gnutls-devel

Re: [gnutls-dev] bug in _gnutls_pkcs1_rsa_encrypt


From: Werner Koch
Subject: Re: [gnutls-dev] bug in _gnutls_pkcs1_rsa_encrypt
Date: Thu, 19 Aug 2004 09:22:23 +0200
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)

On Wed, 18 Aug 2004 13:58:49 -0700, Robey Pointer said:

> extra k/128 byte(s).  The simplicity outweighs the very very small
> chance that you might avoid an extra loop iteration by obsessively
> checking for (and skipping) zeros in the replacement buffer.

The thing is that each call to the random function turns out to be a
real performance hog; asking for a few bytes more in one call is far
cheaper.

The loop does now read:

    for(;;) {
        int j, k;
        byte *pp;

        /* count the zero bytes */
        for(j=k=0; j < i; j++ )
            if( !p[j] )
                k++;
        if( !k )
            break; /* okay: no zero bytes */
        k += 3; /* better get some more */  /* <========= */
        pp = get_random_bits( k*8, 1, 1);
        for(j=0; j < i && k ; j++ )
            if( !p[j] && pp[k-1] )          /* <========= */
                p[j] = pp[--k];
        m_free(pp);
    }

Does this look better?

  Werner
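The batching approach from the message above, as an added example that is not code from the post or from any GnuPG/GnuTLS source: replacement bytes are requested in one call with three spares, and a zero replacement byte is skipped rather than ending the pass, so the spares are actually consumed. The names `rng_fn`, `fill_nonzero`, `sample_rng`, `run_sample` and the byte stream are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical RNG interface: fill buf with n bytes, return 0 on success. */
typedef int (*rng_fn)(unsigned char *buf, size_t n);

/* Make p[0..len-1] all nonzero, as PKCS#1 v1.5 type 2 padding requires.
 * Returns the number of RNG calls made, or -1 on error. */
int fill_nonzero(unsigned char *p, size_t len, rng_fn rng)
{
    int calls = 1;
    if (rng(p, len) != 0)
        return -1;
    for (;;) {
        size_t j, k = 0, n;
        unsigned char *pp;
        for (j = 0; j < len; j++)       /* count the zero bytes */
            k += !p[j];
        if (!k)
            return calls;               /* okay: no zero bytes */
        n = k + 3;                      /* a few spares, still one RNG call */
        if (!(pp = malloc(n)))
            return -1;
        if (rng(pp, n) != 0) { free(pp); return -1; }
        calls++;
        for (j = 0; j < len && n; j++) {
            if (p[j])
                continue;
            while (n && !pp[n - 1])     /* drop zero spares and keep going */
                n--;
            if (n)
                p[j] = pp[--n];
        }
        free(pp);
    }
}

/* Constructed RNG output (not real randomness), zeros in both batches. */
static const unsigned char stream[] = { 0x11, 0, 0x22, 0, 0x33, 0x44, 0, 0x55,
                                        0xA1, 0xA2, 0, 0xA3, 0, 0xA4 };
static size_t pos;
unsigned char sample_out[8];

int sample_rng(unsigned char *buf, size_t n)
{
    if (n > sizeof stream - pos) return -1;
    memcpy(buf, stream + pos, n);
    pos += n; return 0;
}
int run_sample(void) { pos = 0; return fill_nonzero(sample_out, 8, sample_rng); }
```

On the constructed stream, the three zero bytes are all replaced with a single extra RNG call even though two of the six replacement bytes are themselves zero.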






