check CRT

6a5b52ef · Ulf Möller · 6d864b70 · 6a5b52ef · 6a5b52ef
隐藏空白更改
内联并排

Showing with 18 addition and 2 deletion

CHANGES CHANGES +7 -1

crypto/rsa/rsa_eay.c crypto/rsa/rsa_eay.c +11 -1

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,13 @@

 Changes between 0.9.6 and 0.9.7  [xx XXX 2000]

-  *) MIPS assembler BIGNUM division bug fix.
+  *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
+     On the Importance of Eliminating Errors in Cryptographic
+	 Computations, J. Cryptology 14 (2001) 2, 101-119,
+	 http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
+	 [Ulf Moeller]
+  
+  *) MIPS assembler BIGNUM division bug fix. 
     [Andy Polyakov]

  *) Fix bug in PKCS#12 key generation routines. This was triggered

--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -453,7 +453,7 @@ err:
 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 	{
 	const RSA_METHOD *meth;
-	BIGNUM r1,m1;
+	BIGNUM r1,m1,vrfy;
 	int ret=0;
 	BN_CTX *ctx;

@@ -461,6 +461,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 	if ((ctx=BN_CTX_new()) == NULL) goto err;
 	BN_init(&m1);
 	BN_init(&r1);
+	BN_init(&vrfy);

 	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
 		{
@@ -541,10 +542,19 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
 	if (!BN_add(r0,&r1,&m1)) goto err;

+	if (rsa->e && rsa->n)
+		{
+		if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
+		if (BN_cmp(I, &vrfy) != 0)
+			{
+			if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
+			}
+		}
 	ret=1;
 err:
 	BN_clear_free(&m1);
 	BN_clear_free(&r1);
+	BN_clear_free(&vrfy);
 	BN_CTX_free(ctx);
 	return(ret);
 	}