libgo/go/crypto/elliptic/p224.go

   1 // Copyright 2013 The Go Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style
   3 // license that can be found in the LICENSE file.
   4
   5 package elliptic
   6
   7 import (
   8         "crypto/elliptic/internal/nistec"
   9         "crypto/rand"
  10         "math/big"
  11 )
  12
  13 // p224Curve is a Curve implementation based on nistec.P224Point.
  14 //
  15 // It's a wrapper that exposes the big.Int-based Curve interface and encodes the
  16 // legacy idiosyncrasies it requires, such as invalid and infinity point
  17 // handling.
  18 //
  19 // To interact with the nistec package, points are encoded into and decoded from
  20 // properly formatted byte slices. All big.Int use is limited to this package.
  21 // Encoding and decoding is 1/1000th of the runtime of a scalar multiplication,
  22 // so the overhead is acceptable.
  23 type p224Curve struct {
  24         params *CurveParams
  25 }
  26
  27 var p224 p224Curve
  28 var _ Curve = p224
  29
  30 func initP224() {
  31         p224.params = &CurveParams{
  32                 Name:    "P-224",
  33                 BitSize: 224,
  34                 // FIPS 186-4, section D.1.2.2
  35                 P:  bigFromDecimal("26959946667150639794667015087019630673557916260026308143510066298881"),
  36                 N:  bigFromDecimal("26959946667150639794667015087019625940457807714424391721682722368061"),
  37                 B:  bigFromHex("b4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4"),
  38                 Gx: bigFromHex("b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21"),
  39                 Gy: bigFromHex("bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34"),
  40         }
  41 }
  42
  43 func (curve p224Curve) Params() *CurveParams {
  44         return curve.params
  45 }
  46
  47 func (curve p224Curve) IsOnCurve(x, y *big.Int) bool {
  48         // IsOnCurve is documented to reject (0, 0), the conventional point at
  49         // infinity, which however is accepted by p224PointFromAffine.
  50         if x.Sign() == 0 && y.Sign() == 0 {
  51                 return false
  52         }
  53         _, ok := p224PointFromAffine(x, y)
  54         return ok
  55 }
  56
  57 func p224PointFromAffine(x, y *big.Int) (p *nistec.P224Point, ok bool) {
  58         // (0, 0) is by convention the point at infinity, which can't be represented
  59         // in affine coordinates. Marshal incorrectly encodes it as an uncompressed
  60         // point, which SetBytes would correctly reject. See Issue 37294.
  61         if x.Sign() == 0 && y.Sign() == 0 {
  62                 return nistec.NewP224Point(), true
  63         }
  64         if x.Sign() < 0 || y.Sign() < 0 {
  65                 return nil, false
  66         }
  67         if x.BitLen() > 224 || y.BitLen() > 224 {
  68                 return nil, false
  69         }
  70         p, err := nistec.NewP224Point().SetBytes(Marshal(P224(), x, y))
  71         if err != nil {
  72                 return nil, false
  73         }
  74         return p, true
  75 }
  76
  77 func p224PointToAffine(p *nistec.P224Point) (x, y *big.Int) {
  78         out := p.Bytes()
  79         if len(out) == 1 && out[0] == 0 {
  80                 // This is the correct encoding of the point at infinity, which
  81                 // Unmarshal does not support. See Issue 37294.
  82                 return new(big.Int), new(big.Int)
  83         }
  84         x, y = Unmarshal(P224(), out)
  85         if x == nil {
  86                 panic("crypto/elliptic: internal error: Unmarshal rejected a valid point encoding")
  87         }
  88         return x, y
  89 }
  90
  91 // p224RandomPoint returns a random point on the curve. It's used when Add,
  92 // Double, or ScalarMult are fed a point not on the curve, which is undefined
  93 // behavior. Originally, we used to do the math on it anyway (which allows
  94 // invalid curve attacks) and relied on the caller and Unmarshal to avoid this
  95 // happening in the first place. Now, we just can't construct a nistec.P224Point
  96 // for an invalid pair of coordinates, because that API is safer. If we panic,
  97 // we risk introducing a DoS. If we return nil, we risk a panic. If we return
  98 // the input, ecdsa.Verify might fail open. The safest course seems to be to
  99 // return a valid, random point, which hopefully won't help the attacker.
 100 func p224RandomPoint() (x, y *big.Int) {
 101         _, x, y, err := GenerateKey(P224(), rand.Reader)
 102         if err != nil {
 103                 panic("crypto/elliptic: failed to generate random point")
 104         }
 105         return x, y
 106 }
 107
 108 func (p224Curve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
 109         p1, ok := p224PointFromAffine(x1, y1)
 110         if !ok {
 111                 return p224RandomPoint()
 112         }
 113         p2, ok := p224PointFromAffine(x2, y2)
 114         if !ok {
 115                 return p224RandomPoint()
 116         }
 117         return p224PointToAffine(p1.Add(p1, p2))
 118 }
 119
 120 func (p224Curve) Double(x1, y1 *big.Int) (*big.Int, *big.Int) {
 121         p, ok := p224PointFromAffine(x1, y1)
 122         if !ok {
 123                 return p224RandomPoint()
 124         }
 125         return p224PointToAffine(p.Double(p))
 126 }
 127
 128 func (p224Curve) ScalarMult(Bx, By *big.Int, scalar []byte) (*big.Int, *big.Int) {
 129         p, ok := p224PointFromAffine(Bx, By)
 130         if !ok {
 131                 return p224RandomPoint()
 132         }
 133         return p224PointToAffine(p.ScalarMult(p, scalar))
 134 }
 135
 136 func (p224Curve) ScalarBaseMult(scalar []byte) (*big.Int, *big.Int) {
 137         p := nistec.NewP224Generator()
 138         return p224PointToAffine(p.ScalarMult(p, scalar))
 139 }