Add mbedtls_rsa_validate_crt

This commit adds the function mbedtls_rsa_validate_crt for validating a set of CRT parameters. The function mbedtls_rsa_check_crt is simplified accordingly.
2025-01-24 20:21:11 +00:00 · 2017-08-25 07:55:03 +01:00 · 2017-08-25 07:55:03 +01:00 · d363799a9d
parent d56d83a7f3
commit d363799a9d
2 changed files with 124 additions and 56 deletions
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@ -198,6 +198,38 @@ int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,
                                 int (*f_rng)(void *, unsigned char *, size_t),
                                 void *p_rng );

+/**
+ * \brief          Check validity of RSA CRT parameters
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param P        First prime factor of RSA modulus
+ * \param Q        Second prime factor of RSA modulus
+ * \param D        RSA private exponent
+ * \param DP       MPI to check for D modulo P-1
+ * \param DQ       MPI to check for D modulo P-1
+ * \param QP       MPI to check for the modular inverse of Q modulo P.
+ *
+ * \return         - 0 if the following conditions are satisfied:
+ *                   - D = DP mod P-1 if P, D, DP != NULL
+ *                   - Q = DQ mod P-1 if P, D, DQ != NULL
+ *                   - QP = Q^-1 mod P if P, Q, QP != NULL
+ *                 - MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if check failed,
+ *                   potentially including MBEDTLS_ERR_MPI_XXX if some
+ *                   MPI calculations failed.
+ *                 - MBEDTLS_ERR_RSA_BAD_INPUT_DATA if insufficient
+ *                   data was provided to check DP, DQ or QP.
+ *
+ * \note           The function can be used with a restricted set of arguments
+ *                 to perform specific checks only. E.g., calling it with the
+ *                 parameters (P, -, D, DP, -, -) will check DP = D mod P-1.
+ */
+int mbedtls_rsa_validate_crt( const mbedtls_mpi *P,  const mbedtls_mpi *Q,
+                              const mbedtls_mpi *D,  const mbedtls_mpi *DP,
+                              const mbedtls_mpi *DQ, const mbedtls_mpi *QP );
+
 /**
 * Implementation of RSA interface
 */
@ -394,7 +426,7 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx,
 *                 before calling this function.
 *
 */
-int mbedtls_rsa_check_crt( mbedtls_rsa_context *ctx,
+int mbedtls_rsa_check_crt( const mbedtls_rsa_context *ctx,
                           mbedtls_mpi *DP,
                           mbedtls_mpi *DQ,
                           mbedtls_mpi *QP );
--- a/library/rsa.c
+++ b/library/rsa.c
@ -304,6 +304,92 @@ cleanup:
    return( ret );
 }

+/*
+ * Check that RSA CRT parameters are in accordance with core parameters.
+ */
+
+int mbedtls_rsa_validate_crt( const mbedtls_mpi *P,  const mbedtls_mpi *Q,
+                              const mbedtls_mpi *D,  const mbedtls_mpi *DP,
+                              const mbedtls_mpi *DQ, const mbedtls_mpi *QP )
+{
+    int ret = 0;
+
+    mbedtls_mpi K, L;
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &L );
+
+    /* Check that DP - P == 0 mod P - 1 */
+    if( DP != NULL )
+    {
+        if( P == NULL )
+        {
+            ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DP, D ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );
+
+        if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )
+        {
+            return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+        }
+    }
+
+    /* Check that DQ - Q == 0 mod Q - 1 */
+    if( DQ != NULL )
+    {
+        if( Q == NULL )
+        {
+            ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DQ, D ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );
+
+        if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )
+        {
+            return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+        }
+    }
+
+    /* Check that QP * P - 1 == 0 mod P */
+    if( QP != NULL )
+    {
+        if( P == NULL || Q == NULL )
+        {
+            ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, QP, Q ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, P ) );
+        if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
+        {
+            return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+        }
+    }
+
+cleanup:
+
+    /* Wrap MPI error codes by RSA check failure error code */
+    if( ret != 0 &&
+        ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&
+        ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
+    {
+        ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+    }
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &L );
+
+    return( ret );
+}
+
 /*
 * Check that core RSA parameters are sane.
 */
@ -621,8 +707,8 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx,
 * in order to be able to validate DER encoded RSA keys,
 * which always contain CRT parameters.
 */
-int mbedtls_rsa_check_crt( mbedtls_rsa_context *ctx, mbedtls_mpi *DP,
-                           mbedtls_mpi *DQ, mbedtls_mpi *QP )
+int mbedtls_rsa_check_crt( const mbedtls_rsa_context *ctx,
+                           mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )
 {
    int ret = 0;

@ -648,61 +734,11 @@ int mbedtls_rsa_check_crt( mbedtls_rsa_context *ctx, mbedtls_mpi *DP,
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    }
 #else /* MBEDTLS_RSA_NO_CRT */
-
-    /*
-     * Check that DP, DQ and QP are in accordance with core parameters.
-     * (1) Check that DP - P     == 0 mod P - 1
-     * (2) Check that DQ - Q     == 0 mod Q - 1
-     * (3) Check that QP * P - 1 == 0 mod P
-
-     * Alternative implementation also not using DP, DQ and QP
-     * should be able to reuse this codepath.
-     */
-
-    /* Check (1) */
-    if( DP != NULL )
+    if( ( ret = mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
+                                          DP, DQ, QP ) ) != 0 )
    {
-        /* Temporarily replace P by P-1 and compute DP - D mod P-1 */
-        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( DP, DP, &ctx->D ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DP, DP, &ctx->P ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );
-
-        if( mbedtls_mpi_cmp_int( DP, 0 ) != 0 )
-        {
-            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
-        }
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    }
-
-    /* Check (1) */
-    if( DQ != NULL )
-    {
-        /* Temporarily replace Q by Q-1 and compute DQ - D mod Q-1 */
-        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( DQ, DQ, &ctx->D ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DQ, DQ, &ctx->Q ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );
-
-        if( mbedtls_mpi_cmp_int( DQ, 0 ) != 0 )
-        {
-            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
-        }
-    }
-
-    /* Check (3) */
-    if( QP != NULL )
-    {
-        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( QP, QP, &ctx->Q ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( QP, QP, 1 ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( QP, QP, &ctx->P ) );
-        if( mbedtls_mpi_cmp_int( QP, 0 ) != 0 )
-        {
-            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
-        }
-    }
-
-cleanup:
-
 #endif

    if( ret != 0 )