From: Andy Polyakov <appro@openssl.org>
Date: Mon, 19 Feb 2018 14:00:59 +0000 (+0100)
Subject: crypto/ec/curve25519.c: remove redundant fe[51]_cswap.
X-Git-Tag: OpenSSL_1_1_1-pre2~55
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=127d6cf747652a182636597cbdf4d0d49d2e661a;p=oweals%2Fopenssl.git

crypto/ec/curve25519.c: remove redundant fe[51]_cswap.

3 least significant bits of the input scalar are explicitly cleared,
hence swap variable has fixed value [of zero] upon exit from the loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5408)
---

diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c
index 2c0bd5fcf4..63ec53171c 100644
--- a/crypto/ec/curve25519.c
+++ b/crypto/ec/curve25519.c
@@ -471,8 +471,6 @@ static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
         fe51_mul(z3, x1, z2);
         fe51_mul(z2, tmp1, tmp0);
     }
-    fe51_cswap(x2, x3, swap);
-    fe51_cswap(z2, z3, swap);
 
     fe51_invert(z2, z2);
     fe51_mul(x2, x2, z2);
@@ -4050,8 +4048,6 @@ static void x25519_scalar_mult_generic(uint8_t out[32],
     fe_mul(z3, x1, z2);
     fe_mul(z2, tmp1, tmp0);
   }
-  fe_cswap(x2, x3, swap);
-  fe_cswap(z2, z3, swap);
 
   fe_invert(z2, z2);
   fe_mul(x2, x2, z2);