diff --git a/library/pkparse.c b/library/pkparse.c index 2311986f7f..724197d79a 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -769,6 +769,17 @@ static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa, goto cleanup; p += len; + /* + * The RSA CRT parameters DP, DQ and QP are nominally redundant, in + * that they can be easily recomputed from D, P and Q. However by + * parsing them from the PKCS1 structure it is possible to avoid + * recalculating them which both reduces the overhead of loading + * RSA private keys into memory and also avoids side channels which + * can arise when computing those values, since all of D, P, and Q + * are secret. See https://eprint.iacr.org/2020/055 for a + * description of one such attack. + */ + /* Import DP */ if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 || diff --git a/library/rsa.c b/library/rsa.c index 7ea72cd846..dc34e38b4e 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -249,7 +249,10 @@ static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv, int mbedtls_rsa_complete( mbedtls_rsa_context *ctx ) { int ret = 0; - int have_N, have_P, have_Q, have_D, have_E, have_DP, have_DQ, have_QP; + int have_N, have_P, have_Q, have_D, have_E; +#if !defined(MBEDTLS_RSA_NO_CRT) + int have_DP, have_DQ, have_QP; +#endif int n_missing, pq_missing, d_missing, is_pub, is_priv; RSA_VALIDATE_RET( ctx != NULL ); @@ -259,10 +262,12 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx ) have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 ); have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 ); have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 ); + +#if !defined(MBEDTLS_RSA_NO_CRT) have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 ); have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 ); have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 ); - +#endif /* * Check whether provided parameters are enough