From 338eeb0c4f5c9b11835db1fad0de1fa0274ce71e Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Sat, 20 Jan 2018 09:36:51 -0500
Subject: [PATCH] Remove r_is_inverted logic.

This appears to be pointless. Before, we would have a 50% chance of doing an inversion at each non-zero bit but the first (r_is_at_infinity), plus a 50% chance of doing an inversion at the end. Now we would have a 50% chance of doing an inversion at each non-zero bit. That's the same number of coin flips.

Change-Id: I8158fd48601cb041188826d4f68ac1a31a6fbbbc
Reviewed-on: https://boringssl-review.googlesource.com/25146
Reviewed-by: Adam Langley
Commit-Queue: David Benjamin
CQ-Verified: CQ bot account: commit-bot@chromium.org
---
 crypto/fipsmodule/ec/wnaf.c | 34 ++++++++++++----------------------
 1 file changed, 12 insertions(+), 22 deletions(-)

diff --git a/crypto/fipsmodule/ec/wnaf.c b/crypto/fipsmodule/ec/wnaf.c
index a1cff943..0a2bcbab 100644
--- a/crypto/fipsmodule/ec/wnaf.c
+++ b/crypto/fipsmodule/ec/wnaf.c
@@ -232,8 +232,6 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r,
   size_t total_num = 0;
   size_t i, j;
   int k;
-  int r_is_inverted = 0;
-  int r_is_at_infinity = 1;
   int8_t **wNAF = NULL; // individual wNAFs
   size_t *wNAF_len = NULL;
   size_t max_len = 0;
@@ -377,7 +375,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r,
   }
 #endif
 
-  r_is_at_infinity = 1;
+  int r_is_at_infinity = 1;
   for (k = max_len - 1; k >= 0; k--) {
     if (!r_is_at_infinity && !EC_POINT_dbl(group, r, r, ctx)) {
@@ -387,31 +385,26 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r,
     for (i = 0; i < total_num; i++) {
       if (wNAF_len[i] > (size_t)k) {
         int digit = wNAF[i][k];
-        int is_neg;
-
         if (digit) {
-          is_neg = digit < 0;
-
-          if (is_neg) {
+          const EC_POINT *tmp2;
+          if (digit < 0) {
             digit = -digit;
-          }
-
-          if (is_neg != r_is_inverted) {
-            if (!r_is_at_infinity && !EC_POINT_invert(group, r, ctx)) {
+            if (!EC_POINT_copy(tmp, val_sub[i][digit >> 1]) ||
+                !EC_POINT_invert(group, tmp, ctx)) {
               goto err;
             }
-            r_is_inverted = !r_is_inverted;
+            tmp2 = tmp;
+          } else {
+            tmp2 = val_sub[i][digit >> 1];
           }
 
-          // digit > 0
-
           if (r_is_at_infinity) {
-            if (!EC_POINT_copy(r, val_sub[i][digit >> 1])) {
+            if (!EC_POINT_copy(r, tmp2)) {
               goto err;
             }
             r_is_at_infinity = 0;
           } else {
-            if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx)) {
+            if (!EC_POINT_add(group, r, r, tmp2, ctx)) {
               goto err;
             }
           }
@@ -420,11 +413,8 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r,
     }
   }
 
-  if (r_is_at_infinity) {
-    if (!EC_POINT_set_to_infinity(group, r)) {
-      goto err;
-    }
-  } else if (r_is_inverted && !EC_POINT_invert(group, r, ctx)) {
+  if (r_is_at_infinity &&
+      !EC_POINT_set_to_infinity(group, r)) {
     goto err;
   }
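Review bot: The new `if (digit < 0)` branch in the -387 hunk performs an `EC_POINT_copy` into `tmp` plus an `EC_POINT_invert` that the positive-digit branch does not, so the per-digit work, not only the inversion count the commit message reasons about, now follows the sign of each wNAF digit; whether that is acceptable depends on whether ec_wNAF_mul is ever given secret scalars, which nothing in the hunk states, so a comment at that branch making the assumption explicit would help, e.g. `// Negative digits invert a copy of the table entry; this path is digit-dependent and assumes the scalar is not secret (confirm).` That branch also relies on `tmp` being an already-allocated scratch point distinct from `r` and from every `val_sub[i][...]` entry, and its allocation lies outside this hunk, so `if (!EC_POINT_copy(tmp, val_sub[i][digit >> 1]) ||` should be read as carrying that precondition; the removed `// digit > 0` comment was the only hint that `digit >> 1` indexes a table of odd multiples, and restoring it after the sign handling as `// digit is now positive and odd; val_sub holds the odd multiples.` (hedged, as the table construction is not visible here) would keep that readable. `tmp2` is a weak name for the addend selected by the sign; something like `summand` would read better. The enclosing function ec_wNAF_mul starts and ends outside this hunk.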