@ -39,13 +39,13 @@ EC_POINT *EC_POINT_bn2point(const EC_GROUP *group,
EC_POINT *ret;
if ((buf_len = BN_num_bytes(bn)) == 0)
- buf_len = 1;
+ buf_len = 1;
if ((buf = OPENSSL_malloc(buf_len)) == NULL) {
ECerr(EC_F_EC_POINT_BN2POINT, ERR_R_MALLOC_FAILURE);
return NULL;
}
- if (!BN_bn2binpad(bn, buf, buf_len)) {
+ if (!BN_bn2binpad(bn, buf, buf_len)) {
OPENSSL_free(buf);
return NULL;
}
diff --git a/contrib/libs/openssl/crypto/ec/ecdh_kdf.c b/contrib/libs/openssl/crypto/ec/ecdh_kdf.c
index bb55ec0fb8..96efac62f6 100644
--- a/contrib/libs/openssl/crypto/ec/ecdh_kdf.c
+++ b/contrib/libs/openssl/crypto/ec/ecdh_kdf.c
@@ -10,7 +10,7 @@
#include <string.h>
#include <openssl/ec.h>
#include <openssl/evp.h>
-#include "ec_local.h"
+#include "ec_local.h"
/* Key derivation function from X9.63/SECG */
/* Way more than we will ever need */
diff --git a/contrib/libs/openssl/crypto/ec/ecdh_ossl.c b/contrib/libs/openssl/crypto/ec/ecdh_ossl.c
index adc1675421..0be00d43da 100644
--- a/contrib/libs/openssl/crypto/ec/ecdh_ossl.c
+++ b/contrib/libs/openssl/crypto/ec/ecdh_ossl.c
@@ -17,7 +17,7 @@
#include <openssl/bn.h>
#include <openssl/objects.h>
#include <openssl/ec.h>
-#include "ec_local.h"
+#include "ec_local.h"
int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
const EC_POINT *pub_key, const EC_KEY *ecdh)
diff --git a/contrib/libs/openssl/crypto/ec/ecdsa_ossl.c b/contrib/libs/openssl/crypto/ec/ecdsa_ossl.c
index b87cb122ee..1da87bfb5e 100644
--- a/contrib/libs/openssl/crypto/ec/ecdsa_ossl.c
+++ b/contrib/libs/openssl/crypto/ec/ecdsa_ossl.c
@@ -11,8 +11,8 @@
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/rand.h>
-#include "crypto/bn.h"
-#include "ec_local.h"
+#include "crypto/bn.h"
+#include "ec_local.h"
int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
unsigned char *sig, unsigned int *siglen,
@@ -309,7 +309,7 @@ int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
goto err;
ret = ECDSA_do_verify(dgst, dgst_len, s, eckey);
err:
- OPENSSL_free(der);
+ OPENSSL_free(der);
ECDSA_SIG_free(s);
return ret;
}
diff --git a/contrib/libs/openssl/crypto/ec/ecdsa_sign.c b/contrib/libs/openssl/crypto/ec/ecdsa_sign.c
index b42b9f7324..dc79c8c8e3 100644
--- a/contrib/libs/openssl/crypto/ec/ecdsa_sign.c
+++ b/contrib/libs/openssl/crypto/ec/ecdsa_sign.c
@@ -8,7 +8,7 @@
*/
#include <openssl/ec.h>
-#include "ec_local.h"
+#include "ec_local.h"
#include <openssl/err.h>
ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey)
diff --git a/contrib/libs/openssl/crypto/ec/ecdsa_vrf.c b/contrib/libs/openssl/crypto/ec/ecdsa_vrf.c
index e76caa836a..ff597bdc14 100644
--- a/contrib/libs/openssl/crypto/ec/ecdsa_vrf.c
+++ b/contrib/libs/openssl/crypto/ec/ecdsa_vrf.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,7 +8,7 @@
*/
#include <openssl/ec.h>
-#include "ec_local.h"
+#include "ec_local.h"
#include <openssl/err.h>
/*-
@@ -23,7 +23,7 @@ int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
if (eckey->meth->verify_sig != NULL)
return eckey->meth->verify_sig(dgst, dgst_len, sig, eckey);
ECerr(EC_F_ECDSA_DO_VERIFY, EC_R_OPERATION_NOT_SUPPORTED);
- return -1;
+ return -1;
}
/*-
@@ -39,5 +39,5 @@ int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len,
return eckey->meth->verify(type, dgst, dgst_len, sigbuf, sig_len,
eckey);
ECerr(EC_F_ECDSA_VERIFY, EC_R_OPERATION_NOT_SUPPORTED);
- return -1;
+ return -1;
}
diff --git a/contrib/libs/openssl/crypto/ec/ecp_mont.c b/contrib/libs/openssl/crypto/ec/ecp_mont.c
index 4a345e4c44..bdc39d5efb 100644
--- a/contrib/libs/openssl/crypto/ec/ecp_mont.c
+++ b/contrib/libs/openssl/crypto/ec/ecp_mont.c
@@ -10,7 +10,7 @@
#include <openssl/err.h>
-#include "ec_local.h"
+#include "ec_local.h"
const EC_METHOD *EC_GFp_mont_method(void)
{
diff --git a/contrib/libs/openssl/crypto/ec/ecp_nist.c b/contrib/libs/openssl/crypto/ec/ecp_nist.c
index 59a5e45e81..9fd01279a8 100644
--- a/contrib/libs/openssl/crypto/ec/ecp_nist.c
+++ b/contrib/libs/openssl/crypto/ec/ecp_nist.c
@@ -12,7 +12,7 @@
#include <openssl/err.h>
#include <openssl/obj_mac.h>
-#include "ec_local.h"
+#include "ec_local.h"
const EC_METHOD *EC_GFp_nist_method(void)
{
diff --git a/contrib/libs/openssl/crypto/ec/ecp_nistp224.c b/contrib/libs/openssl/crypto/ec/ecp_nistp224.c
index 578f616da6..6f7d66c8be 100644
--- a/contrib/libs/openssl/crypto/ec/ecp_nistp224.c
+++ b/contrib/libs/openssl/crypto/ec/ecp_nistp224.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -38,7 +38,7 @@ NON_EMPTY_TRANSLATION_UNIT
# include <stdint.h>
# include <string.h>
# include <openssl/err.h>
-# include "ec_local.h"
+# include "ec_local.h"
# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
/* even with gcc, the typedef won't work for 32-bit platforms */
@@ -908,7 +908,7 @@ static void point_add(felem x3, felem y3, felem z3,
felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, x_out, y_out, z_out;
widefelem tmp, tmp2;
limb z1_is_zero, z2_is_zero, x_equal, y_equal;
- limb points_equal;
+ limb points_equal;
if (!mixed) {
/* ftmp2 = z2^2 */
@@ -965,41 +965,41 @@ static void point_add(felem x3, felem y3, felem z3,
felem_reduce(ftmp, tmp);
/*
- * The formulae are incorrect if the points are equal, in affine coordinates
- * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
- * happens.
- *
- * We use bitwise operations to avoid potential side-channels introduced by
- * the short-circuiting behaviour of boolean operators.
+ * The formulae are incorrect if the points are equal, in affine coordinates
+ * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
+ * happens.
+ *
+ * We use bitwise operations to avoid potential side-channels introduced by
+ * the short-circuiting behaviour of boolean operators.
*/
x_equal = felem_is_zero(ftmp);
y_equal = felem_is_zero(ftmp3);
- /*
- * The special case of either point being the point at infinity (z1 and/or
- * z2 are zero), is handled separately later on in this function, so we
- * avoid jumping to point_double here in those special cases.
- */
+ /*
+ * The special case of either point being the point at infinity (z1 and/or
+ * z2 are zero), is handled separately later on in this function, so we
+ * avoid jumping to point_double here in those special cases.
+ */
z1_is_zero = felem_is_zero(z1);
z2_is_zero = felem_is_zero(z2);
-
- /*
- * Compared to `ecp_nistp256.c` and `ecp_nistp521.c`, in this
- * specific implementation `felem_is_zero()` returns truth as `0x1`
- * (rather than `0xff..ff`).
- *
- * This implies that `~true` in this implementation becomes
- * `0xff..fe` (rather than `0x0`): for this reason, to be used in
- * the if expression, we mask out only the last bit in the next
- * line.
- */
- points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero)) & 1;
-
- if (points_equal) {
- /*
- * This is obviously not constant-time but, as mentioned before, this
- * case never happens during single point multiplication, so there is no
- * timing leak for ECDH or ECDSA signing.
- */
+
+ /*
+ * Compared to `ecp_nistp256.c` and `ecp_nistp521.c`, in this
+ * specific implementation `felem_is_zero()` returns truth as `0x1`
+ * (rather than `0xff..ff`).
+ *
+ * This implies that `~true` in this implementation becomes
+ * `0xff..fe` (rather than `0x0`): for this reason, to be used in
+ * the if expression, we mask out only the last bit in the next
+ * line.
+ */
+ points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero)) & 1;
+
+ if (points_equal) {
+ /*
+ * This is obviously not constant-time but, as mentioned before, this
+ * case never happens during single point multiplication, so there is no
+ * timing leak for ECDH or ECDSA signing.
+ */
point_double(x3, y3, z3, x1, y1, z1);
return;
}
diff --git a/contrib/libs/openssl/crypto/ec/ecp_nistp256.c b/contrib/libs/openssl/crypto/ec/ecp_nistp256.c
index cf89a085ec..e23e9d2a0b 100644
--- a/contrib/libs/openssl/crypto/ec/ecp_nistp256.c
+++ b/contrib/libs/openssl/crypto/ec/ecp_nistp256.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -39,7 +39,7 @@ NON_EMPTY_TRANSLATION_UNIT
# include <stdint.h>
# include <string.h>
# include <openssl/err.h>
-# include "ec_local.h"
+# include "ec_local.h"
# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
/* even with gcc, the typedef won't work for 32-bit platforms */
@@ -74,8 +74,8 @@ static const felem_bytearray nistp256_curve_params[5] = {
{0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, /* a = -3 */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc},
- {0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, /* b */
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc},
+ {0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, /* b */
0xb3, 0xeb, 0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc,
0x65, 0x1d, 0x06, 0xb0, 0xcc, 0x53, 0xb0, 0xf6,
0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b},
@@ -1241,7 +1241,7 @@ static void point_add(felem x3, felem y3, felem z3,
longfelem tmp, tmp2;
smallfelem small1, small2, small3, small4, small5;
limb x_equal, y_equal, z1_is_zero, z2_is_zero;
- limb points_equal;
+ limb points_equal;
felem_shrink(small3, z1);
@@ -1341,26 +1341,26 @@ static void point_add(felem x3, felem y3, felem z3,
felem_shrink(small1, ftmp5);
y_equal = smallfelem_is_zero(small1);
- /*
- * The formulae are incorrect if the points are equal, in affine coordinates
- * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
- * happens.
- *
- * We use bitwise operations to avoid potential side-channels introduced by
- * the short-circuiting behaviour of boolean operators.
- *
- * The special case of either point being the point at infinity (z1 and/or
- * z2 are zero), is handled separately later on in this function, so we
- * avoid jumping to point_double here in those special cases.
- */
- points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero));
-
- if (points_equal) {
- /*
- * This is obviously not constant-time but, as mentioned before, this
- * case never happens during single point multiplication, so there is no
- * timing leak for ECDH or ECDSA signing.
- */
+ /*
+ * The formulae are incorrect if the points are equal, in affine coordinates
+ * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
+ * happens.
+ *
+ * We use bitwise operations to avoid potential side-channels introduced by
+ * the short-circuiting behaviour of boolean operators.
+ *
+ * The special case of either point being the point at infinity (z1 and/or
+ * z2 are zero), is handled separately later on in this function, so we
+ * avoid jumping to point_double here in those special cases.
+ */
+ points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero));
+
+ if (points_equal) {
+ /*
+ * This is obviously not constant-time but, as mentioned before, this
+ * case never happens during single point multiplication, so there is no
+ * timing leak for ECDH or ECDSA signing.
+ */
point_double(x3, y3, z3, x1, y1, z1);
return;
}
diff --git a/contrib/libs/openssl/crypto/ec/ecp_nistp521.c b/contrib/libs/openssl/crypto/ec/ecp_nistp521.c
index 38cfcfe3f3..08b3278729 100644
--- a/contrib/libs/openssl/crypto/ec/ecp_nistp521.c
+++ b/contrib/libs/openssl/crypto/ec/ecp_nistp521.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -38,7 +38,7 @@ NON_EMPTY_TRANSLATION_UNIT
# include <string.h>
# include <openssl/err.h>
-# include "ec_local.h"
+# include "ec_local.h"
# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
/* even with gcc, the typedef won't work for 32-bit platforms */
@@ -1159,7 +1159,7 @@ static void point_add(felem x3, felem y3, felem z3,
felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out;
largefelem tmp, tmp2;
limb x_equal, y_equal, z1_is_zero, z2_is_zero;
- limb points_equal;
+ limb points_equal;
z1_is_zero = felem_is_zero(z1);
z2_is_zero = felem_is_zero(z2);
@@ -1244,24 +1244,24 @@ static void point_add(felem x3, felem y3, felem z3,
felem_scalar64(ftmp5, 2);
/* ftmp5[i] < 2^61 */
- /*
- * The formulae are incorrect if the points are equal, in affine coordinates
- * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
- * happens.
- *
- * We use bitwise operations to avoid potential side-channels introduced by
- * the short-circuiting behaviour of boolean operators.
- *
- * The special case of either point being the point at infinity (z1 and/or
- * z2 are zero), is handled separately later on in this function, so we
- * avoid jumping to point_double here in those special cases.
- *
- * Notice the comment below on the implications of this branching for timing
- * leaks and why it is considered practically irrelevant.
- */
- points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero));
-
- if (points_equal) {
+ /*
+ * The formulae are incorrect if the points are equal, in affine coordinates
+ * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
+ * happens.
+ *
+ * We use bitwise operations to avoid potential side-channels introduced by
+ * the short-circuiting behaviour of boolean operators.
+ *
+ * The special case of either point being the point at infinity (z1 and/or
+ * z2 are zero), is handled separately later on in this function, so we
+ * avoid jumping to point_double here in those special cases.
+ *
+ * Notice the comment below on the implications of this branching for timing
+ * leaks and why it is considered practically irrelevant.
+ */
+ points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero));
+
+ if (points_equal) {
/*
* This is obviously not constant-time but it will almost-never happen
* for ECDH / ECDSA. The case where it can happen is during scalar-mult
diff --git a/contrib/libs/openssl/crypto/ec/ecp_nistputil.c b/contrib/libs/openssl/crypto/ec/ecp_nistputil.c
index 4171c35f5c..60e1325c34 100644
--- a/contrib/libs/openssl/crypto/ec/ecp_nistputil.c
+++ b/contrib/libs/openssl/crypto/ec/ecp_nistputil.c
@@ -33,7 +33,7 @@ NON_EMPTY_TRANSLATION_UNIT
*/
# include <stddef.h>
-# include "ec_local.h"
+# include "ec_local.h"
/*
* Convert an array of points into affine coordinates. (If the point at
diff --git a/contrib/libs/openssl/crypto/ec/ecp_nistz256.c b/contrib/libs/openssl/crypto/ec/ecp_nistz256.c
index 46a015bff1..4c4839cc13 100644
--- a/contrib/libs/openssl/crypto/ec/ecp_nistz256.c
+++ b/contrib/libs/openssl/crypto/ec/ecp_nistz256.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2014, Intel Corporation. All Rights Reserved.
* Copyright (c) 2015, CloudFlare, Inc.
*
@@ -21,8 +21,8 @@
#include <string.h>
#include "internal/cryptlib.h"
-#include "crypto/bn.h"
-#include "ec_local.h"
+#include "crypto/bn.h"
+#include "ec_local.h"
#include "internal/refcount.h"
#include "sanitizers.h"
@@ -359,47 +359,47 @@ static void ecp_nistz256_point_add(P256_POINT *r,
ecp_nistz256_sub(H, U2, U1); /* H = U2 - U1 */
/*
- * The formulae are incorrect if the points are equal so we check for
- * this and do doubling if this happens.
- *
- * Points here are in Jacobian projective coordinates (Xi, Yi, Zi)
- * that are bound to the affine coordinates (xi, yi) by the following
- * equations:
- * - xi = Xi / (Zi)^2
- * - y1 = Yi / (Zi)^3
- *
- * For the sake of optimization, the algorithm operates over
- * intermediate variables U1, U2 and S1, S2 that are derived from
- * the projective coordinates:
- * - U1 = X1 * (Z2)^2 ; U2 = X2 * (Z1)^2
- * - S1 = Y1 * (Z2)^3 ; S2 = Y2 * (Z1)^3
- *
- * It is easy to prove that is_equal(U1, U2) implies that the affine
- * x-coordinates are equal, or either point is at infinity.
- * Likewise is_equal(S1, S2) implies that the affine y-coordinates are
- * equal, or either point is at infinity.
- *
- * The special case of either point being the point at infinity (Z1 or Z2
- * is zero), is handled separately later on in this function, so we avoid
- * jumping to point_double here in those special cases.
- *
- * When both points are inverse of each other, we know that the affine
- * x-coordinates are equal, and the y-coordinates have different sign.
- * Therefore since U1 = U2, we know H = 0, and therefore Z3 = H*Z1*Z2
- * will equal 0, thus the result is infinity, if we simply let this
- * function continue normally.
- *
- * We use bitwise operations to avoid potential side-channels introduced by
- * the short-circuiting behaviour of boolean operators.
+ * The formulae are incorrect if the points are equal so we check for
+ * this and do doubling if this happens.
+ *
+ * Points here are in Jacobian projective coordinates (Xi, Yi, Zi)
+ * that are bound to the affine coordinates (xi, yi) by the following
+ * equations:
+ * - xi = Xi / (Zi)^2
+ * - y1 = Yi / (Zi)^3
+ *
+ * For the sake of optimization, the algorithm operates over
+ * intermediate variables U1, U2 and S1, S2 that are derived from
+ * the projective coordinates:
+ * - U1 = X1 * (Z2)^2 ; U2 = X2 * (Z1)^2
+ * - S1 = Y1 * (Z2)^3 ; S2 = Y2 * (Z1)^3
+ *
+ * It is easy to prove that is_equal(U1, U2) implies that the affine
+ * x-coordinates are equal, or either point is at infinity.
+ * Likewise is_equal(S1, S2) implies that the affine y-coordinates are
+ * equal, or either point is at infinity.
+ *
+ * The special case of either point being the point at infinity (Z1 or Z2
+ * is zero), is handled separately later on in this function, so we avoid
+ * jumping to point_double here in those special cases.
+ *
+ * When both points are inverse of each other, we know that the affine
+ * x-coordinates are equal, and the y-coordinates have different sign.
+ * Therefore since U1 = U2, we know H = 0, and therefore Z3 = H*Z1*Z2
+ * will equal 0, thus the result is infinity, if we simply let this
+ * function continue normally.
+ *
+ * We use bitwise operations to avoid potential side-channels introduced by
+ * the short-circuiting behaviour of boolean operators.
*/
- if (is_equal(U1, U2) & ~in1infty & ~in2infty & is_equal(S1, S2)) {
- /*
- * This is obviously not constant-time but it should never happen during
- * single point multiplication, so there is no timing leak for ECDH or
- * ECDSA signing.
- */
- ecp_nistz256_point_double(r, a);
- return;
+ if (is_equal(U1, U2) & ~in1infty & ~in2infty & is_equal(S1, S2)) {
+ /*
+ * This is obviously not constant-time but it should never happen during
+ * single point multiplication, so there is no timing leak for ECDH or
+ * ECDSA signing.
+ */
+ ecp_nistz256_point_double(r, a);
+ return;
}
ecp_nistz256_sqr_mont(Rsqr, R); /* R^2 */
diff --git a/contrib/libs/openssl/crypto/ec/ecp_oct.c b/contrib/libs/openssl/crypto/ec/ecp_oct.c
index b4c61a1ed2..9460763256 100644
--- a/contrib/libs/openssl/crypto/ec/ecp_oct.c
+++ b/contrib/libs/openssl/crypto/ec/ecp_oct.c
@@ -11,7 +11,7 @@
#include <openssl/err.h>
#include <openssl/symhacks.h>
-#include "ec_local.h"
+#include "ec_local.h"
int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
EC_POINT *point,
diff --git a/contrib/libs/openssl/crypto/ec/ecp_smpl.c b/contrib/libs/openssl/crypto/ec/ecp_smpl.c
index 6eba0ee39b..b3110ec89d 100644
--- a/contrib/libs/openssl/crypto/ec/ecp_smpl.c
+++ b/contrib/libs/openssl/crypto/ec/ecp_smpl.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -11,7 +11,7 @@
#include <openssl/err.h>
#include <openssl/symhacks.h>
-#include "ec_local.h"
+#include "ec_local.h"
const EC_METHOD *EC_GFp_simple_method(void)
{
@@ -1372,7 +1372,7 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
* Computes the multiplicative inverse of a in GF(p), storing the result in r.
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
* Since we don't have a Mont structure here, SCA hardening is with blinding.
- * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.)
+ * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.)
*/
int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx)
@@ -1432,108 +1432,108 @@ int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
temp = BN_CTX_get(ctx);
if (temp == NULL) {
ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE);
- goto end;
+ goto end;
}
- /*-
- * Make sure lambda is not zero.
- * If the RNG fails, we cannot blind but nevertheless want
- * code to continue smoothly and not clobber the error stack.
- */
+ /*-
+ * Make sure lambda is not zero.
+ * If the RNG fails, we cannot blind but nevertheless want
+ * code to continue smoothly and not clobber the error stack.
+ */
do {
- ERR_set_mark();
- ret = BN_priv_rand_range(lambda, group->field);
- ERR_pop_to_mark();
- if (ret == 0) {
- ret = 1;
- goto end;
+ ERR_set_mark();
+ ret = BN_priv_rand_range(lambda, group->field);
+ ERR_pop_to_mark();
+ if (ret == 0) {
+ ret = 1;
+ goto end;
}
} while (BN_is_zero(lambda));
/* if field_encode defined convert between representations */
- if ((group->meth->field_encode != NULL
- && !group->meth->field_encode(group, lambda, lambda, ctx))
- || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx)
- || !group->meth->field_sqr(group, temp, lambda, ctx)
- || !group->meth->field_mul(group, p->X, p->X, temp, ctx)
- || !group->meth->field_mul(group, temp, temp, lambda, ctx)
- || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
- goto end;
-
+ if ((group->meth->field_encode != NULL
+ && !group->meth->field_encode(group, lambda, lambda, ctx))
+ || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx)
+ || !group->meth->field_sqr(group, temp, lambda, ctx)
+ || !group->meth->field_mul(group, p->X, p->X, temp, ctx)
+ || !group->meth->field_mul(group, temp, temp, lambda, ctx)
+ || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
+ goto end;
+
p->Z_is_one = 0;
ret = 1;
- end:
+ end:
BN_CTX_end(ctx);
return ret;
}
/*-
- * Input:
- * - p: affine coordinates
+ * Input:
+ * - p: affine coordinates
+ *
+ * Output:
+ * - s := p, r := 2p: blinded projective (homogeneous) coordinates
*
- * Output:
- * - s := p, r := 2p: blinded projective (homogeneous) coordinates
- *
* For doubling we use Formula 3 from Izu-Takagi "A fast parallel elliptic curve
- * multiplication resistant against side channel attacks" appendix, described at
+ * multiplication resistant against side channel attacks" appendix, described at
* https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
- * simplified for Z1=1.
+ * simplified for Z1=1.
*
- * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z)
- * for any non-zero \lambda that holds for projective (homogeneous) coords.
+ * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z)
+ * for any non-zero \lambda that holds for projective (homogeneous) coords.
*/
int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
EC_POINT *r, EC_POINT *s,
EC_POINT *p, BN_CTX *ctx)
{
- BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL;
+ BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL;
- t1 = s->Z;
- t2 = r->Z;
+ t1 = s->Z;
+ t2 = r->Z;
t3 = s->X;
t4 = r->X;
t5 = s->Y;
- if (!p->Z_is_one /* r := 2p */
- || !group->meth->field_sqr(group, t3, p->X, ctx)
- || !BN_mod_sub_quick(t4, t3, group->a, group->field)
- || !group->meth->field_sqr(group, t4, t4, ctx)
- || !group->meth->field_mul(group, t5, p->X, group->b, ctx)
- || !BN_mod_lshift_quick(t5, t5, 3, group->field)
+ if (!p->Z_is_one /* r := 2p */
+ || !group->meth->field_sqr(group, t3, p->X, ctx)
+ || !BN_mod_sub_quick(t4, t3, group->a, group->field)
+ || !group->meth->field_sqr(group, t4, t4, ctx)
+ || !group->meth->field_mul(group, t5, p->X, group->b, ctx)
+ || !BN_mod_lshift_quick(t5, t5, 3, group->field)
/* r->X coord output */
- || !BN_mod_sub_quick(r->X, t4, t5, group->field)
- || !BN_mod_add_quick(t1, t3, group->a, group->field)
- || !group->meth->field_mul(group, t2, p->X, t1, ctx)
- || !BN_mod_add_quick(t2, group->b, t2, group->field)
+ || !BN_mod_sub_quick(r->X, t4, t5, group->field)
+ || !BN_mod_add_quick(t1, t3, group->a, group->field)
+ || !group->meth->field_mul(group, t2, p->X, t1, ctx)
+ || !BN_mod_add_quick(t2, group->b, t2, group->field)
/* r->Z coord output */
- || !BN_mod_lshift_quick(r->Z, t2, 2, group->field))
+ || !BN_mod_lshift_quick(r->Z, t2, 2, group->field))
+ return 0;
+
+ /* make sure lambda (r->Y here for storage) is not zero */
+ do {
+ if (!BN_priv_rand_range(r->Y, group->field))
+ return 0;
+ } while (BN_is_zero(r->Y));
+
+ /* make sure lambda (s->Z here for storage) is not zero */
+ do {
+ if (!BN_priv_rand_range(s->Z, group->field))
+ return 0;
+ } while (BN_is_zero(s->Z));
+
+ /* if field_encode defined convert between representations */
+ if (group->meth->field_encode != NULL
+ && (!group->meth->field_encode(group, r->Y, r->Y, ctx)
+ || !group->meth->field_encode(group, s->Z, s->Z, ctx)))
+ return 0;
+
+ /* blind r and s independently */
+ if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
+ || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx)
+ || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */
return 0;
- /* make sure lambda (r->Y here for storage) is not zero */
- do {
- if (!BN_priv_rand_range(r->Y, group->field))
- return 0;
- } while (BN_is_zero(r->Y));
-
- /* make sure lambda (s->Z here for storage) is not zero */
- do {
- if (!BN_priv_rand_range(s->Z, group->field))
- return 0;
- } while (BN_is_zero(s->Z));
-
- /* if field_encode defined convert between representations */
- if (group->meth->field_encode != NULL
- && (!group->meth->field_encode(group, r->Y, r->Y, ctx)
- || !group->meth->field_encode(group, s->Z, s->Z, ctx)))
- return 0;
-
- /* blind r and s independently */
- if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
- || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx)
- || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */
- return 0;
-
r->Z_is_one = 0;
s->Z_is_one = 0;
@@ -1541,24 +1541,24 @@ int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
}
/*-
- * Input:
- * - s, r: projective (homogeneous) coordinates
- * - p: affine coordinates
- *
- * Output:
- * - s := r + s, r := 2r: projective (homogeneous) coordinates
- *
- * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
+ * Input:
+ * - s, r: projective (homogeneous) coordinates
+ * - p: affine coordinates
+ *
+ * Output:
+ * - s := r + s, r := 2r: projective (homogeneous) coordinates
+ *
+ * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
* "A fast parallel elliptic curve multiplication resistant against side channel
* attacks", as described at
- * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4
+ * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4
*/
int ec_GFp_simple_ladder_step(const EC_GROUP *group,
EC_POINT *r, EC_POINT *s,
EC_POINT *p, BN_CTX *ctx)
{
int ret = 0;
- BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
+ BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
BN_CTX_start(ctx);
t0 = BN_CTX_get(ctx);
@@ -1569,46 +1569,46 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group,
t5 = BN_CTX_get(ctx);
t6 = BN_CTX_get(ctx);
- if (t6 == NULL
- || !group->meth->field_mul(group, t6, r->X, s->X, ctx)
- || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
- || !group->meth->field_mul(group, t4, r->X, s->Z, ctx)
+ if (t6 == NULL
+ || !group->meth->field_mul(group, t6, r->X, s->X, ctx)
+ || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
+ || !group->meth->field_mul(group, t4, r->X, s->Z, ctx)
|| !group->meth->field_mul(group, t3, r->Z, s->X, ctx)
- || !group->meth->field_mul(group, t5, group->a, t0, ctx)
- || !BN_mod_add_quick(t5, t6, t5, group->field)
- || !BN_mod_add_quick(t6, t3, t4, group->field)
- || !group->meth->field_mul(group, t5, t6, t5, ctx)
- || !group->meth->field_sqr(group, t0, t0, ctx)
- || !BN_mod_lshift_quick(t2, group->b, 2, group->field)
- || !group->meth->field_mul(group, t0, t2, t0, ctx)
- || !BN_mod_lshift1_quick(t5, t5, group->field)
- || !BN_mod_sub_quick(t3, t4, t3, group->field)
- /* s->Z coord output */
- || !group->meth->field_sqr(group, s->Z, t3, ctx)
- || !group->meth->field_mul(group, t4, s->Z, p->X, ctx)
- || !BN_mod_add_quick(t0, t0, t5, group->field)
- /* s->X coord output */
- || !BN_mod_sub_quick(s->X, t0, t4, group->field)
- || !group->meth->field_sqr(group, t4, r->X, ctx)
- || !group->meth->field_sqr(group, t5, r->Z, ctx)
- || !group->meth->field_mul(group, t6, t5, group->a, ctx)
- || !BN_mod_add_quick(t1, r->X, r->Z, group->field)
+ || !group->meth->field_mul(group, t5, group->a, t0, ctx)
+ || !BN_mod_add_quick(t5, t6, t5, group->field)
+ || !BN_mod_add_quick(t6, t3, t4, group->field)
+ || !group->meth->field_mul(group, t5, t6, t5, ctx)
+ || !group->meth->field_sqr(group, t0, t0, ctx)
+ || !BN_mod_lshift_quick(t2, group->b, 2, group->field)
+ || !group->meth->field_mul(group, t0, t2, t0, ctx)
+ || !BN_mod_lshift1_quick(t5, t5, group->field)
+ || !BN_mod_sub_quick(t3, t4, t3, group->field)
+ /* s->Z coord output */
+ || !group->meth->field_sqr(group, s->Z, t3, ctx)
+ || !group->meth->field_mul(group, t4, s->Z, p->X, ctx)
+ || !BN_mod_add_quick(t0, t0, t5, group->field)
+ /* s->X coord output */
+ || !BN_mod_sub_quick(s->X, t0, t4, group->field)
+ || !group->meth->field_sqr(group, t4, r->X, ctx)
+ || !group->meth->field_sqr(group, t5, r->Z, ctx)
+ || !group->meth->field_mul(group, t6, t5, group->a, ctx)
+ || !BN_mod_add_quick(t1, r->X, r->Z, group->field)
|| !group->meth->field_sqr(group, t1, t1, ctx)
- || !BN_mod_sub_quick(t1, t1, t4, group->field)
- || !BN_mod_sub_quick(t1, t1, t5, group->field)
- || !BN_mod_sub_quick(t3, t4, t6, group->field)
- || !group->meth->field_sqr(group, t3, t3, ctx)
- || !group->meth->field_mul(group, t0, t5, t1, ctx)
- || !group->meth->field_mul(group, t0, t2, t0, ctx)
+ || !BN_mod_sub_quick(t1, t1, t4, group->field)
+ || !BN_mod_sub_quick(t1, t1, t5, group->field)
+ || !BN_mod_sub_quick(t3, t4, t6, group->field)
+ || !group->meth->field_sqr(group, t3, t3, ctx)
+ || !group->meth->field_mul(group, t0, t5, t1, ctx)
+ || !group->meth->field_mul(group, t0, t2, t0, ctx)
/* r->X coord output */
- || !BN_mod_sub_quick(r->X, t3, t0, group->field)
- || !BN_mod_add_quick(t3, t4, t6, group->field)
- || !group->meth->field_sqr(group, t4, t5, ctx)
- || !group->meth->field_mul(group, t4, t4, t2, ctx)
- || !group->meth->field_mul(group, t1, t1, t3, ctx)
- || !BN_mod_lshift1_quick(t1, t1, group->field)
+ || !BN_mod_sub_quick(r->X, t3, t0, group->field)
+ || !BN_mod_add_quick(t3, t4, t6, group->field)
+ || !group->meth->field_sqr(group, t4, t5, ctx)
+ || !group->meth->field_mul(group, t4, t4, t2, ctx)
+ || !group->meth->field_mul(group, t1, t1, t3, ctx)
+ || !BN_mod_lshift1_quick(t1, t1, group->field)
/* r->Z coord output */
- || !BN_mod_add_quick(r->Z, t4, t1, group->field))
+ || !BN_mod_add_quick(r->Z, t4, t1, group->field))
goto err;
ret = 1;
@@ -1619,21 +1619,21 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group,
}
/*-
- * Input:
- * - s, r: projective (homogeneous) coordinates
- * - p: affine coordinates
- *
- * Output:
- * - r := (x,y): affine coordinates
- *
+ * Input:
+ * - s, r: projective (homogeneous) coordinates
+ * - p: affine coordinates
+ *
+ * Output:
+ * - r := (x,y): affine coordinates
+ *
* Recovers the y-coordinate of r using Eq. (8) from Brier-Joye, "Weierstrass
- * Elliptic Curves and Side-Channel Attacks", modified to work in mixed
- * projective coords, i.e. p is affine and (r,s) in projective (homogeneous)
- * coords, and return r in affine coordinates.
+ * Elliptic Curves and Side-Channel Attacks", modified to work in mixed
+ * projective coords, i.e. p is affine and (r,s) in projective (homogeneous)
+ * coords, and return r in affine coordinates.
*
- * X4 = two*Y1*X2*Z3*Z2;
- * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2);
- * Z4 = two*Y1*Z3*SQR(Z2);
+ * X4 = two*Y1*X2*Z3*Z2;
+ * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2);
+ * Z4 = two*Y1*Z3*SQR(Z2);
*
* Z4 != 0 because:
* - Z2==0 implies r is at infinity (handled by the BN_is_zero(r->Z) branch);
@@ -1652,7 +1652,7 @@ int ec_GFp_simple_ladder_post(const EC_GROUP *group,
return EC_POINT_set_to_infinity(group, r);
if (BN_is_zero(s->Z)) {
- if (!EC_POINT_copy(r, p)
+ if (!EC_POINT_copy(r, p)
|| !EC_POINT_invert(group, r, ctx))
return 0;
return 1;
@@ -1668,46 +1668,46 @@ int ec_GFp_simple_ladder_post(const EC_GROUP *group,
t6 = BN_CTX_get(ctx);
if (t6 == NULL
- || !BN_mod_lshift1_quick(t4, p->Y, group->field)
- || !group->meth->field_mul(group, t6, r->X, t4, ctx)
- || !group->meth->field_mul(group, t6, s->Z, t6, ctx)
- || !group->meth->field_mul(group, t5, r->Z, t6, ctx)
- || !BN_mod_lshift1_quick(t1, group->b, group->field)
- || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
+ || !BN_mod_lshift1_quick(t4, p->Y, group->field)
+ || !group->meth->field_mul(group, t6, r->X, t4, ctx)
+ || !group->meth->field_mul(group, t6, s->Z, t6, ctx)
+ || !group->meth->field_mul(group, t5, r->Z, t6, ctx)
+ || !BN_mod_lshift1_quick(t1, group->b, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
|| !group->meth->field_sqr(group, t3, r->Z, ctx)
- || !group->meth->field_mul(group, t2, t3, t1, ctx)
- || !group->meth->field_mul(group, t6, r->Z, group->a, ctx)
- || !group->meth->field_mul(group, t1, p->X, r->X, ctx)
- || !BN_mod_add_quick(t1, t1, t6, group->field)
- || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
- || !group->meth->field_mul(group, t0, p->X, r->Z, ctx)
- || !BN_mod_add_quick(t6, r->X, t0, group->field)
- || !group->meth->field_mul(group, t6, t6, t1, ctx)
- || !BN_mod_add_quick(t6, t6, t2, group->field)
- || !BN_mod_sub_quick(t0, t0, r->X, group->field)
- || !group->meth->field_sqr(group, t0, t0, ctx)
- || !group->meth->field_mul(group, t0, t0, s->X, ctx)
- || !BN_mod_sub_quick(t0, t6, t0, group->field)
- || !group->meth->field_mul(group, t1, s->Z, t4, ctx)
- || !group->meth->field_mul(group, t1, t3, t1, ctx)
- || (group->meth->field_decode != NULL
- && !group->meth->field_decode(group, t1, t1, ctx))
- || !group->meth->field_inv(group, t1, t1, ctx)
- || (group->meth->field_encode != NULL
- && !group->meth->field_encode(group, t1, t1, ctx))
- || !group->meth->field_mul(group, r->X, t5, t1, ctx)
- || !group->meth->field_mul(group, r->Y, t0, t1, ctx))
+ || !group->meth->field_mul(group, t2, t3, t1, ctx)
+ || !group->meth->field_mul(group, t6, r->Z, group->a, ctx)
+ || !group->meth->field_mul(group, t1, p->X, r->X, ctx)
+ || !BN_mod_add_quick(t1, t1, t6, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
+ || !group->meth->field_mul(group, t0, p->X, r->Z, ctx)
+ || !BN_mod_add_quick(t6, r->X, t0, group->field)
+ || !group->meth->field_mul(group, t6, t6, t1, ctx)
+ || !BN_mod_add_quick(t6, t6, t2, group->field)
+ || !BN_mod_sub_quick(t0, t0, r->X, group->field)
+ || !group->meth->field_sqr(group, t0, t0, ctx)
+ || !group->meth->field_mul(group, t0, t0, s->X, ctx)
+ || !BN_mod_sub_quick(t0, t6, t0, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t4, ctx)
+ || !group->meth->field_mul(group, t1, t3, t1, ctx)
+ || (group->meth->field_decode != NULL
+ && !group->meth->field_decode(group, t1, t1, ctx))
+ || !group->meth->field_inv(group, t1, t1, ctx)
+ || (group->meth->field_encode != NULL
+ && !group->meth->field_encode(group, t1, t1, ctx))
+ || !group->meth->field_mul(group, r->X, t5, t1, ctx)
+ || !group->meth->field_mul(group, r->Y, t0, t1, ctx))
goto err;
- if (group->meth->field_set_to_one != NULL) {
- if (!group->meth->field_set_to_one(group, r->Z, ctx))
- goto err;
- } else {
- if (!BN_one(r->Z))
- goto err;
- }
-
- r->Z_is_one = 1;
+ if (group->meth->field_set_to_one != NULL) {
+ if (!group->meth->field_set_to_one(group, r->Z, ctx))
+ goto err;
+ } else {
+ if (!BN_one(r->Z))
+ goto err;
+ }
+
+ r->Z_is_one = 1;
ret = 1;
err:
diff --git a/contrib/libs/openssl/crypto/ec/ecx_meth.c b/contrib/libs/openssl/crypto/ec/ecx_meth.c
index e554d68923..9dc5259e4a 100644
--- a/contrib/libs/openssl/crypto/ec/ecx_meth.c
+++ b/contrib/libs/openssl/crypto/ec/ecx_meth.c
@@ -12,10 +12,10 @@
#include <openssl/x509.h>
#include <openssl/ec.h>
#include <openssl/rand.h>
-#include "crypto/asn1.h"
-#include "crypto/evp.h"
-#include "ec_local.h"
-#include "curve448/curve448_local.h"
+#include "crypto/asn1.h"
+#include "crypto/evp.h"
+#include "ec_local.h"
+#include "curve448/curve448_local.h"
#define X25519_BITS 253
#define X25519_SECURITY_BITS 128
@@ -191,7 +191,7 @@ static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
}
rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, KEY_OP_PRIVATE);
- ASN1_STRING_clear_free(oct);
+ ASN1_STRING_clear_free(oct);
return rv;
}