Fix an incorrect error code if RSA private operation glitched

mbedtls_rsa_private() could return the sum of two RSA error codes
instead of a valid error code in some rare circumstances:

* If rsa_prepare_blinding() returned  MBEDTLS_ERR_RSA_RNG_FAILED
  (indicating a misbehaving or misconfigured RNG).
* If the comparison with the public value failed (typically indicating
  a glitch attack).

Make sure not to add two high-level error codes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2020-11-25 00:10:31 +01:00
parent 40d8160c8e
commit ae3741e8a4
2 changed files with 4 additions and 2 deletions

View File

@ -0,0 +1,2 @@
Bugfix
* Fix an incorrect error code if an RSA private operation glitched.

View File

@ -1076,10 +1076,10 @@ cleanup:
mbedtls_mpi_free( &C ); mbedtls_mpi_free( &C );
mbedtls_mpi_free( &I ); mbedtls_mpi_free( &I );
if( ret != 0 ) if( ret != 0 && ret >= -0x007f )
return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret ); return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
return( 0 ); return( ret );
} }
#if defined(MBEDTLS_PKCS1_V21) #if defined(MBEDTLS_PKCS1_V21)