1 files changed, 14 insertions, 4 deletions

diff --git a/src/crypto/fipsmodule/ec/ec_key.c b/src/crypto/fipsmodule/ec/ec_key.c
index a48671a..c75d90b 100644
--- a/src/crypto/fipsmodule/ec/ec_key.c
+++ b/src/crypto/fipsmodule/ec/ec_key.c
@@ -163,12 +163,12 @@ void EC_KEY_free(EC_KEY *r) {
     METHOD_unref(r->ecdsa_meth);
   }
 
+  CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), r, &r->ex_data);
+
   EC_GROUP_free(r->group);
   EC_POINT_free(r->pub_key);
   ec_wrapped_scalar_free(r->priv_key);
 
-  CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), r, &r->ex_data);
-
   OPENSSL_free(r);
 }
 
@@ -314,8 +314,10 @@ int EC_KEY_check_key(const EC_KEY *eckey) {
       OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);
       return 0;
     }
-    if (!ec_GFp_simple_points_equal(eckey->group, &point,
-                                    &eckey->pub_key->raw)) {
+    // Leaking this comparison only leaks whether |eckey|'s public key was
+    // correct.
+    if (!constant_time_declassify_int(ec_GFp_simple_points_equal(
+            eckey->group, &point, &eckey->pub_key->raw))) {
       OPENSSL_PUT_ERROR(EC, EC_R_INVALID_PRIVATE_KEY);
       return 0;
     }
@@ -500,6 +502,14 @@ int EC_KEY_generate_key(EC_KEY *key) {
     return 0;
   }
 
+  // The public key is derived from the private key, but it is public.
+  //
+  // TODO(crbug.com/boringssl/677): This isn't quite right. While |pub_key|
+  // represents a public point, it is still in Jacobian form and the exact
+  // Jacobian representation is secret. We need to make it affine first. See
+  // discussion in the bug.
+  CONSTTIME_DECLASSIFY(&pub_key->raw, sizeof(pub_key->raw));
+
   ec_wrapped_scalar_free(key->priv_key);
   key->priv_key = priv_key;
   EC_POINT_free(key->pub_key);