Don't use coordinate blinding when scalar is group order

This happens in ec_key_simple_check_key and EC_GROUP_check.
Since the the group order is not a secret scalar, it is
unnecessary to use coordinate blinding.

Fixes: #8731

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8734)

(cherry picked from commit 3051bf2afab7ac8b7b9c64e68755d1addd2fb8ff)

diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index ce5796de366b3988108d14a311bda53796ae19d3..11c7be1c118782dccb2c05f2d393c2ce972e5fe2 100644 (file)
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -441,7 +441,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
          * scalar multiplication implementation based on a Montgomery ladder,
          * with various timing attack defenses.
          */
-        if ((scalar != NULL) && (num == 0)) {
+        if ((scalar != group->order) && (scalar != NULL) && (num == 0)) {
             /*-
              * In this case we want to compute scalar * GeneratorPoint: this
              * codepath is reached most prominently by (ephemeral) key
@@ -452,7 +452,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
              */
             return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx);
         }
-        if ((scalar == NULL) && (num == 1)) {
+        if ((scalar == NULL) && (num == 1) && (scalars[0] != group->order)) {
             /*-
              * In this case we want to compute scalar * VariablePoint: this
              * codepath is reached most prominently by the second half of ECDH,