diff options
author | Theo Buehler <tb@cvs.openbsd.org> | 2024-11-16 15:32:09 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2024-11-16 15:32:09 +0000 |
commit | cae5e4d27d0174ef5af5bf2f777aa236eeca9335 (patch) | |
tree | 3c018edee9f7605bf687f51380021bfad9848b5a /lib/libcrypto/ec | |
parent | bbab9dc78c82fe8745bf14259991978e1b6237dc (diff) |
Simplify signature of ec_wNAF_mul()
The only caller passes in num = 1 and is itself called in a path that
ensures that the multiplier of the generator is != NULL. Consequently
we don't need to deal with an array of points and an array of scalars
so rename them accordingly.
In addition, the change implies that numblocks and num_scalar are now
always 1, so inline this information and take a first step towards
disentangling this gordian knot.
ok jsing
Diffstat (limited to 'lib/libcrypto/ec')
-rw-r--r-- | lib/libcrypto/ec/ec_local.h | 9 | ||||
-rw-r--r-- | lib/libcrypto/ec/ec_mult.c | 73 | ||||
-rw-r--r-- | lib/libcrypto/ec/ecp_methods.c | 4 |
3 files changed, 30 insertions, 56 deletions
diff --git a/lib/libcrypto/ec/ec_local.h b/lib/libcrypto/ec/ec_local.h index e5189361e00..db8d4ab28fd 100644 --- a/lib/libcrypto/ec/ec_local.h +++ b/lib/libcrypto/ec/ec_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_local.h,v 1.37 2024/11/12 10:53:22 tb Exp $ */ +/* $OpenBSD: ec_local.h,v 1.38 2024/11/16 15:32:08 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -247,10 +247,9 @@ struct ec_point_st { int Z_is_one; /* enable optimized point arithmetics for special case */ } /* EC_POINT */; -/* method functions in ec_mult.c - * (ec_lib.c uses these as defaults if group->method->mul is 0) */ -int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *); +/* Compute r = generator * m + point * n in non-constant time. */ +int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m, + const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx); int ec_group_simple_order_bits(const EC_GROUP *group); int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); diff --git a/lib/libcrypto/ec/ec_mult.c b/lib/libcrypto/ec/ec_mult.c index 7b626663378..9015a5a6498 100644 --- a/lib/libcrypto/ec/ec_mult.c +++ b/lib/libcrypto/ec/ec_mult.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_mult.c,v 1.34 2024/11/15 12:09:36 tb Exp $ */ +/* $OpenBSD: ec_mult.c,v 1.35 2024/11/16 15:32:08 tb Exp $ */ /* * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. */ @@ -219,20 +219,17 @@ compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len) (b) >= 20 ? 2 : \ 1)) -/* Compute - * \sum scalars[i]*points[i], - * also including - * scalar*generator - * in the addition if scalar != NULL +/* + * Compute r = generator * m + point * n in non-constant time. */ + int -ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) +ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m, + const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx) { const EC_POINT *generator = NULL; EC_POINT *tmp = NULL; size_t totalnum; - size_t numblocks = 0; /* for wNAF splitting */ size_t i, j; int k; int r_is_inverted = 0; @@ -246,37 +243,23 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, EC_POINT **v; EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' or * 'pre_comp->points' */ - int num_scalar = 0; /* flag: will be set to 1 if 'scalar' must be - * treated like other scalars, i.e. - * precomputation is not available */ int ret = 0; - if (group->meth != r->meth) { - ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; - } - if ((scalar == NULL) && (num == 0)) { - return EC_POINT_set_to_infinity(group, r); + if (m == NULL || n == NULL) { + ECerror(ERR_R_PASSED_NULL_PARAMETER); + goto err; } - for (i = 0; i < num; i++) { - if (group->meth != points[i]->meth) { - ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; - } + if (group->meth != r->meth || group->meth != point->meth) { + ECerror(EC_R_INCOMPATIBLE_OBJECTS); + goto err; } - if (scalar != NULL) { - generator = EC_GROUP_get0_generator(group); - if (generator == NULL) { - ECerror(EC_R_UNDEFINED_GENERATOR); - goto err; - } - - numblocks = 1; - num_scalar = 1; /* treat 'scalar' like 'num'-th - * element of 'scalars' */ + if ((generator = EC_GROUP_get0_generator(group)) == NULL) { + ECerror(EC_R_UNDEFINED_GENERATOR); + goto err; } - totalnum = num + numblocks; + + totalnum = 2; /* includes space for pivot */ wNAF = reallocarray(NULL, (totalnum + 1), sizeof wNAF[0]); @@ -299,28 +282,20 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, /* num_val will be the total number of temporarily precomputed points */ num_val = 0; - for (i = 0; i < num + num_scalar; i++) { + for (i = 0; i < 2; i++) { size_t bits; - bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar); + bits = i < 1 ? BN_num_bits(n) : BN_num_bits(m); wsize[i] = EC_window_bits_for_scalar_size(bits); num_val += (size_t) 1 << (wsize[i] - 1); wNAF[i + 1] = NULL; /* make sure we always have a pivot */ - wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]); + wNAF[i] = compute_wNAF(i < 1 ? n : m, wsize[i], &wNAF_len[i]); if (wNAF[i] == NULL) goto err; if (wNAF_len[i] > max_len) max_len = wNAF_len[i]; } - if (numblocks) { - /* we go here iff scalar != NULL */ - - if (num_scalar != 1) { - ECerror(ERR_R_INTERNAL_ERROR); - goto err; - } - } /* * All points we precompute now go into a single array 'val'. * 'val_sub[i]' is a pointer to the subarray for the i-th point, or @@ -336,7 +311,7 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, /* allocate points for precomputation */ v = val; - for (i = 0; i < num + num_scalar; i++) { + for (i = 0; i < 2; i++) { val_sub[i] = v; for (j = 0; j < ((size_t) 1 << (wsize[i] - 1)); j++) { *v = EC_POINT_new(group); @@ -359,9 +334,9 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, * val_sub[i][2] := 5 * points[i] * ... */ - for (i = 0; i < num + num_scalar; i++) { - if (i < num) { - if (!EC_POINT_copy(val_sub[i][0], points[i])) + for (i = 0; i < 2; i++) { + if (i < 1) { + if (!EC_POINT_copy(val_sub[i][0], point)) goto err; } else { if (!EC_POINT_copy(val_sub[i][0], generator)) diff --git a/lib/libcrypto/ec/ecp_methods.c b/lib/libcrypto/ec/ecp_methods.c index 61f95b5bb9f..1b763cf219c 100644 --- a/lib/libcrypto/ec/ecp_methods.c +++ b/lib/libcrypto/ec/ecp_methods.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_methods.c,v 1.7 2024/11/12 13:09:54 tb Exp $ */ +/* $OpenBSD: ecp_methods.c,v 1.8 2024/11/16 15:32:08 tb Exp $ */ /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de> * for the OpenSSL project. * Includes code written by Bodo Moeller for the OpenSSL project. @@ -1604,7 +1604,7 @@ static int ec_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *ctx) { - return ec_wNAF_mul(group, r, g_scalar, 1, &point, &p_scalar, ctx); + return ec_wNAF_mul(group, r, g_scalar, point, p_scalar, ctx); } static void |