Change ecp_mul to handle Curve25519 too
diff --git a/library/ecp.c b/library/ecp.c
index 75f5b4d..08ca682 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1227,11 +1227,13 @@
}
/*
- * Multiplication using the comb method
+ * Multiplication using the comb method,
+ * for curves in short Weierstrass form
*/
-int ecp_mul( ecp_group *grp, ecp_point *R,
- const mpi *m, const ecp_point *P,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+static int ecp_mul_comb( ecp_group *grp, ecp_point *R,
+ const mpi *m, const ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
{
int ret;
unsigned char w, m_is_odd, p_eq_g, pre_len, i;
@@ -1240,28 +1242,13 @@
ecp_point *T;
mpi M, mm;
- /*
- * Sanity checks (before we even initialize anything)
- */
- if( mpi_cmp_int( &P->Z, 1 ) != 0 ||
- mpi_get_bit( &grp->N, 0 ) != 1 )
- {
- return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
- }
-
- if( ( ret = ecp_check_privkey( grp, m ) ) != 0 )
- return( ret );
-
- /* We'll need this later, but do it now to possibly avoid checking P */
- p_eq_g = ( mpi_cmp_mpi( &P->Y, &grp->G.Y ) == 0 &&
- mpi_cmp_mpi( &P->X, &grp->G.X ) == 0 );
-
- if( ! p_eq_g && ( ret = ecp_check_pubkey( grp, P ) ) != 0 )
- return( ret );
-
mpi_init( &M );
mpi_init( &mm );
+ /* we need N to be odd to trnaform m in an odd number, check now */
+ if( mpi_get_bit( &grp->N, 0 ) != 1 )
+ return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
+
/*
* Minimize the number of multiplications, that is minimize
* 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
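Review bot: The header comment of the now-static `ecp_mul_comb` should state the preconditions this hunk stops checking. The `P->Z == 1`, `ecp_check_privkey` and `ecp_check_pubkey` tests are removed from its body, so it is only safe when called after they have been done elsewhere. Suggest adding a line such as `* Caller must have checked that P is normalized (Z == 1) and that m and P are valid for grp.` to that comment. The new inline comment has a typo: `trnaform m in an odd number` should read `transform m into an odd number`. The function body starts and ends outside this hunk, so whether the early return after `mpi_init` needs to go through a cleanup path cannot be judged from here.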
@@ -1273,6 +1260,8 @@
* If P == G, pre-compute a bit more, since this may be re-used later.
* Just adding one ups the cost of the first mul by at most 3%.
*/
+ p_eq_g = ( mpi_cmp_mpi( &P->Y, &grp->G.Y ) == 0 &&
+ mpi_cmp_mpi( &P->X, &grp->G.X ) == 0 );
if( p_eq_g )
w++;
@@ -1466,11 +1455,13 @@
}
/*
- * Multiplication with Montgomery ladder in x/z coordinates
+ * Multiplication with Montgomery ladder in x/z coordinates,
+ * for curves in Montgomery form
*/
-int ecp_mul_mxz( ecp_group *grp, ecp_point *R,
- const mpi *m, const ecp_point *P,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+static int ecp_mul_mxz( ecp_group *grp, ecp_point *R,
+ const mpi *m, const ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
{
int ret;
size_t i;
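Review bot: Making `ecp_mul_mxz` `static` will clash with any non-static prototype that is still declared for it. This page shows only library/ecp.c, so it is not visible whether a header declaration existed or was removed in the same commit; if one remains, it should be dropped. As with the comb variant, the comment should say that input validation is the caller's job, for example `* Inputs are assumed to have been validated by ecp_mul().` The body of the function lies outside this hunk, so I cannot tell whether it performs any checks of its own.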
@@ -1506,6 +1497,30 @@
}
/*
+ * Multiplication R = m * P
+ */
+int ecp_mul( ecp_group *grp, ecp_point *R,
+ const mpi *m, const ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+ int ret;
+
+ /* Common sanity checks */
+ if( mpi_cmp_int( &P->Z, 1 ) != 0 )
+ return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
+
+ if( ( ret = ecp_check_privkey( grp, m ) ) != 0 ||
+ ( ret = ecp_check_pubkey( grp, P ) ) != 0 )
+ return( ret );
+
+ /* Actual multiplication aglorithm depending of curve type */
+ if( ecp_is_montgomery( grp ) )
+ return( ecp_mul_mxz( grp, R, m, P, f_rng, p_rng ) );
+ else
+ return( ecp_mul_comb( grp, R, m, P, f_rng, p_rng ) );
+}
+
+/*
* Check that a point is valid as a public key
*/
int ecp_check_pubkey( const ecp_group *grp, const ecp_point *pt )
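Review bot: The comment on the new `ecp_mul` (`Multiplication R = m * P`) does not say that this is the single place where the scalar and the point are validated. Since both helpers are now static and unchecked, that is the security-relevant contract of the function. Suggest extending it to something like `* Validates m and P (P must have Z == 1), then dispatches to the Montgomery ladder or the comb method depending on the curve type.` Note also that `ecp_check_pubkey` is now called unconditionally, where the old code skipped it when P == G. If the extra cost on generator multiplications is intended, a short comment saying so would stop someone reintroducing the shortcut in a way that bypasses the check. The inline comment `aglorithm depending of curve type` should read `algorithm depending on curve type`.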