Merge pull request #352 from jack-fortanix/jack/parse-rsa-crt-params

Parse RSA parameters DP, DQ and QP from PKCS1 private keys
This commit is contained in:
Gilles Peskine 2020-01-31 16:37:31 +01:00 committed by GitHub
commit c0611a5a61
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 40 additions and 5 deletions


@ -769,14 +769,40 @@ static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
goto cleanup; goto cleanup;
p += len; p += len;
/* Complete the RSA private key */ #if !defined(MBEDTLS_RSA_NO_CRT)
if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 ) /*
goto cleanup; * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
* that they can be easily recomputed from D, P and Q. However by
* parsing them from the PKCS1 structure it is possible to avoid
* recalculating them which both reduces the overhead of loading
* RSA private keys into memory and also avoids side channels which
* can arise when computing those values, since all of D, P, and Q
* are secret. See https://eprint.iacr.org/2020/055 for a
* description of one such attack.
*/
/* Check optional parameters */ /* Import DP */
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &rsa->DP ) ) != 0)
goto cleanup;
/* Import DQ */
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &rsa->DQ ) ) != 0)
goto cleanup;
/* Import QP */
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &rsa->QP ) ) != 0)
goto cleanup;
#else
/* Verify existance of the CRT params */
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 || if( ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 || ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ) ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 )
goto cleanup;
#endif
/* Complete the RSA private key */
if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 )
goto cleanup; goto cleanup;
if( p != end ) if( p != end )
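Review bot: The DP, DQ and QP values read by the three new `mbedtls_asn1_get_mpi` calls under `!MBEDTLS_RSA_NO_CRT` come straight from the key encoding, and the companion change in rsa.c (`if( is_priv && ! ( have_DP && have_DQ && have_QP ) )`) makes `mbedtls_rsa_complete` skip recomputing them whenever all three are non-zero, so nothing visible in this hunk checks that they are consistent with D, P and Q. Unless a later call validates the context (e.g. `mbedtls_rsa_check_privkey`, which runs the CRT consistency check), a malformed or tampered key file would now be accepted and yield wrong private-key results instead of a parse error, whereas the old code always derived these values from P, Q and D. I would add `if( ( ret = mbedtls_rsa_check_privkey( rsa ) ) != 0 ) goto cleanup;` after the `mbedtls_rsa_complete` call, or at least extend the block comment to state that the parsed CRT values are trusted as-is. Minor: `existance` should read `existence` in the `#else` comment, and `!= 0)` on the three new `if` lines drops the space the file uses elsewhere (`!= 0 )`). pk_parse_key_pkcs1_der continues outside the hunk.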


@ -250,6 +250,9 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
{ {
int ret = 0; int ret = 0;
int have_N, have_P, have_Q, have_D, have_E; int have_N, have_P, have_Q, have_D, have_E;
#if !defined(MBEDTLS_RSA_NO_CRT)
int have_DP, have_DQ, have_QP;
#endif
int n_missing, pq_missing, d_missing, is_pub, is_priv; int n_missing, pq_missing, d_missing, is_pub, is_priv;
RSA_VALIDATE_RET( ctx != NULL ); RSA_VALIDATE_RET( ctx != NULL );
@ -260,6 +263,12 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 ); have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 ); have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
#if !defined(MBEDTLS_RSA_NO_CRT)
have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
#endif
/* /*
* Check whether provided parameters are enough * Check whether provided parameters are enough
* to deduce all others. The following incomplete * to deduce all others. The following incomplete
@ -325,7 +334,7 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
*/ */
#if !defined(MBEDTLS_RSA_NO_CRT) #if !defined(MBEDTLS_RSA_NO_CRT)
if( is_priv ) if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
{ {
ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
&ctx->DP, &ctx->DQ, &ctx->QP ); &ctx->DP, &ctx->DQ, &ctx->QP );