michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: #include "mpi.h" michael@0: #include "mplogic.h" michael@0: #include "ecl.h" michael@0: #include "ecl-priv.h" michael@0: #include "ec2.h" michael@0: #include "ecp.h" michael@0: #include michael@0: #include michael@0: michael@0: /* Allocate memory for a new ECGroup object. */ michael@0: ECGroup * michael@0: ECGroup_new() michael@0: { michael@0: mp_err res = MP_OKAY; michael@0: ECGroup *group; michael@0: group = (ECGroup *) malloc(sizeof(ECGroup)); michael@0: if (group == NULL) michael@0: return NULL; michael@0: group->constructed = MP_YES; michael@0: group->meth = NULL; michael@0: group->text = NULL; michael@0: MP_DIGITS(&group->curvea) = 0; michael@0: MP_DIGITS(&group->curveb) = 0; michael@0: MP_DIGITS(&group->genx) = 0; michael@0: MP_DIGITS(&group->geny) = 0; michael@0: MP_DIGITS(&group->order) = 0; michael@0: group->base_point_mul = NULL; michael@0: group->points_mul = NULL; michael@0: group->validate_point = NULL; michael@0: group->extra1 = NULL; michael@0: group->extra2 = NULL; michael@0: group->extra_free = NULL; michael@0: MP_CHECKOK(mp_init(&group->curvea)); michael@0: MP_CHECKOK(mp_init(&group->curveb)); michael@0: MP_CHECKOK(mp_init(&group->genx)); michael@0: MP_CHECKOK(mp_init(&group->geny)); michael@0: MP_CHECKOK(mp_init(&group->order)); michael@0: michael@0: CLEANUP: michael@0: if (res != MP_OKAY) { michael@0: ECGroup_free(group); michael@0: return NULL; michael@0: } michael@0: return group; michael@0: } michael@0: michael@0: /* Construct a generic ECGroup for elliptic curves over prime fields. */ michael@0: ECGroup * michael@0: ECGroup_consGFp(const mp_int *irr, const mp_int *curvea, michael@0: const mp_int *curveb, const mp_int *genx, michael@0: const mp_int *geny, const mp_int *order, int cofactor) michael@0: { michael@0: mp_err res = MP_OKAY; michael@0: ECGroup *group = NULL; michael@0: michael@0: group = ECGroup_new(); michael@0: if (group == NULL) michael@0: return NULL; michael@0: michael@0: group->meth = GFMethod_consGFp(irr); michael@0: if (group->meth == NULL) { michael@0: res = MP_MEM; michael@0: goto CLEANUP; michael@0: } michael@0: MP_CHECKOK(mp_copy(curvea, &group->curvea)); michael@0: MP_CHECKOK(mp_copy(curveb, &group->curveb)); michael@0: MP_CHECKOK(mp_copy(genx, &group->genx)); michael@0: MP_CHECKOK(mp_copy(geny, &group->geny)); michael@0: MP_CHECKOK(mp_copy(order, &group->order)); michael@0: group->cofactor = cofactor; michael@0: group->point_add = &ec_GFp_pt_add_aff; michael@0: group->point_sub = &ec_GFp_pt_sub_aff; michael@0: group->point_dbl = &ec_GFp_pt_dbl_aff; michael@0: group->point_mul = &ec_GFp_pt_mul_jm_wNAF; michael@0: group->base_point_mul = NULL; michael@0: group->points_mul = &ec_GFp_pts_mul_jac; michael@0: group->validate_point = &ec_GFp_validate_point; michael@0: michael@0: CLEANUP: michael@0: if (res != MP_OKAY) { michael@0: ECGroup_free(group); michael@0: return NULL; michael@0: } michael@0: return group; michael@0: } michael@0: michael@0: /* Construct a generic ECGroup for elliptic curves over prime fields with michael@0: * field arithmetic implemented in Montgomery coordinates. */ michael@0: ECGroup * michael@0: ECGroup_consGFp_mont(const mp_int *irr, const mp_int *curvea, michael@0: const mp_int *curveb, const mp_int *genx, michael@0: const mp_int *geny, const mp_int *order, int cofactor) michael@0: { michael@0: mp_err res = MP_OKAY; michael@0: ECGroup *group = NULL; michael@0: michael@0: group = ECGroup_new(); michael@0: if (group == NULL) michael@0: return NULL; michael@0: michael@0: group->meth = GFMethod_consGFp_mont(irr); michael@0: if (group->meth == NULL) { michael@0: res = MP_MEM; michael@0: goto CLEANUP; michael@0: } michael@0: MP_CHECKOK(group->meth-> michael@0: field_enc(curvea, &group->curvea, group->meth)); michael@0: MP_CHECKOK(group->meth-> michael@0: field_enc(curveb, &group->curveb, group->meth)); michael@0: MP_CHECKOK(group->meth->field_enc(genx, &group->genx, group->meth)); michael@0: MP_CHECKOK(group->meth->field_enc(geny, &group->geny, group->meth)); michael@0: MP_CHECKOK(mp_copy(order, &group->order)); michael@0: group->cofactor = cofactor; michael@0: group->point_add = &ec_GFp_pt_add_aff; michael@0: group->point_sub = &ec_GFp_pt_sub_aff; michael@0: group->point_dbl = &ec_GFp_pt_dbl_aff; michael@0: group->point_mul = &ec_GFp_pt_mul_jm_wNAF; michael@0: group->base_point_mul = NULL; michael@0: group->points_mul = &ec_GFp_pts_mul_jac; michael@0: group->validate_point = &ec_GFp_validate_point; michael@0: michael@0: CLEANUP: michael@0: if (res != MP_OKAY) { michael@0: ECGroup_free(group); michael@0: return NULL; michael@0: } michael@0: return group; michael@0: } michael@0: michael@0: #ifdef NSS_ECC_MORE_THAN_SUITE_B michael@0: /* Construct a generic ECGroup for elliptic curves over binary polynomial michael@0: * fields. */ michael@0: ECGroup * michael@0: ECGroup_consGF2m(const mp_int *irr, const unsigned int irr_arr[5], michael@0: const mp_int *curvea, const mp_int *curveb, michael@0: const mp_int *genx, const mp_int *geny, michael@0: const mp_int *order, int cofactor) michael@0: { michael@0: mp_err res = MP_OKAY; michael@0: ECGroup *group = NULL; michael@0: michael@0: group = ECGroup_new(); michael@0: if (group == NULL) michael@0: return NULL; michael@0: michael@0: group->meth = GFMethod_consGF2m(irr, irr_arr); michael@0: if (group->meth == NULL) { michael@0: res = MP_MEM; michael@0: goto CLEANUP; michael@0: } michael@0: MP_CHECKOK(mp_copy(curvea, &group->curvea)); michael@0: MP_CHECKOK(mp_copy(curveb, &group->curveb)); michael@0: MP_CHECKOK(mp_copy(genx, &group->genx)); michael@0: MP_CHECKOK(mp_copy(geny, &group->geny)); michael@0: MP_CHECKOK(mp_copy(order, &group->order)); michael@0: group->cofactor = cofactor; michael@0: group->point_add = &ec_GF2m_pt_add_aff; michael@0: group->point_sub = &ec_GF2m_pt_sub_aff; michael@0: group->point_dbl = &ec_GF2m_pt_dbl_aff; michael@0: group->point_mul = &ec_GF2m_pt_mul_mont; michael@0: group->base_point_mul = NULL; michael@0: group->points_mul = &ec_pts_mul_basic; michael@0: group->validate_point = &ec_GF2m_validate_point; michael@0: michael@0: CLEANUP: michael@0: if (res != MP_OKAY) { michael@0: ECGroup_free(group); michael@0: return NULL; michael@0: } michael@0: return group; michael@0: } michael@0: #endif michael@0: michael@0: /* Construct ECGroup from hex parameters and name, if any. Called by michael@0: * ECGroup_fromHex and ECGroup_fromName. */ michael@0: ECGroup * michael@0: ecgroup_fromNameAndHex(const ECCurveName name, michael@0: const ECCurveParams * params) michael@0: { michael@0: mp_int irr, curvea, curveb, genx, geny, order; michael@0: int bits; michael@0: ECGroup *group = NULL; michael@0: mp_err res = MP_OKAY; michael@0: michael@0: /* initialize values */ michael@0: MP_DIGITS(&irr) = 0; michael@0: MP_DIGITS(&curvea) = 0; michael@0: MP_DIGITS(&curveb) = 0; michael@0: MP_DIGITS(&genx) = 0; michael@0: MP_DIGITS(&geny) = 0; michael@0: MP_DIGITS(&order) = 0; michael@0: MP_CHECKOK(mp_init(&irr)); michael@0: MP_CHECKOK(mp_init(&curvea)); michael@0: MP_CHECKOK(mp_init(&curveb)); michael@0: MP_CHECKOK(mp_init(&genx)); michael@0: MP_CHECKOK(mp_init(&geny)); michael@0: MP_CHECKOK(mp_init(&order)); michael@0: MP_CHECKOK(mp_read_radix(&irr, params->irr, 16)); michael@0: MP_CHECKOK(mp_read_radix(&curvea, params->curvea, 16)); michael@0: MP_CHECKOK(mp_read_radix(&curveb, params->curveb, 16)); michael@0: MP_CHECKOK(mp_read_radix(&genx, params->genx, 16)); michael@0: MP_CHECKOK(mp_read_radix(&geny, params->geny, 16)); michael@0: MP_CHECKOK(mp_read_radix(&order, params->order, 16)); michael@0: michael@0: /* determine number of bits */ michael@0: bits = mpl_significant_bits(&irr) - 1; michael@0: if (bits < MP_OKAY) { michael@0: res = bits; michael@0: goto CLEANUP; michael@0: } michael@0: michael@0: /* determine which optimizations (if any) to use */ michael@0: if (params->field == ECField_GFp) { michael@0: switch (name) { michael@0: #ifdef NSS_ECC_MORE_THAN_SUITE_B michael@0: #ifdef ECL_USE_FP michael@0: case ECCurve_SECG_PRIME_160R1: michael@0: group = michael@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, michael@0: &order, params->cofactor); michael@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } michael@0: MP_CHECKOK(ec_group_set_secp160r1_fp(group)); michael@0: break; michael@0: #endif michael@0: case ECCurve_SECG_PRIME_192R1: michael@0: #ifdef ECL_USE_FP michael@0: group = michael@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, michael@0: &order, params->cofactor); michael@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } michael@0: MP_CHECKOK(ec_group_set_nistp192_fp(group)); michael@0: #else michael@0: group = michael@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, michael@0: &order, params->cofactor); michael@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } michael@0: MP_CHECKOK(ec_group_set_gfp192(group, name)); michael@0: #endif michael@0: break; michael@0: case ECCurve_SECG_PRIME_224R1: michael@0: #ifdef ECL_USE_FP michael@0: group = michael@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, michael@0: &order, params->cofactor); michael@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } michael@0: MP_CHECKOK(ec_group_set_nistp224_fp(group)); michael@0: #else michael@0: group = michael@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, michael@0: &order, params->cofactor); michael@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } michael@0: MP_CHECKOK(ec_group_set_gfp224(group, name)); michael@0: #endif michael@0: break; michael@0: #endif /* NSS_ECC_MORE_THAN_SUITE_B */ michael@0: case ECCurve_SECG_PRIME_256R1: michael@0: group = michael@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, michael@0: &order, params->cofactor); michael@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } michael@0: MP_CHECKOK(ec_group_set_gfp256(group, name)); michael@0: MP_CHECKOK(ec_group_set_gfp256_32(group, name)); michael@0: break; michael@0: case ECCurve_SECG_PRIME_521R1: michael@0: group = michael@0: ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, michael@0: &order, params->cofactor); michael@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } michael@0: MP_CHECKOK(ec_group_set_gfp521(group, name)); michael@0: break; michael@0: default: michael@0: /* use generic arithmetic */ michael@0: group = michael@0: ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny, michael@0: &order, params->cofactor); michael@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } michael@0: } michael@0: #ifdef NSS_ECC_MORE_THAN_SUITE_B michael@0: } else if (params->field == ECField_GF2m) { michael@0: group = ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx, &geny, &order, params->cofactor); michael@0: if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } michael@0: if ((name == ECCurve_NIST_K163) || michael@0: (name == ECCurve_NIST_B163) || michael@0: (name == ECCurve_SECG_CHAR2_163R1)) { michael@0: MP_CHECKOK(ec_group_set_gf2m163(group, name)); michael@0: } else if ((name == ECCurve_SECG_CHAR2_193R1) || michael@0: (name == ECCurve_SECG_CHAR2_193R2)) { michael@0: MP_CHECKOK(ec_group_set_gf2m193(group, name)); michael@0: } else if ((name == ECCurve_NIST_K233) || michael@0: (name == ECCurve_NIST_B233)) { michael@0: MP_CHECKOK(ec_group_set_gf2m233(group, name)); michael@0: } michael@0: #endif michael@0: } else { michael@0: res = MP_UNDEF; michael@0: goto CLEANUP; michael@0: } michael@0: michael@0: /* set name, if any */ michael@0: if ((group != NULL) && (params->text != NULL)) { michael@0: group->text = strdup(params->text); michael@0: if (group->text == NULL) { michael@0: res = MP_MEM; michael@0: } michael@0: } michael@0: michael@0: CLEANUP: michael@0: mp_clear(&irr); michael@0: mp_clear(&curvea); michael@0: mp_clear(&curveb); michael@0: mp_clear(&genx); michael@0: mp_clear(&geny); michael@0: mp_clear(&order); michael@0: if (res != MP_OKAY) { michael@0: ECGroup_free(group); michael@0: return NULL; michael@0: } michael@0: return group; michael@0: } michael@0: michael@0: /* Construct ECGroup from hexadecimal representations of parameters. */ michael@0: ECGroup * michael@0: ECGroup_fromHex(const ECCurveParams * params) michael@0: { michael@0: return ecgroup_fromNameAndHex(ECCurve_noName, params); michael@0: } michael@0: michael@0: /* Construct ECGroup from named parameters. */ michael@0: ECGroup * michael@0: ECGroup_fromName(const ECCurveName name) michael@0: { michael@0: ECGroup *group = NULL; michael@0: ECCurveParams *params = NULL; michael@0: mp_err res = MP_OKAY; michael@0: michael@0: params = EC_GetNamedCurveParams(name); michael@0: if (params == NULL) { michael@0: res = MP_UNDEF; michael@0: goto CLEANUP; michael@0: } michael@0: michael@0: /* construct actual group */ michael@0: group = ecgroup_fromNameAndHex(name, params); michael@0: if (group == NULL) { michael@0: res = MP_UNDEF; michael@0: goto CLEANUP; michael@0: } michael@0: michael@0: CLEANUP: michael@0: EC_FreeCurveParams(params); michael@0: if (res != MP_OKAY) { michael@0: ECGroup_free(group); michael@0: return NULL; michael@0: } michael@0: return group; michael@0: } michael@0: michael@0: /* Validates an EC public key as described in Section 5.2.2 of X9.62. */ michael@0: mp_err ECPoint_validate(const ECGroup *group, const mp_int *px, const michael@0: mp_int *py) michael@0: { michael@0: /* 1: Verify that publicValue is not the point at infinity */ michael@0: /* 2: Verify that the coordinates of publicValue are elements michael@0: * of the field. michael@0: */ michael@0: /* 3: Verify that publicValue is on the curve. */ michael@0: /* 4: Verify that the order of the curve times the publicValue michael@0: * is the point at infinity. michael@0: */ michael@0: return group->validate_point(px, py, group); michael@0: } michael@0: michael@0: /* Free the memory allocated (if any) to an ECGroup object. */ michael@0: void michael@0: ECGroup_free(ECGroup *group) michael@0: { michael@0: if (group == NULL) michael@0: return; michael@0: GFMethod_free(group->meth); michael@0: if (group->constructed == MP_NO) michael@0: return; michael@0: mp_clear(&group->curvea); michael@0: mp_clear(&group->curveb); michael@0: mp_clear(&group->genx); michael@0: mp_clear(&group->geny); michael@0: mp_clear(&group->order); michael@0: if (group->text != NULL) michael@0: free(group->text); michael@0: if (group->extra_free != NULL) michael@0: group->extra_free(group); michael@0: free(group); michael@0: }