Fix the error handling in EC_POINTs_mul
authorBernd Edlinger <bernd.edlinger@hotmail.de>
Mon, 6 Apr 2020 08:41:36 +0000 (10:41 +0200)
committerBernd Edlinger <bernd.edlinger@hotmail.de>
Tue, 7 Apr 2020 11:22:44 +0000 (13:22 +0200)
This was pointed out by a false-positive
-fsanitizer warning ;-)

However from the cryptographical POV the
code is wrong:
A point R^0 on the wrong curve
is infinity on the wrong curve.

[extended tests]

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11475)

(cherry picked from commit 1eb9b54af7e00fa12196411964ce742ea8677766)

crypto/ec/ec_lib.c

index 3554ada82797b987cf57986b935a06e2ae8e0ad4..22b00e203d3a438884d4b2c71bcb10d3f5e417d3 100644 (file)
@@ -1007,14 +1007,14 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
     size_t i = 0;
     BN_CTX *new_ctx = NULL;
 
-    if ((scalar == NULL) && (num == 0)) {
-        return EC_POINT_set_to_infinity(group, r);
-    }
-
     if (!ec_point_is_compat(r, group)) {
         ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
         return 0;
     }
+
+    if (scalar == NULL && num == 0)
+        return EC_POINT_set_to_infinity(group, r);
+
     for (i = 0; i < num; i++) {
         if (!ec_point_is_compat(points[i], group)) {
             ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);