зеркало из https://github.com/mozilla/gecko-dev.git
merge in 3.3 branch changes to tip
This commit is contained in:
ian.mcgreer%sun.com
Родитель
c1baa75a23
Коммит
264c4e04c8
|
|
@ -35,7 +35,7 @@
|
|||
/*
|
||||
* RSA key generation, public key op, private key op.
|
||||
*
|
||||
* $Id: rsa.c,v 1.28 2001/11/30 23:21:49 relyea%netscape.com Exp $
|
||||
* $Id: rsa.c,v 1.29 2001/12/10 18:14:23 ian.mcgreer%sun.com Exp $
|
||||
*/
|
||||
|
||||
#include "secerr.h"
|
||||
|
|
@ -50,13 +50,6 @@
|
|||
#include "secmpi.h"
|
||||
#include "secitem.h"
|
||||
|
||||
#if 0
|
||||
/* The cutoff for determining whether a private key operation double check
|
||||
* should be performed by a public key operation or Shamir's test.
|
||||
*/
|
||||
#define MAX_BITS_IN_E_FOR_PUBKEY_SIG_CHECK ???
|
||||
#endif
|
||||
|
||||
/*
|
||||
** Number of times to attempt to generate a prime (p or q) from a random
|
||||
** seed (the seed changes for each iteration).
|
||||
|
|
@ -450,123 +443,38 @@ cleanup:
|
|||
}
|
||||
|
||||
/*
|
||||
* Perform a check on the received private key CRT parameters. An attack
|
||||
* against RSA CRT was described by Boneh, DeMillo, and Lipton in:
|
||||
* "On the Importance of Eliminating Errors in Cryptographic Computations",
|
||||
* http://theory.stanford.edu/~dabo/papers/faults.ps.gz
|
||||
*
|
||||
* The check used to prevent this attack was demonstrated by Shamir in:
|
||||
* "How to check modular exponentiation", Rump Session of EUROCRYPT '97
|
||||
*/
|
||||
static SECStatus
|
||||
rsa_PrivateKeyOpCRTCheckedShamir(RSAPrivateKey *key, mp_int *m, mp_int *c)
|
||||
{
|
||||
/* XXX
|
||||
* This is not implemented. Open issues are how to store/maintain a
|
||||
* set of { r(p), r(q) } values, where r is a 32-bit prime number used
|
||||
* in the test.
|
||||
* Also, we must determine when this test should be performed in favor
|
||||
* of a simple public key operation.
|
||||
*/
|
||||
#if 0
|
||||
mp_int p, q, qInv;
|
||||
mp_int m1, m2, h, ctmp, res1, res2;
|
||||
mp_err err = MP_OKAY;
|
||||
SECStatus rv = SECSuccess;
|
||||
MP_DIGITS(&p) = 0;
|
||||
MP_DIGITS(&q) = 0;
|
||||
MP_DIGITS(&qInv) = 0;
|
||||
MP_DIGITS(&m1) = 0;
|
||||
MP_DIGITS(&m2) = 0;
|
||||
MP_DIGITS(&h) = 0;
|
||||
MP_DIGITS(&ctmp) = 0;
|
||||
MP_DIGITS(&res1) = 0;
|
||||
MP_DIGITS(&res2) = 0;
|
||||
CHECK_MPI_OK( mp_init(&p) );
|
||||
CHECK_MPI_OK( mp_init(&q) );
|
||||
CHECK_MPI_OK( mp_init(&qInv) );
|
||||
CHECK_MPI_OK( mp_init(&m1) );
|
||||
CHECK_MPI_OK( mp_init(&m2) );
|
||||
CHECK_MPI_OK( mp_init(&h) );
|
||||
CHECK_MPI_OK( mp_init(&ctmp) );
|
||||
CHECK_MPI_OK( mp_init(&res1) );
|
||||
CHECK_MPI_OK( mp_init(&res2) );
|
||||
/* copy private key parameters into mp integers */
|
||||
SECITEM_TO_MPINT(key->prime1, &p); /* p */
|
||||
SECITEM_TO_MPINT(key->prime2, &q); /* q */
|
||||
SECITEM_TO_MPINT(key->coefficient, &qInv); /* qInv = q**-1 mod p */
|
||||
/* s1 = M**d mod pr */
|
||||
CHECK_MPI_OK( mp_exptmod(m, d, &pr, s1) );
|
||||
/* s2 = M**d mod qr */
|
||||
CHECK_MPI_OK( mp_exptmod(m, d, &qr, s2) );
|
||||
/* perform the check: s1 mod r = s2 mod r */
|
||||
CHECK_MPI_OK( mp_mod_d(s1, r, &res1) );
|
||||
CHECK_MPI_OK( mp_mod_d(s2, r, &res2) );
|
||||
if (res1 != res2) {
|
||||
rv = SECFailure;
|
||||
goto cleanup;
|
||||
}
|
||||
/* reduce s1 = s1 mod p */
|
||||
CHECK_MPI_OK( mp_mod(s1, p, &s1) );
|
||||
/* reduce s2 = s2 mod q */
|
||||
CHECK_MPI_OK( mp_mod(s2, q, &s2) );
|
||||
/* 3. h = (m1 - m2) * qInv mod p */
|
||||
CHECK_MPI_OK( mp_submod(&m1, &m2, &p, &h) );
|
||||
CHECK_MPI_OK( mp_mulmod(&h, &qInv, &p, &h) );
|
||||
/* 4. m = m2 + h * q */
|
||||
CHECK_MPI_OK( mp_mul(&h, &q, m) );
|
||||
CHECK_MPI_OK( mp_add(m, &m2, m) );
|
||||
cleanup:
|
||||
mp_clear(&p);
|
||||
mp_clear(&q);
|
||||
mp_clear(&qInv);
|
||||
mp_clear(&m1);
|
||||
mp_clear(&m2);
|
||||
mp_clear(&h);
|
||||
mp_clear(&ctmp);
|
||||
mp_clear(&res1);
|
||||
mp_clear(&res2);
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
rv = SECFailure;
|
||||
}
|
||||
return rv;
|
||||
#endif
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
/*
|
||||
** As a defense against the same attack mentioned above, carry out the
|
||||
** private key operation. Follow up with a public key operation to invert
|
||||
** the result. Verify that result against the input.
|
||||
** An attack against RSA CRT was described by Boneh, DeMillo, and Lipton in:
|
||||
** "On the Importance of Eliminating Errors in Cryptographic Computations",
|
||||
** http://theory.stanford.edu/~dabo/papers/faults.ps.gz
|
||||
**
|
||||
** As a defense against the attack, carry out the private key operation,
|
||||
** followed up with a public key operation to invert the result.
|
||||
** Verify that result against the input.
|
||||
*/
|
||||
static SECStatus
|
||||
rsa_PrivateKeyOpCRTCheckedPubKey(RSAPrivateKey *key, mp_int *m, mp_int *c)
|
||||
{
|
||||
mp_int n, e, s;
|
||||
mp_int n, e, v;
|
||||
mp_err err = MP_OKAY;
|
||||
SECStatus rv = SECSuccess;
|
||||
MP_DIGITS(&n) = 0;
|
||||
MP_DIGITS(&e) = 0;
|
||||
MP_DIGITS(&s) = 0;
|
||||
MP_DIGITS(&v) = 0;
|
||||
CHECK_MPI_OK( mp_init(&n) );
|
||||
CHECK_MPI_OK( mp_init(&e) );
|
||||
CHECK_MPI_OK( mp_init(&s) );
|
||||
CHECK_MPI_OK( mp_init(&v) );
|
||||
CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, m, c) );
|
||||
/* Perform the CRT parameters check for the small e case.
|
||||
* Simply verify that a public key op inverts this operation.
|
||||
*/
|
||||
SECITEM_TO_MPINT(key->modulus, &n);
|
||||
SECITEM_TO_MPINT(key->publicExponent, &e);
|
||||
/* Perform a public key operation c = m ** e mod n */
|
||||
CHECK_MPI_OK( mp_exptmod(m, &e, &n, &s) );
|
||||
if (mp_cmp(&s, c) != 0) {
|
||||
/* Perform a public key operation v = m ** e mod n */
|
||||
CHECK_MPI_OK( mp_exptmod(m, &e, &n, &v) );
|
||||
if (mp_cmp(&v, c) != 0) {
|
||||
rv = SECFailure;
|
||||
}
|
||||
cleanup:
|
||||
mp_clear(&n);
|
||||
mp_clear(&e);
|
||||
mp_clear(&s);
|
||||
mp_clear(&v);
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
rv = SECFailure;
|
||||
|
|
@ -755,7 +663,7 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
|||
{
|
||||
unsigned int modLen;
|
||||
unsigned int offset;
|
||||
SECStatus rv = SECSuccess;
|
||||
SECStatus rv;
|
||||
mp_err err;
|
||||
mp_int n, c, m;
|
||||
mp_int f, g;
|
||||
|
|
@ -798,14 +706,7 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
|||
key->coefficient.len == 0) {
|
||||
CHECK_SEC_OK( rsa_PrivateKeyOpNoCRT(key, &m, &c, &n, modLen) );
|
||||
} else if (check) {
|
||||
/* until the implementation of Shamir's check is complete, all
|
||||
* double-checks will be done via a public key operation.
|
||||
*/
|
||||
if (PR_TRUE) {
|
||||
CHECK_SEC_OK( rsa_PrivateKeyOpCRTCheckedPubKey(key, &m, &c) );
|
||||
} else {
|
||||
CHECK_SEC_OK( rsa_PrivateKeyOpCRTCheckedShamir(key, &m, &c) );
|
||||
}
|
||||
CHECK_SEC_OK( rsa_PrivateKeyOpCRTCheckedPubKey(key, &m, &c) );
|
||||
} else {
|
||||
CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, &m, &c) );
|
||||
}
|
||||
|
|
@ -847,6 +748,29 @@ RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key,
|
|||
return rsa_PrivateKeyOp(key, output, input, PR_TRUE);
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
swap_in_key_value(PRArenaPool *arena, mp_int *mpval, SECItem *buffer)
|
||||
{
|
||||
int len;
|
||||
mp_err err = MP_OKAY;
|
||||
memset(buffer->data, 0, buffer->len);
|
||||
len = mp_unsigned_octet_size(mpval);
|
||||
if (len <= 0) return SECFailure;
|
||||
if ((unsigned int)len <= buffer->len) {
|
||||
/* The new value is no longer than the old buffer, so use it */
|
||||
err = mp_to_unsigned_octets(mpval, buffer->data, len);
|
||||
buffer->len = len;
|
||||
} else if (arena) {
|
||||
/* The new value is longer, but working within an arena */
|
||||
(void)SECITEM_AllocItem(arena, buffer, len);
|
||||
err = mp_to_unsigned_octets(mpval, buffer->data, len);
|
||||
} else {
|
||||
/* The new value is longer, no arena, can't handle this key */
|
||||
return SECFailure;
|
||||
}
|
||||
return (err == MP_OKAY) ? SECSuccess : SECFailure;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
RSA_PrivateKeyCheck(RSAPrivateKey *key)
|
||||
{
|
||||
|
|
@ -883,15 +807,15 @@ RSA_PrivateKeyCheck(RSAPrivateKey *key)
|
|||
SECITEM_TO_MPINT(key->coefficient, &qInv);
|
||||
/* p > q */
|
||||
if (mp_cmp(&p, &q) <= 0) {
|
||||
/* mind the p's and q's */
|
||||
/* mind the p's and q's (and d_p's and d_q's) */
|
||||
SECItem tmp;
|
||||
mp_exch(&p, &q);
|
||||
tmp.data = key->prime1.data;
|
||||
tmp.len = key->prime1.len;
|
||||
key->prime1.data = key->prime2.data;
|
||||
key->prime1.len = key->prime2.len;
|
||||
key->prime2.data = tmp.data;
|
||||
key->prime2.len = tmp.len;
|
||||
tmp = key->prime1;
|
||||
key->prime1 = key->prime2;
|
||||
key->prime2 = tmp;
|
||||
tmp = key->exponent1;
|
||||
key->exponent1 = key->exponent2;
|
||||
key->exponent2 = tmp;
|
||||
}
|
||||
#define VERIFY_MPI_EQUAL(m1, m2) \
|
||||
if (mp_cmp(m1, m2) != 0) { \
|
||||
|
|
@ -930,23 +854,20 @@ RSA_PrivateKeyCheck(RSAPrivateKey *key)
|
|||
CHECK_MPI_OK( mp_mod(&d, &psub1, &res) );
|
||||
if (mp_cmp(&d_p, &res) != 0) {
|
||||
/* swap in the correct value */
|
||||
SECITEM_ZfreeItem(&key->exponent1, PR_FALSE);
|
||||
MPINT_TO_SECITEM(&res, &key->exponent1, key->arena);
|
||||
CHECK_SEC_OK( swap_in_key_value(key->arena, &res, &key->exponent1) );
|
||||
}
|
||||
/* d_q == d mod q-1 */
|
||||
CHECK_MPI_OK( mp_mod(&d, &qsub1, &res) );
|
||||
if (mp_cmp(&d_q, &res) != 0) {
|
||||
/* swap in the correct value */
|
||||
SECITEM_ZfreeItem(&key->exponent2, PR_FALSE);
|
||||
MPINT_TO_SECITEM(&res, &key->exponent2, key->arena);
|
||||
CHECK_SEC_OK( swap_in_key_value(key->arena, &res, &key->exponent2) );
|
||||
}
|
||||
/* q * q**-1 == 1 mod p */
|
||||
CHECK_MPI_OK( mp_mulmod(&q, &qInv, &p, &res) );
|
||||
if (mp_cmp_d(&res, 1) != 0) {
|
||||
/* compute the correct value */
|
||||
CHECK_MPI_OK( mp_invmod(&q, &p, &qInv) );
|
||||
SECITEM_ZfreeItem(&key->coefficient, PR_FALSE);
|
||||
MPINT_TO_SECITEM(&res, &key->coefficient, key->arena);
|
||||
CHECK_SEC_OK( swap_in_key_value(key->arena, &qInv, &key->coefficient) );
|
||||
}
|
||||
cleanup:
|
||||
mp_clear(&n);
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче