commit 5058d7994805fe0b80e13728715b508af9ea6066
author Brian Smith <brian@briansmith.org> Thu Nov 12 15:29:57 2015 -1000
committer Adam Langley <agl@google.com> Thu Nov 19 00:23:14 2015 +0000
tree 0d35ccc4601270faf8fff41a49aef41f80b29b92
parent b1b6229fc825be66c8599c051c4e0f196c1a87e1

Remove p224-64 and p256-64 dead code for non-default generators.

This extends 9f1f04f31359330702451bc74ab98dca3abca602 to the other
implementations.

|EC_GFp_nistp224_method| and |EC_GFp_nistp256_method| are not marked
|OPENSSL_EXPORT|. |EC_GROUP_set_generator| doesn't allow the generator
to be changed for any |EC_GROUP| for built-in curves. Consequently,
there's no way (except some kind of terrible abuse) that this code
could be executed with a non-default generator.

Change-Id: I5d9b6be4e6f9d384159cb3d708390a8e3c69f23f
Reviewed-on: https://boringssl-review.googlesource.com/6489
Reviewed-by: Adam Langley <agl@google.com>

crypto/ec/p256-64.c

diff --git a/crypto/ec/p256-64.c b/crypto/ec/p256-64.c
index 2adcd6b..74d0f84 100644
--- a/crypto/ec/p256-64.c
+++ b/crypto/ec/p256-64.c
@@ -1312,8 +1312,8 @@
  *
  * Tables for other points have table[i] = iG for i in 0 .. 16. */
 
-/* gmul is the table of precomputed base points */
-static const smallfelem gmul[2][16][3] = {
+/* g_pre_comp is the table of precomputed base points */
+static const smallfelem g_pre_comp[2][16][3] = {
     {{{0, 0, 0, 0}, {0, 0, 0, 0}, {0, 0, 0, 0}},
      {{0xf4a13945d898c296, 0x77037d812deb33a0, 0xf8bce6e563a440f2,
        0x6b17d1f2e12c4247},
@@ -1505,8 +1505,7 @@
 static void batch_mul(felem x_out, felem y_out, felem z_out,
                       const felem_bytearray scalars[],
                       const unsigned num_points, const u8 *g_scalar,
-                      const int mixed, const smallfelem pre_comp[][17][3],
-                      const smallfelem g_pre_comp[2][16][3]) {
+                      const int mixed, const smallfelem pre_comp[][17][3]) {
   int i, skip;
   unsigned num, gen_mul = (g_scalar != NULL);
   felem nq[3], ftmp;
@@ -1598,11 +1597,6 @@
   felem_assign(z_out, nq[2]);
 }
 
-/* Precomputation for the group generator. */
-typedef struct {
-  smallfelem g_pre_comp[2][16][3];
-} NISTP256_PRE_COMP;
-
 /******************************************************************************/
 /*
  * OPENSSL EC_METHOD FUNCTIONS
@@ -1724,12 +1718,9 @@
   smallfelem *tmp_smallfelems = NULL;
   felem_bytearray tmp;
   unsigned i, num_bytes;
-  int have_pre_comp = 0;
   size_t num_points = num;
   smallfelem x_in, y_in, z_in;
   felem x_out, y_out, z_out;
-  const smallfelem(*g_pre_comp)[16][3] = NULL;
-  EC_POINT *generator = NULL;
   const EC_POINT *p = NULL;
   const BIGNUM *p_scalar = NULL;
 
@@ -1748,34 +1739,6 @@
     goto err;
   }
 
-  if (scalar != NULL) {
-    /* try to use the standard precomputation */
-    g_pre_comp = &gmul[0];
-    generator = EC_POINT_new(group);
-    if (generator == NULL) {
-      goto err;
-    }
-    /* get the generator from precomputation */
-    if (!smallfelem_to_BN(x, g_pre_comp[0][1][0]) ||
-        !smallfelem_to_BN(y, g_pre_comp[0][1][1]) ||
-        !smallfelem_to_BN(z, g_pre_comp[0][1][2])) {
-      OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
-      goto err;
-    }
-    if (!ec_point_set_Jprojective_coordinates_GFp(group, generator, x, y, z,
-                                                  ctx)) {
-      goto err;
-    }
-    if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) {
-      /* precomputation matches generator */
-      have_pre_comp = 1;
-    } else {
-      /* we don't have valid precomputation: treat the generator as a
-       * random point. */
-      num_points++;
-    }
-  }
-
   if (num_points > 0) {
     if (num_points >= 3) {
       /* unless we precompute multiples for just one or two points,
@@ -1852,7 +1815,7 @@
   }
 
   /* the scalar for the generator */
-  if (scalar != NULL && have_pre_comp) {
+  if (scalar != NULL) {
     memset(g_secret, 0, sizeof(g_secret));
     /* reduce scalar to 0 <= scalar < 2^256 */
     if (BN_num_bits(scalar) > 256 || BN_is_negative(scalar)) {
@@ -1867,16 +1830,10 @@
       num_bytes = BN_bn2bin(scalar, tmp);
     }
     flip_endian(g_secret, tmp, num_bytes);
-    /* do the multiplication with generator precomputation */
-    batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets,
-              num_points, g_secret, mixed, (const smallfelem(*)[17][3])pre_comp,
-              g_pre_comp);
-  } else {
-    /* do the multiplication without generator precomputation */
-    batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets,
-              num_points, NULL, mixed, (const smallfelem(*)[17][3])pre_comp,
-              NULL);
   }
+  batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets,
+            num_points, scalar != NULL ? g_secret : NULL, mixed,
+            (const smallfelem(*)[17][3])pre_comp);
 
   /* reduce the output to its unique minimal representation */
   felem_contract(x_in, x_out);
@@ -1892,7 +1849,6 @@
 
 err:
   BN_CTX_end(ctx);
-  EC_POINT_free(generator);
   BN_CTX_free(new_ctx);
   OPENSSL_free(secrets);
   OPENSSL_free(pre_comp);