Don't use CRT for signature verification
If CRT is not used, the CRT helper fields are not assumed to be present in the RSA context structure, so the verification is done directly against the full modulus N in this case. If CRT is used, the verification could be done using CRT, but we stick to ordinary (full-modulus) verification for uniformity.
This commit is contained in:
parent
9f4e670b14
commit
c6075cc5ac
1 changed files with 11 additions and 30 deletions
|
@ -428,15 +428,9 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||||
/* Temporaries holding input mod p resp. mod q. */
|
/* Temporaries holding the initial input and the double
|
||||||
mbedtls_mpi IP, IQ;
|
* checked result; should be the same in the end. */
|
||||||
|
mbedtls_mpi I, C;
|
||||||
/* Temporaries holding double check results mod p resp. mod q;
|
|
||||||
* should in the end have the same values as IP and IQ. */
|
|
||||||
mbedtls_mpi CP, CQ;
|
|
||||||
|
|
||||||
/* Comparison results */
|
|
||||||
int check = 0;
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_RSA_FORCE_BLINDING)
|
#if defined(MBEDTLS_RSA_FORCE_BLINDING)
|
||||||
|
@ -476,8 +470,8 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||||
mbedtls_mpi_init( &IP ); mbedtls_mpi_init( &IQ );
|
mbedtls_mpi_init( &I );
|
||||||
mbedtls_mpi_init( &CP ); mbedtls_mpi_init( &CQ );
|
mbedtls_mpi_init( &C );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* End of MPI initialization */
|
/* End of MPI initialization */
|
||||||
|
@ -490,8 +484,7 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &IP, &T, &ctx->P ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &IQ, &T, &ctx->Q ) );
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if( f_rng != NULL )
|
if( f_rng != NULL )
|
||||||
|
@ -583,18 +576,11 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
/* If requested by the config, verify the result to prevent glitching attacks.
|
/* If requested by the config, verify the result to prevent glitching attacks. */
|
||||||
* For that, check the two prime moduli separately. */
|
|
||||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &CP, &T, &ctx->E, &ctx->P, &ctx->RP ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, &ctx->N, &ctx->RN ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &CQ, &T, &ctx->E, &ctx->Q, &ctx->RQ ) );
|
if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
|
||||||
|
|
||||||
check |= mbedtls_mpi_cmp_mpi( &CP, &IP );
|
|
||||||
check |= mbedtls_mpi_cmp_mpi( &CQ, &IQ );
|
|
||||||
|
|
||||||
if( check != 0 )
|
|
||||||
{
|
{
|
||||||
/* Verification failed */
|
|
||||||
ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
|
ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
@ -630,8 +616,8 @@ cleanup:
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||||
mbedtls_mpi_free( &IP ); mbedtls_mpi_free( &IQ );
|
mbedtls_mpi_free( &C );
|
||||||
mbedtls_mpi_free( &CP ); mbedtls_mpi_free( &CQ );
|
mbedtls_mpi_free( &I );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
|
@ -1245,11 +1231,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
|
||||||
size_t nb_pad, olen, oid_size = 0;
|
size_t nb_pad, olen, oid_size = 0;
|
||||||
unsigned char *p = sig;
|
unsigned char *p = sig;
|
||||||
const char *oid = NULL;
|
const char *oid = NULL;
|
||||||
unsigned char *sig_try = NULL, *verif = NULL;
|
|
||||||
size_t i;
|
|
||||||
unsigned char diff;
|
|
||||||
volatile unsigned char diff_no_optimize;
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
|
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
|
||||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
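Review bot: The verification in mbedtls_rsa_private is now the only fault-attack countermeasure visible here and it is compiled out unless MBEDTLS_RSA_REQUIRE_VERIFICATION is defined; the locals dropped from mbedtls_rsa_rsassa_pkcs1_v15_sign (`sig_try`, `verif`, `diff_no_optimize`) suggest the sign-then-verify comparison previously done in that function has been removed, so a build without the option would appear to have no protection against a glitched CRT exponentiation (Bellcore-style key recovery). Consider enabling the check by default, or at least documenting in the config option that disabling it removes that countermeasure. Recomputing C = T^E mod N and comparing against the unblinded input I is sound since a fault in either CRT half leaves the result wrong modulo N, and although `mbedtls_mpi_cmp_mpi` is not constant-time both operands are public values, so that is acceptable. I would extend the comment above the `#if` to say why the full modulus is used: `/* Recompute T^E mod N and compare with the original input. Using N rather than P and Q keeps this independent of the CRT helper fields, which may be absent. */`. The bodies of both functions extend beyond the hunks shown.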
|
||||||
|
|