authorBodo Möller <bodo@openssl.org>2001-03-11 08:44:50 +0000
committerBodo Möller <bodo@openssl.org>2001-03-11 08:44:50 +0000
commit86a921af06f52d1b16fbc8a76d8f0ff1950d1c8a (patch)
treeef61352f93abc72ab99295a318ad0b3a45f73b0e
parent616df356332246c891fb1a650fef54ee211cafd3 (diff)
downloadopenssl-86a921af06f52d1b16fbc8a76d8f0ff1950d1c8a.tar.gz
handle negative scalars correctly when doing point multiplication
-rw-r--r--crypto/ec/ec_mult.c8
-rw-r--r--crypto/ec/ectest.c19
2 files changed, 25 insertions, 2 deletions
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index ddd3db5921..01574d8c93 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -187,10 +187,18 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, BIGNUM *scalar,
if (i < num)
{
if (!EC_POINT_copy(val_sub[i][0], points[i])) goto err;
+ if (scalars[i]->neg)
+ {
+ if (!EC_POINT_invert(group, val_sub[i][0], ctx)) goto err;
+ }
}
else
{
if (!EC_POINT_copy(val_sub[i][0], generator)) goto err;
+ if (scalar->neg)
+ {
+ if (!EC_POINT_invert(group, val_sub[i][0], ctx)) goto err;
+ }
}
if (wsize[i] > 1)
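Review bot: The two added `if (...->neg)` blocks are identical apart from the scalar they test, and neither carries a comment saying why the base point is negated. A one-line comment above the first, such as `/* k*P == |k|*(-P): negate the base point so the rest of the routine can work with |k| */`, would document the invariant. Correctness depends on the later bit-scanning of the scalars ignoring the sign, which lies outside this hunk and should be confirmed. In the else branch `scalar->neg` is dereferenced with no NULL check visible, while ectest.c calls this function with `scalar` set to `NULL`; presumably that branch is only reached when a generator scalar was supplied, but the guard is not shown here. The loop body starts and ends outside the hunk.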
diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c
index b68e27e98a..766a0dbc75 100644
--- a/crypto/ec/ectest.c
+++ b/crypto/ec/ectest.c
@@ -519,7 +519,7 @@ int main(int argc, char *argv[])
scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
scalars[1] = y;
- fprintf(stdout, "simultaneous multiplication ... ");
+ fprintf(stdout, "simultaneous multiplication ...");
fflush(stdout);
/* z is still the group order */
@@ -528,7 +528,22 @@ int main(int argc, char *argv[])
if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT;
- fprintf(stdout, "ok\n\n");
+ fprintf(stdout, ".");
+ fflush(stdout);
+
+ if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
+ if (!BN_copy(z, y)) ABORT;
+ z->neg = 1;
+
+ points[0] = Q;
+ points[1] = Q;
+ scalars[0] = y;
+ scalars[1] = z;
+
+ if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
+ if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+ fprintf(stdout, " ok\n\n");
}
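Review bot: The new case only exercises the `scalars[i]->neg` path, because `EC_POINTs_mul` is called with `scalar` set to `NULL`; the `scalar->neg` branch added for the generator in ec_mult.c is left untested. A second check that passes a negative generator scalar together with the matching positive scalar applied to the generator point, again expecting the point at infinity, would cover it. The test also sets `z->neg = 1` directly after `BN_copy`, which would leave a zero with the sign flag set if `BN_pseudo_rand` ever produced 0; that is negligible in practice, but a comment such as `/* z = -y, so y*Q + z*Q must be the point at infinity */` would make the intent explicit. main() continues outside the hunk.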