When compiling with enable-ec_nistp_64_gcc_128, EC_GROUP_have_precompute_mult always returns 0 for the optimized curves (p256, p224, p521). This was seen on 1.0.1j and 1.0.1i; I believe it has been there since the introduction of enable-ec_nistp_64_gcc_128 a few years ago.

The root cause is that there's a common bug in:

    ec_GFp_nistp256_precompute_mult()
    ec_GFp_nistp224_precompute_mult()
    ec_GFp_nistp521_precompute_mult()

If the group given to the function is the well-known group, then it does a memcpy from gmul, and sets ret to 1. So far, this is perfectly reasonable. The bug is that then there's a "goto err", which frees the pre-computed data, and doesn't store the data into group->extra_data (that happens about 4 lines above the err label).

When calling EC_GROUP_have_precompute_mult on such groups, the code in

    ec_GFp_nistp224_have_precompute_mult()
    ec_GFp_nistp256_have_precompute_mult()
    ec_GFp_nistp521_have_precompute_mult()

checks for the existence of the precomputed data in group->extra_data, which of course isn't there, and returns false.

This doesn't have negative performance impact, as the actual mul code in

    ec_GFp_nistp224_points_mul()
    ec_GFp_nistp256_points_mul()
    ec_GFp_nistp521_points_mul()

tries to get the pre-computed data from group->extra_data, fails, but then checks if the group is the well-known group, and then uses gmul anyway.

A simple fix would be to add a new label of "done" in all 3 precompute_mult functions, just above the call to EC_EX_DATA_set_data(), and change the "goto err" to "goto done". In addition, remove the "ret = 1;" before the goto, as this will occur later on in the function. This would make it work, at the expense of increasing the memory usage of EC_GROUP, but at least would make the code consistent with other implementations, like ec_wNAF_precompute_mult.

An alternative would be to not do any memcpy in the precompute_mult if the generator is the well-known generator, and change the have_precompute_mult() to return true if the generator is the well-known generator, even if group->extra_data doesn't have any precomputed data stored.

Thanks,
David Bar

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
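
A reduced model of the control flow the report describes, with the reported path next to the first proposed fix. It is added here as an illustration and is not OpenSSL source: `toy_group_t`, `pre_comp_t`, `gmul_model`, `precompute_buggy`, `precompute_fixed` and `have_precompute` are hypothetical stand-ins, and the store into `extra_data` stands in for the EC_EX_DATA_set_data() call.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of the reported flow; every name here is hypothetical. */
typedef struct { unsigned char table[64]; } pre_comp_t;
typedef struct { int well_known; pre_comp_t *extra_data; } toy_group_t;
static const unsigned char gmul_model[64] = { 1, 2, 3 }; /* stands in for gmul */

/* As reported: the well-known-group path sets ret and jumps to err. */
int precompute_buggy(toy_group_t *g) {
    int ret = 0;
    pre_comp_t *pre = calloc(1, sizeof(*pre));
    if (pre == NULL) goto err;
    if (g->well_known) {
        memcpy(pre->table, gmul_model, sizeof(pre->table));
        ret = 1;
        goto err;                /* success reported, store skipped */
    }
    /* generic table computation would go here */
    g->extra_data = pre;         /* models EC_EX_DATA_set_data() */
    pre = NULL;
    ret = 1;
err:
    free(pre);                   /* well-known path: table freed here */
    return ret;
}

/* First fix from the report: "done" label above the store, no early ret = 1. */
int precompute_fixed(toy_group_t *g) {
    int ret = 0;
    pre_comp_t *pre = calloc(1, sizeof(*pre));
    if (pre == NULL) goto err;
    if (g->well_known) {
        memcpy(pre->table, gmul_model, sizeof(pre->table));
        goto done;
    }
    /* generic table computation would go here */
done:
    g->extra_data = pre;
    pre = NULL;
    ret = 1;
err:
    free(pre);
    return ret;
}

/* Models the have_precompute_mult check: only looks at extra_data. */
int have_precompute(const toy_group_t *g) { return g->extra_data != NULL; }
```

In the model, the buggy path returns 1 while leaving `extra_data` empty, which is the inconsistency a caller sees when precompute reports success and the have-precompute check then returns 0.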