Merge pull request #6492 from daverodgman/ecp_mul_mxz-timing-leak-2.28

Fix a timing leak in ecp_mul_mxz() - 2.28 backport
2025-09-08 14:49:59 -04:00 · 2022-10-27 19:46:44 +02:00 · 2022-10-27 19:46:44 +02:00 · e0917c0346
commit e0917c0346
parent d654171087 edc110d15a
1 changed files with 1 additions and 1 deletions
--- a/library/ecp.c
+++ b/library/ecp.c
@ -2594,7 +2594,7 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
        MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );

    /* Loop invariant: R = result so far, RP = R + P */
-    i = mbedtls_mpi_bitlen( m ); /* one past the (zero-based) most significant bit */
+    i = grp->nbits + 1; /* one past the (zero-based) required msb for private keys */
    while( i-- > 0 )
    {
        b = mbedtls_mpi_get_bit( m, i );