commit 86ad5be18a4694848108ba9f950e93d8de436ee4
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Fri Jun 26 11:03:19 2020 +0200
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Fri Jul 24 11:55:28 2020 +0200
tree af1c320a5380c52c9bab2faf765828ec8a9f7d63
parent d96edbc6005f23a20e031655afc8077b335b2d36

RSA: remove redundant GCD call in prepare_blinding()

inv_mod() already returns a specific error code if the value is not
invertible, so no need to check in advance that it is. Also, this is a
preparation for blinding the call to inv_mod(), which is made easier by
avoiding the redundancy (otherwise the call to gcd() would need to be blinded
too).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

library/rsa.c

diff --git a/library/rsa.c b/library/rsa.c
index af1cef6..7c1a73f 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -826,11 +826,14 @@
             return( MBEDTLS_ERR_RSA_RNG_FAILED );
 
         MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
-    } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
+
+        ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N );
+        if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+            goto cleanup;
+
+    } while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
 
     /* Blinding value: Vi =  Vf^(-e) mod N */
-    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );