diff options
Diffstat (limited to 'openssl/trunk/crypto/rsa')
| -rw-r--r-- | openssl/trunk/crypto/rsa/rsa.h | 12 | ||||
| -rw-r--r-- | openssl/trunk/crypto/rsa/rsa_eay.c | 101 | ||||
| -rw-r--r-- | openssl/trunk/crypto/rsa/rsa_err.c | 1 | ||||
| -rw-r--r-- | openssl/trunk/crypto/rsa/rsa_sign.c | 17 |
4 files changed, 114 insertions, 17 deletions
diff --git a/openssl/trunk/crypto/rsa/rsa.h b/openssl/trunk/crypto/rsa/rsa.h index d302254b..b19c5569 100644 --- a/openssl/trunk/crypto/rsa/rsa.h +++ b/openssl/trunk/crypto/rsa/rsa.h @@ -159,6 +159,17 @@ struct rsa_st BN_BLINDING *mt_blinding; }; +#ifndef OPENSSL_RSA_MAX_MODULUS_BITS +# define OPENSSL_RSA_MAX_MODULUS_BITS 16384 +#endif + +#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS +# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072 +#endif +#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS +# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */ +#endif + #define RSA_3 0x3L #define RSA_F4 0x10001L @@ -407,6 +418,7 @@ void ERR_load_RSA_strings(void); #define RSA_R_IQMP_NOT_INVERSE_OF_Q 126 #define RSA_R_KEY_SIZE_TOO_SMALL 120 #define RSA_R_LAST_OCTET_INVALID 134 +#define RSA_R_MODULUS_TOO_LARGE 105 #define RSA_R_NO_PUBLIC_EXPONENT 140 #define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 diff --git a/openssl/trunk/crypto/rsa/rsa_eay.c b/openssl/trunk/crypto/rsa/rsa_eay.c index 56da9448..e7b7a9c4 100644 --- a/openssl/trunk/crypto/rsa/rsa_eay.c +++ b/openssl/trunk/crypto/rsa/rsa_eay.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -168,6 +168,28 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *buf=NULL; BN_CTX *ctx=NULL; + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); + return -1; + } + + if (BN_ucmp(rsa->n, rsa->e) <= 0) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); + return -1; + } + + /* for large moduli, enforce exponent limit */ + if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) + { + if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); + return -1; + } + } + if ((ctx=BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); f = BN_CTX_get(ctx); @@ -238,40 +260,63 @@ err: return(r); } -static BN_BLINDING *rsa_get_blinding(RSA *rsa, BIGNUM **r, int *local, BN_CTX *ctx) +static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) { BN_BLINDING *ret; + int got_write_lock = 0; + + CRYPTO_r_lock(CRYPTO_LOCK_RSA); if (rsa->blinding == NULL) { + CRYPTO_r_unlock(CRYPTO_LOCK_RSA); + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + got_write_lock = 1; + if (rsa->blinding == NULL) - { - CRYPTO_w_lock(CRYPTO_LOCK_RSA); - if (rsa->blinding == NULL) - rsa->blinding = RSA_setup_blinding(rsa, ctx); - CRYPTO_w_unlock(CRYPTO_LOCK_RSA); - } + rsa->blinding = RSA_setup_blinding(rsa, ctx); } ret = rsa->blinding; if (ret == NULL) - return NULL; + goto err; - if (BN_BLINDING_get_thread_id(ret) != CRYPTO_thread_id()) + if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id()) { - *local = 0; + /* rsa->blinding is ours! */ + + *local = 1; + } + else + { + /* resort to rsa->mt_blinding instead */ + + *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() + * that the BN_BLINDING is shared, meaning that accesses + * require locks, and that the blinding factor must be + * stored outside the BN_BLINDING + */ + if (rsa->mt_blinding == NULL) { - CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (!got_write_lock) + { + CRYPTO_r_unlock(CRYPTO_LOCK_RSA); + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + got_write_lock = 1; + } + if (rsa->mt_blinding == NULL) rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); - CRYPTO_w_unlock(CRYPTO_LOCK_RSA); } ret = rsa->mt_blinding; } - else - *local = 1; + err: + if (got_write_lock) + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + else + CRYPTO_r_unlock(CRYPTO_LOCK_RSA); return ret; } @@ -358,7 +403,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { - blinding = rsa_get_blinding(rsa, &br, &local_blinding, ctx); + blinding = rsa_get_blinding(rsa, &local_blinding, ctx); if (blinding == NULL) { RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); @@ -479,7 +524,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { - blinding = rsa_get_blinding(rsa, &br, &local_blinding, ctx); + blinding = rsa_get_blinding(rsa, &local_blinding, ctx); if (blinding == NULL) { RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); @@ -574,6 +619,28 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *buf=NULL; BN_CTX *ctx=NULL; + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); + return -1; + } + + if (BN_ucmp(rsa->n, rsa->e) <= 0) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); + return -1; + } + + /* for large moduli, enforce exponent limit */ + if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) + { + if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); + return -1; + } + } + if((ctx = BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); f = BN_CTX_get(ctx); diff --git a/openssl/trunk/crypto/rsa/rsa_err.c b/openssl/trunk/crypto/rsa/rsa_err.c index f82b2d6a..da7a4fb4 100644 --- a/openssl/trunk/crypto/rsa/rsa_err.c +++ b/openssl/trunk/crypto/rsa/rsa_err.c @@ -137,6 +137,7 @@ static ERR_STRING_DATA RSA_str_reasons[]= {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"}, {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"}, {ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"}, +{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"}, {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"}, {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"}, diff --git a/openssl/trunk/crypto/rsa/rsa_sign.c b/openssl/trunk/crypto/rsa/rsa_sign.c index 230ec6d7..71aabeea 100644 --- a/openssl/trunk/crypto/rsa/rsa_sign.c +++ b/openssl/trunk/crypto/rsa/rsa_sign.c @@ -185,6 +185,23 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, sig=d2i_X509_SIG(NULL,&p,(long)i); if (sig == NULL) goto err; + + /* Excess data can be used to create forgeries */ + if(p != s+i) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + + /* Parameters to the signature algorithm can also be used to + create forgeries */ + if(sig->algor->parameter + && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + sigtype=OBJ_obj2nid(sig->algor->algorithm); |