back out ecc constant time changes

after the constant time commits various regress tests started failing
on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out
resulted in 'invalid elliptic curve value'

ok tb@

21 files changed, 137 insertions, 448 deletions

diff --git a/src/lib/libcrypto/ec/ec2_mult.c b/src/lib/libcrypto/ec/ec2_mult.c
index 463802950d..10191d7916 100644
--- a/src/lib/libcrypto/ec/ec2_mult.c
+++ b/src/lib/libcrypto/ec/ec2_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_mult.c,v 1.10 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec2_mult.c,v 1.11 2018/07/15 05:38:48 jsg Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -111,7 +111,7 @@ gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx)
 
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         return ret;
 }
@@ -155,7 +155,7 @@ gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1,
 
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         return ret;
 }
@@ -243,7 +243,7 @@ gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1,
 
         ret = 2;
 
- err:
+err:
         BN_CTX_end(ctx);
         return ret;
 }
@@ -356,7 +356,7 @@ ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
 
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         return ret;
 }
@@ -424,7 +424,7 @@ ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 
         ret = 1;
 
- err:
+err:
         EC_POINT_free(p);
         EC_POINT_free(acc);
         BN_CTX_free(new_ctx);
diff --git a/src/lib/libcrypto/ec/ec2_oct.c b/src/lib/libcrypto/ec/ec2_oct.c
index 1727f780a3..bb480c5016 100644
--- a/src/lib/libcrypto/ec/ec2_oct.c
+++ b/src/lib/libcrypto/ec/ec2_oct.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_oct.c,v 1.9 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec2_oct.c,v 1.10 2018/07/15 05:38:48 jsg Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -157,7 +157,7 @@ ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point
 
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -272,7 +272,7 @@ ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point,
         BN_CTX_free(new_ctx);
         return ret;
 
- err:
+err:
         if (used_ctx)
                 BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
@@ -374,7 +374,7 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
         }
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
diff --git a/src/lib/libcrypto/ec/ec2_smpl.c b/src/lib/libcrypto/ec/ec2_smpl.c
index f1cbd3f3c4..c3fff56c44 100644
--- a/src/lib/libcrypto/ec/ec2_smpl.c
+++ b/src/lib/libcrypto/ec/ec2_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_smpl.c,v 1.17 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec2_smpl.c,v 1.18 2018/07/15 05:38:48 jsg Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -107,11 +107,15 @@ EC_GF2m_simple_method(void)
                 .point_cmp = ec_GF2m_simple_cmp,
                 .make_affine = ec_GF2m_simple_make_affine,
                 .points_make_affine = ec_GF2m_simple_points_make_affine,
-                .mul_generator_ct = ec_GFp_simple_mul_generator_ct,
-                .mul_single_ct = ec_GFp_simple_mul_single_ct,
-                .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
+
+                /*
+                 * the following three method functions are defined in
+                 * ec2_mult.c
+                 */
+                .mul = ec_GF2m_simple_mul,
                 .precompute_mult = ec_GF2m_precompute_mult,
                 .have_precompute_mult = ec_GF2m_have_precompute_mult,
+
                 .field_mul = ec_GF2m_simple_field_mul,
                 .field_sqr = ec_GF2m_simple_field_sqr,
                 .field_div = ec_GF2m_simple_field_div,
@@ -228,7 +232,7 @@ ec_GF2m_simple_group_set_curve(EC_GROUP * group,
                 group->b.d[i] = 0;
 
         ret = 1;
- err:
+err:
         return ret;
 }
 
@@ -256,7 +260,7 @@ ec_GF2m_simple_group_get_curve(const EC_GROUP *group,
         }
         ret = 1;
 
- err:
+err:
         return ret;
 }
 
@@ -302,7 +306,7 @@ ec_GF2m_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx)
 
         ret = 1;
 
- err:
+err:
         if (ctx != NULL)
                 BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
@@ -394,7 +398,7 @@ ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * p
         point->Z_is_one = 1;
         ret = 1;
 
- err:
+err:
         return ret;
 }
 
@@ -428,7 +432,7 @@ ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group,
         }
         ret = 1;
 
- err:
+err:
         return ret;
 }
 
@@ -545,7 +549,7 @@ ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
 
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -637,7 +641,7 @@ ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX
         if (!BN_GF2m_add(lh, lh, y2))
                 goto err;
         ret = BN_is_zero(lh);
- err:
+err:
         if (ctx)
                 BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
@@ -689,7 +693,7 @@ ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
                 goto err;
         ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1;
 
- err:
+err:
         if (ctx)
                 BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
@@ -730,7 +734,7 @@ ec_GF2m_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ct
 
         ret = 1;
 
- err:
+err:
         if (ctx)
                 BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
diff --git a/src/lib/libcrypto/ec/ec_ameth.c b/src/lib/libcrypto/ec/ec_ameth.c
index 21390aabd4..30f29ef545 100644
--- a/src/lib/libcrypto/ec/ec_ameth.c
+++ b/src/lib/libcrypto/ec/ec_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_ameth.c,v 1.21 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_ameth.c,v 1.22 2018/07/15 05:38:48 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -126,7 +126,7 @@ eckey_pub_encode(X509_PUBKEY * pk, const EVP_PKEY * pkey)
         if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC),
                 ptype, pval, penc, penclen))
                 return 1;
- err:
+err:
         if (ptype == V_ASN1_OBJECT)
                 ASN1_OBJECT_free(pval);
         else
@@ -177,7 +177,7 @@ eckey_type2param(int ptype, const void *pval)
 
         return eckey;
 
- ecerr:
+ecerr:
         if (eckey)
                 EC_KEY_free(eckey);
         return NULL;
@@ -210,7 +210,7 @@ eckey_pub_decode(EVP_PKEY * pkey, X509_PUBKEY * pubkey)
         EVP_PKEY_assign_EC_KEY(pkey, eckey);
         return 1;
 
- ecerr:
+ecerr:
         if (eckey)
                 EC_KEY_free(eckey);
         return 0;
@@ -290,9 +290,9 @@ eckey_priv_decode(EVP_PKEY * pkey, PKCS8_PRIV_KEY_INFO * p8)
         EVP_PKEY_assign_EC_KEY(pkey, eckey);
         return 1;
 
- ecliberr:
+ecliberr:
         ECerror(ERR_R_EC_LIB);
- ecerr:
+ecerr:
         if (eckey)
                 EC_KEY_free(eckey);
         return 0;
@@ -483,7 +483,7 @@ do_EC_KEY_print(BIO * bp, const EC_KEY * x, int off, int ktype)
         if (!ECPKParameters_print(bp, group, off))
                 goto err;
         ret = 1;
- err:
+err:
         if (!ret)
                 ECerror(reason);
         BN_free(pub_key);
diff --git a/src/lib/libcrypto/ec/ec_asn1.c b/src/lib/libcrypto/ec/ec_asn1.c
index 1fb0670efe..f5a1331ba3 100644
--- a/src/lib/libcrypto/ec/ec_asn1.c
+++ b/src/lib/libcrypto/ec/ec_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_asn1.c,v 1.28 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_asn1.c,v 1.29 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -793,7 +793,7 @@ ec_asn1_group2fieldid(const EC_GROUP * group, X9_62_FIELDID * field)
 
         ok = 1;
 
- err:
+err:
         BN_free(tmp);
         return (ok);
 }
@@ -896,7 +896,7 @@ ec_asn1_group2curve(const EC_GROUP * group, X9_62_CURVE * curve)
 
         ok = 1;
 
- err:
+err:
         free(buffer_1);
         free(buffer_2);
         BN_free(tmp_1);
@@ -988,8 +988,7 @@ ec_asn1_group2parameters(const EC_GROUP * group, ECPARAMETERS * param)
         }
         ok = 1;
 
- err:
-        if (!ok) {
+err:    if (!ok) {
                 if (ret && !param)
                         ECPARAMETERS_free(ret);
                 ret = NULL;
@@ -1245,8 +1244,7 @@ ec_asn1_parameters2group(const ECPARAMETERS * params)
         }
         ok = 1;
 
- err:
-        if (!ok) {
+err:    if (!ok) {
                 EC_GROUP_clear_free(ret);
                 ret = NULL;
         }
@@ -1314,7 +1312,7 @@ d2i_ECPKParameters(EC_GROUP ** a, const unsigned char **in, long len)
                 *a = group;
         }
 
- err:
+err:
         ECPKPARAMETERS_free(params);
         return (group);
 }
@@ -1427,7 +1425,7 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len)
                 *a = ret;
         return (ret);
 
- err:
+err:
         if (a == NULL || *a != ret)
                 EC_KEY_free(ret);
         if (priv_key)
@@ -1512,7 +1510,7 @@ i2d_ECPrivateKey(EC_KEY * a, unsigned char **out)
                 goto err;
         }
         ok = 1;
- err:
+err:
         free(buffer);
         if (priv_key)
                 EC_PRIVATEKEY_free(priv_key);
diff --git a/src/lib/libcrypto/ec/ec_check.c b/src/lib/libcrypto/ec/ec_check.c
index b0c63331c6..a76d21c1ff 100644
--- a/src/lib/libcrypto/ec/ec_check.c
+++ b/src/lib/libcrypto/ec/ec_check.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_check.c,v 1.7 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_check.c,v 1.8 2018/07/15 05:38:48 jsg Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
@@ -106,7 +106,7 @@ EC_GROUP_check(const EC_GROUP * group, BN_CTX * ctx)
         }
         ret = 1;
 
- err:
+err:
         if (ctx != NULL)
                 BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
diff --git a/src/lib/libcrypto/ec/ec_curve.c b/src/lib/libcrypto/ec/ec_curve.c
index 7bf85835dc..1808e7b65c 100644
--- a/src/lib/libcrypto/ec/ec_curve.c
+++ b/src/lib/libcrypto/ec/ec_curve.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_curve.c,v 1.17 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_curve.c,v 1.18 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -3235,7 +3235,7 @@ ec_group_new_from_data(const ec_list_element curve)
                 }
         }
         ok = 1;
- err:
+err:
         if (!ok) {
                 EC_GROUP_free(group);
                 group = NULL;
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
index 33c9acccd7..a9f03c4ac2 100644
--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_key.c,v 1.15 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_key.c,v 1.16 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -253,7 +253,7 @@ EC_KEY_generate_key(EC_KEY * eckey)
 
         ok = 1;
 
- err:
+err:
         BN_free(order);
         if (pub_key != NULL && eckey->pub_key == NULL)
                 EC_POINT_free(pub_key);
@@ -324,7 +324,7 @@ EC_KEY_check_key(const EC_KEY * eckey)
                 }
         }
         ok = 1;
- err:
+err:
         BN_CTX_free(ctx);
         EC_POINT_free(point);
         return (ok);
@@ -395,7 +395,7 @@ EC_KEY_set_public_key_affine_coordinates(EC_KEY * key, BIGNUM * x, BIGNUM * y)
 
         ok = 1;
 
- err:
+err:
         BN_CTX_free(ctx);
         EC_POINT_free(point);
         return ok;
diff --git a/src/lib/libcrypto/ec/ec_lcl.h b/src/lib/libcrypto/ec/ec_lcl.h
index 4916d3a14a..bcfd817b70 100644
--- a/src/lib/libcrypto/ec/ec_lcl.h
+++ b/src/lib/libcrypto/ec/ec_lcl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lcl.h,v 1.8 2018/07/10 21:55:49 tb Exp $ */
+/* $OpenBSD: ec_lcl.h,v 1.9 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -160,12 +160,10 @@ struct ec_method_st {
         int (*make_affine)(const EC_GROUP *, EC_POINT *, BN_CTX *);
         int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
 
-        /* used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, EC_POINT_have_precompute_mult */
-        int (*mul_generator_ct)(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar, BN_CTX *);
-        int (*mul_single_ct)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
-                const EC_POINT *point, BN_CTX *);
-        int (*mul_double_nonct)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
-                const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *);
+        /* used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, EC_POINT_have_precompute_mult
+         * (default implementations are used if the 'mul' pointer is 0): */
+        int (*mul)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+                size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
         int (*precompute_mult)(EC_GROUP *group, BN_CTX *);
         int (*have_precompute_mult)(const EC_GROUP *group);
 
@@ -339,11 +337,6 @@ int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
 int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
 int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
 int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
-int ec_GFp_simple_mul_generator_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar, BN_CTX *);
-int ec_GFp_simple_mul_single_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar,
-        const EC_POINT *point, BN_CTX *);
-int ec_GFp_simple_mul_double_nonct(const EC_GROUP *, EC_POINT *r, const BIGNUM *g_scalar,
-        const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *);
 
 
 /* method functions in ecp_mont.c */
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 1d1daca166..29207d6b48 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.26 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.27 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -526,7 +526,7 @@ EC_GROUP_cmp(const EC_GROUP * a, const EC_GROUP * b, BN_CTX * ctx)
 
         return r;
 
- err:
+err:
         BN_CTX_end(ctx);
         if (ctx_new)
                 BN_CTX_free(ctx);
@@ -1026,88 +1026,47 @@ EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
 }
 
 
-/* Functions for point multiplication */
+/* Functions for point multiplication.
+ *
+ * If group->meth->mul is 0, we use the wNAF-based implementations in ec_mult.c;
+ * otherwise we dispatch through methods.
+ */
+
 int 
 EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
     size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
 {
-        /*
-         * The function pointers must be set, and only support num == 0 and
-         * num == 1.
-         */
-        if (group->meth->mul_generator_ct == NULL ||
-            group->meth->mul_single_ct == NULL ||
-            group->meth->mul_double_nonct == NULL ||
-            num > 1) {
-                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return 0;
-        }
-        
-        /* Either bP or aG + bP, this is sane. */
-        if (num == 1 && points != NULL && scalars != NULL)
-                return EC_POINT_mul(group, r, scalar, points[0], scalars[0],
-                    ctx);
-        
-        /* aG, this is sane */
-        if (scalar != NULL && points == NULL && scalars == NULL)
-                return EC_POINT_mul(group, r, scalar, NULL, NULL, ctx);
-        
-        /* anything else is an error */
-        ECerror(ERR_R_EC_LIB);
-        return 0;
+        if (group->meth->mul == 0)
+                /* use default */
+                return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
+
+        return group->meth->mul(group, r, scalar, num, points, scalars, ctx);
 }
 
 int 
 EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
     const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx)
 {
-        if (group->meth->mul_generator_ct == NULL ||
-            group->meth->mul_single_ct == NULL ||
-            group->meth->mul_double_nonct == NULL) {
-                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return 0;
-        }
-        if (g_scalar != NULL && point == NULL && p_scalar == NULL) {
-                /*
-                 * In this case we want to compute g_scalar * GeneratorPoint:
-                 * this codepath is reached most prominently by (ephemeral) key
-                 * generation of EC cryptosystems (i.e. ECDSA keygen and sign
-                 * setup, ECDH keygen/first half), where the scalar is always
-                 * secret. This is why we ignore if BN_FLG_CONSTTIME is actually
-                 * set and we always call the constant time version.
-                 */
-                return group->meth->mul_generator_ct(group, r, g_scalar, ctx);
-        }
-        if (g_scalar == NULL && point != NULL && p_scalar != NULL) {
-                /* In this case we want to compute p_scalar * GenericPoint:
-                 * this codepath is reached most prominently by the second half
-                 * of ECDH, where the secret scalar is multiplied by the peer's
-                 * public point. To protect the secret scalar, we ignore if
-                 * BN_FLG_CONSTTIME is actually set and we always call the
-                 * constant time version.
-                 */
-                return group->meth->mul_single_ct(group, r, p_scalar, point,
-                    ctx);
-        }
-        if (g_scalar != NULL && point != NULL && p_scalar != NULL) {
-                /*
-                 * In this case we want to compute
-                 *   g_scalar * GeneratorPoint + p_scalar * GenericPoint:
-                 * this codepath is reached most prominently by ECDSA signature
-                 * verification. So we call the non-ct version.
-                 */
-                return group->meth->mul_double_nonct(group, r, g_scalar,
-                    p_scalar, point, ctx);
-        }
-                
-        /* Anything else is an error. */
-        ECerror(ERR_R_EC_LIB);
-        return 0;
+        /* just a convenient interface to EC_POINTs_mul() */
+
+        const EC_POINT *points[1];
+        const BIGNUM *scalars[1];
+
+        points[0] = point;
+        scalars[0] = p_scalar;
+
+        return EC_POINTs_mul(group, r, g_scalar,
+            (point != NULL && p_scalar != NULL),
+            points, scalars, ctx);
 }
 
 int 
 EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
 {
+        if (group->meth->mul == 0)
+                /* use default */
+                return ec_wNAF_precompute_mult(group, ctx);
+
         if (group->meth->precompute_mult != 0)
                 return group->meth->precompute_mult(group, ctx);
         else
@@ -1117,6 +1076,10 @@ EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
 int 
 EC_GROUP_have_precompute_mult(const EC_GROUP * group)
 {
+        if (group->meth->mul == 0)
+                /* use default */
+                return ec_wNAF_have_precompute_mult(group);
+
         if (group->meth->have_precompute_mult != 0)
                 return group->meth->have_precompute_mult(group);
         else
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 08bc8c380c..4f321d3f55 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.22 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.23 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
  */
@@ -301,7 +301,7 @@ compute_wNAF(const BIGNUM * scalar, int w, size_t * ret_len)
         len = j;
         ok = 1;
 
- err:
+err:
         if (!ok) {
                 free(r);
                 r = NULL;
@@ -678,7 +678,7 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 
         ret = 1;
 
- err:
+err:
         BN_CTX_free(new_ctx);
         EC_POINT_free(tmp);
         free(wsize);
@@ -857,7 +857,7 @@ ec_wNAF_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
         pre_comp = NULL;
 
         ret = 1;
- err:
+err:
         if (ctx != NULL)
                 BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
diff --git a/src/lib/libcrypto/ec/eck_prn.c b/src/lib/libcrypto/ec/eck_prn.c
index 0291de9613..7c0db42ef4 100644
--- a/src/lib/libcrypto/ec/eck_prn.c
+++ b/src/lib/libcrypto/ec/eck_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eck_prn.c,v 1.13 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: eck_prn.c,v 1.14 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -321,7 +321,7 @@ ECPKParameters_print(BIO * bp, const EC_GROUP * x, int off)
                         goto err;
         }
         ret = 1;
- err:
+err:
         if (!ret)
                 ECerror(reason);
         BN_free(p);
diff --git a/src/lib/libcrypto/ec/ecp_mont.c b/src/lib/libcrypto/ec/ecp_mont.c
index 302f833306..03e594d38d 100644
--- a/src/lib/libcrypto/ec/ecp_mont.c
+++ b/src/lib/libcrypto/ec/ecp_mont.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_mont.c,v 1.13 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_mont.c,v 1.14 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -102,9 +102,6 @@ EC_GFp_mont_method(void)
                 .point_cmp = ec_GFp_simple_cmp,
                 .make_affine = ec_GFp_simple_make_affine,
                 .points_make_affine = ec_GFp_simple_points_make_affine,
-                .mul_generator_ct = ec_GFp_simple_mul_generator_ct,
-                .mul_single_ct = ec_GFp_simple_mul_single_ct,
-                .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
                 .field_mul = ec_GFp_mont_field_mul,
                 .field_sqr = ec_GFp_mont_field_sqr,
                 .field_encode = ec_GFp_mont_field_encode,
@@ -175,7 +172,7 @@ ec_GFp_mont_group_copy(EC_GROUP * dest, const EC_GROUP * src)
         }
         return 1;
 
- err:
+err:
         if (dest->field_data1 != NULL) {
                 BN_MONT_CTX_free(dest->field_data1);
                 dest->field_data1 = NULL;
@@ -228,7 +225,7 @@ ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
                 BN_free(group->field_data2);
                 group->field_data2 = NULL;
         }
- err:
+err:
         BN_CTX_free(new_ctx);
         BN_MONT_CTX_free(mont);
         BN_free(one);
diff --git a/src/lib/libcrypto/ec/ecp_nist.c b/src/lib/libcrypto/ec/ecp_nist.c
index 8aa9f49592..027a07d5c0 100644
--- a/src/lib/libcrypto/ec/ecp_nist.c
+++ b/src/lib/libcrypto/ec/ecp_nist.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nist.c,v 1.11 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_nist.c,v 1.12 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -151,7 +151,7 @@ ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p,
 
         ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
 
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -179,7 +179,7 @@ ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
                 goto err;
 
         ret = 1;
- err:
+err:
         BN_CTX_free(ctx_new);
         return ret;
 }
@@ -206,7 +206,7 @@ ec_GFp_nist_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a,
                 goto err;
 
         ret = 1;
- err:
+err:
         BN_CTX_free(ctx_new);
         return ret;
 }
diff --git a/src/lib/libcrypto/ec/ecp_nistp224.c b/src/lib/libcrypto/ec/ecp_nistp224.c
index 3921508094..1ba8cb09a0 100644
--- a/src/lib/libcrypto/ec/ecp_nistp224.c
+++ b/src/lib/libcrypto/ec/ecp_nistp224.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp224.c,v 1.20 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_nistp224.c,v 1.21 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Emilia Kasper (Google) for the OpenSSL project.
  */
@@ -1281,7 +1281,7 @@ ec_GFp_nistp224_group_set_curve(EC_GROUP * group, const BIGNUM * p,
         }
         group->field_mod_func = BN_nist_mod_224;
         ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -1537,7 +1537,7 @@ ec_GFp_nistp224_points_mul(const EC_GROUP * group, EC_POINT * r,
         }
         ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
 
- err:
+err:
         BN_CTX_end(ctx);
         EC_POINT_free(generator);
         BN_CTX_free(new_ctx);
@@ -1666,7 +1666,7 @@ ec_GFp_nistp224_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
                 goto err;
         ret = 1;
         pre = NULL;
- err:
+err:
         BN_CTX_end(ctx);
         EC_POINT_free(generator);
         BN_CTX_free(new_ctx);
diff --git a/src/lib/libcrypto/ec/ecp_nistp256.c b/src/lib/libcrypto/ec/ecp_nistp256.c
index 7046dcebc0..3b0784f153 100644
--- a/src/lib/libcrypto/ec/ecp_nistp256.c
+++ b/src/lib/libcrypto/ec/ecp_nistp256.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp256.c,v 1.19 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_nistp256.c,v 1.20 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Adam Langley (Google) for the OpenSSL project
  */
@@ -1830,7 +1830,7 @@ ec_GFp_nistp256_group_set_curve(EC_GROUP * group, const BIGNUM * p,
         }
         group->field_mod_func = BN_nist_mod_256;
         ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -2090,7 +2090,7 @@ ec_GFp_nistp256_points_mul(const EC_GROUP * group, EC_POINT * r,
         }
         ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
 
- err:
+err:
         BN_CTX_end(ctx);
         EC_POINT_free(generator);
         BN_CTX_free(new_ctx);
@@ -2213,7 +2213,7 @@ ec_GFp_nistp256_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
                 goto err;
         ret = 1;
         pre = NULL;
- err:
+err:
         BN_CTX_end(ctx);
         EC_POINT_free(generator);
         BN_CTX_free(new_ctx);
diff --git a/src/lib/libcrypto/ec/ecp_nistp521.c b/src/lib/libcrypto/ec/ecp_nistp521.c
index 7c20daae28..823e7a0d51 100644
--- a/src/lib/libcrypto/ec/ecp_nistp521.c
+++ b/src/lib/libcrypto/ec/ecp_nistp521.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp521.c,v 1.20 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_nistp521.c,v 1.21 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Adam Langley (Google) for the OpenSSL project
  */
@@ -1721,7 +1721,7 @@ ec_GFp_nistp521_group_set_curve(EC_GROUP * group, const BIGNUM * p,
         }
         group->field_mod_func = BN_nist_mod_521;
         ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -1979,7 +1979,7 @@ ec_GFp_nistp521_points_mul(const EC_GROUP * group, EC_POINT * r,
         }
         ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
 
- err:
+err:
         BN_CTX_end(ctx);
         EC_POINT_free(generator);
         BN_CTX_free(new_ctx);
@@ -2088,7 +2088,7 @@ ec_GFp_nistp521_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
                 goto err;
         ret = 1;
         pre = NULL;
- err:
+err:
         BN_CTX_end(ctx);
         EC_POINT_free(generator);
         BN_CTX_free(new_ctx);
diff --git a/src/lib/libcrypto/ec/ecp_nistz256.c b/src/lib/libcrypto/ec/ecp_nistz256.c
index 3d52938721..71c2952d8c 100644
--- a/src/lib/libcrypto/ec/ecp_nistz256.c
+++ b/src/lib/libcrypto/ec/ecp_nistz256.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ecp_nistz256.c,v 1.4 2018/07/10 22:06:14 tb Exp $     */
+/*      $OpenBSD: ecp_nistz256.c,v 1.5 2018/07/15 05:38:48 jsg Exp $    */
 /* Copyright (c) 2014, Intel Corporation.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -565,7 +565,7 @@ ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
         }
 
         ret = 1;
- err:
+err:
         free(table);
         free(p_str);
         free(scalars);
@@ -712,7 +712,7 @@ ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx)
         ec_pre_comp = NULL;
         ret = 1;
 
- err:
+err:
         if (ctx != NULL)
                 BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
@@ -985,7 +985,7 @@ ecp_nistz256_points_mul(const EC_GROUP *group, EC_POINT *r,
 
         ret = 1;
 
- err:
+err:
         if (ctx)
                 BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
diff --git a/src/lib/libcrypto/ec/ecp_oct.c b/src/lib/libcrypto/ec/ecp_oct.c
index da9eccfe6a..3d50f707c0 100644
--- a/src/lib/libcrypto/ec/ecp_oct.c
+++ b/src/lib/libcrypto/ec/ecp_oct.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_oct.c,v 1.9 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_oct.c,v 1.10 2018/07/15 05:38:48 jsg Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project.
  * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -190,7 +190,7 @@ ec_GFp_simple_set_compressed_coordinates(const EC_GROUP * group,
 
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -294,7 +294,7 @@ ec_GFp_simple_point2oct(const EC_GROUP * group, const EC_POINT * point, point_co
         BN_CTX_free(new_ctx);
         return ret;
 
- err:
+err:
         if (used_ctx)
                 BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
@@ -388,7 +388,7 @@ ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point,
         }
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index 57e8345364..1fe55307b4 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.19 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.20 2018/07/15 05:38:48 jsg Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project.
  * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -103,9 +103,6 @@ EC_GFp_simple_method(void)
                 .point_cmp = ec_GFp_simple_cmp,
                 .make_affine = ec_GFp_simple_make_affine,
                 .points_make_affine = ec_GFp_simple_points_make_affine,
-                .mul_generator_ct = ec_GFp_simple_mul_generator_ct,
-                .mul_single_ct = ec_GFp_simple_mul_single_ct,
-                .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
                 .field_mul = ec_GFp_simple_field_mul,
                 .field_sqr = ec_GFp_simple_field_sqr
         };
@@ -223,7 +220,7 @@ ec_GFp_simple_group_set_curve(EC_GROUP * group,
 
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -268,7 +265,7 @@ ec_GFp_simple_group_get_curve(const EC_GROUP * group, BIGNUM * p, BIGNUM * a, BI
         }
         ret = 1;
 
- err:
+err:
         BN_CTX_free(new_ctx);
         return ret;
 }
@@ -349,7 +346,7 @@ ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx)
         }
         ret = 1;
 
- err:
+err:
         if (ctx != NULL)
                 BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
@@ -459,7 +456,7 @@ ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP * group, EC_POINT *
         }
         ret = 1;
 
- err:
+err:
         BN_CTX_free(new_ctx);
         return ret;
 }
@@ -507,7 +504,7 @@ ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP * group, const EC_P
 
         ret = 1;
 
- err:
+err:
         BN_CTX_free(new_ctx);
         return ret;
 }
@@ -627,7 +624,7 @@ ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POIN
 
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -814,7 +811,7 @@ ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, cons
 
         ret = 1;
 
- end:
+end:
         if (ctx)                /* otherwise we already called BN_CTX_end */
                 BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
@@ -957,7 +954,7 @@ ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_C
 
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -1078,7 +1075,7 @@ ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX
 
         ret = (0 == BN_ucmp(tmp, rh));
 
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -1180,7 +1177,7 @@ ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b
         /* points are equal */
         ret = 0;
 
- end:
+end:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -1218,7 +1215,7 @@ ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx
         }
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         return ret;
@@ -1383,7 +1380,7 @@ ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT *
 
         ret = 1;
 
- err:
+err:
         BN_CTX_end(ctx);
         BN_CTX_free(new_ctx);
         if (heap != NULL) {
@@ -1412,248 +1409,3 @@ ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN
 {
         return BN_mod_sqr(r, a, &group->field, ctx);
 }
-
-#define EC_POINT_BN_set_flags(P, flags) do {                            \
-        BN_set_flags(&(P)->X, (flags));                                 \
-        BN_set_flags(&(P)->Y, (flags));                                 \
-        BN_set_flags(&(P)->Z, (flags));                                 \
-} while(0)
-
-#define EC_POINT_CSWAP(c, a, b, w, t) do {                              \
-        if (!BN_swap_ct(c, &(a)->X, &(b)->X, w) ||                      \
-            !BN_swap_ct(c, &(a)->Y, &(b)->Y, w) ||                      \
-            !BN_swap_ct(c, &(a)->Z, &(b)->Z, w))                        \
-                goto err;                                               \
-        t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c);                      \
-        (a)->Z_is_one ^= (t);                                           \
-        (b)->Z_is_one ^= (t);                                           \
-} while(0)
-
-/*
- * This function computes (in constant time) a point multiplication over the
- * EC group.
- *
- * At a high level, it is Montgomery ladder with conditional swaps.
- *
- * It performs either a fixed point multiplication
- *          (scalar * generator)
- * when point is NULL, or a variable point multiplication
- *          (scalar * point)
- * when point is not NULL.
- *
- * scalar should be in the range [0,n) otherwise all constant time bets are off.
- *
- * NB: This says nothing about EC_POINT_add and EC_POINT_dbl,
- * which of course are not constant time themselves.
- *
- * The product is stored in r.
- *
- * Returns 1 on success, 0 otherwise.
- */
-static int
-ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
-    const EC_POINT *point, BN_CTX *ctx)
-{
-        int i, cardinality_bits, group_top, kbit, pbit, Z_is_one;
-        EC_POINT *s = NULL;
-        BIGNUM *k = NULL;
-        BIGNUM *lambda = NULL;
-        BIGNUM *cardinality = NULL;
-        BN_CTX *new_ctx = NULL;
-        int ret = 0;
-
-        if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL)
-                return 0;
-
-        BN_CTX_start(ctx);
-
-        if ((s = EC_POINT_new(group)) == NULL)
-                goto err;
-
-        if (point == NULL) {
-                if (!EC_POINT_copy(s, group->generator))
-                        goto err;
-        } else {
-                if (!EC_POINT_copy(s, point))
-                        goto err;
-        }
-
-        EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME);
-
-        if ((cardinality = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((lambda = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if ((k = BN_CTX_get(ctx)) == NULL)
-                goto err;
-        if (!BN_mul(cardinality, &group->order, &group->cofactor, ctx))
-                goto err;
-
-        /*
-         * Group cardinalities are often on a word boundary.
-         * So when we pad the scalar, some timing diff might
-         * pop if it needs to be expanded due to carries.
-         * So expand ahead of time.
-         */
-        cardinality_bits = BN_num_bits(cardinality);
-        group_top = cardinality->top;
-        if ((bn_wexpand(k, group_top + 1) == NULL) ||
-            (bn_wexpand(lambda, group_top + 1) == NULL))
-                goto err;
-
-        if (!BN_copy(k, scalar))
-                goto err;
-
-        BN_set_flags(k, BN_FLG_CONSTTIME);
-
-        if (BN_num_bits(k) > cardinality_bits || BN_is_negative(k)) {
-                /*
-                 * This is an unusual input, and we don't guarantee
-                 * constant-timeness
-                 */
-                if (!BN_nnmod(k, k, cardinality, ctx))
-                        goto err;
-        }
-
-        if (!BN_add(lambda, k, cardinality))
-                goto err;
-        BN_set_flags(lambda, BN_FLG_CONSTTIME);
-        if (!BN_add(k, lambda, cardinality))
-                goto err;
-        /*
-         * lambda := scalar + cardinality
-         * k := scalar + 2*cardinality
-         */
-        kbit = BN_is_bit_set(lambda, cardinality_bits);
-        if (!BN_swap_ct(kbit, k, lambda, group_top + 1))
-                goto err;
-
-        group_top = group->field.top;
-        if ((bn_wexpand(&s->X, group_top) == NULL) ||
-            (bn_wexpand(&s->Y, group_top) == NULL) ||
-            (bn_wexpand(&s->Z, group_top) == NULL) ||
-            (bn_wexpand(&r->X, group_top) == NULL) ||
-            (bn_wexpand(&r->Y, group_top) == NULL) ||
-            (bn_wexpand(&r->Z, group_top) == NULL))
-                goto err;
-
-        /* top bit is a 1, in a fixed pos */
-        if (!EC_POINT_copy(r, s))
-                goto err;
-
-        EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME);
-
-        if (!EC_POINT_dbl(group, s, s, ctx))
-                goto err;
-
-        pbit = 0;
-
-        /*
-         * The ladder step, with branches, is
-         *
-         * k[i] == 0: S = add(R, S), R = dbl(R)
-         * k[i] == 1: R = add(S, R), S = dbl(S)
-         *
-         * Swapping R, S conditionally on k[i] leaves you with state
-         *
-         * k[i] == 0: T, U = R, S
-         * k[i] == 1: T, U = S, R
-         *
-         * Then perform the ECC ops.
-         *
-         * U = add(T, U)
-         * T = dbl(T)
-         *
-         * Which leaves you with state
-         *
-         * k[i] == 0: U = add(R, S), T = dbl(R)
-         * k[i] == 1: U = add(S, R), T = dbl(S)
-         *
-         * Swapping T, U conditionally on k[i] leaves you with state
-         *
-         * k[i] == 0: R, S = T, U
-         * k[i] == 1: R, S = U, T
-         *
-         * Which leaves you with state
-         *
-         * k[i] == 0: S = add(R, S), R = dbl(R)
-         * k[i] == 1: R = add(S, R), S = dbl(S)
-         *
-         * So we get the same logic, but instead of a branch it's a
-         * conditional swap, followed by ECC ops, then another conditional swap.
-         *
-         * Optimization: The end of iteration i and start of i-1 looks like
-         *
-         * ...
-         * CSWAP(k[i], R, S)
-         * ECC
-         * CSWAP(k[i], R, S)
-         * (next iteration)
-         * CSWAP(k[i-1], R, S)
-         * ECC
-         * CSWAP(k[i-1], R, S)
-         * ...
-         *
-         * So instead of two contiguous swaps, you can merge the condition
-         * bits and do a single swap.
-         *
-         * k[i]   k[i-1]    Outcome
-         * 0      0         No Swap
-         * 0      1         Swap
-         * 1      0         Swap
-         * 1      1         No Swap
-         *
-         * This is XOR. pbit tracks the previous bit of k.
-         */
-
-        for (i = cardinality_bits - 1; i >= 0; i--) {
-                kbit = BN_is_bit_set(k, i) ^ pbit;
-                EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one);
-                if (!EC_POINT_add(group, s, r, s, ctx))
-                        goto err;
-                if (!EC_POINT_dbl(group, r, r, ctx))
-                        goto err;
-                /*
-                 * pbit logic merges this cswap with that of the
-                 * next iteration
-                 */
-                pbit ^= kbit;
-        }
-        /* one final cswap to move the right value into r */
-        EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one);
-        
-        ret = 1;
-
- err:
-        EC_POINT_free(s);
-        if (ctx != NULL)
-                BN_CTX_end(ctx);
-        BN_CTX_free(new_ctx);
-
-        return ret;
-}
-
-#undef EC_POINT_BN_set_flags
-#undef EC_POINT_CSWAP
-
-int
-ec_GFp_simple_mul_generator_ct(const EC_GROUP *group, EC_POINT *r,
-    const BIGNUM *scalar, BN_CTX *ctx)
-{
-        return ec_GFp_simple_mul_ct(group, r, scalar, NULL, ctx);
-}
-
-int
-ec_GFp_simple_mul_single_ct(const EC_GROUP *group, EC_POINT *r,
-    const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx)
-{
-        return ec_GFp_simple_mul_ct(group, r, scalar, point, ctx);
-}
-
-int
-ec_GFp_simple_mul_double_nonct(const EC_GROUP *group, EC_POINT *r,
-    const BIGNUM *g_scalar, const BIGNUM *p_scalar, const EC_POINT *point,
-    BN_CTX *ctx)
-{
-        return ec_wNAF_mul(group, r, g_scalar, 1, &point, &p_scalar, ctx);
-}
diff --git a/src/lib/libcrypto/man/EC_POINT_add.3 b/src/lib/libcrypto/man/EC_POINT_add.3
index e2a33b6a72..a9ad5563cc 100644
--- a/src/lib/libcrypto/man/EC_POINT_add.3
+++ b/src/lib/libcrypto/man/EC_POINT_add.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EC_POINT_add.3,v 1.9 2018/07/11 08:42:38 tb Exp $
+.\"     $OpenBSD: EC_POINT_add.3,v 1.10 2018/07/15 05:38:48 jsg Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 11 2018 $
+.Dd $Mdocdate: July 15 2018 $
 .Dt EC_POINT_ADD 3
 .Os
 .Sh NAME
@@ -217,30 +217,12 @@ The value
 .Fa n
 may be
 .Dv NULL ,
-in which case the result is just
+in which case the result is just q * m.
 .Pp
-.Dl q * m.
-.Pp
-.Fn EC_POINTs_mul
-only supports the values 0 and 1 for
-.Fa num .
-If it is 1, then
 .Fn EC_POINTs_mul
 calculates the value
 .Pp
-.Dl generator * n + q[0] * m[0].
-.Pp
-If
-.Fa num
-is 0 then
-.Fa q
-and
-.Fa m
-must be
-.Dv NULL ,
-and the result is just
-.Pp
-.Dl generator * n .
+.Dl generator * n + q[0] * m[0] + ... + q[num-1] * m[num-1]
 .Pp
 As for
 .Fn EC_POINT_mul ,