authortb <>2024-11-16 15:32:08 +0000
committertb <>2024-11-16 15:32:08 +0000
commitb4c334cf7760113f167c0d700e27fb65de2f189a (patch)
tree8ca97dd5b4dd927e82e0a93db711fbeac9268afe /src/lib
parent23d9a213525c4cdbc5fba2b8cf4109f087fe41d3 (diff)
Simplify signature of ec_wNAF_mul()
The only caller passes in num = 1 and is itself called in a path that ensures that the multiplier of the generator is != NULL. Consequently we don't need to deal with an array of points and an array of scalars, so rename them accordingly. In addition, the change implies that numblocks and num_scalar are now always 1, so inline this information and take a first step towards disentangling this Gordian knot. ok jsing
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/ec/ec_local.h9
-rw-r--r--src/lib/libcrypto/ec/ec_mult.c73
-rw-r--r--src/lib/libcrypto/ec/ecp_methods.c4
3 files changed, 30 insertions, 56 deletions
diff --git a/src/lib/libcrypto/ec/ec_local.h b/src/lib/libcrypto/ec/ec_local.h
index e5189361e0..db8d4ab28f 100644
--- a/src/lib/libcrypto/ec/ec_local.h
+++ b/src/lib/libcrypto/ec/ec_local.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_local.h,v 1.37 2024/11/12 10:53:22 tb Exp $ */ 1/* $OpenBSD: ec_local.h,v 1.38 2024/11/16 15:32:08 tb Exp $ */
2/* 2/*
3 * Originally written by Bodo Moeller for the OpenSSL project. 3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */ 4 */
@@ -247,10 +247,9 @@ struct ec_point_st {
247 int Z_is_one; /* enable optimized point arithmetics for special case */ 247 int Z_is_one; /* enable optimized point arithmetics for special case */
248} /* EC_POINT */; 248} /* EC_POINT */;
249 249
250/* method functions in ec_mult.c 250/* Compute r = generator * m + point * n in non-constant time. */
251 * (ec_lib.c uses these as defaults if group->method->mul is 0) */ 251int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
252int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, 252 const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx);
253 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
254 253
255int ec_group_simple_order_bits(const EC_GROUP *group); 254int ec_group_simple_order_bits(const EC_GROUP *group);
256int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); 255int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
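Review bot: The new prototype comment at new line 250 states the computation but not the precondition that ec_mult.c now enforces, where a NULL m or n fails with ERR_R_PASSED_NULL_PARAMETER instead of simply omitting the generator term as the old scalar == NULL path did; a caller reading only the header would not learn this. I'd extend it to `/* Compute r = generator * m + point * n in non-constant time. m and n must not be NULL. */` so the contract and the check in ec_wNAF_mul agree.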
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 7b62666337..9015a5a649 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_mult.c,v 1.34 2024/11/15 12:09:36 tb Exp $ */ 1/* $OpenBSD: ec_mult.c,v 1.35 2024/11/16 15:32:08 tb Exp $ */
2/* 2/*
3 * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. 3 * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
4 */ 4 */
@@ -219,20 +219,17 @@ compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
219 (b) >= 20 ? 2 : \ 219 (b) >= 20 ? 2 : \
220 1)) 220 1))
221 221
222/* Compute 222/*
223 * \sum scalars[i]*points[i], 223 * Compute r = generator * m + point * n in non-constant time.
224 * also including
225 * scalar*generator
226 * in the addition if scalar != NULL
227 */ 224 */
225
228int 226int
229ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, 227ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
230 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) 228 const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx)
231{ 229{
232 const EC_POINT *generator = NULL; 230 const EC_POINT *generator = NULL;
233 EC_POINT *tmp = NULL; 231 EC_POINT *tmp = NULL;
234 size_t totalnum; 232 size_t totalnum;
235 size_t numblocks = 0; /* for wNAF splitting */
236 size_t i, j; 233 size_t i, j;
237 int k; 234 int k;
238 int r_is_inverted = 0; 235 int r_is_inverted = 0;
@@ -246,37 +243,23 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
246 EC_POINT **v; 243 EC_POINT **v;
247 EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' or 244 EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' or
248 * 'pre_comp->points' */ 245 * 'pre_comp->points' */
249 int num_scalar = 0; /* flag: will be set to 1 if 'scalar' must be
250 * treated like other scalars, i.e.
251 * precomputation is not available */
252 int ret = 0; 246 int ret = 0;
253 247
254 if (group->meth != r->meth) { 248 if (m == NULL || n == NULL) {
255 ECerror(EC_R_INCOMPATIBLE_OBJECTS); 249 ECerror(ERR_R_PASSED_NULL_PARAMETER);
256 return 0; 250 goto err;
257 }
258 if ((scalar == NULL) && (num == 0)) {
259 return EC_POINT_set_to_infinity(group, r);
260 } 251 }
261 for (i = 0; i < num; i++) { 252 if (group->meth != r->meth || group->meth != point->meth) {
262 if (group->meth != points[i]->meth) { 253 ECerror(EC_R_INCOMPATIBLE_OBJECTS);
263 ECerror(EC_R_INCOMPATIBLE_OBJECTS); 254 goto err;
264 return 0;
265 }
266 } 255 }
267 256
268 if (scalar != NULL) { 257 if ((generator = EC_GROUP_get0_generator(group)) == NULL) {
269 generator = EC_GROUP_get0_generator(group); 258 ECerror(EC_R_UNDEFINED_GENERATOR);
270 if (generator == NULL) { 259 goto err;
271 ECerror(EC_R_UNDEFINED_GENERATOR);
272 goto err;
273 }
274
275 numblocks = 1;
276 num_scalar = 1; /* treat 'scalar' like 'num'-th
277 * element of 'scalars' */
278 } 260 }
279 totalnum = num + numblocks; 261
262 totalnum = 2;
280 263
281 /* includes space for pivot */ 264 /* includes space for pivot */
282 wNAF = reallocarray(NULL, (totalnum + 1), sizeof wNAF[0]); 265 wNAF = reallocarray(NULL, (totalnum + 1), sizeof wNAF[0]);
@@ -299,28 +282,20 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
299 /* num_val will be the total number of temporarily precomputed points */ 282 /* num_val will be the total number of temporarily precomputed points */
300 num_val = 0; 283 num_val = 0;
301 284
302 for (i = 0; i < num + num_scalar; i++) { 285 for (i = 0; i < 2; i++) {
303 size_t bits; 286 size_t bits;
304 287
305 bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar); 288 bits = i < 1 ? BN_num_bits(n) : BN_num_bits(m);
306 wsize[i] = EC_window_bits_for_scalar_size(bits); 289 wsize[i] = EC_window_bits_for_scalar_size(bits);
307 num_val += (size_t) 1 << (wsize[i] - 1); 290 num_val += (size_t) 1 << (wsize[i] - 1);
308 wNAF[i + 1] = NULL; /* make sure we always have a pivot */ 291 wNAF[i + 1] = NULL; /* make sure we always have a pivot */
309 wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]); 292 wNAF[i] = compute_wNAF(i < 1 ? n : m, wsize[i], &wNAF_len[i]);
310 if (wNAF[i] == NULL) 293 if (wNAF[i] == NULL)
311 goto err; 294 goto err;
312 if (wNAF_len[i] > max_len) 295 if (wNAF_len[i] > max_len)
313 max_len = wNAF_len[i]; 296 max_len = wNAF_len[i];
314 } 297 }
315 298
316 if (numblocks) {
317 /* we go here iff scalar != NULL */
318
319 if (num_scalar != 1) {
320 ECerror(ERR_R_INTERNAL_ERROR);
321 goto err;
322 }
323 }
324 /* 299 /*
325 * All points we precompute now go into a single array 'val'. 300 * All points we precompute now go into a single array 'val'.
326 * 'val_sub[i]' is a pointer to the subarray for the i-th point, or 301 * 'val_sub[i]' is a pointer to the subarray for the i-th point, or
@@ -336,7 +311,7 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
336 311
337 /* allocate points for precomputation */ 312 /* allocate points for precomputation */
338 v = val; 313 v = val;
339 for (i = 0; i < num + num_scalar; i++) { 314 for (i = 0; i < 2; i++) {
340 val_sub[i] = v; 315 val_sub[i] = v;
341 for (j = 0; j < ((size_t) 1 << (wsize[i] - 1)); j++) { 316 for (j = 0; j < ((size_t) 1 << (wsize[i] - 1)); j++) {
342 *v = EC_POINT_new(group); 317 *v = EC_POINT_new(group);
@@ -359,9 +334,9 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
359 * val_sub[i][2] := 5 * points[i] 334 * val_sub[i][2] := 5 * points[i]
360 * ... 335 * ...
361 */ 336 */
362 for (i = 0; i < num + num_scalar; i++) { 337 for (i = 0; i < 2; i++) {
363 if (i < num) { 338 if (i < 1) {
364 if (!EC_POINT_copy(val_sub[i][0], points[i])) 339 if (!EC_POINT_copy(val_sub[i][0], point))
365 goto err; 340 goto err;
366 } else { 341 } else {
367 if (!EC_POINT_copy(val_sub[i][0], generator)) 342 if (!EC_POINT_copy(val_sub[i][0], generator))
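Review bot: The new method check at new line 252 dereferences `point->meth`, but the NULL guard just above it at new line 248 covers only the scalars m and n, so a NULL point is dereferenced before EC_R_INCOMPATIBLE_OBJECTS can be raised. The commit message only argues that the generator multiplier is non-NULL on the calling path, which says nothing about point; unless every caller of ec_mul_double_nonct guarantees point != NULL, widen the guard to `if (m == NULL || point == NULL || n == NULL) {`. Separately, the loops at new lines 285, 314 and 337 hard-code `2` and `i < 1` while `totalnum = 2` survives as a variable; using totalnum as the bound, or a comment such as `/* index 0: point * n, index 1: generator * m */` before the first loop, would tie the literal indices to the new parameter names. ec_wNAF_mul's body, including the err label reached by the new early exits, continues past the last hunk.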
diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c
index 61f95b5bb9..1b763cf219 100644
--- a/src/lib/libcrypto/ec/ecp_methods.c
+++ b/src/lib/libcrypto/ec/ecp_methods.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ecp_methods.c,v 1.7 2024/11/12 13:09:54 tb Exp $ */ 1/* $OpenBSD: ecp_methods.c,v 1.8 2024/11/16 15:32:08 tb Exp $ */
2/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de> 2/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3 * for the OpenSSL project. 3 * for the OpenSSL project.
4 * Includes code written by Bodo Moeller for the OpenSSL project. 4 * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1604,7 +1604,7 @@ static int
1604ec_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, 1604ec_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
1605 const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *ctx) 1605 const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *ctx)
1606{ 1606{
1607 return ec_wNAF_mul(group, r, g_scalar, 1, &point, &p_scalar, ctx); 1607 return ec_wNAF_mul(group, r, g_scalar, point, p_scalar, ctx);
1608} 1608}
1609 1609
1610static void 1610static void