Commit 1de3ee397c for openssl.org

commit 1de3ee397c929eea04225a4fd214f2fe8c0cf98e
Author: David Foster <david@dafoster.net>
Date:   Wed Jul 1 09:26:21 2026 -0400

    Explain inconsistency in X25519 ladder copies

    Fixes #31560

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Mon Jul 13 15:03:15 2026
    (Merged from https://github.com/openssl/openssl/pull/31812)

diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c
index c6886763ab..53c8bff5ed 100644
--- a/crypto/ec/curve25519.c
+++ b/crypto/ec/curve25519.c
@@ -236,6 +236,13 @@ static void x25519_scalar_mulx(uint8_t out[32], const uint8_t scalar[32],
         fe64_sub(tmp1, x2, z2);
         fe64_add(x2, x2, z2);
         fe64_add(z2, x3, z3);
+        /* The original copy in x25519_scalar_mult_generic uses argument order
+         * fe_mul(z3, tmp0, x2), with the input arguments swapped.
+         *
+         * The assembly implementation of fe64_mul used here runs faster in
+         * parallel with its nearby instructions when an earlier-computable
+         * input (like tmp0) is passed as the 2nd input because it consumes
+         * the 2nd input at a faster rate than the 1st input. */
         fe64_mul(z3, x2, tmp0);
         fe64_mul(z2, z2, tmp1);
         fe64_sqr(tmp0, tmp1);