From c79ce881521513c893101f10842ea857976c1030 Mon Sep 17 00:00:00 2001 From: Aurelien Jarno Date: Sun, 15 May 2022 13:24:05 +0200 Subject: [PATCH] Fix a timing leak in ecp_mul_mxz() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The bit length of m is leaked through timing in ecp_mul_mxz(). Initially found by Manuel Pégourié-Gonnard on ecp_mul_edxyz(), which has been inspired from ecp_mul_mxz(), during initial review of the EdDSA PR. See: https://github.com/Mbed-TLS/mbedtls/pull/3245#discussion_r490827996 Fix that by using grp->nbits + 1 instead, which anyway is very close to the length of m, which means there is no significant performance impact. Signed-off-by: Aurelien Jarno --- library/ecp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ecp.c b/library/ecp.c index 8b32caa38a..8943837b9f 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -2526,7 +2526,7 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) ); /* Loop invariant: R = result so far, RP = R + P */ - i = mbedtls_mpi_bitlen( m ); /* one past the (zero-based) most significant bit */ + i = grp->nbits + 1; /* one past the (zero-based) required msb for private keys */ while( i-- > 0 ) { b = mbedtls_mpi_get_bit( m, i );
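Review bot: the replacement `i = grp->nbits + 1;` makes the iteration count a public constant of the curve rather than a function of m, which is the property the commit message claims, but it also turns the valid-private-key shape of m into a silent precondition: any bit of m above position grp->nbits is now never visited by `mbedtls_mpi_get_bit( m, i )`, so a scalar that is unclamped or larger than the group order would produce a wrong multiple instead of the full product that the old `mbedtls_mpi_bitlen( m )` bound computed. Suggest either guaranteeing at the call sites that m has already passed the library's private-key validation (mbedtls_ecp_check_privkey) before ecp_mul_mxz() is entered, or stating the precondition in the function's doc comment next to the changed line, e.g. `/* Precondition: m has at most grp->nbits + 1 bits (a valid private key) */`, so a future caller does not rely on this loop handling arbitrary scalars. The changed comment itself could say "required msb of valid private keys" to make clear that this is the bit position the clamping rules force to 1, not merely an upper bound.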