From 4c4b392670e9a18150e22a1e4f41fce87c78e1ff Mon Sep 17 00:00:00 2001
From: tb <>
Date: Thu, 21 Nov 2024 14:36:03 +0000
Subject: ec_wNAF_mul(): remove r_is_at_infinity silliness

All the EC_POINT_* API has a fast path for the point at infinity. So we're not gaining more than a few cycles by making this terrible mess even more terrible than it already is by avoding calls ot it (it's also incorrect as it is since we don't know that the point is no longer at infinity when it is unset). Simplify and add a comment explaining what this mess is doing.

ok jsing
---
 src/lib/libcrypto/ec/ec_mult.c | 45 +++++++++++++++++++-----------------------
 1 file changed, 20 insertions(+), 25 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 9015a5a649..e336cf0fac 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.35 2024/11/16 15:32:08 tb Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.36 2024/11/21 14:36:03 tb Exp $ */
 /*
  * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
  */
@@ -233,7 +233,6 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
  size_t i, j;
  int k;
  int r_is_inverted = 0;
- int r_is_at_infinity = 1;
  size_t *wsize = NULL; /* individual window sizes */
  signed char **wNAF = NULL; /* individual wNAFs */
  size_t *wNAF_len = NULL;
@@ -356,13 +355,21 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
  if (!EC_POINTs_make_affine(group, num_val, val, ctx))
  goto err;
 
- r_is_at_infinity = 1;
+ /*
+ * Set r to the neutral element. Scan through the wNAF representations
+ * of m and n, starting at the most significant digit. Double r and for
+ * each wNAF digit of m add the digit times the point, and for each
+ * wNAF digit of n add the digit times the generator, adjusting the
+ * signs as appropriate.
+ */
+
+ if (!EC_POINT_set_to_infinity(group, r))
+ goto err;
 
  for (k = max_len - 1; k >= 0; k--) {
- if (!r_is_at_infinity) {
- if (!EC_POINT_dbl(group, r, r, ctx))
- goto err;
- }
+ if (!EC_POINT_dbl(group, r, r, ctx))
+ goto err;
+
  for (i = 0; i < totalnum; i++) {
  if (wNAF_len[i] > (size_t) k) {
  int digit = wNAF[i][k];
@@ -375,34 +382,22 @@ ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
  digit = -digit;
 
  if (is_neg != r_is_inverted) {
- if (!r_is_at_infinity) {
- if (!EC_POINT_invert(group, r, ctx))
- goto err;
- }
+ if (!EC_POINT_invert(group, r, ctx))
+ goto err;
  r_is_inverted = !r_is_inverted;
  }
 
  /* digit > 0 */
- if (r_is_at_infinity) {
- if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))
- goto err;
- r_is_at_infinity = 0;
- } else {
- if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx))
- goto err;
- }
+ if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx))
+ goto err;
  }
  }
  }
  }
 
- if (r_is_at_infinity) {
- if (!EC_POINT_set_to_infinity(group, r))
+ if (r_is_inverted) {
+ if (!EC_POINT_invert(group, r, ctx))
  goto err;
- } else {
- if (r_is_inverted)
- if (!EC_POINT_invert(group, r, ctx))
- goto err;
  }
 
  ret = 1;
--
cgit v1.2.3-55-g6feb
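Review bot: The new comment block above `EC_POINT_set_to_infinity` explains what the loop computes but says nothing about its side-channel profile, and that is the property a caller of ec_wNAF_mul most needs to know: the loop body branches on `wNAF_len[i] > (size_t) k`, on the sign of each digit and on whether the digit is zero, so the sequence of EC_POINT_dbl/add/invert calls depends on the scalars. Adding one sentence to the comment, such as ` * This loop branches on the wNAF digits and is not constant-time.`, would make that contract visible at the point where the accumulation starts. Whether callers already restrict this path to public scalars cannot be seen from this hunk. The enclosing function ec_wNAF_mul begins and ends outside the hunk.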
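Review bot: The `if (is_neg != r_is_inverted)` branch would benefit from a comment now that the infinity special case around it is gone, because an EC_POINT_invert in the middle of an addition chain is not self-explanatory: the code inverts the accumulator r instead of negating the precomputed table entry, records that in r_is_inverted, and the new trailing `if (r_is_inverted)` block undoes the inversion after the loop. A line such as `/* Invert the accumulator rather than the table entry; undone after the loop. */` directly above the `if (is_neg != r_is_inverted) {` line would capture this. On the first iteration r is still the neutral element when it may be inverted, which presumably relies on EC_POINT_invert handling the point at infinity as the commit message claims; that is not visible in this hunk. The function continues past the end of the hunk.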