Diffstat (limited to 'src/lib/libcrypto/ec/ec_mult.c')
-rw-r--r-- | src/lib/libcrypto/ec/ec_mult.c | 38 |
1 files changed, 17 insertions, 21 deletions
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c index 68061ffd67..d74c89cfe2 100644 --- a/src/lib/libcrypto/ec/ec_mult.c +++ b/src/lib/libcrypto/ec/ec_mult.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ec_mult.c,v 1.57 2025/01/11 13:58:31 tb Exp $ */ | 1 | /* $OpenBSD: ec_mult.c,v 1.59 2025/05/10 05:54:38 tb Exp $ */ |
2 | /* | 2 | /* |
3 | * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. | 3 | * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. |
4 | */ | 4 | */ |
@@ -67,9 +67,9 @@ | |||
67 | 67 | ||
68 | #include <openssl/bn.h> | 68 | #include <openssl/bn.h> |
69 | #include <openssl/ec.h> | 69 | #include <openssl/ec.h> |
70 | #include <openssl/err.h> | ||
71 | 70 | ||
72 | #include "ec_local.h" | 71 | #include "ec_local.h" |
72 | #include "err_local.h" | ||
73 | 73 | ||
74 | /* Holds the wNAF digits of bn and the corresponding odd multiples of point. */ | 74 | /* Holds the wNAF digits of bn and the corresponding odd multiples of point. */ |
75 | struct ec_wnaf { | 75 | struct ec_wnaf { |
@@ -259,7 +259,7 @@ ec_wnaf_free(struct ec_wnaf *wnaf) | |||
259 | */ | 259 | */ |
260 | 260 | ||
261 | static struct ec_wnaf * | 261 | static struct ec_wnaf * |
262 | ec_wnaf_new(const EC_GROUP *group, const EC_POINT *point, const BIGNUM *bn, | 262 | ec_wnaf_new(const EC_GROUP *group, const BIGNUM *scalar, const EC_POINT *point, |
263 | BN_CTX *ctx) | 263 | BN_CTX *ctx) |
264 | { | 264 | { |
265 | struct ec_wnaf *wnaf; | 265 | struct ec_wnaf *wnaf; |
@@ -267,15 +267,15 @@ ec_wnaf_new(const EC_GROUP *group, const EC_POINT *point, const BIGNUM *bn, | |||
267 | if ((wnaf = calloc(1, sizeof(*wnaf))) == NULL) | 267 | if ((wnaf = calloc(1, sizeof(*wnaf))) == NULL) |
268 | goto err; | 268 | goto err; |
269 | 269 | ||
270 | wnaf->num_digits = BN_num_bits(bn) + 1; | 270 | wnaf->num_digits = BN_num_bits(scalar) + 1; |
271 | if ((wnaf->digits = calloc(wnaf->num_digits, | 271 | if ((wnaf->digits = calloc(wnaf->num_digits, |
272 | sizeof(*wnaf->digits))) == NULL) | 272 | sizeof(*wnaf->digits))) == NULL) |
273 | goto err; | 273 | goto err; |
274 | 274 | ||
275 | if (!ec_compute_wnaf(bn, wnaf->digits, wnaf->num_digits)) | 275 | if (!ec_compute_wnaf(scalar, wnaf->digits, wnaf->num_digits)) |
276 | goto err; | 276 | goto err; |
277 | 277 | ||
278 | wnaf->num_multiples = 1ULL << (ec_window_bits(bn) - 1); | 278 | wnaf->num_multiples = 1ULL << (ec_window_bits(scalar) - 1); |
279 | if ((wnaf->multiples = calloc(wnaf->num_multiples, | 279 | if ((wnaf->multiples = calloc(wnaf->num_multiples, |
280 | sizeof(*wnaf->multiples))) == NULL) | 280 | sizeof(*wnaf->multiples))) == NULL) |
281 | goto err; | 281 | goto err; |
@@ -313,38 +313,34 @@ ec_wnaf_multiple(struct ec_wnaf *wnaf, signed char digit) | |||
313 | } | 313 | } |
314 | 314 | ||
315 | /* | 315 | /* |
316 | * Compute r = generator * m + point * n in non-constant time. | 316 | * Compute r = scalar1 * point1 + scalar2 * point2 in non-constant time. |
317 | */ | 317 | */ |
318 | 318 | ||
319 | int | 319 | int |
320 | ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m, | 320 | ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1, |
321 | const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx) | 321 | const EC_POINT *point1, const BIGNUM *scalar2, const EC_POINT *point2, |
322 | BN_CTX *ctx) | ||
322 | { | 323 | { |
323 | struct ec_wnaf *wnaf[2] = { NULL, NULL }; | 324 | struct ec_wnaf *wnaf[2] = { NULL, NULL }; |
324 | const EC_POINT *generator; | ||
325 | size_t i; | 325 | size_t i; |
326 | int k; | 326 | int k; |
327 | int r_is_inverted = 0; | 327 | int r_is_inverted = 0; |
328 | size_t num_digits; | 328 | size_t num_digits; |
329 | int ret = 0; | 329 | int ret = 0; |
330 | 330 | ||
331 | if (m == NULL || n == NULL) { | 331 | if (scalar1 == NULL || scalar2 == NULL) { |
332 | ECerror(ERR_R_PASSED_NULL_PARAMETER); | 332 | ECerror(ERR_R_PASSED_NULL_PARAMETER); |
333 | goto err; | 333 | goto err; |
334 | } | 334 | } |
335 | if (group->meth != r->meth || group->meth != point->meth) { | 335 | if (group->meth != r->meth || group->meth != point1->meth || |
336 | group->meth != point2->meth) { | ||
336 | ECerror(EC_R_INCOMPATIBLE_OBJECTS); | 337 | ECerror(EC_R_INCOMPATIBLE_OBJECTS); |
337 | goto err; | 338 | goto err; |
338 | } | 339 | } |
339 | 340 | ||
340 | if ((generator = EC_GROUP_get0_generator(group)) == NULL) { | 341 | if ((wnaf[0] = ec_wnaf_new(group, scalar1, point1, ctx)) == NULL) |
341 | ECerror(EC_R_UNDEFINED_GENERATOR); | ||
342 | goto err; | ||
343 | } | ||
344 | |||
345 | if ((wnaf[0] = ec_wnaf_new(group, generator, m, ctx)) == NULL) | ||
346 | goto err; | 342 | goto err; |
347 | if ((wnaf[1] = ec_wnaf_new(group, point, n, ctx)) == NULL) | 343 | if ((wnaf[1] = ec_wnaf_new(group, scalar2, point2, ctx)) == NULL) |
348 | goto err; | 344 | goto err; |
349 | 345 | ||
350 | if (!ec_normalize_points(group, wnaf[0], wnaf[1], ctx)) | 346 | if (!ec_normalize_points(group, wnaf[0], wnaf[1], ctx)) |
@@ -357,8 +353,8 @@ ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m, | |||
357 | /* | 353 | /* |
358 | * Set r to the neutral element. Scan through the wNAF representations | 354 | * Set r to the neutral element. Scan through the wNAF representations |
359 | * of m and n, starting at the most significant digit. Double r and for | 355 | * of m and n, starting at the most significant digit. Double r and for |
360 | * each wNAF digit of m add the digit times the generator, and for each | 356 | * each wNAF digit of scalar1 add the digit times point1, and for each |
361 | * wNAF digit of n add the digit times the point, adjusting the signs | 357 | * wNAF digit of scalar2 add the digit times point2, adjusting the signs |
362 | * as appropriate. | 358 | * as appropriate. |
363 | */ | 359 | */ |
364 | 360 | ||
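Review bot: In ec_wnaf_mul (new lines 335–336) point1 and point2 are dereferenced via `point1->meth` / `point2->meth` before any NULL check, and the old EC_GROUP_get0_generator() / EC_R_UNDEFINED_GENERATOR guard that used to protect the generator is dropped, so a caller that hands in an unchecked EC_GROUP_get0_generator() result would now crash inside this function instead of getting an error. Unless every caller (not visible here) is guaranteed to pass non-NULL points, extend the existing parameter check to `if (scalar1 == NULL || point1 == NULL || scalar2 == NULL || point2 == NULL) {`. The block comment in the last hunk (new lines 354–355) still says it scans the wNAF representations "of m and n", names that no longer exist after the rename; change the line to `* of scalar1 and scalar2, starting at the most significant digit. Double r and for`. ec_wnaf_mul's body continues past the end of this section.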