diff options
Diffstat (limited to 'src/libs/3rdparty/botan/src/lib/pubkey/ec_group')
10 files changed, 0 insertions, 3911 deletions
diff --git a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/curve_gfp.cpp b/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/curve_gfp.cpp deleted file mode 100644 index bd68a3ed7d..0000000000 --- a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/curve_gfp.cpp +++ /dev/null @@ -1,576 +0,0 @@ -/* -* Elliptic curves over GF(p) Montgomery Representation -* (C) 2014,2015,2018 Jack Lloyd -* 2016 Matthias Gierlings -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/curve_gfp.h> -#include <botan/curve_nistp.h> -#include <botan/numthry.h> -#include <botan/reducer.h> -#include <botan/internal/mp_core.h> -#include <botan/internal/mp_asmi.h> - -namespace Botan { - -namespace { - -class CurveGFp_Montgomery final : public CurveGFp_Repr - { - public: - CurveGFp_Montgomery(const BigInt& p, const BigInt& a, const BigInt& b) : - m_p(p), m_a(a), m_b(b), - m_p_words(m_p.sig_words()), - m_p_dash(monty_inverse(m_p.word_at(0))) - { - Modular_Reducer mod_p(m_p); - - m_r.set_bit(m_p_words * BOTAN_MP_WORD_BITS); - m_r = mod_p.reduce(m_r); - - m_r2 = mod_p.square(m_r); - m_r3 = mod_p.multiply(m_r, m_r2); - m_a_r = mod_p.multiply(m_r, m_a); - m_b_r = mod_p.multiply(m_r, m_b); - - m_a_is_zero = m_a.is_zero(); - m_a_is_minus_3 = (m_a + 3 == m_p); - } - - bool a_is_zero() const override { return m_a_is_zero; } - bool a_is_minus_3() const override { return m_a_is_minus_3; } - - const BigInt& get_a() const override { return m_a; } - - const BigInt& get_b() const override { return m_b; } - - const BigInt& get_p() const override { return m_p; } - - const BigInt& get_a_rep() const override { return m_a_r; } - - const BigInt& get_b_rep() const override { return m_b_r; } - - const BigInt& get_1_rep() const override { return m_r; } - - bool is_one(const BigInt& x) const override { return x == m_r; } - - size_t get_p_words() const override { return m_p_words; } - - size_t get_ws_size() const override { return 2*m_p_words + 4; } - - void redc_mod_p(BigInt& z, secure_vector<word>& ws) const override; - - BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override; - - void to_curve_rep(BigInt& x, secure_vector<word>& ws) const override; - - void from_curve_rep(BigInt& x, secure_vector<word>& ws) const override; - - void curve_mul_words(BigInt& z, - const word x_words[], - const size_t x_size, - const BigInt& y, - secure_vector<word>& ws) const override; - - void curve_sqr_words(BigInt& z, - const word x_words[], - size_t x_size, - secure_vector<word>& ws) const override; - - private: - BigInt m_p; - BigInt m_a, m_b; - BigInt m_a_r, m_b_r; - size_t m_p_words; // cache of m_p.sig_words() - - // Montgomery parameters - BigInt m_r, m_r2, m_r3; - word m_p_dash; - - bool m_a_is_zero; - bool m_a_is_minus_3; - }; - -void CurveGFp_Montgomery::redc_mod_p(BigInt& z, secure_vector<word>& ws) const - { - z.reduce_below(m_p, ws); - } - -BigInt CurveGFp_Montgomery::invert_element(const BigInt& x, secure_vector<word>& ws) const - { - // Should we use Montgomery inverse instead? - const BigInt inv = inverse_mod(x, m_p); - BigInt res; - curve_mul(res, inv, m_r3, ws); - return res; - } - -void CurveGFp_Montgomery::to_curve_rep(BigInt& x, secure_vector<word>& ws) const - { - const BigInt tx = x; - curve_mul(x, tx, m_r2, ws); - } - -void CurveGFp_Montgomery::from_curve_rep(BigInt& z, secure_vector<word>& ws) const - { - if(ws.size() < get_ws_size()) - ws.resize(get_ws_size()); - - const size_t output_size = 2*m_p_words + 2; - if(z.size() < output_size) - z.grow_to(output_size); - - bigint_monty_redc(z.mutable_data(), - m_p.data(), m_p_words, m_p_dash, - ws.data(), ws.size()); - } - -void CurveGFp_Montgomery::curve_mul_words(BigInt& z, - const word x_w[], - size_t x_size, - const BigInt& y, - secure_vector<word>& ws) const - { - BOTAN_DEBUG_ASSERT(y.sig_words() <= m_p_words); - - if(ws.size() < get_ws_size()) - ws.resize(get_ws_size()); - - const size_t output_size = 2*m_p_words + 2; - if(z.size() < output_size) - z.grow_to(output_size); - - bigint_mul(z.mutable_data(), z.size(), - x_w, x_size, std::min(m_p_words, x_size), - y.data(), y.size(), std::min(m_p_words, y.size()), - ws.data(), ws.size()); - - bigint_monty_redc(z.mutable_data(), - m_p.data(), m_p_words, m_p_dash, - ws.data(), ws.size()); - } - -void CurveGFp_Montgomery::curve_sqr_words(BigInt& z, - const word x[], - size_t x_size, - secure_vector<word>& ws) const - { - if(ws.size() < get_ws_size()) - ws.resize(get_ws_size()); - - const size_t output_size = 2*m_p_words + 2; - if(z.size() < output_size) - z.grow_to(output_size); - - bigint_sqr(z.mutable_data(), z.size(), - x, x_size, std::min(m_p_words, x_size), - ws.data(), ws.size()); - - bigint_monty_redc(z.mutable_data(), - m_p.data(), m_p_words, m_p_dash, - ws.data(), ws.size()); - } - -class CurveGFp_NIST : public CurveGFp_Repr - { - public: - CurveGFp_NIST(size_t p_bits, const BigInt& a, const BigInt& b) : - m_1(1), m_a(a), m_b(b), m_p_words((p_bits + BOTAN_MP_WORD_BITS - 1) / BOTAN_MP_WORD_BITS) - { - // All Solinas prime curves are assumed a == -3 - } - - bool a_is_zero() const override { return false; } - bool a_is_minus_3() const override { return true; } - - const BigInt& get_a() const override { return m_a; } - - const BigInt& get_b() const override { return m_b; } - - const BigInt& get_1_rep() const override { return m_1; } - - size_t get_p_words() const override { return m_p_words; } - - size_t get_ws_size() const override { return 2*m_p_words + 4; } - - const BigInt& get_a_rep() const override { return m_a; } - - const BigInt& get_b_rep() const override { return m_b; } - - bool is_one(const BigInt& x) const override { return x == 1; } - - void to_curve_rep(BigInt& x, secure_vector<word>& ws) const override - { redc_mod_p(x, ws); } - - void from_curve_rep(BigInt& x, secure_vector<word>& ws) const override - { redc_mod_p(x, ws); } - - BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override; - - void curve_mul_words(BigInt& z, - const word x_words[], - const size_t x_size, - const BigInt& y, - secure_vector<word>& ws) const override; - - void curve_mul_tmp(BigInt& x, const BigInt& y, BigInt& tmp, secure_vector<word>& ws) const - { - curve_mul(tmp, x, y, ws); - x.swap(tmp); - } - - void curve_sqr_tmp(BigInt& x, BigInt& tmp, secure_vector<word>& ws) const - { - curve_sqr(tmp, x, ws); - x.swap(tmp); - } - - void curve_sqr_words(BigInt& z, - const word x_words[], - size_t x_size, - secure_vector<word>& ws) const override; - private: - // Curve parameters - BigInt m_1; - BigInt m_a, m_b; - size_t m_p_words; // cache of m_p.sig_words() - }; - -BigInt CurveGFp_NIST::invert_element(const BigInt& x, secure_vector<word>& ws) const - { - BOTAN_UNUSED(ws); - return inverse_mod(x, get_p()); - } - -void CurveGFp_NIST::curve_mul_words(BigInt& z, - const word x_w[], - size_t x_size, - const BigInt& y, - secure_vector<word>& ws) const - { - BOTAN_DEBUG_ASSERT(y.sig_words() <= m_p_words); - - if(ws.size() < get_ws_size()) - ws.resize(get_ws_size()); - - const size_t output_size = 2*m_p_words + 2; - if(z.size() < output_size) - z.grow_to(output_size); - - bigint_mul(z.mutable_data(), z.size(), - x_w, x_size, std::min(m_p_words, x_size), - y.data(), y.size(), std::min(m_p_words, y.size()), - ws.data(), ws.size()); - - this->redc_mod_p(z, ws); - } - -void CurveGFp_NIST::curve_sqr_words(BigInt& z, const word x[], size_t x_size, - secure_vector<word>& ws) const - { - if(ws.size() < get_ws_size()) - ws.resize(get_ws_size()); - - const size_t output_size = 2*m_p_words + 2; - if(z.size() < output_size) - z.grow_to(output_size); - - bigint_sqr(z.mutable_data(), output_size, - x, x_size, std::min(m_p_words, x_size), - ws.data(), ws.size()); - - this->redc_mod_p(z, ws); - } - -#if defined(BOTAN_HAS_NIST_PRIME_REDUCERS_W32) - -/** -* The NIST P-192 curve -*/ -class CurveGFp_P192 final : public CurveGFp_NIST - { - public: - CurveGFp_P192(const BigInt& a, const BigInt& b) : CurveGFp_NIST(192, a, b) {} - const BigInt& get_p() const override { return prime_p192(); } - private: - void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p192(x, ws); } - }; - -/** -* The NIST P-224 curve -*/ -class CurveGFp_P224 final : public CurveGFp_NIST - { - public: - CurveGFp_P224(const BigInt& a, const BigInt& b) : CurveGFp_NIST(224, a, b) {} - const BigInt& get_p() const override { return prime_p224(); } - private: - void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p224(x, ws); } - }; - -/** -* The NIST P-256 curve -*/ -class CurveGFp_P256 final : public CurveGFp_NIST - { - public: - CurveGFp_P256(const BigInt& a, const BigInt& b) : CurveGFp_NIST(256, a, b) {} - const BigInt& get_p() const override { return prime_p256(); } - private: - void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p256(x, ws); } - BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override; - }; - -BigInt CurveGFp_P256::invert_element(const BigInt& x, secure_vector<word>& ws) const - { - BigInt r, p2, p4, p8, p16, p32, tmp; - - curve_sqr(r, x, ws); - - curve_mul(p2, r, x, ws); - curve_sqr(r, p2, ws); - curve_sqr_tmp(r, tmp, ws); - - curve_mul(p4, r, p2, ws); - - curve_sqr(r, p4, ws); - for(size_t i = 0; i != 3; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul(p8, r, p4, ws);; - - curve_sqr(r, p8, ws); - for(size_t i = 0; i != 7; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul(p16, r, p8, ws); - - curve_sqr(r, p16, ws); - for(size_t i = 0; i != 15; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul(p32, r, p16, ws); - - curve_sqr(r, p32, ws); - for(size_t i = 0; i != 31; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x, tmp, ws); - - for(size_t i = 0; i != 32*4; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, p32, tmp, ws); - - for(size_t i = 0; i != 32; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, p32, tmp, ws); - - for(size_t i = 0; i != 16; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, p16, tmp, ws); - for(size_t i = 0; i != 8; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, p8, tmp, ws); - - for(size_t i = 0; i != 4; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, p4, tmp, ws); - - for(size_t i = 0; i != 2; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, p2, tmp, ws); - - for(size_t i = 0; i != 2; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x, tmp, ws); - - return r; - } - -/** -* The NIST P-384 curve -*/ -class CurveGFp_P384 final : public CurveGFp_NIST - { - public: - CurveGFp_P384(const BigInt& a, const BigInt& b) : CurveGFp_NIST(384, a, b) {} - const BigInt& get_p() const override { return prime_p384(); } - private: - void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p384(x, ws); } - BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override; - }; - -BigInt CurveGFp_P384::invert_element(const BigInt& x, secure_vector<word>& ws) const - { - BigInt r, x2, x3, x15, x30, tmp, rl; - - r = x; - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x, tmp, ws); - x2 = r; - - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x, tmp, ws); - - x3 = r; - - for(size_t i = 0; i != 3; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x3, tmp, ws); - - rl = r; - for(size_t i = 0; i != 6; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, rl, tmp, ws); - - for(size_t i = 0; i != 3; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x3, tmp, ws); - - x15 = r; - for(size_t i = 0; i != 15; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x15, tmp, ws); - - x30 = r; - for(size_t i = 0; i != 30; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x30, tmp, ws); - - rl = r; - for(size_t i = 0; i != 60; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, rl, tmp, ws); - - rl = r; - for(size_t i = 0; i != 120; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, rl, tmp, ws); - - for(size_t i = 0; i != 15; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x15, tmp, ws); - - for(size_t i = 0; i != 31; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x30, tmp, ws); - - for(size_t i = 0; i != 2; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x2, tmp, ws); - - for(size_t i = 0; i != 94; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x30, tmp, ws); - - for(size_t i = 0; i != 2; ++i) - curve_sqr_tmp(r, tmp, ws); - - curve_mul_tmp(r, x, tmp, ws); - - return r; - } - -#endif - -/** -* The NIST P-521 curve -*/ -class CurveGFp_P521 final : public CurveGFp_NIST - { - public: - CurveGFp_P521(const BigInt& a, const BigInt& b) : CurveGFp_NIST(521, a, b) {} - const BigInt& get_p() const override { return prime_p521(); } - private: - void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p521(x, ws); } - BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override; - }; - -BigInt CurveGFp_P521::invert_element(const BigInt& x, secure_vector<word>& ws) const - { - BigInt r; - BigInt rl; - BigInt a7; - BigInt tmp; - - curve_sqr(r, x, ws); - curve_mul_tmp(r, x, tmp, ws); - - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x, tmp, ws); - - rl = r; - - for(size_t i = 0; i != 3; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, rl, tmp, ws); - - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x, tmp, ws); - a7 = r; // need this value later - - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x, tmp, ws); - - rl = r; - for(size_t i = 0; i != 8; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, rl, tmp, ws); - - rl = r; - for(size_t i = 0; i != 16; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, rl, tmp, ws); - - rl = r; - for(size_t i = 0; i != 32; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, rl, tmp, ws); - - rl = r; - for(size_t i = 0; i != 64; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, rl, tmp, ws); - - rl = r; - for(size_t i = 0; i != 128; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, rl, tmp, ws); - - rl = r; - for(size_t i = 0; i != 256; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, rl, tmp, ws); - - for(size_t i = 0; i != 7; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, a7, tmp, ws); - - for(size_t i = 0; i != 2; ++i) - curve_sqr_tmp(r, tmp, ws); - curve_mul_tmp(r, x, tmp, ws); - - return r; - } - -} - -std::shared_ptr<CurveGFp_Repr> -CurveGFp::choose_repr(const BigInt& p, const BigInt& a, const BigInt& b) - { -#if defined(BOTAN_HAS_NIST_PRIME_REDUCERS_W32) - if(p == prime_p192()) - return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P192(a, b)); - if(p == prime_p224()) - return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P224(a, b)); - if(p == prime_p256()) - return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P256(a, b)); - if(p == prime_p384()) - return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P384(a, b)); -#endif - - if(p == prime_p521()) - return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P521(a, b)); - - return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_Montgomery(p, a, b)); - } - -} diff --git a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/curve_gfp.h b/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/curve_gfp.h deleted file mode 100644 index ce3fe4eba8..0000000000 --- a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/curve_gfp.h +++ /dev/null @@ -1,269 +0,0 @@ -/* -* Elliptic curves over GF(p) -* -* (C) 2007 Martin Doering, Christoph Ludwig, Falko Strenzke -* 2010-2011,2012,2014 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_GFP_CURVE_H_ -#define BOTAN_GFP_CURVE_H_ - -#include <botan/bigint.h> -#include <memory> - -namespace Botan { - -class BOTAN_UNSTABLE_API CurveGFp_Repr - { - public: - virtual ~CurveGFp_Repr() = default; - - virtual const BigInt& get_p() const = 0; - virtual const BigInt& get_a() const = 0; - virtual const BigInt& get_b() const = 0; - - virtual size_t get_p_words() const = 0; - - virtual size_t get_ws_size() const = 0; - - virtual bool is_one(const BigInt& x) const = 0; - - virtual bool a_is_zero() const = 0; - - virtual bool a_is_minus_3() const = 0; - - /* - * Returns to_curve_rep(get_a()) - */ - virtual const BigInt& get_a_rep() const = 0; - - /* - * Returns to_curve_rep(get_b()) - */ - virtual const BigInt& get_b_rep() const = 0; - - /* - * Returns to_curve_rep(1) - */ - virtual const BigInt& get_1_rep() const = 0; - - virtual void redc_mod_p(BigInt& z, secure_vector<word>& ws) const = 0; - - virtual BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const = 0; - - virtual void to_curve_rep(BigInt& x, secure_vector<word>& ws) const = 0; - - virtual void from_curve_rep(BigInt& x, secure_vector<word>& ws) const = 0; - - void curve_mul(BigInt& z, const BigInt& x, const BigInt& y, - secure_vector<word>& ws) const - { - BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words); - curve_mul_words(z, x.data(), x.size(), y, ws); - } - - virtual void curve_mul_words(BigInt& z, - const word x_words[], - const size_t x_size, - const BigInt& y, - secure_vector<word>& ws) const = 0; - - void curve_sqr(BigInt& z, const BigInt& x, - secure_vector<word>& ws) const - { - BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words); - curve_sqr_words(z, x.data(), x.size(), ws); - } - - virtual void curve_sqr_words(BigInt& z, - const word x_words[], - size_t x_size, - secure_vector<word>& ws) const = 0; - }; - -/** -* This class represents an elliptic curve over GF(p) -* -* There should not be any reason for applications to use this type. -* If you need EC primitives use the interfaces EC_Group and PointGFp -* -* It is likely this class will be removed entirely in a future major -* release. -*/ -class BOTAN_UNSTABLE_API CurveGFp final - { - public: - - /** - * Create an uninitialized CurveGFp - */ - CurveGFp() = default; - - /** - * Construct the elliptic curve E: y^2 = x^3 + ax + b over GF(p) - * @param p prime number of the field - * @param a first coefficient - * @param b second coefficient - */ - CurveGFp(const BigInt& p, const BigInt& a, const BigInt& b) : - m_repr(choose_repr(p, a, b)) - { - } - - CurveGFp(const CurveGFp&) = default; - - CurveGFp& operator=(const CurveGFp&) = default; - - /** - * @return curve coefficient a - */ - const BigInt& get_a() const { return m_repr->get_a(); } - - /** - * @return curve coefficient b - */ - const BigInt& get_b() const { return m_repr->get_b(); } - - /** - * Get prime modulus of the field of the curve - * @return prime modulus of the field of the curve - */ - const BigInt& get_p() const { return m_repr->get_p(); } - - size_t get_p_words() const { return m_repr->get_p_words(); } - - size_t get_ws_size() const { return m_repr->get_ws_size(); } - - const BigInt& get_a_rep() const { return m_repr->get_a_rep(); } - - const BigInt& get_b_rep() const { return m_repr->get_b_rep(); } - - const BigInt& get_1_rep() const { return m_repr->get_1_rep(); } - - bool a_is_minus_3() const { return m_repr->a_is_minus_3(); } - bool a_is_zero() const { return m_repr->a_is_zero(); } - - bool is_one(const BigInt& x) const { return m_repr->is_one(x); } - - BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const - { - return m_repr->invert_element(x, ws); - } - - void to_rep(BigInt& x, secure_vector<word>& ws) const - { - m_repr->to_curve_rep(x, ws); - } - - void from_rep(BigInt& x, secure_vector<word>& ws) const - { - m_repr->from_curve_rep(x, ws); - } - - BigInt from_rep(const BigInt& x, secure_vector<word>& ws) const - { - BigInt xt(x); - m_repr->from_curve_rep(xt, ws); - return xt; - } - - // TODO: from_rep taking && ref - - void redc_mod_p(BigInt& z, secure_vector<word>& ws) const - { - m_repr->redc_mod_p(z, ws); - } - - void mul(BigInt& z, const BigInt& x, const BigInt& y, secure_vector<word>& ws) const - { - m_repr->curve_mul(z, x, y, ws); - } - - void mul(BigInt& z, const word x_w[], size_t x_size, - const BigInt& y, secure_vector<word>& ws) const - { - m_repr->curve_mul_words(z, x_w, x_size, y, ws); - } - - void sqr(BigInt& z, const BigInt& x, secure_vector<word>& ws) const - { - m_repr->curve_sqr(z, x, ws); - } - - void sqr(BigInt& z, const word x_w[], size_t x_size, secure_vector<word>& ws) const - { - m_repr->curve_sqr_words(z, x_w, x_size, ws); - } - - BigInt mul(const BigInt& x, const BigInt& y, secure_vector<word>& ws) const - { - return mul_to_tmp(x, y, ws); - } - - BigInt sqr(const BigInt& x, secure_vector<word>& ws) const - { - return sqr_to_tmp(x, ws); - } - - BigInt mul_to_tmp(const BigInt& x, const BigInt& y, secure_vector<word>& ws) const - { - BigInt z; - m_repr->curve_mul(z, x, y, ws); - return z; - } - - BigInt sqr_to_tmp(const BigInt& x, secure_vector<word>& ws) const - { - BigInt z; - m_repr->curve_sqr(z, x, ws); - return z; - } - - void swap(CurveGFp& other) - { - std::swap(m_repr, other.m_repr); - } - - /** - * Equality operator - * @param other a curve - * @return true iff *this is the same as other - */ - inline bool operator==(const CurveGFp& other) const - { - if(m_repr.get() == other.m_repr.get()) - return true; - - return (get_p() == other.get_p()) && - (get_a() == other.get_a()) && - (get_b() == other.get_b()); - } - - private: - static std::shared_ptr<CurveGFp_Repr> - choose_repr(const BigInt& p, const BigInt& a, const BigInt& b); - - std::shared_ptr<CurveGFp_Repr> m_repr; - }; - -inline bool operator!=(const CurveGFp& lhs, const CurveGFp& rhs) - { - return !(lhs == rhs); - } - -} - -namespace std { - -template<> inline -void swap<Botan::CurveGFp>(Botan::CurveGFp& curve1, - Botan::CurveGFp& curve2) BOTAN_NOEXCEPT - { - curve1.swap(curve2); - } - -} // namespace std - -#endif diff --git a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/ec_group.cpp b/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/ec_group.cpp deleted file mode 100644 index f4419c7f0b..0000000000 --- a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/ec_group.cpp +++ /dev/null @@ -1,753 +0,0 @@ -/* -* ECC Domain Parameters -* -* (C) 2007 Falko Strenzke, FlexSecure GmbH -* (C) 2008,2018 Jack Lloyd -* (C) 2018 Tobias Niemann -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/ec_group.h> -#include <botan/internal/point_mul.h> -#include <botan/internal/primality.h> -#include <botan/ber_dec.h> -#include <botan/der_enc.h> -#include <botan/oids.h> -#include <botan/pem.h> -#include <botan/reducer.h> -#include <botan/mutex.h> -#include <botan/rng.h> -#include <vector> - -namespace Botan { - -class EC_Group_Data final - { - public: - - EC_Group_Data(const BigInt& p, - const BigInt& a, - const BigInt& b, - const BigInt& g_x, - const BigInt& g_y, - const BigInt& order, - const BigInt& cofactor, - const OID& oid) : - m_curve(p, a, b), - m_base_point(m_curve, g_x, g_y), - m_g_x(g_x), - m_g_y(g_y), - m_order(order), - m_cofactor(cofactor), - m_mod_order(order), - m_base_mult(m_base_point, m_mod_order), - m_oid(oid), - m_p_bits(p.bits()), - m_order_bits(order.bits()), - m_a_is_minus_3(a == p - 3), - m_a_is_zero(a.is_zero()) - { - } - - bool match(const BigInt& p, const BigInt& a, const BigInt& b, - const BigInt& g_x, const BigInt& g_y, - const BigInt& order, const BigInt& cofactor) const - { - return (this->p() == p && - this->a() == a && - this->b() == b && - this->order() == order && - this->cofactor() == cofactor && - this->g_x() == g_x && - this->g_y() == g_y); - } - - const OID& oid() const { return m_oid; } - const BigInt& p() const { return m_curve.get_p(); } - const BigInt& a() const { return m_curve.get_a(); } - const BigInt& b() const { return m_curve.get_b(); } - const BigInt& order() const { return m_order; } - const BigInt& cofactor() const { return m_cofactor; } - const BigInt& g_x() const { return m_g_x; } - const BigInt& g_y() const { return m_g_y; } - - size_t p_bits() const { return m_p_bits; } - size_t p_bytes() const { return (m_p_bits + 7) / 8; } - - size_t order_bits() const { return m_order_bits; } - size_t order_bytes() const { return (m_order_bits + 7) / 8; } - - const CurveGFp& curve() const { return m_curve; } - const PointGFp& base_point() const { return m_base_point; } - - bool a_is_minus_3() const { return m_a_is_minus_3; } - bool a_is_zero() const { return m_a_is_zero; } - - BigInt mod_order(const BigInt& x) const { return m_mod_order.reduce(x); } - - BigInt square_mod_order(const BigInt& x) const - { - return m_mod_order.square(x); - } - - BigInt multiply_mod_order(const BigInt& x, const BigInt& y) const - { - return m_mod_order.multiply(x, y); - } - - BigInt multiply_mod_order(const BigInt& x, const BigInt& y, const BigInt& z) const - { - return m_mod_order.multiply(m_mod_order.multiply(x, y), z); - } - - BigInt inverse_mod_order(const BigInt& x) const - { - return inverse_mod(x, m_order); - } - - PointGFp blinded_base_point_multiply(const BigInt& k, - RandomNumberGenerator& rng, - std::vector<BigInt>& ws) const - { - return m_base_mult.mul(k, rng, m_order, ws); - } - - private: - CurveGFp m_curve; - PointGFp m_base_point; - - BigInt m_g_x; - BigInt m_g_y; - BigInt m_order; - BigInt m_cofactor; - Modular_Reducer m_mod_order; - PointGFp_Base_Point_Precompute m_base_mult; - OID m_oid; - size_t m_p_bits; - size_t m_order_bits; - bool m_a_is_minus_3; - bool m_a_is_zero; - }; - -class EC_Group_Data_Map final - { - public: - EC_Group_Data_Map() {} - - size_t clear() - { - lock_guard_type<mutex_type> lock(m_mutex); - size_t count = m_registered_curves.size(); - m_registered_curves.clear(); - return count; - } - - std::shared_ptr<EC_Group_Data> lookup(const OID& oid) - { - lock_guard_type<mutex_type> lock(m_mutex); - - for(auto i : m_registered_curves) - { - if(i->oid() == oid) - return i; - } - - // Not found, check hardcoded data - std::shared_ptr<EC_Group_Data> data = EC_Group::EC_group_info(oid); - - if(data) - { - m_registered_curves.push_back(data); - return data; - } - - // Nope, unknown curve - return std::shared_ptr<EC_Group_Data>(); - } - - std::shared_ptr<EC_Group_Data> lookup_or_create(const BigInt& p, - const BigInt& a, - const BigInt& b, - const BigInt& g_x, - const BigInt& g_y, - const BigInt& order, - const BigInt& cofactor, - const OID& oid) - { - lock_guard_type<mutex_type> lock(m_mutex); - - for(auto i : m_registered_curves) - { - if(oid.has_value()) - { - if(i->oid() == oid) - return i; - else if(i->oid().has_value()) - continue; - } - - if(i->match(p, a, b, g_x, g_y, order, cofactor)) - return i; - } - - // Not found - if OID is set try looking up that way - - if(oid.has_value()) - { - // Not located in existing store - try hardcoded data set - std::shared_ptr<EC_Group_Data> data = EC_Group::EC_group_info(oid); - - if(data) - { - m_registered_curves.push_back(data); - return data; - } - } - - // Not found or no OID, add data and return - return add_curve(p, a, b, g_x, g_y, order, cofactor, oid); - } - - private: - - std::shared_ptr<EC_Group_Data> add_curve(const BigInt& p, - const BigInt& a, - const BigInt& b, - const BigInt& g_x, - const BigInt& g_y, - const BigInt& order, - const BigInt& cofactor, - const OID& oid) - { - std::shared_ptr<EC_Group_Data> d = - std::make_shared<EC_Group_Data>(p, a, b, g_x, g_y, order, cofactor, oid); - - // This function is always called with the lock held - m_registered_curves.push_back(d); - return d; - } - - mutex_type m_mutex; - std::vector<std::shared_ptr<EC_Group_Data>> m_registered_curves; - }; - -//static -EC_Group_Data_Map& EC_Group::ec_group_data() - { - /* - * This exists purely to ensure the allocator is constructed before g_ec_data, - * which ensures that its destructor runs after ~g_ec_data is complete. - */ - - static Allocator_Initializer g_init_allocator; - static EC_Group_Data_Map g_ec_data; - return g_ec_data; - } - -//static -size_t EC_Group::clear_registered_curve_data() - { - return ec_group_data().clear(); - } - -//static -std::shared_ptr<EC_Group_Data> -EC_Group::load_EC_group_info(const char* p_str, - const char* a_str, - const char* b_str, - const char* g_x_str, - const char* g_y_str, - const char* order_str, - const OID& oid) - { - const BigInt p(p_str); - const BigInt a(a_str); - const BigInt b(b_str); - const BigInt g_x(g_x_str); - const BigInt g_y(g_y_str); - const BigInt order(order_str); - const BigInt cofactor(1); // implicit - - return std::make_shared<EC_Group_Data>(p, a, b, g_x, g_y, order, cofactor, oid); - } - -//static -std::shared_ptr<EC_Group_Data> EC_Group::BER_decode_EC_group(const uint8_t bits[], size_t len) - { - BER_Decoder ber(bits, len); - BER_Object obj = ber.get_next_object(); - - if(obj.type() == NULL_TAG) - { - throw Decoding_Error("Cannot handle ImplicitCA ECC parameters"); - } - else if(obj.type() == OBJECT_ID) - { - OID dom_par_oid; - BER_Decoder(bits, len).decode(dom_par_oid); - return ec_group_data().lookup(dom_par_oid); - } - else if(obj.type() == SEQUENCE) - { - BigInt p, a, b, order, cofactor; - std::vector<uint8_t> base_pt; - std::vector<uint8_t> seed; - - BER_Decoder(bits, len) - .start_cons(SEQUENCE) - .decode_and_check<size_t>(1, "Unknown ECC param version code") - .start_cons(SEQUENCE) - .decode_and_check(OID("1.2.840.10045.1.1"), - "Only prime ECC fields supported") - .decode(p) - .end_cons() - .start_cons(SEQUENCE) - .decode_octet_string_bigint(a) - .decode_octet_string_bigint(b) - .decode_optional_string(seed, BIT_STRING, BIT_STRING) - .end_cons() - .decode(base_pt, OCTET_STRING) - .decode(order) - .decode(cofactor) - .end_cons() - .verify_end(); - - if(p.bits() < 64 || p.is_negative() || !is_bailie_psw_probable_prime(p)) - throw Decoding_Error("Invalid ECC p parameter"); - - if(a.is_negative() || a >= p) - throw Decoding_Error("Invalid ECC a parameter"); - - if(b <= 0 || b >= p) - throw Decoding_Error("Invalid ECC b parameter"); - - if(order <= 0 || !is_bailie_psw_probable_prime(order)) - throw Decoding_Error("Invalid ECC order parameter"); - - if(cofactor <= 0 || cofactor >= 16) - throw Decoding_Error("Invalid ECC cofactor parameter"); - - std::pair<BigInt, BigInt> base_xy = Botan::OS2ECP(base_pt.data(), base_pt.size(), p, a, b); - - return ec_group_data().lookup_or_create(p, a, b, base_xy.first, base_xy.second, order, cofactor, OID()); - } - else - { - throw Decoding_Error("Unexpected tag while decoding ECC domain params"); - } - } - -EC_Group::EC_Group() - { - } - -EC_Group::~EC_Group() - { - // shared_ptr possibly freed here - } - -EC_Group::EC_Group(const OID& domain_oid) - { - this->m_data = ec_group_data().lookup(domain_oid); - if(!this->m_data) - throw Invalid_Argument("Unknown EC_Group " + domain_oid.as_string()); - } - -EC_Group::EC_Group(const std::string& str) - { - if(str == "") - return; // no initialization / uninitialized - - try - { - OID oid = OIDS::lookup(str); - if(oid.empty() == false) - m_data = ec_group_data().lookup(oid); - } - catch(Invalid_OID&) - { - } - - if(m_data == nullptr) - { - if(str.size() > 30 && str.substr(0, 29) == "-----BEGIN EC PARAMETERS-----") - { - // OK try it as PEM ... - secure_vector<uint8_t> ber = PEM_Code::decode_check_label(str, "EC PARAMETERS"); - this->m_data = BER_decode_EC_group(ber.data(), ber.size()); - } - } - - if(m_data == nullptr) - throw Invalid_Argument("Unknown ECC group '" + str + "'"); - } - -//static -std::string EC_Group::PEM_for_named_group(const std::string& name) - { - try - { - EC_Group group(name); - return group.PEM_encode(); - } - catch(...) - { - return ""; - } - } - -EC_Group::EC_Group(const BigInt& p, - const BigInt& a, - const BigInt& b, - const BigInt& base_x, - const BigInt& base_y, - const BigInt& order, - const BigInt& cofactor, - const OID& oid) - { - m_data = ec_group_data().lookup_or_create(p, a, b, base_x, base_y, order, cofactor, oid); - } - -EC_Group::EC_Group(const std::vector<uint8_t>& ber) - { - m_data = BER_decode_EC_group(ber.data(), ber.size()); - } - -const EC_Group_Data& EC_Group::data() const - { - if(m_data == nullptr) - throw Invalid_State("EC_Group uninitialized"); - return *m_data; - } - -const CurveGFp& EC_Group::get_curve() const - { - return data().curve(); - } - -bool EC_Group::a_is_minus_3() const - { - return data().a_is_minus_3(); - } - -bool EC_Group::a_is_zero() const - { - return data().a_is_zero(); - } - -size_t EC_Group::get_p_bits() const - { - return data().p_bits(); - } - -size_t EC_Group::get_p_bytes() const - { - return data().p_bytes(); - } - -size_t EC_Group::get_order_bits() const - { - return data().order_bits(); - } - -size_t EC_Group::get_order_bytes() const - { - return data().order_bytes(); - } - -const BigInt& EC_Group::get_p() const - { - return data().p(); - } - -const BigInt& EC_Group::get_a() const - { - return data().a(); - } - -const BigInt& EC_Group::get_b() const - { - return data().b(); - } - -const PointGFp& EC_Group::get_base_point() const - { - return data().base_point(); - } - -const BigInt& EC_Group::get_order() const - { - return data().order(); - } - -const BigInt& EC_Group::get_g_x() const - { - return data().g_x(); - } - -const BigInt& EC_Group::get_g_y() const - { - return data().g_y(); - } - -const BigInt& EC_Group::get_cofactor() const - { - return data().cofactor(); - } - -BigInt EC_Group::mod_order(const BigInt& k) const - { - return data().mod_order(k); - } - -BigInt EC_Group::square_mod_order(const BigInt& x) const - { - return data().square_mod_order(x); - } - -BigInt EC_Group::multiply_mod_order(const BigInt& x, const BigInt& y) const - { - return data().multiply_mod_order(x, y); - } - -BigInt EC_Group::multiply_mod_order(const BigInt& x, const BigInt& y, const BigInt& z) const - { - return data().multiply_mod_order(x, y, z); - } - -BigInt EC_Group::inverse_mod_order(const BigInt& x) const - { - return data().inverse_mod_order(x); - } - -const OID& EC_Group::get_curve_oid() const - { - return data().oid(); - } - -size_t EC_Group::point_size(PointGFp::Compression_Type format) const - { - // Hybrid and standard format are (x,y), compressed is y, +1 format byte - if(format == PointGFp::COMPRESSED) - return (1 + get_p_bytes()); - else - return (1 + 2*get_p_bytes()); - } - -PointGFp EC_Group::OS2ECP(const uint8_t bits[], size_t len) const - { - return Botan::OS2ECP(bits, len, data().curve()); - } - -PointGFp EC_Group::point(const BigInt& x, const BigInt& y) const - { - // TODO: randomize the representation? - return PointGFp(data().curve(), x, y); - } - -PointGFp EC_Group::point_multiply(const BigInt& x, const PointGFp& pt, const BigInt& y) const - { - PointGFp_Multi_Point_Precompute xy_mul(get_base_point(), pt); - return xy_mul.multi_exp(x, y); - } - -PointGFp EC_Group::blinded_base_point_multiply(const BigInt& k, - RandomNumberGenerator& rng, - std::vector<BigInt>& ws) const - { - return data().blinded_base_point_multiply(k, rng, ws); - } - -BigInt EC_Group::blinded_base_point_multiply_x(const BigInt& k, - RandomNumberGenerator& rng, - std::vector<BigInt>& ws) const - { - const PointGFp pt = data().blinded_base_point_multiply(k, rng, ws); - - if(pt.is_zero()) - return 0; - return pt.get_affine_x(); - } - -BigInt EC_Group::random_scalar(RandomNumberGenerator& rng) const - { - return BigInt::random_integer(rng, 1, get_order()); - } - -PointGFp EC_Group::blinded_var_point_multiply(const PointGFp& point, - const BigInt& k, - RandomNumberGenerator& rng, - std::vector<BigInt>& ws) const - { - PointGFp_Var_Point_Precompute mul(point, rng, ws); - return mul.mul(k, rng, get_order(), ws); - } - -PointGFp EC_Group::zero_point() const - { - return PointGFp(data().curve()); - } - -std::vector<uint8_t> -EC_Group::DER_encode(EC_Group_Encoding form) const - { - std::vector<uint8_t> output; - - DER_Encoder der(output); - - if(form == EC_DOMPAR_ENC_EXPLICIT) - { - const size_t ecpVers1 = 1; - const OID curve_type("1.2.840.10045.1.1"); // prime field - - const size_t p_bytes = get_p_bytes(); - - der.start_cons(SEQUENCE) - .encode(ecpVers1) - .start_cons(SEQUENCE) - .encode(curve_type) - .encode(get_p()) - .end_cons() - .start_cons(SEQUENCE) - .encode(BigInt::encode_1363(get_a(), p_bytes), - OCTET_STRING) - .encode(BigInt::encode_1363(get_b(), p_bytes), - OCTET_STRING) - .end_cons() - .encode(get_base_point().encode(PointGFp::UNCOMPRESSED), OCTET_STRING) - .encode(get_order()) - .encode(get_cofactor()) - .end_cons(); - } - else if(form == EC_DOMPAR_ENC_OID) - { - const OID oid = get_curve_oid(); - if(oid.empty()) - { - throw Encoding_Error("Cannot encode EC_Group as OID because OID not set"); - } - der.encode(oid); - } - else if(form == EC_DOMPAR_ENC_IMPLICITCA) - { - der.encode_null(); - } - else - { - throw Internal_Error("EC_Group::DER_encode: Unknown encoding"); - } - - return output; - } - -std::string EC_Group::PEM_encode() const - { - const std::vector<uint8_t> der = DER_encode(EC_DOMPAR_ENC_EXPLICIT); - return PEM_Code::encode(der, "EC PARAMETERS"); - } - -bool EC_Group::operator==(const EC_Group& other) const - { - if(m_data == other.m_data) - return true; // same shared rep - - /* - * No point comparing order/cofactor as they are uniquely determined - * by the curve equation (p,a,b) and the base point. - */ - return (get_p() == other.get_p() && - get_a() == other.get_a() && - get_b() == other.get_b() && - get_g_x() == other.get_g_x() && - get_g_y() == other.get_g_y()); - } - -bool EC_Group::verify_public_element(const PointGFp& point) const - { - //check that public point is not at infinity - if(point.is_zero()) - return false; - - //check that public point is on the curve - if(point.on_the_curve() == false) - return false; - - //check that public point has order q - if((point * get_order()).is_zero() == false) - return false; - - if(get_cofactor() > 1) - { - if((point * get_cofactor()).is_zero()) - return false; - } - - return true; - } - -bool EC_Group::verify_group(RandomNumberGenerator& rng, - bool) const - { - const BigInt& p = get_p(); - const BigInt& a = get_a(); - const BigInt& b = get_b(); - const BigInt& order = get_order(); - const PointGFp& base_point = get_base_point(); - - if(a < 0 || a >= p) - return false; - if(b <= 0 || b >= p) - return false; - if(order <= 0) - return false; - - //check if field modulus is prime - if(!is_prime(p, rng, 128)) - { - return false; - } - - //check if order is prime - if(!is_prime(order, rng, 128)) - { - return false; - } - - //compute the discriminant: 4*a^3 + 27*b^2 which must be nonzero - const Modular_Reducer mod_p(p); - - const BigInt discriminant = mod_p.reduce( - mod_p.multiply(4, mod_p.cube(a)) + - mod_p.multiply(27, mod_p.square(b))); - - if(discriminant == 0) - { - return false; - } - - //check for valid cofactor - if(get_cofactor() < 1) - { - return false; - } - - //check if the base point is on the curve - if(!base_point.on_the_curve()) - { - return false; - } - if((base_point * get_cofactor()).is_zero()) - { - return false; - } - //check if order of the base point is correct - if(!(base_point * order).is_zero()) - { - return false; - } - - return true; - } - -} diff --git a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/ec_group.h b/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/ec_group.h deleted file mode 100644 index 8a22cebce1..0000000000 --- a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/ec_group.h +++ /dev/null @@ -1,374 +0,0 @@ -/* -* ECC Domain Parameters -* -* (C) 2007 Falko Strenzke, FlexSecure GmbH -* 2008-2010 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_ECC_DOMAIN_PARAMETERS_H_ -#define BOTAN_ECC_DOMAIN_PARAMETERS_H_ - -#include <botan/point_gfp.h> -#include <botan/asn1_oid.h> -#include <memory> -#include <set> - -namespace Botan { - -/** -* This class represents elliptic curce domain parameters -*/ -enum EC_Group_Encoding { - EC_DOMPAR_ENC_EXPLICIT = 0, - EC_DOMPAR_ENC_IMPLICITCA = 1, - EC_DOMPAR_ENC_OID = 2 -}; - -class CurveGFp; - -class EC_Group_Data; -class EC_Group_Data_Map; - -/** -* Class representing an elliptic curve -* -* The internal representation is stored in a shared_ptr, so copying an -* EC_Group is inexpensive. -*/ -class BOTAN_PUBLIC_API(2,0) EC_Group final - { - public: - - /** - * Construct Domain paramers from specified parameters - * @param curve elliptic curve - * @param base_point a base point - * @param order the order of the base point - * @param cofactor the cofactor - */ - BOTAN_DEPRECATED("Use version taking all BigInts") - EC_Group(const CurveGFp& curve, - const PointGFp& base_point, - const BigInt& order, - const BigInt& cofactor) : - EC_Group(curve.get_p(), - curve.get_a(), - curve.get_b(), - base_point.get_affine_x(), - base_point.get_affine_y(), - order, - cofactor) {} - - /** - * Construct Domain paramers from specified parameters - * @param p the elliptic curve p - * @param a the elliptic curve a param - * @param b the elliptic curve b param - * @param base_x the x coordinate of the base point - * @param base_y the y coordinate of the base point - * @param order the order of the base point - * @param cofactor the cofactor - * @param oid an optional OID used to identify this curve - */ - EC_Group(const BigInt& p, - const BigInt& a, - const BigInt& b, - const BigInt& base_x, - const BigInt& base_y, - const BigInt& order, - const BigInt& cofactor, - const OID& oid = OID()); - - /** - * Decode a BER encoded ECC domain parameter set - * @param ber_encoding the bytes of the BER encoding - */ - explicit EC_Group(const std::vector<uint8_t>& ber_encoding); - - /** - * Create an EC domain by OID (or throw if unknown) - * @param oid the OID of the EC domain to create - */ - explicit EC_Group(const OID& oid); - - /** - * Create an EC domain from PEM encoding (as from PEM_encode), or - * from an OID name (eg "secp256r1", or "1.2.840.10045.3.1.7") - * @param pem_or_oid PEM-encoded data, or an OID - */ - explicit EC_Group(const std::string& pem_or_oid); - - /** - * Create an uninitialized EC_Group - */ - EC_Group(); - - ~EC_Group(); - - /** - * Create the DER encoding of this domain - * @param form of encoding to use - * @returns bytes encododed as DER - */ - std::vector<uint8_t> DER_encode(EC_Group_Encoding form) const; - - /** - * Return the PEM encoding (always in explicit form) - * @return string containing PEM data - */ - std::string PEM_encode() const; - - /** - * Return domain parameter curve - * @result domain parameter curve - */ - BOTAN_DEPRECATED("Avoid CurveGFp") const CurveGFp& get_curve() const; - - /** - * Return if a == -3 mod p - */ - bool a_is_minus_3() const; - - /** - * Return if a == 0 mod p - */ - bool a_is_zero() const; - - /** - * Return the size of p in bits (same as get_p().bits()) - */ - size_t get_p_bits() const; - - /** - * Return the size of p in bits (same as get_p().bytes()) - */ - size_t get_p_bytes() const; - - /** - * Return the size of group order in bits (same as get_order().bits()) - */ - size_t get_order_bits() const; - - /** - * Return the size of p in bytes (same as get_order().bytes()) - */ - size_t get_order_bytes() const; - - /** - * Return the prime modulus of the field - */ - const BigInt& get_p() const; - - /** - * Return the a parameter of the elliptic curve equation - */ - const BigInt& get_a() const; - - /** - * Return the b parameter of the elliptic curve equation - */ - const BigInt& get_b() const; - - /** - * Return group base point - * @result base point - */ - const PointGFp& get_base_point() const; - - /** - * Return the x coordinate of the base point - */ - const BigInt& get_g_x() const; - - /** - * Return the y coordinate of the base point - */ - const BigInt& get_g_y() const; - - /** - * Return the order of the base point - * @result order of the base point - */ - const BigInt& get_order() const; - - /* - * Reduce x modulo the order - */ - BigInt mod_order(const BigInt& x) const; - - /* - * Return inverse of x modulo the order - */ - BigInt inverse_mod_order(const BigInt& x) const; - - /* - * Reduce (x*x) modulo the order - */ - BigInt square_mod_order(const BigInt& x) const; - - /* - * Reduce (x*y) modulo the order - */ - BigInt multiply_mod_order(const BigInt& x, const BigInt& y) const; - - /* - * Reduce (x*y*z) modulo the order - */ - BigInt multiply_mod_order(const BigInt& x, const BigInt& y, const BigInt& z) const; - - /** - * Return the cofactor - * @result the cofactor - */ - const BigInt& get_cofactor() const; - - /** - * Check if y is a plausible point on the curve - * - * In particular, checks that it is a point on the curve, not infinity, - * and that it has order matching the group. - */ - bool verify_public_element(const PointGFp& y) const; - - /** - * Return the OID of these domain parameters - * @result the OID as a string - */ - std::string BOTAN_DEPRECATED("Use get_curve_oid") get_oid() const { return get_curve_oid().as_string(); } - - /** - * Return the OID of these domain parameters - * @result the OID - */ - const OID& get_curve_oid() const; - - /** - * Return a point on this curve with the affine values x, y - */ - PointGFp point(const BigInt& x, const BigInt& y) const; - - /** - * Multi exponentiate. Not constant time. - * @return base_point*x + pt*y - */ - PointGFp point_multiply(const BigInt& x, const PointGFp& pt, const BigInt& y) const; - - /** - * Blinded point multiplication, attempts resistance to side channels - * @param k the scalar - * @param rng a random number generator - * @param ws a temp workspace - * @return base_point*k - */ - PointGFp blinded_base_point_multiply(const BigInt& k, - RandomNumberGenerator& rng, - std::vector<BigInt>& ws) const; - - /** - * Blinded point multiplication, attempts resistance to side channels - * Returns just the x coordinate of the point - * - * @param k the scalar - * @param rng a random number generator - * @param ws a temp workspace - * @return x coordinate of base_point*k - */ - BigInt blinded_base_point_multiply_x(const BigInt& k, - RandomNumberGenerator& rng, - std::vector<BigInt>& ws) const; - - /** - * Blinded point multiplication, attempts resistance to side channels - * @param point input point - * @param k the scalar - * @param rng a random number generator - * @param ws a temp workspace - * @return point*k - */ - PointGFp blinded_var_point_multiply(const PointGFp& point, - const BigInt& k, - RandomNumberGenerator& rng, - std::vector<BigInt>& ws) const; - - /** - * Return a random scalar ie an integer in [1,order) - */ - BigInt random_scalar(RandomNumberGenerator& rng) const; - - /** - * Return the zero (or infinite) point on this curve - */ - PointGFp zero_point() const; - - size_t point_size(PointGFp::Compression_Type format) const; - - PointGFp OS2ECP(const uint8_t bits[], size_t len) const; - - template<typename Alloc> - PointGFp OS2ECP(const std::vector<uint8_t, Alloc>& vec) const - { - return this->OS2ECP(vec.data(), vec.size()); - } - - bool initialized() const { return (m_data != nullptr); } - - /** - * Verify EC_Group domain - * @returns true if group is valid. false otherwise - */ - bool verify_group(RandomNumberGenerator& rng, - bool strong = false) const; - - bool operator==(const EC_Group& other) const; - - /** - * Return PEM representation of named EC group - * Deprecated: Use EC_Group(name).PEM_encode() if this is needed - */ - static std::string BOTAN_DEPRECATED("See header comment") PEM_for_named_group(const std::string& name); - - /** - * Return a set of known named EC groups - */ - static const std::set<std::string>& known_named_groups(); - - /* - * For internal use only - */ - static std::shared_ptr<EC_Group_Data> EC_group_info(const OID& oid); - - static size_t clear_registered_curve_data(); - - private: - static EC_Group_Data_Map& ec_group_data(); - - static std::shared_ptr<EC_Group_Data> BER_decode_EC_group(const uint8_t bits[], size_t len); - - static std::shared_ptr<EC_Group_Data> - load_EC_group_info(const char* p, - const char* a, - const char* b, - const char* g_x, - const char* g_y, - const char* order, - const OID& oid); - - // Member data - const EC_Group_Data& data() const; - std::shared_ptr<EC_Group_Data> m_data; - }; - -inline bool operator!=(const EC_Group& lhs, - const EC_Group& rhs) - { - return !(lhs == rhs); - } - -// For compatibility with 1.8 -typedef EC_Group EC_Domain_Params; - -} - -#endif diff --git a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/ec_named.cpp b/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/ec_named.cpp deleted file mode 100644 index ba91b5eaaf..0000000000 --- a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/ec_named.cpp +++ /dev/null @@ -1,289 +0,0 @@ -/* -* List of ECC groups -* (C) 2013,2018 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/ec_group.h> - -namespace Botan { - -//static -std::shared_ptr<EC_Group_Data> EC_Group::EC_group_info(const OID& oid) - { - // P-256 - if(oid == OID{1,2,840,10045,3,1,7}) - return load_EC_group_info("0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", - "0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC", - "0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B", - "0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296", - "0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5", - "0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", - oid); - - // P-384 - if(oid == OID{1,3,132,0,34}) - return load_EC_group_info("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC", - "0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF", - "0xAA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7", - "0x3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", - oid); - // P-521 - if(oid == OID{1,3,132,0,35}) - return load_EC_group_info("0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", - "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", - "0x51953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", - "0xC6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66", - "0x11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650", - "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", - oid); - - // brainpool160r1 - if(oid == OID{1,3,36,3,3,2,8,1,1,1}) - return load_EC_group_info("0xE95E4A5F737059DC60DFC7AD95B3D8139515620F", - "0x340E7BE2A280EB74E2BE61BADA745D97E8F7C300", - "0x1E589A8595423412134FAA2DBDEC95C8D8675E58", - "0xBED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC3", - "0x1667CB477A1A8EC338F94741669C976316DA6321", - "0xE95E4A5F737059DC60DF5991D45029409E60FC09", - oid); - // brainpool192r1 - if(oid == OID{1,3,36,3,3,2,8,1,1,3}) - return load_EC_group_info("0xC302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297", - "0x6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF", - "0x469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9", - "0xC0A0647EAAB6A48753B033C56CB0F0900A2F5C4853375FD6", - "0x14B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F", - "0xC302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1", - oid); - // brainpool224r1 - if(oid == OID{1,3,36,3,3,2,8,1,1,5}) - return load_EC_group_info("0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF", - "0x68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43", - "0x2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B", - "0xD9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D", - "0x58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD", - "0xD7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F", - oid); - // brainpool256r1 - if(oid == OID{1,3,36,3,3,2,8,1,1,7}) - return load_EC_group_info("0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", - "0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9", - "0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", - "0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262", - "0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997", - "0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", - oid); - // brainpool320r1 - if(oid == OID{1,3,36,3,3,2,8,1,1,9}) - return load_EC_group_info("0xD35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27", - "0x3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9F492F375A97D860EB4", - "0x520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539816F5EB4AC8FB1F1A6", - "0x43BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599C710AF8D0D39E20611", - "0x14FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6AC7D35245D1692E8EE1", - "0xD35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311", - oid); - // brainpool384r1 - if(oid == OID{1,3,36,3,3,2,8,1,1,11}) - return load_EC_group_info("0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53", - "0x7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F90F8AA5814A503AD4EB04A8C7DD22CE2826", - "0x4A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DBC9943AB78696FA504C11", - "0x1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E", - "0x8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315", - "0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565", - oid); - // brainpool512r1 - if(oid == OID{1,3,36,3,3,2,8,1,1,13}) - return load_EC_group_info("0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3", - "0x7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA", - "0x3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723", - "0x81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822", - "0x7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892", - "0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069", - oid); - // frp256v1 - if(oid == OID{1,2,250,1,223,101,256,1}) - return load_EC_group_info("0xF1FD178C0B3AD58F10126DE8CE42435B3961ADBCABC8CA6DE8FCF353D86E9C03", - "0xF1FD178C0B3AD58F10126DE8CE42435B3961ADBCABC8CA6DE8FCF353D86E9C00", - "0xEE353FCA5428A9300D4ABA754A44C00FDFEC0C9AE4B1A1803075ED967B7BB73F", - "0xB6B3D4C356C139EB31183D4749D423958C27D2DCAF98B70164C97A2DD98F5CFF", - "0x6142E0F7C8B204911F9271F0F3ECEF8C2701C307E8E4C9E183115A1554062CFB", - "0xF1FD178C0B3AD58F10126DE8CE42435B53DC67E140D2BF941FFDD459C6D655E1", - oid); - // gost_256A - if(oid == OID{1,2,643,2,2,35,1}) - return load_EC_group_info("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94", - "0xA6", - "0x1", - "0x8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893", - oid); - // secp160k1 - if(oid == OID{1,3,132,0,9}) - return load_EC_group_info("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73", - "0x0", - "0x7", - "0x3B4C382CE37AA192A4019E763036F4F5DD4D7EBB", - "0x938CF935318FDCED6BC28286531733C3F03C4FEE", - "0x100000000000000000001B8FA16DFAB9ACA16B6B3", - oid); - // secp160r1 - if(oid == OID{1,3,132,0,8}) - return load_EC_group_info("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC", - "0x1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45", - "0x4A96B5688EF573284664698968C38BB913CBFC82", - "0x23A628553168947D59DCC912042351377AC5FB32", - "0x100000000000000000001F4C8F927AED3CA752257", - oid); - // secp160r2 - if(oid == OID{1,3,132,0,30}) - return load_EC_group_info("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70", - "0xB4E134D3FB59EB8BAB57274904664D5AF50388BA", - "0x52DCB034293A117E1F4FF11B30F7199D3144CE6D", - "0xFEAFFEF2E331F296E071FA0DF9982CFEA7D43F2E", - "0x100000000000000000000351EE786A818F3A1A16B", - oid); - // secp192k1 - if(oid == OID{1,3,132,0,31}) - return load_EC_group_info("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37", - "0x0", - "0x3", - "0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D", - "0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D", - "0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D", - oid); - // secp192r1 - if(oid == OID{1,2,840,10045,3,1,1}) - return load_EC_group_info("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", - "0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1", - "0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012", - "0x7192B95FFC8DA78631011ED6B24CDD573F977A11E794811", - "0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831", - oid); - // secp224k1 - if(oid == OID{1,3,132,0,32}) - return load_EC_group_info("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D", - "0x0", - "0x5", - "0xA1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C", - "0x7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5", - "0x10000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7", - oid); - // secp224r1 - if(oid == OID{1,3,132,0,33}) - return load_EC_group_info("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE", - "0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4", - "0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", - "0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", - oid); - // secp256k1 - if(oid == OID{1,3,132,0,10}) - return load_EC_group_info("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", - "0x0", - "0x7", - "0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", - "0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", - oid); - - // sm2p256v1 - if(oid == OID{1,2,156,10197,1,301}) - return load_EC_group_info("0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF", - "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC", - "0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93", - "0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7", - "0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0", - "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123", - oid); - // x962_p192v2 - if(oid == OID{1,2,840,10045,3,1,2}) - return load_EC_group_info("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", - "0xCC22D6DFB95C6B25E49C0D6364A4E5980C393AA21668D953", - "0xEEA2BAE7E1497842F2DE7769CFE9C989C072AD696F48034A", - "0x6574D11D69B6EC7A672BB82A083DF2F2B0847DE970B2DE15", - "0xFFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31", - oid); - // x962_p192v3 - if(oid == OID{1,2,840,10045,3,1,3}) - return load_EC_group_info("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", - "0x22123DC2395A05CAA7423DAECCC94760A7D462256BD56916", - "0x7D29778100C65A1DA1783716588DCE2B8B4AEE8E228F1896", - "0x38A90F22637337334B49DCB66A6DC8F9978ACA7648A943B0", - "0xFFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13", - oid); - // x962_p239v1 - if(oid == OID{1,2,840,10045,3,1,4}) - return load_EC_group_info("0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF", - "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC", - "0x6B016C3BDCF18941D0D654921475CA71A9DB2FB27D1D37796185C2942C0A", - "0xFFA963CDCA8816CCC33B8642BEDF905C3D358573D3F27FBBD3B3CB9AAAF", - "0x7DEBE8E4E90A5DAE6E4054CA530BA04654B36818CE226B39FCCB7B02F1AE", - "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B", - oid); - // x962_p239v2 - if(oid == OID{1,2,840,10045,3,1,5}) - return load_EC_group_info("0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF", - "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC", - "0x617FAB6832576CBBFED50D99F0249C3FEE58B94BA0038C7AE84C8C832F2C", - "0x38AF09D98727705120C921BB5E9E26296A3CDCF2F35757A0EAFD87B830E7", - "0x5B0125E4DBEA0EC7206DA0FC01D9B081329FB555DE6EF460237DFF8BE4BA", - "0x7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063", - oid); - // x962_p239v3 - if(oid == OID{1,2,840,10045,3,1,6}) - return load_EC_group_info("0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF", - "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC", - "0x255705FA2A306654B1F4CB03D6A750A30C250102D4988717D9BA15AB6D3E", - "0x6768AE8E18BB92CFCF005C949AA2C6D94853D0E660BBF854B1C9505FE95A", - "0x1607E6898F390C06BC1D552BAD226F3B6FCFE48B6E818499AF18E3ED6CF3", - "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551", - oid); - - return std::shared_ptr<EC_Group_Data>(); - } - -//static -const std::set<std::string>& EC_Group::known_named_groups() - { - static const std::set<std::string> named_groups = { - "secp160k1", - "secp160r1", - "secp160r2", - "secp192k1", - "secp192r1", - "secp224k1", - "secp224r1", - "secp256k1", - "secp256r1", - "secp384r1", - "secp521r1", - "brainpool160r1", - "brainpool192r1", - "brainpool224r1", - "brainpool256r1", - "brainpool320r1", - "brainpool384r1", - "brainpool512r1", - "x962_p192v2", - "x962_p192v3", - "x962_p239v1", - "x962_p239v2", - "x962_p239v3", - "gost_256A", - "frp256v1", - "sm2p256v1" - }; - return named_groups; - } -} diff --git a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/info.txt b/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/info.txt deleted file mode 100644 index e382e25a5e..0000000000 --- a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/info.txt +++ /dev/null @@ -1,20 +0,0 @@ -<defines> -ECC_GROUP -> 20170225 -EC_CURVE_GFP -> 20131128 -</defines> - -<requires> -asn1 -numbertheory -pem -</requires> - -<header:internal> -point_mul.h -</header:internal> - -<header:public> -curve_gfp.h -ec_group.h -point_gfp.h -</header:public> diff --git a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/point_gfp.cpp b/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/point_gfp.cpp deleted file mode 100644 index 77803de78f..0000000000 --- a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/point_gfp.cpp +++ /dev/null @@ -1,727 +0,0 @@ -/* -* Point arithmetic on elliptic curves over GF(p) -* -* (C) 2007 Martin Doering, Christoph Ludwig, Falko Strenzke -* 2008-2011,2012,2014,2015 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/point_gfp.h> -#include <botan/numthry.h> -#include <botan/rng.h> -#include <botan/internal/rounding.h> - -namespace Botan { - -PointGFp::PointGFp(const CurveGFp& curve) : - m_curve(curve), - m_coord_x(0), - m_coord_y(curve.get_1_rep()), - m_coord_z(0) - { - // Assumes Montgomery rep of zero is zero - } - -PointGFp::PointGFp(const CurveGFp& curve, const BigInt& x, const BigInt& y) : - m_curve(curve), - m_coord_x(x), - m_coord_y(y), - m_coord_z(m_curve.get_1_rep()) - { - if(x <= 0 || x >= curve.get_p()) - throw Invalid_Argument("Invalid PointGFp affine x"); - if(y <= 0 || y >= curve.get_p()) - throw Invalid_Argument("Invalid PointGFp affine y"); - - secure_vector<word> monty_ws(m_curve.get_ws_size()); - m_curve.to_rep(m_coord_x, monty_ws); - m_curve.to_rep(m_coord_y, monty_ws); - } - -void PointGFp::randomize_repr(RandomNumberGenerator& rng) - { - secure_vector<word> ws(m_curve.get_ws_size()); - randomize_repr(rng, ws); - } - -void PointGFp::randomize_repr(RandomNumberGenerator& rng, secure_vector<word>& ws) - { - const BigInt mask = BigInt::random_integer(rng, 2, m_curve.get_p()); - - /* - * No reason to convert this to Montgomery representation first, - * just pretend the random mask was chosen as Redc(mask) and the - * random mask we generated above is in the Montgomery - * representation. - * //m_curve.to_rep(mask, ws); - */ - const BigInt mask2 = m_curve.sqr_to_tmp(mask, ws); - const BigInt mask3 = m_curve.mul_to_tmp(mask2, mask, ws); - - m_coord_x = m_curve.mul_to_tmp(m_coord_x, mask2, ws); - m_coord_y = m_curve.mul_to_tmp(m_coord_y, mask3, ws); - m_coord_z = m_curve.mul_to_tmp(m_coord_z, mask, ws); - } - -namespace { - -inline void resize_ws(std::vector<BigInt>& ws_bn, size_t cap_size) - { - BOTAN_ASSERT(ws_bn.size() >= PointGFp::WORKSPACE_SIZE, - "Expected size for PointGFp workspace"); - - for(size_t i = 0; i != ws_bn.size(); ++i) - if(ws_bn[i].size() < cap_size) - ws_bn[i].get_word_vector().resize(cap_size); - } - -inline bool all_zeros(const word x[], size_t len) - { - word z = 0; - for(size_t i = 0; i != len; ++i) - z |= x[i]; - return (z == 0); - } - -} - -void PointGFp::add_affine(const word x_words[], size_t x_size, - const word y_words[], size_t y_size, - std::vector<BigInt>& ws_bn) - { - if(all_zeros(x_words, x_size) && all_zeros(y_words, y_size)) - return; - - if(is_zero()) - { - m_coord_x.set_words(x_words, x_size); - m_coord_y.set_words(y_words, y_size); - m_coord_z = m_curve.get_1_rep(); - return; - } - - resize_ws(ws_bn, m_curve.get_ws_size()); - - secure_vector<word>& ws = ws_bn[0].get_word_vector(); - secure_vector<word>& sub_ws = ws_bn[1].get_word_vector(); - - BigInt& T0 = ws_bn[2]; - BigInt& T1 = ws_bn[3]; - BigInt& T2 = ws_bn[4]; - BigInt& T3 = ws_bn[5]; - BigInt& T4 = ws_bn[6]; - - /* - https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 - simplified with Z2 = 1 - */ - - const BigInt& p = m_curve.get_p(); - - m_curve.sqr(T3, m_coord_z, ws); // z1^2 - m_curve.mul(T4, x_words, x_size, T3, ws); // x2*z1^2 - - m_curve.mul(T2, m_coord_z, T3, ws); // z1^3 - m_curve.mul(T0, y_words, y_size, T2, ws); // y2*z1^3 - - T4.mod_sub(m_coord_x, p, sub_ws); // x2*z1^2 - x1*z2^2 - - T0.mod_sub(m_coord_y, p, sub_ws); - - if(T4.is_zero()) - { - if(T0.is_zero()) - { - mult2(ws_bn); - return; - } - - // setting to zero: - m_coord_x = 0; - m_coord_y = m_curve.get_1_rep(); - m_coord_z = 0; - return; - } - - m_curve.sqr(T2, T4, ws); - - m_curve.mul(T3, m_coord_x, T2, ws); - - m_curve.mul(T1, T2, T4, ws); - - m_curve.sqr(m_coord_x, T0, ws); - m_coord_x.mod_sub(T1, p, sub_ws); - m_coord_x.mod_sub(T3, p, sub_ws); - m_coord_x.mod_sub(T3, p, sub_ws); - - T3.mod_sub(m_coord_x, p, sub_ws); - - T2 = m_coord_y; - m_curve.mul(T2, T0, T3, ws); - m_curve.mul(T3, m_coord_y, T1, ws); - T2.mod_sub(T3, p, sub_ws); - m_coord_y = T2; - - m_curve.mul(T3, m_coord_z, T4, ws); - m_coord_z = T3; - } - -void PointGFp::add(const word x_words[], size_t x_size, - const word y_words[], size_t y_size, - const word z_words[], size_t z_size, - std::vector<BigInt>& ws_bn) - { - if(all_zeros(x_words, x_size) && all_zeros(z_words, z_size)) - return; - - if(is_zero()) - { - m_coord_x.set_words(x_words, x_size); - m_coord_y.set_words(y_words, y_size); - m_coord_z.set_words(z_words, z_size); - return; - } - - resize_ws(ws_bn, m_curve.get_ws_size()); - - secure_vector<word>& ws = ws_bn[0].get_word_vector(); - secure_vector<word>& sub_ws = ws_bn[1].get_word_vector(); - - BigInt& T0 = ws_bn[2]; - BigInt& T1 = ws_bn[3]; - BigInt& T2 = ws_bn[4]; - BigInt& T3 = ws_bn[5]; - BigInt& T4 = ws_bn[6]; - BigInt& T5 = ws_bn[7]; - - /* - https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 - */ - - const BigInt& p = m_curve.get_p(); - - m_curve.sqr(T0, z_words, z_size, ws); // z2^2 - m_curve.mul(T1, m_coord_x, T0, ws); // x1*z2^2 - m_curve.mul(T3, z_words, z_size, T0, ws); // z2^3 - m_curve.mul(T2, m_coord_y, T3, ws); // y1*z2^3 - - m_curve.sqr(T3, m_coord_z, ws); // z1^2 - m_curve.mul(T4, x_words, x_size, T3, ws); // x2*z1^2 - - m_curve.mul(T5, m_coord_z, T3, ws); // z1^3 - m_curve.mul(T0, y_words, y_size, T5, ws); // y2*z1^3 - - T4.mod_sub(T1, p, sub_ws); // x2*z1^2 - x1*z2^2 - - T0.mod_sub(T2, p, sub_ws); - - if(T4.is_zero()) - { - if(T0.is_zero()) - { - mult2(ws_bn); - return; - } - - // setting to zero: - m_coord_x = 0; - m_coord_y = m_curve.get_1_rep(); - m_coord_z = 0; - return; - } - - m_curve.sqr(T5, T4, ws); - - m_curve.mul(T3, T1, T5, ws); - - m_curve.mul(T1, T5, T4, ws); - - m_curve.sqr(m_coord_x, T0, ws); - m_coord_x.mod_sub(T1, p, sub_ws); - m_coord_x.mod_sub(T3, p, sub_ws); - m_coord_x.mod_sub(T3, p, sub_ws); - - T3.mod_sub(m_coord_x, p, sub_ws); - - m_curve.mul(m_coord_y, T0, T3, ws); - m_curve.mul(T3, T2, T1, ws); - - m_coord_y.mod_sub(T3, p, sub_ws); - - m_curve.mul(T3, z_words, z_size, m_coord_z, ws); - m_curve.mul(m_coord_z, T3, T4, ws); - } - -void PointGFp::mult2i(size_t iterations, std::vector<BigInt>& ws_bn) - { - if(iterations == 0) - return; - - if(m_coord_y.is_zero()) - { - *this = PointGFp(m_curve); // setting myself to zero - return; - } - - /* - TODO we can save 2 squarings per iteration by computing - a*Z^4 using values cached from previous iteration - */ - for(size_t i = 0; i != iterations; ++i) - mult2(ws_bn); - } - -// *this *= 2 -void PointGFp::mult2(std::vector<BigInt>& ws_bn) - { - if(is_zero()) - return; - - if(m_coord_y.is_zero()) - { - *this = PointGFp(m_curve); // setting myself to zero - return; - } - - resize_ws(ws_bn, m_curve.get_ws_size()); - - secure_vector<word>& ws = ws_bn[0].get_word_vector(); - secure_vector<word>& sub_ws = ws_bn[1].get_word_vector(); - - BigInt& T0 = ws_bn[2]; - BigInt& T1 = ws_bn[3]; - BigInt& T2 = ws_bn[4]; - BigInt& T3 = ws_bn[5]; - BigInt& T4 = ws_bn[6]; - - /* - https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-1986-cc - */ - const BigInt& p = m_curve.get_p(); - - m_curve.sqr(T0, m_coord_y, ws); - - m_curve.mul(T1, m_coord_x, T0, ws); - T1 <<= 2; // * 4 - m_curve.redc_mod_p(T1, sub_ws); - - if(m_curve.a_is_zero()) - { - // if a == 0 then 3*x^2 + a*z^4 is just 3*x^2 - m_curve.sqr(T4, m_coord_x, ws); // x^2 - T4 *= 3; // 3*x^2 - m_curve.redc_mod_p(T4, sub_ws); - } - else if(m_curve.a_is_minus_3()) - { - /* - if a == -3 then - 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) - */ - m_curve.sqr(T3, m_coord_z, ws); // z^2 - - // (x-z^2) - T2 = m_coord_x; - T2.mod_sub(T3, p, sub_ws); - - // (x+z^2) - T3.mod_add(m_coord_x, p, sub_ws); - - m_curve.mul(T4, T2, T3, ws); // (x-z^2)*(x+z^2) - - T4 *= 3; // 3*(x-z^2)*(x+z^2) - m_curve.redc_mod_p(T4, sub_ws); - } - else - { - m_curve.sqr(T3, m_coord_z, ws); // z^2 - m_curve.sqr(T4, T3, ws); // z^4 - m_curve.mul(T3, m_curve.get_a_rep(), T4, ws); // a*z^4 - - m_curve.sqr(T4, m_coord_x, ws); // x^2 - T4 *= 3; // 3*x^2 - T4.mod_add(T3, p, sub_ws); // 3*x^2 + a*z^4 - } - - m_curve.sqr(T2, T4, ws); - T2.mod_sub(T1, p, sub_ws); - T2.mod_sub(T1, p, sub_ws); - - m_curve.sqr(T3, T0, ws); - T3 <<= 3; - m_curve.redc_mod_p(T3, sub_ws); - - T1.mod_sub(T2, p, sub_ws); - - m_curve.mul(T0, T4, T1, ws); - T0.mod_sub(T3, p, sub_ws); - - m_coord_x = T2; - - m_curve.mul(T2, m_coord_y, m_coord_z, ws); - T2 <<= 1; - m_curve.redc_mod_p(T2, sub_ws); - - m_coord_y = T0; - m_coord_z = T2; - } - -// arithmetic operators -PointGFp& PointGFp::operator+=(const PointGFp& rhs) - { - std::vector<BigInt> ws(PointGFp::WORKSPACE_SIZE); - add(rhs, ws); - return *this; - } - -PointGFp& PointGFp::operator-=(const PointGFp& rhs) - { - PointGFp minus_rhs = PointGFp(rhs).negate(); - - if(is_zero()) - *this = minus_rhs; - else - *this += minus_rhs; - - return *this; - } - -PointGFp& PointGFp::operator*=(const BigInt& scalar) - { - *this = scalar * *this; - return *this; - } - -PointGFp operator*(const BigInt& scalar, const PointGFp& point) - { - BOTAN_DEBUG_ASSERT(point.on_the_curve()); - - const size_t scalar_bits = scalar.bits(); - - std::vector<BigInt> ws(PointGFp::WORKSPACE_SIZE); - - PointGFp R[2] = { point.zero(), point }; - - for(size_t i = scalar_bits; i > 0; i--) - { - const size_t b = scalar.get_bit(i - 1); - R[b ^ 1].add(R[b], ws); - R[b].mult2(ws); - } - - if(scalar.is_negative()) - R[0].negate(); - - BOTAN_DEBUG_ASSERT(R[0].on_the_curve()); - - return R[0]; - } - -//static -void PointGFp::force_all_affine(std::vector<PointGFp>& points, - secure_vector<word>& ws) - { - if(points.size() <= 1) - { - for(size_t i = 0; i != points.size(); ++i) - points[i].force_affine(); - return; - } - - /* - For >= 2 points use Montgomery's trick - - See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" - (Hankerson, Menezes, Vanstone) - - TODO is it really necessary to save all k points in c? - */ - - const CurveGFp& curve = points[0].m_curve; - const BigInt& rep_1 = curve.get_1_rep(); - - if(ws.size() < curve.get_ws_size()) - ws.resize(curve.get_ws_size()); - - std::vector<BigInt> c(points.size()); - c[0] = points[0].m_coord_z; - - for(size_t i = 1; i != points.size(); ++i) - { - curve.mul(c[i], c[i-1], points[i].m_coord_z, ws); - } - - BigInt s_inv = curve.invert_element(c[c.size()-1], ws); - - BigInt z_inv, z2_inv, z3_inv; - - for(size_t i = points.size() - 1; i != 0; i--) - { - PointGFp& point = points[i]; - - curve.mul(z_inv, s_inv, c[i-1], ws); - - s_inv = curve.mul_to_tmp(s_inv, point.m_coord_z, ws); - - curve.sqr(z2_inv, z_inv, ws); - curve.mul(z3_inv, z2_inv, z_inv, ws); - point.m_coord_x = curve.mul_to_tmp(point.m_coord_x, z2_inv, ws); - point.m_coord_y = curve.mul_to_tmp(point.m_coord_y, z3_inv, ws); - point.m_coord_z = rep_1; - } - - curve.sqr(z2_inv, s_inv, ws); - curve.mul(z3_inv, z2_inv, s_inv, ws); - points[0].m_coord_x = curve.mul_to_tmp(points[0].m_coord_x, z2_inv, ws); - points[0].m_coord_y = curve.mul_to_tmp(points[0].m_coord_y, z3_inv, ws); - points[0].m_coord_z = rep_1; - } - -void PointGFp::force_affine() - { - if(is_zero()) - throw Invalid_State("Cannot convert zero ECC point to affine"); - - secure_vector<word> ws; - - const BigInt z_inv = m_curve.invert_element(m_coord_z, ws); - const BigInt z2_inv = m_curve.sqr_to_tmp(z_inv, ws); - const BigInt z3_inv = m_curve.mul_to_tmp(z_inv, z2_inv, ws); - m_coord_x = m_curve.mul_to_tmp(m_coord_x, z2_inv, ws); - m_coord_y = m_curve.mul_to_tmp(m_coord_y, z3_inv, ws); - m_coord_z = m_curve.get_1_rep(); - } - -bool PointGFp::is_affine() const - { - return m_curve.is_one(m_coord_z); - } - -BigInt PointGFp::get_affine_x() const - { - if(is_zero()) - throw Illegal_Transformation("Cannot convert zero point to affine"); - - secure_vector<word> monty_ws; - - if(is_affine()) - return m_curve.from_rep(m_coord_x, monty_ws); - - BigInt z2 = m_curve.sqr_to_tmp(m_coord_z, monty_ws); - z2 = m_curve.invert_element(z2, monty_ws); - - BigInt r; - m_curve.mul(r, m_coord_x, z2, monty_ws); - m_curve.from_rep(r, monty_ws); - return r; - } - -BigInt PointGFp::get_affine_y() const - { - if(is_zero()) - throw Illegal_Transformation("Cannot convert zero point to affine"); - - secure_vector<word> monty_ws; - - if(is_affine()) - return m_curve.from_rep(m_coord_y, monty_ws); - - const BigInt z2 = m_curve.sqr_to_tmp(m_coord_z, monty_ws); - const BigInt z3 = m_curve.mul_to_tmp(m_coord_z, z2, monty_ws); - const BigInt z3_inv = m_curve.invert_element(z3, monty_ws); - - BigInt r; - m_curve.mul(r, m_coord_y, z3_inv, monty_ws); - m_curve.from_rep(r, monty_ws); - return r; - } - -bool PointGFp::on_the_curve() const - { - /* - Is the point still on the curve?? (If everything is correct, the - point is always on its curve; then the function will return true. - If somehow the state is corrupted, which suggests a fault attack - (or internal computational error), then return false. - */ - if(is_zero()) - return true; - - secure_vector<word> monty_ws; - - const BigInt y2 = m_curve.from_rep(m_curve.sqr_to_tmp(m_coord_y, monty_ws), monty_ws); - const BigInt x3 = m_curve.mul_to_tmp(m_coord_x, m_curve.sqr_to_tmp(m_coord_x, monty_ws), monty_ws); - const BigInt ax = m_curve.mul_to_tmp(m_coord_x, m_curve.get_a_rep(), monty_ws); - const BigInt z2 = m_curve.sqr_to_tmp(m_coord_z, monty_ws); - - if(m_coord_z == z2) // Is z equal to 1 (in Montgomery form)? - { - if(y2 != m_curve.from_rep(x3 + ax + m_curve.get_b_rep(), monty_ws)) - return false; - } - - const BigInt z3 = m_curve.mul_to_tmp(m_coord_z, z2, monty_ws); - const BigInt ax_z4 = m_curve.mul_to_tmp(ax, m_curve.sqr_to_tmp(z2, monty_ws), monty_ws); - const BigInt b_z6 = m_curve.mul_to_tmp(m_curve.get_b_rep(), m_curve.sqr_to_tmp(z3, monty_ws), monty_ws); - - if(y2 != m_curve.from_rep(x3 + ax_z4 + b_z6, monty_ws)) - return false; - - return true; - } - -// swaps the states of *this and other, does not throw! -void PointGFp::swap(PointGFp& other) - { - m_curve.swap(other.m_curve); - m_coord_x.swap(other.m_coord_x); - m_coord_y.swap(other.m_coord_y); - m_coord_z.swap(other.m_coord_z); - } - -bool PointGFp::operator==(const PointGFp& other) const - { - if(m_curve != other.m_curve) - return false; - - // If this is zero, only equal if other is also zero - if(is_zero()) - return other.is_zero(); - - return (get_affine_x() == other.get_affine_x() && - get_affine_y() == other.get_affine_y()); - } - -// encoding and decoding -std::vector<uint8_t> PointGFp::encode(PointGFp::Compression_Type format) const - { - if(is_zero()) - return std::vector<uint8_t>(1); // single 0 byte - - const size_t p_bytes = m_curve.get_p().bytes(); - - const BigInt x = get_affine_x(); - const BigInt y = get_affine_y(); - - std::vector<uint8_t> result; - - if(format == PointGFp::UNCOMPRESSED) - { - result.resize(1 + 2*p_bytes); - result[0] = 0x04; - BigInt::encode_1363(&result[1], p_bytes, x); - BigInt::encode_1363(&result[1+p_bytes], p_bytes, y); - } - else if(format == PointGFp::COMPRESSED) - { - result.resize(1 + p_bytes); - result[0] = 0x02 | static_cast<uint8_t>(y.get_bit(0)); - BigInt::encode_1363(&result[1], p_bytes, x); - } - else if(format == PointGFp::HYBRID) - { - result.resize(1 + 2*p_bytes); - result[0] = 0x06 | static_cast<uint8_t>(y.get_bit(0)); - BigInt::encode_1363(&result[1], p_bytes, x); - BigInt::encode_1363(&result[1+p_bytes], p_bytes, y); - } - else - throw Invalid_Argument("EC2OSP illegal point encoding"); - - return result; - } - -namespace { - -BigInt decompress_point(bool yMod2, - const BigInt& x, - const BigInt& curve_p, - const BigInt& curve_a, - const BigInt& curve_b) - { - BigInt xpow3 = x * x * x; - - BigInt g = curve_a * x; - g += xpow3; - g += curve_b; - g = g % curve_p; - - BigInt z = ressol(g, curve_p); - - if(z < 0) - throw Illegal_Point("error during EC point decompression"); - - if(z.get_bit(0) != yMod2) - z = curve_p - z; - - return z; - } - -} - -PointGFp OS2ECP(const uint8_t data[], size_t data_len, - const CurveGFp& curve) - { - // Should we really be doing this? - if(data_len <= 1) - return PointGFp(curve); // return zero - - std::pair<BigInt, BigInt> xy = OS2ECP(data, data_len, curve.get_p(), curve.get_a(), curve.get_b()); - - PointGFp point(curve, xy.first, xy.second); - - if(!point.on_the_curve()) - throw Illegal_Point("OS2ECP: Decoded point was not on the curve"); - - return point; - } - -std::pair<BigInt, BigInt> OS2ECP(const uint8_t data[], size_t data_len, - const BigInt& curve_p, - const BigInt& curve_a, - const BigInt& curve_b) - { - if(data_len <= 1) - throw Decoding_Error("OS2ECP invalid point"); - - const uint8_t pc = data[0]; - - BigInt x, y; - - if(pc == 2 || pc == 3) - { - //compressed form - x = BigInt::decode(&data[1], data_len - 1); - - const bool y_mod_2 = ((pc & 0x01) == 1); - y = decompress_point(y_mod_2, x, curve_p, curve_a, curve_b); - } - else if(pc == 4) - { - const size_t l = (data_len - 1) / 2; - - // uncompressed form - x = BigInt::decode(&data[1], l); - y = BigInt::decode(&data[l+1], l); - } - else if(pc == 6 || pc == 7) - { - const size_t l = (data_len - 1) / 2; - - // hybrid form - x = BigInt::decode(&data[1], l); - y = BigInt::decode(&data[l+1], l); - - const bool y_mod_2 = ((pc & 0x01) == 1); - - if(decompress_point(y_mod_2, x, curve_p, curve_a, curve_b) != y) - throw Illegal_Point("OS2ECP: Decoding error in hybrid format"); - } - else - throw Invalid_Argument("OS2ECP: Unknown format type " + std::to_string(pc)); - - return std::make_pair(x, y); - } - -} diff --git a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/point_gfp.h b/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/point_gfp.h deleted file mode 100644 index fa447bf87a..0000000000 --- a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/point_gfp.h +++ /dev/null @@ -1,444 +0,0 @@ -/* -* Point arithmetic on elliptic curves over GF(p) -* -* (C) 2007 Martin Doering, Christoph Ludwig, Falko Strenzke -* 2008-2011,2014,2015 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_POINT_GFP_H_ -#define BOTAN_POINT_GFP_H_ - -#include <botan/curve_gfp.h> -#include <botan/exceptn.h> -#include <vector> - -namespace Botan { - -/** -* Exception thrown if you try to convert a zero point to an affine -* coordinate -*/ -class BOTAN_PUBLIC_API(2,0) Illegal_Transformation final : public Exception - { - public: - explicit Illegal_Transformation(const std::string& err = - "Requested transformation is not possible") : - Exception(err) {} - }; - -/** -* Exception thrown if some form of illegal point is decoded -*/ -class BOTAN_PUBLIC_API(2,0) Illegal_Point final : public Exception - { - public: - explicit Illegal_Point(const std::string& err = "Malformed ECP point detected") : - Exception(err) {} - }; - -/** -* This class represents one point on a curve of GF(p) -*/ -class BOTAN_PUBLIC_API(2,0) PointGFp final - { - public: - enum Compression_Type { - UNCOMPRESSED = 0, - COMPRESSED = 1, - HYBRID = 2 - }; - - enum { WORKSPACE_SIZE = 8 }; - - /** - * Construct an uninitialized PointGFp - */ - PointGFp() = default; - - /** - * Construct the zero point - * @param curve The base curve - */ - explicit PointGFp(const CurveGFp& curve); - - /** - * Copy constructor - */ - PointGFp(const PointGFp&) = default; - - /** - * Move Constructor - */ - PointGFp(PointGFp&& other) - { - this->swap(other); - } - - /** - * Standard Assignment - */ - PointGFp& operator=(const PointGFp&) = default; - - /** - * Move Assignment - */ - PointGFp& operator=(PointGFp&& other) - { - if(this != &other) - this->swap(other); - return (*this); - } - - /** - * Construct a point from its affine coordinates - * @param curve the base curve - * @param x affine x coordinate - * @param y affine y coordinate - */ - PointGFp(const CurveGFp& curve, const BigInt& x, const BigInt& y); - - /** - * EC2OSP - elliptic curve to octet string primitive - * @param format which format to encode using - */ - std::vector<uint8_t> encode(PointGFp::Compression_Type format) const; - - /** - * += Operator - * @param rhs the PointGFp to add to the local value - * @result resulting PointGFp - */ - PointGFp& operator+=(const PointGFp& rhs); - - /** - * -= Operator - * @param rhs the PointGFp to subtract from the local value - * @result resulting PointGFp - */ - PointGFp& operator-=(const PointGFp& rhs); - - /** - * *= Operator - * @param scalar the PointGFp to multiply with *this - * @result resulting PointGFp - */ - PointGFp& operator*=(const BigInt& scalar); - - /** - * Negate this point - * @return *this - */ - PointGFp& negate() - { - if(!is_zero()) - m_coord_y = m_curve.get_p() - m_coord_y; - return *this; - } - - /** - * get affine x coordinate - * @result affine x coordinate - */ - BigInt get_affine_x() const; - - /** - * get affine y coordinate - * @result affine y coordinate - */ - BigInt get_affine_y() const; - - const BigInt& get_x() const { return m_coord_x; } - const BigInt& get_y() const { return m_coord_y; } - const BigInt& get_z() const { return m_coord_z; } - - void swap_coords(BigInt& new_x, BigInt& new_y, BigInt& new_z) - { - m_coord_x.swap(new_x); - m_coord_y.swap(new_y); - m_coord_z.swap(new_z); - } - - /** - * Force this point to affine coordinates - */ - void force_affine(); - - /** - * Force all points on the list to affine coordinates - */ - static void force_all_affine(std::vector<PointGFp>& points, - secure_vector<word>& ws); - - bool is_affine() const; - - /** - * Is this the point at infinity? - * @result true, if this point is at infinity, false otherwise. - */ - bool is_zero() const - { return (m_coord_x.is_zero() && m_coord_z.is_zero()); } - - /** - * Checks whether the point is to be found on the underlying - * curve; used to prevent fault attacks. - * @return if the point is on the curve - */ - bool on_the_curve() const; - - /** - * swaps the states of *this and other, does not throw! - * @param other the object to swap values with - */ - void swap(PointGFp& other); - - /** - * Randomize the point representation - * The actual value (get_affine_x, get_affine_y) does not change - */ - void randomize_repr(RandomNumberGenerator& rng); - - /** - * Randomize the point representation - * The actual value (get_affine_x, get_affine_y) does not change - */ - void randomize_repr(RandomNumberGenerator& rng, secure_vector<word>& ws); - - /** - * Equality operator - */ - bool operator==(const PointGFp& other) const; - - /** - * Point addition - * @param other the point to add to *this - * @param workspace temp space, at least WORKSPACE_SIZE elements - */ - void add(const PointGFp& other, std::vector<BigInt>& workspace) - { - BOTAN_ASSERT_NOMSG(m_curve == other.m_curve); - - const size_t p_words = m_curve.get_p_words(); - - add(other.m_coord_x.data(), std::min(p_words, other.m_coord_x.size()), - other.m_coord_y.data(), std::min(p_words, other.m_coord_y.size()), - other.m_coord_z.data(), std::min(p_words, other.m_coord_z.size()), - workspace); - } - - /** - * Point addition. Array version. - * - * @param x_words the words of the x coordinate of the other point - * @param x_size size of x_words - * @param y_words the words of the y coordinate of the other point - * @param y_size size of y_words - * @param z_words the words of the z coordinate of the other point - * @param z_size size of z_words - * @param workspace temp space, at least WORKSPACE_SIZE elements - */ - void add(const word x_words[], size_t x_size, - const word y_words[], size_t y_size, - const word z_words[], size_t z_size, - std::vector<BigInt>& workspace); - - /** - * Point addition - mixed J+A - * @param other affine point to add - assumed to be affine! - * @param workspace temp space, at least WORKSPACE_SIZE elements - */ - void add_affine(const PointGFp& other, std::vector<BigInt>& workspace) - { - BOTAN_ASSERT_NOMSG(m_curve == other.m_curve); - BOTAN_DEBUG_ASSERT(other.is_affine()); - - const size_t p_words = m_curve.get_p_words(); - add_affine(other.m_coord_x.data(), std::min(p_words, other.m_coord_x.size()), - other.m_coord_y.data(), std::min(p_words, other.m_coord_y.size()), - workspace); - } - - /** - * Point addition - mixed J+A. Array version. - * - * @param x_words the words of the x coordinate of the other point - * @param x_size size of x_words - * @param y_words the words of the y coordinate of the other point - * @param y_size size of y_words - * @param workspace temp space, at least WORKSPACE_SIZE elements - */ - void add_affine(const word x_words[], size_t x_size, - const word y_words[], size_t y_size, - std::vector<BigInt>& workspace); - - /** - * Point doubling - * @param workspace temp space, at least WORKSPACE_SIZE elements - */ - void mult2(std::vector<BigInt>& workspace); - - /** - * Repeated point doubling - * @param i number of doublings to perform - * @param workspace temp space, at least WORKSPACE_SIZE elements - */ - void mult2i(size_t i, std::vector<BigInt>& workspace); - - /** - * Point addition - * @param other the point to add to *this - * @param workspace temp space, at least WORKSPACE_SIZE elements - * @return other plus *this - */ - PointGFp plus(const PointGFp& other, std::vector<BigInt>& workspace) const - { - PointGFp x = (*this); - x.add(other, workspace); - return x; - } - - /** - * Point doubling - * @param workspace temp space, at least WORKSPACE_SIZE elements - * @return *this doubled - */ - PointGFp double_of(std::vector<BigInt>& workspace) const - { - PointGFp x = (*this); - x.mult2(workspace); - return x; - } - - /** - * Return the zero (aka infinite) point associated with this curve - */ - PointGFp zero() const { return PointGFp(m_curve); } - - /** - * Return base curve of this point - * @result the curve over GF(p) of this point - * - * You should not need to use this - */ - const CurveGFp& get_curve() const { return m_curve; } - - private: - CurveGFp m_curve; - BigInt m_coord_x, m_coord_y, m_coord_z; - }; - -/** -* Point multiplication operator -* @param scalar the scalar value -* @param point the point value -* @return scalar*point on the curve -*/ -BOTAN_PUBLIC_API(2,0) PointGFp operator*(const BigInt& scalar, const PointGFp& point); - -/** -* ECC point multiexponentiation - not constant time! -* @param p1 a point -* @param z1 a scalar -* @param p2 a point -* @param z2 a scalar -* @result (p1 * z1 + p2 * z2) -*/ -BOTAN_PUBLIC_API(2,0) PointGFp multi_exponentiate( - const PointGFp& p1, const BigInt& z1, - const PointGFp& p2, const BigInt& z2); - -// relational operators -inline bool operator!=(const PointGFp& lhs, const PointGFp& rhs) - { - return !(rhs == lhs); - } - -// arithmetic operators -inline PointGFp operator-(const PointGFp& lhs) - { - return PointGFp(lhs).negate(); - } - -inline PointGFp operator+(const PointGFp& lhs, const PointGFp& rhs) - { - PointGFp tmp(lhs); - return tmp += rhs; - } - -inline PointGFp operator-(const PointGFp& lhs, const PointGFp& rhs) - { - PointGFp tmp(lhs); - return tmp -= rhs; - } - -inline PointGFp operator*(const PointGFp& point, const BigInt& scalar) - { - return scalar * point; - } - -// encoding and decoding -inline secure_vector<uint8_t> BOTAN_DEPRECATED("Use PointGFp::encode") - EC2OSP(const PointGFp& point, uint8_t format) - { - std::vector<uint8_t> enc = point.encode(static_cast<PointGFp::Compression_Type>(format)); - return secure_vector<uint8_t>(enc.begin(), enc.end()); - } - -/** -* Perform point decoding -* Use EC_Group::OS2ECP instead -*/ -PointGFp BOTAN_PUBLIC_API(2,0) OS2ECP(const uint8_t data[], size_t data_len, - const CurveGFp& curve); - -/** -* Perform point decoding -* Use EC_Group::OS2ECP instead -* -* @param data the encoded point -* @param data_len length of data in bytes -* @param curve_p the curve equation prime -* @param curve_a the curve equation a parameter -* @param curve_b the curve equation b parameter -*/ -std::pair<BigInt, BigInt> BOTAN_UNSTABLE_API OS2ECP(const uint8_t data[], size_t data_len, - const BigInt& curve_p, - const BigInt& curve_a, - const BigInt& curve_b); - -template<typename Alloc> -PointGFp OS2ECP(const std::vector<uint8_t, Alloc>& data, const CurveGFp& curve) - { return OS2ECP(data.data(), data.size(), curve); } - -class PointGFp_Var_Point_Precompute; - -/** -* Deprecated API for point multiplication -* Use EC_Group::blinded_base_point_multiply or EC_Group::blinded_var_point_multiply -*/ -class BOTAN_PUBLIC_API(2,0) BOTAN_DEPRECATED("See comments") Blinded_Point_Multiply final - { - public: - Blinded_Point_Multiply(const PointGFp& base, const BigInt& order, size_t h = 0); - - ~Blinded_Point_Multiply(); - - PointGFp blinded_multiply(const BigInt& scalar, RandomNumberGenerator& rng); - private: - std::vector<BigInt> m_ws; - const BigInt& m_order; - std::unique_ptr<PointGFp_Var_Point_Precompute> m_point_mul; - }; - -} - -namespace std { - -template<> -inline void swap<Botan::PointGFp>(Botan::PointGFp& x, Botan::PointGFp& y) - { x.swap(y); } - -} - -#endif diff --git a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/point_mul.cpp b/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/point_mul.cpp deleted file mode 100644 index da3abaacc6..0000000000 --- a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/point_mul.cpp +++ /dev/null @@ -1,375 +0,0 @@ -/* -* (C) 2015,2018 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/internal/point_mul.h> -#include <botan/rng.h> -#include <botan/reducer.h> -#include <botan/internal/rounding.h> -#include <botan/internal/ct_utils.h> - -namespace Botan { - -PointGFp multi_exponentiate(const PointGFp& x, const BigInt& z1, - const PointGFp& y, const BigInt& z2) - { - PointGFp_Multi_Point_Precompute xy_mul(x, y); - return xy_mul.multi_exp(z1, z2); - } - -Blinded_Point_Multiply::Blinded_Point_Multiply(const PointGFp& base, - const BigInt& order, - size_t h) : - m_ws(PointGFp::WORKSPACE_SIZE), - m_order(order) - { - BOTAN_UNUSED(h); - Null_RNG null_rng; - m_point_mul.reset(new PointGFp_Var_Point_Precompute(base, null_rng, m_ws)); - } - -Blinded_Point_Multiply::~Blinded_Point_Multiply() - { - /* for ~unique_ptr */ - } - -PointGFp Blinded_Point_Multiply::blinded_multiply(const BigInt& scalar, - RandomNumberGenerator& rng) - { - return m_point_mul->mul(scalar, rng, m_order, m_ws); - } - -PointGFp_Base_Point_Precompute::PointGFp_Base_Point_Precompute(const PointGFp& base, - const Modular_Reducer& mod_order) : - m_base_point(base), - m_mod_order(mod_order), - m_p_words(base.get_curve().get_p().sig_words()), - m_T_size(base.get_curve().get_p().bits() + PointGFp_SCALAR_BLINDING_BITS + 1) - { - std::vector<BigInt> ws(PointGFp::WORKSPACE_SIZE); - - const size_t p_bits = base.get_curve().get_p().bits(); - - /* - * Some of the curves (eg secp160k1) have an order slightly larger than - * the size of the prime modulus. In all cases they are at most 1 bit - * longer. The +1 compensates for this. - */ - const size_t T_bits = round_up(p_bits + PointGFp_SCALAR_BLINDING_BITS + 1, 2) / 2; - - std::vector<PointGFp> T(3*T_bits); - T.resize(3*T_bits); - - T[0] = base; - T[1] = T[0]; - T[1].mult2(ws); - T[2] = T[1]; - T[2].add(T[0], ws); - - for(size_t i = 1; i != T_bits; ++i) - { - T[3*i+0] = T[3*i - 2]; - T[3*i+0].mult2(ws); - T[3*i+1] = T[3*i+0]; - T[3*i+1].mult2(ws); - T[3*i+2] = T[3*i+1]; - T[3*i+2].add(T[3*i+0], ws); - } - - PointGFp::force_all_affine(T, ws[0].get_word_vector()); - - m_W.resize(T.size() * 2 * m_p_words); - - word* p = &m_W[0]; - for(size_t i = 0; i != T.size(); ++i) - { - T[i].get_x().encode_words(p, m_p_words); - p += m_p_words; - T[i].get_y().encode_words(p, m_p_words); - p += m_p_words; - } - } - -PointGFp PointGFp_Base_Point_Precompute::mul(const BigInt& k, - RandomNumberGenerator& rng, - const BigInt& group_order, - std::vector<BigInt>& ws) const - { - if(k.is_negative()) - throw Invalid_Argument("PointGFp_Base_Point_Precompute scalar must be positive"); - - // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure) - const BigInt mask(rng, PointGFp_SCALAR_BLINDING_BITS); - - // Instead of reducing k mod group order should we alter the mask size?? - const BigInt scalar = m_mod_order.reduce(k) + group_order * mask; - - const size_t windows = round_up(scalar.bits(), 2) / 2; - - const size_t elem_size = 2*m_p_words; - - BOTAN_ASSERT(windows <= m_W.size() / (3*elem_size), - "Precomputed sufficient values for scalar mult"); - - PointGFp R = m_base_point.zero(); - - if(ws.size() < PointGFp::WORKSPACE_SIZE) - ws.resize(PointGFp::WORKSPACE_SIZE); - - // the precomputed multiples are not secret so use std::vector - std::vector<word> Wt(elem_size); - - for(size_t i = 0; i != windows; ++i) - { - const size_t window = windows - i - 1; - const size_t base_addr = (3*window)*elem_size; - - const word w = scalar.get_substring(2*window, 2); - - const word w_is_1 = CT::is_equal<word>(w, 1); - const word w_is_2 = CT::is_equal<word>(w, 2); - const word w_is_3 = CT::is_equal<word>(w, 3); - - for(size_t j = 0; j != elem_size; ++j) - { - const word w1 = m_W[base_addr + 0*elem_size + j]; - const word w2 = m_W[base_addr + 1*elem_size + j]; - const word w3 = m_W[base_addr + 2*elem_size + j]; - - Wt[j] = CT::select3<word>(w_is_1, w1, w_is_2, w2, w_is_3, w3, 0); - } - - R.add_affine(&Wt[0], m_p_words, &Wt[m_p_words], m_p_words, ws); - - if(i == 0) - { - /* - * Since we start with the top bit of the exponent we know the - * first window must have a non-zero element, and thus R is - * now a point other than the point at infinity. - */ - BOTAN_DEBUG_ASSERT(w != 0); - R.randomize_repr(rng, ws[0].get_word_vector()); - } - } - - BOTAN_DEBUG_ASSERT(R.on_the_curve()); - - return R; - } - -PointGFp_Var_Point_Precompute::PointGFp_Var_Point_Precompute(const PointGFp& point, - RandomNumberGenerator& rng, - std::vector<BigInt>& ws) : - m_curve(point.get_curve()), - m_p_words(m_curve.get_p().sig_words()), - m_window_bits(4) - { - if(ws.size() < PointGFp::WORKSPACE_SIZE) - ws.resize(PointGFp::WORKSPACE_SIZE); - - std::vector<PointGFp> U(static_cast<size_t>(1) << m_window_bits); - U[0] = point.zero(); - U[1] = point; - - for(size_t i = 2; i < U.size(); i += 2) - { - U[i] = U[i/2].double_of(ws); - U[i+1] = U[i].plus(point, ws); - } - - // Hack to handle Blinded_Point_Multiply - if(rng.is_seeded()) - { - BigInt& mask = ws[0]; - BigInt& mask2 = ws[1]; - BigInt& mask3 = ws[2]; - BigInt& new_x = ws[3]; - BigInt& new_y = ws[4]; - BigInt& new_z = ws[5]; - secure_vector<word>& tmp = ws[6].get_word_vector(); - - const CurveGFp& curve = U[0].get_curve(); - - const size_t p_bits = curve.get_p().bits(); - - // Skipping zero point since it can't be randomized - for(size_t i = 1; i != U.size(); ++i) - { - mask.randomize(rng, p_bits - 1, false); - // Easy way of ensuring mask != 0 - mask.set_bit(0); - - curve.sqr(mask2, mask, tmp); - curve.mul(mask3, mask, mask2, tmp); - - curve.mul(new_x, U[i].get_x(), mask2, tmp); - curve.mul(new_y, U[i].get_y(), mask3, tmp); - curve.mul(new_z, U[i].get_z(), mask, tmp); - - U[i].swap_coords(new_x, new_y, new_z); - } - } - - m_T.resize(U.size() * 3 * m_p_words); - - word* p = &m_T[0]; - for(size_t i = 0; i != U.size(); ++i) - { - U[i].get_x().encode_words(p , m_p_words); - U[i].get_y().encode_words(p + m_p_words, m_p_words); - U[i].get_z().encode_words(p + 2*m_p_words, m_p_words); - p += 3*m_p_words; - } - } - -PointGFp PointGFp_Var_Point_Precompute::mul(const BigInt& k, - RandomNumberGenerator& rng, - const BigInt& group_order, - std::vector<BigInt>& ws) const - { - if(k.is_negative()) - throw Invalid_Argument("PointGFp_Var_Point_Precompute scalar must be positive"); - if(ws.size() < PointGFp::WORKSPACE_SIZE) - ws.resize(PointGFp::WORKSPACE_SIZE); - - // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure) - const BigInt mask(rng, PointGFp_SCALAR_BLINDING_BITS, false); - const BigInt scalar = k + group_order * mask; - - const size_t elem_size = 3*m_p_words; - const size_t window_elems = (1ULL << m_window_bits); - - size_t windows = round_up(scalar.bits(), m_window_bits) / m_window_bits; - PointGFp R(m_curve); - secure_vector<word> e(elem_size); - - if(windows > 0) - { - windows--; - - const uint32_t w = scalar.get_substring(windows*m_window_bits, m_window_bits); - - clear_mem(e.data(), e.size()); - for(size_t i = 1; i != window_elems; ++i) - { - const word wmask = CT::is_equal<word>(w, i); - - for(size_t j = 0; j != elem_size; ++j) - { - e[j] |= wmask & m_T[i * elem_size + j]; - } - } - - R.add(&e[0], m_p_words, &e[m_p_words], m_p_words, &e[2*m_p_words], m_p_words, ws); - - /* - Randomize after adding the first nibble as before the addition R - is zero, and we cannot effectively randomize the point - representation of the zero point. - */ - R.randomize_repr(rng, ws[0].get_word_vector()); - } - - while(windows) - { - R.mult2i(m_window_bits, ws); - - const uint32_t w = scalar.get_substring((windows-1)*m_window_bits, m_window_bits); - - clear_mem(e.data(), e.size()); - for(size_t i = 1; i != window_elems; ++i) - { - const word wmask = CT::is_equal<word>(w, i); - - for(size_t j = 0; j != elem_size; ++j) - e[j] |= wmask & m_T[i * elem_size + j]; - } - - R.add(&e[0], m_p_words, &e[m_p_words], m_p_words, &e[2*m_p_words], m_p_words, ws); - - windows--; - } - - BOTAN_DEBUG_ASSERT(R.on_the_curve()); - - return R; - } - - -PointGFp_Multi_Point_Precompute::PointGFp_Multi_Point_Precompute(const PointGFp& x, - const PointGFp& y) - { - std::vector<BigInt> ws(PointGFp::WORKSPACE_SIZE); - - PointGFp x2 = x; - x2.mult2(ws); - - const PointGFp x3(x2.plus(x, ws)); - - PointGFp y2 = y; - y2.mult2(ws); - - const PointGFp y3(y2.plus(y, ws)); - - m_M.reserve(15); - - m_M.push_back(x); - m_M.push_back(x2); - m_M.push_back(x3); - - m_M.push_back(y); - m_M.push_back(y.plus(x, ws)); - m_M.push_back(y.plus(x2, ws)); - m_M.push_back(y.plus(x3, ws)); - - m_M.push_back(y2); - m_M.push_back(y2.plus(x, ws)); - m_M.push_back(y2.plus(x2, ws)); - m_M.push_back(y2.plus(x3, ws)); - - m_M.push_back(y3); - m_M.push_back(y3.plus(x, ws)); - m_M.push_back(y3.plus(x2, ws)); - m_M.push_back(y3.plus(x3, ws)); - - PointGFp::force_all_affine(m_M, ws[0].get_word_vector()); - } - -PointGFp PointGFp_Multi_Point_Precompute::multi_exp(const BigInt& z1, - const BigInt& z2) const - { - std::vector<BigInt> ws(PointGFp::WORKSPACE_SIZE); - - const size_t z_bits = round_up(std::max(z1.bits(), z2.bits()), 2); - - PointGFp H = m_M[0].zero(); - - for(size_t i = 0; i != z_bits; i += 2) - { - if(i > 0) - { - H.mult2i(2, ws); - } - - const uint32_t z1_b = z1.get_substring(z_bits - i - 2, 2); - const uint32_t z2_b = z2.get_substring(z_bits - i - 2, 2); - - const uint32_t z12 = (4*z2_b) + z1_b; - - // This function is not intended to be const time - if(z12) - { - H.add_affine(m_M[z12-1], ws); - } - } - - if(z1.is_negative() != z2.is_negative()) - H.negate(); - - return H; - } - -} diff --git a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/point_mul.h b/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/point_mul.h deleted file mode 100644 index dbaae29950..0000000000 --- a/src/libs/3rdparty/botan/src/lib/pubkey/ec_group/point_mul.h +++ /dev/null @@ -1,84 +0,0 @@ -/* -* (C) 2018 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_POINT_MUL_H_ -#define BOTAN_POINT_MUL_H_ - -#include <botan/point_gfp.h> - -namespace Botan { - -class Modular_Reducer; - -static const size_t PointGFp_SCALAR_BLINDING_BITS = 80; - -class PointGFp_Base_Point_Precompute final - { - public: - PointGFp_Base_Point_Precompute(const PointGFp& base_point, - const Modular_Reducer& mod_order); - - PointGFp mul(const BigInt& k, - RandomNumberGenerator& rng, - const BigInt& group_order, - std::vector<BigInt>& ws) const; - private: - const PointGFp& m_base_point; - const Modular_Reducer& m_mod_order; - - const size_t m_p_words; - const size_t m_T_size; - - /* - * This is a table of T_size * 3*p_word words - */ - std::vector<word> m_W; - }; - -class PointGFp_Var_Point_Precompute final - { - public: - PointGFp_Var_Point_Precompute(const PointGFp& point, - RandomNumberGenerator& rng, - std::vector<BigInt>& ws); - - PointGFp mul(const BigInt& k, - RandomNumberGenerator& rng, - const BigInt& group_order, - std::vector<BigInt>& ws) const; - private: - const CurveGFp m_curve; - const size_t m_p_words; - const size_t m_window_bits; - - /* - * Table of 2^window_bits * 3*2*p_word words - * Kept in locked vector since the base point might be sensitive - * (normally isn't in most protocols but hard to say anything - * categorically.) - */ - secure_vector<word> m_T; - }; - -class PointGFp_Multi_Point_Precompute final - { - public: - PointGFp_Multi_Point_Precompute(const PointGFp& g1, - const PointGFp& g2); - - /* - * Return (g1*k1 + g2*k2) - * Not constant time, intended to use with public inputs - */ - PointGFp multi_exp(const BigInt& k1, - const BigInt& k2) const; - private: - std::vector<PointGFp> m_M; - }; - -} - -#endif |