back out ecc constant time changes

after the constant time commits various regress tests started failing
on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out
resulted in 'invalid elliptic curve value'

ok tb@

diff --git a/lib/libcrypto/ec/ec2_mult.c b/lib/libcrypto/ec/ec2_mult.c
index 4638029..10191d7 100644 (file)
--- a/lib/libcrypto/ec/ec2_mult.c
+++ b/lib/libcrypto/ec/ec2_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_mult.c,v 1.10 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec2_mult.c,v 1.11 2018/07/15 05:38:48 jsg Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -111,7 +111,7 @@ gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx)
 
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        return ret;
 }
@@ -155,7 +155,7 @@ gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1,
 
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        return ret;
 }
@@ -243,7 +243,7 @@ gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1,
 
        ret = 2;
 
- err:
+err:
        BN_CTX_end(ctx);
        return ret;
 }
@@ -356,7 +356,7 @@ ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
 
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        return ret;
 }
@@ -424,7 +424,7 @@ ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 
        ret = 1;
 
- err:
+err:
        EC_POINT_free(p);
        EC_POINT_free(acc);
        BN_CTX_free(new_ctx);

diff --git a/lib/libcrypto/ec/ec2_oct.c b/lib/libcrypto/ec/ec2_oct.c
index 1727f78..bb480c5 100644 (file)
--- a/lib/libcrypto/ec/ec2_oct.c
+++ b/lib/libcrypto/ec/ec2_oct.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_oct.c,v 1.9 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec2_oct.c,v 1.10 2018/07/15 05:38:48 jsg Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -157,7 +157,7 @@ ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point
 
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -272,7 +272,7 @@ ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point,
        BN_CTX_free(new_ctx);
        return ret;
 
- err:
+err:
        if (used_ctx)
                BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
@@ -374,7 +374,7 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
        }
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;

diff --git a/lib/libcrypto/ec/ec2_smpl.c b/lib/libcrypto/ec/ec2_smpl.c
index f1cbd3f..c3fff56 100644 (file)
--- a/lib/libcrypto/ec/ec2_smpl.c
+++ b/lib/libcrypto/ec/ec2_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_smpl.c,v 1.17 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec2_smpl.c,v 1.18 2018/07/15 05:38:48 jsg Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -107,11 +107,15 @@ EC_GF2m_simple_method(void)
                .point_cmp = ec_GF2m_simple_cmp,
                .make_affine = ec_GF2m_simple_make_affine,
                .points_make_affine = ec_GF2m_simple_points_make_affine,
-               .mul_generator_ct = ec_GFp_simple_mul_generator_ct,
-               .mul_single_ct = ec_GFp_simple_mul_single_ct,
-               .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
+
+               /*
+                * the following three method functions are defined in
+                * ec2_mult.c
+                */
+               .mul = ec_GF2m_simple_mul,
                .precompute_mult = ec_GF2m_precompute_mult,
                .have_precompute_mult = ec_GF2m_have_precompute_mult,
+
                .field_mul = ec_GF2m_simple_field_mul,
                .field_sqr = ec_GF2m_simple_field_sqr,
                .field_div = ec_GF2m_simple_field_div,
@@ -228,7 +232,7 @@ ec_GF2m_simple_group_set_curve(EC_GROUP * group,
                group->b.d[i] = 0;
 
        ret = 1;
- err:
+err:
        return ret;
 }
 
@@ -256,7 +260,7 @@ ec_GF2m_simple_group_get_curve(const EC_GROUP *group,
        }
        ret = 1;
 
- err:
+err:
        return ret;
 }
 
@@ -302,7 +306,7 @@ ec_GF2m_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx)
 
        ret = 1;
 
- err:
+err:
        if (ctx != NULL)
                BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
@@ -394,7 +398,7 @@ ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * p
        point->Z_is_one = 1;
        ret = 1;
 
- err:
+err:
        return ret;
 }
 
@@ -428,7 +432,7 @@ ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group,
        }
        ret = 1;
 
- err:
+err:
        return ret;
 }
 
@@ -545,7 +549,7 @@ ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
 
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -637,7 +641,7 @@ ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX
        if (!BN_GF2m_add(lh, lh, y2))
                goto err;
        ret = BN_is_zero(lh);
- err:
+err:
        if (ctx)
                BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
@@ -689,7 +693,7 @@ ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
                goto err;
        ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1;
 
- err:
+err:
        if (ctx)
                BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
@@ -730,7 +734,7 @@ ec_GF2m_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ct
 
        ret = 1;
 
- err:
+err:
        if (ctx)
                BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);

diff --git a/lib/libcrypto/ec/ec_ameth.c b/lib/libcrypto/ec/ec_ameth.c
index 21390aa..30f29ef 100644 (file)
--- a/lib/libcrypto/ec/ec_ameth.c
+++ b/lib/libcrypto/ec/ec_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_ameth.c,v 1.21 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_ameth.c,v 1.22 2018/07/15 05:38:48 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -126,7 +126,7 @@ eckey_pub_encode(X509_PUBKEY * pk, const EVP_PKEY * pkey)
        if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC),
                ptype, pval, penc, penclen))
                return 1;
- err:
+err:
        if (ptype == V_ASN1_OBJECT)
                ASN1_OBJECT_free(pval);
        else
@@ -177,7 +177,7 @@ eckey_type2param(int ptype, const void *pval)
 
        return eckey;
 
- ecerr:
+ecerr:
        if (eckey)
                EC_KEY_free(eckey);
        return NULL;
@@ -210,7 +210,7 @@ eckey_pub_decode(EVP_PKEY * pkey, X509_PUBKEY * pubkey)
        EVP_PKEY_assign_EC_KEY(pkey, eckey);
        return 1;
 
- ecerr:
+ecerr:
        if (eckey)
                EC_KEY_free(eckey);
        return 0;
@@ -290,9 +290,9 @@ eckey_priv_decode(EVP_PKEY * pkey, PKCS8_PRIV_KEY_INFO * p8)
        EVP_PKEY_assign_EC_KEY(pkey, eckey);
        return 1;
 
- ecliberr:
+ecliberr:
        ECerror(ERR_R_EC_LIB);
- ecerr:
+ecerr:
        if (eckey)
                EC_KEY_free(eckey);
        return 0;
@@ -483,7 +483,7 @@ do_EC_KEY_print(BIO * bp, const EC_KEY * x, int off, int ktype)
        if (!ECPKParameters_print(bp, group, off))
                goto err;
        ret = 1;
- err:
+err:
        if (!ret)
                ECerror(reason);
        BN_free(pub_key);

diff --git a/lib/libcrypto/ec/ec_asn1.c b/lib/libcrypto/ec/ec_asn1.c
index 1fb0670..f5a1331 100644 (file)
--- a/lib/libcrypto/ec/ec_asn1.c
+++ b/lib/libcrypto/ec/ec_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_asn1.c,v 1.28 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_asn1.c,v 1.29 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -793,7 +793,7 @@ ec_asn1_group2fieldid(const EC_GROUP * group, X9_62_FIELDID * field)
 
        ok = 1;
 
- err:
+err:
        BN_free(tmp);
        return (ok);
 }
@@ -896,7 +896,7 @@ ec_asn1_group2curve(const EC_GROUP * group, X9_62_CURVE * curve)
 
        ok = 1;
 
- err:
+err:
        free(buffer_1);
        free(buffer_2);
        BN_free(tmp_1);
@@ -988,8 +988,7 @@ ec_asn1_group2parameters(const EC_GROUP * group, ECPARAMETERS * param)
        }
        ok = 1;
 
- err:
-       if (!ok) {
+err:   if (!ok) {
                if (ret && !param)
                        ECPARAMETERS_free(ret);
                ret = NULL;
@@ -1245,8 +1244,7 @@ ec_asn1_parameters2group(const ECPARAMETERS * params)
        }
        ok = 1;
 
- err:
-       if (!ok) {
+err:   if (!ok) {
                EC_GROUP_clear_free(ret);
                ret = NULL;
        }
@@ -1314,7 +1312,7 @@ d2i_ECPKParameters(EC_GROUP ** a, const unsigned char **in, long len)
                *a = group;
        }
 
- err:
+err:
        ECPKPARAMETERS_free(params);
        return (group);
 }
@@ -1427,7 +1425,7 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len)
                *a = ret;
        return (ret);
 
- err:
+err:
        if (a == NULL || *a != ret)
                EC_KEY_free(ret);
        if (priv_key)
@@ -1512,7 +1510,7 @@ i2d_ECPrivateKey(EC_KEY * a, unsigned char **out)
                goto err;
        }
        ok = 1;
- err:
+err:
        free(buffer);
        if (priv_key)
                EC_PRIVATEKEY_free(priv_key);

diff --git a/lib/libcrypto/ec/ec_check.c b/lib/libcrypto/ec/ec_check.c
index b0c6333..a76d21c 100644 (file)
--- a/lib/libcrypto/ec/ec_check.c
+++ b/lib/libcrypto/ec/ec_check.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_check.c,v 1.7 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_check.c,v 1.8 2018/07/15 05:38:48 jsg Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
@@ -106,7 +106,7 @@ EC_GROUP_check(const EC_GROUP * group, BN_CTX * ctx)
        }
        ret = 1;
 
- err:
+err:
        if (ctx != NULL)
                BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);

diff --git a/lib/libcrypto/ec/ec_curve.c b/lib/libcrypto/ec/ec_curve.c
index 7bf8583..1808e7b 100644 (file)
--- a/lib/libcrypto/ec/ec_curve.c
+++ b/lib/libcrypto/ec/ec_curve.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_curve.c,v 1.17 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_curve.c,v 1.18 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -3235,7 +3235,7 @@ ec_group_new_from_data(const ec_list_element curve)
                }
        }
        ok = 1;
- err:
+err:
        if (!ok) {
                EC_GROUP_free(group);
                group = NULL;

diff --git a/lib/libcrypto/ec/ec_key.c b/lib/libcrypto/ec/ec_key.c
index 33c9acc..a9f03c4 100644 (file)
--- a/lib/libcrypto/ec/ec_key.c
+++ b/lib/libcrypto/ec/ec_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_key.c,v 1.15 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_key.c,v 1.16 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -253,7 +253,7 @@ EC_KEY_generate_key(EC_KEY * eckey)
 
        ok = 1;
 
- err:
+err:
        BN_free(order);
        if (pub_key != NULL && eckey->pub_key == NULL)
                EC_POINT_free(pub_key);
@@ -324,7 +324,7 @@ EC_KEY_check_key(const EC_KEY * eckey)
                }
        }
        ok = 1;
- err:
+err:
        BN_CTX_free(ctx);
        EC_POINT_free(point);
        return (ok);
@@ -395,7 +395,7 @@ EC_KEY_set_public_key_affine_coordinates(EC_KEY * key, BIGNUM * x, BIGNUM * y)
 
        ok = 1;
 
- err:
+err:
        BN_CTX_free(ctx);
        EC_POINT_free(point);
        return ok;

diff --git a/lib/libcrypto/ec/ec_lcl.h b/lib/libcrypto/ec/ec_lcl.h
index 4916d3a..bcfd817 100644 (file)
--- a/lib/libcrypto/ec/ec_lcl.h
+++ b/lib/libcrypto/ec/ec_lcl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lcl.h,v 1.8 2018/07/10 21:55:49 tb Exp $ */
+/* $OpenBSD: ec_lcl.h,v 1.9 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -160,12 +160,10 @@ struct ec_method_st {
        int (*make_affine)(const EC_GROUP *, EC_POINT *, BN_CTX *);
        int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
 
-       /* used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, EC_POINT_have_precompute_mult */
-       int (*mul_generator_ct)(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar, BN_CTX *);
-       int (*mul_single_ct)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
-               const EC_POINT *point, BN_CTX *);
-       int (*mul_double_nonct)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
-               const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *);
+       /* used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, EC_POINT_have_precompute_mult
+        * (default implementations are used if the 'mul' pointer is 0): */
+       int (*mul)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+               size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
        int (*precompute_mult)(EC_GROUP *group, BN_CTX *);
        int (*have_precompute_mult)(const EC_GROUP *group);
 
@@ -339,11 +337,6 @@ int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
 int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
 int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
 int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
-int ec_GFp_simple_mul_generator_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar, BN_CTX *);
-int ec_GFp_simple_mul_single_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar,
-       const EC_POINT *point, BN_CTX *);
-int ec_GFp_simple_mul_double_nonct(const EC_GROUP *, EC_POINT *r, const BIGNUM *g_scalar,
-       const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *);
 
 
 /* method functions in ecp_mont.c */

diff --git a/lib/libcrypto/ec/ec_lib.c b/lib/libcrypto/ec/ec_lib.c
index 1d1daca..29207d6 100644 (file)
--- a/lib/libcrypto/ec/ec_lib.c
+++ b/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.26 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.27 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -526,7 +526,7 @@ EC_GROUP_cmp(const EC_GROUP * a, const EC_GROUP * b, BN_CTX * ctx)
 
        return r;
 
- err:
+err:
        BN_CTX_end(ctx);
        if (ctx_new)
                BN_CTX_free(ctx);
@@ -1026,88 +1026,47 @@ EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
 }
 
 
-/* Functions for point multiplication */
+/* Functions for point multiplication.
+ *
+ * If group->meth->mul is 0, we use the wNAF-based implementations in ec_mult.c;
+ * otherwise we dispatch through methods.
+ */
+
 int 
 EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
     size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
 {
-       /*
-        * The function pointers must be set, and only support num == 0 and
-        * num == 1.
-        */
-       if (group->meth->mul_generator_ct == NULL ||
-           group->meth->mul_single_ct == NULL ||
-           group->meth->mul_double_nonct == NULL ||
-           num > 1) {
-               ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-               return 0;
-       }
-       
-       /* Either bP or aG + bP, this is sane. */
-       if (num == 1 && points != NULL && scalars != NULL)
-               return EC_POINT_mul(group, r, scalar, points[0], scalars[0],
-                   ctx);
-       
-       /* aG, this is sane */
-       if (scalar != NULL && points == NULL && scalars == NULL)
-               return EC_POINT_mul(group, r, scalar, NULL, NULL, ctx);
-       
-       /* anything else is an error */
-       ECerror(ERR_R_EC_LIB);
-       return 0;
+       if (group->meth->mul == 0)
+               /* use default */
+               return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
+
+       return group->meth->mul(group, r, scalar, num, points, scalars, ctx);
 }
 
 int 
 EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
     const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx)
 {
-       if (group->meth->mul_generator_ct == NULL ||
-           group->meth->mul_single_ct == NULL ||
-           group->meth->mul_double_nonct == NULL) {
-               ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-               return 0;
-       }
-       if (g_scalar != NULL && point == NULL && p_scalar == NULL) {
-               /*
-                * In this case we want to compute g_scalar * GeneratorPoint:
-                * this codepath is reached most prominently by (ephemeral) key
-                * generation of EC cryptosystems (i.e. ECDSA keygen and sign
-                * setup, ECDH keygen/first half), where the scalar is always
-                * secret. This is why we ignore if BN_FLG_CONSTTIME is actually
-                * set and we always call the constant time version.
-                */
-               return group->meth->mul_generator_ct(group, r, g_scalar, ctx);
-       }
-       if (g_scalar == NULL && point != NULL && p_scalar != NULL) {
-               /* In this case we want to compute p_scalar * GenericPoint:
-                * this codepath is reached most prominently by the second half
-                * of ECDH, where the secret scalar is multiplied by the peer's
-                * public point. To protect the secret scalar, we ignore if
-                * BN_FLG_CONSTTIME is actually set and we always call the
-                * constant time version.
-                */
-               return group->meth->mul_single_ct(group, r, p_scalar, point,
-                   ctx);
-       }
-       if (g_scalar != NULL && point != NULL && p_scalar != NULL) {
-               /*
-                * In this case we want to compute
-                *   g_scalar * GeneratorPoint + p_scalar * GenericPoint:
-                * this codepath is reached most prominently by ECDSA signature
-                * verification. So we call the non-ct version.
-                */
-               return group->meth->mul_double_nonct(group, r, g_scalar,
-                   p_scalar, point, ctx);
-       }
-               
-       /* Anything else is an error. */
-       ECerror(ERR_R_EC_LIB);
-       return 0;
+       /* just a convenient interface to EC_POINTs_mul() */
+
+       const EC_POINT *points[1];
+       const BIGNUM *scalars[1];
+
+       points[0] = point;
+       scalars[0] = p_scalar;
+
+       return EC_POINTs_mul(group, r, g_scalar,
+           (point != NULL && p_scalar != NULL),
+           points, scalars, ctx);
 }
 
 int 
 EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
 {
+       if (group->meth->mul == 0)
+               /* use default */
+               return ec_wNAF_precompute_mult(group, ctx);
+
        if (group->meth->precompute_mult != 0)
                return group->meth->precompute_mult(group, ctx);
        else
@@ -1117,6 +1076,10 @@ EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
 int 
 EC_GROUP_have_precompute_mult(const EC_GROUP * group)
 {
+       if (group->meth->mul == 0)
+               /* use default */
+               return ec_wNAF_have_precompute_mult(group);
+
        if (group->meth->have_precompute_mult != 0)
                return group->meth->have_precompute_mult(group);
        else

diff --git a/lib/libcrypto/ec/ec_mult.c b/lib/libcrypto/ec/ec_mult.c
index 08bc8c3..4f321d3 100644 (file)
--- a/lib/libcrypto/ec/ec_mult.c
+++ b/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.22 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.23 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
  */
@@ -301,7 +301,7 @@ compute_wNAF(const BIGNUM * scalar, int w, size_t * ret_len)
        len = j;
        ok = 1;
 
- err:
+err:
        if (!ok) {
                free(r);
                r = NULL;
@@ -678,7 +678,7 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 
        ret = 1;
 
- err:
+err:
        BN_CTX_free(new_ctx);
        EC_POINT_free(tmp);
        free(wsize);
@@ -857,7 +857,7 @@ ec_wNAF_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
        pre_comp = NULL;
 
        ret = 1;
- err:
+err:
        if (ctx != NULL)
                BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);

diff --git a/lib/libcrypto/ec/eck_prn.c b/lib/libcrypto/ec/eck_prn.c
index 0291de9..7c0db42 100644 (file)
--- a/lib/libcrypto/ec/eck_prn.c
+++ b/lib/libcrypto/ec/eck_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eck_prn.c,v 1.13 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: eck_prn.c,v 1.14 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -321,7 +321,7 @@ ECPKParameters_print(BIO * bp, const EC_GROUP * x, int off)
                        goto err;
        }
        ret = 1;
- err:
+err:
        if (!ret)
                ECerror(reason);
        BN_free(p);

diff --git a/lib/libcrypto/ec/ecp_mont.c b/lib/libcrypto/ec/ecp_mont.c
index 302f833..03e594d 100644 (file)
--- a/lib/libcrypto/ec/ecp_mont.c
+++ b/lib/libcrypto/ec/ecp_mont.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_mont.c,v 1.13 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_mont.c,v 1.14 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -102,9 +102,6 @@ EC_GFp_mont_method(void)
                .point_cmp = ec_GFp_simple_cmp,
                .make_affine = ec_GFp_simple_make_affine,
                .points_make_affine = ec_GFp_simple_points_make_affine,
-               .mul_generator_ct = ec_GFp_simple_mul_generator_ct,
-               .mul_single_ct = ec_GFp_simple_mul_single_ct,
-               .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
                .field_mul = ec_GFp_mont_field_mul,
                .field_sqr = ec_GFp_mont_field_sqr,
                .field_encode = ec_GFp_mont_field_encode,
@@ -175,7 +172,7 @@ ec_GFp_mont_group_copy(EC_GROUP * dest, const EC_GROUP * src)
        }
        return 1;
 
- err:
+err:
        if (dest->field_data1 != NULL) {
                BN_MONT_CTX_free(dest->field_data1);
                dest->field_data1 = NULL;
@@ -228,7 +225,7 @@ ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
                BN_free(group->field_data2);
                group->field_data2 = NULL;
        }
- err:
+err:
        BN_CTX_free(new_ctx);
        BN_MONT_CTX_free(mont);
        BN_free(one);

diff --git a/lib/libcrypto/ec/ecp_nist.c b/lib/libcrypto/ec/ecp_nist.c
index 8aa9f49..027a07d 100644 (file)
--- a/lib/libcrypto/ec/ecp_nist.c
+++ b/lib/libcrypto/ec/ecp_nist.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nist.c,v 1.11 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_nist.c,v 1.12 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -151,7 +151,7 @@ ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p,
 
        ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
 
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -179,7 +179,7 @@ ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
                goto err;
 
        ret = 1;
- err:
+err:
        BN_CTX_free(ctx_new);
        return ret;
 }
@@ -206,7 +206,7 @@ ec_GFp_nist_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a,
                goto err;
 
        ret = 1;
- err:
+err:
        BN_CTX_free(ctx_new);
        return ret;
 }

diff --git a/lib/libcrypto/ec/ecp_nistp224.c b/lib/libcrypto/ec/ecp_nistp224.c
index 3921508..1ba8cb0 100644 (file)
--- a/lib/libcrypto/ec/ecp_nistp224.c
+++ b/lib/libcrypto/ec/ecp_nistp224.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp224.c,v 1.20 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_nistp224.c,v 1.21 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Emilia Kasper (Google) for the OpenSSL project.
  */
@@ -1281,7 +1281,7 @@ ec_GFp_nistp224_group_set_curve(EC_GROUP * group, const BIGNUM * p,
        }
        group->field_mod_func = BN_nist_mod_224;
        ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -1537,7 +1537,7 @@ ec_GFp_nistp224_points_mul(const EC_GROUP * group, EC_POINT * r,
        }
        ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
 
- err:
+err:
        BN_CTX_end(ctx);
        EC_POINT_free(generator);
        BN_CTX_free(new_ctx);
@@ -1666,7 +1666,7 @@ ec_GFp_nistp224_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
                goto err;
        ret = 1;
        pre = NULL;
- err:
+err:
        BN_CTX_end(ctx);
        EC_POINT_free(generator);
        BN_CTX_free(new_ctx);

diff --git a/lib/libcrypto/ec/ecp_nistp256.c b/lib/libcrypto/ec/ecp_nistp256.c
index 7046dce..3b0784f 100644 (file)
--- a/lib/libcrypto/ec/ecp_nistp256.c
+++ b/lib/libcrypto/ec/ecp_nistp256.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp256.c,v 1.19 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_nistp256.c,v 1.20 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Adam Langley (Google) for the OpenSSL project
  */
@@ -1830,7 +1830,7 @@ ec_GFp_nistp256_group_set_curve(EC_GROUP * group, const BIGNUM * p,
        }
        group->field_mod_func = BN_nist_mod_256;
        ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -2090,7 +2090,7 @@ ec_GFp_nistp256_points_mul(const EC_GROUP * group, EC_POINT * r,
        }
        ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
 
- err:
+err:
        BN_CTX_end(ctx);
        EC_POINT_free(generator);
        BN_CTX_free(new_ctx);
@@ -2213,7 +2213,7 @@ ec_GFp_nistp256_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
                goto err;
        ret = 1;
        pre = NULL;
- err:
+err:
        BN_CTX_end(ctx);
        EC_POINT_free(generator);
        BN_CTX_free(new_ctx);

diff --git a/lib/libcrypto/ec/ecp_nistp521.c b/lib/libcrypto/ec/ecp_nistp521.c
index 7c20daa..823e7a0 100644 (file)
--- a/lib/libcrypto/ec/ecp_nistp521.c
+++ b/lib/libcrypto/ec/ecp_nistp521.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp521.c,v 1.20 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_nistp521.c,v 1.21 2018/07/15 05:38:48 jsg Exp $ */
 /*
  * Written by Adam Langley (Google) for the OpenSSL project
  */
@@ -1721,7 +1721,7 @@ ec_GFp_nistp521_group_set_curve(EC_GROUP * group, const BIGNUM * p,
        }
        group->field_mod_func = BN_nist_mod_521;
        ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -1979,7 +1979,7 @@ ec_GFp_nistp521_points_mul(const EC_GROUP * group, EC_POINT * r,
        }
        ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
 
- err:
+err:
        BN_CTX_end(ctx);
        EC_POINT_free(generator);
        BN_CTX_free(new_ctx);
@@ -2088,7 +2088,7 @@ ec_GFp_nistp521_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
                goto err;
        ret = 1;
        pre = NULL;
- err:
+err:
        BN_CTX_end(ctx);
        EC_POINT_free(generator);
        BN_CTX_free(new_ctx);

diff --git a/lib/libcrypto/ec/ecp_nistz256.c b/lib/libcrypto/ec/ecp_nistz256.c
index 3d52938..71c2952 100644 (file)
--- a/lib/libcrypto/ec/ecp_nistz256.c
+++ b/lib/libcrypto/ec/ecp_nistz256.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ecp_nistz256.c,v 1.4 2018/07/10 22:06:14 tb Exp $     */
+/*     $OpenBSD: ecp_nistz256.c,v 1.5 2018/07/15 05:38:48 jsg Exp $    */
 /* Copyright (c) 2014, Intel Corporation.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -565,7 +565,7 @@ ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
        }
 
        ret = 1;
- err:
+err:
        free(table);
        free(p_str);
        free(scalars);
@@ -712,7 +712,7 @@ ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx)
        ec_pre_comp = NULL;
        ret = 1;
 
- err:
+err:
        if (ctx != NULL)
                BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
@@ -985,7 +985,7 @@ ecp_nistz256_points_mul(const EC_GROUP *group, EC_POINT *r,
 
        ret = 1;
 
- err:
+err:
        if (ctx)
                BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);

diff --git a/lib/libcrypto/ec/ecp_oct.c b/lib/libcrypto/ec/ecp_oct.c
index da9eccf..3d50f70 100644 (file)
--- a/lib/libcrypto/ec/ecp_oct.c
+++ b/lib/libcrypto/ec/ecp_oct.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_oct.c,v 1.9 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_oct.c,v 1.10 2018/07/15 05:38:48 jsg Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project.
  * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -190,7 +190,7 @@ ec_GFp_simple_set_compressed_coordinates(const EC_GROUP * group,
 
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -294,7 +294,7 @@ ec_GFp_simple_point2oct(const EC_GROUP * group, const EC_POINT * point, point_co
        BN_CTX_free(new_ctx);
        return ret;
 
- err:
+err:
        if (used_ctx)
                BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
@@ -388,7 +388,7 @@ ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point,
        }
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;

diff --git a/lib/libcrypto/ec/ecp_smpl.c b/lib/libcrypto/ec/ecp_smpl.c
index 57e8345..1fe5530 100644 (file)
--- a/lib/libcrypto/ec/ecp_smpl.c
+++ b/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.19 2018/07/10 22:06:14 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.20 2018/07/15 05:38:48 jsg Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project.
  * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -103,9 +103,6 @@ EC_GFp_simple_method(void)
                .point_cmp = ec_GFp_simple_cmp,
                .make_affine = ec_GFp_simple_make_affine,
                .points_make_affine = ec_GFp_simple_points_make_affine,
-               .mul_generator_ct = ec_GFp_simple_mul_generator_ct,
-               .mul_single_ct = ec_GFp_simple_mul_single_ct,
-               .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
                .field_mul = ec_GFp_simple_field_mul,
                .field_sqr = ec_GFp_simple_field_sqr
        };
@@ -223,7 +220,7 @@ ec_GFp_simple_group_set_curve(EC_GROUP * group,
 
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -268,7 +265,7 @@ ec_GFp_simple_group_get_curve(const EC_GROUP * group, BIGNUM * p, BIGNUM * a, BI
        }
        ret = 1;
 
- err:
+err:
        BN_CTX_free(new_ctx);
        return ret;
 }
@@ -349,7 +346,7 @@ ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx)
        }
        ret = 1;
 
- err:
+err:
        if (ctx != NULL)
                BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
@@ -459,7 +456,7 @@ ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP * group, EC_POINT *
        }
        ret = 1;
 
- err:
+err:
        BN_CTX_free(new_ctx);
        return ret;
 }
@@ -507,7 +504,7 @@ ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP * group, const EC_P
 
        ret = 1;
 
- err:
+err:
        BN_CTX_free(new_ctx);
        return ret;
 }
@@ -627,7 +624,7 @@ ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POIN
 
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -814,7 +811,7 @@ ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, cons
 
        ret = 1;
 
- end:
+end:
        if (ctx)                /* otherwise we already called BN_CTX_end */
                BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
@@ -957,7 +954,7 @@ ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_C
 
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -1078,7 +1075,7 @@ ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX
 
        ret = (0 == BN_ucmp(tmp, rh));
 
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -1180,7 +1177,7 @@ ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b
        /* points are equal */
        ret = 0;
 
- end:
+end:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -1218,7 +1215,7 @@ ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx
        }
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        return ret;
@@ -1383,7 +1380,7 @@ ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT *
 
        ret = 1;
 
- err:
+err:
        BN_CTX_end(ctx);
        BN_CTX_free(new_ctx);
        if (heap != NULL) {
@@ -1412,248 +1409,3 @@ ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN
 {
        return BN_mod_sqr(r, a, &group->field, ctx);
 }
-
-#define EC_POINT_BN_set_flags(P, flags) do {                           \
-       BN_set_flags(&(P)->X, (flags));                                 \
-       BN_set_flags(&(P)->Y, (flags));                                 \
-       BN_set_flags(&(P)->Z, (flags));                                 \
-} while(0)
-
-#define EC_POINT_CSWAP(c, a, b, w, t) do {                             \
-       if (!BN_swap_ct(c, &(a)->X, &(b)->X, w) ||                      \
-           !BN_swap_ct(c, &(a)->Y, &(b)->Y, w) ||                      \
-           !BN_swap_ct(c, &(a)->Z, &(b)->Z, w))                        \
-               goto err;                                               \
-       t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c);                      \
-       (a)->Z_is_one ^= (t);                                           \
-       (b)->Z_is_one ^= (t);                                           \
-} while(0)
-
-/*
- * This function computes (in constant time) a point multiplication over the
- * EC group.
- *
- * At a high level, it is Montgomery ladder with conditional swaps.
- *
- * It performs either a fixed point multiplication
- *          (scalar * generator)
- * when point is NULL, or a variable point multiplication
- *          (scalar * point)
- * when point is not NULL.
- *
- * scalar should be in the range [0,n) otherwise all constant time bets are off.
- *
- * NB: This says nothing about EC_POINT_add and EC_POINT_dbl,
- * which of course are not constant time themselves.
- *
- * The product is stored in r.
- *
- * Returns 1 on success, 0 otherwise.
- */
-static int
-ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
-    const EC_POINT *point, BN_CTX *ctx)
-{
-       int i, cardinality_bits, group_top, kbit, pbit, Z_is_one;
-       EC_POINT *s = NULL;
-       BIGNUM *k = NULL;
-       BIGNUM *lambda = NULL;
-       BIGNUM *cardinality = NULL;
-       BN_CTX *new_ctx = NULL;
-       int ret = 0;
-
-       if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL)
-               return 0;
-
-       BN_CTX_start(ctx);
-
-       if ((s = EC_POINT_new(group)) == NULL)
-               goto err;
-
-       if (point == NULL) {
-               if (!EC_POINT_copy(s, group->generator))
-                       goto err;
-       } else {
-               if (!EC_POINT_copy(s, point))
-                       goto err;
-       }
-
-       EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME);
-
-       if ((cardinality = BN_CTX_get(ctx)) == NULL)
-               goto err;
-       if ((lambda = BN_CTX_get(ctx)) == NULL)
-               goto err;
-       if ((k = BN_CTX_get(ctx)) == NULL)
-               goto err;
-       if (!BN_mul(cardinality, &group->order, &group->cofactor, ctx))
-               goto err;
-
-       /*
-        * Group cardinalities are often on a word boundary.
-        * So when we pad the scalar, some timing diff might
-        * pop if it needs to be expanded due to carries.
-        * So expand ahead of time.
-        */
-       cardinality_bits = BN_num_bits(cardinality);
-       group_top = cardinality->top;
-       if ((bn_wexpand(k, group_top + 1) == NULL) ||
-           (bn_wexpand(lambda, group_top + 1) == NULL))
-               goto err;
-
-       if (!BN_copy(k, scalar))
-               goto err;
-
-       BN_set_flags(k, BN_FLG_CONSTTIME);
-
-       if (BN_num_bits(k) > cardinality_bits || BN_is_negative(k)) {
-               /*
-                * This is an unusual input, and we don't guarantee
-                * constant-timeness
-                */
-               if (!BN_nnmod(k, k, cardinality, ctx))
-                       goto err;
-       }
-
-       if (!BN_add(lambda, k, cardinality))
-               goto err;
-       BN_set_flags(lambda, BN_FLG_CONSTTIME);
-       if (!BN_add(k, lambda, cardinality))
-               goto err;
-       /*
-        * lambda := scalar + cardinality
-        * k := scalar + 2*cardinality
-        */
-       kbit = BN_is_bit_set(lambda, cardinality_bits);
-       if (!BN_swap_ct(kbit, k, lambda, group_top + 1))
-               goto err;
-
-       group_top = group->field.top;
-       if ((bn_wexpand(&s->X, group_top) == NULL) ||
-           (bn_wexpand(&s->Y, group_top) == NULL) ||
-           (bn_wexpand(&s->Z, group_top) == NULL) ||
-           (bn_wexpand(&r->X, group_top) == NULL) ||
-           (bn_wexpand(&r->Y, group_top) == NULL) ||
-           (bn_wexpand(&r->Z, group_top) == NULL))
-               goto err;
-
-       /* top bit is a 1, in a fixed pos */
-       if (!EC_POINT_copy(r, s))
-               goto err;
-
-       EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME);
-
-       if (!EC_POINT_dbl(group, s, s, ctx))
-               goto err;
-
-       pbit = 0;
-
-       /*
-        * The ladder step, with branches, is
-        *
-        * k[i] == 0: S = add(R, S), R = dbl(R)
-        * k[i] == 1: R = add(S, R), S = dbl(S)
-        *
-        * Swapping R, S conditionally on k[i] leaves you with state
-        *
-        * k[i] == 0: T, U = R, S
-        * k[i] == 1: T, U = S, R
-        *
-        * Then perform the ECC ops.
-        *
-        * U = add(T, U)
-        * T = dbl(T)
-        *
-        * Which leaves you with state
-        *
-        * k[i] == 0: U = add(R, S), T = dbl(R)
-        * k[i] == 1: U = add(S, R), T = dbl(S)
-        *
-        * Swapping T, U conditionally on k[i] leaves you with state
-        *
-        * k[i] == 0: R, S = T, U
-        * k[i] == 1: R, S = U, T
-        *
-        * Which leaves you with state
-        *
-        * k[i] == 0: S = add(R, S), R = dbl(R)
-        * k[i] == 1: R = add(S, R), S = dbl(S)
-        *
-        * So we get the same logic, but instead of a branch it's a
-        * conditional swap, followed by ECC ops, then another conditional swap.
-        *
-        * Optimization: The end of iteration i and start of i-1 looks like
-        *
-        * ...
-        * CSWAP(k[i], R, S)
-        * ECC
-        * CSWAP(k[i], R, S)
-        * (next iteration)
-        * CSWAP(k[i-1], R, S)
-        * ECC
-        * CSWAP(k[i-1], R, S)
-        * ...
-        *
-        * So instead of two contiguous swaps, you can merge the condition
-        * bits and do a single swap.
-        *
-        * k[i]   k[i-1]    Outcome
-        * 0      0         No Swap
-        * 0      1         Swap
-        * 1      0         Swap
-        * 1      1         No Swap
-        *
-        * This is XOR. pbit tracks the previous bit of k.
-        */
-
-       for (i = cardinality_bits - 1; i >= 0; i--) {
-               kbit = BN_is_bit_set(k, i) ^ pbit;
-               EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one);
-               if (!EC_POINT_add(group, s, r, s, ctx))
-                       goto err;
-               if (!EC_POINT_dbl(group, r, r, ctx))
-                       goto err;
-               /*
-                * pbit logic merges this cswap with that of the
-                * next iteration
-                */
-               pbit ^= kbit;
-       }
-       /* one final cswap to move the right value into r */
-       EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one);
-       
-       ret = 1;
-
- err:
-       EC_POINT_free(s);
-       if (ctx != NULL)
-               BN_CTX_end(ctx);
-       BN_CTX_free(new_ctx);
-
-       return ret;
-}
-
-#undef EC_POINT_BN_set_flags
-#undef EC_POINT_CSWAP
-
-int
-ec_GFp_simple_mul_generator_ct(const EC_GROUP *group, EC_POINT *r,
-    const BIGNUM *scalar, BN_CTX *ctx)
-{
-       return ec_GFp_simple_mul_ct(group, r, scalar, NULL, ctx);
-}
-
-int
-ec_GFp_simple_mul_single_ct(const EC_GROUP *group, EC_POINT *r,
-    const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx)
-{
-       return ec_GFp_simple_mul_ct(group, r, scalar, point, ctx);
-}
-
-int
-ec_GFp_simple_mul_double_nonct(const EC_GROUP *group, EC_POINT *r,
-    const BIGNUM *g_scalar, const BIGNUM *p_scalar, const EC_POINT *point,
-    BN_CTX *ctx)
-{
-       return ec_wNAF_mul(group, r, g_scalar, 1, &point, &p_scalar, ctx);
-}

diff --git a/lib/libcrypto/man/EC_POINT_add.3 b/lib/libcrypto/man/EC_POINT_add.3
index e2a33b6..a9ad556 100644 (file)
--- a/lib/libcrypto/man/EC_POINT_add.3
+++ b/lib/libcrypto/man/EC_POINT_add.3
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: EC_POINT_add.3,v 1.9 2018/07/11 08:42:38 tb Exp $
+.\"    $OpenBSD: EC_POINT_add.3,v 1.10 2018/07/15 05:38:48 jsg Exp $
 .\"    OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 11 2018 $
+.Dd $Mdocdate: July 15 2018 $
 .Dt EC_POINT_ADD 3
 .Os
 .Sh NAME
@@ -217,30 +217,12 @@ The value
 .Fa n
 may be
 .Dv NULL ,
-in which case the result is just
+in which case the result is just q * m.
 .Pp
-.Dl q * m.
-.Pp
-.Fn EC_POINTs_mul
-only supports the values 0 and 1 for
-.Fa num .
-If it is 1, then
 .Fn EC_POINTs_mul
 calculates the value
 .Pp
-.Dl generator * n + q[0] * m[0].
-.Pp
-If
-.Fa num
-is 0 then
-.Fa q
-and
-.Fa m
-must be
-.Dv NULL ,
-and the result is just
-.Pp
-.Dl generator * n .
+.Dl generator * n + q[0] * m[0] + ... + q[num-1] * m[num-1]
 .Pp
 As for
 .Fn EC_POINT_mul ,