mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-24 10:10:58 +00:00
Merge pull request #3728 from pkolbus/issue-3647-2.16
Backport 2.16: Restore retry in rsa_prepare_blinding()
This commit is contained in:
commit
319eee5fdd
6
ChangeLog.d/fix-rsa-blinding.txt
Normal file
6
ChangeLog.d/fix-rsa-blinding.txt
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
Bugfix
|
||||||
|
* Fix rsa_prepare_blinding() to retry when the blinding value is not
|
||||||
|
invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This
|
||||||
|
addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
|
||||||
|
Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin).
|
||||||
|
Fixes #3647.
|
|
@ -841,15 +841,14 @@ static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
|
||||||
* which one, we just loop and choose new values for both of them.
|
* which one, we just loop and choose new values for both of them.
|
||||||
* (Each iteration succeeds with overwhelming probability.) */
|
* (Each iteration succeeds with overwhelming probability.) */
|
||||||
ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
|
ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
|
||||||
if( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
|
if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
|
||||||
continue;
|
|
||||||
if( ret != 0 )
|
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
/* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
|
} while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
|
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
|
/* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
|
||||||
} while( 0 );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
|
||||||
|
|
||||||
/* Blinding value: Vi = Vf^(-e) mod N
|
/* Blinding value: Vi = Vf^(-e) mod N
|
||||||
* (Vi already contains Vf^-1 at this point) */
|
* (Vi already contains Vf^-1 at this point) */
|
||||||
|
|
Loading…
Reference in a new issue