X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Frsa%2Frsa_i32_priv.c;h=05c22ec39ce94ca42040f21607cf7972c2bb6c77;hp=3c08d00a917740b9356a8beeb85ed67c75da48be;hb=f81a2828787c3ae7903bff66d64d71d6362ab4e1;hpb=3210f38e0491b39aec1ef419cb4114e9483089fb

diff --git a/src/rsa/rsa_i32_priv.c b/src/rsa/rsa_i32_priv.c
index 3c08d00..05c22ec 100644
--- a/src/rsa/rsa_i32_priv.c
+++ b/src/rsa/rsa_i32_priv.c
@@ -35,7 +35,8 @@ br_rsa_i32_private(unsigned char *x, const br_rsa_private_key *sk)
 	uint32_t tmp[6 * U];
 	uint32_t *mp, *mq, *s1, *s2, *t1, *t2, *t3;
 	uint32_t p0i, q0i;
-	size_t xlen;
+	size_t xlen, u;
+	uint32_t r;
 
 	/*
 	 * All our temporary buffers are from the tmp[] array.
@@ -82,16 +83,22 @@ br_rsa_i32_private(unsigned char *x, const br_rsa_private_key *sk)
 	br_i32_decode(mq, q, qlen);
 
 	/*
-	 * obsolete -- we do not compute the length of n, it is now
-	 * an input parameter.
-	br_i32_zero(t3, mp[0]);
-	br_i32_mulacc(t3, mp, mq);
-	n_bitlen = br_i32_bit_length(t3 + 1, (t3[0] + 31) >> 5);
-	if (xlen != ((n_bitlen + 7) >> 3)) {
-		return 0;
-	}
+	 * Recompute modulus, to compare with the source value.
 	 */
+	br_i32_zero(t2, mp[0]);
+	br_i32_mulacc(t2, mp, mq);
 	xlen = (sk->n_bitlen + 7) >> 3;
+	br_i32_encode(t2 + 2 * U, xlen, t2);
+	u = xlen;
+	r = 0;
+	while (u > 0) {
+		uint32_t wn, wx;
+
+		u --;
+		wn = ((unsigned char *)(t2 + 2 * U))[u];
+		wx = x[u];
+		r = ((wx - (wn + r)) >> 8) & 1;
+	}
 
 	/*
 	 * Compute s1 = x^dp mod p.
@@ -149,5 +156,5 @@ br_rsa_i32_private(unsigned char *x, const br_rsa_private_key *sk)
 	 * The only error conditions remaining at that point are invalid
 	 * values for p and q (even integers).
 	 */
-	return p0i & q0i & 1;
+	return p0i & q0i & r;
 }