Extend blinding to RSA result check

Signed-off-by: Janos Follath <janos.follath@arm.com>
2025-07-30 22:43:08 +03:00 · 2023-11-21 09:46:43 +00:00
parent 10f8366499
commit 2d8624dae2
1 changed files with 8 additions and 8 deletions
--- a/library/rsa.c
+++ b/library/rsa.c
@ -1125,8 +1125,6 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
        goto cleanup;
    }

-    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
-
    /*
     * Blinding
     * T = T * Vi mod N
@ -1135,6 +1133,8 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
    MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));

+    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
+
    /*
     * Exponent blinding
     */
@ -1203,12 +1203,6 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
 #endif /* MBEDTLS_RSA_NO_CRT */

-    /*
-     * Unblind
-     * T = T * Vf mod N
-     */
-    MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N));
-
    /* Verify the result to prevent glitching attacks. */
    MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&C, &T, &ctx->E,
                                        &ctx->N, &ctx->RN));
@ -1217,6 +1211,12 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
        goto cleanup;
    }

+    /*
+     * Unblind
+     * T = T * Vf mod N
+     */
+    MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N));
+
    olen = ctx->len;
    MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));