mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-10-24 11:43:21 +08:00

Fix a timing leak in ecp_mul_mxz()

The bit length of m is leaked through timing in ecp_mul_mxz().
Initially found by Manuel Pégourié-Gonnard on ecp_mul_edxyz(), which was
inspired by ecp_mul_mxz(), during initial review of the EdDSA PR.
See: https://github.com/Mbed-TLS/mbedtls/pull/3245#discussion_r490827996

Fix that by using grp->nbits + 1 instead, which anyway is very close to
the length of m, which means there is no significant performance impact.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno
2022-05-15 13:24:05 +02:00
committed by Dave Rodgman
parent d654171087
commit edc110d15a


@@ -2594,7 +2594,7 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) ); MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );
/* Loop invariant: R = result so far, RP = R + P */ /* Loop invariant: R = result so far, RP = R + P */
i = mbedtls_mpi_bitlen( m ); /* one past the (zero-based) most significant bit */ i = grp->nbits + 1; /* one past the (zero-based) required msb for private keys */
while( i-- > 0 ) while( i-- > 0 )
{ {
b = mbedtls_mpi_get_bit( m, i ); b = mbedtls_mpi_get_bit( m, i );
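Review bot: the new bound `i = grp->nbits + 1;` makes the loop count fixed per curve, so the iteration count no longer depends on `mbedtls_mpi_bitlen( m )`, which is the leak the commit message describes; it is, however, only correct if m has no bits set at position grp->nbits + 1 or above, because `mbedtls_mpi_get_bit( m, i )` is now never called for those positions and any such bits would be silently ignored instead of causing a wrong result to be caught. That precondition (m already validated as a private key of at most nbits + 1 bits, per the updated comment "required msb for private keys") should be stated explicitly where the function documents its inputs, and ideally checked before the loop rather than assumed, so that a caller passing an unclamped or oversized scalar fails loudly rather than computing a multiple of a truncated scalar. The comment on the same line would also read more clearly as "one past the (zero-based) msb required for private keys".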