Don't use CRT for signature verification
If CRT is not used, the helper fields CRT are not assumed to be present in the RSA context structure, so do the verification directly in this case. If CRT is used, verification could be done using CRT, but we're sticking to ordinary verification for uniformity.
This commit is contained in:
parent
9f4e670b14
commit
c6075cc5ac
1 changed files with 11 additions and 30 deletions
|
@ -428,15 +428,9 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
|||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||
/* Temporaries holding input mod p resp. mod q. */
|
||||
mbedtls_mpi IP, IQ;
|
||||
|
||||
/* Temporaries holding double check results mod p resp. mod q;
|
||||
* should in the end have the same values as IP and IQ. */
|
||||
mbedtls_mpi CP, CQ;
|
||||
|
||||
/* Comparison results */
|
||||
int check = 0;
|
||||
/* Temporaries holding the initial input and the double
|
||||
* checked result; should be the same in the end. */
|
||||
mbedtls_mpi I, C;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RSA_FORCE_BLINDING)
|
||||
|
@ -476,8 +470,8 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
|||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||
mbedtls_mpi_init( &IP ); mbedtls_mpi_init( &IQ );
|
||||
mbedtls_mpi_init( &CP ); mbedtls_mpi_init( &CQ );
|
||||
mbedtls_mpi_init( &I );
|
||||
mbedtls_mpi_init( &C );
|
||||
#endif
|
||||
|
||||
/* End of MPI initialization */
|
||||
|
@ -490,8 +484,7 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
|||
}
|
||||
|
||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &IP, &T, &ctx->P ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &IQ, &T, &ctx->Q ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
|
||||
#endif
|
||||
|
||||
if( f_rng != NULL )
|
||||
|
@ -583,18 +576,11 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
|||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
|
||||
}
|
||||
|
||||
/* If requested by the config, verify the result to prevent glitching attacks.
|
||||
* For that, check the two prime moduli separately. */
|
||||
/* If requested by the config, verify the result to prevent glitching attacks. */
|
||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &CP, &T, &ctx->E, &ctx->P, &ctx->RP ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &CQ, &T, &ctx->E, &ctx->Q, &ctx->RQ ) );
|
||||
|
||||
check |= mbedtls_mpi_cmp_mpi( &CP, &IP );
|
||||
check |= mbedtls_mpi_cmp_mpi( &CQ, &IQ );
|
||||
|
||||
if( check != 0 )
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, &ctx->N, &ctx->RN ) );
|
||||
if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
|
||||
{
|
||||
/* Verification failed */
|
||||
ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
|
@ -630,8 +616,8 @@ cleanup:
|
|||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||
mbedtls_mpi_free( &IP ); mbedtls_mpi_free( &IQ );
|
||||
mbedtls_mpi_free( &CP ); mbedtls_mpi_free( &CQ );
|
||||
mbedtls_mpi_free( &C );
|
||||
mbedtls_mpi_free( &I );
|
||||
#endif
|
||||
|
||||
if( ret != 0 )
|
||||
|
@ -1245,11 +1231,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
|
|||
size_t nb_pad, olen, oid_size = 0;
|
||||
unsigned char *p = sig;
|
||||
const char *oid = NULL;
|
||||
unsigned char *sig_try = NULL, *verif = NULL;
|
||||
size_t i;
|
||||
unsigned char diff;
|
||||
volatile unsigned char diff_no_optimize;
|
||||
int ret;
|
||||
|
||||
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
|
Loading…
Reference in a new issue