merge 3.3 branch checkin; rsa double check and key consistency functions (see bug 74226)

This commit is contained in:
ian.mcgreer%sun.com 2001-11-14 23:03:20 +00:00
Родитель a6e2921d0f
Коммит a7f8233621
2 изменённых файлов: 304 добавлений и 16 удалений

Просмотреть файл

@ -32,7 +32,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: blapi.h,v 1.7 2001/01/05 22:37:47 mcgreer%netscape.com Exp $
* $Id: blapi.h,v 1.8 2001/11/14 23:03:19 ian.mcgreer%sun.com Exp $
*/
#ifndef _BLAPI_H_
@ -77,6 +77,19 @@ extern SECStatus RSA_PrivateKeyOp(RSAPrivateKey * key,
unsigned char * output,
const unsigned char * input);
/*
** Perform a raw private-key operation, and check the parameters used in
** the operation for validity by performing a test operation first.
** Length of input and output buffers are equal to key's modulus len.
*/
extern SECStatus RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey * key,
unsigned char * output,
const unsigned char * input);
/*
** Perform a check of private key parameters for consistency.
*/
extern SECStatus RSA_PrivateKeyCheck(RSAPrivateKey *key);
/********************************************************************

Просмотреть файл

@ -35,7 +35,7 @@
/*
* RSA key generation, public key op, private key op.
*
* $Id: rsa.c,v 1.26 2001/09/20 22:14:06 relyea%netscape.com Exp $
* $Id: rsa.c,v 1.27 2001/11/14 23:03:20 ian.mcgreer%sun.com Exp $
*/
#include "secerr.h"
@ -50,6 +50,13 @@
#include "secmpi.h"
#include "secitem.h"
#if 0
/* The cutoff for determining whether a private key operation double check
* should be performed by a public key operation or Shamir's test.
*/
#define MAX_BITS_IN_E_FOR_PUBKEY_SIG_CHECK ???
#endif
/*
** Number of times to attempt to generate a prime (p or q) from a random
** seed (the seed changes for each iteration).
@ -359,8 +366,8 @@ cleanup:
** RSA Private key operation (no CRT).
*/
static SECStatus
rsa_PrivateKeyOp(RSAPrivateKey *key, mp_int *m, mp_int *c, mp_int *n,
unsigned int modLen)
rsa_PrivateKeyOpNoCRT(RSAPrivateKey *key, mp_int *m, mp_int *c, mp_int *n,
unsigned int modLen)
{
mp_int d;
mp_err err = MP_OKAY;
@ -383,11 +390,10 @@ cleanup:
** RSA Private key operation using CRT.
*/
static SECStatus
rsa_PrivateKeyOpCRT(RSAPrivateKey *key, mp_int *m, mp_int *c,
unsigned int modLen)
rsa_PrivateKeyOpCRTNoCheck(RSAPrivateKey *key, mp_int *m, mp_int *c)
{
mp_int p, q, d_p, d_q, qInv;
mp_int m1, m2, b2, h, ctmp;
mp_int m1, m2, h, ctmp;
mp_err err = MP_OKAY;
SECStatus rv = SECSuccess;
MP_DIGITS(&p) = 0;
@ -397,7 +403,6 @@ rsa_PrivateKeyOpCRT(RSAPrivateKey *key, mp_int *m, mp_int *c,
MP_DIGITS(&qInv) = 0;
MP_DIGITS(&m1) = 0;
MP_DIGITS(&m2) = 0;
MP_DIGITS(&b2) = 0;
MP_DIGITS(&h) = 0;
MP_DIGITS(&ctmp) = 0;
CHECK_MPI_OK( mp_init(&p) );
@ -407,14 +412,13 @@ rsa_PrivateKeyOpCRT(RSAPrivateKey *key, mp_int *m, mp_int *c,
CHECK_MPI_OK( mp_init(&qInv) );
CHECK_MPI_OK( mp_init(&m1) );
CHECK_MPI_OK( mp_init(&m2) );
CHECK_MPI_OK( mp_init(&b2) );
CHECK_MPI_OK( mp_init(&h) );
CHECK_MPI_OK( mp_init(&ctmp) );
/* copy private key parameters into mp integers */
SECITEM_TO_MPINT(key->prime1, &p); /* p */
SECITEM_TO_MPINT(key->prime2, &q); /* q */
SECITEM_TO_MPINT(key->exponent1, &d_p); /* d_p = d mod (p-1) */
SECITEM_TO_MPINT(key->exponent2, &d_q); /* d_p = d mod (q-1) */
SECITEM_TO_MPINT(key->exponent2, &d_q); /* d_q = d mod (q-1) */
SECITEM_TO_MPINT(key->coefficient, &qInv); /* qInv = q**-1 mod p */
/* 1. m1 = c**d_p mod p */
CHECK_MPI_OK( mp_mod(c, &p, &ctmp) );
@ -436,7 +440,6 @@ cleanup:
mp_clear(&qInv);
mp_clear(&m1);
mp_clear(&m2);
mp_clear(&b2);
mp_clear(&h);
mp_clear(&ctmp);
if (err) {
@ -446,6 +449,131 @@ cleanup:
return rv;
}
/*
* Perform a check on the received private key CRT parameters. An attack
* against RSA CRT was described by Boneh, DeMillo, and Lipton in:
* "On the Importance of Eliminating Errors in Cryptographic Computations",
* http://theory.stanford.edu/~dabo/papers/faults.ps.gz
*
* The check used to prevent this attack was demonstrated by Shamir in:
* "How to check modular exponentiation", Rump Session of EUROCRYPT '97
*/
static SECStatus
rsa_PrivateKeyOpCRTCheckedShamir(RSAPrivateKey *key, mp_int *m, mp_int *c)
{
/* XXX
* This is not implemented. Open issues are how to store/maintain a
* set of { r(p), r(q) } values, where r is a 32-bit prime number used
* in the test.
* Also, we must determine when this test should be performed in favor
* of a simple public key operation.
*/
#if 0
mp_int p, q, qInv;
mp_int m1, m2, h, ctmp, res1, res2;
mp_err err = MP_OKAY;
SECStatus rv = SECSuccess;
MP_DIGITS(&p) = 0;
MP_DIGITS(&q) = 0;
MP_DIGITS(&qInv) = 0;
MP_DIGITS(&m1) = 0;
MP_DIGITS(&m2) = 0;
MP_DIGITS(&h) = 0;
MP_DIGITS(&ctmp) = 0;
MP_DIGITS(&res1) = 0;
MP_DIGITS(&res2) = 0;
CHECK_MPI_OK( mp_init(&p) );
CHECK_MPI_OK( mp_init(&q) );
CHECK_MPI_OK( mp_init(&qInv) );
CHECK_MPI_OK( mp_init(&m1) );
CHECK_MPI_OK( mp_init(&m2) );
CHECK_MPI_OK( mp_init(&h) );
CHECK_MPI_OK( mp_init(&ctmp) );
CHECK_MPI_OK( mp_init(&res1) );
CHECK_MPI_OK( mp_init(&res2) );
/* copy private key parameters into mp integers */
SECITEM_TO_MPINT(key->prime1, &p); /* p */
SECITEM_TO_MPINT(key->prime2, &q); /* q */
SECITEM_TO_MPINT(key->coefficient, &qInv); /* qInv = q**-1 mod p */
/* s1 = M**d mod pr */
CHECK_MPI_OK( mp_exptmod(m, d, &pr, s1) );
/* s2 = M**d mod qr */
CHECK_MPI_OK( mp_exptmod(m, d, &qr, s2) );
/* perform the check: s1 mod r = s2 mod r */
CHECK_MPI_OK( mp_mod_d(s1, r, &res1) );
CHECK_MPI_OK( mp_mod_d(s2, r, &res2) );
if (res1 != res2) {
rv = SECFailure;
goto cleanup;
}
/* reduce s1 = s1 mod p */
CHECK_MPI_OK( mp_mod(s1, p, &s1) );
/* reduce s2 = s2 mod q */
CHECK_MPI_OK( mp_mod(s2, q, &s2) );
/* 3. h = (m1 - m2) * qInv mod p */
CHECK_MPI_OK( mp_submod(&m1, &m2, &p, &h) );
CHECK_MPI_OK( mp_mulmod(&h, &qInv, &p, &h) );
/* 4. m = m2 + h * q */
CHECK_MPI_OK( mp_mul(&h, &q, m) );
CHECK_MPI_OK( mp_add(m, &m2, m) );
cleanup:
mp_clear(&p);
mp_clear(&q);
mp_clear(&qInv);
mp_clear(&m1);
mp_clear(&m2);
mp_clear(&h);
mp_clear(&ctmp);
mp_clear(&res1);
mp_clear(&res2);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
#endif
return SECFailure;
}
/*
** As a defense against the same attack mentioned above, carry out the
** private key operation. Follow up with a public key operation to invert
** the result. Verify that result against the input.
*/
static SECStatus
rsa_PrivateKeyOpCRTCheckedPubKey(RSAPrivateKey *key, mp_int *m, mp_int *c)
{
mp_int n, e, s;
mp_err err = MP_OKAY;
SECStatus rv = SECSuccess;
MP_DIGITS(&n) = 0;
MP_DIGITS(&e) = 0;
MP_DIGITS(&s) = 0;
CHECK_MPI_OK( mp_init(&n) );
CHECK_MPI_OK( mp_init(&e) );
CHECK_MPI_OK( mp_init(&s) );
CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, m, c) );
/* Perform the CRT parameters check for the small e case.
* Simply verify that a public key op inverts this operation.
*/
SECITEM_TO_MPINT(key->modulus, &n);
SECITEM_TO_MPINT(key->publicExponent, &e);
/* Perform a public key operation c = m ** e mod n */
CHECK_MPI_OK( mp_exptmod(m, &e, &n, &s) );
if (mp_cmp(&s, c) != 0) {
rv = SECFailure;
}
cleanup:
mp_clear(&n);
mp_clear(&e);
mp_clear(&s);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}
static PRCallOnceType coBPInit = { 0, 0, 0 };
static PRStatus
init_blinding_params_list(void)
@ -619,10 +747,11 @@ cleanup:
** Perform a raw private-key operation
** Length of input and output buffers are equal to key's modulus len.
*/
SECStatus
RSA_PrivateKeyOp(RSAPrivateKey *key,
static SECStatus
rsa_PrivateKeyOp(RSAPrivateKey *key,
unsigned char *output,
const unsigned char *input)
const unsigned char *input,
PRBool check)
{
unsigned int modLen;
unsigned int offset;
@ -667,9 +796,18 @@ RSA_PrivateKeyOp(RSAPrivateKey *key,
key->exponent1.len == 0 ||
key->exponent2.len == 0 ||
key->coefficient.len == 0) {
CHECK_SEC_OK( rsa_PrivateKeyOp(key, &m, &c, &n, modLen) );
CHECK_SEC_OK( rsa_PrivateKeyOpNoCRT(key, &m, &c, &n, modLen) );
} else if (check) {
/* until the implementation of Shamir's check is complete, all
* double-checks will be done via a public key operation.
*/
if (PR_TRUE) {
CHECK_SEC_OK( rsa_PrivateKeyOpCRTCheckedPubKey(key, &m, &c) );
} else {
CHECK_SEC_OK( rsa_PrivateKeyOpCRTCheckedShamir(key, &m, &c) );
}
} else {
CHECK_SEC_OK( rsa_PrivateKeyOpCRT(key, &m, &c, modLen) );
CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, &m, &c) );
}
/* If blinding, compute post-image of plaintext by multiplying by
** blinding factor
@ -692,3 +830,140 @@ cleanup:
}
return rv;
}
SECStatus
RSA_PrivateKeyOp(RSAPrivateKey *key,
unsigned char *output,
const unsigned char *input)
{
return rsa_PrivateKeyOp(key, output, input, PR_FALSE);
}
SECStatus
RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key,
unsigned char *output,
const unsigned char *input)
{
return rsa_PrivateKeyOp(key, output, input, PR_TRUE);
}
SECStatus
RSA_PrivateKeyCheck(RSAPrivateKey *key)
{
mp_int p, q, n, psub1, qsub1, e, d, d_p, d_q, qInv, res;
mp_err err = MP_OKAY;
SECStatus rv = SECSuccess;
MP_DIGITS(&n) = 0;
MP_DIGITS(&psub1)= 0;
MP_DIGITS(&qsub1)= 0;
MP_DIGITS(&e) = 0;
MP_DIGITS(&d) = 0;
MP_DIGITS(&d_p) = 0;
MP_DIGITS(&d_q) = 0;
MP_DIGITS(&qInv) = 0;
MP_DIGITS(&res) = 0;
CHECK_MPI_OK( mp_init(&n) );
CHECK_MPI_OK( mp_init(&p) );
CHECK_MPI_OK( mp_init(&q) );
CHECK_MPI_OK( mp_init(&psub1));
CHECK_MPI_OK( mp_init(&qsub1));
CHECK_MPI_OK( mp_init(&e) );
CHECK_MPI_OK( mp_init(&d) );
CHECK_MPI_OK( mp_init(&d_p) );
CHECK_MPI_OK( mp_init(&d_q) );
CHECK_MPI_OK( mp_init(&qInv) );
CHECK_MPI_OK( mp_init(&res) );
SECITEM_TO_MPINT(key->modulus, &n);
SECITEM_TO_MPINT(key->prime1, &p);
SECITEM_TO_MPINT(key->prime2, &q);
SECITEM_TO_MPINT(key->publicExponent, &e);
SECITEM_TO_MPINT(key->privateExponent, &d);
SECITEM_TO_MPINT(key->exponent1, &d_p);
SECITEM_TO_MPINT(key->exponent2, &d_q);
SECITEM_TO_MPINT(key->coefficient, &qInv);
/* p > q */
if (mp_cmp(&p, &q) <= 0) {
/* mind the p's and q's */
SECItem tmp;
mp_exch(&p, &q);
tmp.data = key->prime1.data;
tmp.len = key->prime1.len;
key->prime1.data = key->prime2.data;
key->prime1.len = key->prime2.len;
key->prime2.data = tmp.data;
key->prime2.len = tmp.len;
}
#define VERIFY_MPI_EQUAL(m1, m2) \
if (mp_cmp(m1, m2) != 0) { \
rv = SECFailure; \
goto cleanup; \
}
#define VERIFY_MPI_EQUAL_1(m) \
if (mp_cmp_d(m, 1) != 0) { \
rv = SECFailure; \
goto cleanup; \
}
/*
* The following errors cannot be recovered from.
*/
/* n == p * q */
CHECK_MPI_OK( mp_mul(&p, &q, &res) );
VERIFY_MPI_EQUAL(&res, &n);
/* gcd(e, p-1) == 1 */
CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );
CHECK_MPI_OK( mp_gcd(&e, &psub1, &res) );
VERIFY_MPI_EQUAL_1(&res);
/* gcd(e, q-1) == 1 */
CHECK_MPI_OK( mp_sub_d(&q, 1, &qsub1) );
CHECK_MPI_OK( mp_gcd(&e, &qsub1, &res) );
VERIFY_MPI_EQUAL_1(&res);
/* d*e == 1 mod p-1 */
CHECK_MPI_OK( mp_mulmod(&d, &e, &psub1, &res) );
VERIFY_MPI_EQUAL_1(&res);
/* d*e == 1 mod q-1 */
CHECK_MPI_OK( mp_mulmod(&d, &e, &qsub1, &res) );
VERIFY_MPI_EQUAL_1(&res);
/*
* The following errors can be recovered from.
*/
/* d_p == d mod p-1 */
CHECK_MPI_OK( mp_mod(&d, &psub1, &res) );
if (mp_cmp(&d_p, &res) != 0) {
/* swap in the correct value */
SECITEM_ZfreeItem(&key->exponent1, PR_FALSE);
MPINT_TO_SECITEM(&res, &key->exponent1, key->arena);
}
/* d_q == d mod q-1 */
CHECK_MPI_OK( mp_mod(&d, &qsub1, &res) );
if (mp_cmp(&d_q, &res) != 0) {
/* swap in the correct value */
SECITEM_ZfreeItem(&key->exponent2, PR_FALSE);
MPINT_TO_SECITEM(&res, &key->exponent2, key->arena);
}
/* q * q**-1 == 1 mod p */
CHECK_MPI_OK( mp_mulmod(&q, &qInv, &p, &res) );
if (mp_cmp_d(&res, 1) != 0) {
/* compute the correct value */
CHECK_MPI_OK( mp_invmod(&q, &p, &qInv) );
SECITEM_ZfreeItem(&key->coefficient, PR_FALSE);
MPINT_TO_SECITEM(&res, &key->coefficient, key->arena);
}
cleanup:
mp_clear(&n);
mp_clear(&p);
mp_clear(&q);
mp_clear(&psub1);
mp_clear(&qsub1);
mp_clear(&e);
mp_clear(&d);
mp_clear(&d_p);
mp_clear(&d_q);
mp_clear(&qInv);
mp_clear(&res);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}