authorTheo Buehler <tb@cvs.openbsd.org>2024-11-16 15:32:09 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2024-11-16 15:32:09 +0000
commitcae5e4d27d0174ef5af5bf2f777aa236eeca9335 (patch)
tree3c018edee9f7605bf687f51380021bfad9848b5a /lib/libcrypto/ec
parentbbab9dc78c82fe8745bf14259991978e1b6237dc (diff)
Simplify signature of ec_wNAF_mul()
The only caller passes in num = 1 and is itself called in a path that ensures that the multiplier of the generator is != NULL. Consequently we don't need to deal with an array of points and an array of scalars, so rename them accordingly. In addition, the change implies that numblocks and num_scalar are now always 1, so inline this information and take a first step towards disentangling this Gordian knot. ok jsing
Diffstat (limited to 'lib/libcrypto/ec')
-rw-r--r--lib/libcrypto/ec/ec_local.h9
-rw-r--r--lib/libcrypto/ec/ec_mult.c73
-rw-r--r--lib/libcrypto/ec/ecp_methods.c4
3 files changed, 30 insertions, 56 deletions
diff --git a/lib/libcrypto/ec/ec_local.h b/lib/libcrypto/ec/ec_local.h
index e5189361e00..db8d4ab28fd 100644
--- a/lib/libcrypto/ec/ec_local.h
+++ b/lib/libcrypto/ec/ec_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_local.h,v 1.37 2024/11/12 10:53:22 tb Exp $ */
+/* $OpenBSD: ec_local.h,v 1.38 2024/11/16 15:32:08 tb Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
@@ -247,10 +247,9 @@ struct ec_point_st {
int Z_is_one; /* enable optimized point arithmetics for special case */
} /* EC_POINT */;
-/* method functions in ec_mult.c
- * (ec_lib.c uses these as defaults if group->method->mul is 0) */
-int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
- size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
+/* Compute r = generator * m + point * n in non-constant time. */
+int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
+ const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx);
int ec_group_simple_order_bits(const EC_GROUP *group);
int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
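Review bot: The new prototype comment at the top of this hunk drops the old "if scalar != NULL" wording but does not say that the new contract is stricter: the ec_mult.c hunk on this page now fails with ERR_R_PASSED_NULL_PARAMETER when either scalar is NULL, so the header should state that. Suggested comment: `/* Compute r = generator * m + point * n in non-constant time. Neither m nor n may be NULL. */`. Since ec_local.h is the only place a caller will look for the contract, recording the non-NULL requirement here avoids a caller relying on the previous "skip the generator term" behaviour.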
diff --git a/lib/libcrypto/ec/ec_mult.c b/lib/libcrypto/ec/ec_mult.c
index 7b626663378..9015a5a6498 100644
--- a/lib/libcrypto/ec/ec_mult.c
+++ b/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.34 2024/11/15 12:09:36 tb Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.35 2024/11/16 15:32:08 tb Exp $ */
/*
* Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
*/
@@ -219,20 +219,17 @@ compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
(b) >= 20 ? 2 : \
1))
-/* Compute
- * \sum scalars[i]*points[i],
- * also including
- * scalar*generator
- * in the addition if scalar != NULL
+/*
+ * Compute r = generator * m + point * n in non-constant time.
*/
+
int
-ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
- size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
+ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
+ const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx)
{
const EC_POINT *generator = NULL;
EC_POINT *tmp = NULL;
size_t totalnum;
- size_t numblocks = 0; /* for wNAF splitting */
size_t i, j;
int k;
int r_is_inverted = 0;
@@ -246,37 +243,23 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
EC_POINT **v;
EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' or
* 'pre_comp->points' */
- int num_scalar = 0; /* flag: will be set to 1 if 'scalar' must be
- * treated like other scalars, i.e.
- * precomputation is not available */
int ret = 0;
- if (group->meth != r->meth) {
- ECerror(EC_R_INCOMPATIBLE_OBJECTS);
- return 0;
- }
- if ((scalar == NULL) && (num == 0)) {
- return EC_POINT_set_to_infinity(group, r);
+ if (m == NULL || n == NULL) {
+ ECerror(ERR_R_PASSED_NULL_PARAMETER);
+ goto err;
}
- for (i = 0; i < num; i++) {
- if (group->meth != points[i]->meth) {
- ECerror(EC_R_INCOMPATIBLE_OBJECTS);
- return 0;
- }
+ if (group->meth != r->meth || group->meth != point->meth) {
+ ECerror(EC_R_INCOMPATIBLE_OBJECTS);
+ goto err;
}
- if (scalar != NULL) {
- generator = EC_GROUP_get0_generator(group);
- if (generator == NULL) {
- ECerror(EC_R_UNDEFINED_GENERATOR);
- goto err;
- }
-
- numblocks = 1;
- num_scalar = 1; /* treat 'scalar' like 'num'-th
- * element of 'scalars' */
+ if ((generator = EC_GROUP_get0_generator(group)) == NULL) {
+ ECerror(EC_R_UNDEFINED_GENERATOR);
+ goto err;
}
- totalnum = num + numblocks;
+
+ totalnum = 2;
/* includes space for pivot */
wNAF = reallocarray(NULL, (totalnum + 1), sizeof wNAF[0]);
@@ -299,28 +282,20 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
/* num_val will be the total number of temporarily precomputed points */
num_val = 0;
- for (i = 0; i < num + num_scalar; i++) {
+ for (i = 0; i < 2; i++) {
size_t bits;
- bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
+ bits = i < 1 ? BN_num_bits(n) : BN_num_bits(m);
wsize[i] = EC_window_bits_for_scalar_size(bits);
num_val += (size_t) 1 << (wsize[i] - 1);
wNAF[i + 1] = NULL; /* make sure we always have a pivot */
- wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]);
+ wNAF[i] = compute_wNAF(i < 1 ? n : m, wsize[i], &wNAF_len[i]);
if (wNAF[i] == NULL)
goto err;
if (wNAF_len[i] > max_len)
max_len = wNAF_len[i];
}
- if (numblocks) {
- /* we go here iff scalar != NULL */
-
- if (num_scalar != 1) {
- ECerror(ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
/*
* All points we precompute now go into a single array 'val'.
* 'val_sub[i]' is a pointer to the subarray for the i-th point, or
@@ -336,7 +311,7 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
/* allocate points for precomputation */
v = val;
- for (i = 0; i < num + num_scalar; i++) {
+ for (i = 0; i < 2; i++) {
val_sub[i] = v;
for (j = 0; j < ((size_t) 1 << (wsize[i] - 1)); j++) {
*v = EC_POINT_new(group);
@@ -359,9 +334,9 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
* val_sub[i][2] := 5 * points[i]
* ...
*/
- for (i = 0; i < num + num_scalar; i++) {
- if (i < num) {
- if (!EC_POINT_copy(val_sub[i][0], points[i]))
+ for (i = 0; i < 2; i++) {
+ if (i < 1) {
+ if (!EC_POINT_copy(val_sub[i][0], point))
goto err;
} else {
if (!EC_POINT_copy(val_sub[i][0], generator))
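Review bot: In the hunk at the top of the function body, `point` is dereferenced in `group->meth != point->meth` right after the new NULL check, but that check covers only `m` and `n`; if the check is worth adding for the scalars it should cover the point too, `if (m == NULL || n == NULL || point == NULL) {`. The previous code had the same unchecked `points[i]->meth` dereference, so this is not a regression, and the only caller visible on this page (ec_mul_double_nonct) presumably passes a valid point, but the function now advertises argument validation and should do it consistently. A smaller style point in the same hunk: `totalnum` is assigned the literal 2 and only feeds `reallocarray(NULL, totalnum + 1, ...)`, so it is now a named constant in disguise; it could become a `const size_t` or be folded away in the next step of this cleanup. The body of ec_wNAF_mul starts before the first hunk and ends after the last one, so the remaining uses of `num_val`, `val_sub` and the wNAF loop were not reviewed here.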
diff --git a/lib/libcrypto/ec/ecp_methods.c b/lib/libcrypto/ec/ecp_methods.c
index 61f95b5bb9f..1b763cf219c 100644
--- a/lib/libcrypto/ec/ecp_methods.c
+++ b/lib/libcrypto/ec/ecp_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_methods.c,v 1.7 2024/11/12 13:09:54 tb Exp $ */
+/* $OpenBSD: ecp_methods.c,v 1.8 2024/11/16 15:32:08 tb Exp $ */
/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
* for the OpenSSL project.
* Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1604,7 +1604,7 @@ static int
ec_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *ctx)
{
- return ec_wNAF_mul(group, r, g_scalar, 1, &point, &p_scalar, ctx);
+ return ec_wNAF_mul(group, r, g_scalar, point, p_scalar, ctx);
}
static void