| From 6450224f3e3c78fdfa37eadbe6ada8301279f6c1 Mon Sep 17 00:00:00 2001 |
| From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> |
| Date: Mon, 20 Jun 2016 20:04:56 +0200 |
| Subject: Use mpz_powm_sec. |
| Subject: Check for invalid keys, with even p, in dsa_sign. |
| Subject: Reject invalid keys, with even moduli, in rsa_compute_root_tr. |
| Subject: Reject invalid RSA keys with even modulo. |
| |
| Patch status: upstream |
| |
| Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> |
| |
| diff --git a/bignum.h b/bignum.h |
| index 24158e0..0d30534 100644 |
| --- a/bignum.h |
| +++ b/bignum.h |
| @@ -53,6 +53,8 @@ |
| # define mpz_combit mpz_combit |
| # define mpz_import mpz_import |
| # define mpz_export mpz_export |
| +/* Side-channel silent powm not available in mini-gmp. */ |
| +# define mpz_powm_sec mpz_powm |
| #else |
| # include <gmp.h> |
| #endif |
| diff --git a/configure.ac b/configure.ac |
| index e1ee64c..1e88477 100644 |
| --- a/configure.ac |
| +++ b/configure.ac |
| @@ -236,9 +236,9 @@ fi |
| # Checks for libraries |
| if test "x$enable_public_key" = "xyes" ; then |
| if test "x$enable_mini_gmp" = "xno" ; then |
| - AC_CHECK_LIB(gmp, __gmpz_getlimbn,, |
| + AC_CHECK_LIB(gmp, __gmpz_powm_sec,, |
| [AC_MSG_WARN( |
| - [GNU MP not found, or not 3.1 or up, see http://gmplib.org/. |
| + [GNU MP not found, or too old. GMP-5.0 or later is needed, see http://gmplib.org/. |
| Support for public key algorithms will be unavailable.])] |
| enable_public_key=no) |
| |
| diff --git a/dsa-sign.c b/dsa-sign.c |
| index 62c7d4a..b713743 100644 |
| --- a/dsa-sign.c |
| +++ b/dsa-sign.c |
| @@ -56,6 +56,11 @@ dsa_sign(const struct dsa_params *params, |
| mpz_t tmp; |
| int res; |
| |
| + /* Check that p is odd, so that invalid keys don't result in a crash |
| + inside mpz_powm_sec. */ |
| + if (mpz_even_p (params->p)) |
| + return 0; |
| + |
| /* Select k, 0<k<q, randomly */ |
| mpz_init_set(tmp, params->q); |
| mpz_sub_ui(tmp, tmp, 1); |
| @@ -65,7 +70,7 @@ dsa_sign(const struct dsa_params *params, |
| mpz_add_ui(k, k, 1); |
| |
| /* Compute r = (g^k (mod p)) (mod q) */ |
| - mpz_powm(tmp, params->g, k, params->p); |
| + mpz_powm_sec(tmp, params->g, k, params->p); |
| mpz_fdiv_r(signature->r, tmp, params->q); |
| |
| /* Compute hash */ |
| diff --git a/rsa-blind.c b/rsa-blind.c |
| index 7662f50..16b03d7 100644 |
| --- a/rsa-blind.c |
| +++ b/rsa-blind.c |
| @@ -61,7 +61,7 @@ _rsa_blind (const struct rsa_public_key *pub, |
| while (!mpz_invert (ri, r, pub->n)); |
| |
| /* c = c*(r^e) mod n */ |
| - mpz_powm(r, r, pub->e, pub->n); |
| + mpz_powm_sec(r, r, pub->e, pub->n); |
| mpz_mul(c, c, r); |
| mpz_fdiv_r(c, c, pub->n); |
| |
| diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c |
| index 3d80ed4..8542cae 100644 |
| --- a/rsa-sign-tr.c |
| +++ b/rsa-sign-tr.c |
| @@ -60,7 +60,7 @@ rsa_blind (const struct rsa_public_key *pub, |
| while (!mpz_invert (ri, r, pub->n)); |
| |
| /* c = c*(r^e) mod n */ |
| - mpz_powm(r, r, pub->e, pub->n); |
| + mpz_powm_sec(r, r, pub->e, pub->n); |
| mpz_mul(c, m, r); |
| mpz_fdiv_r(c, c, pub->n); |
| |
| @@ -88,6 +88,14 @@ rsa_compute_root_tr(const struct rsa_public_key *pub, |
| int res; |
| mpz_t t, mb, xb, ri; |
| |
| + /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the |
| + key is invalid and rejected by rsa_private_key_prepare. However, |
| + some applications, notably gnutls, don't use this function, and |
| + we don't want an invalid key to lead to a crash down inside |
| + mpz_powm_sec. So do an additional check here. */ |
| + if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q)) |
| + return 0; |
| + |
| mpz_init (mb); |
| mpz_init (xb); |
| mpz_init (ri); |
| @@ -97,7 +105,7 @@ rsa_compute_root_tr(const struct rsa_public_key *pub, |
| |
| rsa_compute_root (key, xb, mb); |
| |
| - mpz_powm(t, xb, pub->e, pub->n); |
| + mpz_powm_sec(t, xb, pub->e, pub->n); |
| res = (mpz_cmp(mb, t) == 0); |
| |
| if (res) |
| diff --git a/rsa-sign.c b/rsa-sign.c |
| index eba7388..4832352 100644 |
| --- a/rsa-sign.c |
| +++ b/rsa-sign.c |
| @@ -96,11 +96,11 @@ rsa_compute_root(const struct rsa_private_key *key, |
| |
| /* Compute xq = m^d % q = (m%q)^b % q */ |
| mpz_fdiv_r(xq, m, key->q); |
| - mpz_powm(xq, xq, key->b, key->q); |
| + mpz_powm_sec(xq, xq, key->b, key->q); |
| |
| /* Compute xp = m^d % p = (m%p)^a % p */ |
| mpz_fdiv_r(xp, m, key->p); |
| - mpz_powm(xp, xp, key->a, key->p); |
| + mpz_powm_sec(xp, xp, key->a, key->p); |
| |
| /* Set xp' = (xp - xq) c % p. */ |
| mpz_sub(xp, xp, xq); |
| diff --git a/rsa.c b/rsa.c |
| index 19d93de..f594140 100644 |
| --- a/rsa.c |
| +++ b/rsa.c |
| @@ -58,13 +58,18 @@ rsa_public_key_clear(struct rsa_public_key *key) |
| } |
| |
| /* Computes the size, in octets, of a the modulo. Returns 0 if the |
| - * modulo is too small to be useful. */ |
| - |
| + * modulo is too small to be useful, or otherwise appears invalid. */ |
| size_t |
| _rsa_check_size(mpz_t n) |
| { |
| /* Round upwards */ |
| - size_t size = (mpz_sizeinbase(n, 2) + 7) / 8; |
| + size_t size; |
| + |
| + /* Even moduli are invalid, and not supported by mpz_powm_sec. */ |
| + if (mpz_even_p (n)) |
| + return 0; |
| + |
| + size = (mpz_sizeinbase(n, 2) + 7) / 8; |
| |
| if (size < RSA_MINIMUM_N_OCTETS) |
| return 0; |
| diff --git a/testsuite/rsa-test.c b/testsuite/rsa-test.c |
| index e9b1c03..a429664 100644 |
| --- a/testsuite/rsa-test.c |
| +++ b/testsuite/rsa-test.c |
| @@ -57,6 +57,13 @@ test_main(void) |
| |
| test_rsa_sha512(&pub, &key, expected); |
| |
| + /* Test detection of invalid keys with even modulo */ |
| + mpz_clrbit (pub.n, 0); |
| + ASSERT (!rsa_public_key_prepare (&pub)); |
| + |
| + mpz_clrbit (key.p, 0); |
| + ASSERT (!rsa_private_key_prepare (&key)); |
| + |
| /* 777-bit key, generated by |
| * |
| * lsh-keygen -a rsa -l 777 -f advanced-hex |
| -- |
| 2.7.3 |
| |