From b694ac34c67a61603d51be4ed12f815e39102235 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sat, 23 Nov 2024 07:33:26 +0000
Subject: Further simplify after dropping wNAF modification

We can now turn the for loop into a proper for loop for which there is obviously no out of bounds access. The length can be determined up front and it's easier to explain what's going on, so expand a few comments.
ok jsing
---
 src/lib/libcrypto/ec/ec_mult.c | 36 +++++++++++++-----------------------
 1 file changed, 13 insertions(+), 23 deletions(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index b7a9e346cf..382174a367 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.48 2024/11/23 07:28:57 tb Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.49 2024/11/23 07:33:26 tb Exp $ */
 /*
 * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
 */
@@ -98,24 +98,12 @@ ec_compute_wNAF(const BIGNUM *bn, signed char **out_wNAF, size_t *out_wNAF_len,
 size_t *out_len)
 {
 signed char *wNAF = NULL;
- size_t wNAF_len = 1, len = 1;
+ size_t i, wNAF_len, len;
 int digit, bit, next, sign, wbits, window;
- size_t i;
 int ret = 0;
 
- if (BN_is_zero(bn)) {
- if ((wNAF = calloc(1, 1)) == NULL) {
- ECerror(ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- goto done;
- }
-
- sign = BN_is_negative(bn) ? -1 : 1;
-
- wNAF_len = BN_num_bits(bn);
- if ((wNAF = calloc(1, wNAF_len + 1)) == NULL) {
+ wNAF_len = BN_num_bits(bn) + 1;
+ if ((wNAF = calloc(1, wNAF_len)) == NULL) {
 ECerror(ERR_R_MALLOC_FAILURE);
 goto err;
 }
@@ -123,6 +111,11 @@ ec_compute_wNAF(const BIGNUM *bn, signed char **out_wNAF, size_t *out_wNAF_len,
 wbits = ec_window_bits(bn);
 len = 1 << (wbits - 1);
 
+ if (BN_is_zero(bn))
+ goto done;
+
+ sign = BN_is_negative(bn) ? -1 : 1;
+
 bit = 1 << wbits;
 next = bit << 1;
 
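Review bot: The `+ 1` in `wNAF_len = BN_num_bits(bn) + 1;` carries the whole bounds argument for the simplified loop later in the function, but nothing at the allocation says so. A one-line comment above it, for example `/* A wNAF of bn has at most BN_num_bits(bn) + 1 digits. */`, would tie the calloc() size to the loop bound so that neither is changed without the other. BN_num_bits() returns an int that is stored in a size_t here, so the comment could also record that the value is assumed to be non-negative. The function body continues past the end of this hunk.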
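Review bot: With the zero check now placed below `len = 1 << (wbits - 1);`, a zero scalar takes its `len` from ec_window_bits() instead of from the removed initialiser `len = 1`. That is only well defined if ec_window_bits() returns at least 1 for a zero BIGNUM; the helper is defined outside this hunk, so this cannot be confirmed here, and a return value of 0 would make the shift count negative. I would state the assumption next to the shift, e.g. `/* ec_window_bits() returns at least 1, also for bn == 0. */`, or keep the zero check above the two assignments and set `len = 1;` explicitly on that path.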
@@ -134,15 +127,14 @@ ec_compute_wNAF(const BIGNUM *bn, signed char **out_wNAF, size_t *out_wNAF_len,
 }
 
 /* Instead of bn >>= 1 in each iteration, slide window to the left. */
- for (i = 0; i + wbits + 1 < wNAF_len || window != 0; i++) {
+ for (i = 0; i < wNAF_len; i++) {
 digit = 0;
 
 /*
 * If window is odd, the i-th wNAF digit is window (mods 2^w),
- * where mods is the signed modulo in (-2^w-1, 2^w-1]. In the
- * last iterations the digits are grouped slightly differently.
- * Subtract the digit from window, so window is 0, next, or bit,
- * and add the digit to the wNAF digits.
+ * where mods is the signed modulo in (-2^w-1, 2^w-1]. Subtract
+ * the digit from window, so window is 0 or next, and add the
+ * digit to the wNAF digits.
 */
 if ((window & 1) != 0) {
 digit = window;
@@ -158,8 +150,6 @@ ec_compute_wNAF(const BIGNUM *bn, signed char **out_wNAF, size_t *out_wNAF_len,
 window += bit * BN_is_bit_set(bn, i + wbits + 1);
 }
 
- wNAF_len = i;
-
 done:
 *out_wNAF = wNAF;
 wNAF = NULL;
-- 
cgit v1.2.3-55-g6feb
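Review bot: The new condition `i < wNAF_len` keeps every digit write inside the allocation, but unlike the old `|| window != 0` clause it no longer guarantees that `window` has been drained when the loop ends. If the length bound were ever wrong, the high digits would be dropped silently and the caller would multiply by a different scalar. A check after the loop's closing brace, `if (window != 0) { ECerror(ERR_R_INTERNAL_ERROR); goto err; }`, would turn a broken invariant into a hard failure. The loop body ends outside this hunk, in the `@@ -158,8 +150,6 @@` hunk.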
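Review bot: Dropping `wNAF_len = i;` changes what the length means: it used to be the index at which the loop stopped and is now always `BN_num_bits(bn) + 1`, so the digit array can end in zero digits. The value is presumably handed back through `out_wNAF_len` after `done:`, but those assignments lie past the end of this hunk and the callers are not visible. Any caller that assumes a non-zero top digit, or sizes later work by this length, should be checked. The function's header comment should state the new contract, for example `/* *out_wNAF_len is the allocated digit count; the top digits may be zero. */`.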