grpc 1.24.0 → 1.25.0
- checksums.yaml +4 -4
- data/Makefile +306 -243
- data/etc/roots.pem +0 -100
- data/include/grpc/grpc_security.h +44 -18
- data/include/grpc/impl/codegen/grpc_types.h +15 -0
- data/include/grpc/impl/codegen/port_platform.h +27 -11
- data/include/grpc/impl/codegen/sync_generic.h +1 -1
- data/src/boringssl/err_data.c +695 -650
- data/src/core/ext/filters/client_channel/client_channel.cc +257 -179
- data/src/core/ext/filters/client_channel/client_channel.h +24 -0
- data/src/core/ext/filters/client_channel/client_channel_channelz.cc +2 -3
- data/src/core/ext/filters/client_channel/client_channel_factory.h +1 -5
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +18 -45
- data/src/core/ext/filters/client_channel/health/health_check_client.h +5 -13
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy.cc +2 -3
- data/src/core/ext/filters/client_channel/lb_policy.h +65 -55
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +14 -14
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +113 -36
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +14 -19
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +36 -13
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +3 -10
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +814 -1589
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +2 -5
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +3 -6
- data/src/core/ext/filters/client_channel/resolver.cc +1 -2
- data/src/core/ext/filters/client_channel/resolver.h +8 -16
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +25 -8
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +46 -12
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +10 -17
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +7 -8
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +111 -44
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +22 -14
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +29 -10
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +27 -36
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +7 -10
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +60 -16
- data/src/core/ext/filters/client_channel/resolver_factory.h +4 -8
- data/src/core/ext/filters/client_channel/resolver_registry.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver_registry.h +1 -1
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +7 -10
- data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +7 -8
- data/src/core/ext/filters/client_channel/resolving_lb_policy.h +1 -1
- data/src/core/ext/filters/client_channel/retry_throttle.cc +5 -5
- data/src/core/ext/filters/client_channel/retry_throttle.h +1 -4
- data/src/core/ext/filters/client_channel/service_config.h +8 -8
- data/src/core/ext/filters/client_channel/subchannel.cc +53 -86
- data/src/core/ext/filters/client_channel/subchannel.h +7 -9
- data/src/core/ext/filters/client_channel/subchannel_interface.h +9 -13
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +3 -6
- data/src/core/ext/filters/client_channel/{lb_policy/xds/xds_load_balancer_api.cc → xds/xds_api.cc} +169 -52
- data/src/core/ext/filters/client_channel/xds/xds_api.h +171 -0
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +450 -0
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.h +99 -0
- data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_channel.h +8 -6
- data/src/core/ext/filters/client_channel/xds/xds_channel_args.h +26 -0
- data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_channel_secure.cc +28 -11
- data/src/core/ext/filters/client_channel/xds/xds_client.cc +1413 -0
- data/src/core/ext/filters/client_channel/xds/xds_client.h +221 -0
- data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_client_stats.cc +1 -5
- data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_client_stats.h +3 -4
- data/src/core/ext/filters/deadline/deadline_filter.cc +20 -20
- data/src/core/ext/filters/http/client/http_client_filter.cc +15 -15
- data/src/core/ext/filters/http/client_authority_filter.cc +14 -14
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +12 -12
- data/src/core/ext/filters/max_age/max_age_filter.cc +59 -50
- data/src/core/ext/filters/message_size/message_size_filter.cc +18 -18
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +15 -14
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +233 -175
- data/src/core/ext/transport/chttp2/transport/flow_control.h +21 -24
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +253 -163
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +24 -12
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +2 -3
- data/src/core/ext/transport/chttp2/transport/internal.h +13 -15
- data/src/core/ext/transport/chttp2/transport/writing.cc +3 -0
- data/src/core/ext/transport/inproc/inproc_transport.cc +20 -13
- data/src/core/lib/channel/channel_args.cc +16 -0
- data/src/core/lib/channel/channel_args.h +22 -0
- data/src/core/lib/channel/channelz.cc +5 -6
- data/src/core/lib/channel/channelz.h +1 -1
- data/src/core/lib/channel/connected_channel.cc +20 -20
- data/src/core/lib/channel/handshaker.h +3 -4
- data/src/core/lib/channel/handshaker_factory.h +1 -3
- data/src/core/lib/debug/trace.h +3 -2
- data/src/core/lib/gprpp/arena.cc +3 -3
- data/src/core/lib/gprpp/arena.h +2 -3
- data/src/core/lib/gprpp/inlined_vector.h +9 -0
- data/src/core/lib/gprpp/map.h +3 -501
- data/src/core/lib/gprpp/memory.h +45 -41
- data/src/core/lib/gprpp/mpscq.cc +108 -0
- data/src/core/lib/gprpp/mpscq.h +98 -0
- data/src/core/lib/gprpp/orphanable.h +6 -11
- data/src/core/lib/gprpp/ref_counted.h +25 -19
- data/src/core/lib/gprpp/set.h +33 -0
- data/src/core/lib/gprpp/thd.h +2 -4
- data/src/core/lib/http/httpcli.cc +1 -1
- data/src/core/lib/http/httpcli_security_connector.cc +15 -11
- data/src/core/lib/http/parser.cc +1 -1
- data/src/core/lib/iomgr/buffer_list.cc +4 -5
- data/src/core/lib/iomgr/buffer_list.h +5 -6
- data/src/core/lib/iomgr/call_combiner.cc +4 -5
- data/src/core/lib/iomgr/call_combiner.h +2 -2
- data/src/core/lib/iomgr/cfstream_handle.h +3 -5
- data/src/core/lib/iomgr/closure.h +8 -3
- data/src/core/lib/iomgr/combiner.cc +45 -82
- data/src/core/lib/iomgr/combiner.h +32 -8
- data/src/core/lib/iomgr/endpoint_cfstream.cc +5 -3
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +19 -15
- data/src/core/lib/iomgr/ev_poll_posix.cc +3 -1
- data/src/core/lib/iomgr/exec_ctx.h +4 -3
- data/src/core/lib/iomgr/executor.cc +4 -2
- data/src/core/lib/iomgr/executor.h +3 -0
- data/src/core/lib/iomgr/executor/mpmcqueue.h +3 -6
- data/src/core/lib/iomgr/executor/threadpool.cc +1 -2
- data/src/core/lib/iomgr/executor/threadpool.h +7 -11
- data/src/core/lib/iomgr/resource_quota.cc +55 -51
- data/src/core/lib/iomgr/resource_quota.h +13 -9
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +13 -0
- data/src/core/lib/iomgr/socket_utils_posix.h +4 -0
- data/src/core/lib/iomgr/tcp_client_posix.cc +4 -11
- data/src/core/lib/iomgr/tcp_custom.cc +9 -7
- data/src/core/lib/iomgr/tcp_posix.cc +20 -16
- data/src/core/lib/iomgr/tcp_server.h +1 -4
- data/src/core/lib/iomgr/tcp_server_custom.cc +5 -5
- data/src/core/lib/iomgr/tcp_server_posix.cc +1 -1
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +2 -11
- data/src/core/lib/iomgr/timer_custom.cc +2 -2
- data/src/core/lib/iomgr/udp_server.cc +3 -2
- data/src/core/lib/iomgr/udp_server.h +6 -12
- data/src/core/lib/json/json.h +1 -1
- data/src/core/lib/json/json_string.cc +2 -2
- data/src/core/lib/profiling/basic_timers.cc +2 -2
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -2
- data/src/core/lib/security/credentials/alts/grpc_alts_credentials_server_options.cc +1 -1
- data/src/core/lib/security/credentials/credentials.h +4 -20
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +4 -4
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -3
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +64 -0
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +4 -4
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +9 -7
- data/src/core/lib/security/security_connector/load_system_roots_linux.cc +2 -0
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +4 -4
- data/src/core/lib/security/security_connector/security_connector.cc +1 -0
- data/src/core/lib/security/security_connector/security_connector.h +19 -17
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +8 -5
- data/src/core/lib/security/security_connector/ssl_utils.cc +2 -2
- data/src/core/lib/security/security_connector/ssl_utils.h +1 -1
- data/src/core/lib/security/security_connector/tls/spiffe_security_connector.cc +14 -6
- data/src/core/lib/security/security_connector/tls/spiffe_security_connector.h +4 -2
- data/src/core/lib/security/transport/client_auth_filter.cc +17 -17
- data/src/core/lib/security/transport/security_handshaker.cc +29 -13
- data/src/core/lib/security/transport/security_handshaker.h +4 -2
- data/src/core/lib/security/transport/server_auth_filter.cc +14 -14
- data/src/core/lib/slice/slice.cc +2 -10
- data/src/core/lib/slice/slice_hash_table.h +4 -6
- data/src/core/lib/slice/slice_intern.cc +42 -39
- data/src/core/lib/slice/slice_internal.h +3 -3
- data/src/core/lib/slice/slice_utils.h +21 -4
- data/src/core/lib/slice/slice_weak_hash_table.h +4 -6
- data/src/core/lib/surface/call.cc +3 -3
- data/src/core/lib/surface/channel.cc +7 -0
- data/src/core/lib/surface/completion_queue.cc +12 -11
- data/src/core/lib/surface/completion_queue.h +4 -2
- data/src/core/lib/surface/init.cc +1 -0
- data/src/core/lib/surface/lame_client.cc +33 -18
- data/src/core/lib/surface/server.cc +77 -76
- data/src/core/lib/surface/version.cc +1 -1
- data/src/core/lib/transport/byte_stream.h +3 -7
- data/src/core/lib/transport/connectivity_state.cc +112 -98
- data/src/core/lib/transport/connectivity_state.h +100 -50
- data/src/core/lib/transport/static_metadata.cc +276 -288
- data/src/core/lib/transport/static_metadata.h +73 -76
- data/src/core/lib/transport/status_conversion.cc +1 -1
- data/src/core/lib/transport/status_metadata.cc +1 -1
- data/src/core/lib/transport/transport.cc +2 -2
- data/src/core/lib/transport/transport.h +12 -4
- data/src/core/lib/transport/transport_op_string.cc +14 -11
- data/src/core/tsi/alts/frame_protector/alts_unseal_privacy_integrity_crypter.cc +1 -1
- data/src/core/tsi/alts/handshaker/alts_shared_resource.cc +1 -1
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +5 -5
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +12 -2
- data/src/core/tsi/fake_transport_security.cc +7 -5
- data/src/core/tsi/grpc_shadow_boringssl.h +2918 -2627
- data/src/core/tsi/local_transport_security.cc +8 -6
- data/src/core/tsi/ssl/session_cache/ssl_session.h +1 -3
- data/src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc +1 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +7 -5
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +4 -6
- data/src/core/tsi/ssl/session_cache/ssl_session_openssl.cc +1 -2
- data/src/core/tsi/ssl_transport_security.cc +12 -12
- data/src/core/tsi/ssl_transport_security.h +2 -2
- data/src/core/tsi/transport_security_grpc.cc +7 -0
- data/src/core/tsi/transport_security_grpc.h +6 -0
- data/src/ruby/ext/grpc/extconf.rb +1 -0
- data/src/ruby/ext/grpc/rb_call.c +1 -1
- data/src/ruby/ext/grpc/rb_channel.c +1 -1
- data/src/ruby/lib/grpc/generic/bidi_call.rb +1 -1
- data/src/ruby/lib/grpc/generic/rpc_server.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/spec/google_rpc_status_utils_spec.rb +2 -2
- data/third_party/boringssl/crypto/asn1/a_bool.c +18 -5
- data/third_party/boringssl/crypto/asn1/a_d2i_fp.c +17 -221
- data/third_party/boringssl/crypto/asn1/a_dup.c +0 -24
- data/third_party/boringssl/crypto/asn1/a_enum.c +2 -2
- data/third_party/boringssl/crypto/asn1/a_i2d_fp.c +10 -72
- data/third_party/boringssl/crypto/asn1/a_int.c +12 -71
- data/third_party/boringssl/crypto/asn1/a_mbstr.c +110 -216
- data/third_party/boringssl/crypto/asn1/a_object.c +16 -5
- data/third_party/boringssl/crypto/asn1/a_strnid.c +1 -0
- data/third_party/boringssl/crypto/asn1/asn1_lib.c +5 -1
- data/third_party/boringssl/crypto/asn1/tasn_enc.c +3 -1
- data/third_party/boringssl/crypto/base64/base64.c +2 -2
- data/third_party/boringssl/crypto/bio/bio.c +73 -9
- data/third_party/boringssl/crypto/bio/connect.c +4 -0
- data/third_party/boringssl/crypto/bio/fd.c +4 -0
- data/third_party/boringssl/crypto/bio/file.c +5 -2
- data/third_party/boringssl/crypto/bio/socket.c +4 -0
- data/third_party/boringssl/crypto/bio/socket_helper.c +4 -0
- data/third_party/boringssl/crypto/bn_extra/convert.c +11 -7
- data/third_party/boringssl/crypto/bytestring/ber.c +8 -4
- data/third_party/boringssl/crypto/bytestring/cbb.c +19 -7
- data/third_party/boringssl/crypto/bytestring/cbs.c +28 -15
- data/third_party/boringssl/crypto/bytestring/internal.h +28 -7
- data/third_party/boringssl/crypto/bytestring/unicode.c +155 -0
- data/third_party/boringssl/crypto/chacha/chacha.c +36 -19
- data/third_party/boringssl/crypto/chacha/internal.h +45 -0
- data/third_party/boringssl/crypto/cipher_extra/cipher_extra.c +29 -0
- data/third_party/boringssl/crypto/cipher_extra/e_aesccm.c +269 -25
- data/third_party/boringssl/crypto/cipher_extra/e_aesctrhmac.c +16 -14
- data/third_party/boringssl/crypto/cipher_extra/e_aesgcmsiv.c +54 -38
- data/third_party/boringssl/crypto/cipher_extra/e_chacha20poly1305.c +133 -41
- data/third_party/boringssl/crypto/cipher_extra/e_tls.c +23 -15
- data/third_party/boringssl/crypto/cipher_extra/tls_cbc.c +24 -15
- data/third_party/boringssl/crypto/cmac/cmac.c +62 -25
- data/third_party/boringssl/crypto/conf/conf.c +7 -0
- data/third_party/boringssl/crypto/cpu-arm-linux.c +4 -148
- data/third_party/boringssl/crypto/cpu-arm-linux.h +201 -0
- data/third_party/boringssl/crypto/cpu-intel.c +45 -51
- data/third_party/boringssl/crypto/crypto.c +39 -22
- data/third_party/boringssl/crypto/curve25519/spake25519.c +1 -1
- data/third_party/boringssl/crypto/dsa/dsa.c +77 -53
- data/third_party/boringssl/crypto/ec_extra/ec_asn1.c +20 -8
- data/third_party/boringssl/crypto/ec_extra/ec_derive.c +96 -0
- data/third_party/boringssl/crypto/{ecdh/ecdh.c → ecdh_extra/ecdh_extra.c} +20 -58
- data/third_party/boringssl/crypto/ecdsa_extra/ecdsa_asn1.c +1 -9
- data/third_party/boringssl/crypto/engine/engine.c +2 -1
- data/third_party/boringssl/crypto/err/err.c +2 -0
- data/third_party/boringssl/crypto/err/internal.h +2 -2
- data/third_party/boringssl/crypto/evp/evp.c +89 -8
- data/third_party/boringssl/crypto/evp/evp_asn1.c +56 -5
- data/third_party/boringssl/crypto/evp/evp_ctx.c +52 -14
- data/third_party/boringssl/crypto/evp/internal.h +18 -1
- data/third_party/boringssl/crypto/evp/p_dsa_asn1.c +5 -0
- data/third_party/boringssl/crypto/evp/p_ec.c +51 -3
- data/third_party/boringssl/crypto/evp/p_ec_asn1.c +6 -7
- data/third_party/boringssl/crypto/evp/p_ed25519.c +36 -3
- data/third_party/boringssl/crypto/evp/p_ed25519_asn1.c +76 -45
- data/third_party/boringssl/crypto/evp/p_rsa.c +3 -1
- data/third_party/boringssl/crypto/evp/p_rsa_asn1.c +5 -0
- data/third_party/boringssl/crypto/evp/p_x25519.c +110 -0
- data/third_party/boringssl/crypto/evp/p_x25519_asn1.c +249 -0
- data/third_party/boringssl/crypto/evp/scrypt.c +6 -2
- data/third_party/boringssl/crypto/fipsmodule/aes/aes.c +34 -274
- data/third_party/boringssl/crypto/fipsmodule/aes/internal.h +161 -21
- data/third_party/boringssl/crypto/fipsmodule/aes/key_wrap.c +111 -13
- data/third_party/boringssl/crypto/fipsmodule/aes/mode_wrappers.c +17 -21
- data/third_party/boringssl/crypto/fipsmodule/bcm.c +119 -7
- data/third_party/boringssl/crypto/fipsmodule/bn/bn.c +19 -2
- data/third_party/boringssl/crypto/fipsmodule/bn/cmp.c +2 -2
- data/third_party/boringssl/crypto/fipsmodule/bn/ctx.c +93 -160
- data/third_party/boringssl/crypto/fipsmodule/bn/div.c +48 -57
- data/third_party/boringssl/crypto/fipsmodule/bn/div_extra.c +87 -0
- data/third_party/boringssl/crypto/fipsmodule/bn/exponentiation.c +143 -211
- data/third_party/boringssl/crypto/fipsmodule/bn/gcd.c +0 -305
- data/third_party/boringssl/crypto/fipsmodule/bn/gcd_extra.c +325 -0
- data/third_party/boringssl/crypto/fipsmodule/bn/internal.h +168 -50
- data/third_party/boringssl/crypto/fipsmodule/bn/montgomery.c +68 -92
- data/third_party/boringssl/crypto/fipsmodule/bn/montgomery_inv.c +7 -6
- data/third_party/boringssl/crypto/fipsmodule/bn/mul.c +11 -14
- data/third_party/boringssl/crypto/fipsmodule/bn/prime.c +358 -443
- data/third_party/boringssl/crypto/fipsmodule/bn/random.c +25 -35
- data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.c +20 -25
- data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.h +76 -5
- data/third_party/boringssl/crypto/fipsmodule/bn/shift.c +14 -14
- data/third_party/boringssl/crypto/fipsmodule/cipher/cipher.c +7 -2
- data/third_party/boringssl/crypto/fipsmodule/cipher/e_aes.c +383 -516
- data/third_party/boringssl/crypto/fipsmodule/cipher/e_des.c +4 -0
- data/third_party/boringssl/crypto/fipsmodule/cipher/internal.h +3 -4
- data/third_party/boringssl/crypto/fipsmodule/delocate.h +3 -2
- data/third_party/boringssl/crypto/fipsmodule/digest/digest.c +32 -17
- data/third_party/boringssl/crypto/fipsmodule/digest/md32_common.h +3 -3
- data/third_party/boringssl/crypto/fipsmodule/ec/ec.c +228 -122
- data/third_party/boringssl/crypto/fipsmodule/ec/ec_key.c +34 -8
- data/third_party/boringssl/crypto/fipsmodule/ec/ec_montgomery.c +311 -98
- data/third_party/boringssl/crypto/fipsmodule/ec/felem.c +82 -0
- data/third_party/boringssl/crypto/fipsmodule/ec/internal.h +263 -97
- data/third_party/boringssl/crypto/fipsmodule/ec/oct.c +22 -59
- data/third_party/boringssl/crypto/fipsmodule/ec/p224-64.c +317 -234
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64-table.h +9473 -9475
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.c +313 -109
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.h +36 -0
- data/third_party/boringssl/crypto/fipsmodule/ec/scalar.c +96 -0
- data/third_party/boringssl/crypto/fipsmodule/ec/simple.c +126 -792
- data/third_party/boringssl/crypto/fipsmodule/ec/simple_mul.c +84 -0
- data/third_party/boringssl/crypto/fipsmodule/ec/util.c +163 -12
- data/third_party/boringssl/crypto/fipsmodule/ec/wnaf.c +84 -211
- data/third_party/boringssl/crypto/fipsmodule/ecdh/ecdh.c +122 -0
- data/third_party/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c +60 -205
- data/third_party/boringssl/crypto/fipsmodule/fips_shared_support.c +32 -0
- data/third_party/boringssl/crypto/fipsmodule/is_fips.c +2 -0
- data/third_party/boringssl/crypto/fipsmodule/md4/md4.c +3 -1
- data/third_party/boringssl/crypto/fipsmodule/md5/internal.h +37 -0
- data/third_party/boringssl/crypto/fipsmodule/md5/md5.c +11 -8
- data/third_party/boringssl/crypto/fipsmodule/modes/cbc.c +35 -79
- data/third_party/boringssl/crypto/fipsmodule/modes/cfb.c +7 -39
- data/third_party/boringssl/crypto/fipsmodule/modes/ctr.c +7 -27
- data/third_party/boringssl/crypto/fipsmodule/modes/gcm.c +123 -309
- data/third_party/boringssl/crypto/fipsmodule/modes/internal.h +189 -126
- data/third_party/boringssl/crypto/fipsmodule/modes/ofb.c +3 -2
- data/third_party/boringssl/crypto/fipsmodule/rand/ctrdrbg.c +2 -2
- data/third_party/boringssl/crypto/fipsmodule/rand/internal.h +35 -0
- data/third_party/boringssl/crypto/fipsmodule/rand/rand.c +24 -19
- data/third_party/boringssl/crypto/fipsmodule/rand/urandom.c +256 -77
- data/third_party/boringssl/crypto/fipsmodule/rsa/padding.c +10 -7
- data/third_party/boringssl/crypto/fipsmodule/rsa/rsa.c +5 -1
- data/third_party/boringssl/crypto/fipsmodule/rsa/rsa_impl.c +131 -14
- data/third_party/boringssl/crypto/fipsmodule/self_check/self_check.c +83 -10
- data/third_party/boringssl/crypto/fipsmodule/sha/internal.h +53 -0
- data/third_party/boringssl/crypto/fipsmodule/sha/sha1.c +9 -13
- data/third_party/boringssl/crypto/fipsmodule/sha/sha256.c +18 -12
- data/third_party/boringssl/crypto/fipsmodule/sha/sha512.c +95 -168
- data/third_party/boringssl/crypto/hrss/hrss.c +2201 -0
- data/third_party/boringssl/crypto/hrss/internal.h +62 -0
- data/third_party/boringssl/crypto/internal.h +95 -20
- data/third_party/boringssl/crypto/lhash/lhash.c +45 -33
- data/third_party/boringssl/crypto/mem.c +39 -2
- data/third_party/boringssl/crypto/obj/obj.c +4 -4
- data/third_party/boringssl/crypto/obj/obj_dat.h +6181 -875
- data/third_party/boringssl/crypto/pem/pem_all.c +2 -3
- data/third_party/boringssl/crypto/pem/pem_info.c +144 -162
- data/third_party/boringssl/crypto/pem/pem_lib.c +53 -52
- data/third_party/boringssl/crypto/pem/pem_pkey.c +13 -21
- data/third_party/boringssl/crypto/pkcs7/pkcs7.c +15 -22
- data/third_party/boringssl/crypto/pkcs7/pkcs7_x509.c +168 -16
- data/third_party/boringssl/crypto/pkcs8/internal.h +11 -0
- data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +24 -15
- data/third_party/boringssl/crypto/pkcs8/pkcs8.c +42 -25
- data/third_party/boringssl/crypto/pkcs8/pkcs8_x509.c +559 -43
- data/third_party/boringssl/crypto/pool/internal.h +1 -1
- data/third_party/boringssl/crypto/pool/pool.c +21 -0
- data/third_party/boringssl/crypto/rand_extra/deterministic.c +8 -0
- data/third_party/boringssl/crypto/rand_extra/fuchsia.c +1 -14
- data/third_party/boringssl/crypto/refcount_lock.c +2 -2
- data/third_party/boringssl/crypto/rsa_extra/rsa_print.c +22 -0
- data/third_party/boringssl/crypto/siphash/siphash.c +80 -0
- data/third_party/boringssl/crypto/stack/stack.c +83 -32
- data/third_party/boringssl/crypto/thread_none.c +2 -2
- data/third_party/boringssl/crypto/thread_pthread.c +2 -2
- data/third_party/boringssl/crypto/thread_win.c +38 -19
- data/third_party/boringssl/crypto/x509/a_strex.c +22 -2
- data/third_party/boringssl/crypto/x509/asn1_gen.c +2 -1
- data/third_party/boringssl/crypto/x509/by_dir.c +7 -0
- data/third_party/boringssl/crypto/x509/by_file.c +12 -10
- data/third_party/boringssl/crypto/x509/t_crl.c +5 -8
- data/third_party/boringssl/crypto/x509/t_req.c +1 -3
- data/third_party/boringssl/crypto/x509/t_x509.c +5 -8
- data/third_party/boringssl/crypto/x509/x509_cmp.c +1 -1
- data/third_party/boringssl/crypto/x509/x509_def.c +1 -1
- data/third_party/boringssl/crypto/x509/x509_lu.c +114 -5
- data/third_party/boringssl/crypto/x509/x509_req.c +20 -0
- data/third_party/boringssl/crypto/x509/x509_set.c +5 -0
- data/third_party/boringssl/crypto/x509/x509_trs.c +1 -0
- data/third_party/boringssl/crypto/x509/x509_txt.c +4 -5
- data/third_party/boringssl/crypto/x509/x509_vfy.c +145 -138
- data/third_party/boringssl/crypto/x509/x509_vpm.c +2 -0
- data/third_party/boringssl/crypto/x509/x509cset.c +40 -0
- data/third_party/boringssl/crypto/x509/x509name.c +2 -3
- data/third_party/boringssl/crypto/x509/x_all.c +109 -210
- data/third_party/boringssl/crypto/x509/x_x509.c +6 -0
- data/third_party/boringssl/crypto/x509v3/ext_dat.h +1 -3
- data/third_party/boringssl/crypto/x509v3/internal.h +56 -0
- data/third_party/boringssl/crypto/x509v3/pcy_cache.c +2 -0
- data/third_party/boringssl/crypto/x509v3/pcy_node.c +1 -0
- data/third_party/boringssl/crypto/x509v3/pcy_tree.c +4 -2
- data/third_party/boringssl/crypto/x509v3/v3_akey.c +5 -2
- data/third_party/boringssl/crypto/x509v3/v3_alt.c +19 -13
- data/third_party/boringssl/crypto/x509v3/v3_conf.c +2 -1
- data/third_party/boringssl/crypto/x509v3/v3_cpols.c +3 -2
- data/third_party/boringssl/crypto/x509v3/v3_genn.c +1 -6
- data/third_party/boringssl/crypto/x509v3/v3_lib.c +1 -0
- data/third_party/boringssl/crypto/x509v3/v3_ocsp.c +68 -0
- data/third_party/boringssl/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl/crypto/x509v3/v3_purp.c +47 -69
- data/third_party/boringssl/crypto/x509v3/v3_skey.c +5 -2
- data/third_party/boringssl/crypto/x509v3/v3_utl.c +69 -25
- data/third_party/boringssl/include/openssl/aead.h +45 -19
- data/third_party/boringssl/include/openssl/aes.h +32 -7
- data/third_party/boringssl/include/openssl/asn1.h +7 -77
- data/third_party/boringssl/include/openssl/base.h +120 -6
- data/third_party/boringssl/include/openssl/base64.h +4 -1
- data/third_party/boringssl/include/openssl/bio.h +112 -81
- data/third_party/boringssl/include/openssl/blowfish.h +3 -3
- data/third_party/boringssl/include/openssl/bn.h +55 -29
- data/third_party/boringssl/include/openssl/buf.h +2 -2
- data/third_party/boringssl/include/openssl/bytestring.h +54 -32
- data/third_party/boringssl/include/openssl/cast.h +2 -2
- data/third_party/boringssl/include/openssl/cipher.h +46 -16
- data/third_party/boringssl/include/openssl/cmac.h +6 -2
- data/third_party/boringssl/include/openssl/conf.h +3 -6
- data/third_party/boringssl/include/openssl/cpu.h +25 -9
- data/third_party/boringssl/include/openssl/crypto.h +32 -10
- data/third_party/boringssl/include/openssl/curve25519.h +4 -4
- data/third_party/boringssl/include/openssl/dh.h +3 -2
- data/third_party/boringssl/include/openssl/digest.h +21 -7
- data/third_party/boringssl/include/openssl/dsa.h +8 -2
- data/third_party/boringssl/include/openssl/e_os2.h +18 -0
- data/third_party/boringssl/include/openssl/ec.h +25 -21
- data/third_party/boringssl/include/openssl/ec_key.h +36 -8
- data/third_party/boringssl/include/openssl/ecdh.h +17 -0
- data/third_party/boringssl/include/openssl/ecdsa.h +3 -3
- data/third_party/boringssl/include/openssl/engine.h +4 -4
- data/third_party/boringssl/include/openssl/err.h +3 -0
- data/third_party/boringssl/include/openssl/evp.h +199 -42
- data/third_party/boringssl/include/openssl/hmac.h +4 -4
- data/third_party/boringssl/include/openssl/hrss.h +100 -0
- data/third_party/boringssl/include/openssl/lhash.h +131 -23
- data/third_party/boringssl/include/openssl/md4.h +6 -4
- data/third_party/boringssl/include/openssl/md5.h +6 -4
- data/third_party/boringssl/include/openssl/mem.h +6 -2
- data/third_party/boringssl/include/openssl/nid.h +3 -0
- data/third_party/boringssl/include/openssl/obj.h +3 -0
- data/third_party/boringssl/include/openssl/pem.h +102 -64
- data/third_party/boringssl/include/openssl/pkcs7.h +136 -3
- data/third_party/boringssl/include/openssl/pkcs8.h +42 -3
- data/third_party/boringssl/include/openssl/pool.h +13 -2
- data/third_party/boringssl/include/openssl/ripemd.h +5 -4
- data/third_party/boringssl/include/openssl/rsa.h +46 -15
- data/third_party/boringssl/include/openssl/sha.h +40 -28
- data/third_party/boringssl/include/openssl/siphash.h +37 -0
- data/third_party/boringssl/include/openssl/span.h +17 -9
- data/third_party/boringssl/include/openssl/ssl.h +766 -393
- data/third_party/boringssl/include/openssl/ssl3.h +4 -3
- data/third_party/boringssl/include/openssl/stack.h +134 -77
- data/third_party/boringssl/include/openssl/thread.h +1 -1
- data/third_party/boringssl/include/openssl/tls1.h +25 -9
- data/third_party/boringssl/include/openssl/type_check.h +14 -15
- data/third_party/boringssl/include/openssl/x509.h +28 -3
- data/third_party/boringssl/include/openssl/x509_vfy.h +98 -32
- data/third_party/boringssl/include/openssl/x509v3.h +17 -13
- data/third_party/boringssl/ssl/d1_both.cc +9 -18
- data/third_party/boringssl/ssl/d1_lib.cc +4 -3
- data/third_party/boringssl/ssl/d1_pkt.cc +4 -4
- data/third_party/boringssl/ssl/d1_srtp.cc +15 -15
- data/third_party/boringssl/ssl/dtls_method.cc +0 -1
- data/third_party/boringssl/ssl/dtls_record.cc +28 -28
- data/third_party/boringssl/ssl/handoff.cc +295 -91
- data/third_party/boringssl/ssl/handshake.cc +133 -72
- data/third_party/boringssl/ssl/handshake_client.cc +218 -189
- data/third_party/boringssl/ssl/handshake_server.cc +399 -272
- data/third_party/boringssl/ssl/internal.h +1413 -928
- data/third_party/boringssl/ssl/s3_both.cc +175 -36
- data/third_party/boringssl/ssl/s3_lib.cc +9 -13
- data/third_party/boringssl/ssl/s3_pkt.cc +63 -29
- data/third_party/boringssl/ssl/ssl_aead_ctx.cc +55 -35
- data/third_party/boringssl/ssl/ssl_asn1.cc +57 -73
- data/third_party/boringssl/ssl/ssl_buffer.cc +13 -12
- data/third_party/boringssl/ssl/ssl_cert.cc +313 -210
- data/third_party/boringssl/ssl/ssl_cipher.cc +159 -221
- data/third_party/boringssl/ssl/ssl_file.cc +2 -0
- data/third_party/boringssl/ssl/ssl_key_share.cc +164 -19
- data/third_party/boringssl/ssl/ssl_lib.cc +847 -555
- data/third_party/boringssl/ssl/ssl_privkey.cc +441 -111
- data/third_party/boringssl/ssl/ssl_session.cc +230 -178
- data/third_party/boringssl/ssl/ssl_transcript.cc +21 -142
- data/third_party/boringssl/ssl/ssl_versions.cc +88 -93
- data/third_party/boringssl/ssl/ssl_x509.cc +279 -218
- data/third_party/boringssl/ssl/t1_enc.cc +5 -96
- data/third_party/boringssl/ssl/t1_lib.cc +931 -678
- data/third_party/boringssl/ssl/tls13_both.cc +251 -121
- data/third_party/boringssl/ssl/tls13_client.cc +129 -73
- data/third_party/boringssl/ssl/tls13_enc.cc +350 -282
- data/third_party/boringssl/ssl/tls13_server.cc +259 -192
- data/third_party/boringssl/ssl/tls_method.cc +26 -21
- data/third_party/boringssl/ssl/tls_record.cc +42 -47
- data/third_party/boringssl/third_party/fiat/curve25519.c +261 -1324
- data/third_party/boringssl/third_party/fiat/curve25519_32.h +911 -0
- data/third_party/boringssl/third_party/fiat/curve25519_64.h +559 -0
- data/third_party/boringssl/third_party/fiat/p256.c +238 -999
- data/third_party/boringssl/third_party/fiat/p256_32.h +3226 -0
- data/third_party/boringssl/third_party/fiat/p256_64.h +1217 -0
- data/third_party/upb/upb/port_def.inc +1 -1
- data/third_party/upb/upb/table.c +2 -1
- metadata +72 -44
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_load_balancer_api.h +0 -127
- data/src/core/lib/gpr/mpscq.cc +0 -117
- data/src/core/lib/gpr/mpscq.h +0 -88
- data/src/core/lib/gprpp/abstract.h +0 -47
- data/src/core/lib/gprpp/pair.h +0 -38
- data/third_party/boringssl/crypto/cipher_extra/e_ssl3.c +0 -460
- data/third_party/boringssl/crypto/fipsmodule/modes/ccm.c +0 -256
- data/third_party/boringssl/include/openssl/lhash_macros.h +0 -174
- data/third_party/boringssl/ssl/custom_extensions.cc +0 -265
@@ -23,6 +23,8 @@
|
|
23
23
|
|
24
24
|
#include <openssl/bn.h>
|
25
25
|
|
26
|
+
#include "../bn/internal.h"
|
27
|
+
|
26
28
|
#if defined(__cplusplus)
|
27
29
|
extern "C" {
|
28
30
|
#endif
|
@@ -61,6 +63,40 @@ static inline void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS],
|
|
61
63
|
ecp_nistz256_mul_mont(res, in, ONE);
|
62
64
|
}
|
63
65
|
|
66
|
+
// ecp_nistz256_to_mont sets |res| to |in|, converted to Montgomery domain
|
67
|
+
// by multiplying with RR = 2^512 mod P precomputed for NIST P256 curve.
|
68
|
+
static inline void ecp_nistz256_to_mont(BN_ULONG res[P256_LIMBS],
|
69
|
+
const BN_ULONG in[P256_LIMBS]) {
|
70
|
+
static const BN_ULONG RR[P256_LIMBS] = {
|
71
|
+
TOBN(0x00000000, 0x00000003), TOBN(0xfffffffb, 0xffffffff),
|
72
|
+
TOBN(0xffffffff, 0xfffffffe), TOBN(0x00000004, 0xfffffffd)};
|
73
|
+
ecp_nistz256_mul_mont(res, in, RR);
|
74
|
+
}
|
75
|
+
|
76
|
+
|
77
|
+
// P-256 scalar operations.
|
78
|
+
//
|
79
|
+
// The following functions compute modulo N, where N is the order of P-256. They
|
80
|
+
// take fully-reduced inputs and give fully-reduced outputs.
|
81
|
+
|
82
|
+
// ecp_nistz256_ord_mul_mont sets |res| to |a| * |b| where inputs and outputs
|
83
|
+
// are in Montgomery form. That is, |res| is |a| * |b| * 2^-256 mod N.
|
84
|
+
void ecp_nistz256_ord_mul_mont(BN_ULONG res[P256_LIMBS],
|
85
|
+
const BN_ULONG a[P256_LIMBS],
|
86
|
+
const BN_ULONG b[P256_LIMBS]);
|
87
|
+
|
88
|
+
// ecp_nistz256_ord_sqr_mont sets |res| to |a|^(2*|rep|) where inputs and
|
89
|
+
// outputs are in Montgomery form. That is, |res| is
|
90
|
+
// (|a| * 2^-256)^(2*|rep|) * 2^256 mod N.
|
91
|
+
void ecp_nistz256_ord_sqr_mont(BN_ULONG res[P256_LIMBS],
|
92
|
+
const BN_ULONG a[P256_LIMBS], BN_ULONG rep);
|
93
|
+
|
94
|
+
// beeu_mod_inverse_vartime sets out = a^-1 mod p using a Euclidean algorithm.
|
95
|
+
// Assumption: 0 < a < p < 2^(256) and p is odd.
|
96
|
+
int beeu_mod_inverse_vartime(BN_ULONG out[P256_LIMBS],
|
97
|
+
const BN_ULONG a[P256_LIMBS],
|
98
|
+
const BN_ULONG p[P256_LIMBS]);
|
99
|
+
|
64
100
|
|
65
101
|
// P-256 point operations.
|
66
102
|
//
|
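Review bot: The declaration of `beeu_mod_inverse_vartime` documents its input assumptions but not its `int` return value, and nothing in the comment spells out what the `_vartime` suffix implies for callers. Since the name says the running time depends on the operands, the comment should add `// The running time depends on |a| and |p|, so this must only be called on public values.` together with a sentence stating what a zero return means. The neighbouring `ecp_nistz256_ord_mul_mont` and `ecp_nistz256_ord_sqr_mont` comments already state their input and output domain, so the inverse is the odd one out. The first hunk of this section only adds an include and needs nothing.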
@@ -0,0 +1,96 @@
|
|
1
|
+
/* Copyright (c) 2018, Google Inc.
|
2
|
+
*
|
3
|
+
* Permission to use, copy, modify, and/or distribute this software for any
|
4
|
+
* purpose with or without fee is hereby granted, provided that the above
|
5
|
+
* copyright notice and this permission notice appear in all copies.
|
6
|
+
*
|
7
|
+
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
8
|
+
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
9
|
+
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
10
|
+
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
11
|
+
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
12
|
+
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
13
|
+
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
14
|
+
|
15
|
+
#include <openssl/ec.h>
|
16
|
+
#include <openssl/err.h>
|
17
|
+
#include <openssl/mem.h>
|
18
|
+
|
19
|
+
#include "internal.h"
|
20
|
+
#include "../bn/internal.h"
|
21
|
+
#include "../../internal.h"
|
22
|
+
|
23
|
+
|
24
|
+
int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
|
25
|
+
const BIGNUM *in) {
|
26
|
+
if (!bn_copy_words(out->words, group->order.width, in) ||
|
27
|
+
!bn_less_than_words(out->words, group->order.d, group->order.width)) {
|
28
|
+
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
|
29
|
+
return 0;
|
30
|
+
}
|
31
|
+
return 1;
|
32
|
+
}
|
33
|
+
|
34
|
+
int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a,
|
35
|
+
const EC_SCALAR *b) {
|
36
|
+
return OPENSSL_memcmp(a->words, b->words,
|
37
|
+
group->order.width * sizeof(BN_ULONG)) == 0;
|
38
|
+
}
|
39
|
+
|
40
|
+
int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) {
|
41
|
+
BN_ULONG mask = 0;
|
42
|
+
for (int i = 0; i < group->order.width; i++) {
|
43
|
+
mask |= a->words[i];
|
44
|
+
}
|
45
|
+
return mask == 0;
|
46
|
+
}
|
47
|
+
|
48
|
+
int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,
|
49
|
+
const uint8_t additional_data[32]) {
|
50
|
+
return bn_rand_range_words(out->words, 1, group->order.d, group->order.width,
|
51
|
+
additional_data);
|
52
|
+
}
|
53
|
+
|
54
|
+
void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
|
55
|
+
const EC_SCALAR *b) {
|
56
|
+
const BIGNUM *order = &group->order;
|
57
|
+
BN_ULONG tmp[EC_MAX_WORDS];
|
58
|
+
bn_mod_add_words(r->words, a->words, b->words, order->d, tmp, order->width);
|
59
|
+
OPENSSL_cleanse(tmp, sizeof(tmp));
|
60
|
+
}
|
61
|
+
|
62
|
+
void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r,
|
63
|
+
const EC_SCALAR *a) {
|
64
|
+
const BIGNUM *order = &group->order;
|
65
|
+
bn_to_montgomery_small(r->words, a->words, order->width, group->order_mont);
|
66
|
+
}
|
67
|
+
|
68
|
+
void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r,
|
69
|
+
const EC_SCALAR *a) {
|
70
|
+
const BIGNUM *order = &group->order;
|
71
|
+
bn_from_montgomery_small(r->words, a->words, order->width, group->order_mont);
|
72
|
+
}
|
73
|
+
|
74
|
+
void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r,
|
75
|
+
const EC_SCALAR *a, const EC_SCALAR *b) {
|
76
|
+
const BIGNUM *order = &group->order;
|
77
|
+
bn_mod_mul_montgomery_small(r->words, a->words, b->words, order->width,
|
78
|
+
group->order_mont);
|
79
|
+
}
|
80
|
+
|
81
|
+
void ec_simple_scalar_inv_montgomery(const EC_GROUP *group, EC_SCALAR *r,
|
82
|
+
const EC_SCALAR *a) {
|
83
|
+
const BIGNUM *order = &group->order;
|
84
|
+
bn_mod_inverse_prime_mont_small(r->words, a->words, order->width,
|
85
|
+
group->order_mont);
|
86
|
+
}
|
87
|
+
|
88
|
+
void ec_scalar_inv_montgomery(const EC_GROUP *group, EC_SCALAR *r,
|
89
|
+
const EC_SCALAR *a) {
|
90
|
+
group->meth->scalar_inv_montgomery(group, r, a);
|
91
|
+
}
|
92
|
+
|
93
|
+
int ec_scalar_inv_montgomery_vartime(const EC_GROUP *group, EC_SCALAR *r,
|
94
|
+
const EC_SCALAR *a) {
|
95
|
+
return group->meth->scalar_inv_montgomery_vartime(group, r, a);
|
96
|
+
}
|
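Review bot: `ec_scalar_is_zero` OR-folds every word of `a` into `mask` rather than returning at the first non-zero word, which looks like a deliberate constant-time choice, but the function carries no comment saying so. A one-line note such as `// OR all words together so the loop has no data-dependent early exit.` would keep a later "optimisation" from reintroducing a timing difference; by contrast `ec_scalar_equal_vartime` signals its OPENSSL_memcmp comparison through its name. `ec_scalar_add` wipes its `tmp` buffer with OPENSSL_cleanse while the other helpers here keep no temporaries, so that part is consistent. None of the functions in this new file has a header comment; if the contracts live in internal.h, a pointer to it at the top of the file would help a reader.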
@@ -90,18 +90,12 @@
|
|
90
90
|
|
91
91
|
int ec_GFp_simple_group_init(EC_GROUP *group) {
|
92
92
|
BN_init(&group->field);
|
93
|
-
BN_init(&group->a);
|
94
|
-
BN_init(&group->b);
|
95
|
-
BN_init(&group->one);
|
96
93
|
group->a_is_minus3 = 0;
|
97
94
|
return 1;
|
98
95
|
}
|
99
96
|
|
100
97
|
void ec_GFp_simple_group_finish(EC_GROUP *group) {
|
101
98
|
BN_free(&group->field);
|
102
|
-
BN_free(&group->a);
|
103
|
-
BN_free(&group->b);
|
104
|
-
BN_free(&group->one);
|
105
99
|
}
|
106
100
|
|
107
101
|
int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
|
@@ -109,7 +103,6 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
|
|
109
103
|
BN_CTX *ctx) {
|
110
104
|
int ret = 0;
|
111
105
|
BN_CTX *new_ctx = NULL;
|
112
|
-
BIGNUM *tmp_a;
|
113
106
|
|
114
107
|
// p must be a prime > 3
|
115
108
|
if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
|
@@ -125,8 +118,8 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
|
|
125
118
|
}
|
126
119
|
|
127
120
|
BN_CTX_start(ctx);
|
128
|
-
|
129
|
-
if (
|
121
|
+
BIGNUM *tmp = BN_CTX_get(ctx);
|
122
|
+
if (tmp == NULL) {
|
130
123
|
goto err;
|
131
124
|
}
|
132
125
|
|
@@ -139,37 +132,24 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
|
|
139
132
|
bn_set_minimal_width(&group->field);
|
140
133
|
|
141
134
|
// group->a
|
142
|
-
if (!BN_nnmod(
|
143
|
-
|
144
|
-
}
|
145
|
-
if (group->meth->field_encode) {
|
146
|
-
if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) {
|
147
|
-
goto err;
|
148
|
-
}
|
149
|
-
} else if (!BN_copy(&group->a, tmp_a)) {
|
135
|
+
if (!BN_nnmod(tmp, a, &group->field, ctx) ||
|
136
|
+
!ec_bignum_to_felem(group, &group->a, tmp)) {
|
150
137
|
goto err;
|
151
138
|
}
|
152
139
|
|
153
|
-
// group->
|
154
|
-
if (!
|
155
|
-
goto err;
|
156
|
-
}
|
157
|
-
if (group->meth->field_encode &&
|
158
|
-
!group->meth->field_encode(group, &group->b, &group->b, ctx)) {
|
140
|
+
// group->a_is_minus3
|
141
|
+
if (!BN_add_word(tmp, 3)) {
|
159
142
|
goto err;
|
160
143
|
}
|
144
|
+
group->a_is_minus3 = (0 == BN_cmp(tmp, &group->field));
|
161
145
|
|
162
|
-
// group->
|
163
|
-
if (!
|
146
|
+
// group->b
|
147
|
+
if (!BN_nnmod(tmp, b, &group->field, ctx) ||
|
148
|
+
!ec_bignum_to_felem(group, &group->b, tmp)) {
|
164
149
|
goto err;
|
165
150
|
}
|
166
|
-
group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
|
167
151
|
|
168
|
-
if (group->
|
169
|
-
if (!group->meth->field_encode(group, &group->one, BN_value_one(), ctx)) {
|
170
|
-
goto err;
|
171
|
-
}
|
172
|
-
} else if (!BN_copy(&group->one, BN_value_one())) {
|
152
|
+
if (!ec_bignum_to_felem(group, &group->one, BN_value_one())) {
|
173
153
|
goto err;
|
174
154
|
}
|
175
155
|
|
@@ -182,489 +162,67 @@ err:
|
|
182
162
|
}
|
183
163
|
|
184
164
|
int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
|
185
|
-
BIGNUM *b
|
186
|
-
|
187
|
-
|
188
|
-
|
189
|
-
if (p != NULL && !BN_copy(p, &group->field)) {
|
165
|
+
BIGNUM *b) {
|
166
|
+
if ((p != NULL && !BN_copy(p, &group->field)) ||
|
167
|
+
(a != NULL && !ec_felem_to_bignum(group, a, &group->a)) ||
|
168
|
+
(b != NULL && !ec_felem_to_bignum(group, b, &group->b))) {
|
190
169
|
return 0;
|
191
170
|
}
|
192
|
-
|
193
|
-
if (a != NULL || b != NULL) {
|
194
|
-
if (group->meth->field_decode) {
|
195
|
-
if (ctx == NULL) {
|
196
|
-
ctx = new_ctx = BN_CTX_new();
|
197
|
-
if (ctx == NULL) {
|
198
|
-
return 0;
|
199
|
-
}
|
200
|
-
}
|
201
|
-
if (a != NULL && !group->meth->field_decode(group, a, &group->a, ctx)) {
|
202
|
-
goto err;
|
203
|
-
}
|
204
|
-
if (b != NULL && !group->meth->field_decode(group, b, &group->b, ctx)) {
|
205
|
-
goto err;
|
206
|
-
}
|
207
|
-
} else {
|
208
|
-
if (a != NULL && !BN_copy(a, &group->a)) {
|
209
|
-
goto err;
|
210
|
-
}
|
211
|
-
if (b != NULL && !BN_copy(b, &group->b)) {
|
212
|
-
goto err;
|
213
|
-
}
|
214
|
-
}
|
215
|
-
}
|
216
|
-
|
217
|
-
ret = 1;
|
218
|
-
|
219
|
-
err:
|
220
|
-
BN_CTX_free(new_ctx);
|
221
|
-
return ret;
|
222
|
-
}
|
223
|
-
|
224
|
-
unsigned ec_GFp_simple_group_get_degree(const EC_GROUP *group) {
|
225
|
-
return BN_num_bits(&group->field);
|
226
|
-
}
|
227
|
-
|
228
|
-
int ec_GFp_simple_point_init(EC_POINT *point) {
|
229
|
-
BN_init(&point->X);
|
230
|
-
BN_init(&point->Y);
|
231
|
-
BN_init(&point->Z);
|
232
|
-
|
233
171
|
return 1;
|
234
172
|
}
|
235
173
|
|
236
|
-
void
|
237
|
-
|
238
|
-
|
239
|
-
|
240
|
-
}
|
241
|
-
|
242
|
-
int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) {
|
243
|
-
if (!BN_copy(&dest->X, &src->X) ||
|
244
|
-
!BN_copy(&dest->Y, &src->Y) ||
|
245
|
-
!BN_copy(&dest->Z, &src->Z)) {
|
246
|
-
return 0;
|
247
|
-
}
|
248
|
-
|
249
|
-
return 1;
|
174
|
+
void ec_GFp_simple_point_init(EC_RAW_POINT *point) {
|
175
|
+
OPENSSL_memset(&point->X, 0, sizeof(EC_FELEM));
|
176
|
+
OPENSSL_memset(&point->Y, 0, sizeof(EC_FELEM));
|
177
|
+
OPENSSL_memset(&point->Z, 0, sizeof(EC_FELEM));
|
250
178
|
}
|
251
179
|
|
252
|
-
|
253
|
-
|
254
|
-
|
255
|
-
|
180
|
+
void ec_GFp_simple_point_copy(EC_RAW_POINT *dest, const EC_RAW_POINT *src) {
|
181
|
+
OPENSSL_memcpy(&dest->X, &src->X, sizeof(EC_FELEM));
|
182
|
+
OPENSSL_memcpy(&dest->Y, &src->Y, sizeof(EC_FELEM));
|
183
|
+
OPENSSL_memcpy(&dest->Z, &src->Z, sizeof(EC_FELEM));
|
256
184
|
}
|
257
185
|
|
258
|
-
|
259
|
-
|
260
|
-
|
261
|
-
|
262
|
-
|
263
|
-
if (BN_is_negative(in) ||
|
264
|
-
BN_cmp(in, &group->field) >= 0) {
|
265
|
-
OPENSSL_PUT_ERROR(EC, EC_R_COORDINATES_OUT_OF_RANGE);
|
266
|
-
return 0;
|
267
|
-
}
|
268
|
-
if (group->meth->field_encode) {
|
269
|
-
return group->meth->field_encode(group, out, in, ctx);
|
270
|
-
}
|
271
|
-
return BN_copy(out, in) != NULL;
|
186
|
+
void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,
|
187
|
+
EC_RAW_POINT *point) {
|
188
|
+
// Although it is strictly only necessary to zero Z, we zero the entire point
|
189
|
+
// in case |point| was stack-allocated and yet to be initialized.
|
190
|
+
ec_GFp_simple_point_init(point);
|
272
191
|
}
|
273
192
|
|
274
193
|
int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group,
|
275
|
-
|
276
|
-
const BIGNUM *
|
194
|
+
EC_RAW_POINT *point,
|
195
|
+
const BIGNUM *x,
|
196
|
+
const BIGNUM *y) {
|
277
197
|
if (x == NULL || y == NULL) {
|
278
198
|
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
|
279
199
|
return 0;
|
280
200
|
}
|
281
201
|
|
282
|
-
|
283
|
-
|
284
|
-
|
285
|
-
if (ctx == NULL) {
|
286
|
-
ctx = new_ctx = BN_CTX_new();
|
287
|
-
if (ctx == NULL) {
|
288
|
-
return 0;
|
289
|
-
}
|
290
|
-
}
|
291
|
-
|
292
|
-
if (!set_Jprojective_coordinate_GFp(group, &point->X, x, ctx) ||
|
293
|
-
!set_Jprojective_coordinate_GFp(group, &point->Y, y, ctx) ||
|
294
|
-
!BN_copy(&point->Z, &group->one)) {
|
295
|
-
goto err;
|
296
|
-
}
|
297
|
-
|
298
|
-
ret = 1;
|
299
|
-
|
300
|
-
err:
|
301
|
-
BN_CTX_free(new_ctx);
|
302
|
-
return ret;
|
303
|
-
}
|
304
|
-
|
305
|
-
int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
|
306
|
-
const EC_POINT *b, BN_CTX *ctx) {
|
307
|
-
int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
|
308
|
-
BN_CTX *);
|
309
|
-
int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
|
310
|
-
const BIGNUM *p;
|
311
|
-
BN_CTX *new_ctx = NULL;
|
312
|
-
BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
|
313
|
-
int ret = 0;
|
314
|
-
|
315
|
-
if (a == b) {
|
316
|
-
return EC_POINT_dbl(group, r, a, ctx);
|
317
|
-
}
|
318
|
-
if (EC_POINT_is_at_infinity(group, a)) {
|
319
|
-
return EC_POINT_copy(r, b);
|
320
|
-
}
|
321
|
-
if (EC_POINT_is_at_infinity(group, b)) {
|
322
|
-
return EC_POINT_copy(r, a);
|
323
|
-
}
|
324
|
-
|
325
|
-
field_mul = group->meth->field_mul;
|
326
|
-
field_sqr = group->meth->field_sqr;
|
327
|
-
p = &group->field;
|
328
|
-
|
329
|
-
if (ctx == NULL) {
|
330
|
-
ctx = new_ctx = BN_CTX_new();
|
331
|
-
if (ctx == NULL) {
|
332
|
-
return 0;
|
333
|
-
}
|
334
|
-
}
|
335
|
-
|
336
|
-
BN_CTX_start(ctx);
|
337
|
-
n0 = BN_CTX_get(ctx);
|
338
|
-
n1 = BN_CTX_get(ctx);
|
339
|
-
n2 = BN_CTX_get(ctx);
|
340
|
-
n3 = BN_CTX_get(ctx);
|
341
|
-
n4 = BN_CTX_get(ctx);
|
342
|
-
n5 = BN_CTX_get(ctx);
|
343
|
-
n6 = BN_CTX_get(ctx);
|
344
|
-
if (n6 == NULL) {
|
345
|
-
goto end;
|
346
|
-
}
|
347
|
-
|
348
|
-
// Note that in this function we must not read components of 'a' or 'b'
|
349
|
-
// once we have written the corresponding components of 'r'.
|
350
|
-
// ('r' might be one of 'a' or 'b'.)
|
351
|
-
|
352
|
-
// n1, n2
|
353
|
-
int b_Z_is_one = BN_cmp(&b->Z, &group->one) == 0;
|
354
|
-
|
355
|
-
if (b_Z_is_one) {
|
356
|
-
if (!BN_copy(n1, &a->X) || !BN_copy(n2, &a->Y)) {
|
357
|
-
goto end;
|
358
|
-
}
|
359
|
-
// n1 = X_a
|
360
|
-
// n2 = Y_a
|
361
|
-
} else {
|
362
|
-
if (!field_sqr(group, n0, &b->Z, ctx) ||
|
363
|
-
!field_mul(group, n1, &a->X, n0, ctx)) {
|
364
|
-
goto end;
|
365
|
-
}
|
366
|
-
// n1 = X_a * Z_b^2
|
367
|
-
|
368
|
-
if (!field_mul(group, n0, n0, &b->Z, ctx) ||
|
369
|
-
!field_mul(group, n2, &a->Y, n0, ctx)) {
|
370
|
-
goto end;
|
371
|
-
}
|
372
|
-
// n2 = Y_a * Z_b^3
|
373
|
-
}
|
374
|
-
|
375
|
-
// n3, n4
|
376
|
-
int a_Z_is_one = BN_cmp(&a->Z, &group->one) == 0;
|
377
|
-
if (a_Z_is_one) {
|
378
|
-
if (!BN_copy(n3, &b->X) || !BN_copy(n4, &b->Y)) {
|
379
|
-
goto end;
|
380
|
-
}
|
381
|
-
// n3 = X_b
|
382
|
-
// n4 = Y_b
|
383
|
-
} else {
|
384
|
-
if (!field_sqr(group, n0, &a->Z, ctx) ||
|
385
|
-
!field_mul(group, n3, &b->X, n0, ctx)) {
|
386
|
-
goto end;
|
387
|
-
}
|
388
|
-
// n3 = X_b * Z_a^2
|
389
|
-
|
390
|
-
if (!field_mul(group, n0, n0, &a->Z, ctx) ||
|
391
|
-
!field_mul(group, n4, &b->Y, n0, ctx)) {
|
392
|
-
goto end;
|
393
|
-
}
|
394
|
-
// n4 = Y_b * Z_a^3
|
395
|
-
}
|
396
|
-
|
397
|
-
// n5, n6
|
398
|
-
if (!bn_mod_sub_consttime(n5, n1, n3, p, ctx) ||
|
399
|
-
!bn_mod_sub_consttime(n6, n2, n4, p, ctx)) {
|
400
|
-
goto end;
|
401
|
-
}
|
402
|
-
// n5 = n1 - n3
|
403
|
-
// n6 = n2 - n4
|
404
|
-
|
405
|
-
if (BN_is_zero(n5)) {
|
406
|
-
if (BN_is_zero(n6)) {
|
407
|
-
// a is the same point as b
|
408
|
-
BN_CTX_end(ctx);
|
409
|
-
ret = EC_POINT_dbl(group, r, a, ctx);
|
410
|
-
ctx = NULL;
|
411
|
-
goto end;
|
412
|
-
} else {
|
413
|
-
// a is the inverse of b
|
414
|
-
BN_zero(&r->Z);
|
415
|
-
ret = 1;
|
416
|
-
goto end;
|
417
|
-
}
|
418
|
-
}
|
419
|
-
|
420
|
-
// 'n7', 'n8'
|
421
|
-
if (!bn_mod_add_consttime(n1, n1, n3, p, ctx) ||
|
422
|
-
!bn_mod_add_consttime(n2, n2, n4, p, ctx)) {
|
423
|
-
goto end;
|
424
|
-
}
|
425
|
-
// 'n7' = n1 + n3
|
426
|
-
// 'n8' = n2 + n4
|
427
|
-
|
428
|
-
// Z_r
|
429
|
-
if (a_Z_is_one && b_Z_is_one) {
|
430
|
-
if (!BN_copy(&r->Z, n5)) {
|
431
|
-
goto end;
|
432
|
-
}
|
433
|
-
} else {
|
434
|
-
if (a_Z_is_one) {
|
435
|
-
if (!BN_copy(n0, &b->Z)) {
|
436
|
-
goto end;
|
437
|
-
}
|
438
|
-
} else if (b_Z_is_one) {
|
439
|
-
if (!BN_copy(n0, &a->Z)) {
|
440
|
-
goto end;
|
441
|
-
}
|
442
|
-
} else if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) {
|
443
|
-
goto end;
|
444
|
-
}
|
445
|
-
if (!field_mul(group, &r->Z, n0, n5, ctx)) {
|
446
|
-
goto end;
|
447
|
-
}
|
448
|
-
}
|
449
|
-
|
450
|
-
// Z_r = Z_a * Z_b * n5
|
451
|
-
|
452
|
-
// X_r
|
453
|
-
if (!field_sqr(group, n0, n6, ctx) ||
|
454
|
-
!field_sqr(group, n4, n5, ctx) ||
|
455
|
-
!field_mul(group, n3, n1, n4, ctx) ||
|
456
|
-
!bn_mod_sub_consttime(&r->X, n0, n3, p, ctx)) {
|
457
|
-
goto end;
|
458
|
-
}
|
459
|
-
// X_r = n6^2 - n5^2 * 'n7'
|
460
|
-
|
461
|
-
// 'n9'
|
462
|
-
if (!bn_mod_lshift1_consttime(n0, &r->X, p, ctx) ||
|
463
|
-
!bn_mod_sub_consttime(n0, n3, n0, p, ctx)) {
|
464
|
-
goto end;
|
465
|
-
}
|
466
|
-
// n9 = n5^2 * 'n7' - 2 * X_r
|
467
|
-
|
468
|
-
// Y_r
|
469
|
-
if (!field_mul(group, n0, n0, n6, ctx) ||
|
470
|
-
!field_mul(group, n5, n4, n5, ctx)) {
|
471
|
-
goto end; // now n5 is n5^3
|
472
|
-
}
|
473
|
-
if (!field_mul(group, n1, n2, n5, ctx) ||
|
474
|
-
!bn_mod_sub_consttime(n0, n0, n1, p, ctx)) {
|
475
|
-
goto end;
|
476
|
-
}
|
477
|
-
if (BN_is_odd(n0) && !BN_add(n0, n0, p)) {
|
478
|
-
goto end;
|
479
|
-
}
|
480
|
-
// now 0 <= n0 < 2*p, and n0 is even
|
481
|
-
if (!BN_rshift1(&r->Y, n0)) {
|
482
|
-
goto end;
|
483
|
-
}
|
484
|
-
// Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2
|
485
|
-
|
486
|
-
ret = 1;
|
487
|
-
|
488
|
-
end:
|
489
|
-
if (ctx) {
|
490
|
-
// otherwise we already called BN_CTX_end
|
491
|
-
BN_CTX_end(ctx);
|
492
|
-
}
|
493
|
-
BN_CTX_free(new_ctx);
|
494
|
-
return ret;
|
495
|
-
}
|
496
|
-
|
497
|
-
int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
|
498
|
-
BN_CTX *ctx) {
|
499
|
-
int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
|
500
|
-
BN_CTX *);
|
501
|
-
int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
|
502
|
-
const BIGNUM *p;
|
503
|
-
BN_CTX *new_ctx = NULL;
|
504
|
-
BIGNUM *n0, *n1, *n2, *n3;
|
505
|
-
int ret = 0;
|
506
|
-
|
507
|
-
if (EC_POINT_is_at_infinity(group, a)) {
|
508
|
-
BN_zero(&r->Z);
|
509
|
-
return 1;
|
510
|
-
}
|
511
|
-
|
512
|
-
field_mul = group->meth->field_mul;
|
513
|
-
field_sqr = group->meth->field_sqr;
|
514
|
-
p = &group->field;
|
515
|
-
|
516
|
-
if (ctx == NULL) {
|
517
|
-
ctx = new_ctx = BN_CTX_new();
|
518
|
-
if (ctx == NULL) {
|
519
|
-
return 0;
|
520
|
-
}
|
521
|
-
}
|
522
|
-
|
523
|
-
BN_CTX_start(ctx);
|
524
|
-
n0 = BN_CTX_get(ctx);
|
525
|
-
n1 = BN_CTX_get(ctx);
|
526
|
-
n2 = BN_CTX_get(ctx);
|
527
|
-
n3 = BN_CTX_get(ctx);
|
528
|
-
if (n3 == NULL) {
|
529
|
-
goto err;
|
530
|
-
}
|
531
|
-
|
532
|
-
// Note that in this function we must not read components of 'a'
|
533
|
-
// once we have written the corresponding components of 'r'.
|
534
|
-
// ('r' might the same as 'a'.)
|
535
|
-
|
536
|
-
// n1
|
537
|
-
if (BN_cmp(&a->Z, &group->one) == 0) {
|
538
|
-
if (!field_sqr(group, n0, &a->X, ctx) ||
|
539
|
-
!bn_mod_lshift1_consttime(n1, n0, p, ctx) ||
|
540
|
-
!bn_mod_add_consttime(n0, n0, n1, p, ctx) ||
|
541
|
-
!bn_mod_add_consttime(n1, n0, &group->a, p, ctx)) {
|
542
|
-
goto err;
|
543
|
-
}
|
544
|
-
// n1 = 3 * X_a^2 + a_curve
|
545
|
-
} else if (group->a_is_minus3) {
|
546
|
-
if (!field_sqr(group, n1, &a->Z, ctx) ||
|
547
|
-
!bn_mod_add_consttime(n0, &a->X, n1, p, ctx) ||
|
548
|
-
!bn_mod_sub_consttime(n2, &a->X, n1, p, ctx) ||
|
549
|
-
!field_mul(group, n1, n0, n2, ctx) ||
|
550
|
-
!bn_mod_lshift1_consttime(n0, n1, p, ctx) ||
|
551
|
-
!bn_mod_add_consttime(n1, n0, n1, p, ctx)) {
|
552
|
-
goto err;
|
553
|
-
}
|
554
|
-
// n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
|
555
|
-
// = 3 * X_a^2 - 3 * Z_a^4
|
556
|
-
} else {
|
557
|
-
if (!field_sqr(group, n0, &a->X, ctx) ||
|
558
|
-
!bn_mod_lshift1_consttime(n1, n0, p, ctx) ||
|
559
|
-
!bn_mod_add_consttime(n0, n0, n1, p, ctx) ||
|
560
|
-
!field_sqr(group, n1, &a->Z, ctx) ||
|
561
|
-
!field_sqr(group, n1, n1, ctx) ||
|
562
|
-
!field_mul(group, n1, n1, &group->a, ctx) ||
|
563
|
-
!bn_mod_add_consttime(n1, n1, n0, p, ctx)) {
|
564
|
-
goto err;
|
565
|
-
}
|
566
|
-
// n1 = 3 * X_a^2 + a_curve * Z_a^4
|
567
|
-
}
|
568
|
-
|
569
|
-
// Z_r
|
570
|
-
if (BN_cmp(&a->Z, &group->one) == 0) {
|
571
|
-
if (!BN_copy(n0, &a->Y)) {
|
572
|
-
goto err;
|
573
|
-
}
|
574
|
-
} else if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) {
|
575
|
-
goto err;
|
576
|
-
}
|
577
|
-
if (!bn_mod_lshift1_consttime(&r->Z, n0, p, ctx)) {
|
578
|
-
goto err;
|
579
|
-
}
|
580
|
-
// Z_r = 2 * Y_a * Z_a
|
581
|
-
|
582
|
-
// n2
|
583
|
-
if (!field_sqr(group, n3, &a->Y, ctx) ||
|
584
|
-
!field_mul(group, n2, &a->X, n3, ctx) ||
|
585
|
-
!bn_mod_lshift_consttime(n2, n2, 2, p, ctx)) {
|
586
|
-
goto err;
|
587
|
-
}
|
588
|
-
// n2 = 4 * X_a * Y_a^2
|
589
|
-
|
590
|
-
// X_r
|
591
|
-
if (!bn_mod_lshift1_consttime(n0, n2, p, ctx) ||
|
592
|
-
!field_sqr(group, &r->X, n1, ctx) ||
|
593
|
-
!bn_mod_sub_consttime(&r->X, &r->X, n0, p, ctx)) {
|
594
|
-
goto err;
|
595
|
-
}
|
596
|
-
// X_r = n1^2 - 2 * n2
|
597
|
-
|
598
|
-
// n3
|
599
|
-
if (!field_sqr(group, n0, n3, ctx) ||
|
600
|
-
!bn_mod_lshift_consttime(n3, n0, 3, p, ctx)) {
|
601
|
-
goto err;
|
602
|
-
}
|
603
|
-
// n3 = 8 * Y_a^4
|
604
|
-
|
605
|
-
// Y_r
|
606
|
-
if (!bn_mod_sub_consttime(n0, n2, &r->X, p, ctx) ||
|
607
|
-
!field_mul(group, n0, n1, n0, ctx) ||
|
608
|
-
!bn_mod_sub_consttime(&r->Y, n0, n3, p, ctx)) {
|
609
|
-
goto err;
|
202
|
+
if (!ec_bignum_to_felem(group, &point->X, x) ||
|
203
|
+
!ec_bignum_to_felem(group, &point->Y, y)) {
|
204
|
+
return 0;
|
610
205
|
}
|
611
|
-
|
206
|
+
OPENSSL_memcpy(&point->Z, &group->one, sizeof(EC_FELEM));
|
612
207
|
|
613
|
-
|
614
|
-
|
615
|
-
err:
|
616
|
-
BN_CTX_end(ctx);
|
617
|
-
BN_CTX_free(new_ctx);
|
618
|
-
return ret;
|
208
|
+
return 1;
|
619
209
|
}
|
620
210
|
|
621
|
-
|
622
|
-
|
623
|
-
// point is its own inverse
|
624
|
-
return 1;
|
625
|
-
}
|
626
|
-
|
627
|
-
return BN_usub(&point->Y, &group->field, &point->Y);
|
211
|
+
void ec_GFp_simple_invert(const EC_GROUP *group, EC_RAW_POINT *point) {
|
212
|
+
ec_felem_neg(group, &point->Y, &point->Y);
|
628
213
|
}
|
629
214
|
|
630
|
-
int ec_GFp_simple_is_at_infinity(const EC_GROUP *group,
|
631
|
-
|
215
|
+
int ec_GFp_simple_is_at_infinity(const EC_GROUP *group,
|
216
|
+
const EC_RAW_POINT *point) {
|
217
|
+
return ec_felem_non_zero_mask(group, &point->Z) == 0;
|
632
218
|
}
|
633
219
|
|
634
|
-
int ec_GFp_simple_is_on_curve(const EC_GROUP *group,
|
635
|
-
|
636
|
-
|
637
|
-
BN_CTX *);
|
638
|
-
int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
|
639
|
-
const BIGNUM *p;
|
640
|
-
BN_CTX *new_ctx = NULL;
|
641
|
-
BIGNUM *rh, *tmp, *Z4, *Z6;
|
642
|
-
int ret = 0;
|
643
|
-
|
644
|
-
if (EC_POINT_is_at_infinity(group, point)) {
|
220
|
+
int ec_GFp_simple_is_on_curve(const EC_GROUP *group,
|
221
|
+
const EC_RAW_POINT *point) {
|
222
|
+
if (ec_GFp_simple_is_at_infinity(group, point)) {
|
645
223
|
return 1;
|
646
224
|
}
|
647
225
|
|
648
|
-
field_mul = group->meth->field_mul;
|
649
|
-
field_sqr = group->meth->field_sqr;
|
650
|
-
p = &group->field;
|
651
|
-
|
652
|
-
if (ctx == NULL) {
|
653
|
-
ctx = new_ctx = BN_CTX_new();
|
654
|
-
if (ctx == NULL) {
|
655
|
-
return 0;
|
656
|
-
}
|
657
|
-
}
|
658
|
-
|
659
|
-
BN_CTX_start(ctx);
|
660
|
-
rh = BN_CTX_get(ctx);
|
661
|
-
tmp = BN_CTX_get(ctx);
|
662
|
-
Z4 = BN_CTX_get(ctx);
|
663
|
-
Z6 = BN_CTX_get(ctx);
|
664
|
-
if (Z6 == NULL) {
|
665
|
-
goto err;
|
666
|
-
}
|
667
|
-
|
668
226
|
// We have a curve defined by a Weierstrass equation
|
669
227
|
// y^2 = x^3 + a*x + b.
|
670
228
|
// The point to consider is given in Jacobian projective coordinates
|
@@ -674,79 +232,53 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
|
|
674
232
|
// Y^2 = X^3 + a*X*Z^4 + b*Z^6.
|
675
233
|
// To test this, we add up the right-hand side in 'rh'.
|
676
234
|
|
235
|
+
void (*const felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,
|
236
|
+
const EC_FELEM *b) = group->meth->felem_mul;
|
237
|
+
void (*const felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a) =
|
238
|
+
group->meth->felem_sqr;
|
239
|
+
|
677
240
|
// rh := X^2
|
678
|
-
|
679
|
-
|
680
|
-
}
|
241
|
+
EC_FELEM rh;
|
242
|
+
felem_sqr(group, &rh, &point->X);
|
681
243
|
|
682
|
-
|
683
|
-
|
684
|
-
|
685
|
-
|
686
|
-
|
687
|
-
}
|
244
|
+
EC_FELEM tmp, Z4, Z6;
|
245
|
+
if (!ec_felem_equal(group, &point->Z, &group->one)) {
|
246
|
+
felem_sqr(group, &tmp, &point->Z);
|
247
|
+
felem_sqr(group, &Z4, &tmp);
|
248
|
+
felem_mul(group, &Z6, &Z4, &tmp);
|
688
249
|
|
689
250
|
// rh := (rh + a*Z^4)*X
|
690
251
|
if (group->a_is_minus3) {
|
691
|
-
|
692
|
-
|
693
|
-
|
694
|
-
|
695
|
-
goto err;
|
696
|
-
}
|
252
|
+
ec_felem_add(group, &tmp, &Z4, &Z4);
|
253
|
+
ec_felem_add(group, &tmp, &tmp, &Z4);
|
254
|
+
ec_felem_sub(group, &rh, &rh, &tmp);
|
255
|
+
felem_mul(group, &rh, &rh, &point->X);
|
697
256
|
} else {
|
698
|
-
|
699
|
-
|
700
|
-
|
701
|
-
goto err;
|
702
|
-
}
|
257
|
+
felem_mul(group, &tmp, &Z4, &group->a);
|
258
|
+
ec_felem_add(group, &rh, &rh, &tmp);
|
259
|
+
felem_mul(group, &rh, &rh, &point->X);
|
703
260
|
}
|
704
261
|
|
705
262
|
// rh := rh + b*Z^6
|
706
|
-
|
707
|
-
|
708
|
-
goto err;
|
709
|
-
}
|
263
|
+
felem_mul(group, &tmp, &group->b, &Z6);
|
264
|
+
ec_felem_add(group, &rh, &rh, &tmp);
|
710
265
|
} else {
|
711
266
|
// rh := (rh + a)*X
|
712
|
-
|
713
|
-
|
714
|
-
goto err;
|
715
|
-
}
|
267
|
+
ec_felem_add(group, &rh, &rh, &group->a);
|
268
|
+
felem_mul(group, &rh, &rh, &point->X);
|
716
269
|
// rh := rh + b
|
717
|
-
|
718
|
-
goto err;
|
719
|
-
}
|
270
|
+
ec_felem_add(group, &rh, &rh, &group->b);
|
720
271
|
}
|
721
272
|
|
722
273
|
// 'lh' := Y^2
|
723
|
-
|
724
|
-
|
725
|
-
}
|
726
|
-
|
727
|
-
ret = (0 == BN_ucmp(tmp, rh));
|
728
|
-
|
729
|
-
err:
|
730
|
-
BN_CTX_end(ctx);
|
731
|
-
BN_CTX_free(new_ctx);
|
732
|
-
return ret;
|
274
|
+
felem_sqr(group, &tmp, &point->Y);
|
275
|
+
return ec_felem_equal(group, &tmp, &rh);
|
733
276
|
}
|
734
277
|
|
735
|
-
int ec_GFp_simple_cmp(const EC_GROUP *group, const
|
736
|
-
const
|
737
|
-
//
|
738
|
-
//
|
739
|
-
// 0 equal (in affine coordinates)
|
740
|
-
// 1 not equal
|
741
|
-
|
742
|
-
int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
|
743
|
-
BN_CTX *);
|
744
|
-
int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
|
745
|
-
BN_CTX *new_ctx = NULL;
|
746
|
-
BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
|
747
|
-
const BIGNUM *tmp1_, *tmp2_;
|
748
|
-
int ret = -1;
|
749
|
-
|
278
|
+
int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_RAW_POINT *a,
|
279
|
+
const EC_RAW_POINT *b) {
|
280
|
+
// Note this function returns zero if |a| and |b| are equal and 1 if they are
|
281
|
+
// not equal.
|
750
282
|
if (ec_GFp_simple_is_at_infinity(group, a)) {
|
751
283
|
return ec_GFp_simple_is_at_infinity(group, b) ? 0 : 1;
|
752
284
|
}
|
@@ -755,292 +287,94 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
|
|
755
287
|
return 1;
|
756
288
|
}
|
757
289
|
|
758
|
-
int a_Z_is_one =
|
759
|
-
int b_Z_is_one =
|
290
|
+
int a_Z_is_one = ec_felem_equal(group, &a->Z, &group->one);
|
291
|
+
int b_Z_is_one = ec_felem_equal(group, &b->Z, &group->one);
|
760
292
|
|
761
293
|
if (a_Z_is_one && b_Z_is_one) {
|
762
|
-
return (
|
294
|
+
return !ec_felem_equal(group, &a->X, &b->X) ||
|
295
|
+
!ec_felem_equal(group, &a->Y, &b->Y);
|
763
296
|
}
|
764
297
|
|
765
|
-
|
766
|
-
|
767
|
-
|
768
|
-
|
769
|
-
ctx = new_ctx = BN_CTX_new();
|
770
|
-
if (ctx == NULL) {
|
771
|
-
return -1;
|
772
|
-
}
|
773
|
-
}
|
774
|
-
|
775
|
-
BN_CTX_start(ctx);
|
776
|
-
tmp1 = BN_CTX_get(ctx);
|
777
|
-
tmp2 = BN_CTX_get(ctx);
|
778
|
-
Za23 = BN_CTX_get(ctx);
|
779
|
-
Zb23 = BN_CTX_get(ctx);
|
780
|
-
if (Zb23 == NULL) {
|
781
|
-
goto end;
|
782
|
-
}
|
298
|
+
void (*const felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,
|
299
|
+
const EC_FELEM *b) = group->meth->felem_mul;
|
300
|
+
void (*const felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a) =
|
301
|
+
group->meth->felem_sqr;
|
783
302
|
|
784
303
|
// We have to decide whether
|
785
304
|
// (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
|
786
305
|
// or equivalently, whether
|
787
306
|
// (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
|
788
307
|
|
308
|
+
EC_FELEM tmp1, tmp2, Za23, Zb23;
|
309
|
+
const EC_FELEM *tmp1_, *tmp2_;
|
789
310
|
if (!b_Z_is_one) {
|
790
|
-
|
791
|
-
|
792
|
-
|
793
|
-
}
|
794
|
-
tmp1_ = tmp1;
|
311
|
+
felem_sqr(group, &Zb23, &b->Z);
|
312
|
+
felem_mul(group, &tmp1, &a->X, &Zb23);
|
313
|
+
tmp1_ = &tmp1;
|
795
314
|
} else {
|
796
315
|
tmp1_ = &a->X;
|
797
316
|
}
|
798
317
|
if (!a_Z_is_one) {
|
799
|
-
|
800
|
-
|
801
|
-
|
802
|
-
}
|
803
|
-
tmp2_ = tmp2;
|
318
|
+
felem_sqr(group, &Za23, &a->Z);
|
319
|
+
felem_mul(group, &tmp2, &b->X, &Za23);
|
320
|
+
tmp2_ = &tmp2;
|
804
321
|
} else {
|
805
322
|
tmp2_ = &b->X;
|
806
323
|
}
|
807
324
|
|
808
|
-
//
|
809
|
-
if (
|
810
|
-
|
811
|
-
goto end;
|
325
|
+
// Compare X_a*Z_b^2 with X_b*Z_a^2.
|
326
|
+
if (!ec_felem_equal(group, tmp1_, tmp2_)) {
|
327
|
+
return 1; // The points differ.
|
812
328
|
}
|
813
329
|
|
814
|
-
|
815
330
|
if (!b_Z_is_one) {
|
816
|
-
|
817
|
-
|
818
|
-
|
819
|
-
}
|
820
|
-
// tmp1_ = tmp1
|
331
|
+
felem_mul(group, &Zb23, &Zb23, &b->Z);
|
332
|
+
felem_mul(group, &tmp1, &a->Y, &Zb23);
|
333
|
+
// tmp1_ = &tmp1
|
821
334
|
} else {
|
822
335
|
tmp1_ = &a->Y;
|
823
336
|
}
|
824
337
|
if (!a_Z_is_one) {
|
825
|
-
|
826
|
-
|
827
|
-
|
828
|
-
}
|
829
|
-
// tmp2_ = tmp2
|
338
|
+
felem_mul(group, &Za23, &Za23, &a->Z);
|
339
|
+
felem_mul(group, &tmp2, &b->Y, &Za23);
|
340
|
+
// tmp2_ = &tmp2
|
830
341
|
} else {
|
831
342
|
tmp2_ = &b->Y;
|
832
343
|
}
|
833
344
|
|
834
|
-
//
|
835
|
-
if (
|
836
|
-
|
837
|
-
goto end;
|
345
|
+
// Compare Y_a*Z_b^3 with Y_b*Z_a^3.
|
346
|
+
if (!ec_felem_equal(group, tmp1_, tmp2_)) {
|
347
|
+
return 1; // The points differ.
|
838
348
|
}
|
839
349
|
|
840
|
-
// points are equal
|
841
|
-
|
842
|
-
|
843
|
-
end:
|
844
|
-
BN_CTX_end(ctx);
|
845
|
-
BN_CTX_free(new_ctx);
|
846
|
-
return ret;
|
350
|
+
// The points are equal.
|
351
|
+
return 0;
|
847
352
|
}
|
848
353
|
|
849
|
-
int
|
850
|
-
|
851
|
-
|
852
|
-
|
853
|
-
|
854
|
-
|
855
|
-
|
856
|
-
|
857
|
-
|
858
|
-
|
859
|
-
|
860
|
-
|
861
|
-
|
862
|
-
if (ctx == NULL) {
|
863
|
-
return 0;
|
864
|
-
}
|
865
|
-
}
|
866
|
-
|
867
|
-
BN_CTX_start(ctx);
|
868
|
-
x = BN_CTX_get(ctx);
|
869
|
-
y = BN_CTX_get(ctx);
|
870
|
-
if (y == NULL) {
|
871
|
-
goto err;
|
872
|
-
}
|
873
|
-
|
874
|
-
if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx) ||
|
875
|
-
!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
|
876
|
-
goto err;
|
877
|
-
}
|
878
|
-
if (BN_cmp(&point->Z, &group->one) != 0) {
|
879
|
-
OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
|
880
|
-
goto err;
|
881
|
-
}
|
882
|
-
|
883
|
-
ret = 1;
|
884
|
-
|
885
|
-
err:
|
886
|
-
BN_CTX_end(ctx);
|
887
|
-
BN_CTX_free(new_ctx);
|
888
|
-
return ret;
|
354
|
+
int ec_GFp_simple_mont_inv_mod_ord_vartime(const EC_GROUP *group,
|
355
|
+
EC_SCALAR *out,
|
356
|
+
const EC_SCALAR *in) {
|
357
|
+
// This implementation (in fact) runs in constant time,
|
358
|
+
// even though for this interface it is not mandatory.
|
359
|
+
|
360
|
+
// out = in^-1 in the Montgomery domain. This is
|
361
|
+
// |ec_scalar_to_montgomery| followed by |ec_scalar_inv_montgomery|, but
|
362
|
+
// |ec_scalar_inv_montgomery| followed by |ec_scalar_from_montgomery| is
|
363
|
+
// equivalent and slightly more efficient.
|
364
|
+
ec_scalar_inv_montgomery(group, out, in);
|
365
|
+
ec_scalar_from_montgomery(group, out, out);
|
366
|
+
return 1;
|
889
367
|
}
|
890
368
|
|
891
|
-
int
|
892
|
-
|
893
|
-
|
894
|
-
|
895
|
-
|
896
|
-
|
897
|
-
|
898
|
-
if (num == 0) {
|
899
|
-
return 1;
|
900
|
-
}
|
901
|
-
|
902
|
-
if (ctx == NULL) {
|
903
|
-
ctx = new_ctx = BN_CTX_new();
|
904
|
-
if (ctx == NULL) {
|
905
|
-
return 0;
|
906
|
-
}
|
907
|
-
}
|
908
|
-
|
909
|
-
BN_CTX_start(ctx);
|
910
|
-
tmp = BN_CTX_get(ctx);
|
911
|
-
tmp_Z = BN_CTX_get(ctx);
|
912
|
-
if (tmp == NULL || tmp_Z == NULL) {
|
913
|
-
goto err;
|
914
|
-
}
|
915
|
-
|
916
|
-
prod_Z = OPENSSL_malloc(num * sizeof(prod_Z[0]));
|
917
|
-
if (prod_Z == NULL) {
|
918
|
-
goto err;
|
919
|
-
}
|
920
|
-
OPENSSL_memset(prod_Z, 0, num * sizeof(prod_Z[0]));
|
921
|
-
for (size_t i = 0; i < num; i++) {
|
922
|
-
prod_Z[i] = BN_new();
|
923
|
-
if (prod_Z[i] == NULL) {
|
924
|
-
goto err;
|
925
|
-
}
|
926
|
-
}
|
927
|
-
|
928
|
-
// Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
|
929
|
-
// skipping any zero-valued inputs (pretend that they're 1).
|
930
|
-
|
931
|
-
if (!BN_is_zero(&points[0]->Z)) {
|
932
|
-
if (!BN_copy(prod_Z[0], &points[0]->Z)) {
|
933
|
-
goto err;
|
934
|
-
}
|
935
|
-
} else {
|
936
|
-
if (BN_copy(prod_Z[0], &group->one) == NULL) {
|
937
|
-
goto err;
|
938
|
-
}
|
939
|
-
}
|
940
|
-
|
941
|
-
for (size_t i = 1; i < num; i++) {
|
942
|
-
if (!BN_is_zero(&points[i]->Z)) {
|
943
|
-
if (!group->meth->field_mul(group, prod_Z[i], prod_Z[i - 1],
|
944
|
-
&points[i]->Z, ctx)) {
|
945
|
-
goto err;
|
946
|
-
}
|
947
|
-
} else {
|
948
|
-
if (!BN_copy(prod_Z[i], prod_Z[i - 1])) {
|
949
|
-
goto err;
|
950
|
-
}
|
951
|
-
}
|
952
|
-
}
|
953
|
-
|
954
|
-
// Now use a single explicit inversion to replace every non-zero points[i]->Z
|
955
|
-
// by its inverse. We use |BN_mod_inverse_odd| instead of doing a constant-
|
956
|
-
// time inversion using Fermat's Little Theorem because this function is
|
957
|
-
// usually only used for converting multiples of a public key point to
|
958
|
-
// affine, and a public key point isn't secret. If we were to use Fermat's
|
959
|
-
// Little Theorem then the cost of the inversion would usually be so high
|
960
|
-
// that converting the multiples to affine would be counterproductive.
|
961
|
-
int no_inverse;
|
962
|
-
if (!BN_mod_inverse_odd(tmp, &no_inverse, prod_Z[num - 1], &group->field,
|
963
|
-
ctx)) {
|
964
|
-
OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
|
965
|
-
goto err;
|
966
|
-
}
|
967
|
-
|
968
|
-
if (group->meth->field_encode != NULL) {
|
969
|
-
// In the Montgomery case, we just turned R*H (representing H)
|
970
|
-
// into 1/(R*H), but we need R*(1/H) (representing 1/H);
|
971
|
-
// i.e. we need to multiply by the Montgomery factor twice.
|
972
|
-
if (!group->meth->field_encode(group, tmp, tmp, ctx) ||
|
973
|
-
!group->meth->field_encode(group, tmp, tmp, ctx)) {
|
974
|
-
goto err;
|
975
|
-
}
|
976
|
-
}
|
977
|
-
|
978
|
-
for (size_t i = num - 1; i > 0; --i) {
|
979
|
-
// Loop invariant: tmp is the product of the inverses of
|
980
|
-
// points[0]->Z .. points[i]->Z (zero-valued inputs skipped).
|
981
|
-
if (BN_is_zero(&points[i]->Z)) {
|
982
|
-
continue;
|
983
|
-
}
|
984
|
-
|
985
|
-
// Set tmp_Z to the inverse of points[i]->Z (as product
|
986
|
-
// of Z inverses 0 .. i, Z values 0 .. i - 1).
|
987
|
-
if (!group->meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx) ||
|
988
|
-
// Update tmp to satisfy the loop invariant for i - 1.
|
989
|
-
!group->meth->field_mul(group, tmp, tmp, &points[i]->Z, ctx) ||
|
990
|
-
// Replace points[i]->Z by its inverse.
|
991
|
-
!BN_copy(&points[i]->Z, tmp_Z)) {
|
992
|
-
goto err;
|
993
|
-
}
|
994
|
-
}
|
995
|
-
|
996
|
-
// Replace points[0]->Z by its inverse.
|
997
|
-
if (!BN_is_zero(&points[0]->Z) && !BN_copy(&points[0]->Z, tmp)) {
|
998
|
-
goto err;
|
999
|
-
}
|
1000
|
-
|
1001
|
-
// Finally, fix up the X and Y coordinates for all points.
|
1002
|
-
for (size_t i = 0; i < num; i++) {
|
1003
|
-
EC_POINT *p = points[i];
|
1004
|
-
|
1005
|
-
if (!BN_is_zero(&p->Z)) {
|
1006
|
-
// turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1).
|
1007
|
-
if (!group->meth->field_sqr(group, tmp, &p->Z, ctx) ||
|
1008
|
-
!group->meth->field_mul(group, &p->X, &p->X, tmp, ctx) ||
|
1009
|
-
!group->meth->field_mul(group, tmp, tmp, &p->Z, ctx) ||
|
1010
|
-
!group->meth->field_mul(group, &p->Y, &p->Y, tmp, ctx)) {
|
1011
|
-
goto err;
|
1012
|
-
}
|
1013
|
-
|
1014
|
-
if (BN_copy(&p->Z, &group->one) == NULL) {
|
1015
|
-
goto err;
|
1016
|
-
}
|
1017
|
-
}
|
1018
|
-
}
|
1019
|
-
|
1020
|
-
ret = 1;
|
1021
|
-
|
1022
|
-
err:
|
1023
|
-
BN_CTX_end(ctx);
|
1024
|
-
BN_CTX_free(new_ctx);
|
1025
|
-
if (prod_Z != NULL) {
|
1026
|
-
for (size_t i = 0; i < num; i++) {
|
1027
|
-
if (prod_Z[i] == NULL) {
|
1028
|
-
break;
|
1029
|
-
}
|
1030
|
-
BN_clear_free(prod_Z[i]);
|
1031
|
-
}
|
1032
|
-
OPENSSL_free(prod_Z);
|
369
|
+
int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
|
370
|
+
const EC_SCALAR *r) {
|
371
|
+
if (ec_GFp_simple_is_at_infinity(group, p)) {
|
372
|
+
// |ec_get_x_coordinate_as_scalar| will check this internally, but this way
|
373
|
+
// we do not push to the error queue.
|
374
|
+
return 0;
|
1033
375
|
}
|
1034
376
|
|
1035
|
-
|
1036
|
-
|
1037
|
-
|
1038
|
-
int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
|
1039
|
-
const BIGNUM *b, BN_CTX *ctx) {
|
1040
|
-
return BN_mod_mul(r, a, b, &group->field, ctx);
|
1041
|
-
}
|
1042
|
-
|
1043
|
-
int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
|
1044
|
-
BN_CTX *ctx) {
|
1045
|
-
return BN_mod_sqr(r, a, &group->field, ctx);
|
377
|
+
EC_SCALAR x;
|
378
|
+
return ec_get_x_coordinate_as_scalar(group, &x, p) &&
|
379
|
+
ec_scalar_equal_vartime(group, &x, r);
|
1046
380
|
}
|