From ed8a02bfaef6ad630726a80ac88a01568e04ca8a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 4 Sep 2013 16:39:03 +0200
Subject: [PATCH] Simplify DH blinding a bit

---
 library/dhm.c | 55 ++++++++++++++++------------
 tests/suites/test_suite_dhm.data | 6 +-
 tests/suites/test_suite_dhm.function | 4 +-
 3 files changed, 35 insertions(+), 30 deletions(-)

diff --git a/library/dhm.c b/library/dhm.c
index 11eee2a7a..b95f89958 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -257,37 +257,44 @@ static int dhm_update_blinding( dhm_context *ctx,
 int ret, count;
 
 /*
- * We can just update the previous values (by squaring them) if:
- * - the values are initialized, and
- * - our secret exponent did not change.
+ * If Vi is initialized, update it by squaring it
 */
- if( ctx->Vi.p != NULL &&
- mpi_cmp_mpi( &ctx->X, &ctx->_X ) == 0 )
+ if( ctx->Vi.p != NULL )
+ {
+ MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
+ MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );
+ }
+ else
+ {
+ /* Vi = random( 2, P-1 ) */
+ count = 0;
+ do
+ {
+ mpi_fill_random( &ctx->Vi, mpi_size( &ctx->P ), f_rng, p_rng );
+
+ while( mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
+ mpi_shift_r( &ctx->Vi, 1 );
+
+ if( count++ > 10 )
+ return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
+ }
+ while( mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
+ }
+
+ /*
+ * If X did not change, update Vf by squaring it too
+ */
+ if( mpi_cmp_mpi( &ctx->X, &ctx->_X ) == 0 )
 {
 MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
- MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
-
+ MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
 return( 0 );
 }
 
 /*
- * Otherwise, we need to generate new values from scratch for this secret
+ * Otherwise, compute Vf from scratch
 */
 
- /* Vi = random( 2, P-1 ) */
- count = 0;
- do
- {
- mpi_fill_random( &ctx->Vi, mpi_size( &ctx->P ), f_rng, p_rng );
-
- while( mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
- mpi_shift_r( &ctx->Vi, 1 );
-
- if( count++ > 10 )
- return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
- }
- while( mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
-
 /* Vf = Vi^-X mod P */
 MPI_CHK( mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
 MPI_CHK( mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );
@@ -319,7 +326,7 @@ int dhm_calc_secret( dhm_context *ctx,
 mpi_init( &GYb );
 
 /* Blind peer's value */
- if( f_rng != 0 )
+ if( f_rng != NULL )
 {
 MPI_CHK( dhm_update_blinding( ctx, f_rng, p_rng ) );
 MPI_CHK( mpi_mul_mpi( &GYb, &ctx->GY, &ctx->Vi ) );
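Review bot: `mpi_fill_random( &ctx->Vi, mpi_size( &ctx->P ), f_rng, p_rng );` in the new `else` branch discards its return value, unlike the MPI_CHK-wrapped calls around it, so an RNG or allocation failure leaves Vi holding whatever it held before and the blinding silently continues with a value that is not random, which defeats the purpose of masking the exponentiation. It should read `MPI_CHK( mpi_fill_random( &ctx->Vi, mpi_size( &ctx->P ), f_rng, p_rng ) );`, and `mpi_shift_r( &ctx->Vi, 1 );` in the inner loop also returns an int that is ignored. The new "X did not change" branch squares Vf without checking that Vf has ever been computed, so it relies on `_X` only being recorded after Vf is derived; that presumably happens at the tail of dhm_update_blinding, outside this hunk, and a comment there stating the invariant (`/* _X must only be set once Vf has been derived from it: the squaring path above depends on it */`) would make the dependency visible. The function's signature and tail are outside the hunk.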
@@ -333,7 +340,7 @@ int dhm_calc_secret( dhm_context *ctx,
 &ctx->P, &ctx->RP ) );
 
 /* Unblind secret value */
- if( f_rng != 0 )
+ if( f_rng != NULL )
 {
 MPI_CHK( mpi_mul_mpi( &ctx->K, &ctx->K, &ctx->Vf ) );
 MPI_CHK( mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
diff --git a/tests/suites/test_suite_dhm.data b/tests/suites/test_suite_dhm.data
index 0c0dce867..168c77c1b 100644
--- a/tests/suites/test_suite_dhm.data
+++ b/tests/suites/test_suite_dhm.data
@@ -1,8 +1,8 @@
 Diffie-Hellman full exchange #1
-dhm_do_dhm:1024:10:"23":10:"5"
+dhm_do_dhm:10:"23":10:"5"
 
 Diffie-Hellman full exchange #2
-dhm_do_dhm:1024:10:"93450983094850938450983409623":10:"9345098304850938450983409622"
+dhm_do_dhm:10:"93450983094850938450983409623":10:"9345098304850938450983409622"
 
 Diffie-Hellman full exchange #3
-dhm_do_dhm:1024:10:"93450983094850938450983409623982317398171298719873918739182739712938719287391879381271":10:"9345098309485093845098340962223981329819812792137312973297123912791271"
+dhm_do_dhm:10:"93450983094850938450983409623982317398171298719873918739182739712938719287391879381271":10:"9345098309485093845098340962223981329819812792137312973297123912791271"
diff --git a/tests/suites/test_suite_dhm.function b/tests/suites/test_suite_dhm.function
index 31a9004c3..e8d9cea84 100644
--- a/tests/suites/test_suite_dhm.function
+++ b/tests/suites/test_suite_dhm.function
@@ -8,7 +8,7 @@
 */
 
 /* BEGIN_CASE */
-void dhm_do_dhm( int NOTUSED, int radix_P, char *input_P,
+void dhm_do_dhm( int radix_P, char *input_P,
 int radix_G, char *input_G )
 {
 dhm_context ctx_srv;
@@ -25,8 +25,6 @@ void dhm_do_dhm( int NOTUSED, int radix_P, char *input_P,
 int x_size;
 rnd_pseudo_info rnd_info;
 
- ((void)NOTUSED);
-
 memset( &ctx_srv, 0x00, sizeof( dhm_context ) );
 memset( &ctx_cli, 0x00, sizeof( dhm_context ) );
 memset( ske, 0x00, 1000 );