DHM: use mbedtls_mpi_random for blinding and key generation

Instead of generating blinding values and keys in a not-quite-uniform way (https://github.com/ARMmbed/mbedtls/issues/4245) with copy-pasted code, use mbedtls_mpi_random(). Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-11-03 20:22:59 -05:00 · 2021-03-31 23:04:50 +02:00 · 2021-03-31 23:04:50 +02:00 · da7ee01589
commit da7ee01589
parent 8e38acc9a5
2 changed files with 5 additions and 15 deletions
--- a/library/dhm.c
+++ b/library/dhm.c
@ -150,25 +150,15 @@ int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
 }

 /*
- * Pick a random R in the range [2, M) for blinding or key generation.
+ * Pick a random R in the range [2, M-2] for blinding or key generation.
 */
 static int dhm_random_below( mbedtls_mpi *R, const mbedtls_mpi *M,
                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
-    int ret, count;
+    int ret;

-    count = 0;
-    do
-    {
-        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( R, mbedtls_mpi_size( M ), f_rng, p_rng ) );
-
-        while( mbedtls_mpi_cmp_mpi( R, M ) >= 0 )
-            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( R, 1 ) );
-
-        if( count++ > 10 )
-            return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
-    }
-    while( dhm_check_range( R, M ) != 0 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_random( R, 3, M, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( R, R, 1 ) );

 cleanup:
    return( ret );
--- a/tests/suites/test_suite_dhm.data
+++ b/tests/suites/test_suite_dhm.data
@ -74,7 +74,7 @@ Diffie-Hellman trivial subgroup #2
 dhm_do_dhm:10:"23":1:10:"-1":MBEDTLS_ERR_DHM_BAD_INPUT_DATA

 Diffie-Hellman small modulus
-dhm_do_dhm:10:"3":1:10:"5":MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED
+dhm_do_dhm:10:"3":1:10:"5":MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED+MBEDTLS_ERR_MPI_BAD_INPUT_DATA

 Diffie-Hellman zero modulus
 dhm_do_dhm:10:"0":1:10:"5":MBEDTLS_ERR_DHM_BAD_INPUT_DATA