Don't store a redundant copy of the order in EC_GROUP
BN_MONT_CTX already has the modulus, so just use it. This is one less value to initialize statically. Bug: 20 Change-Id: I78f73994ab595b795e99d67851bdff3b73fc3dd6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60926 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
4e88a3557f
commit
6f13380d27
@ -55,7 +55,8 @@ EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, const uint8_t *secret,
|
||||
}
|
||||
|
||||
uint8_t derived[EC_KEY_DERIVE_EXTRA_BYTES + EC_MAX_BYTES];
|
||||
size_t derived_len = BN_num_bytes(&group->order) + EC_KEY_DERIVE_EXTRA_BYTES;
|
||||
size_t derived_len =
|
||||
BN_num_bytes(EC_GROUP_get0_order(group)) + EC_KEY_DERIVE_EXTRA_BYTES;
|
||||
assert(derived_len <= sizeof(derived));
|
||||
if (!HKDF(derived, derived_len, EVP_sha256(), secret, secret_len,
|
||||
/*salt=*/NULL, /*salt_len=*/0, (const uint8_t *)info,
|
||||
@ -74,10 +75,10 @@ EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, const uint8_t *secret,
|
||||
// enough. 2^(num_bytes(order)) < 2^8 * order, so:
|
||||
//
|
||||
// priv < 2^8 * order * 2^128 < order * order < order * R
|
||||
!BN_from_montgomery(priv, priv, group->order_mont, ctx) ||
|
||||
!BN_from_montgomery(priv, priv, group->order, ctx) ||
|
||||
// Multiply by R^2 and do another Montgomery reduction to compute
|
||||
// priv * R^-1 * R^2 * R^-1 = priv mod order.
|
||||
!BN_to_montgomery(priv, priv, group->order_mont, ctx) ||
|
||||
!BN_to_montgomery(priv, priv, group->order, ctx) ||
|
||||
!EC_POINT_mul(group, pub, priv, NULL, NULL, ctx) ||
|
||||
!EC_KEY_set_group(key, group) || !EC_KEY_set_public_key(key, pub) ||
|
||||
!EC_KEY_set_private_key(key, priv)) {
|
||||
|
@ -197,15 +197,16 @@ static int hash_to_field2(const EC_GROUP *group, const EVP_MD *md,
|
||||
static int hash_to_scalar(const EC_GROUP *group, const EVP_MD *md,
|
||||
EC_SCALAR *out, const uint8_t *dst, size_t dst_len,
|
||||
unsigned k, const uint8_t *msg, size_t msg_len) {
|
||||
const BIGNUM *order = EC_GROUP_get0_order(group);
|
||||
size_t L;
|
||||
uint8_t buf[EC_MAX_BYTES * 2];
|
||||
if (!num_bytes_to_derive(&L, &group->order, k) ||
|
||||
if (!num_bytes_to_derive(&L, order, k) ||
|
||||
!expand_message_xmd(md, buf, L, msg, msg_len, dst, dst_len)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
BN_ULONG words[2 * EC_MAX_WORDS];
|
||||
size_t num_words = 2 * group->order.width;
|
||||
size_t num_words = 2 * order->width;
|
||||
big_endian_to_words(words, num_words, buf, L);
|
||||
ec_scalar_reduce(group, out, words, num_words);
|
||||
return 1;
|
||||
|
@ -215,7 +215,7 @@ static int ec_bits(const EVP_PKEY *pkey) {
|
||||
ERR_clear_error();
|
||||
return 0;
|
||||
}
|
||||
return BN_num_bits(EC_GROUP_get0_order(group));
|
||||
return EC_GROUP_order_bits(group);
|
||||
}
|
||||
|
||||
static int ec_missing_parameters(const EVP_PKEY *pkey) {
|
||||
|
@ -291,7 +291,6 @@ EC_GROUP *ec_group_new(const EC_METHOD *meth) {
|
||||
|
||||
ret->references = 1;
|
||||
ret->meth = meth;
|
||||
BN_init(&ret->order);
|
||||
|
||||
if (!meth->group_init(ret)) {
|
||||
OPENSSL_free(ret);
|
||||
@ -305,15 +304,9 @@ static int ec_group_set_generator(EC_GROUP *group, const EC_AFFINE *generator,
|
||||
const BIGNUM *order) {
|
||||
assert(group->generator == NULL);
|
||||
|
||||
if (!BN_copy(&group->order, order)) {
|
||||
return 0;
|
||||
}
|
||||
// Store the order in minimal form, so it can be used with |BN_ULONG| arrays.
|
||||
bn_set_minimal_width(&group->order);
|
||||
|
||||
BN_MONT_CTX_free(group->order_mont);
|
||||
group->order_mont = BN_MONT_CTX_new_for_modulus(&group->order, NULL);
|
||||
if (group->order_mont == NULL) {
|
||||
BN_MONT_CTX_free(group->order);
|
||||
group->order = BN_MONT_CTX_new_for_modulus(order, NULL);
|
||||
if (group->order == NULL) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -562,8 +555,7 @@ void EC_GROUP_free(EC_GROUP *group) {
|
||||
}
|
||||
|
||||
ec_point_free(group->generator, 0 /* don't free group */);
|
||||
BN_free(&group->order);
|
||||
BN_MONT_CTX_free(group->order_mont);
|
||||
BN_MONT_CTX_free(group->order);
|
||||
|
||||
OPENSSL_free(group);
|
||||
}
|
||||
@ -602,7 +594,7 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ignored) {
|
||||
return a->meth != b->meth ||
|
||||
a->generator == NULL ||
|
||||
b->generator == NULL ||
|
||||
BN_cmp(&a->order, &b->order) != 0 ||
|
||||
BN_cmp(&a->order->N, &b->order->N) != 0 ||
|
||||
BN_cmp(&a->field, &b->field) != 0 ||
|
||||
!ec_felem_equal(a, &a->a, &b->a) ||
|
||||
!ec_felem_equal(a, &a->b, &b->b) ||
|
||||
@ -614,8 +606,8 @@ const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) {
|
||||
}
|
||||
|
||||
const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group) {
|
||||
assert(!BN_is_zero(&group->order));
|
||||
return &group->order;
|
||||
assert(group->order != NULL);
|
||||
return &group->order->N;
|
||||
}
|
||||
|
||||
int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) {
|
||||
@ -626,7 +618,7 @@ int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) {
|
||||
}
|
||||
|
||||
int EC_GROUP_order_bits(const EC_GROUP *group) {
|
||||
return BN_num_bits(&group->order);
|
||||
return BN_num_bits(&group->order->N);
|
||||
}
|
||||
|
||||
int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor,
|
||||
@ -931,11 +923,10 @@ static int arbitrary_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
|
||||
ERR_clear_error();
|
||||
|
||||
// This is an unusual input, so we do not guarantee constant-time processing.
|
||||
const BIGNUM *order = &group->order;
|
||||
BN_CTX_start(ctx);
|
||||
BIGNUM *tmp = BN_CTX_get(ctx);
|
||||
int ok = tmp != NULL &&
|
||||
BN_nnmod(tmp, in, order, ctx) &&
|
||||
BN_nnmod(tmp, in, EC_GROUP_get0_order(group), ctx) &&
|
||||
ec_bignum_to_scalar(group, out, tmp);
|
||||
BN_CTX_end(ctx);
|
||||
return ok;
|
||||
@ -1193,7 +1184,7 @@ int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
|
||||
//
|
||||
// Additionally, one can manually check this property for built-in curves. It
|
||||
// is enforced for legacy custom curves in |EC_GROUP_set_generator|.
|
||||
const BIGNUM *order = &group->order;
|
||||
const BIGNUM *order = EC_GROUP_get0_order(group);
|
||||
BN_ULONG words[EC_MAX_WORDS + 1] = {0};
|
||||
bn_big_endian_to_words(words, order->width + 1, bytes, len);
|
||||
bn_reduce_once(out->words, words, /*carry=*/words[order->width], order->d,
|
||||
|
@ -93,8 +93,8 @@ static EC_WRAPPED_SCALAR *ec_wrapped_scalar_new(const EC_GROUP *group) {
|
||||
|
||||
OPENSSL_memset(wrapped, 0, sizeof(EC_WRAPPED_SCALAR));
|
||||
wrapped->bignum.d = wrapped->scalar.words;
|
||||
wrapped->bignum.width = group->order.width;
|
||||
wrapped->bignum.dmax = group->order.width;
|
||||
wrapped->bignum.width = group->order->N.width;
|
||||
wrapped->bignum.dmax = group->order->N.width;
|
||||
wrapped->bignum.flags = BN_FLG_STATIC_DATA;
|
||||
return wrapped;
|
||||
}
|
||||
@ -485,7 +485,7 @@ int EC_KEY_generate_key(EC_KEY *key) {
|
||||
}
|
||||
|
||||
// Check that the group order is FIPS compliant (FIPS 186-4 B.4.2).
|
||||
if (BN_num_bits(EC_GROUP_get0_order(key->group)) < 160) {
|
||||
if (EC_GROUP_order_bits(key->group) < 160) {
|
||||
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
|
||||
return 0;
|
||||
}
|
||||
|
@ -457,7 +457,7 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
|
||||
const EC_JACOBIAN *p,
|
||||
const EC_SCALAR *r) {
|
||||
if (!group->field_greater_than_order ||
|
||||
group->field.width != group->order.width) {
|
||||
group->field.width != group->order->N.width) {
|
||||
// Do not bother optimizing this case. p > order in all commonly-used
|
||||
// curves.
|
||||
return ec_GFp_simple_cmp_x_coordinate(group, p, r);
|
||||
@ -488,7 +488,7 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
|
||||
if (bn_less_than_words(r->words, group->field_minus_order.words,
|
||||
group->field.width)) {
|
||||
// We can ignore the carry because: r + group_order < p < 2^256.
|
||||
bn_add_words(r_Z2.words, r->words, group->order.d, group->field.width);
|
||||
bn_add_words(r_Z2.words, r->words, group->order->N.d, group->field.width);
|
||||
ec_GFp_mont_felem_mul(group, &r_Z2, &r_Z2, &Z2_mont);
|
||||
if (ec_felem_equal(group, &r_Z2, &X)) {
|
||||
return 1;
|
||||
|
@ -595,11 +595,10 @@ struct ec_group_st {
|
||||
// to avoid a reference cycle. Additionally, Z is guaranteed to be one, so X
|
||||
// and Y are suitable for use as an |EC_AFFINE|.
|
||||
EC_POINT *generator;
|
||||
BIGNUM order;
|
||||
|
||||
int curve_name; // optional NID for named curve
|
||||
|
||||
BN_MONT_CTX *order_mont; // data for ECDSA inverse
|
||||
BN_MONT_CTX *order;
|
||||
|
||||
// The following members are handled by the method functions,
|
||||
// even if they appear generic
|
||||
|
@ -563,8 +563,8 @@ static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,
|
||||
}
|
||||
#endif
|
||||
|
||||
assert(group->order.width == P256_LIMBS);
|
||||
if (!beeu_mod_inverse_vartime(out->words, in->words, group->order.d)) {
|
||||
assert(group->order->N.width == P256_LIMBS);
|
||||
if (!beeu_mod_inverse_vartime(out->words, in->words, group->order->N.d)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -580,7 +580,7 @@ static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
|
||||
return 0;
|
||||
}
|
||||
|
||||
assert(group->order.width == P256_LIMBS);
|
||||
assert(group->order->N.width == P256_LIMBS);
|
||||
assert(group->field.width == P256_LIMBS);
|
||||
|
||||
// We wish to compare X/Z^2 with r. This is equivalent to comparing X with
|
||||
@ -602,7 +602,7 @@ static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
|
||||
if (bn_less_than_words(r->words, group->field_minus_order.words,
|
||||
P256_LIMBS)) {
|
||||
// We can ignore the carry because: r + group_order < p < 2^256.
|
||||
bn_add_words(r_Z2, r->words, group->order.d, P256_LIMBS);
|
||||
bn_add_words(r_Z2, r->words, group->order->N.d, P256_LIMBS);
|
||||
ecp_nistz256_mul_mont(r_Z2, r_Z2, Z2_mont);
|
||||
if (OPENSSL_memcmp(r_Z2, X, sizeof(r_Z2)) == 0) {
|
||||
return 1;
|
||||
|
@ -710,12 +710,12 @@ static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
|
||||
// Therefore there is a small possibility, less than 1/2^128, that group_order
|
||||
// < p.x < P. in that case we need not only to compare against |r| but also to
|
||||
// compare against r+group_order.
|
||||
assert(group->field.width == group->order.width);
|
||||
assert(group->field.width == group->order->N.width);
|
||||
if (bn_less_than_words(r->words, group->field_minus_order.words,
|
||||
group->field.width)) {
|
||||
// We can ignore the carry because: r + group_order < p < 2^256.
|
||||
EC_FELEM tmp;
|
||||
bn_add_words(tmp.words, r->words, group->order.d, group->order.width);
|
||||
bn_add_words(tmp.words, r->words, group->order->N.d, group->order->N.width);
|
||||
fiat_p256_from_generic(r_Z2, &tmp);
|
||||
fiat_p256_mul(r_Z2, r_Z2, Z2_mont);
|
||||
if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {
|
||||
|
@ -23,8 +23,9 @@
|
||||
|
||||
int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
|
||||
const BIGNUM *in) {
|
||||
if (!bn_copy_words(out->words, group->order.width, in) ||
|
||||
!bn_less_than_words(out->words, group->order.d, group->order.width)) {
|
||||
if (!bn_copy_words(out->words, group->order->N.width, in) ||
|
||||
!bn_less_than_words(out->words, group->order->N.d,
|
||||
group->order->N.width)) {
|
||||
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
|
||||
return 0;
|
||||
}
|
||||
@ -34,12 +35,12 @@ int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
|
||||
int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a,
|
||||
const EC_SCALAR *b) {
|
||||
return OPENSSL_memcmp(a->words, b->words,
|
||||
group->order.width * sizeof(BN_ULONG)) == 0;
|
||||
group->order->N.width * sizeof(BN_ULONG)) == 0;
|
||||
}
|
||||
|
||||
int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) {
|
||||
BN_ULONG mask = 0;
|
||||
for (int i = 0; i < group->order.width; i++) {
|
||||
for (int i = 0; i < group->order->N.width; i++) {
|
||||
mask |= a->words[i];
|
||||
}
|
||||
return mask == 0;
|
||||
@ -47,27 +48,28 @@ int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) {
|
||||
|
||||
int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,
|
||||
const uint8_t additional_data[32]) {
|
||||
return bn_rand_range_words(out->words, 1, group->order.d, group->order.width,
|
||||
additional_data);
|
||||
return bn_rand_range_words(out->words, 1, group->order->N.d,
|
||||
group->order->N.width, additional_data);
|
||||
}
|
||||
|
||||
void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len,
|
||||
const EC_SCALAR *in) {
|
||||
size_t len = BN_num_bytes(&group->order);
|
||||
bn_words_to_big_endian(out, len, in->words, group->order.width);
|
||||
size_t len = BN_num_bytes(&group->order->N);
|
||||
bn_words_to_big_endian(out, len, in->words, group->order->N.width);
|
||||
*out_len = len;
|
||||
}
|
||||
|
||||
int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,
|
||||
const uint8_t *in, size_t len) {
|
||||
if (len != BN_num_bytes(&group->order)) {
|
||||
if (len != BN_num_bytes(&group->order->N)) {
|
||||
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
bn_big_endian_to_words(out->words, group->order.width, in, len);
|
||||
bn_big_endian_to_words(out->words, group->order->N.width, in, len);
|
||||
|
||||
if (!bn_less_than_words(out->words, group->order.d, group->order.width)) {
|
||||
if (!bn_less_than_words(out->words, group->order->N.d,
|
||||
group->order->N.width)) {
|
||||
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
|
||||
return 0;
|
||||
}
|
||||
@ -78,15 +80,15 @@ int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,
|
||||
void ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out,
|
||||
const BN_ULONG *words, size_t num) {
|
||||
// Convert "from" Montgomery form so the value is reduced modulo the order.
|
||||
bn_from_montgomery_small(out->words, group->order.width, words, num,
|
||||
group->order_mont);
|
||||
bn_from_montgomery_small(out->words, group->order->N.width, words, num,
|
||||
group->order);
|
||||
// Convert "to" Montgomery form to remove the R^-1 factor added.
|
||||
ec_scalar_to_montgomery(group, out, out);
|
||||
}
|
||||
|
||||
void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
|
||||
const EC_SCALAR *b) {
|
||||
const BIGNUM *order = &group->order;
|
||||
const BIGNUM *order = &group->order->N;
|
||||
BN_ULONG tmp[EC_MAX_WORDS];
|
||||
bn_mod_add_words(r->words, a->words, b->words, order->d, tmp, order->width);
|
||||
OPENSSL_cleanse(tmp, sizeof(tmp));
|
||||
@ -94,7 +96,7 @@ void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
|
||||
|
||||
void ec_scalar_sub(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
|
||||
const EC_SCALAR *b) {
|
||||
const BIGNUM *order = &group->order;
|
||||
const BIGNUM *order = &group->order->N;
|
||||
BN_ULONG tmp[EC_MAX_WORDS];
|
||||
bn_mod_sub_words(r->words, a->words, b->words, order->d, tmp, order->width);
|
||||
OPENSSL_cleanse(tmp, sizeof(tmp));
|
||||
@ -108,35 +110,35 @@ void ec_scalar_neg(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a) {
|
||||
|
||||
void ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask,
|
||||
const EC_SCALAR *a, const EC_SCALAR *b) {
|
||||
const BIGNUM *order = &group->order;
|
||||
const BIGNUM *order = &group->order->N;
|
||||
bn_select_words(out->words, mask, a->words, b->words, order->width);
|
||||
}
|
||||
|
||||
void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r,
|
||||
const EC_SCALAR *a) {
|
||||
const BIGNUM *order = &group->order;
|
||||
bn_to_montgomery_small(r->words, a->words, order->width, group->order_mont);
|
||||
const BIGNUM *order = &group->order->N;
|
||||
bn_to_montgomery_small(r->words, a->words, order->width, group->order);
|
||||
}
|
||||
|
||||
void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r,
|
||||
const EC_SCALAR *a) {
|
||||
const BIGNUM *order = &group->order;
|
||||
const BIGNUM *order = &group->order->N;
|
||||
bn_from_montgomery_small(r->words, order->width, a->words, order->width,
|
||||
group->order_mont);
|
||||
group->order);
|
||||
}
|
||||
|
||||
void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r,
|
||||
const EC_SCALAR *a, const EC_SCALAR *b) {
|
||||
const BIGNUM *order = &group->order;
|
||||
const BIGNUM *order = &group->order->N;
|
||||
bn_mod_mul_montgomery_small(r->words, a->words, b->words, order->width,
|
||||
group->order_mont);
|
||||
group->order);
|
||||
}
|
||||
|
||||
void ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r,
|
||||
const EC_SCALAR *a) {
|
||||
const BIGNUM *order = &group->order;
|
||||
const BIGNUM *order = &group->order->N;
|
||||
bn_mod_inverse0_prime_mont_small(r->words, a->words, order->width,
|
||||
group->order_mont);
|
||||
group->order);
|
||||
}
|
||||
|
||||
int ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,
|
||||
|
@ -40,7 +40,7 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
|
||||
}
|
||||
|
||||
// Divide bits in |scalar| into windows.
|
||||
unsigned bits = BN_num_bits(&group->order);
|
||||
unsigned bits = EC_GROUP_order_bits(group);
|
||||
int r_is_at_infinity = 1;
|
||||
for (unsigned i = bits - 1; i < bits; i--) {
|
||||
if (!r_is_at_infinity) {
|
||||
@ -48,7 +48,7 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
|
||||
}
|
||||
if (i % 5 == 0) {
|
||||
// Compute the next window value.
|
||||
const size_t width = group->order.width;
|
||||
const size_t width = group->order->N.width;
|
||||
uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 4;
|
||||
window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 3;
|
||||
window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 2;
|
||||
@ -99,7 +99,7 @@ static void ec_GFp_mont_batch_get_window(const EC_GROUP *group,
|
||||
EC_JACOBIAN *out,
|
||||
const EC_JACOBIAN precomp[17],
|
||||
const EC_SCALAR *scalar, unsigned i) {
|
||||
const size_t width = group->order.width;
|
||||
const size_t width = group->order->N.width;
|
||||
uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 5;
|
||||
window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 4;
|
||||
window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 3;
|
||||
@ -138,7 +138,7 @@ void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r,
|
||||
}
|
||||
|
||||
// Divide bits in |scalar| into windows.
|
||||
unsigned bits = BN_num_bits(&group->order);
|
||||
unsigned bits = EC_GROUP_order_bits(group);
|
||||
int r_is_at_infinity = 1;
|
||||
for (unsigned i = bits; i <= bits; i--) {
|
||||
if (!r_is_at_infinity) {
|
||||
@ -212,7 +212,7 @@ static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
|
||||
EC_JACOBIAN *out,
|
||||
const EC_PRECOMP *precomp,
|
||||
const EC_SCALAR *scalar, unsigned i) {
|
||||
const size_t width = group->order.width;
|
||||
const size_t width = group->order->N.width;
|
||||
unsigned stride = ec_GFp_mont_comb_stride(group);
|
||||
// Select the bits corresponding to the comb shifted up by |i|.
|
||||
unsigned window = 0;
|
||||
|
@ -138,8 +138,8 @@ void ec_compute_wNAF(const EC_GROUP *group, int8_t *out,
|
||||
// we shift and add at most one copy of |bit|, this will continue to hold
|
||||
// afterwards.
|
||||
window_val >>= 1;
|
||||
window_val +=
|
||||
bit * bn_is_bit_set_words(scalar->words, group->order.width, j + w + 1);
|
||||
window_val += bit * bn_is_bit_set_words(scalar->words,
|
||||
group->order->N.width, j + w + 1);
|
||||
assert(window_val <= next_bit);
|
||||
}
|
||||
|
||||
@ -183,7 +183,7 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
|
||||
const EC_SCALAR *g_scalar,
|
||||
const EC_JACOBIAN *points,
|
||||
const EC_SCALAR *scalars, size_t num) {
|
||||
size_t bits = BN_num_bits(&group->order);
|
||||
size_t bits = EC_GROUP_order_bits(group);
|
||||
size_t wNAF_len = bits + 1;
|
||||
|
||||
int ret = 0;
|
||||
|
@ -71,7 +71,7 @@
|
||||
// ECDSA.
|
||||
static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
|
||||
const uint8_t *digest, size_t digest_len) {
|
||||
const BIGNUM *order = &group->order;
|
||||
const BIGNUM *order = EC_GROUP_get0_order(group);
|
||||
size_t num_bits = BN_num_bits(order);
|
||||
// Need to truncate digest if it is too long: first truncate whole bytes.
|
||||
size_t num_bytes = (num_bits + 7) / 8;
|
||||
|
@ -201,7 +201,7 @@ static int pmbtoken_compute_keys(const PMBTOKEN_METHOD *method,
|
||||
}
|
||||
|
||||
const EC_SCALAR *scalars[] = {x0, y0, x1, y1, xs, ys};
|
||||
size_t scalar_len = BN_num_bytes(&group->order);
|
||||
size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
|
||||
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) {
|
||||
uint8_t *buf;
|
||||
if (!CBB_add_space(out_private, &buf, scalar_len)) {
|
||||
@ -290,7 +290,7 @@ static int pmbtoken_issuer_key_from_bytes(const PMBTOKEN_METHOD *method,
|
||||
const EC_GROUP *group = method->group;
|
||||
CBS cbs, tmp;
|
||||
CBS_init(&cbs, in, len);
|
||||
size_t scalar_len = BN_num_bytes(&group->order);
|
||||
size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
|
||||
EC_SCALAR *scalars[] = {&key->x0, &key->y0, &key->x1,
|
||||
&key->y1, &key->xs, &key->ys};
|
||||
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) {
|
||||
@ -390,7 +390,7 @@ err:
|
||||
static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
|
||||
const EC_SCALAR *scalar) {
|
||||
uint8_t *buf;
|
||||
size_t scalar_len = BN_num_bytes(&group->order);
|
||||
size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
|
||||
if (!CBB_add_space(out, &buf, scalar_len)) {
|
||||
return 0;
|
||||
}
|
||||
@ -399,7 +399,7 @@ static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
|
||||
}
|
||||
|
||||
static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) {
|
||||
size_t scalar_len = BN_num_bytes(&group->order);
|
||||
size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
|
||||
CBS tmp;
|
||||
if (!CBS_get_bytes(cbs, &tmp, scalar_len)) {
|
||||
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
|
||||
|
@ -95,7 +95,7 @@ static int cbs_get_point(CBS *cbs, const EC_GROUP *group, EC_AFFINE *out) {
|
||||
static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
|
||||
const EC_SCALAR *scalar) {
|
||||
uint8_t *buf;
|
||||
size_t scalar_len = BN_num_bytes(&group->order);
|
||||
size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
|
||||
if (!CBB_add_space(out, &buf, scalar_len)) {
|
||||
return 0;
|
||||
}
|
||||
@ -104,7 +104,7 @@ static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
|
||||
}
|
||||
|
||||
static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) {
|
||||
size_t scalar_len = BN_num_bytes(&group->order);
|
||||
size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
|
||||
CBS tmp;
|
||||
if (!CBS_get_bytes(cbs, &tmp, scalar_len)) {
|
||||
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
|
||||
|
Loading…
x
Reference in New Issue
Block a user