From 70275e713454e731b5cbf6545eff93592d1d9872 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 24 Mar 2025 13:07:04 +0000
Subject: Explicitly pass group generator to mul_double_nonct() from EC_POINT_mul().

EC_POINT_mul() has a complex multi-use interface - there are effectively three different ways it will behave, depending on which arguments are NULL. In the case where we compute g_scalar * generator + p_scalar * point, the mul_double_nonct() function pointer is called, however only g_scalar, p_scalar and point are passed - it is expected that the lower level implementation (in this case ec_wnaf_mul()) will use the generator from the group.

Change mul_double_nonct(), ec_mul_double_nonct() and ec_wnaf_mul() so that they take scalar1, point1, scalar2 and point2. This removes all knowledge of g_scalar and the generator from the multiplication code, keeping it limited to EC_POINT_mul().

While here also consistently pass scalar then point, rather than a mix of scalar/point and point/scalar.

ok tb@
---
 src/lib/libcrypto/ec/ec_lib.c | 10 +++++-----
 src/lib/libcrypto/ec/ec_local.h | 13 +++++++------
 src/lib/libcrypto/ec/ec_mult.c | 36 ++++++++++++++++--------------------
 src/lib/libcrypto/ec/ecp_methods.c | 9 +++++----
 4 files changed, 33 insertions(+), 35 deletions(-)

diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 598038de1d..7982d23f06 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.122 2025/03/24 12:49:13 jsing Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.123 2025/03/24 13:07:04 jsing Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -1333,8 +1333,8 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
 * secret. This is why we ignore if BN_FLG_CONSTTIME is actually
 * set and we always call the constant time version.
 */
- ret = group->meth->mul_single_ct(group, r, g_scalar,
- group->generator, ctx);
+ ret = group->meth->mul_single_ct(group, r,
+ g_scalar, group->generator, ctx);
 } else if (g_scalar == NULL && point != NULL && p_scalar != NULL) {
 /*
 * In this case we want to compute p_scalar * GenericPoint:
@@ -1352,8 +1352,8 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
 * this codepath is reached most prominently by ECDSA signature
 * verification. So we call the non-ct version.
 */
- ret = group->meth->mul_double_nonct(group, r, g_scalar,
- p_scalar, point, ctx);
+ ret = group->meth->mul_double_nonct(group, r,
+ g_scalar, group->generator, p_scalar, point, ctx);
 } else {
 /* Anything else is an error. */
 ECerror(ERR_R_EC_LIB);
diff --git a/src/lib/libcrypto/ec/ec_local.h b/src/lib/libcrypto/ec/ec_local.h
index 9c188c0197..c7a54d3a2b 100644
--- a/src/lib/libcrypto/ec/ec_local.h
+++ b/src/lib/libcrypto/ec/ec_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_local.h,v 1.66 2025/03/09 15:33:35 tb Exp $ */
+/* $OpenBSD: ec_local.h,v 1.67 2025/03/24 13:07:04 jsing Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -106,8 +106,8 @@ typedef struct ec_method_st {
 int (*mul_single_ct)(const EC_GROUP *group, EC_POINT *r,
 const BIGNUM *scalar, const EC_POINT *point, BN_CTX *);
 int (*mul_double_nonct)(const EC_GROUP *group, EC_POINT *r,
- const BIGNUM *g_scalar, const BIGNUM *p_scalar,
- const EC_POINT *point, BN_CTX *);
+ const BIGNUM *scalar1, const EC_POINT *point1,
+ const BIGNUM *scalar2, const EC_POINT *point2, BN_CTX *);
 /*
 * These can be used by 'add' and 'dbl' so that the same implementations
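Review bot: In the @@ -1352 hunk, `group->generator` is handed to mul_double_nonct() unchecked, while this same commit removes the EC_R_UNDEFINED_GENERATOR check that ec_wnaf_mul() used to perform (ec_mult.c hunk @@ -313); with the callee now dereferencing `point1->meth` right after its scalar-only NULL check, a group whose generator was never set turns from a reported error into a NULL dereference. Unless EC_POINT_mul() already rejects such a group earlier in the function (its start is outside the hunk), the double-scalar branch should guard before the call, e.g. `if (group->generator == NULL) { ECerror(EC_R_UNDEFINED_GENERATOR); goto err; }`, using whatever error exit the function's `else` branch takes. The same exposure exists for the mul_single_ct() call in the @@ -1333 hunk, which the commit only re-wraps.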
@@ -173,9 +173,10 @@ struct ec_point_st {
 const EC_METHOD *EC_GFp_simple_method(void);
 const EC_METHOD *EC_GFp_mont_method(void);
-/* Compute r = generator * m + point * n in non-constant time. */
-int ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
- const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx);
+/* Compute r = scalar1 * point1 + scalar2 * point2 in non-constant time. */
+int ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
+ const EC_POINT *point1, const BIGNUM *scalar2, const EC_POINT *point2,
+ BN_CTX *ctx);
 int ec_group_is_builtin_curve(const EC_GROUP *group, int *out_nid);
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 68061ffd67..673696a9fd 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.57 2025/01/11 13:58:31 tb Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.58 2025/03/24 13:07:04 jsing Exp $ */
 /*
 * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
 */
@@ -259,7 +259,7 @@ ec_wnaf_free(struct ec_wnaf *wnaf)
 */
 static struct ec_wnaf *
-ec_wnaf_new(const EC_GROUP *group, const EC_POINT *point, const BIGNUM *bn,
+ec_wnaf_new(const EC_GROUP *group, const BIGNUM *scalar, const EC_POINT *point,
 BN_CTX *ctx)
 {
 struct ec_wnaf *wnaf;
@@ -267,15 +267,15 @@ ec_wnaf_new(const EC_GROUP *group, const EC_POINT *point, const BIGNUM *bn,
 if ((wnaf = calloc(1, sizeof(*wnaf))) == NULL)
 goto err;
- wnaf->num_digits = BN_num_bits(bn) + 1;
+ wnaf->num_digits = BN_num_bits(scalar) + 1;
 if ((wnaf->digits = calloc(wnaf->num_digits,
 sizeof(*wnaf->digits))) == NULL)
 goto err;
- if (!ec_compute_wnaf(bn, wnaf->digits, wnaf->num_digits))
+ if (!ec_compute_wnaf(scalar, wnaf->digits, wnaf->num_digits))
 goto err;
- wnaf->num_multiples = 1ULL << (ec_window_bits(bn) - 1);
+ wnaf->num_multiples = 1ULL << (ec_window_bits(scalar) - 1);
 if ((wnaf->multiples = calloc(wnaf->num_multiples,
 sizeof(*wnaf->multiples))) == NULL)
 goto err;
@@ -313,38 +313,34 @@ ec_wnaf_multiple(struct ec_wnaf *wnaf, signed char digit)
 }
 /*
- * Compute r = generator * m + point * n in non-constant time.
+ * Compute r = scalar1 * point1 + scalar2 * point2 in non-constant time.
 */
 int
-ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
- const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx)
+ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
+ const EC_POINT *point1, const BIGNUM *scalar2, const EC_POINT *point2,
+ BN_CTX *ctx)
 {
 struct ec_wnaf *wnaf[2] = { NULL, NULL };
- const EC_POINT *generator;
 size_t i;
 int k;
 int r_is_inverted = 0;
 size_t num_digits;
 int ret = 0;
- if (m == NULL || n == NULL) {
+ if (scalar1 == NULL || scalar2 == NULL) {
 ECerror(ERR_R_PASSED_NULL_PARAMETER);
 goto err;
 }
- if (group->meth != r->meth || group->meth != point->meth) {
+ if (group->meth != r->meth || group->meth != point1->meth ||
+ group->meth != point2->meth) {
 ECerror(EC_R_INCOMPATIBLE_OBJECTS);
 goto err;
 }
- if ((generator = EC_GROUP_get0_generator(group)) == NULL) {
- ECerror(EC_R_UNDEFINED_GENERATOR);
- goto err;
- }
-
- if ((wnaf[0] = ec_wnaf_new(group, generator, m, ctx)) == NULL)
+ if ((wnaf[0] = ec_wnaf_new(group, scalar1, point1, ctx)) == NULL)
 goto err;
- if ((wnaf[1] = ec_wnaf_new(group, point, n, ctx)) == NULL)
+ if ((wnaf[1] = ec_wnaf_new(group, scalar2, point2, ctx)) == NULL)
 goto err;
 if (!ec_normalize_points(group, wnaf[0], wnaf[1], ctx))
@@ -357,8 +353,8 @@ ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
 /*
 * Set r to the neutral element. Scan through the wNAF representations
 * of m and n, starting at the most significant digit. Double r and for
- * each wNAF digit of m add the digit times the generator, and for each
- * wNAF digit of n add the digit times the point, adjusting the signs
+ * each wNAF digit of scalar1 add the digit times point1, and for each
+ * wNAF digit of scalar2 add the digit times point2, adjusting the signs
 * as appropriate.
 */
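Review bot: The new NULL check `if (scalar1 == NULL || scalar2 == NULL) {` in ec_wnaf_mul() guards only the scalars, yet the very next statement dereferences both `point1->meth` and `point2->meth`, and the generator lookup that this hunk removes was what previously guaranteed a non-NULL first point. Now that the function is a generic two-point routine reached through the method table, it should validate all four of its own arguments rather than rely on each caller: `if (scalar1 == NULL || point1 == NULL || scalar2 == NULL || point2 == NULL) {`. The function's body continues past the end of the hunk.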
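Review bot: In the @@ -357 hunk the loop comment is only half updated: the added lines now speak of scalar1/point1 and scalar2/point2, but the unchanged context line directly above them still reads `* of m and n, starting at the most significant digit. Double r and for`, and parameters named m and n no longer exist after this commit. Change that line to ` * of scalar1 and scalar2, starting at the most significant digit. Double r and for` so the whole comment uses the current parameter names.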
diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c
index 544c2be4d4..ced85ceb1e 100644
--- a/src/lib/libcrypto/ec/ecp_methods.c
+++ b/src/lib/libcrypto/ec/ecp_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_methods.c,v 1.44 2025/03/09 15:33:35 tb Exp $ */
+/* $OpenBSD: ecp_methods.c,v 1.45 2025/03/24 13:07:04 jsing Exp $ */
 /* Includes code written by Lenka Fibikova
 * for the OpenSSL project.
 * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1194,10 +1194,11 @@ ec_mul_single_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 }
 static int
-ec_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
- const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *ctx)
+ec_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
+ const EC_POINT *point1, const BIGNUM *scalar2, const EC_POINT *point2,
+ BN_CTX *ctx)
 {
- return ec_wnaf_mul(group, r, g_scalar, point, p_scalar, ctx);
+ return ec_wnaf_mul(group, r, scalar1, point1, scalar2, point2, ctx);
 }
 static int
--
cgit v1.2.3-55-g6feb