Commit e861d659 authored by Bernd Edlinger

Don't use coordinate blinding when scalar is group order

This happens in ec_key_simple_check_key and EC_GROUP_check.
Since the group order is not a secret scalar, it is
unnecessary to use coordinate blinding.

Fixes: #8731

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8734)

(cherry picked from commit 3051bf2afab7ac8b7b9c64e68755d1addd2fb8ff)
parent dbd233b8
+2 −2
@@ -441,7 +441,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
         * scalar multiplication implementation based on a Montgomery ladder,
         * with various timing attack defenses.
         */
        if ((scalar != NULL) && (num == 0)) {
        if ((scalar != group->order) && (scalar != NULL) && (num == 0)) {
            /*-
             * In this case we want to compute scalar * GeneratorPoint: this
             * codepath is reached most prominently by (ephemeral) key
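Review bot: the new `scalar != group->order` test is a pointer-identity comparison, not a value comparison (it is not `BN_cmp`), so it only diverts callers that pass the group's own order BIGNUM, which is exactly the case the commit message describes for ec_key_simple_check_key and EC_GROUP_check; a caller that passes a separately allocated BIGNUM equal in value to the order still takes the constant-time ladder. That is the intended scope, but it is easy to misread as a value check, so a one-line comment above the condition stating that the pointer comparison is deliberate, and that the group order is public so the non-hardened path below is acceptable for it, would prevent a future "fix" to `BN_cmp` that would silently widen the exemption.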
@@ -452,7 +452,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
             */
            return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx);
        }
        if ((scalar == NULL) && (num == 1)) {
        if ((scalar == NULL) && (num == 1) && (scalars[0] != group->order)) {
            /*-
             * In this case we want to compute scalar * VariablePoint: this
             * codepath is reached most prominently by the second half of ECDH,
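Review bot: the `scalars[0] != group->order` check is correctly placed after `(num == 1)`, since `&&` short-circuits and `scalars[0]` is only meaningful when at least one scalar was supplied; the same pointer-identity caveat as in the first hunk applies here (only a caller passing the group's own order BIGNUM is exempted from the ladder). For consistency and readability the first hunk could follow the same ordering, i.e. keep the existing `(scalar != NULL) && (num == 0)` tests first and append `&& (scalar != group->order)`, so both conditions read as "existing fast-path condition, plus the public-order exemption".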