6b13f685e
김민수
BSP 최초 추가
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
|
From 6450224f3e3c78fdfa37eadbe6ada8301279f6c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Mon, 20 Jun 2016 20:04:56 +0200
Subject: Use mpz_powm_sec.
Subject: Check for invalid keys, with even p, in dsa_sign.
Subject: Reject invalid keys, with even moduli, in rsa_compute_root_tr.
Subject: Reject invalid RSA keys with even modulo.
Patch status: upstream
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
diff --git a/bignum.h b/bignum.h
index 24158e0..0d30534 100644
--- a/bignum.h
+++ b/bignum.h
@@ -53,6 +53,8 @@
# define mpz_combit mpz_combit
# define mpz_import mpz_import
# define mpz_export mpz_export
+/* Side-channel silent powm not available in mini-gmp. */
+# define mpz_powm_sec mpz_powm
#else
# include <gmp.h>
#endif
diff --git a/configure.ac b/configure.ac
index e1ee64c..1e88477 100644
--- a/configure.ac
+++ b/configure.ac
@@ -236,9 +236,9 @@ fi
# Checks for libraries
if test "x$enable_public_key" = "xyes" ; then
if test "x$enable_mini_gmp" = "xno" ; then
- AC_CHECK_LIB(gmp, __gmpz_getlimbn,,
+ AC_CHECK_LIB(gmp, __gmpz_powm_sec,,
[AC_MSG_WARN(
- [GNU MP not found, or not 3.1 or up, see http://gmplib.org/.
+ [GNU MP not found, or too old. GMP-5.0 or later is needed, see http://gmplib.org/.
Support for public key algorithms will be unavailable.])]
enable_public_key=no)
diff --git a/dsa-sign.c b/dsa-sign.c
index 62c7d4a..b713743 100644
--- a/dsa-sign.c
+++ b/dsa-sign.c
@@ -56,6 +56,11 @@ dsa_sign(const struct dsa_params *params,
mpz_t tmp;
int res;
+ /* Check that p is odd, so that invalid keys don't result in a crash
+ inside mpz_powm_sec. */
+ if (mpz_even_p (params->p))
+ return 0;
+
/* Select k, 0<k<q, randomly */
mpz_init_set(tmp, params->q);
mpz_sub_ui(tmp, tmp, 1);
@@ -65,7 +70,7 @@ dsa_sign(const struct dsa_params *params,
mpz_add_ui(k, k, 1);
/* Compute r = (g^k (mod p)) (mod q) */
- mpz_powm(tmp, params->g, k, params->p);
+ mpz_powm_sec(tmp, params->g, k, params->p);
mpz_fdiv_r(signature->r, tmp, params->q);
/* Compute hash */
diff --git a/rsa-blind.c b/rsa-blind.c
index 7662f50..16b03d7 100644
--- a/rsa-blind.c
+++ b/rsa-blind.c
@@ -61,7 +61,7 @@ _rsa_blind (const struct rsa_public_key *pub,
while (!mpz_invert (ri, r, pub->n));
/* c = c*(r^e) mod n */
- mpz_powm(r, r, pub->e, pub->n);
+ mpz_powm_sec(r, r, pub->e, pub->n);
mpz_mul(c, c, r);
mpz_fdiv_r(c, c, pub->n);
diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c
index 3d80ed4..8542cae 100644
--- a/rsa-sign-tr.c
+++ b/rsa-sign-tr.c
@@ -60,7 +60,7 @@ rsa_blind (const struct rsa_public_key *pub,
while (!mpz_invert (ri, r, pub->n));
/* c = c*(r^e) mod n */
- mpz_powm(r, r, pub->e, pub->n);
+ mpz_powm_sec(r, r, pub->e, pub->n);
mpz_mul(c, m, r);
mpz_fdiv_r(c, c, pub->n);
@@ -88,6 +88,14 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
int res;
mpz_t t, mb, xb, ri;
+ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
+ key is invalid and rejected by rsa_private_key_prepare. However,
+ some applications, notably gnutls, don't use this function, and
+ we don't want an invalid key to lead to a crash down inside
+ mpz_powm_sec. So do an additional check here. */
+ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
+ return 0;
+
mpz_init (mb);
mpz_init (xb);
mpz_init (ri);
@@ -97,7 +105,7 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
rsa_compute_root (key, xb, mb);
- mpz_powm(t, xb, pub->e, pub->n);
+ mpz_powm_sec(t, xb, pub->e, pub->n);
res = (mpz_cmp(mb, t) == 0);
if (res)
diff --git a/rsa-sign.c b/rsa-sign.c
index eba7388..4832352 100644
--- a/rsa-sign.c
+++ b/rsa-sign.c
@@ -96,11 +96,11 @@ rsa_compute_root(const struct rsa_private_key *key,
/* Compute xq = m^d % q = (m%q)^b % q */
mpz_fdiv_r(xq, m, key->q);
- mpz_powm(xq, xq, key->b, key->q);
+ mpz_powm_sec(xq, xq, key->b, key->q);
/* Compute xp = m^d % p = (m%p)^a % p */
mpz_fdiv_r(xp, m, key->p);
- mpz_powm(xp, xp, key->a, key->p);
+ mpz_powm_sec(xp, xp, key->a, key->p);
/* Set xp' = (xp - xq) c % p. */
mpz_sub(xp, xp, xq);
diff --git a/rsa.c b/rsa.c
index 19d93de..f594140 100644
--- a/rsa.c
+++ b/rsa.c
@@ -58,13 +58,18 @@ rsa_public_key_clear(struct rsa_public_key *key)
}
/* Computes the size, in octets, of a the modulo. Returns 0 if the
- * modulo is too small to be useful. */
-
+ * modulo is too small to be useful, or otherwise appears invalid. */
size_t
_rsa_check_size(mpz_t n)
{
/* Round upwards */
- size_t size = (mpz_sizeinbase(n, 2) + 7) / 8;
+ size_t size;
+
+ /* Even moduli are invalid, and not supported by mpz_powm_sec. */
+ if (mpz_even_p (n))
+ return 0;
+
+ size = (mpz_sizeinbase(n, 2) + 7) / 8;
if (size < RSA_MINIMUM_N_OCTETS)
return 0;
diff --git a/testsuite/rsa-test.c b/testsuite/rsa-test.c
index e9b1c03..a429664 100644
--- a/testsuite/rsa-test.c
+++ b/testsuite/rsa-test.c
@@ -57,6 +57,13 @@ test_main(void)
test_rsa_sha512(&pub, &key, expected);
+ /* Test detection of invalid keys with even modulo */
+ mpz_clrbit (pub.n, 0);
+ ASSERT (!rsa_public_key_prepare (&pub));
+
+ mpz_clrbit (key.p, 0);
+ ASSERT (!rsa_private_key_prepare (&key));
+
/* 777-bit key, generated by
*
* lsh-keygen -a rsa -l 777 -f advanced-hex
--
2.7.3
|