Explicitly pass group generator to mul_double_nonct() from EC_POINT_mul().

EC_POINT_mul() has a complex multi-use interface - there are effectively
three different ways it will behave, depending on which arguments are NULL.
In the case where we compute g_scalar * generator + p_scalar * point, the
mul_double_nonct() function pointer is called, however only g_scalar,
p_scalar and point are passed - it is expected that the lower level
implementation (in this case ec_wnaf_mul()) will use the generator from
the group.

Change mul_double_nonct(), ec_mul_double_nonct() and ec_wnaf_mul() so that
they take scalar1, point1, scalar2 and point2. This removes all knowledge
of g_scalar and the generator from the multiplication code, keeping it
limited to EC_POINT_mul(). While here also consistently pass scalar then
point, rather than a mix of scalar/point and point/scalar.

ok tb@

4 files changed, 33 insertions, 35 deletions

diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 598038de1d..7982d23f06 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.122 2025/03/24 12:49:13 jsing Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.123 2025/03/24 13:07:04 jsing Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -1333,8 +1333,8 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
                  * secret. This is why we ignore if BN_FLG_CONSTTIME is actually
                  * set and we always call the constant time version.
                  */
-                ret = group->meth->mul_single_ct(group, r, g_scalar,
-                    group->generator, ctx);
+                ret = group->meth->mul_single_ct(group, r,
+                    g_scalar, group->generator, ctx);
         } else if (g_scalar == NULL && point != NULL && p_scalar != NULL) {
                 /*
                  * In this case we want to compute p_scalar * GenericPoint:
@@ -1352,8 +1352,8 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
                  * this codepath is reached most prominently by ECDSA signature
                  * verification. So we call the non-ct version.
                  */
-                ret = group->meth->mul_double_nonct(group, r, g_scalar,
-                    p_scalar, point, ctx);
+                ret = group->meth->mul_double_nonct(group, r,
+                    g_scalar, group->generator, p_scalar, point, ctx);
         } else {
                 /* Anything else is an error. */
                 ECerror(ERR_R_EC_LIB);
diff --git a/src/lib/libcrypto/ec/ec_local.h b/src/lib/libcrypto/ec/ec_local.h
index 9c188c0197..c7a54d3a2b 100644
--- a/src/lib/libcrypto/ec/ec_local.h
+++ b/src/lib/libcrypto/ec/ec_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_local.h,v 1.66 2025/03/09 15:33:35 tb Exp $ */
+/* $OpenBSD: ec_local.h,v 1.67 2025/03/24 13:07:04 jsing Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -106,8 +106,8 @@ typedef struct ec_method_st {
         int (*mul_single_ct)(const EC_GROUP *group, EC_POINT *r,
             const BIGNUM *scalar, const EC_POINT *point, BN_CTX *);
         int (*mul_double_nonct)(const EC_GROUP *group, EC_POINT *r,
-            const BIGNUM *g_scalar, const BIGNUM *p_scalar,
-            const EC_POINT *point, BN_CTX *);
+            const BIGNUM *scalar1, const EC_POINT *point1,
+            const BIGNUM *scalar2, const EC_POINT *point2, BN_CTX *);
 
         /*
          * These can be used by 'add' and 'dbl' so that the same implementations
@@ -173,9 +173,10 @@ struct ec_point_st {
 const EC_METHOD *EC_GFp_simple_method(void);
 const EC_METHOD *EC_GFp_mont_method(void);
 
-/* Compute r = generator * m + point * n in non-constant time. */
-int ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
-    const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx);
+/* Compute r = scalar1 * point1 + scalar2 * point2 in non-constant time. */
+int ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
+    const EC_POINT *point1, const BIGNUM *scalar2, const EC_POINT *point2,
+    BN_CTX *ctx);
 
 int ec_group_is_builtin_curve(const EC_GROUP *group, int *out_nid);
 
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 68061ffd67..673696a9fd 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.57 2025/01/11 13:58:31 tb Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.58 2025/03/24 13:07:04 jsing Exp $ */
 /*
  * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
  */
@@ -259,7 +259,7 @@ ec_wnaf_free(struct ec_wnaf *wnaf)
  */
 
 static struct ec_wnaf *
-ec_wnaf_new(const EC_GROUP *group, const EC_POINT *point, const BIGNUM *bn,
+ec_wnaf_new(const EC_GROUP *group, const BIGNUM *scalar, const EC_POINT *point,
     BN_CTX *ctx)
 {
         struct ec_wnaf *wnaf;
@@ -267,15 +267,15 @@ ec_wnaf_new(const EC_GROUP *group, const EC_POINT *point, const BIGNUM *bn,
         if ((wnaf = calloc(1, sizeof(*wnaf))) == NULL)
                 goto err;
 
-        wnaf->num_digits = BN_num_bits(bn) + 1;
+        wnaf->num_digits = BN_num_bits(scalar) + 1;
         if ((wnaf->digits = calloc(wnaf->num_digits,
             sizeof(*wnaf->digits))) == NULL)
                 goto err;
 
-        if (!ec_compute_wnaf(bn, wnaf->digits, wnaf->num_digits))
+        if (!ec_compute_wnaf(scalar, wnaf->digits, wnaf->num_digits))
                 goto err;
 
-        wnaf->num_multiples = 1ULL << (ec_window_bits(bn) - 1);
+        wnaf->num_multiples = 1ULL << (ec_window_bits(scalar) - 1);
         if ((wnaf->multiples = calloc(wnaf->num_multiples,
             sizeof(*wnaf->multiples))) == NULL)
                 goto err;
@@ -313,38 +313,34 @@ ec_wnaf_multiple(struct ec_wnaf *wnaf, signed char digit)
 }
 
 /*
- * Compute r = generator * m + point * n in non-constant time.
+ * Compute r = scalar1 * point1 + scalar2 * point2 in non-constant time.
  */
 
 int
-ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
-    const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx)
+ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
+    const EC_POINT *point1, const BIGNUM *scalar2, const EC_POINT *point2,
+    BN_CTX *ctx)
 {
         struct ec_wnaf *wnaf[2] = { NULL, NULL };
-        const EC_POINT *generator;
         size_t i;
         int k;
         int r_is_inverted = 0;
         size_t num_digits;
         int ret = 0;
 
-        if (m == NULL || n == NULL) {
+        if (scalar1 == NULL || scalar2 == NULL) {
                 ECerror(ERR_R_PASSED_NULL_PARAMETER);
                 goto err;
         }
-        if (group->meth != r->meth || group->meth != point->meth) {
+        if (group->meth != r->meth || group->meth != point1->meth ||
+            group->meth != point2->meth) {
                 ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                 goto err;
         }
 
-        if ((generator = EC_GROUP_get0_generator(group)) == NULL) {
-                ECerror(EC_R_UNDEFINED_GENERATOR);
-                goto err;
-        }
-
-        if ((wnaf[0] = ec_wnaf_new(group, generator, m, ctx)) == NULL)
+        if ((wnaf[0] = ec_wnaf_new(group, scalar1, point1, ctx)) == NULL)
                 goto err;
-        if ((wnaf[1] = ec_wnaf_new(group, point, n, ctx)) == NULL)
+        if ((wnaf[1] = ec_wnaf_new(group, scalar2, point2, ctx)) == NULL)
                 goto err;
 
         if (!ec_normalize_points(group, wnaf[0], wnaf[1], ctx))
@@ -357,8 +353,8 @@ ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
         /*
          * Set r to the neutral element. Scan through the wNAF representations
          * of m and n, starting at the most significant digit. Double r and for
-         * each wNAF digit of m add the digit times the generator, and for each
-         * wNAF digit of n add the digit times the point, adjusting the signs
+         * each wNAF digit of scalar1 add the digit times point1, and for each
+         * wNAF digit of scalar2 add the digit times point2, adjusting the signs
          * as appropriate.
          */
 
diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c
index 544c2be4d4..ced85ceb1e 100644
--- a/src/lib/libcrypto/ec/ecp_methods.c
+++ b/src/lib/libcrypto/ec/ecp_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_methods.c,v 1.44 2025/03/09 15:33:35 tb Exp $ */
+/* $OpenBSD: ecp_methods.c,v 1.45 2025/03/24 13:07:04 jsing Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project.
  * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1194,10 +1194,11 @@ ec_mul_single_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 }
 
 static int
-ec_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
-    const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *ctx)
+ec_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
+    const EC_POINT *point1, const BIGNUM *scalar2, const EC_POINT *point2,
+    BN_CTX *ctx)
 {
-        return ec_wnaf_mul(group, r, g_scalar, point, p_scalar, ctx);
+        return ec_wnaf_mul(group, r, scalar1, point1, scalar2, point2, ctx);
 }
 
 static int