authortb <>2024-11-22 17:08:13 +0000
committertb <>2024-11-22 17:08:13 +0000
commitbfef86f278f7d1d9ebade63c9d0ad4c5e4155c39 (patch)
tree6d36e74def888854e8b3a19843b5c1f1c8c5723e /src
parent8779fdbb1d3be3f67d2c6e4127059274af065610 (diff)
Stop using BIGNUM internals, add some clarifying comments
ok jsing
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/ec/ec_mult.c27
1 files changed, 23 insertions, 4 deletions
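diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 546a74c590..4dc5e12a46 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.45 2024/11/22 16:27:46 tb Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.46 2024/11/22 17:08:13 tb Exp $ */
 /*
  * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
  */
@@ -67,7 +67,6 @@
 #include <openssl/ec.h>
 #include <openssl/err.h>
 
-#include "bn_local.h"
 #include "ec_local.h"
 
 static int
@@ -89,6 +88,10 @@ ec_window_bits(const BIGNUM *bn)
 	return 1;
 }
 
+/*
+ * Modified width-(w+1) non-adjacent form of bn.
+ */
+
 static int
 ec_compute_wNAF(const BIGNUM *bn, signed char **out_wNAF, size_t *out_wNAF_len,
     size_t *out_len)
@@ -108,6 +111,8 @@ ec_compute_wNAF(const BIGNUM *bn, signed char **out_wNAF, size_t *out_wNAF_len,
 		goto done;
 	}
 
+	sign = BN_is_negative(bn) ? -1 : 1;
+
 	wNAF_len = BN_num_bits(bn);
 	if ((wNAF = calloc(1, wNAF_len + 1)) == NULL) {
 		ECerror(ERR_R_MALLOC_FAILURE);
@@ -121,13 +126,25 @@ ec_compute_wNAF(const BIGNUM *bn, signed char **out_wNAF, size_t *out_wNAF_len,
 	next = bit << 1;
 	mask = next - 1;
 
-	sign = BN_is_negative(bn) ? -1 : 1;
 
-	window = bn->d[0] & mask;
+	/* Extract the wbits + 1 lowest bits without using BIGNUM internals. */
+	window = 0;
+	for (i = 0; i < wbits + 1; i++) {
+		if (BN_is_bit_set(bn, i))
+			window |= (1 << i);
+	}
 
+	/* Instead of bn >>= 1 in each iteration, slide window to the left. */
 	for (i = 0; i + wbits + 1 < wNAF_len || window != 0; i++) {
 		digit = 0;
 
+		/*
+		 * If window is odd, the i-th wNAF digit is window (mods 2^w),
+		 * where mods is the signed modulo in (-2^w-1, 2^w-1]. In the
+		 * last iterations the digits are grouped slightly differently.
+		 * Subtract the digit from window, so window is 0, next, or bit,
+		 * and add the digit to the wNAF digits.
+		 */
 		if ((window & 1) != 0) {
 			digit = window;
 			if ((window & bit) != 0) {
@@ -140,6 +157,8 @@ ec_compute_wNAF(const BIGNUM *bn, signed char **out_wNAF, size_t *out_wNAF_len,
 		}
 
 		wNAF[i] = sign * digit;
+
+		/* Slide the window to the left. */
 		window >>= 1;
 		window += bit * BN_is_bit_set(bn, i + wbits + 1);
 	}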