Check for mandatory RNG parameters in RSA private

(This commit is best reviewed using `git show -b` as indentation levels have changed.) The documentation already states that the RNG parameter is mandatory, since PRs #4488 and #4515. There are several families of functions to consider here: - private-key operations (sign, decrypt) all call mbedtls_rsa_private() where this commit adds a non-NULL check; - encrypt operations need an RNG for masking/padding and already had a non-NULL check since #4515 (conditional on \p mode before that) - verify operations no longer take an RNG parameter since #4515 So, after this commit, all RSA functions that accept an RNG will reach a non-NULL check before the RNG is used. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-15 11:29:26 +02:00 · 2021-06-15 11:29:26 +02:00 · f035904060
commit f035904060
parent 34d3756457
1 changed files with 56 additions and 65 deletions
--- a/library/rsa.c
+++ b/library/rsa.c
@ -929,8 +929,11 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
    RSA_VALIDATE_RET( input  != NULL );
    RSA_VALIDATE_RET( output != NULL );

+    if( f_rng == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
    if( rsa_check_context( ctx, 1 /* private key checks */,
-                                f_rng != NULL /* blinding y/n       */ ) != 0 )
+                                1 /* blinding on        */ ) != 0 )
    {
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    }
@ -947,15 +950,12 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
    mbedtls_mpi_init( &Q1 );
    mbedtls_mpi_init( &R );

-    if( f_rng != NULL )
-    {
 #if defined(MBEDTLS_RSA_NO_CRT)
    mbedtls_mpi_init( &D_blind );
 #else
    mbedtls_mpi_init( &DP_blind );
    mbedtls_mpi_init( &DQ_blind );
 #endif
-    }

 #if !defined(MBEDTLS_RSA_NO_CRT)
    mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
@ -975,8 +975,6 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,

    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );

-    if( f_rng != NULL )
-    {
    /*
     * Blinding
     * T = T * Vi mod N
@ -1025,7 +1023,6 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,

    DQ = &DQ_blind;
 #endif /* MBEDTLS_RSA_NO_CRT */
-    }

 #if defined(MBEDTLS_RSA_NO_CRT)
    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
@ -1054,15 +1051,12 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
 #endif /* MBEDTLS_RSA_NO_CRT */

-    if( f_rng != NULL )
-    {
    /*
     * Unblind
     * T = T * Vf mod N
     */
    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
-    }

    /* Verify the result to prevent glitching attacks. */
    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E,
@ -1086,15 +1080,12 @@ cleanup:
    mbedtls_mpi_free( &Q1 );
    mbedtls_mpi_free( &R );

-    if( f_rng != NULL )
-    {
 #if defined(MBEDTLS_RSA_NO_CRT)
    mbedtls_mpi_free( &D_blind );
 #else
    mbedtls_mpi_free( &DP_blind );
    mbedtls_mpi_free( &DQ_blind );
 #endif
-    }

    mbedtls_mpi_free( &T );