1 /* $OpenBSD: ec_local.h,v 1.65 2025/01/25 13:15:21 tb Exp $ */
2 /*
3  * Originally written by Bodo Moeller for the OpenSSL project.
4  */
5 /* ====================================================================
6  * Copyright (c) 1998-2010 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    openssl-core@openssl.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 /* ====================================================================
59  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60  *
61  * Portions of the attached software ("Contribution") are developed by
62  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
63  *
64  * The Contribution is licensed pursuant to the OpenSSL open source
65  * license provided above.
66  *
67  * The elliptic curve binary polynomial software is originally written by
68  * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
69  *
70  */
71 
72 #include <stdlib.h>
73 
74 #include <openssl/bn.h>
75 #include <openssl/ec.h>
76 #include <openssl/objects.h>
77 
78 #include "bn_local.h"
79 
80 __BEGIN_HIDDEN_DECLS
81 
/*
 * EC_METHOD: table of function pointers for group, point and field
 * operations.  EC_GROUP and EC_POINT each carry a pointer to such a table
 * in their meth member.
 *
 * NOTE(review): return conventions are not visible in this header; confirm
 * them against the implementations before relying on a particular value.
 */
struct ec_method_st {
	/* Set and get the curve parameters p, a and b of a group. */
	int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
	    const BIGNUM *b, BN_CTX *);
	int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
	    BIGNUM *b, BN_CTX *);

	/*
	 * Curve membership test and point comparison.
	 * NOTE(review): a point built from untrusted input should have passed
	 * the on-curve check before it reaches a scalar multiplication;
	 * confirm which layer enforces that.
	 */
	int (*point_is_on_curve)(const EC_GROUP *, const EC_POINT *, BN_CTX *);
	int (*point_cmp)(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
	    BN_CTX *);

	/* Set a point from, or read a point as, affine coordinates (x, y). */
	int (*point_set_affine_coordinates)(const EC_GROUP *, EC_POINT *,
	    const BIGNUM *x, const BIGNUM *y, BN_CTX *);
	int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_POINT *,
	    BIGNUM *x, BIGNUM *y, BN_CTX *);

	/* Only used by the wNAF code. */
	int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT **,
	    BN_CTX *);

	/*
	 * Point arithmetic; presumably r = a + b, r = 2 * a, and negation of
	 * a point in place (the point passed to invert is not const).
	 */
	int (*add)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
	    const EC_POINT *b, BN_CTX *);
	int (*dbl)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
	int (*invert)(const EC_GROUP *, EC_POINT *, BN_CTX *);

	/*
	 * Scalar multiplication.
	 * NOTE(review): the _ct and _nonct suffixes presumably mean constant
	 * time and non-constant time.  If so, a secret scalar (private key,
	 * nonce) belongs in mul_single_ct only, and mul_double_nonct is for
	 * public scalars such as those of a signature verification --
	 * confirm against the callers.
	 */
	int (*mul_single_ct)(const EC_GROUP *group, EC_POINT *r,
	    const BIGNUM *scalar, const EC_POINT *point, BN_CTX *);
	int (*mul_double_nonct)(const EC_GROUP *group, EC_POINT *r,
	    const BIGNUM *g_scalar, const BIGNUM *p_scalar,
	    const EC_POINT *point, BN_CTX *);

	/*
	 * These can be used by 'add' and 'dbl' so that the same implementations
	 * of point operations can be used with different optimized versions of
	 * expensive field operations.
	 */
	int (*field_mul)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
	    const BIGNUM *b, BN_CTX *);
	int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
	    BN_CTX *);

	/* Encode to and decode from other forms (e.g. Montgomery). */
	int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
	    BN_CTX *);
	int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
	    BN_CTX *);
} /* EC_METHOD */;
128 
/*
 * EC_GROUP: a curve in Weierstrass form over a prime field together with
 * its method table, an optional generator, and the ASN.1 encoding settings.
 */
struct ec_group_st {
	/* Method table used for operations on this group. */
	const EC_METHOD *meth;

	EC_POINT *generator;	/* Optional */
	/* NOTE(review): presumably the order of the generator and the curve cofactor. */
	BIGNUM *order;
	BIGNUM *cofactor;

	int nid;		/* Optional NID for named curve. */

	/* ASN.1 encoding controls. */
	int asn1_flag;
	point_conversion_form_t asn1_form;

	/*
	 * Optional seed for parameters (appears in ASN.1).
	 * NOTE(review): presumably seed points to seed_len bytes owned by the
	 * group; confirm the two are always updated together.
	 */
	unsigned char *seed;
	size_t seed_len;

	/*
	 * Coefficients of the Weierstrass equation y^2 = x^3 + a*x + b (mod p).
	 */
	BIGNUM *p;
	BIGNUM *a;
	BIGNUM *b;

	/*
	 * Enables optimized point arithmetics for special case.
	 * NOTE(review): presumably set when a == -3 (mod p); a flag that
	 * disagrees with a would select the wrong formulas -- confirm it is
	 * only set where a is set.
	 */
	int a_is_minus3;

	/* Montgomery context used by EC_GFp_mont_method. */
	BN_MONT_CTX *mont_ctx;
} /* EC_GROUP */;
159 
/*
 * EC_POINT: a curve point in Jacobian projective coordinates, with the
 * method table used to operate on it.
 */
struct ec_point_st {
	/* Method table used for operations on this point. */
	const EC_METHOD *meth;

	/*
	 * Jacobian projective coordinates: (X, Y, Z) represents (X/Z^2, Y/Z^3)
	 * if Z != 0
	 *
	 * NOTE(review): Z == 0 presumably encodes the point at infinity;
	 * confirm against the implementation.
	 */
	BIGNUM *X;
	BIGNUM *Y;
	BIGNUM *Z;
	/*
	 * NOTE(review): presumably nonzero only while Z == 1; code that
	 * writes Z directly has to keep this flag in step -- confirm.
	 */
	int Z_is_one; /* enable optimized point arithmetics for special case */
} /* EC_POINT */;
172 
/*
 * Compute r = generator * m + point * n in non-constant time.
 *
 * NOTE(review): since this is not constant time, m and n should be public
 * values only (for example the scalars of a signature verification);
 * confirm that no caller passes a private key or a nonce here.
 */
int ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
    const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx);

/*
 * NOTE(review): presumably reports whether group matches one of the built-in
 * curves and stores that curve's NID in out_nid; confirm whether out_nid may
 * be NULL.
 */
int ec_group_is_builtin_curve(const EC_GROUP *group, int *out_nid);

/*
 * Wrappers around the unergonomic EC_POINT_{oct2point,point2oct}().
 *
 * ec_point_from_octets() reads buf_len bytes at buf, which may be data from
 * a peer or a file and therefore untrusted.
 * NOTE(review): confirm that decoding rejects encodings that do not describe
 * a point on the group's curve, and that callers treat the point at infinity
 * as their protocol requires.
 * Results are handed back through out_point/out_form and out_buf/len;
 * ownership of *out_point and *out_buf presumably passes to the caller --
 * confirm.
 */
int ec_point_from_octets(const EC_GROUP *group, const unsigned char *buf,
    size_t buf_len, EC_POINT **out_point, uint8_t *out_form, BN_CTX *ctx_in);
int ec_point_to_octets(const EC_GROUP *group, const EC_POINT *point, int form,
    unsigned char **out_buf, size_t *len, BN_CTX *ctx_in);

/*
 * Public API in OpenSSL
 * Both return const pointers, so callers are not meant to modify or free
 * the returned BIGNUM.
 */
const BIGNUM *EC_GROUP_get0_cofactor(const EC_GROUP *group);
const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group);
190 
/*
 * EC_KEY_METHOD: table of function pointers for key lifecycle, key
 * generation, ECDH and ECDSA operations on an EC_KEY.
 *
 * NOTE(review): return conventions are not visible in this header; confirm
 * them against the implementations.
 */
struct ec_key_method_st {
	const char *name;
	int32_t flags;
	/* Lifecycle hooks. */
	int (*init)(EC_KEY *key);
	void (*finish)(EC_KEY *key);
	int (*copy)(EC_KEY *dest, const EC_KEY *src);
	/* Setters for the group and the two halves of the key pair. */
	int (*set_group)(EC_KEY *key, const EC_GROUP *grp);
	int (*set_private)(EC_KEY *key, const BIGNUM *priv_key);
	int (*set_public)(EC_KEY *key, const EC_POINT *pub_key);
	int (*keygen)(EC_KEY *key);
	/*
	 * ECDH: pub_key is the other party's point.
	 * NOTE(review): *out presumably receives a newly allocated buffer of
	 * *out_len bytes holding secret material that the caller must clear
	 * and free -- confirm.
	 */
	int (*compute_key)(unsigned char **out, size_t *out_len,
	    const EC_POINT *pub_key, const EC_KEY *ecdh);
	/*
	 * ECDSA signing.
	 * NOTE(review): kinv and r look like the values produced by
	 * sign_setup (kinvp, rp), presumably the inverse of the per-signature
	 * nonce and the matching r.  If so they are secret, single-use
	 * values: using one pair for two signatures would expose the private
	 * key -- confirm callers never cache or reuse them.
	 */
	int (*sign)(int type, const unsigned char *dgst, int dlen, unsigned char
	    *sig, unsigned int *siglen, const BIGNUM *kinv,
	    const BIGNUM *r, EC_KEY *eckey);
	int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
	    BIGNUM **rp);
	ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgst_len,
	    const BIGNUM *in_kinv, const BIGNUM *in_r,
	    EC_KEY *eckey);
	/*
	 * ECDSA verification, over an encoded signature (sigbuf, sig_len) or
	 * a parsed ECDSA_SIG.
	 * NOTE(review): dgst_len and sig_len are int, not size_t; confirm
	 * that negative values are rejected before they are used as sizes.
	 */
	int (*verify)(int type, const unsigned char *dgst, int dgst_len,
	    const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
	int (*verify_sig)(const unsigned char *dgst, int dgst_len,
	    const ECDSA_SIG *sig, EC_KEY *eckey);
} /* EC_KEY_METHOD */;
216 
/*
 * EC_KEY: a group, a public point and a private scalar, plus the method
 * table and bookkeeping fields.
 */
struct ec_key_st {
	/* Method table used for operations on this key. */
	const EC_KEY_METHOD *meth;

	int version;

	EC_GROUP *group;

	EC_POINT *pub_key;
	/*
	 * Private scalar; secret material.
	 * NOTE(review): confirm that it is cleared, not just freed, when the
	 * key is destroyed or replaced.
	 */
	BIGNUM	 *priv_key;

	/* Encoding controls for serializing the key. */
	unsigned int enc_flag;
	point_conversion_form_t conv_form;

	/* NOTE(review): presumably a reference count; confirm how it is updated. */
	int	references;
	int	flags;

	CRYPTO_EX_DATA ex_data;
} /* EC_KEY */;
235 
/*
 * NOTE(review): presumably derives the public point of eckey from its
 * private scalar and group; confirm which multiplication routine it uses,
 * since the scalar is secret.
 */
int eckey_compute_pubkey(EC_KEY *eckey);
/*
 * The next three prototypes have the same signatures as the compute_key,
 * verify and verify_sig members of struct ec_key_method_st; presumably they
 * are the built-in implementations -- confirm.
 * dgst_len and sig_len are int, so callers should not pass lengths that do
 * not fit in a non-negative int.
 */
int ecdh_compute_key(unsigned char **out, size_t *out_len,
    const EC_POINT *pub_key, const EC_KEY *ecdh);
int ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
    const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
int ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
    const ECDSA_SIG *sig, EC_KEY *eckey);

/*
 * ECDH Key Derivation Function as defined in ANSI X9.63.
 *
 * Writes outlen bytes of derived key material to out, using digest md.
 * NOTE(review): Z (Zlen bytes) is presumably the ECDH shared secret and
 * sinfo (sinfolen bytes) the optional shared info; if so, the caller is
 * responsible for clearing Z after use -- confirm.
 */
int ecdh_KDF_X9_63(unsigned char *out, size_t outlen, const unsigned char *Z,
    size_t Zlen, const unsigned char *sinfo, size_t sinfolen, const EVP_MD *md);
249 
250 __END_HIDDEN_DECLS