| Commit | Date | Message | Author | CI |
|---|---|---|---|---|
| 27854fe4 | 2025-05-10 05:54:38 | Use err_local.h rather than err.h in most places ok jsing | ||
| 7639f023 | 2025-05-04 05:10:14 | Remove the X9.62 prime239v{1,2,3} curves While RFC 3279 allows these curves for use in X.509 certificates (*), no one actually does this. Certs using these curves cannot be used for TLS and the curves aren't accepted by FIPS either. codesearch shows no actual uses of these curves, only their OIDs are listed. At this point these have become useless historical baggage. ok jsing (*) Of the 27 curves listed in RFC 3279 the only one that seems to have seen actual use in certificates is P-256. | ||
| 8077efd2 | 2025-05-04 04:57:48 | Move P-256 where it belongs ok jsing | ||
| 53b64951 | 2025-05-03 10:15:50 | Fix typo in curve comment: P224r2 -> P224t1 | ||
| 0327bf4b | 2025-03-24 13:07:04 | Explicitly pass group generator to mul_double_nonct() from EC_POINT_mul(). EC_POINT_mul() has a complex multi-use interface - there are effectively three different ways it will behave, depending on which arguments are NULL. In the case where we compute g_scalar * generator + p_scalar * point, the mul_double_nonct() function pointer is called, however only g_scalar, p_scalar and point are passed - it is expected that the lower level implementation (in this case ec_wnaf_mul()) will use the generator from the group. Change mul_double_nonct(), ec_mul_double_nonct() and ec_wnaf_mul() so that they take scalar1, point1, scalar2 and point2. This removes all knowledge of g_scalar and the generator from the multiplication code, keeping it limited to EC_POINT_mul(). While here also consistently pass scalar then point, rather than a mix of scalar/point and point/scalar. ok tb@ | ||
| b6109242 | 2025-03-24 12:49:13 | Check group generator in EC_POINT_mul(). When a non-NULL generator scalar is passed to EC_POINT_mul(), the group's generator will be used in multiplication. Add a check that ensures that the group generator is non-NULL, in order to avoid needing to handle this elsewhere (currently in the lower level point multiplication code). ok tb@ | ||
| cd5e1e4f | 2025-03-13 10:39:51 | pkey_ec_derive: fix call to ECDH_compute_key() The last argument is a pointer to the KDF, so use NULL, not 0. | ||
| 17d1f055 | 2025-03-13 10:31:12 | Simplify field and private key encoding Reach into the group (p and order are always available) and use BN_num_bytes() rather than using clumsy and badly named API. It's shorter and more readable. ok jsing | ||
| 8d6481d6 | 2025-03-10 08:38:11 | ec.h: remove last SunPro pragmas With the removal of the EC_POINTs_* API, this header features no arrays anymore, so this noise can go away. ok miod | ||
| a7da245c | 2025-03-09 17:53:11 | Disambiguate curve comments There are three "X9.62 curve over a 239 bit prime field" and the Brainpool curves are a pair for each field size thanks to their characteristic twist. Just include the curve name for each of the curves. discussed with jsing | ||
| b18dd49f | 2025-03-09 15:42:19 | Remove EC_POINTs_* API And another one... Completely overengineered for the sake of academic credentials and only Ruby ever picked this garbage up. Fortunately, it's no longer used with LibreSSL since we defanged this in 2018. The latest version of ruby/openssl has completely removed this as part of their post 1.0.x cleanup. ok jsing | ||
| f33f69e5 | 2025-03-09 15:39:39 | Remove Jprojective_coordinates API There goes another implementation detail that should never have been leaked out of the library. ok jsing | ||
| 8b8bb845 | 2025-03-09 15:37:31 | Unexport EC_GROUP_*precompute_mult() These have been noops for a while and as usual some Perl module was the only thing "using" it. ok jsing | ||
| aa0f83d7 | 2025-03-09 15:35:40 | Unexport EC_GROUP_copy() Without EC_GROUP_new(), this API is useless. There's EC_GROUP_dup(). ok jsing | ||
| 0b03bf13 | 2025-03-09 15:33:35 | Unexport EC_METHOD and all API using it This is an implementation detail and there is no reason to leak it from the library. This removes EC_GFp_{mont,simple}_method(), EC_GROUP_{method_of,new}(), EC_METHOD_get_field_type(), EC_POINT_method_of() from the public API. EC_GROUP_copy() is now quite useless, so it will go as well. ok jsing | ||
| 6065620d | 2025-02-18 06:31:10 | pkey_ec_derive(): simplify keylen calculation ok jsing | ||
| 715c64a6 | 2025-02-13 11:19:49 | ec_mont_group_set_curve: convert to BN_MONT_CTX_create() and simplify This removes the penultimate internal call of BN_MONT_CTX_new(). The last one could be removed at the cost of introducing a BN_MONT_CTX_dup(), which probably isn't worth it. ok jsing | ||
| 515aa502 | 2025-01-25 17:59:44 | Remove #error if OPENSSL_NO_FOO is defined discussed with jsing | ||
| 6d90e046 | 2025-01-25 13:15:21 | Garbage collect field_type member of the EC methods ok jsing | ||
| a9bbc4f7 | 2025-01-25 13:13:57 | Promote a few functions from EC API to garbage bin EC_GROUP_method_of() and EC_METHOD_get_field_type() were only ever used chained together as a convoluted means to retrieve the field type of a group. This is no longer useful since the answer will always be NID_X9_62_prime_field. EC_POINT_method_of(), EC_GROUP{,_have}_precompute_mult(): exposed by one of those expose-everything perl XS modules. ok jsing | ||
| 363913fa | 2025-01-25 10:37:50 | Remove now unused internal ec_group_get_field_type() ok jsing | ||
| 46639ee8 | 2025-01-25 10:36:50 | Remove calls to ec_group_get_field_type() from EC_GROUP_cmp() ok jsing | ||
| ff0b5b20 | 2025-01-25 10:34:36 | Make EC_KEY_precompute_mult() return 1 directly This hasn't done anything in a long time. Only dovecot uses an unchecked call to this. With this we can remove EC_GROUP_precompute_mult(). ok jsing | ||
| c2649b15 | 2025-01-25 10:30:17 | Simplify ecpk_print_explicit_parameters() At this point the NID is always NID_X9_62_prime_field, so we can use SN_X9_62_prime_field directly rather than getting the field type from the method and then converting the nid to an sn with OBJ_nid2sn(). ok jsing | ||
| 9453f7aa | 2025-01-25 10:27:58 | Simplify ec_asn1_group2fieldid() The field_type is always NID_X9_62_prime_field, no need to encode and retrieve this from the group method. ok jsing | ||
| c383f79c | 2025-01-22 12:54:40 | Use simpler (if a bit weird) dup instead of new + copy ok jsing | ||
| 1447fb01 | 2025-01-22 09:56:58 | Remove the mul_generator_ct function pointer from EC_METHOD. There's no need for a separate mul_generator_ct() function pointer - we really only need mul_single_ct() and mul_double_nonct(). And rather than calling ec_mul_ct() and having it figure out which point to use, explicitly pass the generator point when calling mul_single_ct(). ok tb@ | ||
| ba47179b | 2025-01-21 17:01:25 | EC_GROUP_check(): use accessor rather than reaching into the group The API will be removed soon. This prepares moving it to its only consumer. | ||
| 728db599 | 2025-01-17 11:11:27 | Replace the remaining group->meth->field_{mul,sqr} These somehow escaped a prior pass. | ||
| d6f80948 | 2025-01-17 10:54:03 | ecp_methods: remove p = group->p indirection This helped a bit with readability when we needed to do &group->p, but now that's no longer needed. discussed with jsing | ||
| f6116716 | 2025-01-17 10:41:31 | ecp_methods: rework field_{mul,sqr}() handling Add wrapper functions that call the methods so that we can get rid of inconsistent use of ugly function pointers with massively overlong lines and other ways of reaching into the methods. ok jsing | ||
| c852d338 | 2025-01-11 21:20:39 | Fix another awful comment in ec_point_cmp() | ||
| f30d1591 | 2025-01-11 21:13:21 | Align vertical backslashes in a macro | ||
| 7b995231 | 2025-01-11 21:07:25 | ec_point_cmp: tidy up an ugly comment | ||
| ca57bd65 | 2025-01-11 20:57:03 | ec_key_gen() is unused outside ec_key.c, so make it static | ||
| 316bbdac | 2025-01-11 20:55:08 | Move EC_KEY_METHOD_DYNAMIC next to the two methods using it Only EC_KEY_METHOD_{new,free}() need to know about this flag, so make that more obvious. | ||
| 989de271 | 2025-01-11 15:32:36 | Remove a weird comment | ||
| 4fb59ff9 | 2025-01-11 15:26:07 | Rename the is_on_curve() method to point_is_on_curve() Rename ec_is_on_curve() to ec_point_is_on_curve() and ec_cmp() to ec_point_cmp(). | ||
| bbf457e4 | 2025-01-11 15:20:23 | Move is_on_curve() and (point) cmp() up These were in the middle of the methods responsible for curve operations, which makes little sense. | ||
| 69100aa7 | 2025-01-11 15:02:42 | Move compressed coordinate setting into public API Now that it is method-agnostic, we can remove the method and move the implementation to the body of the public API function. And another method goes away. We're soon down to the ones we really need. discussed with jsing | ||
| 9868a3fe | 2025-01-11 14:53:46 | Rework ec_point_set_compressed_coordinates() While this is nicely done, it is a bit too clever. We can do the calculation in the normal domain rather than the Montgomery domain and this way the method becomes method agnostic. This will be a bit slower but since a couple of field operations are nothing compared to the cost of BN_mod_sqrt() this isn't a concern. ok jsing | ||
| 44d65b39 | 2025-01-11 14:48:20 | Move ec_points_make_affine() to the right place discussed with jsing | ||
| c21af703 | 2025-01-11 14:38:57 | Move the EC_POINTs API into the garbage bin | ||
| 9581610f | 2025-01-11 13:58:31 | Neuter the EC_POINTs_* API EC_POINTs_mul() was only ever used by Ruby and they stopped doing so for LibreSSL when we incorporated the constant time multiplication work of Brumley et al and restricted the length of the points array to 1, making this API effectively useless. The only real reason you want to have an API to calculate \sum n_i P_i is for ECDSA where you want m * G + n * P. Whether something like this needs to be in the public API is doubtful. EC_POINTs_make_affine() is an implementation detail of EC_POINTs_mul(). As such it never really belonged into the public API. ok jsing | ||
| 830575bd | 2025-01-11 13:41:17 | Remove a pointless check about Z == 1 ok jsing | ||
| 07ff836a | 2025-01-11 13:38:42 | Inline ec_point_make_affine() in the public API Whatever the EC_METHOD, this will always be equivalent to getting and setting the affine coordinates, so this needs no dedicated method. Also, this is a function that makes no real sense since a caller should never need to care about this... As always, our favorite language bindings thought they might have users who care. This time it's Ruby and Perl. ok jsing | ||
| e0bc670b | 2025-01-09 11:35:46 | ec_lib.c: zap stray empty line at end of file | ||
| 742574bf | 2025-01-09 06:51:11 | check_discriminant: make the assumptions on p, a, b more explicit requested by jsing | ||
| f0238de6 | 2025-01-07 08:52:17 | Remove stale comment about methods and members | ||
| a537a13e | 2025-01-07 08:30:52 | Check discriminant directly in EC_GROUP_set_discriminant() After possibly decoding a and b in EC_GROUP_get_curve(), this is a pure calculation in GFp and as such doesn't make use of any method-specifics. Let's perform this calculation directly in the public API implementation rather than redirecting through the methods and remove yet another method handler. ok jsing | ||
| c9edc1b9 | 2025-01-06 19:23:25 | ec_lib: create a garbage bin at the end, throw Jprojective stuff in there | ||
| de420f14 | 2025-01-06 18:43:27 | Inline the last two uses of ec_mont_group_clear() | ||
| 5e6e829d | 2025-01-06 14:34:47 | group_copy() is no longer a thing... | ||
| be018b2c | 2025-01-06 14:29:33 | Remove get_order_bits() and get_degree() methods The degree made some sense when EC2M was a thing in libcrypto. Fortunately that's not the case anymore. The order handler never made sense. ok jsing | ||
| cb86d051 | 2025-01-06 14:25:10 | More dest -> dst renaming missed in previous requested by jsing | ||
| 428f68d0 | 2025-01-06 14:24:12 | Rename dest into dst requested by jsing | ||
| 2ab5ac8d | 2025-01-06 14:22:55 | Inline the copy handlers in EC_GROUP_copy() This is another bit of indirection that makes this code so hard to follow. ok jsing | ||
| 549c4806 | 2025-01-06 14:10:32 | Use a slightly more sensible order in ec_local.h | ||
| 1cc088a1 | 2025-01-06 12:36:41 | Revise comments to note that these are Jacobian projective coordinates. | ||
| a680ff0c | 2025-01-06 12:35:14 | Remove indirection for coordinate blinding. This is usually method specific, so remove the indirection and call the appropriate blinding function directly. ok tb@ | ||
| 1c80ffcf | 2025-01-06 11:59:02 | Stop caching one in the Montgomery domain This is only used by ec_points_make_affine(), which is only used by the wNAF multiplication, which is only used by ECDSA. We can afford computing that one once per ECDSA verification given the cost of the rest of this. Thus, the field_set_to_one() member disappears from the EC_METHOD and the mont_one member disappears from EC_GROUP and with it all the complications when setting/copying/freeing the group. ok jsing | ||
| e2762cb6 | 2025-01-06 10:56:46 | Prepare removal accessors for Jprojective coordinates That the BN-driven EC code uses Jacobian projective coordinates as an optimization is an implementation detail. As such this should never have leaked out of the library as part of the public API. No consumer should ever care and if they do they're doing it wrong. The only port that cares is one of those stupid little perl modules that expose all the things and transform terrible OpenSSL regress tests into similarly horrible Perl. In practice, only affine coordinates matter (perhaps in compressed form). This prunes two more function pointers from EC_GROUP and prepares the removal of the field_set_to_one() method which is now only used in ec_points_make_affine(). ok jsing sthen | ||
| 3c2cb882 | 2025-01-05 16:07:08 | Move BIGNUMs in EC_GROUP and EC_POINT to the heap The only way to get an EC_GROUP or an EC_POINT is by calling the relevant _new() function and to get rid of it, something must call _free(). Thus we can establish the invariant that every group has Weierstrass coefficients p, a, b as well as order and cofactor hanging off it. Similarly, every point has allocated BIGNUMs for its Jacobian projective coordinates. Unfortunately, a group has the generator as an optional component in addition to seed and montgomery context/one (where optionality makes more sense). This is a mostly mechanical diff and only drops a few silly comments and a couple of unnecessary NULL checks since in our part of the world the word invariant has a meaning. This should also appease Coverity who likes to throw fits at calling BN_free() for BIGNUM on the stack (yes, this is actually a thing). ok jsing | ||
| 21084e45 | 2025-01-01 10:01:31 | Garbage collect .group_finish() There is only one caller, EC_GROUP_free(), so inline the relevant free calls there and dispose of a few layers of indirection. ok jsing | ||
| a78ce0cc | 2025-01-01 09:57:02 | Garbage collect .group_init() For both in-tree methods these are just complicated ways of zeroing part of the group object. The group is allocated with calloc(), so it's all entirely pointless. ok jsing | ||
| dc1dde04 | 2025-01-01 09:31:05 | Use the shorthand p rather than &group->p in one more place | ||
| 116d34ff | 2024-12-24 18:33:24 | Remove disabled code supporting elliptic curves of small order ok jsing | ||
| 3d8e7e8c | 2024-12-19 21:05:46 | ec_mult: use 1ULL to avoid C4334 warning on Visual Studio The shift is between 0 and 5 bits, so it doesn't matter, but VS is short for very st...ubborn as are its users when it comes to reporting non-issues | ||
| f8810940 | 2024-12-16 06:11:26 | Simplify ec_point_to_octets() This had an extra dance to allow a NULL output buffer. The plan was to use this in i2o_ECPublicKey() to preserve the behavior of avoiding an allocation if out == NULL. However, when I rewrote the latter I punted on preserving that complication, as it was already batshit crazy enough. Thus, remove said dance and make ec_point_to_octets() cleaner. ok jsing | ||
| 823dae7d | 2024-12-12 10:02:00 | Rewrite a comment to use p rather than q | ||
| 3fd2f05c | 2024-12-12 10:00:15 | Rename group->field to group->p Now that we only do curves over GF(p) fields, there's no need to use a weird, confusing name for what we usually call p. Adjust some comments in the vicinity as well. | ||
| 4ccb4605 | 2024-12-07 13:49:43 | ec_mult: forgot to make one helper static | ||
| 08f8d319 | 2024-12-07 13:32:07 | Move initialization of sign out of the middle of bits handling | ||
| 9d4c47a8 | 2024-12-06 15:49:37 | Rename ec_wNAF_mul() to ec_wnaf_mul() discussed with jsing | ||
| 2380456e | 2024-12-06 15:39:59 | ec_mult: manage wNAF data in a struct This refactors the wNAF multiplication further and introduces a small API that manages the wNAF digits for bn and the multiples of digit * point in a single struct that is initialized and freed in two API calls in the main function, ec_wNAF_mul(). This way the main algorithm is no longer cluttered with logic to keep various arrays in sync, helper functions calculating the wNAF splitting of bn and multiples of the point do not need to deal with memory management, and a pair of accessors obviates previously missing bounds checking. At this point we have reached a relatively clean and straightforward wNAF implementation that fits precisely the purpose needed in libcrypto, i.e., ECDSA verification instead of being generalized and optimized to the max for no good reason apart from endowing the author with an academic degree. Popper's famous maxim "if you can't say it clearly, keep quiet, and keep working until you can" very much applies to code as well. In other words, shut up and hack (and don't pour too much energy into commit messages, tb). ok jsing | ||
| ce5fd5cb | 2024-12-06 05:13:35 | ec_asn1: update a comment to match reality | ||
| c9c3f1d6 | 2024-12-06 04:35:03 | Set nid on group decoded from EC parameters We match curve parameters against the builtin curves and only accept them if they're encoding a curve known to us. After getting rid of the wtls curves, some of which used to coincide with secp curves (sometimes the wrong ones), the nid is unambiguous. Setting the nid has no direct implications on the encoding. This helps ssh avoid doing ugly computations during the key exchange for PEM keys using this encoding. ok djm joshua jsing | ||
| 04521d92 | 2024-12-04 09:50:52 | Annotate WTLS7 as being wrong This should really have been using SECP 160R2, not SECP 160R1. Of course this means in particular that nobody ever used this curve, at least not against another implementation than OpenSSL. Quasi-monocultures are poisonous whether the monopolist is benevolent and competent or not. | ||
| 9da94e6d | 2024-11-30 21:09:59 | Inline trivial EC point methods Like most of the "group" methods these are shared between Montgomery curves and simple curves. There's no point in five methods hanging off the EC_METHODS struct when they can just as well be inlined in the public API. It makes all files involved shorter... ok jsing | ||
| 970efd76 | 2024-11-30 16:34:34 | Get BNs Z coordinates from the BN_CTX While there likely won't be enough BNs already available in the ctx, and thus it won't greatly reduce the amount of allocated BNs, it simplifies the exit path quite a bit. review feedback from jsing | ||
| adc6938b | 2024-11-30 16:18:01 | Improve ec_points_make_affine() It is unclear how the original code was supposed to work. It clearly missed a few corner cases (like handling points at infinity correctly) and the badly mangled comment that was supposed to display a binary search tree didn't help at all. Instead do something much more straightforward: multiply all the non-zero Z coordinates of the points not at infinity together, keeping track of the intermediate products. Then do a single expensive modular inversion before working backwards to compute all the inverses. Then the transformation from Jacobian coordinates to affine coordinates (x, y, z) -> (x/z^2, y/z^3, 1) becomes cheap. A little bit of care has to be taken for Montgomery curves but that's very simple compared to the mess that was there before. ok jsing This is a cleaned up version of: commit 0fe73d6c3641cb175871463bdddbbea3ee0b62ae Author: Bodo Moeller <bodo@openssl.org> Date: Fri Aug 1 17:18:14 2014 +0200 Simplify and fix ec_GFp_simple_points_make_affine (which didn't always handle value 0 correctly). Reviewed-by: emilia@openssl.org | ||
| b87827a7 | 2024-11-25 06:51:39 | Unify checking for the asn1_flag There are only two flag values that libcrypto understands and the default value is 1 while, helpfully, the undesirable non-default is 0. The few existing callers set OPENSSL_EC_NAMED_CURVE or OPENSSL_EC_EXPLICIT_CURVE. Nevertheless, the flag should be checked properly as a flag. The recent upstream checks for EC_GROUP_get_asn1_flag(group) == OPENSSL_EC_NAMED_CURVE don't look right either... ok jsing | ||
| e70a400b | 2024-11-24 10:12:05 | Disable small builtin curves This disables all the curves over fields < 224 bits and a few others. Specifically: SECG: 112r1 112r2 128r1 128r2 160k1 160r1 160r2 192k1 192r1 192v{1,2,3} WTLS: 6 7 8 9 12 Brainpool: P160r1 P160t1 P192r1 P192t1 These are below or at the limit of what is acceptable nowadays. This is less aggressive than what some enterprise linux distributions are using in their patched OpenSSL versions where everything over fields < 256 bits is disabled with the exception of P-224, so interoperability should not be a problem. The curves are left in the tree for now and can be re-enabled by compiling libcrypto with -DENABLE_SMALL_CURVES. They will be fully removed later. One nice benefit of doing this is that the incorrect parameters for WTLS 7 are fixed (obviously nobody uses this one) and now all the builtin curves have a unique corresponding OID (nid). Something like this was suggested a while back by beck, makes sense to sthen ok jsing | ||
| 846d7a9a | 2024-11-23 12:56:31 | Further refactoring of the wNAF code The big change is that the "rows" are no longer slices of val[] but that they actually own the points they contain. The price for this is an extra allocation for val[] and to piece it together from the two rows. That's ugly, but less ugly than before. Add a helper for freeing a row of points. It can deal with a NULL row, so we can remove a couple of complications. The second change is that the logic for preparing the rows is pulled back into ec_wNAF_mul(). This way the m * G + n * P logic is in the one function that needs to know about it, the rest just deals with a pair of a point and a scalar. This starts resembling actual code... ok jsing | ||
| f6177fef | 2024-11-23 07:37:21 | Drop bn is zero special case This is a corner case that isn't really of interest. We're making a few calculations that don't really hurt, but it's super cheap, so one more complication bites the dust. ok jsing | ||
| 360ab434 | 2024-11-23 07:33:26 | Further simplify after dropping wNAF modification We can now turn the for loop into a proper for loop for which there is obviously no out of bounds access. The length can be determined up front and it's easier to explain what's going on, so expand a few comments. ok jsing | ||
| ff030d81 | 2024-11-23 07:28:57 | Ditch the wNAF modification This is another micro optimization that introduces needless complications for the sake of saving a few cycles. Specifically, by ditching the rule defining the wNAF representation (at most one of w+1 consecutive digits is non-zero) for the topmost digits, one can sometimes save a few digits at the cost of crazy loop conditions and other weirdness. That's not worth it. ok jsing | ||
| 57573e5d | 2024-11-22 17:27:05 | Comment tweak from jsing with another tweak by me | ||
| 007a51dc | 2024-11-22 17:08:13 | Stop using BIGNUM internals, add some clarifying comments ok jsing | ||
| fb282802 | 2024-11-22 16:27:46 | Rewrite the crazy while loop into a for loop It's still horrible, but slightly less so... ok jsing | ||
| 9a8e114f | 2024-11-22 16:17:36 | First pass over compute_wNAF() This streamlines this mess and adapts the API better to its only caller. Nothing much going on here, except that we drop confusing checks and unhelpful comment, thereby making the algorithm more cleanly visible. ok jsing | ||
| 0716b503 | 2024-11-22 15:21:14 | Swap the order of m and n in ec_wNAF_precompute() This matches the ec_wNAF_mul() API better ok jsing | ||
| 5186b6f3 | 2024-11-22 14:59:40 | Split two helpers out of ec_wNAF_mul() As its name indicates, the first, ec_compute_odd_multiples(), fills point, 3 * point, 5 * point, ..., (2 * len - 1) * point into row[]. In fact, it first computes doubled = 2 * point and then goes on to set row[i] = row[i - 1] + doubled. That's straightforward enough. One change here is that this helper allocates row[i] on the fly rather than preallocating the entire array of points up front. The second piece is the actual precomputation, ec_wNAF_precompute(). It first computes the wNAF digits of the two scalars n and m (in this order for now) with appropriate window size and length. Then the above mentioned val[] array is allocated and populated with odd multiples of point and generator. Finally, all points in val[] are made affine in a single step, which means we only need one modular inversion, and this then allows us to take fast paths in all the computations in the one remaining loop in ec_wNAF_mul(). ok jsing | ||
| 49eaabcd | 2024-11-22 12:14:41 | Rename curve_name into nid This used to be the case until they were given a 'more meaningful name' about 20 years ago. We can't fix the public API, but I'm tired of being confused by this nonsense. | ||
| f53a251a | 2024-11-22 12:01:14 | Use OPENSSL_EC_EXPLICIT_CURVE rather than 0 | ||
| 4b70f32a | 2024-11-22 00:54:42 | Garbage collect the now unused totalnum | ||
| aba3a0f2 | 2024-11-22 00:52:39 | Move wNAF[], wNAF_len[], wsize[] to the stack Again, we know their sizes (always 2), so we can avoid allocating and freeing them. Also remove the extra "pivot" element. It's not needed. ok djm | ||
| 23230adb | 2024-11-22 00:15:38 | Change 0 - digit to -digit pointed out by jsing | ||
| 71532873 | 2024-11-22 00:14:36 | Rename val_sub[] into row[] and move it to the stack ok djm | ||
| b6d9506b | 2024-11-21 15:03:56 | ec_wNAF_mul(): lose two levels of indentation This makes the mess a bit more readable. ok jsing |