From 80cc81103918e33b293b51c306b047b1e1911b72 Mon Sep 17 00:00:00 2001
From: Jack Lloyd <jack.lloyd@fortanix.com>
Date: Wed, 22 Jan 2020 17:34:29 -0500
Subject: [PATCH] Parse RSA parameters DP, DQ and QP from PKCS1 private keys

Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which
currently suffers from side channel issues in the computation of QP (see
https://eprint.iacr.org/2020/055). By loading the pre-computed values not
only is the side channel avoided, but runtime overhead of loading RSA keys
is reduced.

Discussion in https://github.com/ARMmbed/mbed-crypto/issues/347
---
 library/pkparse.c | 27 +++++++++++++++++++++------
 library/rsa.c     |  8 ++++++--
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/library/pkparse.c b/library/pkparse.c
index 596dae919..2311986f7 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -769,16 +769,31 @@ static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
         goto cleanup;
     p += len;
 
+    /* Import DP */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                                      MBEDTLS_ASN1_INTEGER ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &rsa->DP, p, len ) ) != 0 )
+        goto cleanup;
+    p += len;
+
+    /* Import DQ */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                                      MBEDTLS_ASN1_INTEGER ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &rsa->DQ, p, len ) ) != 0 )
+        goto cleanup;
+    p += len;
+
+    /* Import QP */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                                      MBEDTLS_ASN1_INTEGER ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &rsa->QP, p, len ) ) != 0 )
+        goto cleanup;
+    p += len;
+
     /* Complete the RSA private key */
     if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 )
         goto cleanup;
 
-    /* Check optional parameters */
-    if( ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
-        ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
-        ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 )
-        goto cleanup;
-
     if( p != end )
     {
         ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
diff --git a/library/rsa.c b/library/rsa.c
index 3c2f31438..7ea72cd84 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -249,7 +249,7 @@ static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
 int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
 {
     int ret = 0;
-    int have_N, have_P, have_Q, have_D, have_E;
+    int have_N, have_P, have_Q, have_D, have_E, have_DP, have_DQ, have_QP;
     int n_missing, pq_missing, d_missing, is_pub, is_priv;
 
     RSA_VALIDATE_RET( ctx != NULL );
@@ -259,6 +259,10 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
     have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
     have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
     have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
+    have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
+    have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
+    have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
+
 
     /*
      * Check whether provided parameters are enough
@@ -325,7 +329,7 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
      */
 
 #if !defined(MBEDTLS_RSA_NO_CRT)
-    if( is_priv )
+    if( is_priv && !(have_DP && have_DQ && have_QP))
     {
         ret = mbedtls_rsa_deduce_crt( &ctx->P,  &ctx->Q,  &ctx->D,
                                       &ctx->DP, &ctx->DQ, &ctx->QP );