RSA: use constant-time modinv in deduce_crt()

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

library/bignum.c

@@ -1924,9 +1924,9 @@ int mbedtls_mpi_random(mbedtls_mpi *X,
 /*
  * Modular inverse: X = A^-1 mod N with N odd (and A any range)
  */
-static int mbedtls_mpi_inv_mod_odd(mbedtls_mpi *X,
-                                   const mbedtls_mpi *A,
-                                   const mbedtls_mpi *N)
+int mbedtls_mpi_inv_mod_odd(mbedtls_mpi *X,
+                            const mbedtls_mpi *A,
+                            const mbedtls_mpi *N)
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi T, G;

library/bignum_internal.h

@@ -80,4 +80,22 @@ int mbedtls_mpi_gcd_modinv_odd(mbedtls_mpi *G,
                                const mbedtls_mpi *A,
                                const mbedtls_mpi *N);
 
+/**
+ * \brief          Modular inverse: X = A^-1 mod N with N odd
+ *
+ * \param[out] X   The inverse of \p A modulo \p N on success,
+ *                 indeterminate otherwise.
+ * \param[in] A    The number to invert.
+ * \param[in] N    The modulus. Must be odd and greater than 1.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if preconditions were not
+ *                 met.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if A is not invertible mod N.
+ */
+int mbedtls_mpi_inv_mod_odd(mbedtls_mpi *X,
+                            const mbedtls_mpi *A,
+                            const mbedtls_mpi *N);
+
 #endif /* bignum_internal.h */

library/rsa_alt_helpers.c

@@ -245,7 +245,7 @@ int mbedtls_rsa_deduce_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
 
     /* QP = Q^{-1} mod P */
     if (QP != NULL) {
-        MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(QP, Q, P));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod_odd(QP, Q, P));
     }
 
 cleanup: