From ff6e24710a8027ee6c669a9a3066feae9809f23f Mon Sep 17 00:00:00 2001
From: Paul Bakker <p.j.bakker@polarssl.org>
Date: Mon, 7 Jul 2014 13:34:41 +0200
Subject: [PATCH] RSA blinding: check highly unlikely cases

---
 library/rsa.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/library/rsa.c b/library/rsa.c
index 953e85258..26191ebf3 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -283,12 +283,20 @@ int rsa_private( rsa_context *ctx,
 #else
     if( f_rng != NULL )
     {
+        int count = 0;
+
         /*
          * Blinding
          * T = T * Vi mod N
          */
         /* Unblinding value: Vf = random number */
-        MPI_CHK( mpi_fill_random( &Vf, ctx->len - 1, f_rng, p_rng ) );
+        do {
+            if( count++ > 10 )
+                return( POLARSSL_ERR_RSA_RNG_FAILED );
+
+            MPI_CHK( mpi_fill_random( &Vf, ctx->len - 1, f_rng, p_rng ) );
+            MPI_CHK( mpi_gcd( &Vi, &Vf, &ctx->N ) );
+        } while( mpi_cmp_int( &Vi, 1 ) != 0 );
 
         /* Mathematically speaking, the algorithm should check Vf
          * against 0, P and Q (Vf should be relatively prime to N, and 0 < Vf < N),