1 files changed, 32 insertions, 69 deletions
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 1d1daca166..29207d6b48 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.26 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.27 2018/07/15 05:38:48 jsg Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -526,7 +526,7 @@ EC_GROUP_cmp(const EC_GROUP * a, const EC_GROUP * b, BN_CTX * ctx)
        return r;
- err:
+err:
        BN_CTX_end(ctx);
        if (ctx_new)
                BN_CTX_free(ctx);
@@ -1026,88 +1026,47 @@ EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
 }
-/* Functions for point multiplication */
+/* Functions for point multiplication.
+ *
+ * If group->meth->mul is 0, we use the wNAF-based implementations in ec_mult.c;
+ * otherwise we dispatch through methods.
+ */
 int 
 EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
    size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
 {
-        /*
+        if (group->meth->mul == 0)
-         * The function pointers must be set, and only support num == 0 and
+                /* use default */
-         * num == 1.
+                return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
-         */
-        if (group->meth->mul_generator_ct == NULL ||
+        return group->meth->mul(group, r, scalar, num, points, scalars, ctx);
-            group->meth->mul_single_ct == NULL ||
-            group->meth->mul_double_nonct == NULL ||
-            num > 1) {
-                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return 0;
-        }
-        
-        /* Either bP or aG + bP, this is sane. */
-        if (num == 1 && points != NULL && scalars != NULL)
-                return EC_POINT_mul(group, r, scalar, points[0], scalars[0],
-                    ctx);
-        
-        /* aG, this is sane */
-        if (scalar != NULL && points == NULL && scalars == NULL)
-                return EC_POINT_mul(group, r, scalar, NULL, NULL, ctx);
-        
-        /* anything else is an error */
-        ECerror(ERR_R_EC_LIB);
-        return 0;
 }
 int 
 EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
    const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx)
 {
-        if (group->meth->mul_generator_ct == NULL ||
+        /* just a convenient interface to EC_POINTs_mul() */
-            group->meth->mul_single_ct == NULL ||
-            group->meth->mul_double_nonct == NULL) {
+        const EC_POINT *points[1];
-                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+        const BIGNUM *scalars[1];
-                return 0;
-        }
+        points[0] = point;
-        if (g_scalar != NULL && point == NULL && p_scalar == NULL) {
+        scalars[0] = p_scalar;
-                /*
-                 * In this case we want to compute g_scalar * GeneratorPoint:
+        return EC_POINTs_mul(group, r, g_scalar,
-                 * this codepath is reached most prominently by (ephemeral) key
+            (point != NULL && p_scalar != NULL),
-                 * generation of EC cryptosystems (i.e. ECDSA keygen and sign
+            points, scalars, ctx);
-                 * setup, ECDH keygen/first half), where the scalar is always
-                 * secret. This is why we ignore if BN_FLG_CONSTTIME is actually
-                 * set and we always call the constant time version.
-                 */
-                return group->meth->mul_generator_ct(group, r, g_scalar, ctx);
-        }
-        if (g_scalar == NULL && point != NULL && p_scalar != NULL) {
-                /* In this case we want to compute p_scalar * GenericPoint:
-                 * this codepath is reached most prominently by the second half
-                 * of ECDH, where the secret scalar is multiplied by the peer's
-                 * public point. To protect the secret scalar, we ignore if
-                 * BN_FLG_CONSTTIME is actually set and we always call the
-                 * constant time version.
-                 */
-                return group->meth->mul_single_ct(group, r, p_scalar, point,
-                    ctx);
-        }
-        if (g_scalar != NULL && point != NULL && p_scalar != NULL) {
-                /*
-                 * In this case we want to compute
-                 *   g_scalar * GeneratorPoint + p_scalar * GenericPoint:
-                 * this codepath is reached most prominently by ECDSA signature
-                 * verification. So we call the non-ct version.
-                 */
-                return group->meth->mul_double_nonct(group, r, g_scalar,
-                    p_scalar, point, ctx);
-        }
-                
-        /* Anything else is an error. */
-        ECerror(ERR_R_EC_LIB);
-        return 0;
 }
 int 
 EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
 {
+        if (group->meth->mul == 0)
+                /* use default */
+                return ec_wNAF_precompute_mult(group, ctx);
        if (group->meth->precompute_mult != 0)
                return group->meth->precompute_mult(group, ctx);
        else
@@ -1117,6 +1076,10 @@ EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
 int 
 EC_GROUP_have_precompute_mult(const EC_GROUP * group)
 {
+        if (group->meth->mul == 0)
+                /* use default */
+                return ec_wNAF_have_precompute_mult(group);
        if (group->meth->have_precompute_mult != 0)
                return group->meth->have_precompute_mult(group);
        else

diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c index 1d1daca166..29207d6b48 100644 --- a/src/lib/libcrypto/ec/ec_lib.c +++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ec_lib.c,v 1.26 2018/07/10 22:06:14 tb Exp $ */	1	/* $OpenBSD: ec_lib.c,v 1.27 2018/07/15 05:38:48 jsg Exp $ */
2	/*	2	/*
3	* Originally written by Bodo Moeller for the OpenSSL project.	3	* Originally written by Bodo Moeller for the OpenSSL project.
4	*/	4	*/
@@ -526,7 +526,7 @@ EC_GROUP_cmp(const EC_GROUP * a, const EC_GROUP * b, BN_CTX * ctx)
526		526
527	return r;	527	return r;
528		528
529	err:	529	err:
530	BN_CTX_end(ctx);	530	BN_CTX_end(ctx);
531	if (ctx_new)	531	if (ctx_new)
532	BN_CTX_free(ctx);	532	BN_CTX_free(ctx);
@@ -1026,88 +1026,47 @@ EC_POINTs_make_affine(const EC_GROUP group, size_t num, EC_POINT points[],
1026	}	1026	}
1027		1027
1028		1028
1029	/* Functions for point multiplication */	1029	/* Functions for point multiplication.
		1030	*
		1031	* If group->meth->mul is 0, we use the wNAF-based implementations in ec_mult.c;
		1032	* otherwise we dispatch through methods.
		1033	*/
		1034
1030	int	1035	int
1031	EC_POINTs_mul(const EC_GROUP group, EC_POINT r, const BIGNUM *scalar,	1036	EC_POINTs_mul(const EC_GROUP group, EC_POINT r, const BIGNUM *scalar,
1032	size_t num, const EC_POINT points[], const BIGNUM scalars[], BN_CTX *ctx)	1037	size_t num, const EC_POINT points[], const BIGNUM scalars[], BN_CTX *ctx)
1033	{	1038	{
1034	/*	1039	if (group->meth->mul == 0)
1035	* The function pointers must be set, and only support num == 0 and	1040	/* use default */
1036	* num == 1.	1041	return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
1037	*/	1042
1038	if (group->meth->mul_generator_ct == NULL \|\|	1043	return group->meth->mul(group, r, scalar, num, points, scalars, ctx);
1039	group->meth->mul_single_ct == NULL \|\|
1040	group->meth->mul_double_nonct == NULL \|\|
1041	num > 1) {
1042	ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1043	return 0;
1044	}
1045
1046	/* Either bP or aG + bP, this is sane. */
1047	if (num == 1 && points != NULL && scalars != NULL)
1048	return EC_POINT_mul(group, r, scalar, points[0], scalars[0],
1049	ctx);
1050
1051	/* aG, this is sane */
1052	if (scalar != NULL && points == NULL && scalars == NULL)
1053	return EC_POINT_mul(group, r, scalar, NULL, NULL, ctx);
1054
1055	/* anything else is an error */
1056	ECerror(ERR_R_EC_LIB);
1057	return 0;
1058	}	1044	}
1059		1045
1060	int	1046	int
1061	EC_POINT_mul(const EC_GROUP group, EC_POINT r, const BIGNUM *g_scalar,	1047	EC_POINT_mul(const EC_GROUP group, EC_POINT r, const BIGNUM *g_scalar,
1062	const EC_POINT point, const BIGNUM p_scalar, BN_CTX *ctx)	1048	const EC_POINT point, const BIGNUM p_scalar, BN_CTX *ctx)
1063	{	1049	{
1064	if (group->meth->mul_generator_ct == NULL \|\|	1050	/* just a convenient interface to EC_POINTs_mul() */
1065	group->meth->mul_single_ct == NULL \|\|	1051
1066	group->meth->mul_double_nonct == NULL) {	1052	const EC_POINT *points[1];
1067	ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);	1053	const BIGNUM *scalars[1];
1068	return 0;	1054
1069	}	1055	points[0] = point;
1070	if (g_scalar != NULL && point == NULL && p_scalar == NULL) {	1056	scalars[0] = p_scalar;
1071	/*	1057
1072	* In this case we want to compute g_scalar * GeneratorPoint:	1058	return EC_POINTs_mul(group, r, g_scalar,
1073	* this codepath is reached most prominently by (ephemeral) key	1059	(point != NULL && p_scalar != NULL),
1074	* generation of EC cryptosystems (i.e. ECDSA keygen and sign	1060	points, scalars, ctx);
1075	* setup, ECDH keygen/first half), where the scalar is always
1076	* secret. This is why we ignore if BN_FLG_CONSTTIME is actually
1077	* set and we always call the constant time version.
1078	*/
1079	return group->meth->mul_generator_ct(group, r, g_scalar, ctx);
1080	}
1081	if (g_scalar == NULL && point != NULL && p_scalar != NULL) {
1082	/* In this case we want to compute p_scalar * GenericPoint:
1083	* this codepath is reached most prominently by the second half
1084	* of ECDH, where the secret scalar is multiplied by the peer's
1085	* public point. To protect the secret scalar, we ignore if
1086	* BN_FLG_CONSTTIME is actually set and we always call the
1087	* constant time version.
1088	*/
1089	return group->meth->mul_single_ct(group, r, p_scalar, point,
1090	ctx);
1091	}
1092	if (g_scalar != NULL && point != NULL && p_scalar != NULL) {
1093	/*
1094	* In this case we want to compute
1095	* g_scalar * GeneratorPoint + p_scalar * GenericPoint:
1096	* this codepath is reached most prominently by ECDSA signature
1097	* verification. So we call the non-ct version.
1098	*/
1099	return group->meth->mul_double_nonct(group, r, g_scalar,
1100	p_scalar, point, ctx);
1101	}
1102
1103	/* Anything else is an error. */
1104	ECerror(ERR_R_EC_LIB);
1105	return 0;
1106	}	1061	}
1107		1062
1108	int	1063	int
1109	EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx)	1064	EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
1110	{	1065	{
		1066	if (group->meth->mul == 0)
		1067	/* use default */
		1068	return ec_wNAF_precompute_mult(group, ctx);
		1069
1111	if (group->meth->precompute_mult != 0)	1070	if (group->meth->precompute_mult != 0)
1112	return group->meth->precompute_mult(group, ctx);	1071	return group->meth->precompute_mult(group, ctx);
1113	else	1072	else
@@ -1117,6 +1076,10 @@ EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
1117	int	1076	int
1118	EC_GROUP_have_precompute_mult(const EC_GROUP * group)	1077	EC_GROUP_have_precompute_mult(const EC_GROUP * group)
1119	{	1078	{
		1079	if (group->meth->mul == 0)
		1080	/* use default */
		1081	return ec_wNAF_have_precompute_mult(group);
		1082
1120	if (group->meth->have_precompute_mult != 0)	1083	if (group->meth->have_precompute_mult != 0)
1121	return group->meth->have_precompute_mult(group);	1084	return group->meth->have_precompute_mult(group);
1122	else	1085	else