diff options
| author | Geoff Thorpe <geoff@openssl.org> | 2001-07-20 15:16:10 +0000 |
|---|---|---|
| committer | Geoff Thorpe <geoff@openssl.org> | 2001-07-20 15:16:10 +0000 |
| commit | 81d1998e096684d8ca4318ffdfc07495a8c906de (patch) | |
| tree | ab38030965caad2e0c0e3bce8ecb92deaf4e0dae /crypto/rsa | |
| parent | 6b46ca135a70ad7f77bba771496751f555e4863c (diff) | |
| download | openssl-new-81d1998e096684d8ca4318ffdfc07495a8c906de.tar.gz | |
Currently, RSA code, when using no padding scheme, simply checks that input
does not contain more bytes than the RSA modulus 'n' - it does not check
that the input is strictly *less* than 'n'. Whether this should be the
case or not is open to debate - however, due to security problems with
returning miscalculated CRT results, the 'rsa_mod_exp' implementation in
rsa_eay.c now performs a public-key exponentiation to verify the CRT result
and in the event of an error will instead recalculate and return a non-CRT
(more expensive) mod_exp calculation. As the mod_exp of 'I' is equivalent
to the mod_exp of 'I mod n', and the verify result is automatically between
0 and n-1 inclusive, the verify only matches the input if 'I' was less than
'n', otherwise even a correct CRT calculation is only congruent to 'I' (ie.
they differ by a multiple of 'n'). Rather than rejecting correct
calculations and doing redundant and slower ones instead, this changes the
equality check in the verification code to a congruence check.
Diffstat (limited to 'crypto/rsa')
| -rw-r--r-- | crypto/rsa/rsa_eay.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 06f73fc8ff..f325050c1c 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -545,10 +545,19 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) if (rsa->e && rsa->n) { if (!meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; - if (BN_cmp(I, &vrfy) != 0) - { + /* If 'I' was greater than (or equal to) rsa->n, the operation + * will be equivalent to using 'I mod n'. However, the result of + * the verify will *always* be less than 'n' so we don't check + * for absolute equality, just congruency. */ + if (!BN_sub(&vrfy, &vrfy, I)) goto err; + if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err; + if (vrfy.neg) + if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; + if (!BN_is_zero(&vrfy)) + /* 'I' and 'vrfy' aren't congruent mod n. Don't leak + * miscalculated CRT output, just do a raw (slower) + * mod_exp and return that instead. */ if (!meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err; - } } ret=1; err: |