RSA: use CT gcd-modinv in deduce_private_exponent()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/library/bignum.c b/library/bignum.c
index 00aa79c..f6b8f99 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1963,9 +1963,9 @@
*
* Return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the inverse doesn't exist.
*/
-static int mbedtls_mpi_inv_mod_even_in_range(mbedtls_mpi *X,
- mbedtls_mpi const *A,
- mbedtls_mpi const *N)
+int mbedtls_mpi_inv_mod_even_in_range(mbedtls_mpi *X,
+ mbedtls_mpi const *A,
+ mbedtls_mpi const *N)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_mpi I, G;
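Review bot: Removing `static` from `mbedtls_mpi_inv_mod_even_in_range()` makes it reachable from other translation units, so the preconditions its comment lists (N even, A odd, 1 < A < N) are no longer guaranteed by a single in-file caller; the body, which continues below the hunk, should reject violations explicitly with `MBEDTLS_ERR_MPI_BAD_INPUT_DATA` (the code the new header declares for this case) unless it already does so, since a caller that passes an even A or an out-of-range value must not get an indeterminate X with a success return. The comment immediately above the signature, partly above the hunk, mentions only the NOT_ACCEPTABLE return; it is worth adding a line such as `* Return MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the preconditions on A and N are not met.` so the two descriptions agree. The function's body runs outside the hunk.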
diff --git a/library/bignum_internal.h b/library/bignum_internal.h
index a947497..3413462 100644
--- a/library/bignum_internal.h
+++ b/library/bignum_internal.h
@@ -98,4 +98,24 @@
const mbedtls_mpi *A,
const mbedtls_mpi *N);
+/**
+ * \brief Modular inverse: X = A^-1 mod N with N even,
+ * A odd and 1 < A < N.
+ *
+ * \param[out] X The inverse of \p A modulo \p N on success,
+ * indeterminate otherwise.
+ * \param[in] A The number to invert. Must be odd, greated than 1
+ * and less than \p N.
+ * \param[in] N The modulus. Must be even and greater than 1.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if preconditions were not
+ * met.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if A is not invertible mod N.
+ */
+int mbedtls_mpi_inv_mod_even_in_range(mbedtls_mpi *X,
+ mbedtls_mpi const *A,
+ mbedtls_mpi const *N);
+
#endif /* bignum_internal.h */
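Review bot: The new \param description of A has a typo, "greated"; the line should read ` * \param[in] A The number to invert. Must be odd, greater than 1`. The commit title presents this routine as the constant-time replacement for the generic inverse, yet the header says nothing about that property; since callers in RSA key derivation will choose it for exactly that reason, a sentence in the \brief stating which of A and N the running time is intended to be independent of (and what is only bounded by their size) would let future callers rely on it deliberately rather than by inference. If the preconditions are checked by the implementation, a `\note` saying so would also clarify that the BAD_INPUT_DATA return is enforced rather than merely documented.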
diff --git a/library/rsa_alt_helpers.c b/library/rsa_alt_helpers.c
index 08adbe3..50a5c4e 100644
--- a/library/rsa_alt_helpers.c
+++ b/library/rsa_alt_helpers.c
@@ -198,6 +198,10 @@
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
}
+ if (mbedtls_mpi_get_bit(E, 0) != 1) {
+ return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ }
+
mbedtls_mpi_init(&K);
mbedtls_mpi_init(&L);
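Review bot: The added parity test has no comment explaining why an even E is rejected here and why the error is NOT_ACCEPTABLE rather than BAD_INPUT_DATA; a reader only sees the reason by tracing to the later inversion call. A short comment above the check such as `/* (P-1)(Q-1) is even, so an even E shares the factor 2 with it and has no inverse; mbedtls_mpi_inv_mod_even_in_range() also requires E odd. */` would tie the check to the precondition it serves. The replacement routine additionally requires 1 < E < (P-1)(Q-1), which this check does not establish; if E is not bounded against K by the earlier validation that ends just above the hunk, the error code callers receive for an oversized E changes from the previous generic inverse's result to BAD_INPUT_DATA, which is not visible from here and is worth confirming. The check sits before `mbedtls_mpi_init(&K)` so the early return leaks nothing.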
@@ -216,7 +220,7 @@
* This is FIPS 186-4 §B.3.1 criterion 3(b).
* This will return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if E is not coprime to
* (P-1)(Q-1), also validating FIPS 186-4 §B.3.1 criterion 2(a). */
- MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(D, E, &K));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod_even_in_range(D, E, &K));
cleanup: