DHM: use CT modinv for blinding
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/library/dhm.c b/library/dhm.c
index bcc07f5..3c65bc8 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -18,6 +18,7 @@
#if defined(MBEDTLS_DHM_C)
#include "mbedtls/dhm.h"
+#include "bignum_internal.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
@@ -381,16 +382,8 @@
/* Vi = random( 2, P-2 ) */
MBEDTLS_MPI_CHK(dhm_random_below(&ctx->Vi, &ctx->P, f_rng, p_rng));
- /* Vf = Vi^-X mod P
- * First compute Vi^-1 = R * (R Vi)^-1, (avoiding leaks from inv_mod),
- * then elevate to the Xth power. */
- MBEDTLS_MPI_CHK(dhm_random_below(&R, &ctx->P, f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vi, &R));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
- MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->Vf, &ctx->Vf, &ctx->P));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &R));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
-
+ /* Vf = Vi^-X mod P */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd_modinv_odd(NULL, &ctx->Vf, &ctx->Vi, &ctx->P));
MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP));
cleanup: