DHM blinding: don't accept P-1 as a blinding value P-1 is as bad as 1 as a blinding value. Don't accept it. The chance that P-1 would be randomly generated is infinitesimal, so this is not a practical issue, but it makes the code cleaner. It was inconsistent to accept P-1 as a blinding value but not as a private key. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

commit: 7b2b66e3f3cbe8b56288d741ac5909f86d1994b8 [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Wed Mar 31 22:50:57 2021 +0200
committer: Gilles Peskine <Gilles.Peskine@arm.com> Thu Jun 03 18:10:04 2021 +0200
tree: d47db4a1e2825fe9650e0c848c1a005592862858
parent: cb660f2bdaf8572243462bcd89f8d778f91d9ea4 [diff]
diff --git a/library/dhm.c b/library/dhm.c
index f2ad551..5e0864b 100644
--- a/library/dhm.c
+++ b/library/dhm.c

@@ -329,7 +329,7 @@
         if( count++ > 10 )
             return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
     }
-    while( mbedtls_mpi_cmp_int( R, 1 ) <= 0 );
+    while( dhm_check_range( R, M ) != 0 );
 
 cleanup:
     return( ret );
@@ -382,7 +382,7 @@
      * We need to generate blinding values from scratch
      */
 
-    /* Vi = random( 2, P-1 ) */
+    /* Vi = random( 2, P-2 ) */
     MBEDTLS_MPI_CHK( dhm_random_below( &ctx->Vi, &ctx->P, f_rng, p_rng ) );
 
     /* Vf = Vi^-X mod P
commit	7b2b66e3f3cbe8b56288d741ac5909f86d1994b8	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Wed Mar 31 22:50:57 2021 +0200
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Thu Jun 03 18:10:04 2021 +0200
tree	d47db4a1e2825fe9650e0c848c1a005592862858
parent	cb660f2bdaf8572243462bcd89f8d778f91d9ea4 [diff]