crypto/ec/curve25519.c: remove redundant fe[51]_cswap.

3 least significant bits of the input scalar are explicitly cleared,
hence swap variable has fixed value [of zero] upon exit from the loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5408)

diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c
index 2c0bd5fcf481e52a9b86287cbc1b1f2714a55077..63ec53171c6aa933a101eadcb42142744203806f 100644 (file)
--- a/crypto/ec/curve25519.c
+++ b/crypto/ec/curve25519.c
@@ -471,8 +471,6 @@ static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
         fe51_mul(z3, x1, z2);
         fe51_mul(z2, tmp1, tmp0);
     }
-    fe51_cswap(x2, x3, swap);
-    fe51_cswap(z2, z3, swap);
 
     fe51_invert(z2, z2);
     fe51_mul(x2, x2, z2);
@@ -4050,8 +4048,6 @@ static void x25519_scalar_mult_generic(uint8_t out[32],
     fe_mul(z3, x1, z2);
     fe_mul(z2, tmp1, tmp0);
   }
-  fe_cswap(x2, x3, swap);
-  fe_cswap(z2, z3, swap);
 
   fe_invert(z2, z2);
   fe_mul(x2, x2, z2);