Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/ec/ec_ameth.c4
-rw-r--r--lib/libcrypto/ec/ec_asn1.c4
-rw-r--r--lib/libcrypto/ec/ec_curve.c24
-rw-r--r--lib/libcrypto/ec/ec_lib.c8
-rw-r--r--lib/libcrypto/ec/ec_local.h4
-rw-r--r--lib/libcrypto/ec/ec_mult.c404
-rw-r--r--lib/libcrypto/ec/eck_prn.c4
-rw-r--r--lib/libcrypto/man/EVP_PKEY_CTX_ctrl.365
-rw-r--r--lib/libcrypto/perlasm/x86asm.pl2
-rw-r--r--lib/libcrypto/sha/sha3.c31
-rw-r--r--lib/libutil/imsg-buffer.c10
11 files changed, 281 insertions, 279 deletions
diff --git a/lib/libcrypto/ec/ec_ameth.c b/lib/libcrypto/ec/ec_ameth.c
index 754fabfb4d3..903b18a8db9 100644
--- a/lib/libcrypto/ec/ec_ameth.c
+++ b/lib/libcrypto/ec/ec_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_ameth.c,v 1.72 2024/10/29 06:36:58 tb Exp $ */
+/* $OpenBSD: ec_ameth.c,v 1.73 2024/11/25 06:51:39 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@@ -104,7 +104,7 @@ eckey_get_curve_name(const EC_KEY *eckey, int *nid)
ECerror(EC_R_MISSING_PARAMETERS);
return 0;
}
- if (EC_GROUP_get_asn1_flag(group) != 0)
+ if ((EC_GROUP_get_asn1_flag(group) & OPENSSL_EC_NAMED_CURVE) != 0)
*nid = EC_GROUP_get_curve_name(group);
return 1;
diff --git a/lib/libcrypto/ec/ec_asn1.c b/lib/libcrypto/ec/ec_asn1.c
index ed7bae16b94..b5be7b496d5 100644
--- a/lib/libcrypto/ec/ec_asn1.c
+++ b/lib/libcrypto/ec/ec_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_asn1.c,v 1.106 2024/11/08 13:55:45 tb Exp $ */
+/* $OpenBSD: ec_asn1.c,v 1.107 2024/11/22 12:01:14 tb Exp $ */
/*
* Written by Nils Larsch for the OpenSSL project.
*/
@@ -1110,7 +1110,7 @@ ec_asn1_pkparameters2group(const ECPKPARAMETERS *params)
ECerror(ERR_R_EC_LIB);
return NULL;
}
- EC_GROUP_set_asn1_flag(group, 0);
+ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
} else if (params->type == ECPK_PARAM_IMPLICITLY_CA) {
return NULL;
} else {
diff --git a/lib/libcrypto/ec/ec_curve.c b/lib/libcrypto/ec/ec_curve.c
index 3face800e43..fd7831598b8 100644
--- a/lib/libcrypto/ec/ec_curve.c
+++ b/lib/libcrypto/ec/ec_curve.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_curve.c,v 1.49 2024/10/23 10:41:51 tb Exp $ */
+/* $OpenBSD: ec_curve.c,v 1.50 2024/11/24 10:12:05 tb Exp $ */
/*
* Written by Nils Larsch for the OpenSSL project.
*/
@@ -83,6 +83,8 @@
#include "ec_local.h"
+#ifdef ENABLE_SMALL_CURVES
+
/* the nist prime curves */
static const struct {
uint8_t seed[20];
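Review bot: The new `#ifdef ENABLE_SMALL_CURVES` guard carries no comment saying what it gates or why, and the same bare guard is repeated in the later hunks of this file around the other parameter tables and the `ec_curve_list` entries. From the diff, the entries placed under the guard (`NID_secp112r1` through `NID_secp192k1`, the `X9_62_prime192v*` group, the `wap_wsg_idm_ecid_wtls*` group and the 192-bit brainpool curves) appear to be those below 224 bits, while the 224-bit entries sit outside it. A one-line comment at this first occurrence would make the intent obvious to readers of the tables, e.g. `/* Curves below 224 bits are only built when ENABLE_SMALL_CURVES is defined. */`; nothing on the page shows where ENABLE_SMALL_CURVES is defined, so the comment should not claim a default.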
@@ -129,6 +131,8 @@ static const struct {
},
};
+#endif /* ENABLE_SMALL_CURVES */
+
static const struct {
uint8_t seed[20];
uint8_t p[28];
@@ -300,6 +304,8 @@ static const struct {
},
};
+#ifdef ENABLE_SMALL_CURVES
+
/* the x9.62 prime curves (minus the nist prime curves) */
static const struct {
uint8_t seed[20];
@@ -391,6 +397,8 @@ static const struct {
},
};
+#endif /* ENABLE_SMALL_CURVES */
+
static const struct {
uint8_t seed[20];
uint8_t p[30];
@@ -577,6 +585,8 @@ static const struct {
},
};
+#ifdef ENABLE_SMALL_CURVES
+
/* the secg prime curves (minus the nist and x9.62 prime curves) */
static const struct {
uint8_t seed[20];
@@ -904,6 +914,8 @@ static const struct {
},
};
+#endif /* ENABLE_SMALL_CURVES */
+
static const struct {
uint8_t p[29];
uint8_t a[29];
@@ -990,6 +1002,8 @@ static const struct {
},
};
+#ifdef ENABLE_SMALL_CURVES
+
/* some wap/wtls curves */
static const struct {
uint8_t p[15];
@@ -1253,6 +1267,8 @@ static const struct {
},
};
+#endif /* ENABLE_SMALL_CURVES */
+
static const struct {
uint8_t p[28];
uint8_t a[28];
@@ -1810,6 +1826,7 @@ static const struct ec_curve {
const uint8_t *order;
} ec_curve_list[] = {
/* secg curves */
+#ifdef ENABLE_SMALL_CURVES
{
.comment = "SECG/WTLS curve over a 112 bit prime field",
.nid = NID_secp112r1,
@@ -1919,6 +1936,7 @@ static const struct ec_curve {
.order = _EC_SECG_PRIME_192K1.order,
.cofactor = 1,
},
+#endif /* ENABLE_SMALL_CURVES */
{
.comment = "SECG curve over a 224 bit prime field",
.nid = NID_secp224k1,
@@ -1987,6 +2005,7 @@ static const struct ec_curve {
.cofactor = 1,
},
/* X9.62 curves */
+#ifdef ENABLE_SMALL_CURVES
{
.comment = "NIST/X9.62/SECG curve over a 192 bit prime field",
.nid = NID_X9_62_prime192v1,
@@ -2029,6 +2048,7 @@ static const struct ec_curve {
.order = _EC_X9_62_PRIME_192V3.order,
.cofactor = 1,
},
+#endif /* ENABLE_SMALL_CURVES */
{
.comment = "X9.62 curve over a 239 bit prime field",
.nid = NID_X9_62_prime239v1,
@@ -2085,6 +2105,7 @@ static const struct ec_curve {
.order = _EC_X9_62_PRIME_256V1.order,
.cofactor = 1,
},
+#ifdef ENABLE_SMALL_CURVES
{
.comment = "SECG/WTLS curve over a 112 bit prime field",
.nid = NID_wap_wsg_idm_ecid_wtls6,
@@ -2198,6 +2219,7 @@ static const struct ec_curve {
.order = _EC_brainpoolP192t1.order,
.cofactor = 1,
},
+#endif /* ENABLE_SMALL_CURVES */
{
.comment = "RFC 5639 curve over a 224 bit prime field",
.nid = NID_brainpoolP224r1,
diff --git a/lib/libcrypto/ec/ec_lib.c b/lib/libcrypto/ec/ec_lib.c
index 9be8f22222a..542f7a0ba2a 100644
--- a/lib/libcrypto/ec/ec_lib.c
+++ b/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.87 2024/11/17 10:48:13 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.88 2024/11/22 12:14:41 tb Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
@@ -169,7 +169,7 @@ EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
return 0;
}
- dest->curve_name = src->curve_name;
+ dest->nid = src->nid;
dest->asn1_flag = src->asn1_flag;
dest->asn1_form = src->asn1_form;
@@ -408,14 +408,14 @@ EC_GROUP_get0_cofactor(const EC_GROUP *group)
void
EC_GROUP_set_curve_name(EC_GROUP *group, int nid)
{
- group->curve_name = nid;
+ group->nid = nid;
}
LCRYPTO_ALIAS(EC_GROUP_set_curve_name);
int
EC_GROUP_get_curve_name(const EC_GROUP *group)
{
- return group->curve_name;
+ return group->nid;
}
LCRYPTO_ALIAS(EC_GROUP_get_curve_name);
diff --git a/lib/libcrypto/ec/ec_local.h b/lib/libcrypto/ec/ec_local.h
index db8d4ab28fd..5d1909db03a 100644
--- a/lib/libcrypto/ec/ec_local.h
+++ b/lib/libcrypto/ec/ec_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_local.h,v 1.38 2024/11/16 15:32:08 tb Exp $ */
+/* $OpenBSD: ec_local.h,v 1.39 2024/11/22 12:14:41 tb Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
@@ -175,7 +175,7 @@ struct ec_group_st {
BIGNUM order;
BIGNUM cofactor;
- int curve_name; /* Optional NID for named curve. */
+ int nid; /* Optional NID for named curve. */
/* ASN.1 encoding controls. */
int asn1_flag;
diff --git a/lib/libcrypto/ec/ec_mult.c b/lib/libcrypto/ec/ec_mult.c
index 43fab4b83c0..4944c34a1ed 100644
--- a/lib/libcrypto/ec/ec_mult.c
+++ b/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.41 2024/11/22 00:54:42 tb Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.51 2024/11/23 12:56:31 tb Exp $ */
/*
* Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
*/
@@ -61,163 +61,206 @@
* and contributed to the OpenSSL project.
*/
+#include <stdint.h>
#include <stdlib.h>
+#include <string.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/err.h>
-#include "bn_local.h"
#include "ec_local.h"
+static int
+ec_window_bits(const BIGNUM *bn)
+{
+ int bits = BN_num_bits(bn);
+
+ if (bits >= 2000)
+ return 6;
+ if (bits >= 800)
+ return 5;
+ if (bits >= 300)
+ return 4;
+ if (bits >= 70)
+ return 3;
+ if (bits >= 20)
+ return 2;
+
+ return 1;
+}
+
/*
- * This file implements the wNAF-based interleaving multi-exponentation method
- * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp>);
- * for multiplication with precomputation, we use wNAF splitting
- * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#fastexp>).
+ * Width-(w+1) non-adjacent form of bn = \sum_j n_j 2^j, with odd n_j,
+ * where at most one of any (w+1) consecutive digits is non-zero.
*/
-/* Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
- * This is an array r[] of values that are either zero or odd with an
- * absolute value less than 2^w satisfying
- * scalar = \sum_j r[j]*2^j
- * where at most one of any w+1 consecutive digits is non-zero
- * with the exception that the most significant digit may be only
- * w-1 zeros away from that next non-zero digit.
- */
-static signed char *
-compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
+static int
+ec_compute_wNAF(const BIGNUM *bn, signed char **out_wNAF, size_t *out_wNAF_len,
+ size_t *out_len)
{
- int window_val;
- int ok = 0;
- signed char *r = NULL;
- int sign = 1;
- int bit, next_bit, mask;
- size_t len = 0, j;
-
- if (BN_is_zero(scalar)) {
- r = malloc(1);
- if (!r) {
- ECerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
- r[0] = 0;
- *ret_len = 1;
- return r;
- }
- if (w <= 0 || w > 7) {
- /* 'signed char' can represent integers with
- * absolute values less than 2^7 */
- ECerror(ERR_R_INTERNAL_ERROR);
- goto err;
- }
- bit = 1 << w; /* at most 128 */
- next_bit = bit << 1; /* at most 256 */
- mask = next_bit - 1; /* at most 255 */
+ signed char *wNAF = NULL;
+ size_t i, wNAF_len, len;
+ int digit, bit, next, sign, wbits, window;
+ int ret = 0;
- if (BN_is_negative(scalar)) {
- sign = -1;
- }
- if (scalar->d == NULL || scalar->top == 0) {
- ECerror(ERR_R_INTERNAL_ERROR);
- goto err;
- }
- len = BN_num_bits(scalar);
- r = malloc(len + 1); /* modified wNAF may be one digit longer than
- * binary representation (*ret_len will be
- * set to the actual length, i.e. at most
- * BN_num_bits(scalar) + 1) */
- if (r == NULL) {
+ wNAF_len = BN_num_bits(bn) + 1;
+ if ((wNAF = calloc(1, wNAF_len)) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
- window_val = scalar->d[0] & mask;
- j = 0;
- while ((window_val != 0) || (j + w + 1 < len)) {
- /* if j+w+1 >= len, window_val will not increase */
- int digit = 0;
-
- /* 0 <= window_val <= 2^(w+1) */
- if (window_val & 1) {
- /* 0 < window_val < 2^(w+1) */
- if (window_val & bit) {
- digit = window_val - next_bit; /* -2^w < digit < 0 */
-
-#if 1 /* modified wNAF */
- if (j + w + 1 >= len) {
- /*
- * special case for generating
- * modified wNAFs: no new bits will
- * be added into window_val, so using
- * a positive digit here will
- * decrease the total length of the
- * representation
- */
-
- digit = window_val & (mask >> 1); /* 0 < digit < 2^w */
- }
-#endif
- } else {
- digit = window_val; /* 0 < digit < 2^w */
- }
- if (digit <= -bit || digit >= bit || !(digit & 1)) {
- ECerror(ERR_R_INTERNAL_ERROR);
- goto err;
- }
- window_val -= digit;
-
- /*
- * now window_val is 0 or 2^(w+1) in standard wNAF
- * generation; for modified window NAFs, it may also
- * be 2^w
- */
- if (window_val != 0 && window_val != next_bit && window_val != bit) {
- ECerror(ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
- r[j++] = sign * digit;
+ wbits = ec_window_bits(bn);
+ len = 1 << (wbits - 1);
- window_val >>= 1;
- window_val += bit * BN_is_bit_set(scalar, j + w);
+ sign = BN_is_negative(bn) ? -1 : 1;
- if (window_val > next_bit) {
- ECerror(ERR_R_INTERNAL_ERROR);
- goto err;
+ bit = 1 << wbits;
+ next = bit << 1;
+
+ /* Extract the wbits + 1 lowest bits from bn into window. */
+ window = 0;
+ for (i = 0; i < wbits + 1; i++) {
+ if (BN_is_bit_set(bn, i))
+ window |= (1 << i);
+ }
+
+ /* Instead of bn >>= 1 in each iteration, slide window to the left. */
+ for (i = 0; i < wNAF_len; i++) {
+ digit = 0;
+
+ /*
+ * If window is odd, the i-th wNAF digit is window (mods 2^w),
+ * where mods is the signed modulo in (-2^w-1, 2^w-1]. Subtract
+ * the digit from window, so window is 0 or next, and add the
+ * digit to the wNAF digits.
+ */
+ if ((window & 1) != 0) {
+ digit = window;
+ if ((window & bit) != 0)
+ digit = window - next;
+ window -= digit;
}
+
+ wNAF[i] = sign * digit;
+
+ /* Slide the window to the left. */
+ window >>= 1;
+ window += bit * BN_is_bit_set(bn, i + wbits + 1);
}
- if (j > len + 1) {
- ECerror(ERR_R_INTERNAL_ERROR);
+ *out_wNAF = wNAF;
+ wNAF = NULL;
+ *out_wNAF_len = wNAF_len;
+ *out_len = len;
+
+ ret = 1;
+
+ err:
+ free(wNAF);
+
+ return ret;
+}
+
+static void
+free_row(EC_POINT **row, size_t row_len)
+{
+ size_t i;
+
+ if (row == NULL)
+ return;
+
+ for (i = 0; i < row_len; i++)
+ EC_POINT_free(row[i]);
+ free(row);
+}
+
+static int
+ec_compute_odd_multiples(const EC_GROUP *group, const EC_POINT *point,
+ EC_POINT ***out_row, size_t row_len, BN_CTX *ctx)
+{
+ EC_POINT **row = NULL;
+ EC_POINT *doubled = NULL;
+ size_t i;
+ int ret = 0;
+
+ if (row_len < 1)
+ goto err;
+
+ if ((row = calloc(row_len, sizeof(*row))) == NULL)
+ goto err;
+
+ if ((row[0] = EC_POINT_dup(point, group)) == NULL)
+ goto err;
+
+ if ((doubled = EC_POINT_new(group)) == NULL)
goto err;
+ if (!EC_POINT_dbl(group, doubled, point, ctx))
+ goto err;
+ for (i = 1; i < row_len; i++) {
+ if ((row[i] = EC_POINT_new(group)) == NULL)
+ goto err;
+ if (!EC_POINT_add(group, row[i], row[i - 1], doubled, ctx))
+ goto err;
}
- len = j;
- ok = 1;
+
+ *out_row = row;
+ row = NULL;
+
+ ret = 1;
err:
- if (!ok) {
- free(r);
- r = NULL;
- }
- if (ok)
- *ret_len = len;
- return r;
-}
+ EC_POINT_free(doubled);
+ free_row(row, row_len);
+ return ret;
+}
-/* TODO: table should be optimised for the wNAF-based implementation,
- * sometimes smaller windows will give better performance
- * (thus the boundaries should be increased)
+/*
+ * Compute the wNAF representation of m and a list of odd multiples of point.
*/
-#define EC_window_bits_for_scalar_size(b) \
- ((size_t) \
- ((b) >= 2000 ? 6 : \
- (b) >= 800 ? 5 : \
- (b) >= 300 ? 4 : \
- (b) >= 70 ? 3 : \
- (b) >= 20 ? 2 : \
- 1))
+
+static int
+ec_compute_row(const EC_GROUP *group, const BIGNUM *m, const EC_POINT *point,
+ signed char **wNAF, size_t *wNAF_len, EC_POINT ***out_row, size_t *out_row_len,
+ BN_CTX *ctx)
+{
+ if (!ec_compute_wNAF(m, wNAF, wNAF_len, out_row_len))
+ return 0;
+ if (!ec_compute_odd_multiples(group, point, out_row, *out_row_len, ctx))
+ return 0;
+ return 1;
+}
+
+static int
+ec_normalize_rows(const EC_GROUP *group, EC_POINT **row0, size_t len0,
+ EC_POINT **row1, size_t len1, BN_CTX *ctx)
+{
+ EC_POINT **val = NULL;
+ size_t len = 0;
+ int ret = 0;
+
+ if (len1 > SIZE_MAX - len0)
+ goto err;
+ len = len0 + len1;
+
+ if ((val = calloc(len, sizeof(*val))) == NULL) {
+ ECerror(ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ memcpy(&val[0], row0, sizeof(*val) * len0);
+ memcpy(&val[len0], row1, sizeof(*val) * len1);
+
+ if (!EC_POINTs_make_affine(group, len, val, ctx))
+ goto err;
+
+ ret = 1;
+
+ err:
+ free(val);
+
+ return ret;
+}
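Review bot: In ec_compute_odd_multiples the allocation failure at `if ((row = calloc(row_len, sizeof(*row))) == NULL)` and the `if (row_len < 1)` guard return 0 without pushing an error, whereas ec_compute_wNAF and ec_normalize_rows in the same hunk report `ERR_R_MALLOC_FAILURE`, so a failed ec_wNAF_mul on that path leaves the error queue empty. Suggest `ECerror(ERR_R_MALLOC_FAILURE);` before that goto and `ECerror(ERR_R_INTERNAL_ERROR);` for the row_len guard, matching the surrounding helpers. Separately, the last parameter of ec_compute_wNAF, `out_len`, receives the odd-multiples table length `1 << (wbits - 1)` (ec_compute_row passes `out_row_len` into it), so naming it `out_row_len` there as well would avoid confusion with `out_wNAF_len`. Finally, `doubled` is computed at `EC_POINT_dbl(group, doubled, point, ctx)` even when row_len == 1, where the loop that consumes it never runs; the old code skipped the doubling for wsize == 1, so a `row_len > 1` guard around the EC_POINT_new/EC_POINT_dbl pair would restore that.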
/*
* Compute r = generator * m + point * n in non-constant time.
@@ -227,19 +270,15 @@ int
ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx)
{
+ const EC_POINT *generator;
signed char *wNAF[2] = { 0 };
size_t wNAF_len[2] = { 0 };
- size_t wsize[2] = { 0 };
- const EC_POINT *generator = NULL;
- EC_POINT *tmp = NULL;
EC_POINT **row[2] = { 0 };
- size_t i, j;
+ size_t row_len[2] = { 0 };
+ size_t i;
int k;
int r_is_inverted = 0;
size_t max_len = 0;
- size_t num_val;
- EC_POINT **val = NULL; /* precomputation */
- EC_POINT **v;
int ret = 0;
if (m == NULL || n == NULL) {
@@ -256,88 +295,25 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
goto err;
}
- /* num_val will be the total number of temporarily precomputed points */
- num_val = 0;
-
- for (i = 0; i < 2; i++) {
- size_t bits;
-
- bits = i < 1 ? BN_num_bits(n) : BN_num_bits(m);
- wsize[i] = EC_window_bits_for_scalar_size(bits);
- num_val += (size_t) 1 << (wsize[i] - 1);
- wNAF[i] = compute_wNAF(i < 1 ? n : m, wsize[i], &wNAF_len[i]);
- if (wNAF[i] == NULL)
- goto err;
- if (wNAF_len[i] > max_len)
- max_len = wNAF_len[i];
- }
-
- /*
- * All points we precompute now go into a single array 'val'.
- * 'val_sub[i]' is a pointer to the subarray for the i-th point, or
- * to a subarray of 'pre_comp->points' if we already have
- * precomputation.
- */
- val = reallocarray(NULL, (num_val + 1), sizeof val[0]);
- if (val == NULL) {
- ECerror(ERR_R_MALLOC_FAILURE);
+ if (!ec_compute_row(group, m, generator, &wNAF[0], &wNAF_len[0],
+ &row[0], &row_len[0], ctx))
goto err;
- }
- val[num_val] = NULL; /* pivot element */
-
- /* allocate points for precomputation */
- v = val;
- for (i = 0; i < 2; i++) {
- row[i] = v;
- for (j = 0; j < ((size_t) 1 << (wsize[i] - 1)); j++) {
- *v = EC_POINT_new(group);
- if (*v == NULL)
- goto err;
- v++;
- }
- }
- if (!(v == val + num_val)) {
- ECerror(ERR_R_INTERNAL_ERROR);
+ if (!ec_compute_row(group, n, point, &wNAF[1], &wNAF_len[1],
+ &row[1], &row_len[1], ctx))
goto err;
- }
- if (!(tmp = EC_POINT_new(group)))
+ if (!ec_normalize_rows(group, row[0], row_len[0], row[1], row_len[1], ctx))
goto err;
- /*
- * prepare precomputed values:
- * row[i][0] := points[i]
- * row[i][1] := 3 * points[i]
- * row[i][2] := 5 * points[i]
- * ...
- */
- for (i = 0; i < 2; i++) {
- if (i < 1) {
- if (!EC_POINT_copy(row[i][0], point))
- goto err;
- } else {
- if (!EC_POINT_copy(row[i][0], generator))
- goto err;
- }
-
- if (wsize[i] > 1) {
- if (!EC_POINT_dbl(group, tmp, row[i][0], ctx))
- goto err;
- for (j = 1; j < ((size_t) 1 << (wsize[i] - 1)); j++) {
- if (!EC_POINT_add(group, row[i][j], row[i][j - 1], tmp, ctx))
- goto err;
- }
- }
- }
-
- if (!EC_POINTs_make_affine(group, num_val, val, ctx))
- goto err;
+ max_len = wNAF_len[0];
+ if (wNAF_len[1] > max_len)
+ max_len = wNAF_len[1];
/*
* Set r to the neutral element. Scan through the wNAF representations
* of m and n, starting at the most significant digit. Double r and for
- * each wNAF digit of m add the digit times the point, and for each
- * wNAF digit of n add the digit times the generator, adjusting the
- * signs as appropriate.
+ * each wNAF digit of m add the digit times the generator, and for each
+ * wNAF digit of n add the digit times the point, adjusting the signs
+ * as appropriate.
*/
if (!EC_POINT_set_to_infinity(group, r))
@@ -381,14 +357,10 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
ret = 1;
err:
- EC_POINT_free(tmp);
free(wNAF[0]);
free(wNAF[1]);
- if (val != NULL) {
- for (v = val; *v != NULL; v++)
- EC_POINT_free(*v);
- free(val);
- }
+ free_row(row[0], row_len[0]);
+ free_row(row[1], row_len[1]);
return ret;
}
diff --git a/lib/libcrypto/ec/eck_prn.c b/lib/libcrypto/ec/eck_prn.c
index 012391c803f..98e1a7e7bde 100644
--- a/lib/libcrypto/ec/eck_prn.c
+++ b/lib/libcrypto/ec/eck_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eck_prn.c,v 1.39 2024/11/14 10:27:59 tb Exp $ */
+/* $OpenBSD: eck_prn.c,v 1.40 2024/11/25 06:51:39 tb Exp $ */
/*
* Written by Nils Larsch for the OpenSSL project.
*/
@@ -330,7 +330,7 @@ ECPKParameters_print(BIO *bio, const EC_GROUP *group, int off)
return 0;
}
- if (EC_GROUP_get_asn1_flag(group))
+ if ((EC_GROUP_get_asn1_flag(group) & OPENSSL_EC_NAMED_CURVE) != 0)
return ecpk_print_asn1_parameters(bio, group, off);
return ecpk_print_explicit_parameters(bio, group, off);
diff --git a/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 b/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
index 9049a118324..0a70e51ad67 100644
--- a/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
+++ b/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.25 2024/11/07 17:33:42 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.26 2024/11/24 14:48:12 schwarze Exp $
.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
.\" Parts were split out into RSA_pkey_ctx_ctrl(3).
@@ -69,7 +69,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 7 2024 $
+.Dd $Mdocdate: November 24 2024 $
.Dt EVP_PKEY_CTX_CTRL 3
.Os
.Sh NAME
@@ -411,24 +411,34 @@ The return value is the user key material length.
The resulting pointer is owned by the library and should not be
freed by the caller.
.Ss CMAC parameters
-Application programs normally initialize an
-.Vt EVP_PKEY_CTX
-object using
-.Xr EVP_PKEY_CTX_new 3 ,
-specifying the
-.Vt EVP_PKEY
-object containing the symmetric key right away.
-Alternatively, an empty
+Application programs normally implement CMAC as described in
+.Xr EVP_PKEY_new_CMAC_key 3
+and do not need the control commands documented here.
+.Pp
+Alternatively, the call to
+.Xr EVP_PKEY_new_CMAC_key 3
+can be replaced as follows,
+leaving the rest of the example code given there unchanged:
+.Pp
+.Bl -enum -width 2n -compact
+.It
+Create an empty
.Vt EVP_PKEY_CTX
-object can be created by passing the
+object by passing the
.Dv EVP_PKEY_CMAC
constant to
.Xr EVP_PKEY_CTX_new_id 3 .
-After that, the block cipher can be selected by calling
+.It
+Initialize it with
+.Xr EVP_PKEY_keygen_init 3 .
+.It
+Select the block cipher by calling
.Fn EVP_PKEY_CTX_ctrl
with an
.Fa optype
-of \-1, a
+of
+.Dv EVP_PKEY_OP_KEYGEN ,
+a
.Fa cmd
of
.Dv EVP_PKEY_CTRL_CIPHER ,
@@ -441,13 +451,14 @@ object, which can be obtained from the functions in the CIPHER LISTING in
The
.Fa p1
argument is ignored; passing 0 is recommended.
-.Pp
-After selecting the block cipher with
-.Dv EVP_PKEY_CTRL_CIPHER ,
+.It
+Call
.Fn EVP_PKEY_CTX_ctrl
-can be called again with an
+again with an
.Fa optype
-of \-1, a
+of
+.Dv EVP_PKEY_OP_KEYGEN ,
+a
.Fa cmd
of
.Dv EVP_PKEY_CTRL_SET_MAC_KEY ,
@@ -455,6 +466,24 @@ of
pointing to the symmetric key, and
.Fa p1
specifying the length of the symmetric key in bytes.
+.It
+Extract the desired
+.Vt EVP_PKEY
+object using
+.Xr EVP_PKEY_keygen 3 ,
+making sure the
+.Fa ppkey
+argument points to a storage location containing a
+.Dv NULL
+pointer.
+.It
+Proceed with
+.Xr EVP_MD_CTX_new 3 ,
+.Xr EVP_DigestSignInit 3 ,
+and
+.Xr EVP_DigestSign 3
+as usual.
+.El
.Ss Other parameters
The
.Fn EVP_PKEY_CTX_set1_id ,
diff --git a/lib/libcrypto/perlasm/x86asm.pl b/lib/libcrypto/perlasm/x86asm.pl
index e039382e009..7e727076841 100644
--- a/lib/libcrypto/perlasm/x86asm.pl
+++ b/lib/libcrypto/perlasm/x86asm.pl
@@ -1,7 +1,7 @@
#!/usr/bin/env perl
# require 'x86asm.pl';
-# &asm_init(<flavor>,"des-586.pl"[,$i386only]);
+# &asm_init(<flavor>,"aes-586.pl"[,$x86only]);
# &function_begin("foo");
# ...
# &function_end("foo");
diff --git a/lib/libcrypto/sha/sha3.c b/lib/libcrypto/sha/sha3.c
index b070d715ca4..6a7196d5826 100644
--- a/lib/libcrypto/sha/sha3.c
+++ b/lib/libcrypto/sha/sha3.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha3.c,v 1.15 2023/04/16 15:32:16 jsing Exp $ */
+/* $OpenBSD: sha3.c,v 1.16 2024/11/23 15:38:12 jsing Exp $ */
/*
* The MIT License (MIT)
*
@@ -57,17 +57,8 @@ sha3_keccakf(uint64_t st[25])
uint64_t t, bc[5];
int i, j, r;
-#if BYTE_ORDER != LITTLE_ENDIAN
- uint8_t *v;
-
- for (i = 0; i < 25; i++) {
- v = (uint8_t *) &st[i];
- st[i] = ((uint64_t) v[0]) | (((uint64_t) v[1]) << 8) |
- (((uint64_t) v[2]) << 16) | (((uint64_t) v[3]) << 24) |
- (((uint64_t) v[4]) << 32) | (((uint64_t) v[5]) << 40) |
- (((uint64_t) v[6]) << 48) | (((uint64_t) v[7]) << 56);
- }
-#endif
+ for (i = 0; i < 25; i++)
+ st[i] = le64toh(st[i]);
for (r = 0; r < KECCAKF_ROUNDS; r++) {
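Review bot: `le64toh()` at `st[i] = le64toh(st[i]);` (and `htole64()` in the second hunk of this file) are not standard C; they come from `<endian.h>` or, on BSD, `<sys/endian.h>`, and neither hunk shows such an include being added. If sha3.c does not already pull that header in directly or through a portability layer, the build breaks on platforms that lack it, so it is worth confirming the include list above this hunk. The change itself is sound: the removed byte-by-byte conversion is replaced by a conversion the platform guarantees, and on little-endian targets both loops reduce to no-ops. sha3_keccakf begins and ends outside these hunks.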
@@ -102,20 +93,8 @@ sha3_keccakf(uint64_t st[25])
st[0] ^= sha3_keccakf_rndc[r];
}
-#if BYTE_ORDER != LITTLE_ENDIAN
- for (i = 0; i < 25; i++) {
- v = (uint8_t *) &st[i];
- t = st[i];
- v[0] = t & 0xFF;
- v[1] = (t >> 8) & 0xFF;
- v[2] = (t >> 16) & 0xFF;
- v[3] = (t >> 24) & 0xFF;
- v[4] = (t >> 32) & 0xFF;
- v[5] = (t >> 40) & 0xFF;
- v[6] = (t >> 48) & 0xFF;
- v[7] = (t >> 56) & 0xFF;
- }
-#endif
+ for (i = 0; i < 25; i++)
+ st[i] = htole64(st[i]);
}
int
diff --git a/lib/libutil/imsg-buffer.c b/lib/libutil/imsg-buffer.c
index 23a81f00b4d..f7e8aff7588 100644
--- a/lib/libutil/imsg-buffer.c
+++ b/lib/libutil/imsg-buffer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: imsg-buffer.c,v 1.29 2024/11/22 02:11:09 tb Exp $ */
+/* $OpenBSD: imsg-buffer.c,v 1.30 2024/11/22 07:20:50 tb Exp $ */
/*
* Copyright (c) 2023 Claudio Jeker <claudio@openbsd.org>
@@ -605,10 +605,10 @@ msgbuf_new_reader(size_t hdrsz, ssize_t (*readhdr)(struct ibuf *, void *),
void
msgbuf_free(struct msgbuf *msgbuf)
{
- if (msgbuf != NULL) {
- msgbuf_clear(msgbuf);
- free(msgbuf->rbuf);
- }
+ if (msgbuf == NULL)
+ return;
+ msgbuf_clear(msgbuf);
+ free(msgbuf->rbuf);
free(msgbuf);
}