grpc 1.24.0 → 1.25.0

data/third_party/boringssl/crypto/fipsmodule/ec/simple_mul.c

@@ -0,0 +1,84 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/ec.h>
+
+#include <assert.h>
+
+#include "internal.h"
+#include "../bn/internal.h"
+#include "../../internal.h"
+
+
+void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r,
+                     const EC_RAW_POINT *p, const EC_SCALAR *scalar) {
+  // This is a generic implementation for uncommon curves that not do not
+  // warrant a tuned one. It uses unsigned digits so that the doubling case in
+  // |ec_GFp_mont_add| is always unreachable, erring on safety and simplicity.
+
+  // Compute a table of the first 32 multiples of |p| (including infinity).
+  EC_RAW_POINT precomp[32];
+  ec_GFp_simple_point_set_to_infinity(group, &precomp[0]);
+  ec_GFp_simple_point_copy(&precomp[1], p);
+  for (size_t j = 2; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
+    if (j & 1) {
+      ec_GFp_mont_add(group, &precomp[j], &precomp[1], &precomp[j - 1]);
+    } else {
+      ec_GFp_mont_dbl(group, &precomp[j], &precomp[j / 2]);
+    }
+  }
+
+  // Divide bits in |scalar| into windows.
+  unsigned bits = BN_num_bits(&group->order);
+  int r_is_at_infinity = 1;
+  for (unsigned i = bits - 1; i < bits; i--) {
+    if (!r_is_at_infinity) {
+      ec_GFp_mont_dbl(group, r, r);
+    }
+    if (i % 5 == 0) {
+      // Compute the next window value.
+      const size_t width = group->order.width;
+      uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 4;
+      window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 3;
+      window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 2;
+      window |= bn_is_bit_set_words(scalar->words, width, i + 1) << 1;
+      window |= bn_is_bit_set_words(scalar->words, width, i);
+
+      // Select the entry in constant-time.
+      EC_RAW_POINT tmp;
+      OPENSSL_memset(&tmp, 0, sizeof(EC_RAW_POINT));
+      for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
+        BN_ULONG mask = constant_time_eq_w(j, window);
+        ec_felem_select(group, &tmp.X, mask, &precomp[j].X, &tmp.X);
+        ec_felem_select(group, &tmp.Y, mask, &precomp[j].Y, &tmp.Y);
+        ec_felem_select(group, &tmp.Z, mask, &precomp[j].Z, &tmp.Z);
+      }
+
+      if (r_is_at_infinity) {
+        ec_GFp_simple_point_copy(r, &tmp);
+        r_is_at_infinity = 0;
+      } else {
+        ec_GFp_mont_add(group, r, r, &tmp);
+      }
+    }
+  }
+  if (r_is_at_infinity) {
+    ec_GFp_simple_point_set_to_infinity(group, r);
+  }
+}
+
+void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
+                          const EC_SCALAR *scalar) {
+  ec_GFp_mont_mul(group, r, &group->generator->raw, scalar);
+}

data/third_party/boringssl/crypto/fipsmodule/ec/util.c

@@ -18,6 +18,7 @@
 
 #include "internal.h"
 
+
 // This function looks at 5+1 scalar bits (5 current, 1 adjacent less
 // significant bit), and recodes them into a signed digit for use in fast point
 // multiplication: the use of signed rather than unsigned digits means that
@@ -43,13 +44,13 @@
 //     of a nonnegative integer (b_k in {0, 1}), rewrite it in digits 0, 1, -1
 //     by using bit-wise subtraction as follows:
 //
-//        b_k b_(k-1)  ...  b_2  b_1  b_0
-//      -     b_k      ...  b_3  b_2  b_1  b_0
-//       -------------------------------------
-//        s_k b_(k-1)  ...  s_3  s_2  s_1  s_0
+//        b_k     b_(k-1)  ...  b_2  b_1  b_0
+//      -         b_k      ...  b_3  b_2  b_1  b_0
+//       -----------------------------------------
+//        s_(k+1) s_k      ...  s_3  s_2  s_1  s_0
 //
 //     A left-shift followed by subtraction of the original value yields a new
-//     representation of the same value, using signed bits s_i = b_(i+1) - b_i.
+//     representation of the same value, using signed bits s_i = b_(i-1) - b_i.
 //     This representation from Booth's paper has since appeared in the
 //     literature under a variety of different names including "reversed binary
 //     form", "alternating greedy expansion", "mutual opposite form", and
@@ -73,7 +74,7 @@
 // (1961), pp. 67-91), in a radix-2^5 setting.  That is, we always combine five
 // signed bits into a signed digit:
 //
-//       s_(4j + 4) s_(4j + 3) s_(4j + 2) s_(4j + 1) s_(4j)
+//       s_(5j + 4) s_(5j + 3) s_(5j + 2) s_(5j + 1) s_(5j)
 //
 // The sign-alternating property implies that the resulting digit values are
 // integers from -16 to 16.
@@ -81,14 +82,164 @@
 // Of course, we don't actually need to compute the signed digits s_i as an
 // intermediate step (that's just a nice way to see how this scheme relates
 // to the wNAF): a direct computation obtains the recoded digit from the
-// six bits b_(4j + 4) ... b_(4j - 1).
+// six bits b_(5j + 4) ... b_(5j - 1).
 //
-// This function takes those five bits as an integer (0 .. 63), writing the
+// This function takes those six bits as an integer (0 .. 63), writing the
 // recoded digit to *sign (0 for positive, 1 for negative) and *digit (absolute
-// value, in the range 0 .. 8).  Note that this integer essentially provides the
-// input bits "shifted to the left" by one position: for example, the input to
-// compute the least significant recoded digit, given that there's no bit b_-1,
-// has to be b_4 b_3 b_2 b_1 b_0 0.
+// value, in the range 0 .. 16).  Note that this integer essentially provides
+// the input bits "shifted to the left" by one position: for example, the input
+// to compute the least significant recoded digit, given that there's no bit
+// b_-1, has to be b_4 b_3 b_2 b_1 b_0 0.
+//
+// DOUBLING CASE:
+//
+// Point addition formulas for short Weierstrass curves are often incomplete.
+// Edge cases such as P + P or P + ∞ must be handled separately. This
+// complicates constant-time requirements. P + ∞ cannot be avoided (any window
+// may be zero) and is handled with constant-time selects. P + P (where P is not
+// ∞) usually is not. Instead, windowing strategies are chosen to avoid this
+// case. Whether this happens depends on the group order.
+//
+// Let w be the window width (in this function, w = 5). The non-trivial doubling
+// case in single-point scalar multiplication may occur if and only if the
+// 2^(w-1) bit of the group order is zero.
+//
+// Note the above only holds if the scalar is fully reduced and the group order
+// is a prime that is much larger than 2^w. It also only holds when windows
+// are applied from most significant to least significant, doubling between each
+// window. It does not apply to more complex table strategies such as
+// |EC_GFp_nistz256_method|.
+//
+// PROOF:
+//
+// Let n be the group order. Let l be the number of bits needed to represent n.
+// Assume there exists some 0 <= k < n such that signed w-bit windowed
+// multiplication hits the doubling case.
+//
+// Windowed multiplication consists of iterating over groups of s_i (defined
+// above based on k's binary representation) from most to least significant. At
+// iteration i (for i = ..., 3w, 2w, w, 0, starting from the most significant
+// window), we:
+//
+//  1. Double the accumulator A, w times. Let A_i be the value of A at this
+//     point.
+//
+//  2. Set A to T_i + A_i, where T_i is a precomputed multiple of P
+//     corresponding to the window s_(i+w-1) ... s_i.
+//
+// Let j be the index such that A_j = T_j ≠ ∞. Looking at A_i and T_i as
+// multiples of P, define a_i and t_i to be scalar coefficients of A_i and T_i.
+// Thus a_j = t_j ≠ 0 (mod n). Note a_i and t_i may not be reduced mod n. t_i is
+// the value of the w signed bits s_(i+w-1) ... s_i. a_i is computed as a_i =
+// 2^w * (a_(i+w) + t_(i+w)).
+//
+// t_i is bounded by -2^(w-1) <= t_i <= 2^(w-1). Additionally, we may write it
+// in terms of unsigned bits b_i. t_i consists of signed bits s_(i+w-1) ... s_i.
+// This is computed as:
+//
+//         b_(i+w-2) b_(i+w-3)  ...  b_i      b_(i-1)
+//      -  b_(i+w-1) b_(i+w-2)  ...  b_(i+1)  b_i
+//       --------------------------------------------
+//   t_i = s_(i+w-1) s_(i+w-2)  ...  s_(i+1)  s_i
+//
+// Observe that b_(i+w-2) through b_i occur in both terms. Let x be the integer
+// represented by that bit string, i.e. 2^(w-2)*b_(i+w-2) + ... + b_i.
+//
+//   t_i = (2*x + b_(i-1)) - (2^(w-1)*b_(i+w-1) + x)
+//       = x - 2^(w-1)*b_(i+w-1) + b_(i-1)
+//
+// Or, using C notation for bit operations:
+//
+//   t_i = (k>>i) & ((1<<(w-1)) - 1) - (k>>i) & (1<<(w-1)) + (k>>(i-1)) & 1
+//
+// Note b_(i-1) is added in left-shifted by one (or doubled) from its place.
+// This is compensated by t_(i-w)'s subtraction term. Thus, a_i may be computed
+// by adding b_l b_(l-1) ... b_(i+1) b_i and an extra copy of b_(i-1). In C
+// notation, this is:
+//
+//   a_i = (k>>(i+w)) << w + ((k>>(i+w-1)) & 1) << w
+//
+// Observe that, while t_i may be positive or negative, a_i is bounded by
+// 0 <= a_i < n + 2^w. Additionally, a_i can only be zero if b_(i+w-1) and up
+// are all zero. (Note this implies a non-trivial P + (-P) is unreachable for
+// all groups. That would imply the subsequent a_i is zero, which means all
+// terms thus far were zero.)
+//
+// Returning to our doubling position, we have a_j = t_j (mod n). We now
+// determine the value of a_j - t_j, which must be divisible by n. Our bounds on
+// a_j and t_j imply a_j - t_j is 0 or n. If it is 0, a_j = t_j. However, 2^w
+// divides a_j and -2^(w-1) <= t_j <= 2^(w-1), so this can only happen if
+// a_j = t_j = 0, which is a trivial doubling. Therefore, a_j - t_j = n.
+//
+// Now we determine j. Suppose j > 0. w divides j, so j >= w. Then,
+//
+//   n = a_j - t_j = (k>>(j+w)) << w + ((k>>(j+w-1)) & 1) << w - t_j
+//                <= k/2^j + 2^w - t_j
+//                 < n/2^w + 2^w + 2^(w-1)
+//
+// n is much larger than 2^w, so this is impossible. Thus, j = 0: only the final
+// addition may hit the doubling case.
+//
+// Finally, we consider bit patterns for n and k. Divide k into k_H + k_M + k_L
+// such that k_H is the contribution from b_(l-1) .. b_w, k_M is the
+// contribution from b_(w-1), and k_L is the contribution from b_(w-2) ... b_0.
+// That is:
+//
+// - 2^w divides k_H
+// - k_M is 0 or 2^(w-1)
+// - 0 <= k_L < 2^(w-1)
+//
+// Divide n into n_H + n_M + n_L similarly. We thus have:
+//
+//   t_0 = (k>>0) & ((1<<(w-1)) - 1) - (k>>0) & (1<<(w-1)) + (k>>(0-1)) & 1
+//       = k & ((1<<(w-1)) - 1) - k & (1<<(w-1))
+//       = k_L - k_M
+//
+//   a_0 = (k>>(0+w)) << w + ((k>>(0+w-1)) & 1) << w
+//       = (k>>w) << w + ((k>>(w-1)) & 1) << w
+//       = k_H + 2*k_M
+//
+//                 n = a_0 - t_0
+//   n_H + n_M + n_L = (k_H + 2*k_M) - (k_L - k_M)
+//                   = k_H + 3*k_M - k_L
+//
+// k_H - k_L < k and k < n, so k_H - k_L ≠ n. Therefore k_M is not 0 and must be
+// 2^(w-1). Now we consider k_H and n_H. We know k_H <= n_H. Suppose k_H = n_H.
+// Then,
+//
+//   n_M + n_L = 3*(2^(w-1)) - k_L
+//             > 3*(2^(w-1)) - 2^(w-1)
+//             = 2^w
+//
+// Contradiction (n_M + n_L is the bottom w bits of n). Thus k_H < n_H. Suppose
+// k_H < n_H - 2*2^w. Then,
+//
+//   n_H + n_M + n_L = k_H + 3*(2^(w-1)) - k_L
+//                   < n_H - 2*2^w + 3*(2^(w-1)) - k_L
+//         n_M + n_L < -2^(w-1) - k_L
+//
+// Contradiction. Thus, k_H = n_H - 2^w. (Note 2^w divides n_H and k_H.) Thus,
+//
+//   n_H + n_M + n_L = k_H + 3*(2^(w-1)) - k_L
+//                   = n_H - 2^w + 3*(2^(w-1)) - k_L
+//         n_M + n_L = 2^(w-1) - k_L
+//                  <= 2^(w-1)
+//
+// Equality would mean 2^(w-1) divides n, which is impossible if n is prime.
+// Thus n_M + n_L < 2^(w-1), so n_M is zero, proving our condition.
+//
+// This proof constructs k, so, to show the converse, let k_H = n_H - 2^w,
+// k_M = 2^(w-1), k_L = 2^(w-1) - n_L. This will result in a non-trivial point
+// doubling in the final addition and is the only such scalar.
+//
+// COMMON CURVES:
+//
+// The group orders for common curves end in the following bit patterns:
+//
+//   P-521: ...00001001; w = 4 is okay
+//   P-384: ...01110011; w = 2, 5, 6, 7 are okay
+//   P-256: ...01010001; w = 5, 7 are okay
+//   P-224: ...00111101; w = 3, 4, 5, 6 are okay
 void ec_GFp_nistp_recode_scalar_bits(uint8_t *sign, uint8_t *digit,
                                      uint8_t in) {
   uint8_t s, d;

data/third_party/boringssl/crypto/fipsmodule/ec/wnaf.c

@@ -67,13 +67,12 @@
 
 #include <openssl/ec.h>
 
+#include <assert.h>
 #include <string.h>
 
 #include <openssl/bn.h>
 #include <openssl/err.h>
-#include <openssl/mem.h>
 #include <openssl/thread.h>
-#include <openssl/type_check.h>
 
 #include "internal.h"
 #include "../bn/internal.h"
@@ -85,270 +84,144 @@
 //   http://link.springer.com/chapter/10.1007%2F3-540-45537-X_13
 //   http://www.bmoeller.de/pdf/TI-01-08.multiexp.pdf
 
-int ec_compute_wNAF(const EC_GROUP *group, int8_t *out, const EC_SCALAR *scalar,
-                    size_t bits, int w) {
+void ec_compute_wNAF(const EC_GROUP *group, int8_t *out,
+                     const EC_SCALAR *scalar, size_t bits, int w) {
   // 'int8_t' can represent integers with absolute values less than 2^7.
-  if (w <= 0 || w > 7 || bits == 0) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-    return 0;
-  }
-  int bit = 1 << w;         // at most 128
-  int next_bit = bit << 1;  // at most 256
+  assert(0 < w && w <= 7);
+  assert(bits != 0);
+  int bit = 1 << w;         // 2^w, at most 128
+  int next_bit = bit << 1;  // 2^(w+1), at most 256
   int mask = next_bit - 1;  // at most 255
 
   int window_val = scalar->words[0] & mask;
-  size_t j = 0;
-  // If j+w+1 >= bits, window_val will not increase.
-  while (window_val != 0 || j + w + 1 < bits) {
+  for (size_t j = 0; j < bits + 1; j++) {
+    assert(0 <= window_val && window_val <= next_bit);
     int digit = 0;
-
-    // 0 <= window_val <= 2^(w+1)
-
     if (window_val & 1) {
-      // 0 < window_val < 2^(w+1)
-
+      assert(0 < window_val && window_val < next_bit);
       if (window_val & bit) {
-        digit = window_val - next_bit;  // -2^w < digit < 0
+        digit = window_val - next_bit;
+        // We know -next_bit < digit < 0 and window_val - digit = next_bit.
 
-#if 1  // modified wNAF
+        // modified wNAF
         if (j + w + 1 >= bits) {
           // special case for generating modified wNAFs:
           // no new bits will be added into window_val,
           // so using a positive digit here will decrease
           // the total length of the representation
 
-          digit = window_val & (mask >> 1);  // 0 < digit < 2^w
+          digit = window_val & (mask >> 1);
+          // We know 0 < digit < bit and window_val - digit = bit.
         }
-#endif
       } else {
-        digit = window_val;  // 0 < digit < 2^w
-      }
-
-      if (digit <= -bit || digit >= bit || !(digit & 1)) {
-        OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-        return 0;
+        digit = window_val;
+        // We know 0 < digit < bit and window_val - digit = 0.
       }
 
       window_val -= digit;
 
-      // Now window_val is 0 or 2^(w+1) in standard wNAF generation;
-      // for modified window NAFs, it may also be 2^w.
-      if (window_val != 0 && window_val != next_bit && window_val != bit) {
-        OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-        return 0;
-      }
+      // Now window_val is 0 or 2^(w+1) in standard wNAF generation.
+      // For modified window NAFs, it may also be 2^w.
+      //
+      // See the comments above for the derivation of each of these bounds.
+      assert(window_val == 0 || window_val == next_bit || window_val == bit);
+      assert(-bit < digit && digit < bit);
+
+      // window_val was odd, so digit is also odd.
+      assert(digit & 1);
     }
 
-    out[j++] = digit;
+    out[j] = digit;
 
+    // Incorporate the next bit. Previously, |window_val| <= |next_bit|, so if
+    // we shift and add at most one copy of |bit|, this will continue to hold
+    // afterwards.
     window_val >>= 1;
     window_val +=
-        bit * bn_is_bit_set_words(scalar->words, group->order.width, j + w);
-
-    if (window_val > next_bit) {
-      OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-      return 0;
-    }
-  }
-
-  // Fill the rest of the wNAF with zeros.
-  if (j > bits + 1) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-    return 0;
-  }
-  for (size_t i = j; i < bits + 1; i++) {
-    out[i] = 0;
+        bit * bn_is_bit_set_words(scalar->words, group->order.width, j + w + 1);
+    assert(window_val <= next_bit);
   }
 
-  return 1;
+  // bits + 1 entries should be sufficient to consume all bits.
+  assert(window_val == 0);
 }
 
-// TODO: table should be optimised for the wNAF-based implementation,
-//       sometimes smaller windows will give better performance
-//       (thus the boundaries should be increased)
-static size_t window_bits_for_scalar_size(size_t b) {
-  if (b >= 300) {
-    return 4;
-  }
-
-  if (b >= 70) {
-    return 3;
-  }
-
-  if (b >= 20) {
-    return 2;
-  }
-
-  return 1;
-}
-
-// EC_WNAF_MAX_WINDOW_BITS is the largest value returned by
-// |window_bits_for_scalar_size|.
-#define EC_WNAF_MAX_WINDOW_BITS 4
-
-// compute_precomp sets |out[i]| to a newly-allocated |EC_POINT| containing
-// (2*i+1)*p, for i from 0 to |len|. It returns one on success and
-// zero on error.
-static int compute_precomp(const EC_GROUP *group, EC_POINT **out,
-                           const EC_POINT *p, size_t len, BN_CTX *ctx) {
-  out[0] = EC_POINT_new(group);
-  if (out[0] == NULL ||
-      !EC_POINT_copy(out[0], p)) {
-    return 0;
-  }
-
-  int ret = 0;
-  EC_POINT *two_p = EC_POINT_new(group);
-  if (two_p == NULL ||
-      !EC_POINT_dbl(group, two_p, p, ctx)) {
-    goto err;
-  }
-
+// compute_precomp sets |out[i]| to (2*i+1)*p, for i from 0 to |len|.
+static void compute_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
+                            const EC_RAW_POINT *p, size_t len) {
+  ec_GFp_simple_point_copy(&out[0], p);
+  EC_RAW_POINT two_p;
+  ec_GFp_mont_dbl(group, &two_p, p);
   for (size_t i = 1; i < len; i++) {
-    out[i] = EC_POINT_new(group);
-    if (out[i] == NULL ||
-        !EC_POINT_add(group, out[i], out[i - 1], two_p, ctx)) {
-      goto err;
-    }
+    ec_GFp_mont_add(group, &out[i], &out[i - 1], &two_p);
   }
-
-  ret = 1;
-
-err:
-  EC_POINT_free(two_p);
-  return ret;
 }
 
-static int lookup_precomp(const EC_GROUP *group, EC_POINT *out,
-                          EC_POINT *const *precomp, int digit, BN_CTX *ctx) {
+static void lookup_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
+                           const EC_RAW_POINT *precomp, int digit) {
   if (digit < 0) {
     digit = -digit;
-    return EC_POINT_copy(out, precomp[digit >> 1]) &&
-           EC_POINT_invert(group, out, ctx);
+    ec_GFp_simple_point_copy(out, &precomp[digit >> 1]);
+    ec_GFp_simple_invert(group, out);
+  } else {
+    ec_GFp_simple_point_copy(out, &precomp[digit >> 1]);
   }
-
-  return EC_POINT_copy(out, precomp[digit >> 1]);
 }
 
-int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const EC_SCALAR *g_scalar,
-                const EC_POINT *p, const EC_SCALAR *p_scalar, BN_CTX *ctx) {
-  BN_CTX *new_ctx = NULL;
-  EC_POINT *precomp_storage[2 * (1 << (EC_WNAF_MAX_WINDOW_BITS - 1))] = {NULL};
-  EC_POINT **g_precomp = NULL, **p_precomp = NULL;
-  int8_t g_wNAF[EC_MAX_SCALAR_BYTES * 8 + 1];
-  int8_t p_wNAF[EC_MAX_SCALAR_BYTES * 8 + 1];
-  EC_POINT *tmp = NULL;
-  int ret = 0;
+// EC_WNAF_WINDOW_BITS is the window size to use for |ec_GFp_mont_mul_public|.
+#define EC_WNAF_WINDOW_BITS 4
 
-  if (ctx == NULL) {
-    ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL) {
-      goto err;
-    }
-  }
+// EC_WNAF_TABLE_SIZE is the table size to use for |ec_GFp_mont_mul_public|.
+#define EC_WNAF_TABLE_SIZE (1 << (EC_WNAF_WINDOW_BITS - 1))
 
+void ec_GFp_mont_mul_public(const EC_GROUP *group, EC_RAW_POINT *r,
+                            const EC_SCALAR *g_scalar, const EC_RAW_POINT *p,
+                            const EC_SCALAR *p_scalar) {
   size_t bits = BN_num_bits(&group->order);
-  size_t wsize = window_bits_for_scalar_size(bits);
   size_t wNAF_len = bits + 1;
-  size_t precomp_len = (size_t)1 << (wsize - 1);
 
-  OPENSSL_COMPILE_ASSERT(
-      OPENSSL_ARRAY_SIZE(g_wNAF) == OPENSSL_ARRAY_SIZE(p_wNAF),
-      g_wNAF_and_p_wNAF_are_different_sizes);
+  int8_t g_wNAF[EC_MAX_BYTES * 8 + 1];
+  EC_RAW_POINT g_precomp[EC_WNAF_TABLE_SIZE];
+  assert(wNAF_len <= OPENSSL_ARRAY_SIZE(g_wNAF));
+  const EC_RAW_POINT *g = &group->generator->raw;
+  ec_compute_wNAF(group, g_wNAF, g_scalar, bits, EC_WNAF_WINDOW_BITS);
+  compute_precomp(group, g_precomp, g, EC_WNAF_TABLE_SIZE);
 
-  if (wNAF_len > OPENSSL_ARRAY_SIZE(g_wNAF) ||
-      2 * precomp_len > OPENSSL_ARRAY_SIZE(precomp_storage)) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-    goto err;
-  }
-
-  // TODO(davidben): |mul_public| is for ECDSA verification which can assume
-  // non-NULL inputs, but this code is also used for |mul| which cannot. It's
-  // not constant-time, so replace the generic |mul| and remove the NULL checks.
-  size_t total_precomp = 0;
-  if (g_scalar != NULL) {
-    const EC_POINT *g = EC_GROUP_get0_generator(group);
-    if (g == NULL) {
-      OPENSSL_PUT_ERROR(EC, EC_R_UNDEFINED_GENERATOR);
-      goto err;
-    }
-    g_precomp = precomp_storage + total_precomp;
-    total_precomp += precomp_len;
-    if (!ec_compute_wNAF(group, g_wNAF, g_scalar, bits, wsize) ||
-        !compute_precomp(group, g_precomp, g, precomp_len, ctx)) {
-      goto err;
-    }
-  }
-
-  if (p_scalar != NULL) {
-    p_precomp = precomp_storage + total_precomp;
-    total_precomp += precomp_len;
-    if (!ec_compute_wNAF(group, p_wNAF, p_scalar, bits, wsize) ||
-        !compute_precomp(group, p_precomp, p, precomp_len, ctx)) {
-      goto err;
-    }
-  }
-
-  tmp = EC_POINT_new(group);
-  if (tmp == NULL ||
-      // |window_bits_for_scalar_size| assumes we do this step.
-      !EC_POINTs_make_affine(group, total_precomp, precomp_storage, ctx)) {
-    goto err;
-  }
+  int8_t p_wNAF[EC_MAX_BYTES * 8 + 1];
+  EC_RAW_POINT p_precomp[EC_WNAF_TABLE_SIZE];
+  assert(wNAF_len <= OPENSSL_ARRAY_SIZE(p_wNAF));
+  ec_compute_wNAF(group, p_wNAF, p_scalar, bits, EC_WNAF_WINDOW_BITS);
+  compute_precomp(group, p_precomp, p, EC_WNAF_TABLE_SIZE);
 
+  EC_RAW_POINT tmp;
   int r_is_at_infinity = 1;
   for (size_t k = wNAF_len - 1; k < wNAF_len; k--) {
-    if (!r_is_at_infinity && !EC_POINT_dbl(group, r, r, ctx)) {
-      goto err;
+    if (!r_is_at_infinity) {
+      ec_GFp_mont_dbl(group, r, r);
     }
 
-    if (g_scalar != NULL) {
-      if (g_wNAF[k] != 0) {
-        if (!lookup_precomp(group, tmp, g_precomp, g_wNAF[k], ctx)) {
-          goto err;
-        }
-        if (r_is_at_infinity) {
-          if (!EC_POINT_copy(r, tmp)) {
-            goto err;
-          }
-          r_is_at_infinity = 0;
-        } else if (!EC_POINT_add(group, r, r, tmp, ctx)) {
-          goto err;
-        }
+    if (g_wNAF[k] != 0) {
+      lookup_precomp(group, &tmp, g_precomp, g_wNAF[k]);
+      if (r_is_at_infinity) {
+        ec_GFp_simple_point_copy(r, &tmp);
+        r_is_at_infinity = 0;
+      } else {
+        ec_GFp_mont_add(group, r, r, &tmp);
       }
     }
 
-    if (p_scalar != NULL) {
-      if (p_wNAF[k] != 0) {
-        if (!lookup_precomp(group, tmp, p_precomp, p_wNAF[k], ctx)) {
-          goto err;
-        }
-        if (r_is_at_infinity) {
-          if (!EC_POINT_copy(r, tmp)) {
-            goto err;
-          }
-          r_is_at_infinity = 0;
-        } else if (!EC_POINT_add(group, r, r, tmp, ctx)) {
-          goto err;
-        }
+    if (p_wNAF[k] != 0) {
+      lookup_precomp(group, &tmp, p_precomp, p_wNAF[k]);
+      if (r_is_at_infinity) {
+        ec_GFp_simple_point_copy(r, &tmp);
+        r_is_at_infinity = 0;
+      } else {
+        ec_GFp_mont_add(group, r, r, &tmp);
       }
     }
   }
 
-  if (r_is_at_infinity &&
-      !EC_POINT_set_to_infinity(group, r)) {
-    goto err;
-  }
-
-  ret = 1;
-
-err:
-  BN_CTX_free(new_ctx);
-  EC_POINT_free(tmp);
-  OPENSSL_cleanse(&g_wNAF, sizeof(g_wNAF));
-  OPENSSL_cleanse(&p_wNAF, sizeof(p_wNAF));
-  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(precomp_storage); i++) {
-    EC_POINT_free(precomp_storage[i]);
+  if (r_is_at_infinity) {
+    ec_GFp_simple_point_set_to_infinity(group, r);
   }
-  return ret;
 }