* and contributed to the OpenSSL project.
*/
-#include <string.h>
+
+#include <string.h>
#include <openssl/err.h>
+#include "internal/bn_int.h"
#include "ec_lcl.h"
EC_POINT **p;
for (p = pre->points; *p != NULL; p++)
+ {
EC_POINT_clear_free(*p);
- OPENSSL_cleanse(pre->points, sizeof pre->points);
+ OPENSSL_cleanse(p, sizeof *p);
+ }
OPENSSL_free(pre->points);
}
- OPENSSL_cleanse(pre, sizeof pre);
+ OPENSSL_cleanse(pre, sizeof *pre);
OPENSSL_free(pre);
}
-/* Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
- * This is an array r[] of values that are either zero or odd with an
- * absolute value less than 2^w satisfying
- * scalar = \sum_j r[j]*2^j
- * where at most one of any w+1 consecutive digits is non-zero
- * with the exception that the most significant digit may be only
- * w-1 zeros away from that next non-zero digit.
- */
-static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
- {
- int window_val;
- int ok = 0;
- signed char *r = NULL;
- int sign = 1;
- int bit, next_bit, mask;
- size_t len = 0, j;
-
- if (BN_is_zero(scalar))
- {
- r = OPENSSL_malloc(1);
- if (!r)
- {
- ECerr(EC_F_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- r[0] = 0;
- *ret_len = 1;
- return r;
- }
-
- if (w <= 0 || w > 7) /* 'signed char' can represent integers with absolute values less than 2^7 */
- {
- ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- bit = 1 << w; /* at most 128 */
- next_bit = bit << 1; /* at most 256 */
- mask = next_bit - 1; /* at most 255 */
-
- if (BN_is_negative(scalar))
- {
- sign = -1;
- }
-
- if (scalar->d == NULL || scalar->top == 0)
- {
- ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- len = BN_num_bits(scalar);
- r = OPENSSL_malloc(len + 1); /* modified wNAF may be one digit longer than binary representation
- * (*ret_len will be set to the actual length, i.e. at most
- * BN_num_bits(scalar) + 1) */
- if (r == NULL)
- {
- ECerr(EC_F_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- window_val = scalar->d[0] & mask;
- j = 0;
- while ((window_val != 0) || (j + w + 1 < len)) /* if j+w+1 >= len, window_val will not increase */
- {
- int digit = 0;
-
- /* 0 <= window_val <= 2^(w+1) */
- if (window_val & 1)
- {
- /* 0 < window_val < 2^(w+1) */
-
- if (window_val & bit)
- {
- digit = window_val - next_bit; /* -2^w < digit < 0 */
-
-#if 1 /* modified wNAF */
- if (j + w + 1 >= len)
- {
- /* special case for generating modified wNAFs:
- * no new bits will be added into window_val,
- * so using a positive digit here will decrease
- * the total length of the representation */
-
- digit = window_val & (mask >> 1); /* 0 < digit < 2^w */
- }
-#endif
- }
- else
- {
- digit = window_val; /* 0 < digit < 2^w */
- }
-
- if (digit <= -bit || digit >= bit || !(digit & 1))
- {
- ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- window_val -= digit;
-
- /* now window_val is 0 or 2^(w+1) in standard wNAF generation;
- * for modified window NAFs, it may also be 2^w
- */
- if (window_val != 0 && window_val != next_bit && window_val != bit)
- {
- ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
-
- r[j++] = sign * digit;
-
- window_val >>= 1;
- window_val += bit * BN_is_bit_set(scalar, j + w);
-
- if (window_val > next_bit)
- {
- ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
-
- if (j > len + 1)
- {
- ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- len = j;
- ok = 1;
-
- err:
- if (!ok)
- {
- OPENSSL_free(r);
- r = NULL;
- }
- if (ok)
- *ret_len = len;
- return r;
- }
/* TODO: table should be optimised for the wNAF-based implementation,
if (numblocks > pre_comp->numblocks)
numblocks = pre_comp->numblocks;
- pre_points_per_block = 1u << (pre_comp->w - 1);
+ pre_points_per_block = (size_t)1 << (pre_comp->w - 1);
/* check that pre_comp looks sane */
if (pre_comp->num != (pre_comp->numblocks * pre_points_per_block))
wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]);
wNAF = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]); /* includes space for pivot */
val_sub = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
-
+
+ /* Ensure wNAF is initialised in case we end up going to err */
+ if (wNAF) wNAF[0] = NULL; /* preliminary pivot */
+
if (!wsize || !wNAF_len || !wNAF || !val_sub)
{
ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
goto err;
}
- wNAF[0] = NULL; /* preliminary pivot */
-
/* num_val will be the total number of temporarily precomputed points */
num_val = 0;
bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
wsize[i] = EC_window_bits_for_scalar_size(bits);
- num_val += 1u << (wsize[i] - 1);
+ num_val += (size_t)1 << (wsize[i] - 1);
wNAF[i + 1] = NULL; /* make sure we always have a pivot */
- wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]);
+ wNAF[i] = bn_compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]);
if (wNAF[i] == NULL)
goto err;
if (wNAF_len[i] > max_len)
/* use the window size for which we have precomputation */
wsize[num] = pre_comp->w;
- tmp_wNAF = compute_wNAF(scalar, wsize[num], &tmp_len);
+ tmp_wNAF = bn_compute_wNAF(scalar, wsize[num], &tmp_len);
if (!tmp_wNAF)
goto err;
for (i = 0; i < num + num_scalar; i++)
{
val_sub[i] = v;
- for (j = 0; j < (1u << (wsize[i] - 1)); j++)
+ for (j = 0; j < ((size_t)1 << (wsize[i] - 1)); j++)
{
*v = EC_POINT_new(group);
if (*v == NULL) goto err;
if (!(tmp = EC_POINT_new(group)))
goto err;
- /* prepare precomputed values:
+ /*-
+ * prepare precomputed values:
* val_sub[i][0] := points[i]
* val_sub[i][1] := 3 * points[i]
* val_sub[i][2] := 5 * points[i]
if (wsize[i] > 1)
{
if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx)) goto err;
- for (j = 1; j < (1u << (wsize[i] - 1)); j++)
+ for (j = 1; j < ((size_t)1 << (wsize[i] - 1)); j++)
{
if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) goto err;
}
}
-/* ec_wNAF_precompute_mult()
+/*-
+ * ec_wNAF_precompute_mult()
* creates an EC_PRE_COMP object with preprecomputed multiples of the generator
* for use with wNAF splitting as implemented in ec_wNAF_mul().
*
numblocks = (bits + blocksize - 1) / blocksize; /* max. number of blocks to use for wNAF splitting */
- pre_points_per_block = 1u << (w - 1);
+ pre_points_per_block = (size_t)1 << (w - 1);
num = pre_points_per_block * numblocks; /* number of points to compute and store */
points = OPENSSL_malloc(sizeof (EC_POINT*)*(num + 1));