|
1 From 5b874ee8b72a0c76c990041d2ed8b53a38e2dfde Mon Sep 17 00:00:00 2001 |
|
2 From: Brad Fitzpatrick <[email protected]> |
|
3 Date: Tue, 5 Apr 2016 20:40:40 +0000 |
|
4 Subject: [PATCH 75/79] crypto/rsa, crypto/ecdsa: fail earlier on zero |
|
5 parameters |
|
6 |
|
7 Change-Id: Ia6ed49d5ef3a256a55e6d4eaa1b4d9f0fc447013 |
|
8 Reviewed-on: https://go-review.googlesource.com/21560 |
|
9 Reviewed-by: Robert Griesemer <[email protected]> |
|
10 Reviewed-on: https://go-review.googlesource.com/21638 |
|
11 Reviewed-by: Brad Fitzpatrick <[email protected]> |
|
12 Run-TryBot: Andrew Gerrand <[email protected]> |
|
13 --- |
|
14 src/crypto/ecdsa/ecdsa.go | 11 ++++++++--- |
|
15 src/crypto/rsa/rsa.go | 5 ++++- |
|
16 2 files changed, 12 insertions(+), 4 deletions(-) |
|
17 |
|
18 diff --git a/src/crypto/ecdsa/ecdsa.go b/src/crypto/ecdsa/ecdsa.go |
|
19 index 8d66477..a01e18c 100644 |
|
20 --- a/src/crypto/ecdsa/ecdsa.go |
|
21 +++ b/src/crypto/ecdsa/ecdsa.go |
|
22 @@ -23,6 +23,7 @@ import ( |
|
23 "crypto/elliptic" |
|
24 "crypto/sha512" |
|
25 "encoding/asn1" |
|
26 + "errors" |
|
27 "io" |
|
28 "math/big" |
|
29 ) |
|
30 @@ -129,6 +130,8 @@ func fermatInverse(k, N *big.Int) *big.Int { |
|
31 return new(big.Int).Exp(k, nMinus2, N) |
|
32 } |
|
33 |
|
34 +var errZeroParam = errors.New("zero parameter") |
|
35 + |
|
36 // Sign signs an arbitrary length hash (which should be the result of hashing a |
|
37 // larger message) using the private key, priv. It returns the signature as a |
|
38 // pair of integers. The security of the private key depends on the entropy of |
|
39 @@ -169,7 +172,9 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err |
|
40 // See [NSA] 3.4.1 |
|
41 c := priv.PublicKey.Curve |
|
42 N := c.Params().N |
|
43 - |
|
44 + if N.Sign() == 0 { |
|
45 + return nil, nil, errZeroParam |
|
46 + } |
|
47 var k, kInv *big.Int |
|
48 for { |
|
49 for { |
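Review bot: The new guard on `N := c.Params().N` rejects only an exactly-zero order (`N.Sign() == 0`); a negative N from hand-built CurveParams passes it and reaches `fermatInverse(k, N)` and `r.Mod(r, N)` below, where big.Int quietly works with |N| or a Euclidean remainder instead of failing. Since the stated purpose is to fail early on nonsense parameters, `if N.Sign() <= 0 {` would close that gap at no cost. A one-line why-comment would also help the next reader, e.g. `// A zero order would make the Mod/Exp below panic; reject it up front rather than deep in the loop.` Note that `Sign` begins before this hunk and its body continues past it, so the later uses of N are only partly visible here.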
|
50 @@ -179,7 +184,7 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err |
|
51 return |
|
52 } |
|
53 |
|
54 - kInv = fermatInverse(k, N) |
|
55 + kInv = fermatInverse(k, N) // N != 0 |
|
56 r, _ = priv.Curve.ScalarBaseMult(k.Bytes()) |
|
57 r.Mod(r, N) |
|
58 if r.Sign() != 0 { |
|
59 @@ -191,7 +196,7 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err |
|
60 s = new(big.Int).Mul(priv.D, r) |
|
61 s.Add(s, e) |
|
62 s.Mul(s, kInv) |
|
63 - s.Mod(s, N) |
|
64 + s.Mod(s, N) // N != 0 |
|
65 if s.Sign() != 0 { |
|
66 break |
|
67 } |
|
68 diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go |
|
69 index 1293b78..031de0e 100644 |
|
70 --- a/src/crypto/rsa/rsa.go |
|
71 +++ b/src/crypto/rsa/rsa.go |
|
72 @@ -436,6 +436,9 @@ func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err er |
|
73 err = ErrDecryption |
|
74 return |
|
75 } |
|
76 + if priv.N.Sign() == 0 { |
|
77 + return nil, ErrDecryption |
|
78 + } |
|
79 |
|
80 var ir *big.Int |
|
81 if random != nil { |
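Review bot: The added `priv.N.Sign() == 0` check, like the ECDSA one, lets a negative modulus through to the `Exp`/`Mod` calls later in `decrypt`, where big.Int uses |N| rather than erroring; `if priv.N.Sign() <= 0 {` would reject that case as well. It would also help to say why this check exists and why it returns `ErrDecryption` rather than a parameter error, e.g. `// Reject a degenerate modulus before the Mod/Exp below; a private key with N == 0 can never decrypt, so surface it as ErrDecryption.` The preceding context lines already compare c against priv.N, so the guard's placement after that comparison is fine. `decrypt` starts before and continues after this hunk, so the remaining uses of priv.N are outside view.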
|
82 @@ -461,7 +464,7 @@ func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err er |
|
83 } |
|
84 } |
|
85 bigE := big.NewInt(int64(priv.E)) |
|
86 - rpowe := new(big.Int).Exp(r, bigE, priv.N) |
|
87 + rpowe := new(big.Int).Exp(r, bigE, priv.N) // N != 0 |
|
88 cCopy := new(big.Int).Set(c) |
|
89 cCopy.Mul(cCopy, rpowe) |
|
90 cCopy.Mod(cCopy, priv.N) |
|
91 -- |
|
92 2.7.4 |
|
93 |