yggdrasil/ring
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't store a redundant copy of the order in EC_GROUP

Browse Source 
BN_MONT_CTX already has the modulus, so just use it. This is one less
value to initialize statically.

Bug: 20
Change-Id: I78f73994ab595b795e99d67851bdff3b73fc3dd6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60926
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
David Benjamin 2023-02-12 10:18:13 -05:00 committed by Boringssl LUCI CQ
parent 4e88a3557f
commit 6f13380d27
15 changed files with 71 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
crypto/ec_extra/ec_derive.c
View File

@ -55,7 +55,8 @@ EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, const uint8_t *secret,
}
uint8_t derived[EC_KEY_DERIVE_EXTRA_BYTES + EC_MAX_BYTES];
size_t derived_len = BN_num_bytes(&group->order) + EC_KEY_DERIVE_EXTRA_BYTES;
size_t derived_len =
BN_num_bytes(EC_GROUP_get0_order(group)) + EC_KEY_DERIVE_EXTRA_BYTES;
assert(derived_len <= sizeof(derived));
if (!HKDF(derived, derived_len, EVP_sha256(), secret, secret_len,
/*salt=*/NULL, /*salt_len=*/0, (const uint8_t *)info,
@ -74,10 +75,10 @@ EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, const uint8_t *secret,
// enough. 2^(num_bytes(order)) < 2^8 * order, so:
//
// priv < 2^8 * order * 2^128 < order * order < order * R
!BN_from_montgomery(priv, priv, group->order_mont, ctx) ||
!BN_from_montgomery(priv, priv, group->order, ctx) ||
// Multiply by R^2 and do another Montgomery reduction to compute
// priv * R^-1 * R^2 * R^-1 = priv mod order.
!BN_to_montgomery(priv, priv, group->order_mont, ctx) ||
!BN_to_montgomery(priv, priv, group->order, ctx) ||
!EC_POINT_mul(group, pub, priv, NULL, NULL, ctx) ||
!EC_KEY_set_group(key, group) || !EC_KEY_set_public_key(key, pub) ||
!EC_KEY_set_private_key(key, priv)) {

5
crypto/ec_extra/hash_to_curve.c
View File

@ -197,15 +197,16 @@ static int hash_to_field2(const EC_GROUP *group, const EVP_MD *md,
static int hash_to_scalar(const EC_GROUP *group, const EVP_MD *md,
EC_SCALAR *out, const uint8_t *dst, size_t dst_len,
unsigned k, const uint8_t *msg, size_t msg_len) {
const BIGNUM *order = EC_GROUP_get0_order(group);
size_t L;
uint8_t buf[EC_MAX_BYTES * 2];
if (!num_bytes_to_derive(&L, &group->order, k) ||
if (!num_bytes_to_derive(&L, order, k) ||
!expand_message_xmd(md, buf, L, msg, msg_len, dst, dst_len)) {
return 0;
}
BN_ULONG words[2 * EC_MAX_WORDS];
size_t num_words = 2 * group->order.width;
size_t num_words = 2 * order->width;
big_endian_to_words(words, num_words, buf, L);
ec_scalar_reduce(group, out, words, num_words);
return 1;

2
crypto/evp/p_ec_asn1.c
View File

@ -215,7 +215,7 @@ static int ec_bits(const EVP_PKEY *pkey) {
ERR_clear_error();
return 0;
}
return BN_num_bits(EC_GROUP_get0_order(group));
return EC_GROUP_order_bits(group);
}
static int ec_missing_parameters(const EVP_PKEY *pkey) {

29
crypto/fipsmodule/ec/ec.c
View File

@ -291,7 +291,6 @@ EC_GROUP *ec_group_new(const EC_METHOD *meth) {
ret->references = 1;
ret->meth = meth;
BN_init(&ret->order);
if (!meth->group_init(ret)) {
OPENSSL_free(ret);
@ -305,15 +304,9 @@ static int ec_group_set_generator(EC_GROUP *group, const EC_AFFINE *generator,
const BIGNUM *order) {
assert(group->generator == NULL);
if (!BN_copy(&group->order, order)) {
return 0;
}
// Store the order in minimal form, so it can be used with |BN_ULONG| arrays.
bn_set_minimal_width(&group->order);
BN_MONT_CTX_free(group->order_mont);
group->order_mont = BN_MONT_CTX_new_for_modulus(&group->order, NULL);
if (group->order_mont == NULL) {
BN_MONT_CTX_free(group->order);
group->order = BN_MONT_CTX_new_for_modulus(order, NULL);
if (group->order == NULL) {
return 0;
}
@ -562,8 +555,7 @@ void EC_GROUP_free(EC_GROUP *group) {
}
ec_point_free(group->generator, 0 /* don't free group */);
BN_free(&group->order);
BN_MONT_CTX_free(group->order_mont);
BN_MONT_CTX_free(group->order);
OPENSSL_free(group);
}
@ -602,7 +594,7 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ignored) {
return a->meth != b->meth ||
a->generator == NULL ||
b->generator == NULL ||
BN_cmp(&a->order, &b->order) != 0 ||
BN_cmp(&a->order->N, &b->order->N) != 0 ||
BN_cmp(&a->field, &b->field) != 0 ||
!ec_felem_equal(a, &a->a, &b->a) ||
!ec_felem_equal(a, &a->b, &b->b) ||
@ -614,8 +606,8 @@ const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) {
}
const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group) {
assert(!BN_is_zero(&group->order));
return &group->order;
assert(group->order != NULL);
return &group->order->N;
}
int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) {
@ -626,7 +618,7 @@ int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) {
}
int EC_GROUP_order_bits(const EC_GROUP *group) {
return BN_num_bits(&group->order);
return BN_num_bits(&group->order->N);
}
int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor,
@ -931,11 +923,10 @@ static int arbitrary_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
ERR_clear_error();
// This is an unusual input, so we do not guarantee constant-time processing.
const BIGNUM *order = &group->order;
BN_CTX_start(ctx);
BIGNUM *tmp = BN_CTX_get(ctx);
int ok = tmp != NULL &&
BN_nnmod(tmp, in, order, ctx) &&
BN_nnmod(tmp, in, EC_GROUP_get0_order(group), ctx) &&
ec_bignum_to_scalar(group, out, tmp);
BN_CTX_end(ctx);
return ok;
@ -1193,7 +1184,7 @@ int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
//
// Additionally, one can manually check this property for built-in curves. It
// is enforced for legacy custom curves in |EC_GROUP_set_generator|.
const BIGNUM *order = &group->order;
const BIGNUM *order = EC_GROUP_get0_order(group);
BN_ULONG words[EC_MAX_WORDS + 1] = {0};
bn_big_endian_to_words(words, order->width + 1, bytes, len);
bn_reduce_once(out->words, words, /*carry=*/words[order->width], order->d,

6
crypto/fipsmodule/ec/ec_key.c
View File

@ -93,8 +93,8 @@ static EC_WRAPPED_SCALAR *ec_wrapped_scalar_new(const EC_GROUP *group) {
OPENSSL_memset(wrapped, 0, sizeof(EC_WRAPPED_SCALAR));
wrapped->bignum.d = wrapped->scalar.words;
wrapped->bignum.width = group->order.width;
wrapped->bignum.dmax = group->order.width;
wrapped->bignum.width = group->order->N.width;
wrapped->bignum.dmax = group->order->N.width;
wrapped->bignum.flags = BN_FLG_STATIC_DATA;
return wrapped;
}
@ -485,7 +485,7 @@ int EC_KEY_generate_key(EC_KEY *key) {
}
// Check that the group order is FIPS compliant (FIPS 186-4 B.4.2).
if (BN_num_bits(EC_GROUP_get0_order(key->group)) < 160) {
if (EC_GROUP_order_bits(key->group) < 160) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
return 0;
}

4
crypto/fipsmodule/ec/ec_montgomery.c
View File

@ -457,7 +457,7 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
const EC_JACOBIAN *p,
const EC_SCALAR *r) {
if (!group->field_greater_than_order ||
group->field.width != group->order.width) {
group->field.width != group->order->N.width) {
// Do not bother optimizing this case. p > order in all commonly-used
// curves.
return ec_GFp_simple_cmp_x_coordinate(group, p, r);
@ -488,7 +488,7 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
if (bn_less_than_words(r->words, group->field_minus_order.words,
group->field.width)) {
// We can ignore the carry because: r + group_order < p < 2^256.
bn_add_words(r_Z2.words, r->words, group->order.d, group->field.width);
bn_add_words(r_Z2.words, r->words, group->order->N.d, group->field.width);
ec_GFp_mont_felem_mul(group, &r_Z2, &r_Z2, &Z2_mont);
if (ec_felem_equal(group, &r_Z2, &X)) {
return 1;

3
crypto/fipsmodule/ec/internal.h
View File

@ -595,11 +595,10 @@ struct ec_group_st {
// to avoid a reference cycle. Additionally, Z is guaranteed to be one, so X
// and Y are suitable for use as an |EC_AFFINE|.
EC_POINT *generator;
BIGNUM order;
int curve_name; // optional NID for named curve
BN_MONT_CTX *order_mont; // data for ECDSA inverse
BN_MONT_CTX *order;
// The following members are handled by the method functions,
// even if they appear generic

8
crypto/fipsmodule/ec/p256-nistz.c
View File

@ -563,8 +563,8 @@ static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,
}
#endif
assert(group->order.width == P256_LIMBS);
if (!beeu_mod_inverse_vartime(out->words, in->words, group->order.d)) {
assert(group->order->N.width == P256_LIMBS);
if (!beeu_mod_inverse_vartime(out->words, in->words, group->order->N.d)) {
return 0;
}
@ -580,7 +580,7 @@ static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
return 0;
}
assert(group->order.width == P256_LIMBS);
assert(group->order->N.width == P256_LIMBS);
assert(group->field.width == P256_LIMBS);
// We wish to compare X/Z^2 with r. This is equivalent to comparing X with
@ -602,7 +602,7 @@ static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
if (bn_less_than_words(r->words, group->field_minus_order.words,
P256_LIMBS)) {
// We can ignore the carry because: r + group_order < p < 2^256.
bn_add_words(r_Z2, r->words, group->order.d, P256_LIMBS);
bn_add_words(r_Z2, r->words, group->order->N.d, P256_LIMBS);
ecp_nistz256_mul_mont(r_Z2, r_Z2, Z2_mont);
if (OPENSSL_memcmp(r_Z2, X, sizeof(r_Z2)) == 0) {
return 1;

4
crypto/fipsmodule/ec/p256.c
View File

@ -710,12 +710,12 @@ static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
// Therefore there is a small possibility, less than 1/2^128, that group_order
// < p.x < P. in that case we need not only to compare against |r| but also to
// compare against r+group_order.
assert(group->field.width == group->order.width);
assert(group->field.width == group->order->N.width);
if (bn_less_than_words(r->words, group->field_minus_order.words,
group->field.width)) {
// We can ignore the carry because: r + group_order < p < 2^256.
EC_FELEM tmp;
bn_add_words(tmp.words, r->words, group->order.d, group->order.width);
bn_add_words(tmp.words, r->words, group->order->N.d, group->order->N.width);
fiat_p256_from_generic(r_Z2, &tmp);
fiat_p256_mul(r_Z2, r_Z2, Z2_mont);
if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {

50
crypto/fipsmodule/ec/scalar.c
View File

@ -23,8 +23,9 @@
int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
const BIGNUM *in) {
if (!bn_copy_words(out->words, group->order.width, in) ||
!bn_less_than_words(out->words, group->order.d, group->order.width)) {
if (!bn_copy_words(out->words, group->order->N.width, in) ||
!bn_less_than_words(out->words, group->order->N.d,
group->order->N.width)) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
return 0;
}
@ -34,12 +35,12 @@ int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a,
const EC_SCALAR *b) {
return OPENSSL_memcmp(a->words, b->words,
group->order.width * sizeof(BN_ULONG)) == 0;
group->order->N.width * sizeof(BN_ULONG)) == 0;
}
int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) {
BN_ULONG mask = 0;
for (int i = 0; i < group->order.width; i++) {
for (int i = 0; i < group->order->N.width; i++) {
mask |= a->words[i];
}
return mask == 0;
@ -47,27 +48,28 @@ int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) {
int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,
const uint8_t additional_data[32]) {
return bn_rand_range_words(out->words, 1, group->order.d, group->order.width,
additional_data);
return bn_rand_range_words(out->words, 1, group->order->N.d,
group->order->N.width, additional_data);
}
void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len,
const EC_SCALAR *in) {
size_t len = BN_num_bytes(&group->order);
bn_words_to_big_endian(out, len, in->words, group->order.width);
size_t len = BN_num_bytes(&group->order->N);
bn_words_to_big_endian(out, len, in->words, group->order->N.width);
*out_len = len;
}
int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,
const uint8_t *in, size_t len) {
if (len != BN_num_bytes(&group->order)) {
if (len != BN_num_bytes(&group->order->N)) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
return 0;
}
bn_big_endian_to_words(out->words, group->order.width, in, len);
bn_big_endian_to_words(out->words, group->order->N.width, in, len);
if (!bn_less_than_words(out->words, group->order.d, group->order.width)) {
if (!bn_less_than_words(out->words, group->order->N.d,
group->order->N.width)) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
return 0;
}
@ -78,15 +80,15 @@ int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,
void ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out,
const BN_ULONG *words, size_t num) {
// Convert "from" Montgomery form so the value is reduced modulo the order.
bn_from_montgomery_small(out->words, group->order.width, words, num,
group->order_mont);
bn_from_montgomery_small(out->words, group->order->N.width, words, num,
group->order);
// Convert "to" Montgomery form to remove the R^-1 factor added.
ec_scalar_to_montgomery(group, out, out);
}
void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
const EC_SCALAR *b) {
const BIGNUM *order = &group->order;
const BIGNUM *order = &group->order->N;
BN_ULONG tmp[EC_MAX_WORDS];
bn_mod_add_words(r->words, a->words, b->words, order->d, tmp, order->width);
OPENSSL_cleanse(tmp, sizeof(tmp));
@ -94,7 +96,7 @@ void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
void ec_scalar_sub(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
const EC_SCALAR *b) {
const BIGNUM *order = &group->order;
const BIGNUM *order = &group->order->N;
BN_ULONG tmp[EC_MAX_WORDS];
bn_mod_sub_words(r->words, a->words, b->words, order->d, tmp, order->width);
OPENSSL_cleanse(tmp, sizeof(tmp));
@ -108,35 +110,35 @@ void ec_scalar_neg(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a) {
void ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask,
const EC_SCALAR *a, const EC_SCALAR *b) {
const BIGNUM *order = &group->order;
const BIGNUM *order = &group->order->N;
bn_select_words(out->words, mask, a->words, b->words, order->width);
}
void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r,
const EC_SCALAR *a) {
const BIGNUM *order = &group->order;
bn_to_montgomery_small(r->words, a->words, order->width, group->order_mont);
const BIGNUM *order = &group->order->N;
bn_to_montgomery_small(r->words, a->words, order->width, group->order);
}
void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r,
const EC_SCALAR *a) {
const BIGNUM *order = &group->order;
const BIGNUM *order = &group->order->N;
bn_from_montgomery_small(r->words, order->width, a->words, order->width,
group->order_mont);
group->order);
}
void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r,
const EC_SCALAR *a, const EC_SCALAR *b) {
const BIGNUM *order = &group->order;
const BIGNUM *order = &group->order->N;
bn_mod_mul_montgomery_small(r->words, a->words, b->words, order->width,
group->order_mont);
group->order);
}
void ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r,
const EC_SCALAR *a) {
const BIGNUM *order = &group->order;
const BIGNUM *order = &group->order->N;
bn_mod_inverse0_prime_mont_small(r->words, a->words, order->width,
group->order_mont);
group->order);
}
int ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,

10
crypto/fipsmodule/ec/simple_mul.c
View File

@ -40,7 +40,7 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
}
// Divide bits in |scalar| into windows.
unsigned bits = BN_num_bits(&group->order);
unsigned bits = EC_GROUP_order_bits(group);
int r_is_at_infinity = 1;
for (unsigned i = bits - 1; i < bits; i--) {
if (!r_is_at_infinity) {
@ -48,7 +48,7 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
}
if (i % 5 == 0) {
// Compute the next window value.
const size_t width = group->order.width;
const size_t width = group->order->N.width;
uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 4;
window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 3;
window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 2;
@ -99,7 +99,7 @@ static void ec_GFp_mont_batch_get_window(const EC_GROUP *group,
EC_JACOBIAN *out,
const EC_JACOBIAN precomp[17],
const EC_SCALAR *scalar, unsigned i) {
const size_t width = group->order.width;
const size_t width = group->order->N.width;
uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 5;
window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 4;
window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 3;
@ -138,7 +138,7 @@ void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r,
}
// Divide bits in |scalar| into windows.
unsigned bits = BN_num_bits(&group->order);
unsigned bits = EC_GROUP_order_bits(group);
int r_is_at_infinity = 1;
for (unsigned i = bits; i <= bits; i--) {
if (!r_is_at_infinity) {
@ -212,7 +212,7 @@ static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
EC_JACOBIAN *out,
const EC_PRECOMP *precomp,
const EC_SCALAR *scalar, unsigned i) {
const size_t width = group->order.width;
const size_t width = group->order->N.width;
unsigned stride = ec_GFp_mont_comb_stride(group);
// Select the bits corresponding to the comb shifted up by |i|.
unsigned window = 0;

6
crypto/fipsmodule/ec/wnaf.c
View File

@ -138,8 +138,8 @@ void ec_compute_wNAF(const EC_GROUP *group, int8_t *out,
// we shift and add at most one copy of |bit|, this will continue to hold
// afterwards.
window_val >>= 1;
window_val +=
bit * bn_is_bit_set_words(scalar->words, group->order.width, j + w + 1);
window_val += bit * bn_is_bit_set_words(scalar->words,
group->order->N.width, j + w + 1);
assert(window_val <= next_bit);
}
@ -183,7 +183,7 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
const EC_SCALAR *g_scalar,
const EC_JACOBIAN *points,
const EC_SCALAR *scalars, size_t num) {
size_t bits = BN_num_bits(&group->order);
size_t bits = EC_GROUP_order_bits(group);
size_t wNAF_len = bits + 1;
int ret = 0;

2
crypto/fipsmodule/ecdsa/ecdsa.c
View File

@ -71,7 +71,7 @@
// ECDSA.
static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
const uint8_t *digest, size_t digest_len) {
const BIGNUM *order = &group->order;
const BIGNUM *order = EC_GROUP_get0_order(group);
size_t num_bits = BN_num_bits(order);
// Need to truncate digest if it is too long: first truncate whole bytes.
size_t num_bytes = (num_bits + 7) / 8;

8
crypto/trust_token/pmbtoken.c
View File

@ -201,7 +201,7 @@ static int pmbtoken_compute_keys(const PMBTOKEN_METHOD *method,
}
const EC_SCALAR *scalars[] = {x0, y0, x1, y1, xs, ys};
size_t scalar_len = BN_num_bytes(&group->order);
size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) {
uint8_t *buf;
if (!CBB_add_space(out_private, &buf, scalar_len)) {
@ -290,7 +290,7 @@ static int pmbtoken_issuer_key_from_bytes(const PMBTOKEN_METHOD *method,
const EC_GROUP *group = method->group;
CBS cbs, tmp;
CBS_init(&cbs, in, len);
size_t scalar_len = BN_num_bytes(&group->order);
size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
EC_SCALAR *scalars[] = {&key->x0, &key->y0, &key->x1,
&key->y1, &key->xs, &key->ys};
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) {
@ -390,7 +390,7 @@ err:
static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
const EC_SCALAR *scalar) {
uint8_t *buf;
size_t scalar_len = BN_num_bytes(&group->order);
size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
if (!CBB_add_space(out, &buf, scalar_len)) {
return 0;
}
@ -399,7 +399,7 @@ static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
}
static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) {
size_t scalar_len = BN_num_bytes(&group->order);
size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
CBS tmp;
if (!CBS_get_bytes(cbs, &tmp, scalar_len)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);

4
crypto/trust_token/voprf.c
View File

@ -95,7 +95,7 @@ static int cbs_get_point(CBS *cbs, const EC_GROUP *group, EC_AFFINE *out) {
static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
const EC_SCALAR *scalar) {
uint8_t *buf;
size_t scalar_len = BN_num_bytes(&group->order);
size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
if (!CBB_add_space(out, &buf, scalar_len)) {
return 0;
}
@ -104,7 +104,7 @@ static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
}
static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) {
size_t scalar_len = BN_num_bytes(&group->order);
size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
CBS tmp;
if (!CBS_get_bytes(cbs, &tmp, scalar_len)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);