commit 6bcbc925bfe6f56c2d9871e34126cde37181ee14
author Janos Follath <janos.follath@arm.com> Tue Nov 21 09:46:43 2023 +0000
committer Dave Rodgman <dave.rodgman@arm.com> Mon Jan 22 15:33:19 2024 +0000
tree a0cbe32caa65dae4c61b4b5eca99c8de52612869
parent d6b096532c936390d9a085dedb6444cee069a3ba

Extend blinding to RSA result check

Signed-off-by: Janos Follath <janos.follath@arm.com>

library/rsa.c

diff --git a/library/rsa.c b/library/rsa.c
index 32a2650..5b6bf40 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1113,8 +1113,6 @@
         goto cleanup;
     }
 
-    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
-
     /*
      * Blinding
      * T = T * Vi mod N
@@ -1123,6 +1121,8 @@
     MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
     MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
 
+    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
+
     /*
      * Exponent blinding
      */
@@ -1191,12 +1191,6 @@
     MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
 #endif /* MBEDTLS_RSA_NO_CRT */
 
-    /*
-     * Unblind
-     * T = T * Vf mod N
-     */
-    MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N));
-
     /* Verify the result to prevent glitching attacks. */
     MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&C, &T, &ctx->E,
                                         &ctx->N, &ctx->RN));
@@ -1205,6 +1199,12 @@
         goto cleanup;
     }
 
+    /*
+     * Unblind
+     * T = T * Vf mod N
+     */
+    MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N));
+
     olen = ctx->len;
     MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));