Explicitly pass group generator to mul_double_nonct() from EC_POINT_mul().

EC_POINT_mul() has a complex multi-use interface - there are effectively three different ways it will behave, depending on which arguments are NULL. In the case where we compute g_scalar * generator + p_scalar * point, the mul_double_nonct() function pointer is called, however only g_scalar, p_scalar and point are passed - it is expected that the lower level implementation (in this case ec_wnaf_mul()) will use the generator from the group. Change mul_double_nonct(), ec_mul_double_nonct() and ec_wnaf_mul() so that they take scalar1, point1, scalar2 and point2. This removes all knowledge of g_scalar and the generator from the multiplication code, keeping it limited to EC_POINT_mul(). While here also consistently pass scalar then point, rather than a mix of scalar/point and point/scalar. ok tb@
author: jsing <> 2025-03-24 13:07:04 +0000
committer: jsing <> 2025-03-24 13:07:04 +0000
commit: 865465694bb9f7950a0710e8d7667d2540779602 (patch)
tree: 6397da5be4e5b65da2b65dd38a2c3f1202843573 /src
parent: 572b48cb49edaff7e25c2a2130a6715142745223 (diff)
download: openbsd-865465694bb9f7950a0710e8d7667d2540779602.tar.gz
openbsd-865465694bb9f7950a0710e8d7667d2540779602.tar.bz2
openbsd-865465694bb9f7950a0710e8d7667d2540779602.zip
4 files changed, 33 insertions, 35 deletions
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 598038de1d..7982d23f06 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.122 2025/03/24 12:49:13 jsing Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.123 2025/03/24 13:07:04 jsing Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -1333,8 +1333,8 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
                 * secret. This is why we ignore if BN_FLG_CONSTTIME is actually
                 * set and we always call the constant time version.
                 */
-                ret = group->meth->mul_single_ct(group, r, g_scalar,
+                ret = group->meth->mul_single_ct(group, r,
-                    group->generator, ctx);
+                    g_scalar, group->generator, ctx);
        } else if (g_scalar == NULL && point != NULL && p_scalar != NULL) {
                /*
                 * In this case we want to compute p_scalar * GenericPoint:
@@ -1352,8 +1352,8 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
                 * this codepath is reached most prominently by ECDSA signature
                 * verification. So we call the non-ct version.
                 */
-                ret = group->meth->mul_double_nonct(group, r, g_scalar,
+                ret = group->meth->mul_double_nonct(group, r,
-                    p_scalar, point, ctx);
+                    g_scalar, group->generator, p_scalar, point, ctx);
        } else {
                /* Anything else is an error. */
                ECerror(ERR_R_EC_LIB);
diff --git a/src/lib/libcrypto/ec/ec_local.h b/src/lib/libcrypto/ec/ec_local.h
index 9c188c0197..c7a54d3a2b 100644
--- a/src/lib/libcrypto/ec/ec_local.h
+++ b/src/lib/libcrypto/ec/ec_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_local.h,v 1.66 2025/03/09 15:33:35 tb Exp $ */
+/* $OpenBSD: ec_local.h,v 1.67 2025/03/24 13:07:04 jsing Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -106,8 +106,8 @@ typedef struct ec_method_st {
        int (*mul_single_ct)(const EC_GROUP *group, EC_POINT *r,
            const BIGNUM *scalar, const EC_POINT *point, BN_CTX *);
        int (*mul_double_nonct)(const EC_GROUP *group, EC_POINT *r,
-            const BIGNUM *g_scalar, const BIGNUM *p_scalar,
+            const BIGNUM *scalar1, const EC_POINT *point1,
-            const EC_POINT *point, BN_CTX *);
+            const BIGNUM *scalar2, const EC_POINT *point2, BN_CTX *);
        /*
         * These can be used by 'add' and 'dbl' so that the same implementations
@@ -173,9 +173,10 @@ struct ec_point_st {
 const EC_METHOD *EC_GFp_simple_method(void);
 const EC_METHOD *EC_GFp_mont_method(void);
-/* Compute r = generator * m + point * n in non-constant time. */
+/* Compute r = scalar1 * point1 + scalar2 * point2 in non-constant time. */
-int ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
+int ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
-    const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx);
+    const EC_POINT *point1, const BIGNUM *scalar2, const EC_POINT *point2,
+    BN_CTX *ctx);
 int ec_group_is_builtin_curve(const EC_GROUP *group, int *out_nid);
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 68061ffd67..673696a9fd 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.57 2025/01/11 13:58:31 tb Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.58 2025/03/24 13:07:04 jsing Exp $ */
 /*
 * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
 */
@@ -259,7 +259,7 @@ ec_wnaf_free(struct ec_wnaf *wnaf)
 */
 static struct ec_wnaf *
-ec_wnaf_new(const EC_GROUP *group, const EC_POINT *point, const BIGNUM *bn,
+ec_wnaf_new(const EC_GROUP *group, const BIGNUM *scalar, const EC_POINT *point,
    BN_CTX *ctx)
 {
        struct ec_wnaf *wnaf;
@@ -267,15 +267,15 @@ ec_wnaf_new(const EC_GROUP *group, const EC_POINT *point, const BIGNUM *bn,
        if ((wnaf = calloc(1, sizeof(*wnaf))) == NULL)
                goto err;
-        wnaf->num_digits = BN_num_bits(bn) + 1;
+        wnaf->num_digits = BN_num_bits(scalar) + 1;
        if ((wnaf->digits = calloc(wnaf->num_digits,
            sizeof(*wnaf->digits))) == NULL)
                goto err;
-        if (!ec_compute_wnaf(bn, wnaf->digits, wnaf->num_digits))
+        if (!ec_compute_wnaf(scalar, wnaf->digits, wnaf->num_digits))
                goto err;
-        wnaf->num_multiples = 1ULL << (ec_window_bits(bn) - 1);
+        wnaf->num_multiples = 1ULL << (ec_window_bits(scalar) - 1);
        if ((wnaf->multiples = calloc(wnaf->num_multiples,
            sizeof(*wnaf->multiples))) == NULL)
                goto err;
@@ -313,38 +313,34 @@ ec_wnaf_multiple(struct ec_wnaf *wnaf, signed char digit)
 }
 /*
- * Compute r = generator * m + point * n in non-constant time.
+ * Compute r = scalar1 * point1 + scalar2 * point2 in non-constant time.
 */
 int
-ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
+ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
-    const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx)
+    const EC_POINT *point1, const BIGNUM *scalar2, const EC_POINT *point2,
+    BN_CTX *ctx)
 {
        struct ec_wnaf *wnaf[2] = { NULL, NULL };
-        const EC_POINT *generator;
        size_t i;
        int k;
        int r_is_inverted = 0;
        size_t num_digits;
        int ret = 0;
-        if (m == NULL || n == NULL) {
+        if (scalar1 == NULL || scalar2 == NULL) {
                ECerror(ERR_R_PASSED_NULL_PARAMETER);
                goto err;
        }
-        if (group->meth != r->meth || group->meth != point->meth) {
+        if (group->meth != r->meth || group->meth != point1->meth ||
+            group->meth != point2->meth) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                goto err;
        }
-        if ((generator = EC_GROUP_get0_generator(group)) == NULL) {
+        if ((wnaf[0] = ec_wnaf_new(group, scalar1, point1, ctx)) == NULL)
-                ECerror(EC_R_UNDEFINED_GENERATOR);
-                goto err;
-        }
-        if ((wnaf[0] = ec_wnaf_new(group, generator, m, ctx)) == NULL)
                goto err;
-        if ((wnaf[1] = ec_wnaf_new(group, point, n, ctx)) == NULL)
+        if ((wnaf[1] = ec_wnaf_new(group, scalar2, point2, ctx)) == NULL)
                goto err;
        if (!ec_normalize_points(group, wnaf[0], wnaf[1], ctx))
@@ -357,8 +353,8 @@ ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
        /*
         * Set r to the neutral element. Scan through the wNAF representations
         * of m and n, starting at the most significant digit. Double r and for
-         * each wNAF digit of m add the digit times the generator, and for each
+         * each wNAF digit of scalar1 add the digit times point1, and for each
-         * wNAF digit of n add the digit times the point, adjusting the signs
+         * wNAF digit of scalar2 add the digit times point2, adjusting the signs
         * as appropriate.
         */
diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c
index 544c2be4d4..ced85ceb1e 100644
--- a/src/lib/libcrypto/ec/ecp_methods.c
+++ b/src/lib/libcrypto/ec/ecp_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_methods.c,v 1.44 2025/03/09 15:33:35 tb Exp $ */
+/* $OpenBSD: ecp_methods.c,v 1.45 2025/03/24 13:07:04 jsing Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * for the OpenSSL project.
 * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1194,10 +1194,11 @@ ec_mul_single_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 }
 static int
-ec_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
+ec_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
-    const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *ctx)
+    const EC_POINT *point1, const BIGNUM *scalar2, const EC_POINT *point2,
+    BN_CTX *ctx)
 {
-        return ec_wnaf_mul(group, r, g_scalar, point, p_scalar, ctx);
+        return ec_wnaf_mul(group, r, scalar1, point1, scalar2, point2, ctx);
 }
 static int
author	jsing <>	2025-03-24 13:07:04 +0000
committer	jsing <>	2025-03-24 13:07:04 +0000
commit	865465694bb9f7950a0710e8d7667d2540779602 (patch)
tree	6397da5be4e5b65da2b65dd38a2c3f1202843573 /src
parent	572b48cb49edaff7e25c2a2130a6715142745223 (diff)
download	openbsd-865465694bb9f7950a0710e8d7667d2540779602.tar.gz openbsd-865465694bb9f7950a0710e8d7667d2540779602.tar.bz2 openbsd-865465694bb9f7950a0710e8d7667d2540779602.zip