DHM: use mbedtls_mpi_random for blinding and key generation

Instead of generating blinding values and keys in a not-quite-uniform way
(https://github.com/ARMmbed/mbedtls/issues/4245) with copy-pasted code,
use mbedtls_mpi_random().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/dhm.c b/library/dhm.c
index befa998..e8055be 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -150,25 +150,15 @@
 }
 
 /*
- * Pick a random R in the range [2, M) for blinding or key generation.
+ * Pick a random R in the range [2, M-2] for blinding or key generation.
  */
 static int dhm_random_below( mbedtls_mpi *R, const mbedtls_mpi *M,
                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
-    int ret, count;
+    int ret;
 
-    count = 0;
-    do
-    {
-        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( R, mbedtls_mpi_size( M ), f_rng, p_rng ) );
-
-        while( mbedtls_mpi_cmp_mpi( R, M ) >= 0 )
-            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( R, 1 ) );
-
-        if( count++ > 10 )
-            return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
-    }
-    while( dhm_check_range( R, M ) != 0 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_random( R, 3, M, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( R, R, 1 ) );
 
 cleanup:
     return( ret );
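Review bot: The failure mode for a modulus that is too small changes here without the comment saying so: the removed loop gave up with MBEDTLS_ERR_MPI_NOT_ACCEPTABLE after ten attempts, whereas mbedtls_mpi_random( R, 3, M, ... ) presumably rejects any M for which [3, M) is empty with MBEDTLS_ERR_MPI_BAD_INPUT_DATA, which is what the updated test_suite_dhm.data expectation reflects. Since callers now see a different error combination, the header comment should state the precondition and the code, e.g. ` * Requires M > 3: mbedtls_mpi_random() fails with MBEDTLS_ERR_MPI_BAD_INPUT_DATA` followed by ` * otherwise (this replaces the old MBEDTLS_ERR_MPI_NOT_ACCEPTABLE after 10 retries).` It is also worth noting in that comment that the retry bound now lives inside mbedtls_mpi_random() rather than here, so a reader does not go looking for the lost `count` guard. The closing brace of dhm_random_below is outside the hunk.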
diff --git a/tests/suites/test_suite_dhm.data b/tests/suites/test_suite_dhm.data
index fcfc5cf..773fe3b 100644
--- a/tests/suites/test_suite_dhm.data
+++ b/tests/suites/test_suite_dhm.data
@@ -74,7 +74,7 @@
 dhm_do_dhm:10:"23":1:10:"-1":MBEDTLS_ERR_DHM_BAD_INPUT_DATA
 
 Diffie-Hellman small modulus
-dhm_do_dhm:10:"3":1:10:"5":MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED
+dhm_do_dhm:10:"3":1:10:"5":MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED+MBEDTLS_ERR_MPI_BAD_INPUT_DATA
 
 Diffie-Hellman zero modulus
 dhm_do_dhm:10:"0":1:10:"5":MBEDTLS_ERR_DHM_BAD_INPUT_DATA