From 3b7523e11e5be2c7a9deeca1dc7c0501b8952534 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 25 Nov 2020 00:10:31 +0100
Subject: [PATCH] Fix an incorrect error code if RSA private operation glitched

mbedtls_rsa_private() could return the sum of two RSA error codes
instead of a valid error code in some rare circumstances:

* If rsa_prepare_blinding() returned  MBEDTLS_ERR_RSA_RNG_FAILED
  (indicating a misbehaving or misconfigured RNG).
* If the comparison with the public value failed (typically indicating
  a glitch attack).

Make sure not to add two high-level error codes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 ChangeLog.d/rsa_private-ret.txt | 2 ++
 library/rsa.c                   | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 ChangeLog.d/rsa_private-ret.txt

diff --git a/ChangeLog.d/rsa_private-ret.txt b/ChangeLog.d/rsa_private-ret.txt
new file mode 100644
index 000000000..b965cea77
--- /dev/null
+++ b/ChangeLog.d/rsa_private-ret.txt
@@ -0,0 +1,2 @@
+Bugfix
+   * Fix an incorrect error code if an RSA private operation glitched.
diff --git a/library/rsa.c b/library/rsa.c
index a25c633bc..000754649 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1106,10 +1106,10 @@ cleanup:
     mbedtls_mpi_free( &C );
     mbedtls_mpi_free( &I );
 
-    if( ret != 0 )
+    if( ret != 0 && ret >= -0x007f )
         return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
 
-    return( 0 );
+    return( ret );
 }
 
 #if defined(MBEDTLS_PKCS1_V21)