From 36bed230b580f92d2e10d13e4ba472236e622562 Mon Sep 17 00:00:00 2001
From: Nicola Tuveri <nic.tuv@gmail.com>
Date: Thu, 19 Apr 2018 12:43:33 +0000
Subject: [PATCH] Address code style comments

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
---
 crypto/ec/ec_mult.c | 64 +++++++++++++++++++++++----------------------
 1 file changed, 33 insertions(+), 31 deletions(-)

diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 1b9a4cf2ae..c79db46c72 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -101,7 +101,7 @@ void EC_ec_pre_comp_free(EC_PRE_COMP *pre)
     OPENSSL_free(pre);
 }
 
-#define EC_POINT_set_flags(P, flags) do { \
+#define EC_POINT_BN_set_flags(P, flags) do { \
     BN_set_flags((P)->X, (flags)); \
     BN_set_flags((P)->Y, (flags)); \
     BN_set_flags((P)->Z, (flags)); \
@@ -129,16 +129,15 @@ void EC_ec_pre_comp_free(EC_PRE_COMP *pre)
 static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
                             const EC_POINT *point, BN_CTX *ctx)
 {
-    int i, order_bits, group_top, kbit, pbit, Z_is_one, ret;
-    ret = 0;
+    int i, order_bits, group_top, kbit, pbit, Z_is_one;
     EC_POINT *s = NULL;
     BIGNUM *k = NULL;
     BIGNUM *lambda = NULL;
     BN_CTX *new_ctx = NULL;
+    int ret = 0;
 
-    if (ctx == NULL)
-        if ((ctx = new_ctx = BN_CTX_secure_new()) == NULL)
-            return 0;
+    if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
+        goto err;
 
     if ((group->order == NULL) || (group->field == NULL))
         goto err;
@@ -159,7 +158,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, const BIGNUM *sc
             goto err;
     }
 
-    EC_POINT_set_flags(s, BN_FLG_CONSTTIME);
+    EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME);
 
     BN_CTX_start(ctx);
     lambda = BN_CTX_get(ctx);
@@ -217,7 +216,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, const BIGNUM *sc
     if (!EC_POINT_copy(r, s))
         goto err;
 
-    EC_POINT_set_flags(r, BN_FLG_CONSTTIME);
+    EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME);
 
     if (!EC_POINT_dbl(group, s, s, ctx))
         goto err;
@@ -259,7 +258,7 @@ err:
 
     return ret;
 }
-#undef EC_POINT_set_flags
+#undef EC_POINT_BN_set_flags
 
 /*
  * TODO: table should be optimised for the wNAF-based implementation,
@@ -286,28 +285,6 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
                 size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
                 BN_CTX *ctx)
 {
-    if ((scalar != NULL) && (num == 0)) {
-        /* In this case we want to compute scalar * GeneratorPoint:
-         * this codepath is reached most prominently by (ephemeral) key
-         * generation of EC cryptosystems (i.e. ECDSA keygen and sign setup,
-         * ECDH keygen/first half), where the scalar is always secret.
-         * This is why we ignore if BN_FLG_CONSTTIME is actually set and we
-         * always call the constant time version.
-         */
-        return ec_mul_consttime(group, r, scalar, NULL, ctx);
-    }
-
-    if ((scalar == NULL) && (num == 1)) {
-        /* In this case we want to compute scalar * GenericPoint:
-         * this codepath is reached most prominently by the second half of
-         * ECDH, where the secret scalar is multiplied by the peer's public
-         * point.
-         * To protect the secret scalar, we ignore if BN_FLG_CONSTTIME is
-         * actually set and we always call the constant time version.
-         */
-        return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
-    }
-
     BN_CTX *new_ctx = NULL;
     const EC_POINT *generator = NULL;
     EC_POINT *tmp = NULL;
@@ -333,6 +310,31 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
                                  * precomputation is not available */
     int ret = 0;
 
+    /* Handle the common cases where the scalar is secret, enforcing a
+     * constant time scalar multiplication algorithm.
+     */
+    if ((scalar != NULL) && (num == 0)) {
+        /* In this case we want to compute scalar * GeneratorPoint:
+         * this codepath is reached most prominently by (ephemeral) key
+         * generation of EC cryptosystems (i.e. ECDSA keygen and sign setup,
+         * ECDH keygen/first half), where the scalar is always secret.
+         * This is why we ignore if BN_FLG_CONSTTIME is actually set and we
+         * always call the constant time version.
+         */
+        return ec_mul_consttime(group, r, scalar, NULL, ctx);
+    }
+    if ((scalar == NULL) && (num == 1)) {
+        /* In this case we want to compute scalar * GenericPoint:
+         * this codepath is reached most prominently by the second half of
+         * ECDH, where the secret scalar is multiplied by the peer's public
+         * point.
+         * To protect the secret scalar, we ignore if BN_FLG_CONSTTIME is
+         * actually set and we always call the constant time version.
+         */
+        return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
+    }
+
+
     if (group->meth != r->meth) {
         ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
         return 0;
-- 
GitLab