Clear the point S before freeing in ec_scalar_mul_ladder
authorBernd Edlinger <bernd.edlinger@hotmail.de>
Sun, 17 Mar 2019 16:28:24 +0000 (17:28 +0100)
committerBernd Edlinger <bernd.edlinger@hotmail.de>
Mon, 18 Mar 2019 21:39:55 +0000 (22:39 +0100)
The secret point R can be recovered from S using the equation R = S - P.
The X and Z coordinates should be sufficient for that.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8504)

crypto/ec/ec_mult.c

index 9b0aac2313bac9f2c0d4f7c1375deb951455e492..c76c528048eaf0b5b770b119c1e8f6905f40c0c8 100644 (file)
@@ -378,7 +378,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
 
  err:
     EC_POINT_free(p);
-    EC_POINT_free(s);
+    EC_POINT_clear_free(s);
     BN_CTX_end(ctx);
 
     return ret;