mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-31 10:20:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Parse RSA parameters DP, DQ and QP from PKCS1 private keys

Browse Source 
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which
currently suffers from side channel issues in the computation of QP (see
https://eprint.iacr.org/2020/055). By loading the pre-computed values not
only is the side channel avoided, but runtime overhead of loading RSA keys
is reduced.

Discussion in https://github.com/ARMmbed/mbed-crypto/issues/347
This commit is contained in:
Jack Lloyd 2020-01-22 17:34:29 -05:00
parent d27a88438f
commit 80cc811039
2 changed files with 27 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
library/pkparse.c
View File

@ -769,16 +769,31 @@ static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
goto cleanup; goto cleanup;
p += len; p += len;
/* Import DP */
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_INTEGER ) ) != 0 ||
( ret = mbedtls_mpi_read_binary( &rsa->DP, p, len ) ) != 0 )
goto cleanup;
p += len;
/* Import DQ */
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_INTEGER ) ) != 0 ||
( ret = mbedtls_mpi_read_binary( &rsa->DQ, p, len ) ) != 0 )
goto cleanup;
p += len;
/* Import QP */
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_INTEGER ) ) != 0 ||
( ret = mbedtls_mpi_read_binary( &rsa->QP, p, len ) ) != 0 )
goto cleanup;
p += len;
/* Complete the RSA private key */ /* Complete the RSA private key */
if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 ) if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 )
goto cleanup; goto cleanup;
/* Check optional parameters */
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 )
goto cleanup;
if( p != end ) if( p != end )
{ {
ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +

8
library/rsa.c
View File

@ -249,7 +249,7 @@ static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
int mbedtls_rsa_complete( mbedtls_rsa_context *ctx ) int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
{ {
int ret = 0; int ret = 0;
int have_N, have_P, have_Q, have_D, have_E; int have_N, have_P, have_Q, have_D, have_E, have_DP, have_DQ, have_QP;
int n_missing, pq_missing, d_missing, is_pub, is_priv; int n_missing, pq_missing, d_missing, is_pub, is_priv;
RSA_VALIDATE_RET( ctx != NULL ); RSA_VALIDATE_RET( ctx != NULL );
@ -259,6 +259,10 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 ); have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 ); have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 ); have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
/* /*
* Check whether provided parameters are enough * Check whether provided parameters are enough
@ -325,7 +329,7 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
*/ */
#if !defined(MBEDTLS_RSA_NO_CRT) #if !defined(MBEDTLS_RSA_NO_CRT)
if( is_priv ) if( is_priv && !(have_DP && have_DQ && have_QP))
{ {
ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
&ctx->DP, &ctx->DQ, &ctx->QP ); &ctx->DP, &ctx->DQ, &ctx->QP );