Commit 1de3ee397c for openssl.org
commit 1de3ee397c929eea04225a4fd214f2fe8c0cf98e
Author: David Foster <david@dafoster.net>
Date: Wed Jul 1 09:26:21 2026 -0400
Explain inconsistency in X25519 ladder copies
Fixes #31560
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jul 13 15:03:15 2026
(Merged from https://github.com/openssl/openssl/pull/31812)
diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c
index c6886763ab..53c8bff5ed 100644
--- a/crypto/ec/curve25519.c
+++ b/crypto/ec/curve25519.c
@@ -236,6 +236,13 @@ static void x25519_scalar_mulx(uint8_t out[32], const uint8_t scalar[32],
fe64_sub(tmp1, x2, z2);
fe64_add(x2, x2, z2);
fe64_add(z2, x3, z3);
+ /* The original copy in x25519_scalar_mult_generic uses argument order
+ * fe_mul(z3, tmp0, x2), with the input arguments swapped.
+ *
+ * The assembly implementation of fe64_mul used here runs faster in
+ * parallel with its nearby instructions when an earlier-computable
+ * input (like tmp0) is passed as the 2nd input because it consumes
+ * the 2nd input at a faster rate than the 1st input. */
fe64_mul(z3, x2, tmp0);
fe64_mul(z2, z2, tmp1);
fe64_sqr(tmp0, tmp1);