From 1251b90bf9e1786533dc4694b9bffbea6a952a9e Mon Sep 17 00:00:00 2001
From: Jack Lloyd
Date: Wed, 17 Jul 2024 07:36:53 -0400
Subject: [PATCH] Fix ECDSA verification on curves with cofactors

The trick in #4211 doesn't work correctly for curves with cofactors. Since such curves are weird and deprecated, just force to affine for such curves, rather than complicating the fast path.

Fixes #4219
---
 src/lib/pubkey/ec_group/ec_inner_bn.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/lib/pubkey/ec_group/ec_inner_bn.cpp b/src/lib/pubkey/ec_group/ec_inner_bn.cpp
index 271fe93ae51..d45318babd2 100644
--- a/src/lib/pubkey/ec_group/ec_inner_bn.cpp
+++ b/src/lib/pubkey/ec_group/ec_inner_bn.cpp
@@ -177,9 +177,16 @@ bool EC_Mul2Table_Data_BN::mul2_vartime_x_mod_order_eq(const EC_Scalar_Data& v,
  return false;
  }
 
+ /*
+ * The trick used below doesn't work for curves with cofactors
+ */
+ if(m_group->has_cofactor()) {
+ return m_group->mod_order(pt.get_affine_x()) == bn_v.value();
+ }
+
  /*
  * Note we're working with the projective coordinate directly here!
- * Nominally we're doing this:
+ * Nominally we're comparing v with the affine x coordinate.
  *
  * return m_group->mod_order(pt.get_affine_x()) == bn_v.value();
  *
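Review bot: The new comment above the `has_cofactor()` early return says only that the trick "doesn't work" for cofactor curves, which leaves a later maintainer free to re-enable the fast path for them; state the reason, e.g. `/* With cofactor h > 1 the affine x in [0, p) can exceed the group order by more than one multiple of n, so the small candidate set the projective comparison below relies on is incomplete; compare against the affine x mod n instead. */` (the details of that candidate set are outside this hunk, so adjust the wording to match the code). The diffstat shows only ec_inner_bn.cpp changed, so the verification failure this fixes has no regression test; a known-good ECDSA signature over a shipped cofactor curve (e.g. a SEC cofactor-4 curve such as secp112r2, if it is still built) would pin the new branch. The `return false; }` guard ending just above the added block has its condition outside the hunk; if it is not the point-at-infinity check, the new path's `pt.get_affine_x()` needs one before the inversion, since R = O must be rejected rather than converted.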