Avoid superflous randomization with restartable

Checking the budget only after the randomization is done means sometimes we were randomizing first, then noticing we ran out of budget, return, come back and randomize again before we finally normalize. While this is fine from a correctness and security perspective, it's a minor inefficiency, and can also be disconcerting while debugging, so we might as well avoid it. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 09:53:20 +02:00 · 2020-06-08 09:53:20 +02:00 · 9b8d34edd4
commit 9b8d34edd4
parent d53ef2ffd1
1 changed files with 1 additions and 1 deletions
--- a/library/ecp.c
+++ b/library/ecp.c
@ -2151,6 +2151,7 @@ static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp,
        rs_ctx->rsm->state = ecp_rsm_final_norm;

 final_norm:
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
 #endif
    /*
     * Knowledge of the jacobian coordinates may leak the last few bits of the
@ -2168,7 +2169,6 @@ final_norm:
 #endif
        MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, RR, f_rng, p_rng ) );

-    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
    MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );

 #if defined(MBEDTLS_ECP_RESTARTABLE)