authortb <>2024-11-21 14:36:03 +0000
committertb <>2024-11-21 14:36:03 +0000
commit4c4b392670e9a18150e22a1e4f41fce87c78e1ff (patch)
tree9fec7cf79e2e1cbbcb4b1cc9695793f7708a20ef /src/lib
parentd63d1441a9dbaaffa40e22387332018199226c57 (diff)
ec_wNAF_mul(): remove r_is_at_infinity silliness
All the EC_POINT_* API has a fast path for the point at infinity. So we're not gaining more than a few cycles by making this terrible mess even more terrible than it already is by avoiding calls to it (it's also incorrect as it is since we don't know that the point is no longer at infinity when it is unset). Simplify and add a comment explaining what this mess is doing. ok jsing
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/ec/ec_mult.c45
1 files changed, 20 insertions, 25 deletions
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 9015a5a649..e336cf0fac 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_mult.c,v 1.35 2024/11/16 15:32:08 tb Exp $ */ 1/* $OpenBSD: ec_mult.c,v 1.36 2024/11/21 14:36:03 tb Exp $ */
2/* 2/*
3 * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. 3 * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
4 */ 4 */
@@ -233,7 +233,6 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
233 size_t i, j; 233 size_t i, j;
234 int k; 234 int k;
235 int r_is_inverted = 0; 235 int r_is_inverted = 0;
236 int r_is_at_infinity = 1;
237 size_t *wsize = NULL; /* individual window sizes */ 236 size_t *wsize = NULL; /* individual window sizes */
238 signed char **wNAF = NULL; /* individual wNAFs */ 237 signed char **wNAF = NULL; /* individual wNAFs */
239 size_t *wNAF_len = NULL; 238 size_t *wNAF_len = NULL;
@@ -356,13 +355,21 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
356 if (!EC_POINTs_make_affine(group, num_val, val, ctx)) 355 if (!EC_POINTs_make_affine(group, num_val, val, ctx))
357 goto err; 356 goto err;
358 357
359 r_is_at_infinity = 1; 358 /*
359 * Set r to the neutral element. Scan through the wNAF representations
360 * of m and n, starting at the most significant digit. Double r and for
361 * each wNAF digit of m add the digit times the point, and for each
362 * wNAF digit of n add the digit times the generator, adjusting the
363 * signs as appropriate.
364 */
365
366 if (!EC_POINT_set_to_infinity(group, r))
367 goto err;
360 368
361 for (k = max_len - 1; k >= 0; k--) { 369 for (k = max_len - 1; k >= 0; k--) {
362 if (!r_is_at_infinity) { 370 if (!EC_POINT_dbl(group, r, r, ctx))
363 if (!EC_POINT_dbl(group, r, r, ctx)) 371 goto err;
364 goto err; 372
365 }
366 for (i = 0; i < totalnum; i++) { 373 for (i = 0; i < totalnum; i++) {
367 if (wNAF_len[i] > (size_t) k) { 374 if (wNAF_len[i] > (size_t) k) {
368 int digit = wNAF[i][k]; 375 int digit = wNAF[i][k];
@@ -375,34 +382,22 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
375 digit = -digit; 382 digit = -digit;
376 383
377 if (is_neg != r_is_inverted) { 384 if (is_neg != r_is_inverted) {
378 if (!r_is_at_infinity) { 385 if (!EC_POINT_invert(group, r, ctx))
379 if (!EC_POINT_invert(group, r, ctx)) 386 goto err;
380 goto err;
381 }
382 r_is_inverted = !r_is_inverted; 387 r_is_inverted = !r_is_inverted;
383 } 388 }
384 /* digit > 0 */ 389 /* digit > 0 */
385 390
386 if (r_is_at_infinity) { 391 if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx))
387 if (!EC_POINT_copy(r, val_sub[i][digit >> 1])) 392 goto err;
388 goto err;
389 r_is_at_infinity = 0;
390 } else {
391 if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx))
392 goto err;
393 }
394 } 393 }
395 } 394 }
396 } 395 }
397 } 396 }
398 397
399 if (r_is_at_infinity) { 398 if (r_is_inverted) {
400 if (!EC_POINT_set_to_infinity(group, r)) 399 if (!EC_POINT_invert(group, r, ctx))
401 goto err; 400 goto err;
402 } else {
403 if (r_is_inverted)
404 if (!EC_POINT_invert(group, r, ctx))
405 goto err;
406 } 401 }
407 402
408 ret = 1; 403 ret = 1;
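Review bot: The new block comment at new lines 358–364 explains the scan but leaves the sign handling implicit: instead of negating the table entry, the loop inverts the accumulator r whenever a digit's sign differs from r's current sign (`is_neg != r_is_inverted`), adds the positive entry `val_sub[i][digit >> 1]`, and undoes the inversion once after the loop — presumably so val_sub only has to hold positive odd multiples, which is not visible in this hunk. A sentence such as `* Negative digits are handled by inverting r rather than the table entry; r_is_inverted records this and is undone once after the loop.` would spare the next reader that derivation. It is also worth stating in the comment that the scan is variable-time: the doubling is now unconditional, but the `wNAF_len[i] > (size_t) k` test and the inversion branch still depend on the scalars' wNAF digits, so callers with secret scalars need whatever constant-time path the file provides elsewhere, if any. ec_wNAF_mul starts before the first hunk and its err/cleanup tail lies after the last one.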