authorjsing <>2025-03-24 13:07:04 +0000
committerjsing <>2025-03-24 13:07:04 +0000
commit70275e713454e731b5cbf6545eff93592d1d9872 (patch)
tree6397da5be4e5b65da2b65dd38a2c3f1202843573 /src/lib/libcrypto/ec/ec_lib.c
parente8c19f02f4b0497ce5d3eca5d72b3cdaeaff9f09 (diff)
Explicitly pass group generator to mul_double_nonct() from EC_POINT_mul().
EC_POINT_mul() has a complex multi-use interface - there are effectively three different ways it will behave, depending on which arguments are NULL. In the case where we compute g_scalar * generator + p_scalar * point, the mul_double_nonct() function pointer is called, however only g_scalar, p_scalar and point are passed - it is expected that the lower level implementation (in this case ec_wnaf_mul()) will use the generator from the group. Change mul_double_nonct(), ec_mul_double_nonct() and ec_wnaf_mul() so that they take scalar1, point1, scalar2 and point2. This removes all knowledge of g_scalar and the generator from the multiplication code, keeping it limited to EC_POINT_mul(). While here also consistently pass scalar then point, rather than a mix of scalar/point and point/scalar. ok tb@
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/ec/ec_lib.c10
1 files changed, 5 insertions, 5 deletions
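--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.122 2025/03/24 12:49:13 jsing Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.123 2025/03/24 13:07:04 jsing Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -1333,8 +1333,8 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
 		 * secret. This is why we ignore if BN_FLG_CONSTTIME is actually
 		 * set and we always call the constant time version.
 		 */
-		ret = group->meth->mul_single_ct(group, r, g_scalar,
-		    group->generator, ctx);
+		ret = group->meth->mul_single_ct(group, r,
+		    g_scalar, group->generator, ctx);
 	} else if (g_scalar == NULL && point != NULL && p_scalar != NULL) {
 		/*
 		 * In this case we want to compute p_scalar * GenericPoint:
@@ -1352,8 +1352,8 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
 		 * this codepath is reached most prominently by ECDSA signature
 		 * verification. So we call the non-ct version.
 		 */
-		ret = group->meth->mul_double_nonct(group, r, g_scalar,
-		    p_scalar, point, ctx);
+		ret = group->meth->mul_double_nonct(group, r,
+		    g_scalar, group->generator, p_scalar, point, ctx);
 	} else {
 		/* Anything else is an error. */
 		ECerror(ERR_R_EC_LIB);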