21399773049

Committed 27 Jan 2026 01:51PM UTC coverage: 90.072% (-0.001%) from 90.073%

Build # 21399773049

Build Type

Pull #5268

github

Committed by

web-flow

Commit Message

Merge dd3337d77 into 0d718b146

Pull Request Pull Request #5268: Avoid validation of known EC groups when decoding an explicit curve block

Run Details

102164 of 113425 relevant lines covered (90.07%)

11494463.5 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

91.41

/src/lib/pubkey/ec_group/ec_inner_data.cpp

/*
* (C) 2024 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/ec_inner_data.h>

#include <botan/der_enc.h>
#include <botan/internal/ec_inner_pc.h>
#include <botan/internal/fmt.h>
#include <botan/internal/pcurves.h>
#include <algorithm>

#if defined(BOTAN_HAS_LEGACY_EC_POINT)
   #include <botan/internal/ec_inner_bn.h>
   #include <botan/internal/point_mul.h>
#endif

#if defined(BOTAN_HAS_XMD)
   #include <botan/internal/xmd.h>
#endif

namespace Botan {

EC_Group_Data::~EC_Group_Data() = default;

// Note this constructor *does not* initialize m_curve, m_base_point or m_base_mult
EC_Group_Data::EC_Group_Data(const BigInt& p,
                             const BigInt& a,
                             const BigInt& b,
                             const BigInt& g_x,
                             const BigInt& g_y,
                             const BigInt& order,
                             const BigInt& cofactor,
                             const OID& oid,
                             EC_Group_Source source) :
      m_p(p),
      m_a(a),
      m_b(b),
      m_g_x(g_x),
      m_g_y(g_y),
      m_order(order),
      m_cofactor(cofactor),
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
      m_mod_field(Barrett_Reduction::for_public_modulus(p)),
      m_mod_order(Barrett_Reduction::for_public_modulus(order)),
      m_monty(m_p, m_mod_field),
#endif
      m_oid(oid),
      m_p_words(p.sig_words()),
      m_p_bits(p.bits()),
      m_order_bits(order.bits()),
      m_order_bytes((m_order_bits + 7) / 8),
      m_a_is_minus_3(a == p - 3),
      m_a_is_zero(a.is_zero()),
      m_has_cofactor(m_cofactor != 1),
      m_order_is_less_than_p(m_order < p),
      m_source(source) {
   // TODO(Botan4) we can assume/assert the OID is set
   if(!m_oid.empty()) {
      DER_Encoder der(m_der_named_curve);
      der.encode(m_oid);

      const std::string name = m_oid.human_name_or_empty();
      if(!name.empty()) {
         // returns nullptr if unknown or not supported
         m_pcurve = PCurve::PrimeOrderCurve::for_named_curve(name);
      }
      if(m_pcurve) {
         m_engine = EC_Group_Engine::Optimized;
      }
   }

   // Try a generic pcurves instance
   if(!m_pcurve && !m_has_cofactor) {
      m_pcurve = PCurve::PrimeOrderCurve::from_params(p, a, b, g_x, g_y, order);
      if(m_pcurve) {
         m_engine = EC_Group_Engine::Generic;
      }
      // possibly still null here, if parameters unsuitable or if the
      // pcurves_generic module wasn't included in the build
   }

#if defined(BOTAN_HAS_LEGACY_EC_POINT)
   secure_vector<word> ws;
   m_a_r = m_monty.mul(a, m_monty.R2(), ws);
   m_b_r = m_monty.mul(b, m_monty.R2(), ws);
   if(!m_pcurve) {
      m_engine = EC_Group_Engine::Legacy;
   }
#else
   if(!m_pcurve) {
      if(m_oid.empty()) {
         throw Not_Implemented("EC_Group this group is not supported in this build configuration");
      } else {
         throw Not_Implemented(
            fmt("EC_Group the group {} is not supported in this build configuration", oid.to_string()));
      }
   }
#endif
}

std::shared_ptr<EC_Group_Data> EC_Group_Data::create(const BigInt& p,
                                                     const BigInt& a,
                                                     const BigInt& b,
                                                     const BigInt& g_x,
                                                     const BigInt& g_y,
                                                     const BigInt& order,
                                                     const BigInt& cofactor,
                                                     const OID& oid,
                                                     EC_Group_Source source) {
   auto group = std::make_shared<EC_Group_Data>(p, a, b, g_x, g_y, order, cofactor, oid, source);

#if defined(BOTAN_HAS_LEGACY_EC_POINT)
   group->m_curve = CurveGFp(group.get());
   group->m_base_point = EC_Point(group->m_curve, g_x, g_y);
   if(!group->m_pcurve) {
      group->m_base_mult = std::make_unique<EC_Point_Base_Point_Precompute>(group->m_base_point, group->m_mod_order);
   }
#endif

   return group;
}

bool EC_Group_Data::params_match(const BigInt& p,
                                 const BigInt& a,
                                 const BigInt& b,
                                 const BigInt& g_x,
                                 const BigInt& g_y,
                                 const BigInt& order,
                                 const BigInt& cofactor) const {
   if(p != this->p()) {
      return false;
   }
   if(a != this->a()) {
      return false;
   }
   if(b != this->b()) {
      return false;
   }
   if(order != this->order()) {
      return false;
   }
   if(cofactor != this->cofactor()) {
      return false;
   }
   if(g_x != this->g_x()) {
      return false;
   }
   if(g_y != this->g_y()) {
      return false;
   }

   return true;
}

bool EC_Group_Data::params_match(const BigInt& p,
                                 const BigInt& a,
                                 const BigInt& b,
                                 std::span<const uint8_t> base_pt,
                                 const BigInt& order,
                                 const BigInt& cofactor) const {
   if(p != this->p()) {
      return false;
   }
   if(a != this->a()) {
      return false;
   }
   if(b != this->b()) {
      return false;
   }
   if(order != this->order()) {
      return false;
   }
   if(cofactor != this->cofactor()) {
      return false;
   }

   const size_t field_len = this->p_bytes();

   if(base_pt.size() == 1 + field_len && (base_pt[0] == 0x02 || base_pt[0] == 0x03)) {
      // compressed

      auto x_bytes = m_g_x.serialize(field_len);
      const bool y_odd = base_pt[0] == 0x03;

      if(!std::ranges::equal(base_pt.subspan(1), x_bytes)) {
         return false;
      }

      if(m_g_y.is_odd() != y_odd) {
         return false;
      }

      return true;
   } else if(base_pt.size() == 1 + 2 * field_len && base_pt[0] == 0x04) {
      auto x_bytes = m_g_x.serialize(field_len);
      auto y_bytes = m_g_y.serialize(field_len);

      if(!std::ranges::equal(base_pt.subspan(1, field_len), x_bytes)) {
         return false;
      }

      if(!std::ranges::equal(base_pt.subspan(1 + field_len, field_len), y_bytes)) {
         return false;
      }

      return true;
   } else {
      throw Decoding_Error("Invalid base point encoding in explicit group");
   }
}

bool EC_Group_Data::params_match(const EC_Group_Data& other) const {
   return params_match(other.p(), other.a(), other.b(), other.g_x(), other.g_y(), other.order(), other.cofactor());
}

void EC_Group_Data::set_oid(const OID& oid) {
   BOTAN_ARG_CHECK(!oid.empty(), "OID should be set");
   BOTAN_STATE_CHECK(m_oid.empty() && m_der_named_curve.empty());
   m_oid = oid;

   DER_Encoder der(m_der_named_curve);
   der.encode(m_oid);
}

std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_from_bytes_with_trunc(std::span<const uint8_t> bytes) const {
   const size_t bit_length = 8 * bytes.size();

   if(bit_length < order_bits()) {
      // No shifting required, but might still need to reduce by modulus
      return this->scalar_from_bytes_mod_order(bytes);
   } else {
      const size_t shift = bit_length - order_bits();

      const size_t new_length = bytes.size() - (shift / 8);
      const size_t bit_shift = shift % 8;

      if(bit_shift == 0) {
         // Easy case just read different bytes
         return this->scalar_from_bytes_mod_order(bytes.first(new_length));
      } else {
         std::vector<uint8_t> sbytes(new_length);

         uint8_t carry = 0;
         for(size_t i = 0; i != new_length; ++i) {
            const uint8_t w = bytes[i];
            sbytes[i] = (w >> bit_shift) | carry;
            carry = w << (8 - bit_shift);
         }

         return this->scalar_from_bytes_mod_order(sbytes);
      }
   }
}

std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_from_bytes_mod_order(std::span<const uint8_t> bytes) const {
   if(bytes.size() > 2 * order_bytes()) {
      return {};
   }

   if(m_pcurve) {
      if(auto s = m_pcurve->scalar_from_wide_bytes(bytes)) {
         return std::make_unique<EC_Scalar_Data_PC>(shared_from_this(), std::move(*s));
      } else {
         return {};
      }
   } else {
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
      return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), m_mod_order.reduce(BigInt(bytes)));
#else
      throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
   }
}

std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_random(RandomNumberGenerator& rng) const {
   if(m_pcurve) {
      return std::make_unique<EC_Scalar_Data_PC>(shared_from_this(), m_pcurve->random_scalar(rng));
   } else {
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
      return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(),
                                                 BigInt::random_integer(rng, BigInt::one(), m_order));
#else
      throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
   }
}

std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_one() const {
   if(m_pcurve) {
      return std::make_unique<EC_Scalar_Data_PC>(shared_from_this(), m_pcurve->scalar_one());
   } else {
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
      return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), BigInt::one());
#else
      throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
   }
}

std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_from_bigint(const BigInt& bn) const {
   if(bn <= 0 || bn >= m_order) {
      return {};
   }

   if(m_pcurve) {
      return this->scalar_deserialize(bn.serialize(m_order_bytes));
   } else {
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
      return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), bn);
#else
      throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
   }
}

std::unique_ptr<EC_Scalar_Data> EC_Group_Data::gk_x_mod_order(const EC_Scalar_Data& scalar,
                                                              RandomNumberGenerator& rng) const {
   if(m_pcurve) {
      const auto& k = EC_Scalar_Data_PC::checked_ref(scalar);
      auto gk_x_mod_order = m_pcurve->base_point_mul_x_mod_order(k.value(), rng);
      return std::make_unique<EC_Scalar_Data_PC>(shared_from_this(), gk_x_mod_order);
   } else {
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
      const auto& k = EC_Scalar_Data_BN::checked_ref(scalar);
      BOTAN_STATE_CHECK(m_base_mult != nullptr);
      std::vector<BigInt> ws;
      const auto pt = m_base_mult->mul(k.value(), rng, m_order, ws);

      if(pt.is_zero()) {
         return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), BigInt::zero());
      } else {
         return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), m_mod_order.reduce(pt.get_affine_x()));
      }
#else
      throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
   }
}

std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_deserialize(std::span<const uint8_t> bytes) const {
   if(bytes.size() != m_order_bytes) {
      return nullptr;
   }

   if(m_pcurve) {
      if(auto s = m_pcurve->deserialize_scalar(bytes)) {
         return std::make_unique<EC_Scalar_Data_PC>(shared_from_this(), *s);
      } else {
         return nullptr;
      }
   } else {
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
      BigInt r(bytes);

      if(r.is_zero() || r >= m_order) {
         return nullptr;
      }

      return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), std::move(r));
#else
      throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
   }
}

std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::point_deserialize(std::span<const uint8_t> bytes) const {
   // The deprecated "hybrid" point format
   // TODO(Botan4) remove this
   if(bytes.size() >= 1 + 2 * 4 && (bytes[0] == 0x06 || bytes[0] == 0x07)) {
      const bool hdr_y_is_even = bytes[0] == 0x06;
      const bool y_is_even = (bytes.back() & 0x01) == 0;

      if(hdr_y_is_even == y_is_even) {
         std::vector<uint8_t> sec1(bytes.begin(), bytes.end());
         sec1[0] = 0x04;
         return this->point_deserialize(sec1);
      }
   }

   try {
      if(m_pcurve) {
         if(auto pt = m_pcurve->deserialize_point(bytes)) {
            return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), std::move(*pt));
         } else {
            return {};
         }
      } else {
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
         auto pt = Botan::OS2ECP(bytes, m_curve);
         return std::make_unique<EC_AffinePoint_Data_BN>(shared_from_this(), std::move(pt));
#else
         throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
      }
   } catch(...) {
      return {};
   }
}

namespace {

std::function<void(std::span<uint8_t>)> h2c_expand_message(std::string_view hash_fn,
                                                           std::span<const uint8_t> input,
                                                           std::span<const uint8_t> domain_sep) {
   /*
   * This could be extended to support expand_message_xof or a MHF like Argon2
   */

   if(hash_fn.starts_with("SHAKE")) {
      throw Not_Implemented("Hash to curve currently does not support expand_message_xof");
   }

   return [=](std::span<uint8_t> uniform_bytes) {
#if defined(BOTAN_HAS_XMD)
      expand_message_xmd(hash_fn, uniform_bytes, input, domain_sep);
#else
      BOTAN_UNUSED(hash_fn, uniform_bytes, input, domain_sep);
      throw Not_Implemented("Hash to curve is not implemented due to XMD being disabled");
#endif
   };
}

}  // namespace

std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::point_hash_to_curve_ro(std::string_view hash_fn,
                                                                           std::span<const uint8_t> input,
                                                                           std::span<const uint8_t> domain_sep) const {
   if(m_pcurve) {
      auto pt = m_pcurve->hash_to_curve_ro(h2c_expand_message(hash_fn, input, domain_sep));
      return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), m_pcurve->point_to_affine(pt));
   } else {
      throw Not_Implemented("Hash to curve is not implemented for this curve");
   }
}

std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::point_hash_to_curve_nu(std::string_view hash_fn,
                                                                           std::span<const uint8_t> input,
                                                                           std::span<const uint8_t> domain_sep) const {
   if(m_pcurve) {
      auto pt = m_pcurve->hash_to_curve_nu(h2c_expand_message(hash_fn, input, domain_sep));
      return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), std::move(pt));
   } else {
      throw Not_Implemented("Hash to curve is not implemented for this curve");
   }
}

std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::point_g_mul(const EC_Scalar_Data& scalar,
                                                                RandomNumberGenerator& rng) const {
   if(m_pcurve) {
      const auto& k = EC_Scalar_Data_PC::checked_ref(scalar);
      auto pt = m_pcurve->point_to_affine(m_pcurve->mul_by_g(k.value(), rng));
      return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), std::move(pt));
   } else {
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
      const auto& group = scalar.group();
      const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar);

      BOTAN_STATE_CHECK(group->m_base_mult != nullptr);
      std::vector<BigInt> ws;
      auto pt = group->m_base_mult->mul(bn.value(), rng, m_order, ws);
      return std::make_unique<EC_AffinePoint_Data_BN>(shared_from_this(), std::move(pt));
#else
      throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
   }
}

std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::mul_px_qy(const EC_AffinePoint_Data& p,
                                                              const EC_Scalar_Data& x,
                                                              const EC_AffinePoint_Data& q,
                                                              const EC_Scalar_Data& y,
                                                              RandomNumberGenerator& rng) const {
   if(m_pcurve) {
      auto pt = m_pcurve->mul_px_qy(EC_AffinePoint_Data_PC::checked_ref(p).value(),
                                    EC_Scalar_Data_PC::checked_ref(x).value(),
                                    EC_AffinePoint_Data_PC::checked_ref(q).value(),
                                    EC_Scalar_Data_PC::checked_ref(y).value(),
                                    rng);

      if(pt) {
         return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), m_pcurve->point_to_affine(*pt));
      } else {
         return nullptr;
      }
   } else {
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
      std::vector<BigInt> ws;
      const auto& group = p.group();

      // TODO this could be better!
      const EC_Point_Var_Point_Precompute p_mul(p.to_legacy_point(), rng, ws);
      const EC_Point_Var_Point_Precompute q_mul(q.to_legacy_point(), rng, ws);

      const auto order = group->order() * group->cofactor();  // See #3800

      auto px = p_mul.mul(EC_Scalar_Data_BN::checked_ref(x).value(), rng, order, ws);
      auto qy = q_mul.mul(EC_Scalar_Data_BN::checked_ref(y).value(), rng, order, ws);

      auto px_qy = px + qy;

      if(!px_qy.is_zero()) {
         px_qy.force_affine();
         return std::make_unique<EC_AffinePoint_Data_BN>(shared_from_this(), std::move(px_qy));
      } else {
         return nullptr;
      }
#else
      throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
   }
}

std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::affine_add(const EC_AffinePoint_Data& p,
                                                               const EC_AffinePoint_Data& q) const {
   if(m_pcurve) {
      auto pt = m_pcurve->point_add(EC_AffinePoint_Data_PC::checked_ref(p).value(),
                                    EC_AffinePoint_Data_PC::checked_ref(q).value());

      return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), m_pcurve->point_to_affine(pt));
   } else {
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
      auto pt = p.to_legacy_point() + q.to_legacy_point();
      return std::make_unique<EC_AffinePoint_Data_BN>(shared_from_this(), std::move(pt));
#else
      throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
   }
}

std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::affine_neg(const EC_AffinePoint_Data& p) const {
   if(m_pcurve) {
      auto pt = m_pcurve->point_negate(EC_AffinePoint_Data_PC::checked_ref(p).value());
      return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), pt);
   } else {
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
      auto pt = p.to_legacy_point();
      pt.negate();  // negates in place
      return std::make_unique<EC_AffinePoint_Data_BN>(shared_from_this(), std::move(pt));
#else
      throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
   }
}

std::unique_ptr<EC_Mul2Table_Data> EC_Group_Data::make_mul2_table(const EC_AffinePoint_Data& h) const {
   if(m_pcurve) {
      return std::make_unique<EC_Mul2Table_Data_PC>(h);
   } else {
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
      const EC_AffinePoint_Data_BN g(shared_from_this(), this->base_point());
      return std::make_unique<EC_Mul2Table_Data_BN>(g, h);
#else
      throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
   }
}

}  // namespace Botan

1	/*
2	* (C) 2024 Jack Lloyd
3	*
4	* Botan is released under the Simplified BSD License (see license.txt)
5	*/
6
7	#include <botan/internal/ec_inner_data.h>
8
9	#include <botan/der_enc.h>
10	#include <botan/internal/ec_inner_pc.h>
11	#include <botan/internal/fmt.h>
12	#include <botan/internal/pcurves.h>
13	#include <algorithm>
14
15	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
16	#include <botan/internal/ec_inner_bn.h>
17	#include <botan/internal/point_mul.h>
18	#endif
19
20	#if defined(BOTAN_HAS_XMD)
21	#include <botan/internal/xmd.h>
22	#endif
23
24	namespace Botan {
25
26	EC_Group_Data::~EC_Group_Data() = default;	6,901✔
27
28	// Note this constructor does not initialize m_curve, m_base_point or m_base_mult
29	EC_Group_Data::EC_Group_Data(const BigInt& p,	1,151✔
30	const BigInt& a,
31	const BigInt& b,
32	const BigInt& g_x,
33	const BigInt& g_y,
34	const BigInt& order,
35	const BigInt& cofactor,
36	const OID& oid,
37	EC_Group_Source source) :	1,151✔
38	m_p(p),	1,151✔
39	m_a(a),	1,151✔
40	m_b(b),	1,151✔
41	m_g_x(g_x),	1,151✔
42	m_g_y(g_y),	1,151✔
43	m_order(order),	1,151✔
44	m_cofactor(cofactor),	1,151✔
45	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
46	m_mod_field(Barrett_Reduction::for_public_modulus(p)),	1,151✔
47	m_mod_order(Barrett_Reduction::for_public_modulus(order)),	1,151✔
48	m_monty(m_p, m_mod_field),	1,151✔
49	#endif
50	m_oid(oid),	1,151✔
51	m_p_words(p.sig_words()),	1,151✔
52	m_p_bits(p.bits()),	1,151✔
53	m_order_bits(order.bits()),	1,151✔
54	m_order_bytes((m_order_bits + 7) / 8),	1,151✔
55	m_a_is_minus_3(a == p - 3),	1,151✔
56	m_a_is_zero(a.is_zero()),	1,151✔
57	m_has_cofactor(m_cofactor != 1),	1,151✔
58	m_order_is_less_than_p(m_order < p),	1,151✔
59	m_source(source) {	3,453✔
60	// TODO(Botan4) we can assume/assert the OID is set
61	if(!m_oid.empty()) {	1,151✔
62	DER_Encoder der(m_der_named_curve);	1,146✔
63	der.encode(m_oid);	1,146✔
64
65	const std::string name = m_oid.human_name_or_empty();	1,146✔
66	if(!name.empty()) {	1,146✔
67	// returns nullptr if unknown or not supported
68	m_pcurve = PCurve::PrimeOrderCurve::for_named_curve(name);	1,141✔
69	}
70	if(m_pcurve) {	1,146✔
71	m_engine = EC_Group_Engine::Optimized;	904✔
72	}
73	}	1,146✔
74
75	// Try a generic pcurves instance
76	if(!m_pcurve && !m_has_cofactor) {	1,151✔
77	m_pcurve = PCurve::PrimeOrderCurve::from_params(p, a, b, g_x, g_y, order);	246✔
78	if(m_pcurve) {	246✔
79	m_engine = EC_Group_Engine::Generic;	147✔
80	}
81	// possibly still null here, if parameters unsuitable or if the
82	// pcurves_generic module wasn't included in the build
83	}
84
85	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
86	secure_vector<word> ws;	1,151✔
87	m_a_r = m_monty.mul(a, m_monty.R2(), ws);	2,302✔
88	m_b_r = m_monty.mul(b, m_monty.R2(), ws);	2,302✔
89	if(!m_pcurve) {	1,151✔
90	m_engine = EC_Group_Engine::Legacy;	100✔
91	}
92	#else
93	if(!m_pcurve) {
94	if(m_oid.empty()) {
95	throw Not_Implemented("EC_Group this group is not supported in this build configuration");
96	} else {
97	throw Not_Implemented(
98	fmt("EC_Group the group {} is not supported in this build configuration", oid.to_string()));
99	}
100	}
101	#endif
102	}	1,151✔
103
104	std::shared_ptr<EC_Group_Data> EC_Group_Data::create(const BigInt& p,	1,151✔
105	const BigInt& a,
106	const BigInt& b,
107	const BigInt& g_x,
108	const BigInt& g_y,
109	const BigInt& order,
110	const BigInt& cofactor,
111	const OID& oid,
112	EC_Group_Source source) {
113	auto group = std::make_shared<EC_Group_Data>(p, a, b, g_x, g_y, order, cofactor, oid, source);	1,151✔
114
115	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
116	group->m_curve = CurveGFp(group.get());	1,151✔
117	group->m_base_point = EC_Point(group->m_curve, g_x, g_y);	2,302✔
118	if(!group->m_pcurve) {	1,151✔
119	group->m_base_mult = std::make_unique<EC_Point_Base_Point_Precompute>(group->m_base_point, group->m_mod_order);	100✔
120	}
121	#endif
122
123	return group;	1,151✔
124	}	×
125
126	bool EC_Group_Data::params_match(const BigInt& p,	194✔
127	const BigInt& a,
128	const BigInt& b,
129	const BigInt& g_x,
130	const BigInt& g_y,
131	const BigInt& order,
132	const BigInt& cofactor) const {
133	if(p != this->p()) {	194✔
134	return false;
135	}
136	if(a != this->a()) {	38✔
137	return false;
138	}
139	if(b != this->b()) {	35✔
140	return false;
141	}
142	if(order != this->order()) {	35✔
143	return false;
144	}
145	if(cofactor != this->cofactor()) {	35✔
146	return false;
147	}
148	if(g_x != this->g_x()) {	35✔
149	return false;
150	}
151	if(g_y != this->g_y()) {	34✔
152	return false;
153	}
154
155	return true;
156	}
157
158	bool EC_Group_Data::params_match(const BigInt& p,	827✔
159	const BigInt& a,
160	const BigInt& b,
161	std::span<const uint8_t> base_pt,
162	const BigInt& order,
163	const BigInt& cofactor) const {
164	if(p != this->p()) {	827✔
165	return false;
166	}
167	if(a != this->a()) {	79✔
168	return false;
169	}
170	if(b != this->b()) {	74✔
171	return false;
172	}
173	if(order != this->order()) {	67✔
174	return false;
175	}
176	if(cofactor != this->cofactor()) {	64✔
177	return false;
178	}
179
180	const size_t field_len = this->p_bytes();	64✔
181
182	if(base_pt.size() == 1 + field_len && (base_pt[0] == 0x02 \|\| base_pt[0] == 0x03)) {	64✔
183	// compressed
184
185	auto x_bytes = m_g_x.serialize(field_len);	×
186	const bool y_odd = base_pt[0] == 0x03;	×
187
188	if(!std::ranges::equal(base_pt.subspan(1), x_bytes)) {	×
189	return false;
190	}
191
192	if(m_g_y.is_odd() != y_odd) {	×
193	return false;
194	}
195
196	return true;	×
197	} else if(base_pt.size() == 1 + 2 * field_len && base_pt[0] == 0x04) {	64✔
198	auto x_bytes = m_g_x.serialize(field_len);	63✔
199	auto y_bytes = m_g_y.serialize(field_len);	63✔
200
201	if(!std::ranges::equal(base_pt.subspan(1, field_len), x_bytes)) {	126✔
202	return false;
203	}
204
205	if(!std::ranges::equal(base_pt.subspan(1 + field_len, field_len), y_bytes)) {	177✔
206	return false;
207	}
208
209	return true;	57✔
210	} else {	126✔
211	throw Decoding_Error("Invalid base point encoding in explicit group");	1✔
212	}
213	}
214
215	bool EC_Group_Data::params_match(const EC_Group_Data& other) const {	×
216	return params_match(other.p(), other.a(), other.b(), other.g_x(), other.g_y(), other.order(), other.cofactor());	×
217	}
218
219	void EC_Group_Data::set_oid(const OID& oid) {	×
220	BOTAN_ARG_CHECK(!oid.empty(), "OID should be set");	×
221	BOTAN_STATE_CHECK(m_oid.empty() && m_der_named_curve.empty());	×
222	m_oid = oid;	×
223
224	DER_Encoder der(m_der_named_curve);	×
225	der.encode(m_oid);	×
226	}	×
227
228	std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_from_bytes_with_trunc(std::span<const uint8_t> bytes) const {	30,618✔
229	const size_t bit_length = 8 * bytes.size();	30,618✔
230
231	if(bit_length < order_bits()) {	30,618✔
232	// No shifting required, but might still need to reduce by modulus
233	return this->scalar_from_bytes_mod_order(bytes);	5,270✔
234	} else {
235	const size_t shift = bit_length - order_bits();	25,348✔
236
237	const size_t new_length = bytes.size() - (shift / 8);	25,348✔
238	const size_t bit_shift = shift % 8;	25,348✔
239
240	if(bit_shift == 0) {	25,348✔
241	// Easy case just read different bytes
242	return this->scalar_from_bytes_mod_order(bytes.first(new_length));	22,690✔
243	} else {
244	std::vector<uint8_t> sbytes(new_length);	2,658✔
245
246	uint8_t carry = 0;	2,658✔
247	for(size_t i = 0; i != new_length; ++i) {	72,691✔
248	const uint8_t w = bytes[i];	70,033✔
249	sbytes[i] = (w >> bit_shift) \| carry;	70,033✔
250	carry = w << (8 - bit_shift);	70,033✔
251	}
252
253	return this->scalar_from_bytes_mod_order(sbytes);	2,658✔
254	}	2,658✔
255	}
256	}
257
258	std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_from_bytes_mod_order(std::span<const uint8_t> bytes) const {	39,405✔
259	if(bytes.size() > 2 * order_bytes()) {	39,405✔
260	return {};	×
261	}
262
263	if(m_pcurve) {	39,405✔
264	if(auto s = m_pcurve->scalar_from_wide_bytes(bytes)) {	36,575✔
265	return std::make_unique<EC_Scalar_Data_PC>(shared_from_this(), std::move(*s));	36,575✔
266	} else {
267	return {};	×
268	}	36,575✔
269	} else {
270	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
271	return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), m_mod_order.reduce(BigInt(bytes)));	2,830✔
272	#else
273	throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
274	#endif
275	}
276	}
277
278	std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_random(RandomNumberGenerator& rng) const {	46,145✔
279	if(m_pcurve) {	46,145✔
280	return std::make_unique<EC_Scalar_Data_PC>(shared_from_this(), m_pcurve->random_scalar(rng));	39,946✔
281	} else {
282	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
283	return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(),	12,398✔
284	BigInt::random_integer(rng, BigInt::one(), m_order));	18,597✔
285	#else
286	throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
287	#endif
288	}
289	}
290
291	std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_one() const {	129✔
292	if(m_pcurve) {	129✔
293	return std::make_unique<EC_Scalar_Data_PC>(shared_from_this(), m_pcurve->scalar_one());	117✔
294	} else {
295	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
296	return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), BigInt::one());	12✔
297	#else
298	throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
299	#endif
300	}
301	}
302
303	std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_from_bigint(const BigInt& bn) const {	4,450✔
304	if(bn <= 0 \|\| bn >= m_order) {	4,450✔
305	return {};	×
306	}
307
308	if(m_pcurve) {	4,450✔
309	return this->scalar_deserialize(bn.serialize(m_order_bytes));	8,078✔
310	} else {
311	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
312	return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), bn);	411✔
313	#else
314	throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
315	#endif
316	}
317	}
318
319	std::unique_ptr<EC_Scalar_Data> EC_Group_Data::gk_x_mod_order(const EC_Scalar_Data& scalar,	6,151✔
320	RandomNumberGenerator& rng) const {
321	if(m_pcurve) {	6,151✔
322	const auto& k = EC_Scalar_Data_PC::checked_ref(scalar);	5,752✔
323	auto gk_x_mod_order = m_pcurve->base_point_mul_x_mod_order(k.value(), rng);	5,752✔
324	return std::make_unique<EC_Scalar_Data_PC>(shared_from_this(), gk_x_mod_order);	5,752✔
325	} else {	5,752✔
326	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
327	const auto& k = EC_Scalar_Data_BN::checked_ref(scalar);	399✔
328	BOTAN_STATE_CHECK(m_base_mult != nullptr);	399✔
329	std::vector<BigInt> ws;	399✔
330	const auto pt = m_base_mult->mul(k.value(), rng, m_order, ws);	399✔
331
332	if(pt.is_zero()) {	798✔
333	return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), BigInt::zero());	×
334	} else {
335	return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), m_mod_order.reduce(pt.get_affine_x()));	399✔
336	}
337	#else
338	throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
339	#endif
340	}	399✔
341	}
342
343	std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_deserialize(std::span<const uint8_t> bytes) const {	75,673✔
344	if(bytes.size() != m_order_bytes) {	75,673✔
345	return nullptr;	5,856✔
346	}
347
348	if(m_pcurve) {	69,817✔
349	if(auto s = m_pcurve->deserialize_scalar(bytes)) {	65,495✔
350	return std::make_unique<EC_Scalar_Data_PC>(shared_from_this(), *s);	63,090✔
351	} else {
352	return nullptr;	2,405✔
353	}	65,495✔
354	} else {
355	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
356	BigInt r(bytes);	4,322✔
357
358	if(r.is_zero() \|\| r >= m_order) {	8,644✔
359	return nullptr;	426✔
360	}
361
362	return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), std::move(r));	3,896✔
363	#else
364	throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
365	#endif
366	}	4,322✔
367	}
368
369	std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::point_deserialize(std::span<const uint8_t> bytes) const {	47,708✔
370	// The deprecated "hybrid" point format
371	// TODO(Botan4) remove this
372	if(bytes.size() >= 1 + 2 * 4 && (bytes[0] == 0x06 \|\| bytes[0] == 0x07)) {	47,708✔
373	const bool hdr_y_is_even = bytes[0] == 0x06;	207✔
374	const bool y_is_even = (bytes.back() & 0x01) == 0;	207✔
375
376	if(hdr_y_is_even == y_is_even) {	207✔
377	std::vector<uint8_t> sec1(bytes.begin(), bytes.end());	147✔
378	sec1[0] = 0x04;	147✔
379	return this->point_deserialize(sec1);	147✔
380	}	147✔
381	}
382
383	try {	47,561✔
384	if(m_pcurve) {	47,561✔
385	if(auto pt = m_pcurve->deserialize_point(bytes)) {	44,799✔
386	return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), std::move(*pt));	38,482✔
387	} else {
388	return {};	6,317✔
389	}	44,799✔
390	} else {
391	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
392	auto pt = Botan::OS2ECP(bytes, m_curve);	2,762✔
393	return std::make_unique<EC_AffinePoint_Data_BN>(shared_from_this(), std::move(pt));	2,706✔
394	#else
395	throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
396	#endif
397	}	2,706✔
398	} catch(...) {	56✔
399	return {};	56✔
400	}	56✔
401	}
402
403	namespace {
404
405	std::function<void(std::span<uint8_t>)> h2c_expand_message(std::string_view hash_fn,	43✔
406	std::span<const uint8_t> input,
407	std::span<const uint8_t> domain_sep) {
408	/*
409	* This could be extended to support expand_message_xof or a MHF like Argon2
410	*/
411
412	if(hash_fn.starts_with("SHAKE")) {	43✔
413	throw Not_Implemented("Hash to curve currently does not support expand_message_xof");	×
414	}
415
416	return [=](std::span<uint8_t> uniform_bytes) {	129✔
417	#if defined(BOTAN_HAS_XMD)
418	expand_message_xmd(hash_fn, uniform_bytes, input, domain_sep);	43✔
419	#else
420	BOTAN_UNUSED(hash_fn, uniform_bytes, input, domain_sep);
421	throw Not_Implemented("Hash to curve is not implemented due to XMD being disabled");
422	#endif
423	};	43✔
424	}
425
426	} // namespace
427
428	std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::point_hash_to_curve_ro(std::string_view hash_fn,	20✔
429	std::span<const uint8_t> input,
430	std::span<const uint8_t> domain_sep) const {
431	if(m_pcurve) {	20✔
432	auto pt = m_pcurve->hash_to_curve_ro(h2c_expand_message(hash_fn, input, domain_sep));	20✔
433	return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), m_pcurve->point_to_affine(pt));	20✔
434	} else {	20✔
435	throw Not_Implemented("Hash to curve is not implemented for this curve");	×
436	}
437	}
438
439	std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::point_hash_to_curve_nu(std::string_view hash_fn,	23✔
440	std::span<const uint8_t> input,
441	std::span<const uint8_t> domain_sep) const {
442	if(m_pcurve) {	23✔
443	auto pt = m_pcurve->hash_to_curve_nu(h2c_expand_message(hash_fn, input, domain_sep));	23✔
444	return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), std::move(pt));	23✔
445	} else {	23✔
446	throw Not_Implemented("Hash to curve is not implemented for this curve");	×
447	}
448	}
449
450	std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::point_g_mul(const EC_Scalar_Data& scalar,	15,613✔
451	RandomNumberGenerator& rng) const {
452	if(m_pcurve) {	15,613✔
453	const auto& k = EC_Scalar_Data_PC::checked_ref(scalar);	13,738✔
454	auto pt = m_pcurve->point_to_affine(m_pcurve->mul_by_g(k.value(), rng));	13,738✔
455	return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), std::move(pt));	13,738✔
456	} else {	13,738✔
457	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
458	const auto& group = scalar.group();	1,875✔
459	const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar);	1,875✔
460
461	BOTAN_STATE_CHECK(group->m_base_mult != nullptr);	1,875✔
462	std::vector<BigInt> ws;	1,875✔
463	auto pt = group->m_base_mult->mul(bn.value(), rng, m_order, ws);	1,875✔
464	return std::make_unique<EC_AffinePoint_Data_BN>(shared_from_this(), std::move(pt));	1,875✔
465	#else
466	throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
467	#endif
468	}	1,875✔
469	}
470
471	std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::mul_px_qy(const EC_AffinePoint_Data& p,	3,472✔
472	const EC_Scalar_Data& x,
473	const EC_AffinePoint_Data& q,
474	const EC_Scalar_Data& y,
475	RandomNumberGenerator& rng) const {
476	if(m_pcurve) {	3,472✔
477	auto pt = m_pcurve->mul_px_qy(EC_AffinePoint_Data_PC::checked_ref(p).value(),	6,384✔
478	EC_Scalar_Data_PC::checked_ref(x).value(),	3,192✔
479	EC_AffinePoint_Data_PC::checked_ref(q).value(),	3,192✔
480	EC_Scalar_Data_PC::checked_ref(y).value(),	3,192✔
481	rng);	3,192✔
482
483	if(pt) {	3,192✔
484	return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), m_pcurve->point_to_affine(*pt));	3,024✔
485	} else {
486	return nullptr;	168✔
487	}
488	} else {	3,192✔
489	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
490	std::vector<BigInt> ws;	280✔
491	const auto& group = p.group();	280✔
492
493	// TODO this could be better!
494	const EC_Point_Var_Point_Precompute p_mul(p.to_legacy_point(), rng, ws);	280✔
495	const EC_Point_Var_Point_Precompute q_mul(q.to_legacy_point(), rng, ws);	280✔
496
497	const auto order = group->order() * group->cofactor(); // See #3800	280✔
498
499	auto px = p_mul.mul(EC_Scalar_Data_BN::checked_ref(x).value(), rng, order, ws);	280✔
500	auto qy = q_mul.mul(EC_Scalar_Data_BN::checked_ref(y).value(), rng, order, ws);	280✔
501
502	auto px_qy = px + qy;	280✔
503
504	if(!px_qy.is_zero()) {	532✔
505	px_qy.force_affine();	252✔
506	return std::make_unique<EC_AffinePoint_Data_BN>(shared_from_this(), std::move(px_qy));	252✔
507	} else {
508	return nullptr;	28✔
509	}
510	#else
511	throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
512	#endif
513	}	840✔
514	}
515
516	std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::affine_add(const EC_AffinePoint_Data& p,	7,745✔
517	const EC_AffinePoint_Data& q) const {
518	if(m_pcurve) {	7,745✔
519	auto pt = m_pcurve->point_add(EC_AffinePoint_Data_PC::checked_ref(p).value(),	7,005✔
520	EC_AffinePoint_Data_PC::checked_ref(q).value());	7,005✔
521
522	return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), m_pcurve->point_to_affine(pt));	7,004✔
523	} else {	7,004✔
524	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
525	auto pt = p.to_legacy_point() + q.to_legacy_point();	740✔
526	return std::make_unique<EC_AffinePoint_Data_BN>(shared_from_this(), std::move(pt));	740✔
527	#else
528	throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
529	#endif
530	}	740✔
531	}
532
533	std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::affine_neg(const EC_AffinePoint_Data& p) const {	9,512✔
534	if(m_pcurve) {	9,512✔
535	auto pt = m_pcurve->point_negate(EC_AffinePoint_Data_PC::checked_ref(p).value());	8,454✔
536	return std::make_unique<EC_AffinePoint_Data_PC>(shared_from_this(), pt);	8,454✔
537	} else {	8,454✔
538	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
539	auto pt = p.to_legacy_point();	1,058✔
540	pt.negate(); // negates in place	1,058✔
541	return std::make_unique<EC_AffinePoint_Data_BN>(shared_from_this(), std::move(pt));	1,058✔
542	#else
543	throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
544	#endif
545	}	1,058✔
546	}
547
548	std::unique_ptr<EC_Mul2Table_Data> EC_Group_Data::make_mul2_table(const EC_AffinePoint_Data& h) const {	14,979✔
549	if(m_pcurve) {	14,979✔
550	return std::make_unique<EC_Mul2Table_Data_PC>(h);	14,679✔
551	} else {
552	#if defined(BOTAN_HAS_LEGACY_EC_POINT)
553	const EC_AffinePoint_Data_BN g(shared_from_this(), this->base_point());	600✔
554	return std::make_unique<EC_Mul2Table_Data_BN>(g, h);	300✔
555	#else
556	throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
557	#endif
558	}	300✔
559	}
560
561	} // namespace Botan

randombit / botan / 21399773049

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous