mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-23 04:25:44 +01:00
Clarify some comments
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
parent
ab601d6a1c
commit
b2b1d8e762
@ -771,20 +771,22 @@ static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
|
||||
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
|
||||
|
||||
/* Compute the Vf^1 as R * (R Vf)^-1 to avoid leaks from inv_mod.
|
||||
* There's a negligible but non-zero probability that R is not
|
||||
* invertible mod N, in that case we'd just loop one more time,
|
||||
* just as if Vf itself wasn't invertible - no need to distinguish. */
|
||||
/* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
|
||||
|
||||
/* At this point, Vi is invertible mod N if and only if both Vf and R
|
||||
* are invertible mod N. If one of them isn't, we don't need to know
|
||||
* which one, we just loop and choose new values for both of them.
|
||||
* (Each iteration succeeds with overwhelming probability.) */
|
||||
ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
|
||||
if( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
|
||||
continue;
|
||||
if( ret != 0 )
|
||||
goto cleanup;
|
||||
|
||||
/* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
|
||||
} while( 0 );
|
||||
|
Loading…
Reference in New Issue
Block a user