Optimization of ossl_ec_key_public_check()

We can do just the quick check if cofactor == 1 as the
fact that the point is on the curve already implies
that order * point = infinity.

Fixes #21833

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24816)

diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 9bc4e032c557171925e732e01217b59af060b31b..b9a12bbf18050a9a16bde611a3f52154948e7c9f 100644 (file)
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -563,10 +563,16 @@ int ossl_ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx)
     int ret = 0;
     EC_POINT *point = NULL;
     const BIGNUM *order = NULL;
+    const BIGNUM *cofactor = EC_GROUP_get0_cofactor(eckey->group);
 
     if (!ossl_ec_key_public_check_quick(eckey, ctx))
         return 0;
 
+    if (cofactor != NULL && BN_is_one(cofactor)) {
+        /* Skip the unnecessary expensive computation for curves with cofactor of 1. */
+        return 1;
+    }
+
     point = EC_POINT_new(eckey->group);
     if (point == NULL)
         return 0;