RSA: use CT gcd-modinv in deduce_private_exponent()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/library/rsa_alt_helpers.c b/library/rsa_alt_helpers.c
index 08adbe3..50a5c4e 100644
--- a/library/rsa_alt_helpers.c
+++ b/library/rsa_alt_helpers.c
@@ -198,6 +198,10 @@
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
}
+ if (mbedtls_mpi_get_bit(E, 0) != 1) {
+ return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ }
+
mbedtls_mpi_init(&K);
mbedtls_mpi_init(&L);
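Review bot: The new oddness check on `E` has no comment saying why it is needed, so a later reader cannot tell whether it is a new policy or a precondition of the constant-time inversion introduced in the second hunk. The name `mbedtls_mpi_inv_mod_even_in_range` suggests the CT routine only handles an even modulus and therefore needs an odd input; an even E can never be coprime to the even (P-1)(Q-1) anyway, so rejecting it here with MBEDTLS_ERR_MPI_NOT_ACCEPTABLE is consistent with the error the old `mbedtls_mpi_inv_mod` path would have produced. I would add above the check: `/* The CT inversion below works modulo an even number and requires an odd E; an even E cannot be coprime to (P-1)(Q-1), so reject it with the same error the inversion would give. */`. Note that this early return now fires before any later validation of P and Q, which only changes which error is reported when several inputs are bad; presumably acceptable, but worth confirming against the existing tests. The enclosing function starts before this hunk.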
@@ -216,7 +220,7 @@
* This is FIPS 186-4 §B.3.1 criterion 3(b).
* This will return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if E is not coprime to
* (P-1)(Q-1), also validating FIPS 186-4 §B.3.1 criterion 2(a). */
- MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(D, E, &K));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod_even_in_range(D, E, &K));
cleanup:
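Review bot: The comment directly above the call (lines 17-19) still documents the behaviour of the replaced `mbedtls_mpi_inv_mod`, in particular that MBEDTLS_ERR_MPI_NOT_ACCEPTABLE is returned when E is not coprime to (P-1)(Q-1); this needs confirming for `mbedtls_mpi_inv_mod_even_in_range`, since the hunk does not show its contract and a different error code would break the FIPS 186-4 criterion 2(a) claim the comment makes. The `_in_range` suffix also hints at a precondition on E relative to the modulus that the old function did not have; if so, the comment should state it and the earlier input checks should be shown to guarantee it. I would reword the comment to: `* This uses the constant-time inversion, which requires an odd E (checked above) and returns MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if E is not coprime to (P-1)(Q-1), also validating FIPS 186-4 §B.3.1 criterion 2(a). */`. The enclosing function begins and ends outside this hunk.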