grpc 1.12.0 → 1.13.0.pre1

data/third_party/boringssl/crypto/fipsmodule/ec/p224-64.c

@@ -19,9 +19,6 @@
 
 #include <openssl/base.h>
 
-#if defined(OPENSSL_64_BIT) && !defined(OPENSSL_WINDOWS) && \
-    !defined(OPENSSL_SMALL)
-
 #include <openssl/bn.h>
 #include <openssl/ec.h>
 #include <openssl/err.h>
@@ -34,6 +31,8 @@
 #include "../../internal.h"
 
 
+#if defined(BORINGSSL_HAS_UINT128) && !defined(OPENSSL_SMALL)
+
 // Field elements are represented as a_0 + 2^56*a_1 + 2^112*a_2 + 2^168*a_3
 // using 64-bit coefficients called 'limbs', and sometimes (for multiplication
 // results) as b_0 + 2^56*b_1 + 2^112*b_2 + 2^168*b_3 + 2^224*b_4 + 2^280*b_5 +
@@ -1016,22 +1015,27 @@ static int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group,
   p224_felem_inv(z2, z1);
   p224_felem_square(tmp, z2);
   p224_felem_reduce(z1, tmp);
-  p224_felem_mul(tmp, x_in, z1);
-  p224_felem_reduce(x_in, tmp);
-  p224_felem_contract(x_out, x_in);
-  if (x != NULL && !p224_felem_to_BN(x, x_out)) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
-    return 0;
+
+  if (x != NULL) {
+    p224_felem_mul(tmp, x_in, z1);
+    p224_felem_reduce(x_in, tmp);
+    p224_felem_contract(x_out, x_in);
+    if (!p224_felem_to_BN(x, x_out)) {
+      OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
+      return 0;
+    }
   }
 
-  p224_felem_mul(tmp, z1, z2);
-  p224_felem_reduce(z1, tmp);
-  p224_felem_mul(tmp, y_in, z1);
-  p224_felem_reduce(y_in, tmp);
-  p224_felem_contract(y_out, y_in);
-  if (y != NULL && !p224_felem_to_BN(y, y_out)) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
-    return 0;
+  if (y != NULL) {
+    p224_felem_mul(tmp, z1, z2);
+    p224_felem_reduce(z1, tmp);
+    p224_felem_mul(tmp, y_in, z1);
+    p224_felem_reduce(y_in, tmp);
+    p224_felem_contract(y_out, y_in);
+    if (!p224_felem_to_BN(y, y_out)) {
+      OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
+      return 0;
+    }
   }
 
   return 1;
@@ -1041,28 +1045,9 @@ static int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
                                       const EC_SCALAR *g_scalar,
                                       const EC_POINT *p,
                                       const EC_SCALAR *p_scalar, BN_CTX *ctx) {
-  int ret = 0;
-  BN_CTX *new_ctx = NULL;
-  BIGNUM *x, *y, *z, *tmp_scalar;
   p224_felem p_pre_comp[17][3];
   p224_felem x_in, y_in, z_in, x_out, y_out, z_out;
 
-  if (ctx == NULL) {
-    ctx = BN_CTX_new();
-    new_ctx = ctx;
-    if (ctx == NULL) {
-      return 0;
-    }
-  }
-
-  BN_CTX_start(ctx);
-  if ((x = BN_CTX_get(ctx)) == NULL ||
-      (y = BN_CTX_get(ctx)) == NULL ||
-      (z = BN_CTX_get(ctx)) == NULL ||
-      (tmp_scalar = BN_CTX_get(ctx)) == NULL) {
-    goto err;
-  }
-
   if (p != NULL && p_scalar != NULL) {
     // We treat NULL scalars as 0, and NULL points as points at infinity, i.e.,
     // they contribute nothing to the linear combination.
@@ -1071,7 +1056,7 @@ static int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
     if (!p224_BN_to_felem(x_out, &p->X) ||
         !p224_BN_to_felem(y_out, &p->Y) ||
         !p224_BN_to_felem(z_out, &p->Z)) {
-      goto err;
+      return 0;
     }
 
     p224_felem_assign(p_pre_comp[1][0], x_out);
@@ -1101,18 +1086,13 @@ static int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
   p224_felem_contract(x_in, x_out);
   p224_felem_contract(y_in, y_out);
   p224_felem_contract(z_in, z_out);
-  if (!p224_felem_to_BN(x, x_in) ||
-      !p224_felem_to_BN(y, y_in) ||
-      !p224_felem_to_BN(z, z_in)) {
+  if (!p224_felem_to_BN(&r->X, x_in) ||
+      !p224_felem_to_BN(&r->Y, y_in) ||
+      !p224_felem_to_BN(&r->Z, z_in)) {
     OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
-    goto err;
+    return 0;
   }
-  ret = ec_point_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
-
-err:
-  BN_CTX_end(ctx);
-  BN_CTX_free(new_ctx);
-  return ret;
+  return 1;
 }
 
 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp224_method) {
@@ -1122,10 +1102,11 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp224_method) {
   out->point_get_affine_coordinates =
       ec_GFp_nistp224_point_get_affine_coordinates;
   out->mul = ec_GFp_nistp224_points_mul;
+  out->mul_public = ec_GFp_nistp224_points_mul;
   out->field_mul = ec_GFp_simple_field_mul;
   out->field_sqr = ec_GFp_simple_field_sqr;
   out->field_encode = NULL;
   out->field_decode = NULL;
 };
 
-#endif  // 64_BIT && !WINDOWS && !SMALL
+#endif  // BORINGSSL_HAS_UINT128 && !SMALL

data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.c

@@ -1,24 +1,20 @@
-/* Copyright (c) 2014, Intel Corporation.
+/*
+ * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2014, Intel Corporation. All Rights Reserved.
  *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-// Developers and authors:
-// Shay Gueron (1, 2), and Vlad Krasnov (1)
-// (1) Intel Corporation, Israel Development Center
-// (2) University of Haifa
-// Reference:
-// S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with
-//                          256 Bit Primes"
+ * Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1)
+ * (1) Intel Corporation, Israel Development Center, Haifa, Israel
+ * (2) University of Haifa, Israel
+ *
+ * Reference:
+ * S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with
+ *                          256 Bit Primes"
+ */
 
 #include <openssl/ec.h>
 
@@ -205,13 +201,7 @@ static void ecp_nistz256_mod_inverse_mont(BN_ULONG r[P256_LIMBS],
 // returns one if it fits. Otherwise it returns zero.
 static int ecp_nistz256_bignum_to_field_elem(BN_ULONG out[P256_LIMBS],
                                              const BIGNUM *in) {
-  if (in->top > P256_LIMBS) {
-    return 0;
-  }
-
-  OPENSSL_memset(out, 0, sizeof(BN_ULONG) * P256_LIMBS);
-  OPENSSL_memcpy(out, in->d, sizeof(BN_ULONG) * in->top);
-  return 1;
+  return bn_copy_words(out, P256_LIMBS, in);
 }
 
 // r = p * p_scalar
@@ -446,6 +436,7 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistz256_method) {
   out->group_set_curve = ec_GFp_mont_group_set_curve;
   out->point_get_affine_coordinates = ecp_nistz256_get_affine;
   out->mul = ecp_nistz256_points_mul;
+  out->mul_public = ecp_nistz256_points_mul;
   out->field_mul = ec_GFp_mont_field_mul;
   out->field_sqr = ec_GFp_mont_field_sqr;
   out->field_encode = ec_GFp_mont_field_encode;

data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.h

@@ -1,16 +1,20 @@
-/* Copyright (c) 2014, Intel Corporation.
+/*
+ * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2014, Intel Corporation. All Rights Reserved.
  *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+ * Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1)
+ * (1) Intel Corporation, Israel Development Center, Haifa, Israel
+ * (2) University of Haifa, Israel
+ *
+ * Reference:
+ * S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with
+ *                          256 Bit Primes"
+ */
 
 #ifndef OPENSSL_HEADER_EC_P256_X86_64_H
 #define OPENSSL_HEADER_EC_P256_X86_64_H

data/third_party/boringssl/crypto/fipsmodule/ec/simple.c

@@ -135,9 +135,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
     goto err;
   }
   BN_set_negative(&group->field, 0);
+  // Store the field in minimal form, so it can be used with |BN_ULONG| arrays.
+  bn_set_minimal_width(&group->field);
 
   // group->a
-  if (!BN_nnmod(tmp_a, a, p, ctx)) {
+  if (!BN_nnmod(tmp_a, a, &group->field, ctx)) {
     goto err;
   }
   if (group->meth->field_encode) {
@@ -149,7 +151,7 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
   }
 
   // group->b
-  if (!BN_nnmod(&group->b, b, p, ctx)) {
+  if (!BN_nnmod(&group->b, b, &group->field, ctx)) {
     goto err;
   }
   if (group->meth->field_encode &&
@@ -269,9 +271,14 @@ static int set_Jprojective_coordinate_GFp(const EC_GROUP *group, BIGNUM *out,
   return BN_copy(out, in) != NULL;
 }
 
-int ec_GFp_simple_set_Jprojective_coordinates_GFp(
-    const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, const BIGNUM *y,
-    const BIGNUM *z, BN_CTX *ctx) {
+int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group,
+                                               EC_POINT *point, const BIGNUM *x,
+                                               const BIGNUM *y, BN_CTX *ctx) {
+  if (x == NULL || y == NULL) {
+    OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
+    return 0;
+  }
+
   BN_CTX *new_ctx = NULL;
   int ret = 0;
 
@@ -284,7 +291,7 @@ int ec_GFp_simple_set_Jprojective_coordinates_GFp(
 
   if (!set_Jprojective_coordinate_GFp(group, &point->X, x, ctx) ||
       !set_Jprojective_coordinate_GFp(group, &point->Y, y, ctx) ||
-      !set_Jprojective_coordinate_GFp(group, &point->Z, z, ctx)) {
+      !BN_copy(&point->Z, &group->one)) {
     goto err;
   }
 
@@ -295,19 +302,6 @@ err:
   return ret;
 }
 
-int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group,
-                                               EC_POINT *point, const BIGNUM *x,
-                                               const BIGNUM *y, BN_CTX *ctx) {
-  if (x == NULL || y == NULL) {
-    // unlike for projective coordinates, we do not tolerate this
-    OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
-    return 0;
-  }
-
-  return ec_point_set_Jprojective_coordinates_GFp(group, point, x, y,
-                                                  BN_value_one(), ctx);
-}
-
 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
                       const EC_POINT *b, BN_CTX *ctx) {
   int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
@@ -401,8 +395,8 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   }
 
   // n5, n6
-  if (!BN_mod_sub_quick(n5, n1, n3, p) ||
-      !BN_mod_sub_quick(n6, n2, n4, p)) {
+  if (!bn_mod_sub_quick_ctx(n5, n1, n3, p, ctx) ||
+      !bn_mod_sub_quick_ctx(n6, n2, n4, p, ctx)) {
     goto end;
   }
   // n5 = n1 - n3
@@ -424,8 +418,8 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   }
 
   // 'n7', 'n8'
-  if (!BN_mod_add_quick(n1, n1, n3, p) ||
-      !BN_mod_add_quick(n2, n2, n4, p)) {
+  if (!bn_mod_add_quick_ctx(n1, n1, n3, p, ctx) ||
+      !bn_mod_add_quick_ctx(n2, n2, n4, p, ctx)) {
     goto end;
   }
   // 'n7' = n1 + n3
@@ -459,14 +453,14 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   if (!field_sqr(group, n0, n6, ctx) ||
       !field_sqr(group, n4, n5, ctx) ||
       !field_mul(group, n3, n1, n4, ctx) ||
-      !BN_mod_sub_quick(&r->X, n0, n3, p)) {
+      !bn_mod_sub_quick_ctx(&r->X, n0, n3, p, ctx)) {
     goto end;
   }
   // X_r = n6^2 - n5^2 * 'n7'
 
   // 'n9'
-  if (!BN_mod_lshift1_quick(n0, &r->X, p) ||
-      !BN_mod_sub_quick(n0, n3, n0, p)) {
+  if (!bn_mod_lshift1_quick_ctx(n0, &r->X, p, ctx) ||
+      !bn_mod_sub_quick_ctx(n0, n3, n0, p, ctx)) {
     goto end;
   }
   // n9 = n5^2 * 'n7' - 2 * X_r
@@ -477,7 +471,7 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
     goto end;  // now n5 is n5^3
   }
   if (!field_mul(group, n1, n2, n5, ctx) ||
-      !BN_mod_sub_quick(n0, n0, n1, p)) {
+      !bn_mod_sub_quick_ctx(n0, n0, n1, p, ctx)) {
     goto end;
   }
   if (BN_is_odd(n0) && !BN_add(n0, n0, p)) {
@@ -542,31 +536,31 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   // n1
   if (BN_cmp(&a->Z, &group->one) == 0) {
     if (!field_sqr(group, n0, &a->X, ctx) ||
-        !BN_mod_lshift1_quick(n1, n0, p) ||
-        !BN_mod_add_quick(n0, n0, n1, p) ||
-        !BN_mod_add_quick(n1, n0, &group->a, p)) {
+        !bn_mod_lshift1_quick_ctx(n1, n0, p, ctx) ||
+        !bn_mod_add_quick_ctx(n0, n0, n1, p, ctx) ||
+        !bn_mod_add_quick_ctx(n1, n0, &group->a, p, ctx)) {
       goto err;
     }
     // n1 = 3 * X_a^2 + a_curve
   } else if (group->a_is_minus3) {
     if (!field_sqr(group, n1, &a->Z, ctx) ||
-        !BN_mod_add_quick(n0, &a->X, n1, p) ||
-        !BN_mod_sub_quick(n2, &a->X, n1, p) ||
+        !bn_mod_add_quick_ctx(n0, &a->X, n1, p, ctx) ||
+        !bn_mod_sub_quick_ctx(n2, &a->X, n1, p, ctx) ||
         !field_mul(group, n1, n0, n2, ctx) ||
-        !BN_mod_lshift1_quick(n0, n1, p) ||
-        !BN_mod_add_quick(n1, n0, n1, p)) {
+        !bn_mod_lshift1_quick_ctx(n0, n1, p, ctx) ||
+        !bn_mod_add_quick_ctx(n1, n0, n1, p, ctx)) {
       goto err;
     }
     // n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
     //    = 3 * X_a^2 - 3 * Z_a^4
   } else {
     if (!field_sqr(group, n0, &a->X, ctx) ||
-        !BN_mod_lshift1_quick(n1, n0, p) ||
-        !BN_mod_add_quick(n0, n0, n1, p) ||
+        !bn_mod_lshift1_quick_ctx(n1, n0, p, ctx) ||
+        !bn_mod_add_quick_ctx(n0, n0, n1, p, ctx) ||
         !field_sqr(group, n1, &a->Z, ctx) ||
         !field_sqr(group, n1, n1, ctx) ||
         !field_mul(group, n1, n1, &group->a, ctx) ||
-        !BN_mod_add_quick(n1, n1, n0, p)) {
+        !bn_mod_add_quick_ctx(n1, n1, n0, p, ctx)) {
       goto err;
     }
     // n1 = 3 * X_a^2 + a_curve * Z_a^4
@@ -580,7 +574,7 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   } else if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) {
     goto err;
   }
-  if (!BN_mod_lshift1_quick(&r->Z, n0, p)) {
+  if (!bn_mod_lshift1_quick_ctx(&r->Z, n0, p, ctx)) {
     goto err;
   }
   // Z_r = 2 * Y_a * Z_a
@@ -588,30 +582,30 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   // n2
   if (!field_sqr(group, n3, &a->Y, ctx) ||
       !field_mul(group, n2, &a->X, n3, ctx) ||
-      !BN_mod_lshift_quick(n2, n2, 2, p)) {
+      !bn_mod_lshift_quick_ctx(n2, n2, 2, p, ctx)) {
     goto err;
   }
   // n2 = 4 * X_a * Y_a^2
 
   // X_r
-  if (!BN_mod_lshift1_quick(n0, n2, p) ||
+  if (!bn_mod_lshift1_quick_ctx(n0, n2, p, ctx) ||
       !field_sqr(group, &r->X, n1, ctx) ||
-      !BN_mod_sub_quick(&r->X, &r->X, n0, p)) {
+      !bn_mod_sub_quick_ctx(&r->X, &r->X, n0, p, ctx)) {
     goto err;
   }
   // X_r = n1^2 - 2 * n2
 
   // n3
   if (!field_sqr(group, n0, n3, ctx) ||
-      !BN_mod_lshift_quick(n3, n0, 3, p)) {
+      !bn_mod_lshift_quick_ctx(n3, n0, 3, p, ctx)) {
     goto err;
   }
   // n3 = 8 * Y_a^4
 
   // Y_r
-  if (!BN_mod_sub_quick(n0, n2, &r->X, p) ||
+  if (!bn_mod_sub_quick_ctx(n0, n2, &r->X, p, ctx) ||
       !field_mul(group, n0, n1, n0, ctx) ||
-      !BN_mod_sub_quick(&r->Y, n0, n3, p)) {
+      !bn_mod_sub_quick_ctx(&r->Y, n0, n3, p, ctx)) {
     goto err;
   }
   // Y_r = n1 * (n2 - X_r) - n3
@@ -694,15 +688,15 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
 
     // rh := (rh + a*Z^4)*X
     if (group->a_is_minus3) {
-      if (!BN_mod_lshift1_quick(tmp, Z4, p) ||
-          !BN_mod_add_quick(tmp, tmp, Z4, p) ||
-          !BN_mod_sub_quick(rh, rh, tmp, p) ||
+      if (!bn_mod_lshift1_quick_ctx(tmp, Z4, p, ctx) ||
+          !bn_mod_add_quick_ctx(tmp, tmp, Z4, p, ctx) ||
+          !bn_mod_sub_quick_ctx(rh, rh, tmp, p, ctx) ||
           !field_mul(group, rh, rh, &point->X, ctx)) {
         goto err;
       }
     } else {
       if (!field_mul(group, tmp, Z4, &group->a, ctx) ||
-          !BN_mod_add_quick(rh, rh, tmp, p) ||
+          !bn_mod_add_quick_ctx(rh, rh, tmp, p, ctx) ||
           !field_mul(group, rh, rh, &point->X, ctx)) {
         goto err;
       }
@@ -710,17 +704,17 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
 
     // rh := rh + b*Z^6
     if (!field_mul(group, tmp, &group->b, Z6, ctx) ||
-        !BN_mod_add_quick(rh, rh, tmp, p)) {
+        !bn_mod_add_quick_ctx(rh, rh, tmp, p, ctx)) {
       goto err;
     }
   } else {
     // rh := (rh + a)*X
-    if (!BN_mod_add_quick(rh, rh, &group->a, p) ||
+    if (!bn_mod_add_quick_ctx(rh, rh, &group->a, p, ctx) ||
         !field_mul(group, rh, rh, &point->X, ctx)) {
       goto err;
     }
     // rh := rh + b
-    if (!BN_mod_add_quick(rh, rh, &group->b, p)) {
+    if (!bn_mod_add_quick_ctx(rh, rh, &group->b, p, ctx)) {
       goto err;
     }
   }