andre@0: /* This Source Code Form is subject to the terms of the Mozilla Public andre@0: * License, v. 2.0. If a copy of the MPL was not distributed with this andre@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ andre@0: andre@0: #include "mpi.h" andre@0: #include "mplogic.h" andre@0: #include "ecl.h" andre@0: #include "ecl-priv.h" andre@0: #include "ec2.h" andre@0: #include "ecp.h" andre@0: #include andre@0: #include andre@0: andre@0: /* Allocate memory for a new ECGroup object. */ andre@0: ECGroup * andre@0: ECGroup_new() andre@0: { andre@0: mp_err res = MP_OKAY; andre@0: ECGroup *group; andre@0: group = (ECGroup *) malloc(sizeof(ECGroup)); andre@0: if (group == NULL) andre@0: return NULL; andre@0: group->constructed = MP_YES; andre@0: group->meth = NULL; andre@0: group->text = NULL; andre@0: MP_DIGITS(&group->curvea) = 0; andre@0: MP_DIGITS(&group->curveb) = 0; andre@0: MP_DIGITS(&group->genx) = 0; andre@0: MP_DIGITS(&group->geny) = 0; andre@0: MP_DIGITS(&group->order) = 0; andre@0: group->base_point_mul = NULL; andre@0: group->points_mul = NULL; andre@0: group->validate_point = NULL; andre@0: group->extra1 = NULL; andre@0: group->extra2 = NULL; andre@0: group->extra_free = NULL; andre@0: MP_CHECKOK(mp_init(&group->curvea)); andre@0: MP_CHECKOK(mp_init(&group->curveb)); andre@0: MP_CHECKOK(mp_init(&group->genx)); andre@0: MP_CHECKOK(mp_init(&group->geny)); andre@0: MP_CHECKOK(mp_init(&group->order)); andre@0: andre@0: CLEANUP: andre@0: if (res != MP_OKAY) { andre@0: ECGroup_free(group); andre@0: return NULL; andre@0: } andre@0: return group; andre@0: } andre@0: andre@0: /* Construct a generic ECGroup for elliptic curves over prime fields. */ andre@0: ECGroup * andre@0: ECGroup_consGFp(const mp_int *irr, const mp_int *curvea, andre@0: const mp_int *curveb, const mp_int *genx, andre@0: const mp_int *geny, const mp_int *order, int cofactor) andre@0: { andre@0: mp_err res = MP_OKAY; andre@0: ECGroup *group = NULL; andre@0: andre@0: group = ECGroup_new(); andre@0: if (group == NULL) andre@0: return NULL; andre@0: andre@0: group->meth = GFMethod_consGFp(irr); andre@0: if (group->meth == NULL) { andre@0: res = MP_MEM; andre@0: goto CLEANUP; andre@0: } andre@0: MP_CHECKOK(mp_copy(curvea, &group->curvea)); andre@0: MP_CHECKOK(mp_copy(curveb, &group->curveb)); andre@0: MP_CHECKOK(mp_copy(genx, &group->genx)); andre@0: MP_CHECKOK(mp_copy(geny, &group->geny)); andre@0: MP_CHECKOK(mp_copy(order, &group->order)); andre@0: group->cofactor = cofactor; andre@0: group->point_add = &ec_GFp_pt_add_aff; andre@0: group->point_sub = &ec_GFp_pt_sub_aff; andre@0: group->point_dbl = &ec_GFp_pt_dbl_aff; andre@0: group->point_mul = &ec_GFp_pt_mul_jm_wNAF; andre@0: group->base_point_mul = NULL; andre@0: group->points_mul = &ec_GFp_pts_mul_jac; andre@0: group->validate_point = &ec_GFp_validate_point; andre@0: andre@0: CLEANUP: andre@0: if (res != MP_OKAY) { andre@0: ECGroup_free(group); andre@0: return NULL; andre@0: } andre@0: return group; andre@0: } andre@0: andre@0: /* Construct a generic ECGroup for elliptic curves over prime fields with andre@0: * field arithmetic implemented in Montgomery coordinates. */ andre@0: ECGroup * andre@0: ECGroup_consGFp_mont(const mp_int *irr, const mp_int *curvea, andre@0: const mp_int *curveb, const mp_int *genx, andre@0: const mp_int *geny, const mp_int *order, int cofactor) andre@0: { andre@0: mp_err res = MP_OKAY; andre@0: ECGroup *group = NULL; andre@0: andre@0: group = ECGroup_new(); andre@0: if (group == NULL) andre@0: return NULL; andre@0: andre@0: group->meth = GFMethod_consGFp_mont(irr); andre@0: if (group->meth == NULL) { andre@0: res = MP_MEM; andre@0: goto CLEANUP; andre@0: } andre@0: MP_CHECKOK(group->meth-> andre@0: field_enc(curvea, &group->curvea, group->meth)); andre@0: MP_CHECKOK(group->meth-> andre@0: field_enc(curveb, &group->curveb, group->meth)); andre@0: MP_CHECKOK(group->meth->field_enc(genx, &group->genx, group->meth)); andre@0: MP_CHECKOK(group->meth->field_enc(geny, &group->geny, group->meth)); andre@0: MP_CHECKOK(mp_copy(order, &group->order)); andre@0: group->cofactor = cofactor; andre@0: group->point_add = &ec_GFp_pt_add_aff; andre@0: group->point_sub = &ec_GFp_pt_sub_aff; andre@0: group->point_dbl = &ec_GFp_pt_dbl_aff; andre@0: group->point_mul = &ec_GFp_pt_mul_jm_wNAF; andre@0: group->base_point_mul = NULL; andre@0: group->points_mul = &ec_GFp_pts_mul_jac; andre@0: group->validate_point = &ec_GFp_validate_point; andre@0: andre@0: CLEANUP: andre@0: if (res != MP_OKAY) { andre@0: ECGroup_free(group); andre@0: return NULL; andre@0: } andre@0: return group; andre@0: } andre@0: andre@0: #ifdef NSS_ECC_MORE_THAN_SUITE_B andre@0: /* Construct a generic ECGroup for elliptic curves over binary polynomial andre@0: * fields. */ andre@0: ECGroup * andre@0: ECGroup_consGF2m(const mp_int *irr, const unsigned int irr_arr[5], andre@0: const mp_int *curvea, const mp_int *curveb, andre@0: const mp_int *genx, const mp_int *geny, andre@0: const mp_int *order, int cofactor) andre@0: { andre@0: mp_err res = MP_OKAY; andre@0: ECGroup *group = NULL; andre@0: andre@0: group = ECGroup_new(); andre@0: if (group == NULL) andre@0: return NULL; andre@0: andre@0: group->meth = GFMethod_consGF2m(irr, irr_arr); andre@0: if (group->meth == NULL) { andre@0: res = MP_MEM; andre@0: goto CLEANUP; andre@0: } andre@0: MP_CHECKOK(mp_copy(curvea, &group->curvea)); andre@0: MP_CHECKOK(mp_copy(curveb, &group->curveb)); andre@0: MP_CHECKOK(mp_copy(genx, &group->genx)); andre@0: MP_CHECKOK(mp_copy(geny, &group->geny)); andre@0: MP_CHECKOK(mp_copy(order, &group->order)); andre@0: group->cofactor = cofactor; andre@0: group->point_add = &ec_GF2m_pt_add_aff; andre@0: group->point_sub = &ec_GF2m_pt_sub_aff; andre@0: group->point_dbl = &ec_GF2m_pt_dbl_aff; andre@0: group->point_mul = &ec_GF2m_pt_mul_mont; andre@0: group->base_point_mul = NULL; andre@0: group->points_mul = &ec_pts_mul_basic; andre@0: group->validate_point = &ec_GF2m_validate_point; andre@0: andre@0: CLEANUP: andre@0: if (res != MP_OKAY) { andre@0: ECGroup_free(group); andre@0: return NULL; andre@0: } andre@0: return group; andre@0: } andre@0: #endif andre@0: andre@0: /* Construct ECGroup from hex parameters and name, if any. Called by andre@0: * ECGroup_fromHex and ECGroup_fromName. */ andre@0: ECGroup * andre@0: ecgroup_fromNameAndHex(const ECCurveName name, andre@0: const ECCurveParams * params) andre@0: { andre@0: mp_int irr, curvea, curveb, genx, geny, order; andre@0: int bits; andre@0: ECGroup *group = NULL; andre@0: mp_err res = MP_OKAY; andre@0: andre@0: /* initialize values */ andre@0: MP_DIGITS(&irr) = 0; andre@0: MP_DIGITS(&curvea) = 0; andre@0: MP_DIGITS(&curveb) = 0; andre@0: MP_DIGITS(&genx) = 0; andre@0: MP_DIGITS(&geny) = 0; andre@0: MP_DIGITS(&order) = 0; andre@0: MP_CHECKOK(mp_init(&irr)); andre@0: MP_CHECKOK(mp_init(&curvea)); andre@0: MP_CHECKOK(mp_init(&curveb)); andre@0: MP_CHECKOK(mp_init(&genx)); andre@0: MP_CHECKOK(mp_init(&geny)); andre@0: MP_CHECKOK(mp_init(&order)); andre@0: MP_CHECKOK(mp_read_radix(&irr, params->irr, 16)); andre@0: MP_CHECKOK(mp_read_radix(&curvea, params->curvea, 16)); andre@0: MP_CHECKOK(mp_read_radix(&curveb, params->curveb, 16)); andre@0: MP_CHECKOK(mp_read_radix(&genx, params->genx, 16)); andre@0: MP_CHECKOK(mp_read_radix(&geny, params->geny, 16)); andre@0: MP_CHECKOK(mp_read_radix(&order, params->order, 16)); andre@0: andre@0: /* determine number of bits */ andre@0: bits = mpl_significant_bits(&irr) - 1; andre@0: if (bits < MP_OKAY) { andre@0: res = bits; andre@0: goto CLEANUP; andre@0: } andre@0: andre@0: /* determine which optimizations (if any) to use */ andre@0: if (params->field == ECField_GFp) { andre@0: switch (name) { andre@0: #ifdef NSS_ECC_MORE_THAN_SUITE_B andre@0: #ifdef ECL_USE_FP andre@0: case ECCurve_SECG_PRIME_160R1: andre@0: group = andre@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, andre@0: &order, params->cofactor); andre@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } andre@0: MP_CHECKOK(ec_group_set_secp160r1_fp(group)); andre@0: break; andre@0: #endif andre@0: case ECCurve_SECG_PRIME_192R1: andre@0: #ifdef ECL_USE_FP andre@0: group = andre@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, andre@0: &order, params->cofactor); andre@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } andre@0: MP_CHECKOK(ec_group_set_nistp192_fp(group)); andre@0: #else andre@0: group = andre@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, andre@0: &order, params->cofactor); andre@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } andre@0: MP_CHECKOK(ec_group_set_gfp192(group, name)); andre@0: #endif andre@0: break; andre@0: case ECCurve_SECG_PRIME_224R1: andre@0: #ifdef ECL_USE_FP andre@0: group = andre@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, andre@0: &order, params->cofactor); andre@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } andre@0: MP_CHECKOK(ec_group_set_nistp224_fp(group)); andre@0: #else andre@0: group = andre@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, andre@0: &order, params->cofactor); andre@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } andre@0: MP_CHECKOK(ec_group_set_gfp224(group, name)); andre@0: #endif andre@0: break; andre@0: #endif /* NSS_ECC_MORE_THAN_SUITE_B */ andre@0: case ECCurve_SECG_PRIME_256R1: andre@0: group = andre@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, andre@0: &order, params->cofactor); andre@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } andre@0: MP_CHECKOK(ec_group_set_gfp256(group, name)); andre@0: MP_CHECKOK(ec_group_set_gfp256_32(group, name)); andre@0: break; andre@0: case ECCurve_SECG_PRIME_521R1: andre@0: group = andre@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, andre@0: &order, params->cofactor); andre@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } andre@0: MP_CHECKOK(ec_group_set_gfp521(group, name)); andre@0: break; andre@0: default: andre@0: /* use generic arithmetic */ andre@0: group = andre@0: ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny, andre@0: &order, params->cofactor); andre@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } andre@0: } andre@0: #ifdef NSS_ECC_MORE_THAN_SUITE_B andre@0: } else if (params->field == ECField_GF2m) { andre@0: group = ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx, &geny, &order, params->cofactor); andre@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } andre@0: if ((name == ECCurve_NIST_K163) || andre@0: (name == ECCurve_NIST_B163) || andre@0: (name == ECCurve_SECG_CHAR2_163R1)) { andre@0: MP_CHECKOK(ec_group_set_gf2m163(group, name)); andre@0: } else if ((name == ECCurve_SECG_CHAR2_193R1) || andre@0: (name == ECCurve_SECG_CHAR2_193R2)) { andre@0: MP_CHECKOK(ec_group_set_gf2m193(group, name)); andre@0: } else if ((name == ECCurve_NIST_K233) || andre@0: (name == ECCurve_NIST_B233)) { andre@0: MP_CHECKOK(ec_group_set_gf2m233(group, name)); andre@0: } andre@0: #endif andre@0: } else { andre@0: res = MP_UNDEF; andre@0: goto CLEANUP; andre@0: } andre@0: andre@0: /* set name, if any */ andre@0: if ((group != NULL) && (params->text != NULL)) { andre@0: group->text = strdup(params->text); andre@0: if (group->text == NULL) { andre@0: res = MP_MEM; andre@0: } andre@0: } andre@0: andre@0: CLEANUP: andre@0: mp_clear(&irr); andre@0: mp_clear(&curvea); andre@0: mp_clear(&curveb); andre@0: mp_clear(&genx); andre@0: mp_clear(&geny); andre@0: mp_clear(&order); andre@0: if (res != MP_OKAY) { andre@0: ECGroup_free(group); andre@0: return NULL; andre@0: } andre@0: return group; andre@0: } andre@0: andre@0: /* Construct ECGroup from hexadecimal representations of parameters. */ andre@0: ECGroup * andre@0: ECGroup_fromHex(const ECCurveParams * params) andre@0: { andre@0: return ecgroup_fromNameAndHex(ECCurve_noName, params); andre@0: } andre@0: andre@0: /* Construct ECGroup from named parameters. */ andre@0: ECGroup * andre@0: ECGroup_fromName(const ECCurveName name) andre@0: { andre@0: ECGroup *group = NULL; andre@0: ECCurveParams *params = NULL; andre@0: mp_err res = MP_OKAY; andre@0: andre@0: params = EC_GetNamedCurveParams(name); andre@0: if (params == NULL) { andre@0: res = MP_UNDEF; andre@0: goto CLEANUP; andre@0: } andre@0: andre@0: /* construct actual group */ andre@0: group = ecgroup_fromNameAndHex(name, params); andre@0: if (group == NULL) { andre@0: res = MP_UNDEF; andre@0: goto CLEANUP; andre@0: } andre@0: andre@0: CLEANUP: andre@0: EC_FreeCurveParams(params); andre@0: if (res != MP_OKAY) { andre@0: ECGroup_free(group); andre@0: return NULL; andre@0: } andre@0: return group; andre@0: } andre@0: andre@0: /* Validates an EC public key as described in Section 5.2.2 of X9.62. */ andre@0: mp_err ECPoint_validate(const ECGroup *group, const mp_int *px, const andre@0: mp_int *py) andre@0: { andre@0: /* 1: Verify that publicValue is not the point at infinity */ andre@0: /* 2: Verify that the coordinates of publicValue are elements andre@0: * of the field. andre@0: */ andre@0: /* 3: Verify that publicValue is on the curve. */ andre@0: /* 4: Verify that the order of the curve times the publicValue andre@0: * is the point at infinity. andre@0: */ andre@0: return group->validate_point(px, py, group); andre@0: } andre@0: andre@0: /* Free the memory allocated (if any) to an ECGroup object. */ andre@0: void andre@0: ECGroup_free(ECGroup *group) andre@0: { andre@0: if (group == NULL) andre@0: return; andre@0: GFMethod_free(group->meth); andre@0: if (group->constructed == MP_NO) andre@0: return; andre@0: mp_clear(&group->curvea); andre@0: mp_clear(&group->curveb); andre@0: mp_clear(&group->genx); andre@0: mp_clear(&group->geny); andre@0: mp_clear(&group->order); andre@0: if (group->text != NULL) andre@0: free(group->text); andre@0: if (group->extra_free != NULL) andre@0: group->extra_free(group); andre@0: free(group); andre@0: }