Fix a timing leak in ecp_mul_mxz()

The bit length of m is leaked through through timing in ecp_mul_mxz(). Initially found by Manuel Pégourié-Gonnard on ecp_mul_edxyz(), which has been inspired from ecp_mul_mxz(), during initial review of the EdDSA PR. See: https://github.com/Mbed-TLS/mbedtls/pull/3245#discussion_r490827996 Fix that by using grp->nbits + 1 instead, which anyway is very close to the length of m, which means there is no significant performance impact. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2025-04-23 10:25:35 +03:00 · 2022-05-15 13:24:05 +02:00 · 2022-05-15 13:24:05 +02:00 · edc110d15a
commit edc110d15a
parent d654171087
1 changed files with 1 additions and 1 deletions
--- a/library/ecp.c
+++ b/library/ecp.c
@ -2594,7 +2594,7 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
        MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );

    /* Loop invariant: R = result so far, RP = R + P */
-    i = mbedtls_mpi_bitlen( m ); /* one past the (zero-based) most significant bit */
+    i = grp->nbits + 1; /* one past the (zero-based) required msb for private keys */
    while( i-- > 0 )
    {
        b = mbedtls_mpi_get_bit( m, i );