From 5a27d0fd33187fa17d3aa1b151b981a5434a200f Mon Sep 17 00:00:00 2001
From: jsg <>
Date: Sun, 15 Jul 2018 05:38:48 +0000
Subject: back out ecc constant time changes after the constant time commits various regress tests started failing on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out resulted in 'invalid elliptic curve value' ok tb@
---
 src/lib/libcrypto/ec/ec_lib.c | 101 +++++++++++++-----------------------------
 1 file changed, 32 insertions(+), 69 deletions(-)
(limited to 'src/lib/libcrypto/ec/ec_lib.c')
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 1d1daca166..29207d6b48 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.26 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.27 2018/07/15 05:38:48 jsg Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -526,7 +526,7 @@ EC_GROUP_cmp(const EC_GROUP * a, const EC_GROUP * b, BN_CTX * ctx)
 return r;
- err:
+err:
 BN_CTX_end(ctx);
 if (ctx_new) BN_CTX_free(ctx);
@@ -1026,88 +1026,47 @@ EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
 }
-/* Functions for point multiplication */
+/* Functions for point multiplication.
+ *
+ * If group->meth->mul is 0, we use the wNAF-based implementations in ec_mult.c;
+ * otherwise we dispatch through methods.
+ */
+
 int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) {
- /*
- * The function pointers must be set, and only support num == 0 and
- * num == 1.
- */
- if (group->meth->mul_generator_ct == NULL ||
- group->meth->mul_single_ct == NULL ||
- group->meth->mul_double_nonct == NULL ||
- num > 1) {
- ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return 0;
- }
-
- /* Either bP or aG + bP, this is sane. */
- if (num == 1 && points != NULL && scalars != NULL)
- return EC_POINT_mul(group, r, scalar, points[0], scalars[0],
- ctx);
-
- /* aG, this is sane */
- if (scalar != NULL && points == NULL && scalars == NULL)
- return EC_POINT_mul(group, r, scalar, NULL, NULL, ctx);
-
- /* anything else is an error */
- ECerror(ERR_R_EC_LIB);
- return 0;
+ if (group->meth->mul == 0)
+ /* use default */
+ return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
+
+ return group->meth->mul(group, r, scalar, num, points, scalars, ctx);
 }
 int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx) {
- if (group->meth->mul_generator_ct == NULL ||
- group->meth->mul_single_ct == NULL ||
- group->meth->mul_double_nonct == NULL) {
- ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return 0;
- }
- if (g_scalar != NULL && point == NULL && p_scalar == NULL) {
- /*
- * In this case we want to compute g_scalar * GeneratorPoint:
- * this codepath is reached most prominently by (ephemeral) key
- * generation of EC cryptosystems (i.e. ECDSA keygen and sign
- * setup, ECDH keygen/first half), where the scalar is always
- * secret. This is why we ignore if BN_FLG_CONSTTIME is actually
- * set and we always call the constant time version.
- */
- return group->meth->mul_generator_ct(group, r, g_scalar, ctx);
- }
- if (g_scalar == NULL && point != NULL && p_scalar != NULL) {
- /* In this case we want to compute p_scalar * GenericPoint:
- * this codepath is reached most prominently by the second half
- * of ECDH, where the secret scalar is multiplied by the peer's
- * public point. To protect the secret scalar, we ignore if
- * BN_FLG_CONSTTIME is actually set and we always call the
- * constant time version.
- */
- return group->meth->mul_single_ct(group, r, p_scalar, point,
- ctx);
- }
- if (g_scalar != NULL && point != NULL && p_scalar != NULL) {
- /*
- * In this case we want to compute
- * g_scalar * GeneratorPoint + p_scalar * GenericPoint:
- * this codepath is reached most prominently by ECDSA signature
- * verification. So we call the non-ct version.
- */
- return group->meth->mul_double_nonct(group, r, g_scalar,
- p_scalar, point, ctx);
- }
-
- /* Anything else is an error. */
- ECerror(ERR_R_EC_LIB);
- return 0;
+ /* just a convenient interface to EC_POINTs_mul() */
+
+ const EC_POINT *points[1];
+ const BIGNUM *scalars[1];
+
+ points[0] = point;
+ scalars[0] = p_scalar;
+
+ return EC_POINTs_mul(group, r, g_scalar,
+ (point != NULL && p_scalar != NULL),
+ points, scalars, ctx);
 }
 int EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx) {
+ if (group->meth->mul == 0)
+ /* use default */
+ return ec_wNAF_precompute_mult(group, ctx);
+
 if (group->meth->precompute_mult != 0) return group->meth->precompute_mult(group, ctx);
 else
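Review bot: The rewritten `EC_POINT_mul` sends every case, including the secret-scalar keygen/sign and ECDH cases that the deleted comments describe, through `EC_POINTs_mul` into `ec_wNAF_mul` or `meth->mul`, and the new block comment does not say that the constant-time handling is gone. Since nothing visible here suggests those routines are constant time, I would add a line to that comment such as `* NOTE: not constant time; secret scalars take this path until the ct code is re-landed.` so the timing exposure stays tracked while the sparc64 failures are investigated. A second point in the same function: `(point != NULL && p_scalar != NULL)` quietly ignores a lone `point` or `p_scalar`, where the removed code failed with `ERR_R_EC_LIB`; if no caller relies on the lenient form, `if ((point == NULL) != (p_scalar == NULL)) { ECerror(ERR_R_EC_LIB); return 0; }` keeps that rejection.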
@@ -1117,6 +1076,10 @@ EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
 int
 EC_GROUP_have_precompute_mult(const EC_GROUP * group)
 {
+ if (group->meth->mul == 0)
+ /* use default */
+ return ec_wNAF_have_precompute_mult(group);
+
 if (group->meth->have_precompute_mult != 0)
 return group->meth->have_precompute_mult(group);
 else
-- cgit v1.2.3-55-g6feb
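Review bot: The added test compares a function pointer with `0` and places `/* use default */` between an unbraced `if` and its `return`, which is easy to misread as an empty branch; the same pattern is added to `EC_POINTs_mul` and `EC_GROUP_precompute_mult` in the previous hunk. I would write `if (group->meth->mul == NULL)` and move the comment above the test, worded to say why a precompute query keys on `mul` rather than on `have_precompute_mult`, for example `/* no method mul: precomputation is handled by the wNAF default in ec_mult.c */`. The function's `else` branch lies outside the hunk.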