commit 100e147c71e0db398085ada3d8b8e074a79a7ad2
author Jack Lloyd <jack.lloyd@fortanix.com> Wed Jan 29 13:13:04 2020 -0500
committer Jack Lloyd <jack.lloyd@fortanix.com> Wed Jan 29 13:13:04 2020 -0500
tree cc7e11382159bad1e328a8531518cf01faa290aa
parent a67508e066ed19118363ef5ebbc9c30a426c724f

Parse RSA parameters DP, DQ and QP from PKCS1 private keys

Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which
currently suffers from side channel issues in the computation of QP
(see https://eprint.iacr.org/2020/055). By loading the pre-computed
values not only is the side channel avoided, but runtime overhead of
loading RSA keys is reduced.

Discussion in https://github.com/ARMmbed/mbed-crypto/issues/347

Backport of https://github.com/ARMmbed/mbed-crypto/pull/352

library/rsa.c

diff --git a/library/rsa.c b/library/rsa.c
index 4b3cc02..98c529f 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -251,6 +251,12 @@
     const int have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
     const int have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
 
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    const int have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
+    const int have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
+    const int have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
+#endif
+
     /*
      * Check whether provided parameters are enough
      * to deduce all others. The following incomplete
@@ -316,7 +322,7 @@
      */
 
 #if !defined(MBEDTLS_RSA_NO_CRT)
-    if( is_priv )
+    if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
     {
         ret = mbedtls_rsa_deduce_crt( &ctx->P,  &ctx->Q,  &ctx->D,
                                       &ctx->DP, &ctx->DQ, &ctx->QP );