Upstream merge 2023 07 18

crypto/ec_extra/hash_to_curve.c

@@ -274,7 +274,7 @@ static BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z,
 // in appendix F.2.
 static void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z,
                                     const BN_ULONG *c1, size_t num_c1,
-                                    const EC_FELEM *c2, EC_RAW_POINT *out,
+                                    const EC_FELEM *c2, EC_JACOBIAN *out,
                                     const EC_FELEM *u) {
   // This function requires the prime be 3 mod 4, and that A = -3.
   assert(is_3mod4(group));
@@ -345,7 +345,7 @@ static void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z,
 
 static int hash_to_curve(const EC_GROUP *group, const EVP_MD *md,
                          const EC_FELEM *Z, const EC_FELEM *c2, unsigned k,
-                         EC_RAW_POINT *out, const uint8_t *dst, size_t dst_len,
+                         EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
                          const uint8_t *msg, size_t msg_len) {
   EC_FELEM u0, u1;
   if (!hash_to_field2(group, md, &u0, &u1, dst, dst_len, k, msg, msg_len)) {
@@ -360,7 +360,7 @@ static int hash_to_curve(const EC_GROUP *group, const EVP_MD *md,
   }
   bn_rshift_words(c1, c1, /*shift=*/2, /*num=*/num_c1);
 
-  EC_RAW_POINT Q0, Q1;
+  EC_JACOBIAN Q0, Q1;
   map_to_curve_simple_swu(group, Z, c1, num_c1, c2, &Q0, &u0);
   map_to_curve_simple_swu(group, Z, c1, num_c1, c2, &Q1, &u1);
 
@@ -402,7 +402,7 @@ static const uint8_t kP384Sqrt12[] = {
     0xa8, 0x0f, 0x7e, 0x19, 0x14, 0xe2, 0xec, 0x69, 0xf5, 0xa6, 0x26, 0xb3};
 
 int ec_hash_to_curve_p256_xmd_sha256_sswu(const EC_GROUP *group,
-                                          EC_RAW_POINT *out, const uint8_t *dst,
+                                          EC_JACOBIAN *out, const uint8_t *dst,
                                           size_t dst_len, const uint8_t *msg,
                                           size_t msg_len) {
   // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16.
@@ -435,7 +435,7 @@ int EC_hash_to_curve_p256_xmd_sha256_sswu(const EC_GROUP *group, EC_POINT *out,
 }
 
 int ec_hash_to_curve_p384_xmd_sha384_sswu(const EC_GROUP *group,
-                                          EC_RAW_POINT *out, const uint8_t *dst,
+                                          EC_JACOBIAN *out, const uint8_t *dst,
                                           size_t dst_len, const uint8_t *msg,
                                           size_t msg_len) {
   // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16.
@@ -480,7 +480,7 @@ int ec_hash_to_scalar_p384_xmd_sha384(
 }
 
 int ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
-    const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
+    const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst,
     size_t dst_len, const uint8_t *msg, size_t msg_len) {
   // See section 8.3 of draft-irtf-cfrg-hash-to-curve-07.
   if (EC_GROUP_get_curve_name(group) != NID_secp384r1) {

crypto/ec_extra/internal.h

@@ -26,23 +26,23 @@ extern "C" {
 
 // Hash-to-curve.
 //
-// Internal |EC_RAW_POINT| versions of the corresponding public APIs.
+// Internal |EC_JACOBIAN| versions of the corresponding public APIs.
 
 // ec_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and
 // writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite
 // from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
 // error.
 OPENSSL_EXPORT int ec_hash_to_curve_p256_xmd_sha256_sswu(
-    const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
-    size_t dst_len, const uint8_t *msg, size_t msg_len);
+    const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
+    const uint8_t *msg, size_t msg_len);
 
 // ec_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and
 // writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite
 // from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
 // error.
 OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha384_sswu(
-    const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
-    size_t dst_len, const uint8_t *msg, size_t msg_len);
+    const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
+    const uint8_t *msg, size_t msg_len);
 
 // ec_hash_to_scalar_p384_xmd_sha384 hashes |msg| to a scalar on |group|
 // and writes the result to |out|, using the hash_to_field operation from the
@@ -59,8 +59,8 @@ OPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha384(
 //
 // TODO(https://crbug.com/1414562): Migrate this to the final version.
 OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
-    const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
-    size_t dst_len, const uint8_t *msg, size_t msg_len);
+    const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
+    const uint8_t *msg, size_t msg_len);
 
 // ec_hash_to_scalar_p384_xmd_sha512_draft07 hashes |msg| to a scalar on |group|
 // and writes the result to |out|, using the hash_to_field operation from the

crypto/fipsmodule/ec/ec.c

@@ -848,20 +848,20 @@ int EC_POINT_get_affine_coordinates(const EC_GROUP *group,
   return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
 }
 
-void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out,
+void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out,
                            const EC_AFFINE *p) {
   out->X = p->X;
   out->Y = p->Y;
   out->Z = group->one;
 }
 
 int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out,
-                          const EC_RAW_POINT *p) {
+                          const EC_JACOBIAN *p) {
   return group->meth->point_get_affine_coordinates(group, p, &out->X, &out->Y);
 }
 
 int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out,
-                                const EC_RAW_POINT *in, size_t num) {
+                                const EC_JACOBIAN *in, size_t num) {
   if (group->meth->jacobian_to_affine_batch == NULL) {
     OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return 0;
@@ -1038,13 +1038,13 @@ int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r,
 
   if (p_scalar != NULL) {
     EC_SCALAR scalar;
-    EC_RAW_POINT tmp;
+    EC_JACOBIAN tmp;
     if (!arbitrary_bignum_to_scalar(group, &scalar, p_scalar, ctx) ||
         !ec_point_mul_scalar(group, &tmp, &p->raw, &scalar)) {
       goto err;
     }
     if (g_scalar == NULL) {
-      OPENSSL_memcpy(&r->raw, &tmp, sizeof(EC_RAW_POINT));
+      OPENSSL_memcpy(&r->raw, &tmp, sizeof(EC_JACOBIAN));
     } else {
       group->meth->add(group, &r->raw, &r->raw, &tmp);
     }
@@ -1064,8 +1064,8 @@ int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
   return ec_point_mul_no_self_test(group, r, g_scalar, p, p_scalar, ctx);
 }
 
-int ec_point_mul_scalar_public(const EC_GROUP *group, EC_RAW_POINT *r,
-                               const EC_SCALAR *g_scalar, const EC_RAW_POINT *p,
+int ec_point_mul_scalar_public(const EC_GROUP *group, EC_JACOBIAN *r,
+                               const EC_SCALAR *g_scalar, const EC_JACOBIAN *p,
                                const EC_SCALAR *p_scalar) {
   if (g_scalar == NULL || p_scalar == NULL || p == NULL) {
     OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
@@ -1080,9 +1080,9 @@ int ec_point_mul_scalar_public(const EC_GROUP *group, EC_RAW_POINT *r,
   return 1;
 }
 
-int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
+int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
                                      const EC_SCALAR *g_scalar,
-                                     const EC_RAW_POINT *points,
+                                     const EC_JACOBIAN *points,
                                      const EC_SCALAR *scalars, size_t num) {
   if (group->meth->mul_public_batch == NULL) {
     OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -1093,8 +1093,8 @@ int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
                                        num);
 }
 
-int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r,
-                        const EC_RAW_POINT *p, const EC_SCALAR *scalar) {
+int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r,
+                        const EC_JACOBIAN *p, const EC_SCALAR *scalar) {
   if (p == NULL || scalar == NULL) {
     OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
     return 0;
@@ -1112,7 +1112,7 @@ int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r,
   return 1;
 }
 
-int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r,
+int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r,
                              const EC_SCALAR *scalar) {
   if (scalar == NULL) {
     OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
@@ -1131,10 +1131,10 @@ int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r,
   return 1;
 }
 
-int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_RAW_POINT *r,
-                              const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
-                              const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
-                              const EC_RAW_POINT *p2,
+int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r,
+                              const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
+                              const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
+                              const EC_JACOBIAN *p2,
                               const EC_SCALAR *scalar2) {
   if (group->meth->mul_batch == NULL) {
     OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -1154,7 +1154,7 @@ int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_RAW_POINT *r,
 }
 
 int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
-                    const EC_RAW_POINT *p) {
+                    const EC_JACOBIAN *p) {
   if (group->meth->init_precomp == NULL) {
     OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return 0;
@@ -1163,7 +1163,7 @@ int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
   return group->meth->init_precomp(group, out, p);
 }
 
-int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
+int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r,
                                 const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
                                 const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
                                 const EC_PRECOMP *p2,
@@ -1185,8 +1185,8 @@ int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
   return 1;
 }
 
-void ec_point_select(const EC_GROUP *group, EC_RAW_POINT *out, BN_ULONG mask,
-                      const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
+void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask,
+                      const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
   ec_felem_select(group, &out->X, mask, &a->X, &b->X);
   ec_felem_select(group, &out->Y, mask, &a->Y, &b->Y);
   ec_felem_select(group, &out->Z, mask, &a->Z, &b->Z);
@@ -1207,13 +1207,13 @@ void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask,
   }
 }
 
-int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
+int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
                         const EC_SCALAR *r) {
   return group->meth->cmp_x_coordinate(group, p, r);
 }
 
 int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
-                                  const EC_RAW_POINT *p) {
+                                  const EC_JACOBIAN *p) {
   uint8_t bytes[EC_MAX_BYTES];
   size_t len;
   if (!ec_get_x_coordinate_as_bytes(group, bytes, &len, sizeof(bytes), p)) {
@@ -1255,7 +1255,7 @@ int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
 
 int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out,
                                  size_t *out_len, size_t max_out,
-                                 const EC_RAW_POINT *p) {
+                                 const EC_JACOBIAN *p) {
   size_t len = BN_num_bytes(&group->field);
   assert(len <= EC_MAX_BYTES);
   if (max_out < len) {
@@ -1273,7 +1273,7 @@ int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out,
   return 1;
 }
 
-void ec_set_to_safe_point(const EC_GROUP *group, EC_RAW_POINT *out) {
+void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out) {
   if (group->generator != NULL) {
     ec_GFp_simple_point_copy(out, &group->generator->raw);
   } else {

crypto/fipsmodule/ec/ec_key.c

@@ -311,7 +311,7 @@ int EC_KEY_check_key(const EC_KEY *eckey) {
   // NOTE: this is a FIPS pair-wise consistency check for the ECDH case. See SP
   // 800-56Ar3, page 36.
   if (eckey->priv_key != NULL) {
-    EC_RAW_POINT point;
+    EC_JACOBIAN point;
     if (!ec_point_mul_scalar_base(eckey->group, &point,
                                   &eckey->priv_key->scalar)) {
       OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);

crypto/fipsmodule/ec/ec_montgomery.c

@@ -175,7 +175,7 @@ void ec_GFp_mont_felem_exp(const EC_GROUP *group, EC_FELEM *out,
 }
 
 static int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group,
-                                                    const EC_RAW_POINT *point,
+                                                    const EC_JACOBIAN *point,
                                                     EC_FELEM *x, EC_FELEM *y) {
   if (ec_GFp_simple_is_at_infinity(group, point)) {
     OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
@@ -202,7 +202,7 @@ static int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group,
 
 static int ec_GFp_mont_jacobian_to_affine_batch(const EC_GROUP *group,
                                                 EC_AFFINE *out,
-                                                const EC_RAW_POINT *in,
+                                                const EC_JACOBIAN *in,
                                                 size_t num) {
   if (num == 0) {
     return 1;
@@ -246,8 +246,8 @@ static int ec_GFp_mont_jacobian_to_affine_batch(const EC_GROUP *group,
   return 1;
 }
 
-void ec_GFp_mont_add(const EC_GROUP *group, EC_RAW_POINT *out,
-                     const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
+void ec_GFp_mont_add(const EC_GROUP *group, EC_JACOBIAN *out,
+                     const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
   if (a == b) {
     ec_GFp_mont_dbl(group, out, a);
     return;
@@ -357,8 +357,8 @@ void ec_GFp_mont_add(const EC_GROUP *group, EC_RAW_POINT *out,
   ec_felem_select(group, &out->Z, z2nz, &z_out, &a->Z);
 }
 
-void ec_GFp_mont_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
-                     const EC_RAW_POINT *a) {
+void ec_GFp_mont_dbl(const EC_GROUP *group, EC_JACOBIAN *r,
+                     const EC_JACOBIAN *a) {
   if (group->a_is_minus3) {
     // The method is taken from:
     //   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
@@ -453,7 +453,7 @@ void ec_GFp_mont_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
 }
 
 static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
-                                        const EC_RAW_POINT *p,
+                                        const EC_JACOBIAN *p,
                                         const EC_SCALAR *r) {
   if (!group->field_greater_than_order ||
       group->field.width != group->order.width) {

crypto/fipsmodule/ec/ec_test.cc

@@ -2246,7 +2246,7 @@ TEST(ECTest, HashToCurve) {
   ASSERT_TRUE(p224);
   bssl::UniquePtr<EC_GROUP> p384(EC_GROUP_new_by_curve_name(NID_secp384r1));
   ASSERT_TRUE(p384);
-  EC_RAW_POINT raw;
+  EC_JACOBIAN raw;
   bssl::UniquePtr<EC_POINT> p_p384(EC_POINT_new(p384.get()));
   ASSERT_TRUE(p_p384);
   bssl::UniquePtr<EC_POINT> p_p224(EC_POINT_new(p224.get()));