Don't require P,Q in rsa_private if neither CRT nor blinding used

This commit is contained in:
Hanno Becker 2017-10-12 10:54:53 +01:00
parent 08f055eb4f
commit ebd2c024dc

View File

@ -137,8 +137,15 @@ cleanup:
* that the RSA primitives will be able to execute without error. * that the RSA primitives will be able to execute without error.
* It does *not* make guarantees for consistency of the parameters. * It does *not* make guarantees for consistency of the parameters.
*/ */
static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv ) static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
int blinding_needed )
{ {
#if !defined(MBEDTLS_RSA_NO_CRT)
/* blinding_needed is only used for NO_CRT to decide whether
* P,Q need to be present or not. */
((void) blinding_needed);
#endif
if( ctx->len != mbedtls_mpi_size( &ctx->N ) ) if( ctx->len != mbedtls_mpi_size( &ctx->N ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@ -194,7 +201,7 @@ static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv )
* so check that P, Q >= 1 if that hasn't yet been * so check that P, Q >= 1 if that hasn't yet been
* done as part of 1. */ * done as part of 1. */
#if defined(MBEDTLS_RSA_NO_CRT) #if defined(MBEDTLS_RSA_NO_CRT)
if( is_priv && if( is_priv && blinding_needed &&
( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 || ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) ) mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
{ {
@ -303,7 +310,7 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
* Step 3: Basic sanity checks * Step 3: Basic sanity checks
*/ */
return( rsa_check_context( ctx, is_priv ) ); return( rsa_check_context( ctx, is_priv, 1 ) );
} }
int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx, int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
@ -563,7 +570,7 @@ cleanup:
*/ */
int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ) int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
{ {
if( rsa_check_context( ctx, 0 /* public */ ) != 0 ) if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
if( mbedtls_mpi_bitlen( &ctx->N ) < 128 || if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||
@ -588,7 +595,7 @@ int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ) int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
{ {
if( mbedtls_rsa_check_pubkey( ctx ) != 0 || if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
rsa_check_context( ctx, 1 /* private */ ) != 0 ) rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
{ {
return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
} }
@ -642,7 +649,7 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
size_t olen; size_t olen;
mbedtls_mpi T; mbedtls_mpi T;
if( rsa_check_context( ctx, 0 /* public */ ) ) if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T );
@ -761,8 +768,11 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
mbedtls_mpi *DQ = &ctx->DQ; mbedtls_mpi *DQ = &ctx->DQ;
#endif #endif
if( rsa_check_context( ctx, 1 /* private */ ) != 0 ) if( rsa_check_context( ctx, 1 /* private key checks */,
f_rng != NULL /* blinding y/n */ ) != 0 )
{
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
}
mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R );