/*
- * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2014, Intel Corporation. All Rights Reserved.
* Copyright (c) 2015, CloudFlare, Inc.
*
# define TOBN(hi,lo) ((BN_ULONG)hi<<32|lo)
#endif
-#if defined(__GNUC__)
-# define ALIGN32 __attribute((aligned(32)))
-#elif defined(_MSC_VER)
-# define ALIGN32 __declspec(align(32))
-#else
-# define ALIGN32
-#endif
-
#define ALIGNPTR(p,N) ((unsigned char *)p+N-(size_t)p%N)
#define P256_LIMBS (256/BN_BITS2)
PRECOMP256_ROW *precomp;
void *precomp_storage;
CRYPTO_REF_COUNT references;
- CRYPTO_RWLOCK *lock;
};
/* Functions implemented in assembly */
OPENSSL_malloc((num * 16 + 5) * sizeof(P256_POINT) + 64)) == NULL
|| (p_str =
OPENSSL_malloc(num * 33 * sizeof(unsigned char))) == NULL
- || (scalars = OPENSSL_malloc(num * sizeof(BIGNUM *))) == NULL) {
- ECerr(EC_F_ECP_NISTZ256_WINDOWED_MUL, ERR_R_MALLOC_FAILURE);
+ || (scalars = OPENSSL_malloc(num * sizeof(BIGNUM *))) == NULL)
goto err;
- }
table = (void *)ALIGNPTR(table_storage, 64);
temp = (P256_POINT *)(table + num);
if ((mod = BN_CTX_get(ctx)) == NULL)
goto err;
if (!BN_nnmod(mod, scalar[i], group->order, ctx)) {
- ECerr(EC_F_ECP_NISTZ256_WINDOWED_MUL, ERR_R_BN_LIB);
+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
goto err;
}
scalars[i] = mod;
if (!ecp_nistz256_bignum_to_field_elem(temp[0].X, point[i]->X)
|| !ecp_nistz256_bignum_to_field_elem(temp[0].Y, point[i]->Y)
|| !ecp_nistz256_bignum_to_field_elem(temp[0].Z, point[i]->Z)) {
- ECerr(EC_F_ECP_NISTZ256_WINDOWED_MUL,
- EC_R_COORDINATES_OUT_OF_RANGE);
+ ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
goto err;
}
EC_pre_comp_free(group);
generator = EC_GROUP_get0_generator(group);
if (generator == NULL) {
- ECerr(EC_F_ECP_NISTZ256_MULT_PRECOMPUTE, EC_R_UNDEFINED_GENERATOR);
+ ERR_raise(ERR_LIB_EC, EC_R_UNDEFINED_GENERATOR);
return 0;
}
goto err;
if (BN_is_zero(order)) {
- ECerr(EC_F_ECP_NISTZ256_MULT_PRECOMPUTE, EC_R_UNKNOWN_ORDER);
+ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_ORDER);
goto err;
}
w = 7;
if ((precomp_storage =
- OPENSSL_malloc(37 * 64 * sizeof(P256_POINT_AFFINE) + 64)) == NULL) {
- ECerr(EC_F_ECP_NISTZ256_MULT_PRECOMPUTE, ERR_R_MALLOC_FAILURE);
+ OPENSSL_malloc(37 * 64 * sizeof(P256_POINT_AFFINE) + 64)) == NULL)
goto err;
- }
preComputedTable = (void *)ALIGNPTR(precomp_storage, 64);
goto err;
if (!ecp_nistz256_bignum_to_field_elem(temp.X, P->X) ||
!ecp_nistz256_bignum_to_field_elem(temp.Y, P->Y)) {
- ECerr(EC_F_ECP_NISTZ256_MULT_PRECOMPUTE,
- EC_R_COORDINATES_OUT_OF_RANGE);
+ ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
goto err;
}
ecp_nistz256_scatter_w7(preComputedTable[j], &temp, k);
return ret;
}
-/*
- * Note that by default ECP_NISTZ256_AVX2 is undefined. While it's great
- * code processing 4 points in parallel, corresponding serial operation
- * is several times slower, because it uses 29x29=58-bit multiplication
- * as opposite to 64x64=128-bit in integer-only scalar case. As result
- * it doesn't provide *significant* performance improvement. Note that
- * just defining ECP_NISTZ256_AVX2 is not sufficient to make it work,
- * you'd need to compile even asm/ecp_nistz256-avx.pl module.
- */
-#if defined(ECP_NISTZ256_AVX2)
-# if !(defined(__x86_64) || defined(__x86_64__) || \
- defined(_M_AMD64) || defined(_M_X64)) || \
- !(defined(__GNUC__) || defined(_MSC_VER)) /* this is for ALIGN32 */
-# undef ECP_NISTZ256_AVX2
-# else
-/* Constant time access, loading four values, from four consecutive tables */
-void ecp_nistz256_avx2_multi_gather_w7(void *result, const void *in,
- int index0, int index1, int index2,
- int index3);
-void ecp_nistz256_avx2_transpose_convert(void *RESULTx4, const void *in);
-void ecp_nistz256_avx2_convert_transpose_back(void *result, const void *Ax4);
-void ecp_nistz256_avx2_point_add_affine_x4(void *RESULTx4, const void *Ax4,
- const void *Bx4);
-void ecp_nistz256_avx2_point_add_affines_x4(void *RESULTx4, const void *Ax4,
- const void *Bx4);
-void ecp_nistz256_avx2_to_mont(void *RESULTx4, const void *Ax4);
-void ecp_nistz256_avx2_from_mont(void *RESULTx4, const void *Ax4);
-void ecp_nistz256_avx2_set1(void *RESULTx4);
-int ecp_nistz_avx2_eligible(void);
-
-static void booth_recode_w7(unsigned char *sign,
- unsigned char *digit, unsigned char in)
-{
- unsigned char s, d;
-
- s = ~((in >> 7) - 1);
- d = (1 << 8) - in - 1;
- d = (d & s) | (in & ~s);
- d = (d >> 1) + (d & 1);
-
- *sign = s & 1;
- *digit = d;
-}
-
-/*
- * ecp_nistz256_avx2_mul_g performs multiplication by G, using only the
- * precomputed table. It does 4 affine point additions in parallel,
- * significantly speeding up point multiplication for a fixed value.
- */
-static void ecp_nistz256_avx2_mul_g(P256_POINT *r,
- unsigned char p_str[33],
- const P256_POINT_AFFINE(*preComputedTable)[64])
-{
- const unsigned int window_size = 7;
- const unsigned int mask = (1 << (window_size + 1)) - 1;
- unsigned int wvalue;
- /* Using 4 windows at a time */
- unsigned char sign0, digit0;
- unsigned char sign1, digit1;
- unsigned char sign2, digit2;
- unsigned char sign3, digit3;
- unsigned int idx = 0;
- BN_ULONG tmp[P256_LIMBS];
- int i;
-
- ALIGN32 BN_ULONG aX4[4 * 9 * 3] = { 0 };
- ALIGN32 BN_ULONG bX4[4 * 9 * 2] = { 0 };
- ALIGN32 P256_POINT_AFFINE point_arr[4];
- ALIGN32 P256_POINT res_point_arr[4];
-
- /* Initial four windows */
- wvalue = *((u16 *) & p_str[0]);
- wvalue = (wvalue << 1) & mask;
- idx += window_size;
- booth_recode_w7(&sign0, &digit0, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign1, &digit1, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign2, &digit2, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign3, &digit3, wvalue);
-
- ecp_nistz256_avx2_multi_gather_w7(point_arr, preComputedTable[0],
- digit0, digit1, digit2, digit3);
-
- ecp_nistz256_neg(tmp, point_arr[0].Y);
- copy_conditional(point_arr[0].Y, tmp, sign0);
- ecp_nistz256_neg(tmp, point_arr[1].Y);
- copy_conditional(point_arr[1].Y, tmp, sign1);
- ecp_nistz256_neg(tmp, point_arr[2].Y);
- copy_conditional(point_arr[2].Y, tmp, sign2);
- ecp_nistz256_neg(tmp, point_arr[3].Y);
- copy_conditional(point_arr[3].Y, tmp, sign3);
-
- ecp_nistz256_avx2_transpose_convert(aX4, point_arr);
- ecp_nistz256_avx2_to_mont(aX4, aX4);
- ecp_nistz256_avx2_to_mont(&aX4[4 * 9], &aX4[4 * 9]);
- ecp_nistz256_avx2_set1(&aX4[4 * 9 * 2]);
-
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign0, &digit0, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign1, &digit1, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign2, &digit2, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign3, &digit3, wvalue);
-
- ecp_nistz256_avx2_multi_gather_w7(point_arr, preComputedTable[4 * 1],
- digit0, digit1, digit2, digit3);
-
- ecp_nistz256_neg(tmp, point_arr[0].Y);
- copy_conditional(point_arr[0].Y, tmp, sign0);
- ecp_nistz256_neg(tmp, point_arr[1].Y);
- copy_conditional(point_arr[1].Y, tmp, sign1);
- ecp_nistz256_neg(tmp, point_arr[2].Y);
- copy_conditional(point_arr[2].Y, tmp, sign2);
- ecp_nistz256_neg(tmp, point_arr[3].Y);
- copy_conditional(point_arr[3].Y, tmp, sign3);
-
- ecp_nistz256_avx2_transpose_convert(bX4, point_arr);
- ecp_nistz256_avx2_to_mont(bX4, bX4);
- ecp_nistz256_avx2_to_mont(&bX4[4 * 9], &bX4[4 * 9]);
- /* Optimized when both inputs are affine */
- ecp_nistz256_avx2_point_add_affines_x4(aX4, aX4, bX4);
-
- for (i = 2; i < 9; i++) {
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign0, &digit0, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign1, &digit1, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign2, &digit2, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign3, &digit3, wvalue);
-
- ecp_nistz256_avx2_multi_gather_w7(point_arr,
- preComputedTable[4 * i],
- digit0, digit1, digit2, digit3);
-
- ecp_nistz256_neg(tmp, point_arr[0].Y);
- copy_conditional(point_arr[0].Y, tmp, sign0);
- ecp_nistz256_neg(tmp, point_arr[1].Y);
- copy_conditional(point_arr[1].Y, tmp, sign1);
- ecp_nistz256_neg(tmp, point_arr[2].Y);
- copy_conditional(point_arr[2].Y, tmp, sign2);
- ecp_nistz256_neg(tmp, point_arr[3].Y);
- copy_conditional(point_arr[3].Y, tmp, sign3);
-
- ecp_nistz256_avx2_transpose_convert(bX4, point_arr);
- ecp_nistz256_avx2_to_mont(bX4, bX4);
- ecp_nistz256_avx2_to_mont(&bX4[4 * 9], &bX4[4 * 9]);
-
- ecp_nistz256_avx2_point_add_affine_x4(aX4, aX4, bX4);
- }
-
- ecp_nistz256_avx2_from_mont(&aX4[4 * 9 * 0], &aX4[4 * 9 * 0]);
- ecp_nistz256_avx2_from_mont(&aX4[4 * 9 * 1], &aX4[4 * 9 * 1]);
- ecp_nistz256_avx2_from_mont(&aX4[4 * 9 * 2], &aX4[4 * 9 * 2]);
-
- ecp_nistz256_avx2_convert_transpose_back(res_point_arr, aX4);
- /* Last window is performed serially */
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- booth_recode_w7(&sign0, &digit0, wvalue);
- ecp_nistz256_gather_w7((P256_POINT_AFFINE *)r,
- preComputedTable[36], digit0);
- ecp_nistz256_neg(tmp, r->Y);
- copy_conditional(r->Y, tmp, sign0);
- memcpy(r->Z, ONE, sizeof(ONE));
- /* Sum the four windows */
- ecp_nistz256_point_add(r, r, &res_point_arr[0]);
- ecp_nistz256_point_add(r, r, &res_point_arr[1]);
- ecp_nistz256_point_add(r, r, &res_point_arr[2]);
- ecp_nistz256_point_add(r, r, &res_point_arr[3]);
-}
-# endif
-#endif
-
__owur static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *group,
const P256_POINT_AFFINE *in,
BN_CTX *ctx)
BIGNUM *tmp_scalar;
if ((num + 1) == 0 || (num + 1) > OPENSSL_MALLOC_MAX_NELEMS(void *)) {
- ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_EC, ERR_R_PASSED_INVALID_ARGUMENT);
return 0;
}
+ memset(&p, 0, sizeof(p));
BN_CTX_start(ctx);
if (scalar) {
generator = EC_GROUP_get0_generator(group);
if (generator == NULL) {
- ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, EC_R_UNDEFINED_GENERATOR);
+ ERR_raise(ERR_LIB_EC, EC_R_UNDEFINED_GENERATOR);
goto err;
}
}
if (preComputedTable) {
+ BN_ULONG infty;
+
if ((BN_num_bits(scalar) > 256)
|| BN_is_negative(scalar)) {
if ((tmp_scalar = BN_CTX_get(ctx)) == NULL)
goto err;
if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) {
- ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_BN_LIB);
+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
goto err;
}
scalar = tmp_scalar;
for (; i < 33; i++)
p_str[i] = 0;
-#if defined(ECP_NISTZ256_AVX2)
- if (ecp_nistz_avx2_eligible()) {
- ecp_nistz256_avx2_mul_g(&p.p, p_str, preComputedTable);
- } else
-#endif
- {
- BN_ULONG infty;
+ /* First window */
+ wvalue = (p_str[0] << 1) & mask;
+ idx += window_size;
- /* First window */
- wvalue = (p_str[0] << 1) & mask;
- idx += window_size;
+ wvalue = _booth_recode_w7(wvalue);
- wvalue = _booth_recode_w7(wvalue);
+ ecp_nistz256_gather_w7(&p.a, preComputedTable[0],
+ wvalue >> 1);
- ecp_nistz256_gather_w7(&p.a, preComputedTable[0],
- wvalue >> 1);
-
- ecp_nistz256_neg(p.p.Z, p.p.Y);
- copy_conditional(p.p.Y, p.p.Z, wvalue & 1);
-
- /*
- * Since affine infinity is encoded as (0,0) and
- * Jacobian ias (,,0), we need to harmonize them
- * by assigning "one" or zero to Z.
- */
- infty = (p.p.X[0] | p.p.X[1] | p.p.X[2] | p.p.X[3] |
- p.p.Y[0] | p.p.Y[1] | p.p.Y[2] | p.p.Y[3]);
- if (P256_LIMBS == 8)
- infty |= (p.p.X[4] | p.p.X[5] | p.p.X[6] | p.p.X[7] |
- p.p.Y[4] | p.p.Y[5] | p.p.Y[6] | p.p.Y[7]);
-
- infty = 0 - is_zero(infty);
- infty = ~infty;
-
- p.p.Z[0] = ONE[0] & infty;
- p.p.Z[1] = ONE[1] & infty;
- p.p.Z[2] = ONE[2] & infty;
- p.p.Z[3] = ONE[3] & infty;
- if (P256_LIMBS == 8) {
- p.p.Z[4] = ONE[4] & infty;
- p.p.Z[5] = ONE[5] & infty;
- p.p.Z[6] = ONE[6] & infty;
- p.p.Z[7] = ONE[7] & infty;
- }
+ ecp_nistz256_neg(p.p.Z, p.p.Y);
+ copy_conditional(p.p.Y, p.p.Z, wvalue & 1);
- for (i = 1; i < 37; i++) {
- unsigned int off = (idx - 1) / 8;
- wvalue = p_str[off] | p_str[off + 1] << 8;
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
+ /*
+ * Since affine infinity is encoded as (0,0) and
+ * Jacobian is (,,0), we need to harmonize them
+ * by assigning "one" or zero to Z.
+ */
+ infty = (p.p.X[0] | p.p.X[1] | p.p.X[2] | p.p.X[3] |
+ p.p.Y[0] | p.p.Y[1] | p.p.Y[2] | p.p.Y[3]);
+ if (P256_LIMBS == 8)
+ infty |= (p.p.X[4] | p.p.X[5] | p.p.X[6] | p.p.X[7] |
+ p.p.Y[4] | p.p.Y[5] | p.p.Y[6] | p.p.Y[7]);
+
+ infty = 0 - is_zero(infty);
+ infty = ~infty;
+
+ p.p.Z[0] = ONE[0] & infty;
+ p.p.Z[1] = ONE[1] & infty;
+ p.p.Z[2] = ONE[2] & infty;
+ p.p.Z[3] = ONE[3] & infty;
+ if (P256_LIMBS == 8) {
+ p.p.Z[4] = ONE[4] & infty;
+ p.p.Z[5] = ONE[5] & infty;
+ p.p.Z[6] = ONE[6] & infty;
+ p.p.Z[7] = ONE[7] & infty;
+ }
- wvalue = _booth_recode_w7(wvalue);
+ for (i = 1; i < 37; i++) {
+ unsigned int off = (idx - 1) / 8;
+ wvalue = p_str[off] | p_str[off + 1] << 8;
+ wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
+ idx += window_size;
- ecp_nistz256_gather_w7(&t.a,
- preComputedTable[i], wvalue >> 1);
+ wvalue = _booth_recode_w7(wvalue);
- ecp_nistz256_neg(t.p.Z, t.a.Y);
- copy_conditional(t.a.Y, t.p.Z, wvalue & 1);
+ ecp_nistz256_gather_w7(&t.a,
+ preComputedTable[i], wvalue >> 1);
- ecp_nistz256_point_add_affine(&p.p, &p.p, &t.a);
- }
+ ecp_nistz256_neg(t.p.Z, t.a.Y);
+ copy_conditional(t.a.Y, t.p.Z, wvalue & 1);
+
+ ecp_nistz256_point_add_affine(&p.p, &p.p, &t.a);
}
} else {
p_is_infinity = 1;
* handled like a normal point.
*/
new_scalars = OPENSSL_malloc((num + 1) * sizeof(BIGNUM *));
- if (new_scalars == NULL) {
- ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE);
+ if (new_scalars == NULL)
goto err;
- }
new_points = OPENSSL_malloc((num + 1) * sizeof(EC_POINT *));
- if (new_points == NULL) {
- ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE);
+ if (new_points == NULL)
goto err;
- }
memcpy(new_scalars, scalars, num * sizeof(BIGNUM *));
new_scalars[num] = scalar;
BN_ULONG x_ret[P256_LIMBS], y_ret[P256_LIMBS];
if (EC_POINT_is_at_infinity(group, point)) {
- ECerr(EC_F_ECP_NISTZ256_GET_AFFINE, EC_R_POINT_AT_INFINITY);
+ ERR_raise(ERR_LIB_EC, EC_R_POINT_AT_INFINITY);
return 0;
}
if (!ecp_nistz256_bignum_to_field_elem(point_x, point->X) ||
!ecp_nistz256_bignum_to_field_elem(point_y, point->Y) ||
!ecp_nistz256_bignum_to_field_elem(point_z, point->Z)) {
- ECerr(EC_F_ECP_NISTZ256_GET_AFFINE, EC_R_COORDINATES_OUT_OF_RANGE);
+ ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
return 0;
}
ret = OPENSSL_zalloc(sizeof(*ret));
- if (ret == NULL) {
- ECerr(EC_F_ECP_NISTZ256_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
+ if (ret == NULL)
return ret;
- }
ret->group = group;
ret->w = 6; /* default */
- ret->references = 1;
- ret->lock = CRYPTO_THREAD_lock_new();
- if (ret->lock == NULL) {
- ECerr(EC_F_ECP_NISTZ256_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
+ if (!CRYPTO_NEW_REF(&ret->references, 1)) {
OPENSSL_free(ret);
return NULL;
}
{
int i;
if (p != NULL)
- CRYPTO_UP_REF(&p->references, &i, p->lock);
+ CRYPTO_UP_REF(&p->references, &i);
return p;
}
if (pre == NULL)
return;
- CRYPTO_DOWN_REF(&pre->references, &i, pre->lock);
+ CRYPTO_DOWN_REF(&pre->references, &i);
REF_PRINT_COUNT("EC_nistz256", pre);
if (i > 0)
return;
REF_ASSERT_ISNT(i < 0);
OPENSSL_free(pre->precomp_storage);
- CRYPTO_THREAD_lock_free(pre->lock);
+ CRYPTO_FREE_REF(&pre->references);
OPENSSL_free(pre);
}
* Catch allocation failure early.
*/
if (bn_wexpand(r, P256_LIMBS) == NULL) {
- ECerr(EC_F_ECP_NISTZ256_INV_MOD_ORD, ERR_R_BN_LIB);
+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
goto err;
}
if ((tmp = BN_CTX_get(ctx)) == NULL
|| !BN_nnmod(tmp, x, group->order, ctx)) {
- ECerr(EC_F_ECP_NISTZ256_INV_MOD_ORD, ERR_R_BN_LIB);
+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
goto err;
}
x = tmp;
}
if (!ecp_nistz256_bignum_to_field_elem(t, x)) {
- ECerr(EC_F_ECP_NISTZ256_INV_MOD_ORD, EC_R_COORDINATES_OUT_OF_RANGE);
+ ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
goto err;
}
/*
* The bottom 128 bit of the exponent are processed with fixed 4-bit window
*/
- for(i = 0; i < 32; i++) {
+ for (i = 0; i < 32; i++) {
/* expLo - the low 128 bits of the exponent we use (ord(p256) - 2),
* split into nibbles */
static const unsigned char expLo[32] = {
static const EC_METHOD ret = {
EC_FLAGS_DEFAULT_OCT,
NID_X9_62_prime_field,
- ec_GFp_mont_group_init,
- ec_GFp_mont_group_finish,
- ec_GFp_mont_group_clear_finish,
- ec_GFp_mont_group_copy,
- ec_GFp_mont_group_set_curve,
- ec_GFp_simple_group_get_curve,
- ec_GFp_simple_group_get_degree,
- ec_group_simple_order_bits,
- ec_GFp_simple_group_check_discriminant,
- ec_GFp_simple_point_init,
- ec_GFp_simple_point_finish,
- ec_GFp_simple_point_clear_finish,
- ec_GFp_simple_point_copy,
- ec_GFp_simple_point_set_to_infinity,
- ec_GFp_simple_point_set_affine_coordinates,
+ ossl_ec_GFp_mont_group_init,
+ ossl_ec_GFp_mont_group_finish,
+ ossl_ec_GFp_mont_group_clear_finish,
+ ossl_ec_GFp_mont_group_copy,
+ ossl_ec_GFp_mont_group_set_curve,
+ ossl_ec_GFp_simple_group_get_curve,
+ ossl_ec_GFp_simple_group_get_degree,
+ ossl_ec_group_simple_order_bits,
+ ossl_ec_GFp_simple_group_check_discriminant,
+ ossl_ec_GFp_simple_point_init,
+ ossl_ec_GFp_simple_point_finish,
+ ossl_ec_GFp_simple_point_clear_finish,
+ ossl_ec_GFp_simple_point_copy,
+ ossl_ec_GFp_simple_point_set_to_infinity,
+ ossl_ec_GFp_simple_point_set_affine_coordinates,
ecp_nistz256_get_affine,
0, 0, 0,
- ec_GFp_simple_add,
- ec_GFp_simple_dbl,
- ec_GFp_simple_invert,
- ec_GFp_simple_is_at_infinity,
- ec_GFp_simple_is_on_curve,
- ec_GFp_simple_cmp,
- ec_GFp_simple_make_affine,
- ec_GFp_simple_points_make_affine,
+ ossl_ec_GFp_simple_add,
+ ossl_ec_GFp_simple_dbl,
+ ossl_ec_GFp_simple_invert,
+ ossl_ec_GFp_simple_is_at_infinity,
+ ossl_ec_GFp_simple_is_on_curve,
+ ossl_ec_GFp_simple_cmp,
+ ossl_ec_GFp_simple_make_affine,
+ ossl_ec_GFp_simple_points_make_affine,
ecp_nistz256_points_mul, /* mul */
ecp_nistz256_mult_precompute, /* precompute_mult */
ecp_nistz256_window_have_precompute_mult, /* have_precompute_mult */
- ec_GFp_mont_field_mul,
- ec_GFp_mont_field_sqr,
+ ossl_ec_GFp_mont_field_mul,
+ ossl_ec_GFp_mont_field_sqr,
0, /* field_div */
- ec_GFp_mont_field_inv,
- ec_GFp_mont_field_encode,
- ec_GFp_mont_field_decode,
- ec_GFp_mont_field_set_to_one,
- ec_key_simple_priv2oct,
- ec_key_simple_oct2priv,
+ ossl_ec_GFp_mont_field_inv,
+ ossl_ec_GFp_mont_field_encode,
+ ossl_ec_GFp_mont_field_decode,
+ ossl_ec_GFp_mont_field_set_to_one,
+ ossl_ec_key_simple_priv2oct,
+ ossl_ec_key_simple_oct2priv,
0, /* set private */
- ec_key_simple_generate_key,
- ec_key_simple_check_key,
- ec_key_simple_generate_public_key,
+ ossl_ec_key_simple_generate_key,
+ ossl_ec_key_simple_check_key,
+ ossl_ec_key_simple_generate_public_key,
0, /* keycopy */
0, /* keyfinish */
- ecdh_simple_compute_key,
- ecdsa_simple_sign_setup,
- ecdsa_simple_sign_sig,
- ecdsa_simple_verify_sig,
+ ossl_ecdh_simple_compute_key,
+ ossl_ecdsa_simple_sign_setup,
+ ossl_ecdsa_simple_sign_sig,
+ ossl_ecdsa_simple_verify_sig,
ecp_nistz256_inv_mod_ord, /* can be #define-d NULL */
0, /* blind_coordinates */
0, /* ladder_pre */