Merge pull request #3726 from gilles-peskine-arm/changelog-user-visible-only-development
Only use ChangeLog to inform users, not for acknowledgement
diff --git a/ChangeLog.d/fix-rsa-blinding.txt b/ChangeLog.d/fix-rsa-blinding.txt
new file mode 100644
index 0000000..a13572c
--- /dev/null
+++ b/ChangeLog.d/fix-rsa-blinding.txt
@@ -0,0 +1,6 @@
+Bugfix
+ * Fix rsa_prepare_blinding() to retry when the blinding value is not
+ invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This
+ addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
+ Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin).
+ Fixes #3647.
diff --git a/ChangeLog.d/getrandom.txt b/ChangeLog.d/getrandom.txt
new file mode 100644
index 0000000..87a3a6c
--- /dev/null
+++ b/ChangeLog.d/getrandom.txt
@@ -0,0 +1,2 @@
+Changes
+ Use glibc's getrandom() instead of syscall when glibc > 2.25.
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
index 4bf660e..0f992f3 100644
--- a/library/entropy_poll.c
+++ b/library/entropy_poll.c
@@ -18,9 +18,15 @@
*/
#if defined(__linux__)
+#if !defined(_GNU_SOURCE)
/* Ensure that syscall() is available even when compiling with -std=c99 */
#define _GNU_SOURCE
#endif
+#include <features.h>
+#if __GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 25)
+#define HAVE_SYS_RANDOM 1
+#endif
+#endif
#include "common.h"
@@ -86,10 +92,16 @@
/*
* Test for Linux getrandom() support.
- * Since there is no wrapper in the libc yet, use the generic syscall wrapper
+ * When the C library is GNU libc and its version is greater than 2.25,
+ * include sys/random.h to use getrandom(),
+ * otherwise use the generic use the generic syscall wrapper
* available in GNU libc and compatible libc's (eg uClibc).
*/
-#if ((defined(__linux__) && defined(__GLIBC__)) || defined(__midipix__))
+#if HAVE_SYS_RANDOM
+#include <sys/random.h>
+#include <errno.h>
+#define HAVE_GETRANDOM
+#elif (defined(__linux__) && defined(__GLIBC__)) || defined(__midipix__)
#include <unistd.h>
#include <sys/syscall.h>
#if defined(SYS_getrandom)
@@ -155,7 +167,11 @@
((void) data);
#if defined(HAVE_GETRANDOM)
+#if HAVE_SYS_RANDOM
+ ret = getrandom(output, len, 0);
+#else
ret = getrandom_wrapper( output, len, 0 );
+#endif
if( ret >= 0 )
{
*olen = ret;
diff --git a/library/rsa.c b/library/rsa.c
index 84d87de..d6abd65 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -811,15 +811,14 @@
* which one, we just loop and choose new values for both of them.
* (Each iteration succeeds with overwhelming probability.) */
ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
- if( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
- continue;
- if( ret != 0 )
+ if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
goto cleanup;
- /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
- MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
- } while( 0 );
+ } while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+
+ /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
/* Blinding value: Vi = Vf^(-e) mod N
* (Vi already contains Vf^-1 at this point) */