libcrypto/ec/ec_lib.c

*a9bbc4f7Stb/* $OpenBSD: ec_lib.c,v 1.116 2025/01/25 13:13:57 tb Exp $ */
4fcf65c5Sdjm/*
4fcf65c5Sdjm * Originally written by Bodo Moeller for the OpenSSL project.
4fcf65c5Sdjm */
da347917Sbeck/* ====================================================================
4fcf65c5Sdjm * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
da347917Sbeck *
da347917Sbeck * Redistribution and use in source and binary forms, with or without
da347917Sbeck * modification, are permitted provided that the following conditions
da347917Sbeck * are met:
da347917Sbeck *
da347917Sbeck * 1. Redistributions of source code must retain the above copyright
da347917Sbeck *    notice, this list of conditions and the following disclaimer.
da347917Sbeck *
da347917Sbeck * 2. Redistributions in binary form must reproduce the above copyright
da347917Sbeck *    notice, this list of conditions and the following disclaimer in
da347917Sbeck *    the documentation and/or other materials provided with the
da347917Sbeck *    distribution.
da347917Sbeck *
da347917Sbeck * 3. All advertising materials mentioning features or use of this
da347917Sbeck *    software must display the following acknowledgment:
da347917Sbeck *    "This product includes software developed by the OpenSSL Project
da347917Sbeck *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
da347917Sbeck *
da347917Sbeck * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
da347917Sbeck *    endorse or promote products derived from this software without
da347917Sbeck *    prior written permission. For written permission, please contact
da347917Sbeck *    openssl-core@openssl.org.
da347917Sbeck *
da347917Sbeck * 5. Products derived from this software may not be called "OpenSSL"
da347917Sbeck *    nor may "OpenSSL" appear in their names without prior written
da347917Sbeck *    permission of the OpenSSL Project.
da347917Sbeck *
da347917Sbeck * 6. Redistributions of any form whatsoever must retain the following
da347917Sbeck *    acknowledgment:
da347917Sbeck *    "This product includes software developed by the OpenSSL Project
da347917Sbeck *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
da347917Sbeck *
da347917Sbeck * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
da347917Sbeck * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
da347917Sbeck * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
da347917Sbeck * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
da347917Sbeck * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
da347917Sbeck * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
da347917Sbeck * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
da347917Sbeck * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
da347917Sbeck * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
da347917Sbeck * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
da347917Sbeck * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
da347917Sbeck * OF THE POSSIBILITY OF SUCH DAMAGE.
da347917Sbeck * ====================================================================
da347917Sbeck *
da347917Sbeck * This product includes cryptographic software written by Eric Young
da347917Sbeck * (eay@cryptsoft.com).  This product includes software written by Tim
da347917Sbeck * Hudson (tjh@cryptsoft.com).
da347917Sbeck *
da347917Sbeck */
4fcf65c5Sdjm/* ====================================================================
4fcf65c5Sdjm * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
4fcf65c5Sdjm * Binary polynomial ECC support in OpenSSL originally developed by
4fcf65c5Sdjm * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
4fcf65c5Sdjm */
da347917Sbeck
587ebde5Stb#include <stdlib.h>
da347917Sbeck#include <string.h>
da347917Sbeck
8cf4d6a6Sjsing#include <openssl/opensslconf.h>
8cf4d6a6Sjsing
587ebde5Stb#include <openssl/bn.h>
587ebde5Stb#include <openssl/ec.h>
da347917Sbeck#include <openssl/err.h>
587ebde5Stb#include <openssl/objects.h>
da347917Sbeck#include <openssl/opensslv.h>
da347917Sbeck
c9675a23Stb#include "bn_local.h"
c9675a23Stb#include "ec_local.h"
da347917Sbeck
f67ac449SteduEC_GROUP *
f67ac449SteduEC_GROUP_new(const EC_METHOD *meth)
da347917Sbeck{
21332710Stb	EC_GROUP *group = NULL;
da347917Sbeck
f67ac449Stedu	if (meth == NULL) {
5067ae9fSbeck		ECerror(EC_R_SLOT_FULL);
21332710Stb		goto err;
da347917Sbeck	}
21332710Stb	if ((group = calloc(1, sizeof(*group))) == NULL) {
5067ae9fSbeck		ECerror(ERR_R_MALLOC_FAILURE);
21332710Stb		goto err;
da347917Sbeck	}
da347917Sbeck
21332710Stb	group->meth = meth;
4fcf65c5Sdjm
21332710Stb	group->asn1_flag = OPENSSL_EC_NAMED_CURVE;
21332710Stb	group->asn1_form = POINT_CONVERSION_UNCOMPRESSED;
da347917Sbeck
3c2cb882Stb	if ((group->p = BN_new()) == NULL)
3c2cb882Stb		goto err;
3c2cb882Stb	if ((group->a = BN_new()) == NULL)
3c2cb882Stb		goto err;
3c2cb882Stb	if ((group->b = BN_new()) == NULL)
3c2cb882Stb		goto err;
3c2cb882Stb
3c2cb882Stb	if ((group->order = BN_new()) == NULL)
3c2cb882Stb		goto err;
3c2cb882Stb	if ((group->cofactor = BN_new()) == NULL)
3c2cb882Stb		goto err;
3c2cb882Stb
3c2cb882Stb	/*
1c80ffcfStb	 * generator, seed and mont_ctx are optional.
3c2cb882Stb	 */
3c2cb882Stb
21332710Stb	return group;
21332710Stb
21332710Stb err:
21332710Stb	EC_GROUP_free(group);
21332710Stb
da347917Sbeck	return NULL;
da347917Sbeck}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_new);
da347917Sbeck
f67ac449Steduvoid
f67ac449SteduEC_GROUP_free(EC_GROUP *group)
da347917Sbeck{
d7292987Sjsing	if (group == NULL)
f67ac449Stedu		return;
c58501deSbeck
3c2cb882Stb	BN_free(group->p);
3c2cb882Stb	BN_free(group->a);
3c2cb882Stb	BN_free(group->b);
21084e45Stb
21084e45Stb	BN_MONT_CTX_free(group->mont_ctx);
da347917Sbeck
a7854573Sjsing	EC_POINT_free(group->generator);
3c2cb882Stb	BN_free(group->order);
3c2cb882Stb	BN_free(group->cofactor);
4fcf65c5Sdjm
7de8a684Sderaadt	freezero(group->seed, group->seed_len);
7de8a684Sderaadt	freezero(group, sizeof *group);
da347917Sbeck}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_free);
da347917Sbeck
a7854573Sjsingvoid
a7854573SjsingEC_GROUP_clear_free(EC_GROUP *group)
a7854573Sjsing{
d7292987Sjsing	EC_GROUP_free(group);
a7854573Sjsing}
8a552917SbeckLCRYPTO_ALIAS(EC_GROUP_clear_free);
da347917Sbeck
f67ac449Steduint
428f68d0StbEC_GROUP_copy(EC_GROUP *dst, const EC_GROUP *src)
da347917Sbeck{
428f68d0Stb	if (dst->meth != src->meth) {
5067ae9fSbeck		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
da347917Sbeck		return 0;
da347917Sbeck	}
428f68d0Stb	if (dst == src)
da347917Sbeck		return 1;
da347917Sbeck
428f68d0Stb	if (!bn_copy(dst->p, src->p))
f67ac449Stedu		return 0;
428f68d0Stb	if (!bn_copy(dst->a, src->a))
2ab5ac8dStb		return 0;
428f68d0Stb	if (!bn_copy(dst->b, src->b))
2ab5ac8dStb		return 0;
2ab5ac8dStb
428f68d0Stb	dst->a_is_minus3 = src->a_is_minus3;
2ab5ac8dStb
428f68d0Stb	BN_MONT_CTX_free(dst->mont_ctx);
428f68d0Stb	dst->mont_ctx = NULL;
2ab5ac8dStb	if (src->mont_ctx != NULL) {
428f68d0Stb		if ((dst->mont_ctx = BN_MONT_CTX_new()) == NULL)
2ab5ac8dStb			return 0;
428f68d0Stb		if (!BN_MONT_CTX_copy(dst->mont_ctx, src->mont_ctx))
2ab5ac8dStb			return 0;
2ab5ac8dStb	}
cf85019eStb
428f68d0Stb	EC_POINT_free(dst->generator);
428f68d0Stb	dst->generator = NULL;
cf85019eStb	if (src->generator != NULL) {
428f68d0Stb		if (!EC_GROUP_set_generator(dst, src->generator, src->order,
3c2cb882Stb		    src->cofactor))
cf85019eStb			return 0;
cf85019eStb	} else {
cf85019eStb		/* XXX - should do the sanity checks as in set_generator() */
428f68d0Stb		if (!bn_copy(dst->order, src->order))
f67ac449Stedu			return 0;
428f68d0Stb		if (!bn_copy(dst->cofactor, src->cofactor))
f67ac449Stedu			return 0;
cf85019eStb	}
4fcf65c5Sdjm
428f68d0Stb	dst->nid = src->nid;
428f68d0Stb	dst->asn1_flag = src->asn1_flag;
428f68d0Stb	dst->asn1_form = src->asn1_form;
4fcf65c5Sdjm
428f68d0Stb	if (!EC_GROUP_set_seed(dst, src->seed, src->seed_len))
4fcf65c5Sdjm		return 0;
4fcf65c5Sdjm
2ab5ac8dStb	return 1;
da347917Sbeck}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_copy);
da347917Sbeck
f67ac449SteduEC_GROUP *
26b186dbStbEC_GROUP_dup(const EC_GROUP *in_group)
4fcf65c5Sdjm{
26b186dbStb	EC_GROUP *group = NULL;
4fcf65c5Sdjm
26b186dbStb	if (in_group == NULL)
26b186dbStb		goto err;
26b186dbStb
26b186dbStb	if ((group = EC_GROUP_new(in_group->meth)) == NULL)
26b186dbStb		goto err;
26b186dbStb	if (!EC_GROUP_copy(group, in_group))
26b186dbStb		goto err;
26b186dbStb
26b186dbStb	return group;
26b186dbStb
26b186dbStb err:
26b186dbStb	EC_GROUP_free(group);
26b186dbStb
8b4d06edStb	return NULL;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_dup);
4fcf65c5Sdjm
baf7262aStb/*
15f1f9a3Stb * If there is a user-provided cofactor, sanity check and use it. Otherwise
823dae7dStb * try computing the cofactor from generator order n and field cardinality p.
baf7262aStb * This works for all curves of cryptographic interest.
baf7262aStb *
823dae7dStb * Hasse's theorem: | h * n - (p + 1) | <= 2 * sqrt(p)
baf7262aStb *
823dae7dStb * So: h_min = (p + 1 - 2*sqrt(p)) / n and h_max = (p + 1 + 2*sqrt(p)) / n and
823dae7dStb * therefore h_max - h_min = 4*sqrt(p) / n. So if n > 4*sqrt(p) holds, there is
baf7262aStb * only one possible value for h:
baf7262aStb *
823dae7dStb *	h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (p + 1)/n \rceil
baf7262aStb *
baf7262aStb * Otherwise, zero cofactor and return success.
baf7262aStb */
baf7262aStbstatic int
15f1f9a3Stbec_set_cofactor(EC_GROUP *group, const BIGNUM *in_cofactor)
baf7262aStb{
baf7262aStb	BN_CTX *ctx = NULL;
15f1f9a3Stb	BIGNUM *cofactor;
baf7262aStb	int ret = 0;
baf7262aStb
3c2cb882Stb	BN_zero(group->cofactor);
15f1f9a3Stb
15f1f9a3Stb	if ((ctx = BN_CTX_new()) == NULL)
15f1f9a3Stb		goto err;
15f1f9a3Stb
15f1f9a3Stb	BN_CTX_start(ctx);
15f1f9a3Stb	if ((cofactor = BN_CTX_get(ctx)) == NULL)
15f1f9a3Stb		goto err;
15f1f9a3Stb
15f1f9a3Stb	/*
15f1f9a3Stb	 * Unfortunately, the cofactor is an optional field in many standards.
15f1f9a3Stb	 * Internally, the library uses a 0 cofactor as a marker for "unknown
15f1f9a3Stb	 * cofactor".  So accept in_cofactor == NULL or in_cofactor >= 0.
15f1f9a3Stb	 */
15f1f9a3Stb	if (in_cofactor != NULL && !BN_is_zero(in_cofactor)) {
15f1f9a3Stb		if (BN_is_negative(in_cofactor)) {
15f1f9a3Stb			ECerror(EC_R_UNKNOWN_COFACTOR);
15f1f9a3Stb			goto err;
15f1f9a3Stb		}
15f1f9a3Stb		if (!bn_copy(cofactor, in_cofactor))
15f1f9a3Stb			goto err;
15f1f9a3Stb		goto done;
15f1f9a3Stb	}
15f1f9a3Stb
baf7262aStb	/*
baf7262aStb	 * If the cofactor is too large, we cannot guess it and default to zero.
823dae7dStb	 * The RHS of below is a strict overestimate of log(4 * sqrt(p)).
baf7262aStb	 */
3c2cb882Stb	if (BN_num_bits(group->order) <= (BN_num_bits(group->p) + 1) / 2 + 3)
15f1f9a3Stb		goto done;
baf7262aStb
baf7262aStb	/*
baf7262aStb	 * Compute
823dae7dStb	 *     h = \lfloor (p + 1)/n \rceil = \lfloor (p + 1 + n/2) / n \rfloor.
baf7262aStb	 */
baf7262aStb
baf7262aStb	/* h = n/2 */
3c2cb882Stb	if (!BN_rshift1(cofactor, group->order))
baf7262aStb		goto err;
baf7262aStb	/* h = 1 + n/2 */
15f1f9a3Stb	if (!BN_add_word(cofactor, 1))
baf7262aStb		goto err;
823dae7dStb	/* h = p + 1 + n/2 */
3c2cb882Stb	if (!BN_add(cofactor, cofactor, group->p))
baf7262aStb		goto err;
823dae7dStb	/* h = (p + 1 + n/2) / n */
3c2cb882Stb	if (!BN_div_ct(cofactor, NULL, cofactor, group->order, ctx))
15f1f9a3Stb		goto err;
15f1f9a3Stb
15f1f9a3Stb done:
15f1f9a3Stb	/* Use Hasse's theorem to bound the cofactor. */
3c2cb882Stb	if (BN_num_bits(cofactor) > BN_num_bits(group->p) + 1) {
15f1f9a3Stb		ECerror(EC_R_INVALID_GROUP_ORDER);
15f1f9a3Stb		goto err;
15f1f9a3Stb	}
15f1f9a3Stb
3c2cb882Stb	if (!bn_copy(group->cofactor, cofactor))
baf7262aStb		goto err;
baf7262aStb
baf7262aStb	ret = 1;
e2787e9fStb
baf7262aStb err:
baf7262aStb	BN_CTX_end(ctx);
baf7262aStb	BN_CTX_free(ctx);
e2787e9fStb
baf7262aStb	return ret;
baf7262aStb}
da347917Sbeck
f67ac449Steduint
f67ac449SteduEC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
f67ac449Stedu    const BIGNUM *order, const BIGNUM *cofactor)
da347917Sbeck{
f67ac449Stedu	if (generator == NULL) {
5067ae9fSbeck		ECerror(ERR_R_PASSED_NULL_PARAMETER);
da347917Sbeck		return 0;
da347917Sbeck	}
baf7262aStb
3fd2f05cStb	/* Require p >= 1. */
3c2cb882Stb	if (BN_is_zero(group->p) || BN_is_negative(group->p)) {
baf7262aStb		ECerror(EC_R_INVALID_FIELD);
baf7262aStb		return 0;
baf7262aStb	}
baf7262aStb
baf7262aStb	/*
3cc94d96Stb	 * Require order > 1 and enforce an upper bound of at most one bit more
baf7262aStb	 * than the field cardinality due to Hasse's theorem.
baf7262aStb	 */
3cc94d96Stb	if (order == NULL || BN_cmp(order, BN_value_one()) <= 0 ||
3c2cb882Stb	    BN_num_bits(order) > BN_num_bits(group->p) + 1) {
baf7262aStb		ECerror(EC_R_INVALID_GROUP_ORDER);
baf7262aStb		return 0;
baf7262aStb	}
baf7262aStb
26dd3e34Stb	if (group->generator == NULL)
4fcf65c5Sdjm		group->generator = EC_POINT_new(group);
f67ac449Stedu	if (group->generator == NULL)
f67ac449Stedu		return 0;
26dd3e34Stb
f67ac449Stedu	if (!EC_POINT_copy(group->generator, generator))
f67ac449Stedu		return 0;
4fcf65c5Sdjm
3c2cb882Stb	if (!bn_copy(group->order, order))
f67ac449Stedu		return 0;
4fcf65c5Sdjm
15f1f9a3Stb	if (!ec_set_cofactor(group, cofactor))
f67ac449Stedu		return 0;
206d4dd0Stb
4fcf65c5Sdjm	return 1;
da347917Sbeck}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_set_generator);
da347917Sbeck
f67ac449Steduconst EC_POINT *
f67ac449SteduEC_GROUP_get0_generator(const EC_GROUP *group)
da347917Sbeck{
4fcf65c5Sdjm	return group->generator;
da347917Sbeck}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_get0_generator);
da347917Sbeck
f67ac449Steduint
f67ac449SteduEC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
da347917Sbeck{
3c2cb882Stb	if (!bn_copy(order, group->order))
da347917Sbeck		return 0;
4fcf65c5Sdjm
4fcf65c5Sdjm	return !BN_is_zero(order);
da347917Sbeck}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_get_order);
da347917Sbeck
7fd74d8bStbconst BIGNUM *
7fd74d8bStbEC_GROUP_get0_order(const EC_GROUP *group)
7fd74d8bStb{
3c2cb882Stb	return group->order;
7fd74d8bStb}
7fd74d8bStb
70b8897aStbint
70b8897aStbEC_GROUP_order_bits(const EC_GROUP *group)
70b8897aStb{
be018b2cStb	return BN_num_bits(group->order);
70b8897aStb}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_order_bits);
da347917Sbeck
f67ac449Steduint
f67ac449SteduEC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
da347917Sbeck{
3c2cb882Stb	if (!bn_copy(cofactor, group->cofactor))
4fcf65c5Sdjm		return 0;
4fcf65c5Sdjm
3c2cb882Stb	return !BN_is_zero(group->cofactor);
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_get_cofactor);
4fcf65c5Sdjm
b072588bStbconst BIGNUM *
b072588bStbEC_GROUP_get0_cofactor(const EC_GROUP *group)
b072588bStb{
3c2cb882Stb	return group->cofactor;
b072588bStb}
b072588bStb
f67ac449Steduvoid
f67ac449SteduEC_GROUP_set_curve_name(EC_GROUP *group, int nid)
da347917Sbeck{
49eaabcdStb	group->nid = nid;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_set_curve_name);
4fcf65c5Sdjm
f67ac449Steduint
f67ac449SteduEC_GROUP_get_curve_name(const EC_GROUP *group)
4fcf65c5Sdjm{
49eaabcdStb	return group->nid;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_get_curve_name);
4fcf65c5Sdjm
f67ac449Steduvoid
f67ac449SteduEC_GROUP_set_asn1_flag(EC_GROUP *group, int flag)
4fcf65c5Sdjm{
4fcf65c5Sdjm	group->asn1_flag = flag;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_set_asn1_flag);
4fcf65c5Sdjm
f67ac449Steduint
f67ac449SteduEC_GROUP_get_asn1_flag(const EC_GROUP *group)
4fcf65c5Sdjm{
4fcf65c5Sdjm	return group->asn1_flag;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_get_asn1_flag);
4fcf65c5Sdjm
f67ac449Steduvoid
f67ac449SteduEC_GROUP_set_point_conversion_form(EC_GROUP *group,
4fcf65c5Sdjm    point_conversion_form_t form)
4fcf65c5Sdjm{
4fcf65c5Sdjm	group->asn1_form = form;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_set_point_conversion_form);
4fcf65c5Sdjm
f67ac449Stedupoint_conversion_form_t
f67ac449SteduEC_GROUP_get_point_conversion_form(const EC_GROUP *group)
4fcf65c5Sdjm{
4fcf65c5Sdjm	return group->asn1_form;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_get_point_conversion_form);
4fcf65c5Sdjm
f67ac449Stedusize_t
b5448e3dStbEC_GROUP_set_seed(EC_GROUP *group, const unsigned char *seed, size_t len)
4fcf65c5Sdjm{
6f3a6cb1Sbeck	free(group->seed);
4fcf65c5Sdjm	group->seed = NULL;
4fcf65c5Sdjm	group->seed_len = 0;
b5448e3dStb
c715fd08Stb	if (seed == NULL || len == 0)
4fcf65c5Sdjm		return 1;
4fcf65c5Sdjm
6f3a6cb1Sbeck	if ((group->seed = malloc(len)) == NULL)
4fcf65c5Sdjm		return 0;
b5448e3dStb	memcpy(group->seed, seed, len);
4fcf65c5Sdjm	group->seed_len = len;
4fcf65c5Sdjm
4fcf65c5Sdjm	return len;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_set_seed);
4fcf65c5Sdjm
f67ac449Steduunsigned char *
f67ac449SteduEC_GROUP_get0_seed(const EC_GROUP *group)
4fcf65c5Sdjm{
4fcf65c5Sdjm	return group->seed;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_get0_seed);
4fcf65c5Sdjm
f67ac449Stedusize_t
f67ac449SteduEC_GROUP_get_seed_len(const EC_GROUP *group)
4fcf65c5Sdjm{
4fcf65c5Sdjm	return group->seed_len;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_get_seed_len);
4fcf65c5Sdjm
f67ac449Steduint
0b15d7eeStbEC_GROUP_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
1f65bd71Sjsing    const BIGNUM *b, BN_CTX *ctx_in)
4fcf65c5Sdjm{
1f65bd71Sjsing	BN_CTX *ctx;
1f65bd71Sjsing	int ret = 0;
1f65bd71Sjsing
1f65bd71Sjsing	if ((ctx = ctx_in) == NULL)
1f65bd71Sjsing		ctx = BN_CTX_new();
1f65bd71Sjsing	if (ctx == NULL)
1f65bd71Sjsing		goto err;
1f65bd71Sjsing
60ca3fa5Stb	if (group->meth->group_set_curve == NULL) {
5067ae9fSbeck		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1f65bd71Sjsing		goto err;
da347917Sbeck	}
1f65bd71Sjsing	ret = group->meth->group_set_curve(group, p, a, b, ctx);
1f65bd71Sjsing
1f65bd71Sjsing err:
1f65bd71Sjsing	if (ctx != ctx_in)
1f65bd71Sjsing		BN_CTX_free(ctx);
1f65bd71Sjsing
1f65bd71Sjsing	return ret;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_set_curve);
4fcf65c5Sdjm
f67ac449Steduint
0b15d7eeStbEC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
1f65bd71Sjsing    BN_CTX *ctx_in)
4fcf65c5Sdjm{
1f65bd71Sjsing	BN_CTX *ctx;
1f65bd71Sjsing	int ret = 0;
1f65bd71Sjsing
1f65bd71Sjsing	if ((ctx = ctx_in) == NULL)
1f65bd71Sjsing		ctx = BN_CTX_new();
1f65bd71Sjsing	if (ctx == NULL)
1f65bd71Sjsing		goto err;
1f65bd71Sjsing
60ca3fa5Stb	if (group->meth->group_get_curve == NULL) {
5067ae9fSbeck		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
7b871452Stb		goto err;
4fcf65c5Sdjm	}
1f65bd71Sjsing	ret = group->meth->group_get_curve(group, p, a, b, ctx);
1f65bd71Sjsing
1f65bd71Sjsing err:
1f65bd71Sjsing	if (ctx != ctx_in)
1f65bd71Sjsing		BN_CTX_free(ctx);
1f65bd71Sjsing
1f65bd71Sjsing	return ret;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_get_curve);
4fcf65c5Sdjm
0b15d7eeStbint
0b15d7eeStbEC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
0b15d7eeStb    const BIGNUM *b, BN_CTX *ctx)
0b15d7eeStb{
0b15d7eeStb	return EC_GROUP_set_curve(group, p, a, b, ctx);
0b15d7eeStb}
8a552917SbeckLCRYPTO_ALIAS(EC_GROUP_set_curve_GFp);
0b15d7eeStb
0b15d7eeStbint
0b15d7eeStbEC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
0b15d7eeStb    BN_CTX *ctx)
0b15d7eeStb{
0b15d7eeStb	return EC_GROUP_get_curve(group, p, a, b, ctx);
0b15d7eeStb}
8a552917SbeckLCRYPTO_ALIAS(EC_GROUP_get_curve_GFp);
0b15d7eeStb
2567856aStbEC_GROUP *
2567856aStbEC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b,
2567856aStb    BN_CTX *ctx)
2567856aStb{
2567856aStb	EC_GROUP *group;
2567856aStb
2567856aStb	if ((group = EC_GROUP_new(EC_GFp_mont_method())) == NULL)
2567856aStb		goto err;
2567856aStb
2567856aStb	if (!EC_GROUP_set_curve(group, p, a, b, ctx))
2567856aStb		goto err;
2567856aStb
2567856aStb	return group;
2567856aStb
2567856aStb err:
2567856aStb	EC_GROUP_free(group);
2567856aStb
2567856aStb	return NULL;
2567856aStb}
2567856aStbLCRYPTO_ALIAS(EC_GROUP_new_curve_GFp);
2567856aStb
f67ac449Steduint
f67ac449SteduEC_GROUP_get_degree(const EC_GROUP *group)
4fcf65c5Sdjm{
be018b2cStb	return BN_num_bits(group->p);
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_get_degree);
4fcf65c5Sdjm
f67ac449Steduint
1f65bd71SjsingEC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx_in)
4fcf65c5Sdjm{
1f65bd71Sjsing	BN_CTX *ctx;
a537a13eStb	BIGNUM *p, *a, *b, *discriminant;
1f65bd71Sjsing	int ret = 0;
1f65bd71Sjsing
1f65bd71Sjsing	if ((ctx = ctx_in) == NULL)
1f65bd71Sjsing		ctx = BN_CTX_new();
1f65bd71Sjsing	if (ctx == NULL)
1f65bd71Sjsing		goto err;
1f65bd71Sjsing
a537a13eStb	BN_CTX_start(ctx);
a537a13eStb
a537a13eStb	if ((p = BN_CTX_get(ctx)) == NULL)
7b871452Stb		goto err;
a537a13eStb	if ((a = BN_CTX_get(ctx)) == NULL)
a537a13eStb		goto err;
a537a13eStb	if ((b = BN_CTX_get(ctx)) == NULL)
a537a13eStb		goto err;
a537a13eStb	if ((discriminant = BN_CTX_get(ctx)) == NULL)
a537a13eStb		goto err;
a537a13eStb
a537a13eStb	if (!EC_GROUP_get_curve(group, p, a, b, ctx))
a537a13eStb		goto err;
a537a13eStb
a537a13eStb	/*
742574bfStb	 * Check that the discriminant 4a^3 + 27b^2 is non-zero modulo p
742574bfStb	 * assuming that p > 3 is prime and that a and b are in [0, p).
a537a13eStb	 */
a537a13eStb
a537a13eStb	if (BN_is_zero(a) && BN_is_zero(b))
a537a13eStb		goto err;
a537a13eStb	if (BN_is_zero(a) || BN_is_zero(b))
a537a13eStb		goto done;
a537a13eStb
a537a13eStb	/* Compute the discriminant: first 4a^3, then 27b^2, then their sum. */
a537a13eStb	if (!BN_mod_sqr(discriminant, a, p, ctx))
a537a13eStb		goto err;
a537a13eStb	if (!BN_mod_mul(discriminant, discriminant, a, p, ctx))
a537a13eStb		goto err;
a537a13eStb	if (!BN_lshift(discriminant, discriminant, 2))
a537a13eStb		goto err;
a537a13eStb
a537a13eStb	if (!BN_mod_sqr(b, b, p, ctx))
a537a13eStb		goto err;
a537a13eStb	if (!BN_mul_word(b, 27))
a537a13eStb		goto err;
a537a13eStb
a537a13eStb	if (!BN_mod_add(discriminant, discriminant, b, p, ctx))
a537a13eStb		goto err;
a537a13eStb
a537a13eStb	if (BN_is_zero(discriminant))
a537a13eStb		goto err;
a537a13eStb
a537a13eStb done:
a537a13eStb	ret = 1;
1f65bd71Sjsing
1f65bd71Sjsing err:
1f65bd71Sjsing	if (ctx != ctx_in)
1f65bd71Sjsing		BN_CTX_free(ctx);
1f65bd71Sjsing
1f65bd71Sjsing	return ret;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_check_discriminant);
4fcf65c5Sdjm
f67ac449Steduint
c827a8a4StbEC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx_in)
c827a8a4Stb{
c827a8a4Stb	BN_CTX *ctx;
c827a8a4Stb	EC_POINT *point = NULL;
ba47179bStb	const EC_POINT *generator;
c827a8a4Stb	const BIGNUM *order;
c827a8a4Stb	int ret = 0;
c827a8a4Stb
c827a8a4Stb	if ((ctx = ctx_in) == NULL)
c827a8a4Stb		ctx = BN_CTX_new();
c827a8a4Stb	if (ctx == NULL)
c827a8a4Stb		goto err;
c827a8a4Stb
c827a8a4Stb	if (!EC_GROUP_check_discriminant(group, ctx)) {
c827a8a4Stb		ECerror(EC_R_DISCRIMINANT_IS_ZERO);
c827a8a4Stb		goto err;
c827a8a4Stb	}
c6fb1b70Stb
ba47179bStb	if ((generator = EC_GROUP_get0_generator(group)) == NULL) {
c827a8a4Stb		ECerror(EC_R_UNDEFINED_GENERATOR);
c827a8a4Stb		goto err;
c827a8a4Stb	}
ba47179bStb	if (EC_POINT_is_on_curve(group, generator, ctx) <= 0) {
c827a8a4Stb		ECerror(EC_R_POINT_IS_NOT_ON_CURVE);
c827a8a4Stb		goto err;
c827a8a4Stb	}
c6fb1b70Stb
c827a8a4Stb	if ((point = EC_POINT_new(group)) == NULL)
c827a8a4Stb		goto err;
c827a8a4Stb	if ((order = EC_GROUP_get0_order(group)) == NULL)
c827a8a4Stb		goto err;
c827a8a4Stb	if (BN_is_zero(order)) {
c827a8a4Stb		ECerror(EC_R_UNDEFINED_ORDER);
c827a8a4Stb		goto err;
c827a8a4Stb	}
c827a8a4Stb	if (!EC_POINT_mul(group, point, order, NULL, NULL, ctx))
c827a8a4Stb		goto err;
09b27144Stb	if (!EC_POINT_is_at_infinity(group, point)) {
c827a8a4Stb		ECerror(EC_R_INVALID_GROUP_ORDER);
c827a8a4Stb		goto err;
c827a8a4Stb	}
c827a8a4Stb
c827a8a4Stb	ret = 1;
c827a8a4Stb
c827a8a4Stb err:
c827a8a4Stb	if (ctx != ctx_in)
c827a8a4Stb		BN_CTX_free(ctx);
c827a8a4Stb
c827a8a4Stb	EC_POINT_free(point);
c827a8a4Stb
c827a8a4Stb	return ret;
c827a8a4Stb}
c827a8a4StbLCRYPTO_ALIAS(EC_GROUP_check);
c827a8a4Stb
7e8924c8Stb/*
7e8924c8Stb * Returns -1 on error, 0 if the groups are equal, 1 if they are distinct.
7e8924c8Stb */
c827a8a4Stbint
7e8924c8StbEC_GROUP_cmp(const EC_GROUP *group1, const EC_GROUP *group2, BN_CTX *ctx_in)
4fcf65c5Sdjm{
7e8924c8Stb	BN_CTX *ctx = NULL;
7e8924c8Stb	BIGNUM *p1, *a1, *b1, *p2, *a2, *b2;
7e8924c8Stb	const EC_POINT *generator1, *generator2;
7e8924c8Stb	const BIGNUM *order1, *order2, *cofactor1, *cofactor2;
7e8924c8Stb	int nid1, nid2;
7e8924c8Stb	int cmp = 1;
7e8924c8Stb	int ret = -1;
4fcf65c5Sdjm
7e8924c8Stb	if ((ctx = ctx_in) == NULL)
7e8924c8Stb		ctx = BN_CTX_new();
7e8924c8Stb	if (ctx == NULL)
7e8924c8Stb		goto err;
4fcf65c5Sdjm
4fcf65c5Sdjm	BN_CTX_start(ctx);
7e8924c8Stb
7e8924c8Stb	if ((nid1 = EC_GROUP_get_curve_name(group1)) != NID_undef &&
7e8924c8Stb	    (nid2 = EC_GROUP_get_curve_name(group2)) != NID_undef) {
7e8924c8Stb		if (nid1 != nid2)
7e8924c8Stb			goto distinct;
7e8924c8Stb	}
7e8924c8Stb
7e8924c8Stb	if ((p1 = BN_CTX_get(ctx)) == NULL)
7e8924c8Stb		goto err;
aa389b8cSjsing	if ((a1 = BN_CTX_get(ctx)) == NULL)
aa389b8cSjsing		goto err;
aa389b8cSjsing	if ((b1 = BN_CTX_get(ctx)) == NULL)
aa389b8cSjsing		goto err;
7e8924c8Stb	if ((p2 = BN_CTX_get(ctx)) == NULL)
aa389b8cSjsing		goto err;
7e8924c8Stb	if ((a2 = BN_CTX_get(ctx)) == NULL)
7e8924c8Stb		goto err;
7e8924c8Stb	if ((b2 = BN_CTX_get(ctx)) == NULL)
aa389b8cSjsing		goto err;
aa389b8cSjsing
f67ac449Stedu	/*
7e8924c8Stb	 * If we ever support curves in non-Weierstrass form, this check needs
7e8924c8Stb	 * to be adjusted. The comparison of the generators will fail anyway.
4fcf65c5Sdjm	 */
7e8924c8Stb	if (!EC_GROUP_get_curve(group1, p1, a1, b1, ctx))
4c1eb2ebSdoug		goto err;
7e8924c8Stb	if (!EC_GROUP_get_curve(group2, p2, a2, b2, ctx))
7e8924c8Stb		goto err;
4fcf65c5Sdjm
7e8924c8Stb	if (BN_cmp(p1, p2) != 0 || BN_cmp(a1, a2) != 0 || BN_cmp(b1, b2) != 0)
7e8924c8Stb		goto distinct;
7e8924c8Stb
7e8924c8Stb	if ((generator1 = EC_GROUP_get0_generator(group1)) == NULL)
7e8924c8Stb		goto err;
7e8924c8Stb	if ((generator2 = EC_GROUP_get0_generator(group2)) == NULL)
7e8924c8Stb		goto err;
7e8924c8Stb
7e8924c8Stb	/*
7e8924c8Stb	 * It does not matter whether group1 or group2 is used: both points must
7e8924c8Stb	 * have a matching method for this to succeed.
7e8924c8Stb	 */
7e8924c8Stb	if ((cmp = EC_POINT_cmp(group1, generator1, generator2, ctx)) < 0)
7e8924c8Stb		goto err;
7e8924c8Stb	if (cmp == 1)
7e8924c8Stb		goto distinct;
7e8924c8Stb	cmp = 1;
7e8924c8Stb
7e8924c8Stb	if ((order1 = EC_GROUP_get0_order(group1)) == NULL)
7e8924c8Stb		goto err;
7e8924c8Stb	if ((order2 = EC_GROUP_get0_order(group2)) == NULL)
7e8924c8Stb		goto err;
7e8924c8Stb
7e8924c8Stb	if ((cofactor1 = EC_GROUP_get0_cofactor(group1)) == NULL)
7e8924c8Stb		goto err;
7e8924c8Stb	if ((cofactor2 = EC_GROUP_get0_cofactor(group2)) == NULL)
7e8924c8Stb		goto err;
7e8924c8Stb
7e8924c8Stb	if (BN_cmp(order1, order2) != 0 || BN_cmp(cofactor1, cofactor2) != 0)
7e8924c8Stb		goto distinct;
7e8924c8Stb
7e8924c8Stb	/* All parameters match: the groups are equal. */
7e8924c8Stb	cmp = 0;
7e8924c8Stb
7e8924c8Stb distinct:
7e8924c8Stb	ret = cmp;
aa389b8cSjsing
aa389b8cSjsing err:
aa389b8cSjsing	BN_CTX_end(ctx);
7e8924c8Stb
7e8924c8Stb	if (ctx != ctx_in)
aa389b8cSjsing		BN_CTX_free(ctx);
7e8924c8Stb
7e8924c8Stb	return ret;
da347917Sbeck}
ea2baf45SbeckLCRYPTO_ALIAS(EC_GROUP_cmp);
da347917Sbeck
f67ac449SteduEC_POINT *
f67ac449SteduEC_POINT_new(const EC_GROUP *group)
da347917Sbeck{
22896994Stb	EC_POINT *point = NULL;
da347917Sbeck
f67ac449Stedu	if (group == NULL) {
5067ae9fSbeck		ECerror(ERR_R_PASSED_NULL_PARAMETER);
22896994Stb		goto err;
da347917Sbeck	}
da347917Sbeck
22896994Stb	if ((point = calloc(1, sizeof(*point))) == NULL) {
22896994Stb		ECerror(ERR_R_MALLOC_FAILURE);
22896994Stb		goto err;
da347917Sbeck	}
22896994Stb
3c2cb882Stb	if ((point->X = BN_new()) == NULL)
3c2cb882Stb		goto err;
3c2cb882Stb	if ((point->Y = BN_new()) == NULL)
3c2cb882Stb		goto err;
3c2cb882Stb	if ((point->Z = BN_new()) == NULL)
3c2cb882Stb		goto err;
3c2cb882Stb
22896994Stb	point->meth = group->meth;
22896994Stb
22896994Stb	return point;
22896994Stb
22896994Stb err:
22896994Stb	EC_POINT_free(point);
22896994Stb
22896994Stb	return NULL;
da347917Sbeck}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_new);
da347917Sbeck
f67ac449Steduvoid
f67ac449SteduEC_POINT_free(EC_POINT *point)
da347917Sbeck{
d7292987Sjsing	if (point == NULL)
f67ac449Stedu		return;
c58501deSbeck
3c2cb882Stb	BN_free(point->X);
3c2cb882Stb	BN_free(point->Y);
3c2cb882Stb	BN_free(point->Z);
da347917Sbeck
a7854573Sjsing	freezero(point, sizeof *point);
a7854573Sjsing}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_free);
da347917Sbeck
f67ac449Steduvoid
f67ac449SteduEC_POINT_clear_free(EC_POINT *point)
da347917Sbeck{
d7292987Sjsing	EC_POINT_free(point);
da347917Sbeck}
8a552917SbeckLCRYPTO_ALIAS(EC_POINT_clear_free);
da347917Sbeck
f67ac449Steduint
cb86d051StbEC_POINT_copy(EC_POINT *dst, const EC_POINT *src)
da347917Sbeck{
cb86d051Stb	if (dst->meth != src->meth) {
5067ae9fSbeck		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
da347917Sbeck		return 0;
da347917Sbeck	}
cb86d051Stb	if (dst == src)
da347917Sbeck		return 1;
9da94e6dStb
cb86d051Stb	if (!bn_copy(dst->X, src->X))
9da94e6dStb		return 0;
cb86d051Stb	if (!bn_copy(dst->Y, src->Y))
9da94e6dStb		return 0;
cb86d051Stb	if (!bn_copy(dst->Z, src->Z))
9da94e6dStb		return 0;
cb86d051Stb	dst->Z_is_one = src->Z_is_one;
9da94e6dStb
9da94e6dStb	return 1;
da347917Sbeck}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_copy);
da347917Sbeck
f67ac449SteduEC_POINT *
22896994StbEC_POINT_dup(const EC_POINT *in_point, const EC_GROUP *group)
4fcf65c5Sdjm{
22896994Stb	EC_POINT *point = NULL;
4fcf65c5Sdjm
22896994Stb	if (in_point == NULL)
22896994Stb		goto err;
4fcf65c5Sdjm
22896994Stb	if ((point = EC_POINT_new(group)) == NULL)
22896994Stb		goto err;
22896994Stb
22896994Stb	if (!EC_POINT_copy(point, in_point))
22896994Stb		goto err;
22896994Stb
22896994Stb	return point;
22896994Stb
22896994Stb err:
22896994Stb	EC_POINT_free(point);
22896994Stb
4fcf65c5Sdjm	return NULL;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_dup);
4fcf65c5Sdjm
f67ac449Steduint
f67ac449SteduEC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
da347917Sbeck{
f67ac449Stedu	if (group->meth != point->meth) {
5067ae9fSbeck		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
da347917Sbeck		return 0;
da347917Sbeck	}
9da94e6dStb
3c2cb882Stb	BN_zero(point->Z);
9da94e6dStb	point->Z_is_one = 0;
9da94e6dStb
9da94e6dStb	return 1;
da347917Sbeck}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_set_to_infinity);
da347917Sbeck
4f21b6f2Stbint
74a506e7StbEC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
1f65bd71Sjsing    const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx_in)
da347917Sbeck{
1f65bd71Sjsing	BN_CTX *ctx;
1f65bd71Sjsing	int ret = 0;
1f65bd71Sjsing
1f65bd71Sjsing	if ((ctx = ctx_in) == NULL)
1f65bd71Sjsing		ctx = BN_CTX_new();
1f65bd71Sjsing	if (ctx == NULL)
1f65bd71Sjsing		goto err;
1f65bd71Sjsing
14a674d4Stb	if (group->meth->point_set_affine_coordinates == NULL) {
5067ae9fSbeck		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1f65bd71Sjsing		goto err;
da347917Sbeck	}
f67ac449Stedu	if (group->meth != point->meth) {
5067ae9fSbeck		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
1f65bd71Sjsing		goto err;
da347917Sbeck	}
ea076652Stb	if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx))
1f65bd71Sjsing		goto err;
1f65bd71Sjsing
ea076652Stb	if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
ea076652Stb		ECerror(EC_R_POINT_IS_NOT_ON_CURVE);
1f65bd71Sjsing		goto err;
ea076652Stb	}
1f65bd71Sjsing
1f65bd71Sjsing	ret = 1;
1f65bd71Sjsing
1f65bd71Sjsing err:
1f65bd71Sjsing	if (ctx != ctx_in)
1f65bd71Sjsing		BN_CTX_free(ctx);
1f65bd71Sjsing
1f65bd71Sjsing	return ret;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_set_affine_coordinates);
4fcf65c5Sdjm
74a506e7Stbint
74a506e7StbEC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
74a506e7Stb    const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
74a506e7Stb{
74a506e7Stb	return EC_POINT_set_affine_coordinates(group, point, x, y, ctx);
74a506e7Stb}
8a552917SbeckLCRYPTO_ALIAS(EC_POINT_set_affine_coordinates_GFp);
74a506e7Stb
f67ac449Steduint
74a506e7StbEC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
1f65bd71Sjsing    BIGNUM *x, BIGNUM *y, BN_CTX *ctx_in)
da347917Sbeck{
2d40ce70Stb	BN_CTX *ctx = NULL;
1f65bd71Sjsing	int ret = 0;
1f65bd71Sjsing
2d40ce70Stb	if (EC_POINT_is_at_infinity(group, point) > 0) {
2d40ce70Stb		ECerror(EC_R_POINT_AT_INFINITY);
2d40ce70Stb		goto err;
2d40ce70Stb	}
2d40ce70Stb
1f65bd71Sjsing	if ((ctx = ctx_in) == NULL)
1f65bd71Sjsing		ctx = BN_CTX_new();
1f65bd71Sjsing	if (ctx == NULL)
1f65bd71Sjsing		goto err;
1f65bd71Sjsing
14a674d4Stb	if (group->meth->point_get_affine_coordinates == NULL) {
5067ae9fSbeck		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
7b871452Stb		goto err;
da347917Sbeck	}
f67ac449Stedu	if (group->meth != point->meth) {
5067ae9fSbeck		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
7b871452Stb		goto err;
da347917Sbeck	}
1f65bd71Sjsing	ret = group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
1f65bd71Sjsing
1f65bd71Sjsing err:
1f65bd71Sjsing	if (ctx != ctx_in)
1f65bd71Sjsing		BN_CTX_free(ctx);
1f65bd71Sjsing
1f65bd71Sjsing	return ret;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_get_affine_coordinates);
4fcf65c5Sdjm
74a506e7Stbint
74a506e7StbEC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
74a506e7Stb    BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
74a506e7Stb{
74a506e7Stb	return EC_POINT_get_affine_coordinates(group, point, x, y, ctx);
74a506e7Stb}
8a552917SbeckLCRYPTO_ALIAS(EC_POINT_get_affine_coordinates_GFp);
74a506e7Stb
f67ac449Steduint
c2bab48dStbEC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
69100aa7Stb    const BIGNUM *in_x, int y_bit, BN_CTX *ctx_in)
c2bab48dStb{
69100aa7Stb	BIGNUM *p, *a, *b, *w, *x, *y;
c2bab48dStb	BN_CTX *ctx;
c2bab48dStb	int ret = 0;
c2bab48dStb
c2bab48dStb	if ((ctx = ctx_in) == NULL)
c2bab48dStb		ctx = BN_CTX_new();
c2bab48dStb	if (ctx == NULL)
c2bab48dStb		goto err;
c2bab48dStb
69100aa7Stb	y_bit = (y_bit != 0);
69100aa7Stb
69100aa7Stb	BN_CTX_start(ctx);
69100aa7Stb
69100aa7Stb	if ((p = BN_CTX_get(ctx)) == NULL)
69100aa7Stb		goto err;
69100aa7Stb	if ((a = BN_CTX_get(ctx)) == NULL)
69100aa7Stb		goto err;
69100aa7Stb	if ((b = BN_CTX_get(ctx)) == NULL)
69100aa7Stb		goto err;
69100aa7Stb	if ((w = BN_CTX_get(ctx)) == NULL)
69100aa7Stb		goto err;
69100aa7Stb	if ((x = BN_CTX_get(ctx)) == NULL)
69100aa7Stb		goto err;
69100aa7Stb	if ((y = BN_CTX_get(ctx)) == NULL)
69100aa7Stb		goto err;
69100aa7Stb
69100aa7Stb	/*
69100aa7Stb	 * Weierstrass equation: y^2 = x^3 + ax + b, so y is one of the
69100aa7Stb	 * square roots of x^3 + ax + b. The y-bit indicates which one.
69100aa7Stb	 */
69100aa7Stb
69100aa7Stb	if (!EC_GROUP_get_curve(group, p, a, b, ctx))
69100aa7Stb		goto err;
69100aa7Stb
69100aa7Stb	/* XXX - should we not insist on 0 <= x < p instead? */
69100aa7Stb	if (!BN_nnmod(x, in_x, p, ctx))
69100aa7Stb		goto err;
69100aa7Stb
69100aa7Stb	/* y = x^3 */
69100aa7Stb	if (!BN_mod_sqr(y, x, p, ctx))
69100aa7Stb		goto err;
69100aa7Stb	if (!BN_mod_mul(y, y, x, p, ctx))
69100aa7Stb		goto err;
69100aa7Stb
69100aa7Stb	/* y += ax */
69100aa7Stb	if (group->a_is_minus3) {
69100aa7Stb		if (!BN_mod_lshift1_quick(w, x, p))
69100aa7Stb			goto err;
69100aa7Stb		if (!BN_mod_add_quick(w, w, x, p))
69100aa7Stb			goto err;
69100aa7Stb		if (!BN_mod_sub_quick(y, y, w, p))
69100aa7Stb			goto err;
69100aa7Stb	} else {
69100aa7Stb		if (!BN_mod_mul(w, a, x, p, ctx))
69100aa7Stb			goto err;
69100aa7Stb		if (!BN_mod_add_quick(y, y, w, p))
c2bab48dStb			goto err;
c2bab48dStb	}
69100aa7Stb
69100aa7Stb	/* y += b */
69100aa7Stb	if (!BN_mod_add_quick(y, y, b, p))
69100aa7Stb		goto err;
69100aa7Stb
69100aa7Stb	if (!BN_mod_sqrt(y, y, p, ctx)) {
69100aa7Stb		ECerror(EC_R_INVALID_COMPRESSED_POINT);
c2bab48dStb		goto err;
c2bab48dStb	}
69100aa7Stb
69100aa7Stb	if (y_bit == BN_is_odd(y))
69100aa7Stb		goto done;
69100aa7Stb
69100aa7Stb	if (BN_is_zero(y)) {
69100aa7Stb		ECerror(EC_R_INVALID_COMPRESSION_BIT);
69100aa7Stb		goto err;
69100aa7Stb	}
69100aa7Stb	if (!BN_usub(y, p, y))
69100aa7Stb		goto err;
69100aa7Stb
69100aa7Stb	if (y_bit != BN_is_odd(y)) {
69100aa7Stb		/* Can only happen if p is even and should not be reachable. */
69100aa7Stb		ECerror(ERR_R_INTERNAL_ERROR);
69100aa7Stb		goto err;
69100aa7Stb	}
69100aa7Stb
69100aa7Stb done:
69100aa7Stb	if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
69100aa7Stb		goto err;
69100aa7Stb
69100aa7Stb	ret = 1;
c2bab48dStb
c2bab48dStb err:
69100aa7Stb	BN_CTX_end(ctx);
69100aa7Stb
c2bab48dStb	if (ctx != ctx_in)
c2bab48dStb		BN_CTX_free(ctx);
c2bab48dStb
c2bab48dStb	return ret;
c2bab48dStb}
c2bab48dStbLCRYPTO_ALIAS(EC_POINT_set_compressed_coordinates);
c2bab48dStb
c2bab48dStbint
c2bab48dStbEC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
c2bab48dStb    const BIGNUM *x, int y_bit, BN_CTX *ctx)
c2bab48dStb{
c2bab48dStb	return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx);
c2bab48dStb}
c2bab48dStbLCRYPTO_ALIAS(EC_POINT_set_compressed_coordinates_GFp);
c2bab48dStb
c2bab48dStbint
f67ac449SteduEC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
1f65bd71Sjsing    const EC_POINT *b, BN_CTX *ctx_in)
da347917Sbeck{
1f65bd71Sjsing	BN_CTX *ctx;
1f65bd71Sjsing	int ret = 0;
1f65bd71Sjsing
1f65bd71Sjsing	if ((ctx = ctx_in) == NULL)
1f65bd71Sjsing		ctx = BN_CTX_new();
1f65bd71Sjsing	if (ctx == NULL)
1f65bd71Sjsing		goto err;
1f65bd71Sjsing
1f65bd71Sjsing	if (group->meth->add == NULL) {
1f65bd71Sjsing		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1f65bd71Sjsing		goto err;
1f65bd71Sjsing	}
1f65bd71Sjsing	if (group->meth != r->meth || group->meth != a->meth ||
1f65bd71Sjsing	    group->meth != b->meth) {
1f65bd71Sjsing		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
1f65bd71Sjsing		goto err;
1f65bd71Sjsing	}
1f65bd71Sjsing	ret = group->meth->add(group, r, a, b, ctx);
1f65bd71Sjsing
1f65bd71Sjsing err:
1f65bd71Sjsing	if (ctx != ctx_in)
1f65bd71Sjsing		BN_CTX_free(ctx);
1f65bd71Sjsing
1f65bd71Sjsing	return ret;
1f65bd71Sjsing}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_add);
1f65bd71Sjsing
1f65bd71Sjsingint
1f65bd71SjsingEC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
1f65bd71Sjsing    BN_CTX *ctx_in)
1f65bd71Sjsing{
1f65bd71Sjsing	BN_CTX *ctx;
1f65bd71Sjsing	int ret = 0;
1f65bd71Sjsing
1f65bd71Sjsing	if ((ctx = ctx_in) == NULL)
1f65bd71Sjsing		ctx = BN_CTX_new();
1f65bd71Sjsing	if (ctx == NULL)
1f65bd71Sjsing		goto err;
1f65bd71Sjsing
1f65bd71Sjsing	if (group->meth->dbl == NULL) {
5067ae9fSbeck		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
7b871452Stb		goto err;
da347917Sbeck	}
1f65bd71Sjsing	if (group->meth != r->meth || r->meth != a->meth) {
5067ae9fSbeck		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
7b871452Stb		goto err;
da347917Sbeck	}
1f65bd71Sjsing	ret = group->meth->dbl(group, r, a, ctx);
da347917Sbeck
1f65bd71Sjsing err:
1f65bd71Sjsing	if (ctx != ctx_in)
1f65bd71Sjsing		BN_CTX_free(ctx);
1f65bd71Sjsing
1f65bd71Sjsing	return ret;
1f65bd71Sjsing}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_dbl);
da347917Sbeck
f67ac449Steduint
1f65bd71SjsingEC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx_in)
da347917Sbeck{
1f65bd71Sjsing	BN_CTX *ctx;
1f65bd71Sjsing	int ret = 0;
da347917Sbeck
1f65bd71Sjsing	if ((ctx = ctx_in) == NULL)
1f65bd71Sjsing		ctx = BN_CTX_new();
1f65bd71Sjsing	if (ctx == NULL)
1f65bd71Sjsing		goto err;
da347917Sbeck
7b871452Stb	if (group->meth->invert == NULL) {
5067ae9fSbeck		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
7b871452Stb		goto err;
da347917Sbeck	}
f67ac449Stedu	if (group->meth != a->meth) {
5067ae9fSbeck		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
7b871452Stb		goto err;
da347917Sbeck	}
7b871452Stb	ret = group->meth->invert(group, a, ctx);
da347917Sbeck
1f65bd71Sjsing err:
1f65bd71Sjsing	if (ctx != ctx_in)
1f65bd71Sjsing		BN_CTX_free(ctx);
1f65bd71Sjsing
1f65bd71Sjsing	return ret;
1f65bd71Sjsing}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_invert);
da347917Sbeck
f67ac449Steduint
f67ac449SteduEC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
da347917Sbeck{
f67ac449Stedu	if (group->meth != point->meth) {
5067ae9fSbeck		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
da347917Sbeck		return 0;
da347917Sbeck	}
9da94e6dStb
3c2cb882Stb	return BN_is_zero(point->Z);
da347917Sbeck}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_is_at_infinity);
da347917Sbeck
f67ac449Steduint
1f65bd71SjsingEC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
1f65bd71Sjsing    BN_CTX *ctx_in)
da347917Sbeck{
1f65bd71Sjsing	BN_CTX *ctx;
1540d532Stb	int ret = -1;
1f65bd71Sjsing
1f65bd71Sjsing	if ((ctx = ctx_in) == NULL)
1f65bd71Sjsing		ctx = BN_CTX_new();
1f65bd71Sjsing	if (ctx == NULL)
1f65bd71Sjsing		goto err;
1f65bd71Sjsing
4fb59ff9Stb	if (group->meth->point_is_on_curve == NULL) {
5067ae9fSbeck		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1f65bd71Sjsing		goto err;
da347917Sbeck	}
f67ac449Stedu	if (group->meth != point->meth) {
5067ae9fSbeck		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
1f65bd71Sjsing		goto err;
da347917Sbeck	}
4fb59ff9Stb	ret = group->meth->point_is_on_curve(group, point, ctx);
da347917Sbeck
1f65bd71Sjsing err:
1f65bd71Sjsing	if (ctx != ctx_in)
1f65bd71Sjsing		BN_CTX_free(ctx);
1f65bd71Sjsing
1f65bd71Sjsing	return ret;
1f65bd71Sjsing}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_is_on_curve);
da347917Sbeck
f67ac449Steduint
f67ac449SteduEC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b,
1f65bd71Sjsing    BN_CTX *ctx_in)
da347917Sbeck{
1f65bd71Sjsing	BN_CTX *ctx;
1f65bd71Sjsing	int ret = -1;
da347917Sbeck
1f65bd71Sjsing	if ((ctx = ctx_in) == NULL)
1f65bd71Sjsing		ctx = BN_CTX_new();
1f65bd71Sjsing	if (ctx == NULL)
1f65bd71Sjsing		goto err;
1f65bd71Sjsing
1f65bd71Sjsing	if (group->meth->point_cmp == NULL) {
1f65bd71Sjsing		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1f65bd71Sjsing		goto err;
1f65bd71Sjsing	}
1f65bd71Sjsing	if (group->meth != a->meth || a->meth != b->meth) {
1f65bd71Sjsing		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
1f65bd71Sjsing		goto err;
1f65bd71Sjsing	}
1f65bd71Sjsing	ret = group->meth->point_cmp(group, a, b, ctx);
1f65bd71Sjsing
1f65bd71Sjsing err:
1f65bd71Sjsing	if (ctx != ctx_in)
1f65bd71Sjsing		BN_CTX_free(ctx);
1f65bd71Sjsing
1f65bd71Sjsing	return ret;
1f65bd71Sjsing}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_cmp);
da347917Sbeck
f67ac449Steduint
1f65bd71SjsingEC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx_in)
da347917Sbeck{
1f65bd71Sjsing	BN_CTX *ctx;
07ff836aStb	BIGNUM *x, *y;
1f65bd71Sjsing	int ret = 0;
1f65bd71Sjsing
1f65bd71Sjsing	if ((ctx = ctx_in) == NULL)
1f65bd71Sjsing		ctx = BN_CTX_new();
1f65bd71Sjsing	if (ctx == NULL)
1f65bd71Sjsing		goto err;
1f65bd71Sjsing
07ff836aStb	BN_CTX_start(ctx);
07ff836aStb
07ff836aStb	if ((x = BN_CTX_get(ctx)) == NULL)
07ff836aStb		goto err;
07ff836aStb	if ((y = BN_CTX_get(ctx)) == NULL)
07ff836aStb		goto err;
07ff836aStb
07ff836aStb	if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
07ff836aStb		goto err;
07ff836aStb	if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
07ff836aStb		goto err;
07ff836aStb
07ff836aStb	ret = 1;
da347917Sbeck
1f65bd71Sjsing err:
07ff836aStb	BN_CTX_end(ctx);
07ff836aStb
1f65bd71Sjsing	if (ctx != ctx_in)
1f65bd71Sjsing		BN_CTX_free(ctx);
1f65bd71Sjsing
1f65bd71Sjsing	return ret;
1f65bd71Sjsing}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_make_affine);
da347917Sbeck
f67ac449Steduint
f67ac449SteduEC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
1f65bd71Sjsing    const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx_in)
4fcf65c5Sdjm{
1f65bd71Sjsing	BN_CTX *ctx;
1f65bd71Sjsing	int ret = 0;
1f65bd71Sjsing
1f65bd71Sjsing	if ((ctx = ctx_in) == NULL)
1f65bd71Sjsing		ctx = BN_CTX_new();
1f65bd71Sjsing	if (ctx == NULL)
1f65bd71Sjsing		goto err;
1f65bd71Sjsing
1447fb01Sjsing	if (group->meth->mul_single_ct == NULL ||
149fe518Stb	    group->meth->mul_double_nonct == NULL) {
149fe518Stb		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1f65bd71Sjsing		goto err;
149fe518Stb	}
1f65bd71Sjsing
149fe518Stb	if (g_scalar != NULL && point == NULL && p_scalar == NULL) {
149fe518Stb		/*
149fe518Stb		 * In this case we want to compute g_scalar * GeneratorPoint:
149fe518Stb		 * this codepath is reached most prominently by (ephemeral) key
149fe518Stb		 * generation of EC cryptosystems (i.e. ECDSA keygen and sign
149fe518Stb		 * setup, ECDH keygen/first half), where the scalar is always
149fe518Stb		 * secret. This is why we ignore if BN_FLG_CONSTTIME is actually
149fe518Stb		 * set and we always call the constant time version.
149fe518Stb		 */
1447fb01Sjsing		ret = group->meth->mul_single_ct(group, r, g_scalar,
1447fb01Sjsing		    group->generator, ctx);
1f65bd71Sjsing	} else if (g_scalar == NULL && point != NULL && p_scalar != NULL) {
1f65bd71Sjsing		/*
1f65bd71Sjsing		 * In this case we want to compute p_scalar * GenericPoint:
149fe518Stb		 * this codepath is reached most prominently by the second half
149fe518Stb		 * of ECDH, where the secret scalar is multiplied by the peer's
149fe518Stb		 * public point. To protect the secret scalar, we ignore if
149fe518Stb		 * BN_FLG_CONSTTIME is actually set and we always call the
149fe518Stb		 * constant time version.
149fe518Stb		 */
1f65bd71Sjsing		ret = group->meth->mul_single_ct(group, r, p_scalar, point, ctx);
1f65bd71Sjsing	} else if (g_scalar != NULL && point != NULL && p_scalar != NULL) {
149fe518Stb		/*
149fe518Stb		 * In this case we want to compute
149fe518Stb		 *   g_scalar * GeneratorPoint + p_scalar * GenericPoint:
149fe518Stb		 * this codepath is reached most prominently by ECDSA signature
149fe518Stb		 * verification. So we call the non-ct version.
149fe518Stb		 */
1f65bd71Sjsing		ret = group->meth->mul_double_nonct(group, r, g_scalar,
149fe518Stb		    p_scalar, point, ctx);
1f65bd71Sjsing	} else {
149fe518Stb		/* Anything else is an error. */
149fe518Stb		ECerror(ERR_R_EC_LIB);
1f65bd71Sjsing		goto err;
1f65bd71Sjsing	}
1f65bd71Sjsing
1f65bd71Sjsing err:
1f65bd71Sjsing	if (ctx != ctx_in)
1f65bd71Sjsing		BN_CTX_free(ctx);
1f65bd71Sjsing
1f65bd71Sjsing	return ret;
4fcf65c5Sdjm}
ea2baf45SbeckLCRYPTO_ALIAS(EC_POINT_mul);
4fcf65c5Sdjm
c9edc1b9Stb/*
c9edc1b9Stb * XXX - remove everything below in the next bump
c9edc1b9Stb */
c9edc1b9Stb
c9edc1b9Stbint
c9edc1b9StbEC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
c9edc1b9Stb    const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
c9edc1b9Stb{
c9edc1b9Stb	ECerror(ERR_R_DISABLED);
c9edc1b9Stb	return 0;
c9edc1b9Stb}
c9edc1b9StbLCRYPTO_ALIAS(EC_POINT_set_Jprojective_coordinates_GFp);
c9edc1b9Stb
c9edc1b9Stbint
c9edc1b9StbEC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
c9edc1b9Stb    const EC_POINT *point, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
c9edc1b9Stb{
c9edc1b9Stb	ECerror(ERR_R_DISABLED);
c9edc1b9Stb	return 0;
c9edc1b9Stb}
c9edc1b9StbLCRYPTO_ALIAS(EC_POINT_get_Jprojective_coordinates_GFp);
c21af703Stb
c21af703Stbint
c21af703StbEC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
c21af703Stb    BN_CTX *ctx_in)
c21af703Stb{
c21af703Stb	ECerror(ERR_R_DISABLED);
c21af703Stb	return 0;
c21af703Stb}
c21af703StbLCRYPTO_ALIAS(EC_POINTs_make_affine);
c21af703Stb
c21af703Stbint
c21af703StbEC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
c21af703Stb    size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
c21af703Stb    BN_CTX *ctx_in)
c21af703Stb{
c21af703Stb	ECerror(ERR_R_DISABLED);
c21af703Stb	return 0;
c21af703Stb}
c21af703StbLCRYPTO_ALIAS(EC_POINTs_mul);
*a9bbc4f7Stb
*a9bbc4f7Stbconst EC_METHOD *
*a9bbc4f7StbEC_GROUP_method_of(const EC_GROUP *group)
*a9bbc4f7Stb{
*a9bbc4f7Stb	ECerror(ERR_R_DISABLED);
*a9bbc4f7Stb	return NULL;
*a9bbc4f7Stb}
*a9bbc4f7StbLCRYPTO_ALIAS(EC_GROUP_method_of);
*a9bbc4f7Stb
*a9bbc4f7Stbint
*a9bbc4f7StbEC_METHOD_get_field_type(const EC_METHOD *meth)
*a9bbc4f7Stb{
*a9bbc4f7Stb	ECerror(ERR_R_DISABLED);
*a9bbc4f7Stb	return NID_undef;
*a9bbc4f7Stb}
*a9bbc4f7StbLCRYPTO_ALIAS(EC_METHOD_get_field_type);
*a9bbc4f7Stb
*a9bbc4f7Stbconst EC_METHOD *
*a9bbc4f7StbEC_POINT_method_of(const EC_POINT *point)
*a9bbc4f7Stb{
*a9bbc4f7Stb	ECerror(ERR_R_DISABLED);
*a9bbc4f7Stb	return NULL;
*a9bbc4f7Stb}
*a9bbc4f7StbLCRYPTO_ALIAS(EC_POINT_method_of);
*a9bbc4f7Stb
*a9bbc4f7Stbint
*a9bbc4f7StbEC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx_in)
*a9bbc4f7Stb{
*a9bbc4f7Stb	ECerror(ERR_R_DISABLED);
*a9bbc4f7Stb	return 0;
*a9bbc4f7Stb}
*a9bbc4f7StbLCRYPTO_ALIAS(EC_GROUP_precompute_mult);
*a9bbc4f7Stb
*a9bbc4f7Stbint
*a9bbc4f7StbEC_GROUP_have_precompute_mult(const EC_GROUP *group)
*a9bbc4f7Stb{
*a9bbc4f7Stb	ECerror(ERR_R_DISABLED);
*a9bbc4f7Stb	return 0;
*a9bbc4f7Stb}
*a9bbc4f7StbLCRYPTO_ALIAS(EC_GROUP_have_precompute_mult);