Neuter the EC_POINTs_* API

EC_POINTs_mul() was only ever used by Ruby and they stopped doing so for
LibreSSL when we incorporated the constant time multiplication work of
Brumley et al and restricted the length of the points array to 1, making
this API effectively useless. The only real reason you want to have an
API to calculate \sum n_i P_i is for ECDSA where you want m * G + n * P.
Whether something like his needs to be in the public API is doubtful.

EC_POINTs_make_affine() is an implementation detail of EC_POINTs_mul().
As such it never really belonged into the public API.

ok jsing

4 files changed, 16 insertions, 77 deletions

diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index de6fe20083..f1ff11a087 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.107 2025/01/11 13:41:17 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.108 2025/01/11 13:58:31 tb Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -1265,32 +1265,8 @@ int
 EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
     BN_CTX *ctx_in)
 {
-        BN_CTX *ctx;
-        size_t i;
-        int ret = 0;
-
-        if ((ctx = ctx_in) == NULL)
-                ctx = BN_CTX_new();
-        if (ctx == NULL)
-                goto err;
-
-        if (group->meth->points_make_affine == NULL) {
-                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                goto err;
-        }
-        for (i = 0; i < num; i++) {
-                if (group->meth != points[i]->meth) {
-                        ECerror(EC_R_INCOMPATIBLE_OBJECTS);
-                        goto err;
-                }
-        }
-        ret = group->meth->points_make_affine(group, num, points, ctx);
-
- err:
-        if (ctx != ctx_in)
-                BN_CTX_free(ctx);
-
-        return ret;
+        ECerror(ERR_R_DISABLED);
+        return 0;
 }
 LCRYPTO_ALIAS(EC_POINTs_make_affine);
 
@@ -1299,40 +1275,8 @@ EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
     size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
     BN_CTX *ctx_in)
 {
-        BN_CTX *ctx;
-        int ret = 0;
-
-        if ((ctx = ctx_in) == NULL)
-                ctx = BN_CTX_new();
-        if (ctx == NULL)
-                goto err;
-
-        /* Only num == 0 and num == 1 is supported. */
-        if (group->meth->mul_generator_ct == NULL ||
-            group->meth->mul_single_ct == NULL ||
-            group->meth->mul_double_nonct == NULL ||
-            num > 1) {
-                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                goto err;
-        }
-
-        if (num == 1 && points != NULL && scalars != NULL) {
-                /* Either bP or aG + bP, this is sane. */
-                ret = EC_POINT_mul(group, r, scalar, points[0], scalars[0], ctx);
-        } else if (scalar != NULL && points == NULL && scalars == NULL) {
-                /* aG, this is sane */
-                ret = EC_POINT_mul(group, r, scalar, NULL, NULL, ctx);
-        } else {
-                /* anything else is an error */
-                ECerror(ERR_R_EC_LIB);
-                goto err;
-        }
-
- err:
-        if (ctx != ctx_in)
-                BN_CTX_free(ctx);
-
-        return ret;
+        ECerror(ERR_R_DISABLED);
+        return 0;
 }
 LCRYPTO_ALIAS(EC_POINTs_mul);
 
diff --git a/src/lib/libcrypto/ec/ec_local.h b/src/lib/libcrypto/ec/ec_local.h
index 7cb5c55f6d..0e81ab2b12 100644
--- a/src/lib/libcrypto/ec/ec_local.h
+++ b/src/lib/libcrypto/ec/ec_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_local.h,v 1.55 2025/01/11 13:38:42 tb Exp $ */
+/* $OpenBSD: ec_local.h,v 1.56 2025/01/11 13:58:31 tb Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -79,12 +79,6 @@
 
 __BEGIN_HIDDEN_DECLS
 
-#if defined(__SUNPRO_C)
-# if __SUNPRO_C >= 0x520
-# pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE)
-# endif
-#endif
-
 struct ec_method_st {
         int field_type;
 
@@ -100,6 +94,10 @@ struct ec_method_st {
         int (*point_set_compressed_coordinates)(const EC_GROUP *, EC_POINT *,
             const BIGNUM *x, int y_bit, BN_CTX *);
 
+        /* Only used by the wNAF code. */
+        int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT **,
+            BN_CTX *);
+
         int (*add)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
             const EC_POINT *b, BN_CTX *);
         int (*dbl)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
@@ -109,9 +107,6 @@ struct ec_method_st {
         int (*point_cmp)(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
             BN_CTX *);
 
-        int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[],
-            BN_CTX *);
-
         int (*mul_generator_ct)(const EC_GROUP *, EC_POINT *r,
             const BIGNUM *scalar, BN_CTX *);
         int (*mul_single_ct)(const EC_GROUP *group, EC_POINT *r,
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index d11086de64..68061ffd67 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.56 2024/12/19 21:05:46 tb Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.57 2025/01/11 13:58:31 tb Exp $ */
 /*
  * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
  */
@@ -219,7 +219,7 @@ ec_normalize_points(const EC_GROUP *group, struct ec_wnaf *wnaf0,
         memcpy(&val[0], points0, sizeof(*val) * len0);
         memcpy(&val[len0], points1, sizeof(*val) * len1);
 
-        if (!EC_POINTs_make_affine(group, len, val, ctx))
+        if (!group->meth->points_make_affine(group, len, val, ctx))
                 goto err;
 
         ret = 1;
diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c
index a2a74334f4..d1895c959f 100644
--- a/src/lib/libcrypto/ec/ecp_methods.c
+++ b/src/lib/libcrypto/ec/ecp_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_methods.c,v 1.27 2025/01/11 13:38:42 tb Exp $ */
+/* $OpenBSD: ecp_methods.c,v 1.28 2025/01/11 13:58:31 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project.
  * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -892,7 +892,7 @@ ec_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
 }
 
 static int
-ec_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
+ec_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT **points,
     BN_CTX *ctx)
 {
         BIGNUM **prod_Z = NULL;
@@ -1425,12 +1425,12 @@ static const EC_METHOD ec_GFp_simple_method = {
         .point_set_affine_coordinates = ec_point_set_affine_coordinates,
         .point_get_affine_coordinates = ec_point_get_affine_coordinates,
         .point_set_compressed_coordinates = ec_set_compressed_coordinates,
+        .points_make_affine = ec_points_make_affine,
         .add = ec_add,
         .dbl = ec_dbl,
         .invert = ec_invert,
         .is_on_curve = ec_is_on_curve,
         .point_cmp = ec_cmp,
-        .points_make_affine = ec_points_make_affine,
         .mul_generator_ct = ec_mul_generator_ct,
         .mul_single_ct = ec_mul_single_ct,
         .mul_double_nonct = ec_mul_double_nonct,
@@ -1452,12 +1452,12 @@ static const EC_METHOD ec_GFp_mont_method = {
         .point_set_affine_coordinates = ec_point_set_affine_coordinates,
         .point_get_affine_coordinates = ec_point_get_affine_coordinates,
         .point_set_compressed_coordinates = ec_set_compressed_coordinates,
+        .points_make_affine = ec_points_make_affine,
         .add = ec_add,
         .dbl = ec_dbl,
         .invert = ec_invert,
         .is_on_curve = ec_is_on_curve,
         .point_cmp = ec_cmp,
-        .points_make_affine = ec_points_make_affine,
         .mul_generator_ct = ec_mul_generator_ct,
         .mul_single_ct = ec_mul_single_ct,
         .mul_double_nonct = ec_mul_double_nonct,