commit b6f45a616cd337d6483bf57840e4cb6e2ae39b57
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Dec 04 21:54:36 2013 +0100
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu Dec 05 15:58:38 2013 +0100
tree 82ad4016fac45f1b59b830abb01c66d80779d8e3
parent a60fe8943dfb9a12f0abb7973d42b8adf6e95727

Avoid potential leak in ecp_mul_mxz()

library/ecp.c

diff --git a/library/ecp.c b/library/ecp.c
index d661c2e..631dcaa 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1473,6 +1473,7 @@
 {
     int ret;
     size_t i;
+    unsigned char b;
     ecp_point RP;
     mpi PX;
 
@@ -1491,14 +1492,23 @@
     if( f_rng != NULL )
         MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );
 
+    /* Loop invariant: R = result so far, RP = R + P */
     i = mpi_msb( m ); /* one past the (zero-based) most significant bit */
     while( i-- > 0 )
     {
-        // TODO: no branch, and constant memory-access pattern
-        if( mpi_get_bit( m, i ) )
-            MPI_CHK( ecp_double_add_mxz( grp, &RP, R, &RP, R, &PX ) );
-        else
-            MPI_CHK( ecp_double_add_mxz( grp, R, &RP, R, &RP, &PX ) );
+        b = mpi_get_bit( m, i );
+        /*
+         *  if (b) R = 2R + P else R = 2R,
+         * which is:
+         *  if (b) double_add( RP, R, RP, R )
+         *  else   double_add( R, RP, R, RP )
+         * but using safe conditional swaps to avoid leaks
+         */
+        MPI_CHK( mpi_safe_cond_swap( &R->X, &RP.X, b ) );
+        MPI_CHK( mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
+        MPI_CHK( ecp_double_add_mxz( grp, R, &RP, R, &RP, &PX ) );
+        MPI_CHK( mpi_safe_cond_swap( &R->X, &RP.X, b ) );
+        MPI_CHK( mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
     }
 
     MPI_CHK( ecp_normalize_mxz( grp, R ) );