Deleted ECC_ECDSA_VERIFY_ITCH macro. Tweak the corresponding function, and use it.

6f544435 · Niels Möller · 24c9769b · 6f544435 · 6f544435 · 6f544435
Commit 6f544435 authored Aug 28, 2014 by Niels Möller
--- a/ChangeLog
+++ b/ChangeLog
 2014-08-28  Niels Möller  <nisse@lysator.liu.se>

+	* ecc-internal.h (ECC_ECDSA_VERIFY_ITCH): Deleted macro. Needed
+	scratch depends on curve type, not just size.
+	* ecdsa-verify.c (ecdsa_verify): Use the ecc_ecdsa_verify_itch
+	function, not the corresponding macro.
+	* ecc-ecdsa-verify.c (ecc_ecdsa_verify_itch): Take ecc->mul_itch
+	into account. Also reduce to 5*ecc->size + ecc->mul_itch.
+
 	* testsuite/ecdsa-sign-test.c (test_main): Added test for the
 	obscure case of ecdsa using curve25519.


--- a/ecc-ecdsa-verify.c
+++ b/ecc-ecdsa-verify.c
@@ -62,9 +62,8 @@ ecdsa_in_range (const struct ecc_curve *ecc, const mp_limb_t *xp)
 mp_size_t
 ecc_ecdsa_verify_itch (const struct ecc_curve *ecc)
 {
-  /* Largest storage need is for the ecc_mul_a call, 6 * ecc->size +
-     ECC_MUL_A_ITCH (size) */
-  return ECC_ECDSA_VERIFY_ITCH (ecc->size);
+  /* Largest storage need is for the ecc->mul call. */
+  return 5*ecc->size + ecc->mul_itch;
 }

 /* FIXME: Use faster primitives, not requiring side-channel silence. */
@@ -113,7 +112,7 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc,
  /* u2 = r / s, P2 = u2 * Y */
  ecc_modq_mul (ecc, u2, rp, sinv);

-   /* Total storage: 5*ecc->size + ECC_MUL_A_ITCH (ecc->size) */
+   /* Total storage: 5*ecc->size + ecc->mul_itch */
  ecc_mul_a (ecc, P2, u2, pp, u2 + ecc->size);

  /* u1 = h / s, P1 = u1 * G */
@@ -124,7 +123,7 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc,
     unlikely. */
  if (!zero_p (u1, ecc->size))
    {
-      /* Total storage: 6*ecc->size + ECC_MUL_G_ITCH (ecc->size) */
+      /* Total storage: 6*ecc->size + ecc->mul_g_itch (ecc->size) */
      ecc_mul_g (ecc, P1, u1, u1 + ecc->size);

      /* NOTE: ecc_add_jjj and/or ecc_j_to_a will produce garbage in

--- a/ecc-internal.h
+++ b/ecc-internal.h
@@ -285,8 +285,6 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap);
  (((3 << ECC_MUL_A_EH_WBITS) + 10) * (size))
 #endif
 #define ECC_ECDSA_SIGN_ITCH(size) (12*(size))
-#define ECC_ECDSA_VERIFY_ITCH(size) \
-  (6*(size) + ECC_MUL_A_ITCH ((size)))
 #define ECC_MODQ_RANDOM_ITCH(size) (size)
 #define ECC_HASH_ITCH(size) (1+(size))


--- a/ecdsa-verify.c
+++ b/ecdsa-verify.c
@@ -47,7 +47,7 @@ ecdsa_verify (const struct ecc_point *pub,
 	      const struct dsa_signature *signature)
 {
  mp_limb_t size = pub->ecc->size;
-  mp_size_t itch = 2*size + ECC_ECDSA_VERIFY_ITCH (size);
+  mp_size_t itch = 2*size + ecc_ecdsa_verify_itch (pub->ecc);
  /* For ECC_MUL_A_WBITS == 0, at most 1512 bytes. With
     ECC_MUL_A_WBITS == 4, currently needs 67 * ecc->size, at most
     4824 bytes. Don't use stack allocation for this. */