Enhance documentation and performance of `mbedtls_rsa_deduce_primes`
diff --git a/library/rsa_internal.c b/library/rsa_internal.c
index 292fc13..3b54fde 100644
--- a/library/rsa_internal.c
+++ b/library/rsa_internal.c
@@ -150,6 +150,11 @@
for( iter = 1; iter <= order; ++iter )
{
+ /* If we reach 1 prematurely, there's no point
+ * in continuing to square K */
+ if( mbedtls_mpi_cmp_int( &K, 1 ) == 0 )
+ break;
+
MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &K, &K, 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );
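Review bot: The new early-exit comment at the top of the loop states that continuing is pointless but not why, and the reason is what a maintainer needs in order to keep the check correct when the loop body is touched. The loop computes gcd(K + 1, N) and then squares K modulo N, so once K == 1 the gcd argument is 2 and K stays 1 on every later iteration; for an odd N (presumably validated earlier in the function, outside this hunk) that can never yield a nontrivial divisor. Suggest `/* K == 1 is a fixed point of the squaring below, and gcd(2, N) is 1 for odd N, so no later iteration can find a divisor. */`. The same reasoning applies one step earlier to K == N - 1, whose square is 1, so the check could be extended to that case if the extra gcd is worth avoiding, though the saving is small. The for loop's body continues past this hunk and the enclosing function starts before it.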
@@ -170,6 +175,13 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, N ) );
}
+ /*
+ * If we get here, then either we prematurely aborted the loop because
+ * we reached 1, or K holds primes[attempt]^(DE - 1) mod N, which must
+ * be 1 if D,E,N were consistent.
+ * Check if that's the case and abort if not, to avoid very long,
+ * yet eventually failing, computations if N,D,E were not sane.
+ */
if( mbedtls_mpi_cmp_int( &K, 1 ) != 0 )
{
break;