Address review comments
diff --git a/library/pkparse.c b/library/pkparse.c
index 2311986..724197d 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -769,6 +769,17 @@
goto cleanup;
p += len;
+ /*
+ * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
+ * that they can be easily recomputed from D, P and Q. However by
+ * parsing them from the PKCS1 structure it is possible to avoid
+ * recalculating them which both reduces the overhead of loading
+ * RSA private keys into memory and also avoids side channels which
+ * can arise when computing those values, since all of D, P, and Q
+ * are secret. See https://eprint.iacr.org/2020/055 for a
+ * description of one such attack.
+ */
+
/* Import DP */
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_INTEGER ) ) != 0 ||
diff --git a/library/rsa.c b/library/rsa.c
index 7ea72cd..dc34e38 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -249,7 +249,10 @@
int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
{
int ret = 0;
- int have_N, have_P, have_Q, have_D, have_E, have_DP, have_DQ, have_QP;
+ int have_N, have_P, have_Q, have_D, have_E;
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ int have_DP, have_DQ, have_QP;
+#endif
int n_missing, pq_missing, d_missing, is_pub, is_priv;
RSA_VALIDATE_RET( ctx != NULL );
@@ -259,10 +262,12 @@
have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
-
+#endif
/*
* Check whether provided parameters are enough