Don't use CRT for signature verification

If CRT is not used, the helper fields CRT are not assumed to be present in the
RSA context structure, so do the verification directly in this case. If CRT is
used, verification could be done using CRT, but we're sticking to ordinary
verification for uniformity.

library/rsa.c

@@ -428,15 +428,9 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
 #endif
 
 #if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
-     /* Temporaries holding input mod p resp. mod q. */
+    /* Temporaries holding the initial input and the double
-    mbedtls_mpi IP, IQ;
+     * checked result; should be the same in the end. */
-
+    mbedtls_mpi I, C;
-    /* Temporaries holding double check results mod p resp. mod q;
-     * should in the end have the same values as IP and IQ. */
-    mbedtls_mpi CP, CQ;
-
-    /* Comparison results */
-    int check = 0;
 #endif
 
 #if defined(MBEDTLS_RSA_FORCE_BLINDING)
@@ -476,8 +470,8 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
 #endif
 
 #if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
-    mbedtls_mpi_init( &IP ); mbedtls_mpi_init( &IQ );
+    mbedtls_mpi_init( &I );
-    mbedtls_mpi_init( &CP ); mbedtls_mpi_init( &CQ );
+    mbedtls_mpi_init( &C );
 #endif
 
     /* End of MPI initialization */
@@ -490,8 +484,7 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
     }
 
 #if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
-    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &IP, &T, &ctx->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
-    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &IQ, &T, &ctx->Q ) );
 #endif
 
     if( f_rng != NULL )
@@ -583,18 +576,11 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
     }
 
-    /* If requested by the config, verify the result to prevent glitching attacks.
+    /* If requested by the config, verify the result to prevent glitching attacks. */
-     * For that, check the two prime moduli separately. */
 #if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
-    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &CP, &T, &ctx->E, &ctx->P, &ctx->RP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, &ctx->N, &ctx->RN ) );
-    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &CQ, &T, &ctx->E, &ctx->Q, &ctx->RQ ) );
+    if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
-
-    check |= mbedtls_mpi_cmp_mpi( &CP, &IP );
-    check |= mbedtls_mpi_cmp_mpi( &CQ, &IQ );
-
-    if( check != 0 )
     {
-        /* Verification failed */
         ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
         goto cleanup;
     }
@@ -630,8 +616,8 @@ cleanup:
 #endif
 
 #if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
-    mbedtls_mpi_free( &IP ); mbedtls_mpi_free( &IQ );
+    mbedtls_mpi_free( &C );
-    mbedtls_mpi_free( &CP ); mbedtls_mpi_free( &CQ );
+    mbedtls_mpi_free( &I );
 #endif
 
     if( ret != 0 )
@@ -1245,11 +1231,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
     size_t nb_pad, olen, oid_size = 0;
     unsigned char *p = sig;
     const char *oid = NULL;
-    unsigned char *sig_try = NULL, *verif = NULL;
-    size_t i;
-    unsigned char diff;
-    volatile unsigned char diff_no_optimize;
-    int ret;
 
     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );