Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/ec/ec_mult.c45
1 files changed, 20 insertions, 25 deletions
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 9015a5a649..e336cf0fac 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ec_mult.c,v 1.35 2024/11/16 15:32:08 tb Exp $ */ 1/* $OpenBSD: ec_mult.c,v 1.36 2024/11/21 14:36:03 tb Exp $ */
2/* 2/*
3 * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. 3 * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
4 */ 4 */
@@ -233,7 +233,6 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
233 size_t i, j; 233 size_t i, j;
234 int k; 234 int k;
235 int r_is_inverted = 0; 235 int r_is_inverted = 0;
236 int r_is_at_infinity = 1;
237 size_t *wsize = NULL; /* individual window sizes */ 236 size_t *wsize = NULL; /* individual window sizes */
238 signed char **wNAF = NULL; /* individual wNAFs */ 237 signed char **wNAF = NULL; /* individual wNAFs */
239 size_t *wNAF_len = NULL; 238 size_t *wNAF_len = NULL;
@@ -356,13 +355,21 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
356 if (!EC_POINTs_make_affine(group, num_val, val, ctx)) 355 if (!EC_POINTs_make_affine(group, num_val, val, ctx))
357 goto err; 356 goto err;
358 357
359 r_is_at_infinity = 1; 358 /*
359 * Set r to the neutral element. Scan through the wNAF representations
360 * of m and n, starting at the most significant digit. Double r and for
361 * each wNAF digit of m add the digit times the point, and for each
362 * wNAF digit of n add the digit times the generator, adjusting the
363 * signs as appropriate.
364 */
365
366 if (!EC_POINT_set_to_infinity(group, r))
367 goto err;
360 368
361 for (k = max_len - 1; k >= 0; k--) { 369 for (k = max_len - 1; k >= 0; k--) {
362 if (!r_is_at_infinity) { 370 if (!EC_POINT_dbl(group, r, r, ctx))
363 if (!EC_POINT_dbl(group, r, r, ctx)) 371 goto err;
364 goto err; 372
365 }
366 for (i = 0; i < totalnum; i++) { 373 for (i = 0; i < totalnum; i++) {
367 if (wNAF_len[i] > (size_t) k) { 374 if (wNAF_len[i] > (size_t) k) {
368 int digit = wNAF[i][k]; 375 int digit = wNAF[i][k];
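Review bot: The unconditional `EC_POINT_dbl(group, r, r, ctx)` at new line 370 now runs while r is still the neutral element for the first iteration(s), and the add/invert calls further down in the inner loop do too, which is exactly what the removed `r_is_at_infinity` shortcut used to avoid; the new code's correctness therefore rests on the group's dbl/add/invert methods handling the point at infinity, and the new comment block at 358-364 should record that invariant rather than leave it implicit. I would append to that comment `* This relies on EC_POINT_dbl(), EC_POINT_add() and EC_POINT_invert() handling the neutral element correctly.` The cost is one doubling of the neutral element per leading position before the first nonzero digit, which is presumably negligible next to the bookkeeping it removes. The digit-dependent additions in the inner loop make this path variable-time in the scalars, so it should only be reached for public scalars; the hunk does not show which callers use it. ec_wNAF_mul() begins and ends outside this hunk.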
@@ -375,34 +382,22 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
375 digit = -digit; 382 digit = -digit;
376 383
377 if (is_neg != r_is_inverted) { 384 if (is_neg != r_is_inverted) {
378 if (!r_is_at_infinity) { 385 if (!EC_POINT_invert(group, r, ctx))
379 if (!EC_POINT_invert(group, r, ctx)) 386 goto err;
380 goto err;
381 }
382 r_is_inverted = !r_is_inverted; 387 r_is_inverted = !r_is_inverted;
383 } 388 }
384 /* digit > 0 */ 389 /* digit > 0 */
385 390
386 if (r_is_at_infinity) { 391 if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx))
387 if (!EC_POINT_copy(r, val_sub[i][digit >> 1])) 392 goto err;
388 goto err;
389 r_is_at_infinity = 0;
390 } else {
391 if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx))
392 goto err;
393 }
394 } 393 }
395 } 394 }
396 } 395 }
397 } 396 }
398 397
399 if (r_is_at_infinity) { 398 if (r_is_inverted) {
400 if (!EC_POINT_set_to_infinity(group, r)) 399 if (!EC_POINT_invert(group, r, ctx))
401 goto err; 400 goto err;
402 } else {
403 if (r_is_inverted)
404 if (!EC_POINT_invert(group, r, ctx))
405 goto err;
406 } 401 }
407 402
408 ret = 1; 403 ret = 1;
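Review bot: The `EC_POINT_invert(group, r, ctx)` at new line 385 can now be reached while r is still the point at infinity (when the first nonzero wNAF digit encountered is negative), which the removed `!r_is_at_infinity` guard previously prevented; correctness requires invert to leave the neutral element unchanged, which holds for the usual projective representation but is not stated anywhere here. A one-line comment above the call would make the assumption explicit: `/* r may still be the neutral element here; invert must leave it unchanged. */` The `(size_t) k` comparison at 374 is safe since the loop keeps k >= 0, and the braced single-statement `if (r_is_inverted)` block at 398-401 is consistent with the surrounding style. The err label and cleanup of ec_wNAF_mul() lie outside this hunk.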