RSA blinding: check highly unlikely cases
diff --git a/library/rsa.c b/library/rsa.c
index 2055ef7..8cd2f10 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -267,7 +267,7 @@
static int rsa_prepare_blinding( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
- int ret;
+ int ret, count = 0;
if( ctx->Vf.p != NULL )
{
@@ -280,8 +280,14 @@
return( 0 );
}
- /* Unblinding value: Vf = random number */
- MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
+ /* Unblinding value: Vf = random number, invertible mod N */
+ do {
+ if( count++ > 10 )
+ return( POLARSSL_ERR_RSA_RNG_FAILED );
+
+ MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
+ MPI_CHK( mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
+ } while( mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
/* Blinding value: Vi = Vf^(-e) mod N */
MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
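Review bot: The retry bound `if( count++ > 10 )` is a bare magic number with no explanation of why giving up is the right response, and the error returned is `POLARSSL_ERR_RSA_RNG_FAILED` even though a non-invertible Vf can also come from a malformed or corrupted modulus rather than the RNG. For N = p*q with two large primes the chance that a random Vf shares a factor with N is roughly 1/p + 1/q, so hitting the bound is effectively impossible with a sound RNG and a valid key; that reasoning belongs next to the check so a later reader does not "fix" it by raising the limit. I would add above the bound: `/* gcd( Vf, N ) != 1 is negligibly likely for a valid N, so repeated */` / `/* failures mean a broken RNG or a corrupt modulus, not bad luck. */`, and would consider naming the limit rather than writing 10 inline. Note also that the loop reuses Vi as gcd scratch before the `mpi_inv_mod` below overwrites it; a one-line comment on `mpi_gcd( &ctx->Vi, ... )` saying Vi is only temporary there would avoid confusion with the "Blinding value: Vi" comment that follows. The enclosing rsa_prepare_blinding body begins before this hunk.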