mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 10:55:27 +00:00
Parse RSA parameters DP, DQ and QP from PKCS1 private keys
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which currently suffers from side channel issues in the computation of QP (see https://eprint.iacr.org/2020/055). By loading the pre-computed values not only is the side channel avoided, but runtime overhead of loading RSA keys is reduced. Discussion in https://github.com/ARMmbed/mbed-crypto/issues/347 Backport of https://github.com/ARMmbed/mbed-crypto/pull/352
This commit is contained in:
parent
bac9f1bfb0
commit
b10fd065be
|
@ -768,15 +768,41 @@ static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
p += len;
|
p += len;
|
||||||
|
|
||||||
/* Complete the RSA private key */
|
#if !defined(MBEDTLS_RSA_NO_CRT)
|
||||||
if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 )
|
/*
|
||||||
|
* The RSA CRT parameters DP, DQ and QP are nominally redundant, in
|
||||||
|
* that they can be easily recomputed from D, P and Q. However by
|
||||||
|
* parsing them from the PKCS1 structure it is possible to avoid
|
||||||
|
* recalculating them which both reduces the overhead of loading
|
||||||
|
* RSA private keys into memory and also avoids side channels which
|
||||||
|
* can arise when computing those values, since all of D, P, and Q
|
||||||
|
* are secret. See https://eprint.iacr.org/2020/055 for a
|
||||||
|
* description of one such attack.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Import DP */
|
||||||
|
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &rsa->DP ) ) != 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
/* Check optional parameters */
|
/* Import DQ */
|
||||||
|
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &rsa->DQ ) ) != 0)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
/* Import QP */
|
||||||
|
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &rsa->QP ) ) != 0)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
#else
|
||||||
|
/* Verify existance of the CRT params */
|
||||||
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
|
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
|
||||||
( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
|
( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
|
||||||
( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 )
|
( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 )
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Complete the RSA private key */
|
||||||
|
if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 )
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
if( p != end )
|
if( p != end )
|
||||||
{
|
{
|
||||||
|
|
|
@ -249,6 +249,9 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
|
||||||
{
|
{
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
int have_N, have_P, have_Q, have_D, have_E;
|
int have_N, have_P, have_Q, have_D, have_E;
|
||||||
|
#if !defined(MBEDTLS_RSA_NO_CRT)
|
||||||
|
int have_DP, have_DQ, have_QP;
|
||||||
|
#endif
|
||||||
int n_missing, pq_missing, d_missing, is_pub, is_priv;
|
int n_missing, pq_missing, d_missing, is_pub, is_priv;
|
||||||
|
|
||||||
RSA_VALIDATE_RET( ctx != NULL );
|
RSA_VALIDATE_RET( ctx != NULL );
|
||||||
|
@ -259,6 +262,12 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
|
||||||
have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
|
have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
|
||||||
have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
|
have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_RSA_NO_CRT)
|
||||||
|
have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
|
||||||
|
have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
|
||||||
|
have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Check whether provided parameters are enough
|
* Check whether provided parameters are enough
|
||||||
* to deduce all others. The following incomplete
|
* to deduce all others. The following incomplete
|
||||||
|
@ -324,7 +333,7 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#if !defined(MBEDTLS_RSA_NO_CRT)
|
#if !defined(MBEDTLS_RSA_NO_CRT)
|
||||||
if( is_priv )
|
if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
|
||||||
{
|
{
|
||||||
ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
|
ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
|
||||||
&ctx->DP, &ctx->DQ, &ctx->QP );
|
&ctx->DP, &ctx->DQ, &ctx->QP );
|
||||||
|
|
Loading…
Reference in a new issue