commit ff6e24710a8027ee6c669a9a3066feae9809f23f
author Paul Bakker <p.j.bakker@polarssl.org> Mon Jul 07 13:34:41 2014 +0200
committer Paul Bakker <p.j.bakker@polarssl.org> Mon Jul 07 13:34:41 2014 +0200
tree 602a1d97724fa57eca83e84d682a05db5d2c6e56
parent 6b06502c4b19ce40a88faca3528b9f3f0c87a755

RSA blinding: check highly unlikely cases

library/rsa.c

diff --git a/library/rsa.c b/library/rsa.c
index 953e852..26191eb 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -283,12 +283,20 @@
 #else
     if( f_rng != NULL )
     {
+        int count = 0;
+
         /*
          * Blinding
          * T = T * Vi mod N
          */
         /* Unblinding value: Vf = random number */
-        MPI_CHK( mpi_fill_random( &Vf, ctx->len - 1, f_rng, p_rng ) );
+        do {
+            if( count++ > 10 )
+                return( POLARSSL_ERR_RSA_RNG_FAILED );
+
+            MPI_CHK( mpi_fill_random( &Vf, ctx->len - 1, f_rng, p_rng ) );
+            MPI_CHK( mpi_gcd( &Vi, &Vf, &ctx->N ) );
+        } while( mpi_cmp_int( &Vi, 1 ) != 0 );
 
         /* Mathematically speaking, the algorithm should check Vf
          * against 0, P and Q (Vf should be relatively prime to N, and 0 < Vf < N),