|
@@ -121,6 +121,9 @@ void EC_ec_pre_comp_free(EC_PRE_COMP *pre)
|
|
|
* `scalar` cannot be NULL and should be in the range [0,n) otherwise all
|
|
|
* constant time bets are off (where n is the cardinality of the EC group).
|
|
|
*
|
|
|
+ * This function expects `group->order` and `group->cardinality` to be well
|
|
|
+ * defined and non-zero: it fails with an error code otherwise.
|
|
|
+ *
|
|
|
* NB: This says nothing about the constant-timeness of the ladder step
|
|
|
* implementation (i.e., the default implementation is based on EC_POINT_add and
|
|
|
* EC_POINT_dbl, which of course are not constant time themselves) or the
|
|
@@ -128,9 +131,11 @@ void EC_ec_pre_comp_free(EC_PRE_COMP *pre)
|
|
|
*
|
|
|
* The product is stored in `r`.
|
|
|
*
|
|
|
+ * This is an internal function: callers are in charge of ensuring that the
|
|
|
+ * input parameters `group`, `r`, `scalar` and `ctx` are not NULL.
|
|
|
+ *
|
|
|
* Returns 1 on success, 0 otherwise.
|
|
|
*/
|
|
|
-static
|
|
|
int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
|
|
|
const BIGNUM *scalar, const EC_POINT *point,
|
|
|
BN_CTX *ctx)
|
|
@@ -141,15 +146,20 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
|
|
|
BIGNUM *k = NULL;
|
|
|
BIGNUM *lambda = NULL;
|
|
|
BIGNUM *cardinality = NULL;
|
|
|
- BN_CTX *new_ctx = NULL;
|
|
|
int ret = 0;
|
|
|
|
|
|
/* early exit if the input point is the point at infinity */
|
|
|
if (point != NULL && EC_POINT_is_at_infinity(group, point))
|
|
|
return EC_POINT_set_to_infinity(group, r);
|
|
|
|
|
|
- if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
|
|
|
+ if (BN_is_zero(group->order)) {
|
|
|
+ ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_UNKNOWN_ORDER);
|
|
|
return 0;
|
|
|
+ }
|
|
|
+ if (BN_is_zero(group->cofactor)) {
|
|
|
+ ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_UNKNOWN_COFACTOR);
|
|
|
+ return 0;
|
|
|
+ }
|
|
|
|
|
|
BN_CTX_start(ctx);
|
|
|
|
|
@@ -370,7 +380,6 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
|
|
|
EC_POINT_free(p);
|
|
|
EC_POINT_free(s);
|
|
|
BN_CTX_end(ctx);
|
|
|
- BN_CTX_free(new_ctx);
|
|
|
|
|
|
return ret;
|
|
|
}
|
|
@@ -402,7 +411,6 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
|
|
|
size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
|
|
|
BN_CTX *ctx)
|
|
|
{
|
|
|
- BN_CTX *new_ctx = NULL;
|
|
|
const EC_POINT *generator = NULL;
|
|
|
EC_POINT *tmp = NULL;
|
|
|
size_t totalnum;
|
|
@@ -427,15 +435,6 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
|
|
|
* precomputation is not available */
|
|
|
int ret = 0;
|
|
|
|
|
|
- if (!ec_point_is_compat(r, group)) {
|
|
|
- ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
|
|
|
- return 0;
|
|
|
- }
|
|
|
-
|
|
|
- if ((scalar == NULL) && (num == 0)) {
|
|
|
- return EC_POINT_set_to_infinity(group, r);
|
|
|
- }
|
|
|
-
|
|
|
if (!BN_is_zero(group->order) && !BN_is_zero(group->cofactor)) {
|
|
|
/*-
|
|
|
* Handle the common cases where the scalar is secret, enforcing a
|
|
@@ -465,19 +464,6 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
|
|
|
}
|
|
|
}
|
|
|
|
|
|
- for (i = 0; i < num; i++) {
|
|
|
- if (!ec_point_is_compat(points[i], group)) {
|
|
|
- ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
|
|
|
- return 0;
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- if (ctx == NULL) {
|
|
|
- ctx = new_ctx = BN_CTX_new();
|
|
|
- if (ctx == NULL)
|
|
|
- goto err;
|
|
|
- }
|
|
|
-
|
|
|
if (scalar != NULL) {
|
|
|
generator = EC_GROUP_get0_generator(group);
|
|
|
if (generator == NULL) {
|
|
@@ -784,7 +770,6 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
|
|
|
ret = 1;
|
|
|
|
|
|
err:
|
|
|
- BN_CTX_free(new_ctx);
|
|
|
EC_POINT_free(tmp);
|
|
|
OPENSSL_free(wsize);
|
|
|
OPENSSL_free(wNAF_len);
|