commit c6075cc5acccf5bdd105a31300da7957a16e7ce3
author Hanno Becker <hanno.becker@arm.com> Fri Aug 25 11:45:35 2017 +0100
committer Hanno Becker <hanno.becker@arm.com> Fri Aug 25 11:45:35 2017 +0100
tree 65caf0bfcf84f5636b7830b53b798564fea459f1
parent 9f4e670b14b41ac2978469852acae943f8a2b19c

Don't use CRT for signature verification

If CRT is not used, the helper fields CRT are not assumed to be present in the
RSA context structure, so do the verification directly in this case. If CRT is
used, verification could be done using CRT, but we're sticking to ordinary
verification for uniformity.

library/rsa.c

diff --git a/library/rsa.c b/library/rsa.c
index d3feeba..0c5bc4f 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -428,15 +428,9 @@
 #endif
 
 #if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
-     /* Temporaries holding input mod p resp. mod q. */
-    mbedtls_mpi IP, IQ;
-
-    /* Temporaries holding double check results mod p resp. mod q;
-     * should in the end have the same values as IP and IQ. */
-    mbedtls_mpi CP, CQ;
-
-    /* Comparison results */
-    int check = 0;
+    /* Temporaries holding the initial input and the double
+     * checked result; should be the same in the end. */
+    mbedtls_mpi I, C;
 #endif
 
 #if defined(MBEDTLS_RSA_FORCE_BLINDING)
@@ -476,8 +470,8 @@
 #endif
 
 #if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
-    mbedtls_mpi_init( &IP ); mbedtls_mpi_init( &IQ );
-    mbedtls_mpi_init( &CP ); mbedtls_mpi_init( &CQ );
+    mbedtls_mpi_init( &I );
+    mbedtls_mpi_init( &C );
 #endif
 
     /* End of MPI initialization */
@@ -490,8 +484,7 @@
     }
 
 #if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
-    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &IP, &T, &ctx->P ) );
-    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &IQ, &T, &ctx->Q ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
 #endif
 
     if( f_rng != NULL )
@@ -583,18 +576,11 @@
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
     }
 
-    /* If requested by the config, verify the result to prevent glitching attacks.
-     * For that, check the two prime moduli separately. */
+    /* If requested by the config, verify the result to prevent glitching attacks. */
 #if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
-    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &CP, &T, &ctx->E, &ctx->P, &ctx->RP ) );
-    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &CQ, &T, &ctx->E, &ctx->Q, &ctx->RQ ) );
-
-    check |= mbedtls_mpi_cmp_mpi( &CP, &IP );
-    check |= mbedtls_mpi_cmp_mpi( &CQ, &IQ );
-
-    if( check != 0 )
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, &ctx->N, &ctx->RN ) );
+    if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
     {
-        /* Verification failed */
         ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
         goto cleanup;
     }
@@ -630,8 +616,8 @@
 #endif
 
 #if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
-    mbedtls_mpi_free( &IP ); mbedtls_mpi_free( &IQ );
-    mbedtls_mpi_free( &CP ); mbedtls_mpi_free( &CQ );
+    mbedtls_mpi_free( &C );
+    mbedtls_mpi_free( &I );
 #endif
 
     if( ret != 0 )
@@ -1245,11 +1231,6 @@
     size_t nb_pad, olen, oid_size = 0;
     unsigned char *p = sig;
     const char *oid = NULL;
-    unsigned char *sig_try = NULL, *verif = NULL;
-    size_t i;
-    unsigned char diff;
-    volatile unsigned char diff_no_optimize;
-    int ret;
 
     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );