From: Bernd Edlinger
Date: Fri, 12 Apr 2019 12:28:00 +0000 (+0200)
Subject: Don't use coordinate blinding when scalar is group order
X-Git-Tag: openssl-3.0.0-alpha1~2181
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=3051bf2afab7ac8b7b9c64e68755d1addd2fb8ff;p=oweals%2Fopenssl.git
Don't use coordinate blinding when scalar is group order
This happens in ec_key_simple_check_key and EC_GROUP_check. Since the the group order is not a secret scalar, it is unnecessary to use coordinate blinding.
Fixes: #8731
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/8734)
---
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 755d64400a..968125f3cd 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -441,7 +441,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 * scalar multiplication implementation based on a Montgomery ladder,
 * with various timing attack defenses.
 */
- if ((scalar != NULL) && (num == 0)) {
+ if ((scalar != group->order) && (scalar != NULL) && (num == 0)) {
 /*-
 * In this case we want to compute scalar * GeneratorPoint: this
 * codepath is reached most prominently by (ephemeral) key
@@ -452,7 +452,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 */
 return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx);
 }
- if ((scalar == NULL) && (num == 1)) {
+ if ((scalar == NULL) && (num == 1) && (scalars[0] != group->order)) {
 /*-
 * In this case we want to compute scalar * VariablePoint: this
 * codepath is reached most prominently by the second half of ECDH,
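Review bot: `scalar != group->order` in the first hunk is a pointer-identity test, not a value comparison, so only a caller that passes the group's own `order` BIGNUM object skips the ladder; a scalar that merely equals the order by value still takes the blinded constant-time path. That is the safe direction for any secret scalar, but the condition reads like it should be a BN_cmp, and nothing in the hunk says the identity check is deliberate, so a maintainer may later "fix" it into a value comparison and widen the bypass. The comment block above the first `if` (which starts outside the hunk) should state it, e.g. `/* Pointer comparison is intentional: only the group's own order object, which is public, may bypass the blinded ladder. */`. The same applies to `scalars[0] != group->order` in the second hunk. ec_wNAF_mul continues outside both hunks.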