Clear the point S before freeing in ec_mul_consttime

The secret point R can be recovered from S using the equation R = S - P.
The X and Z coordinates should be sufficient for that.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8505)

diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 8350082eb42e35c06cf3b58eca6b3a0556fab28f..47c0fc028c9dfc08ce2e07e835462dcbda8d7e02 100644 (file)
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -325,7 +325,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
     ret = 1;
 
  err:
-    EC_POINT_free(s);
+    EC_POINT_clear_free(s);
     BN_CTX_end(ctx);
     BN_CTX_free(new_ctx);