check the CRT result.

diff --git a/CHANGES b/CHANGES
index 318e4aebcb70d27d573126972bdb89d3d1eb7b34..0c1f30e0b482517f591118ab1792853b291b883c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
 
  Changes between 0.9.6 and 0.9.6a  [xx XXX 2001]
 
+  *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
+     On the Importance of Eliminating Errors in Cryptographic
+        Computations, J. Cryptology 14 (2001) 2, 101-119,
+        http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
+        [Ulf Moeller]
+  
   *) MIPS assembler BIGNUM division bug fix. 
      [Andy Polyakov]
 

diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 62618fe5a9991acab84c7b476306a7efd8357d38..3e3832025781e70946b253225f25f59fe16ae3b6 100644 (file)
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -443,13 +443,14 @@ err:
 
 static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
        {
-       BIGNUM r1,m1;
+       BIGNUM r1,m1,vrfy;
        int ret=0;
        BN_CTX *ctx;
 
        if ((ctx=BN_CTX_new()) == NULL) goto err;
        BN_init(&m1);
        BN_init(&r1);
+       BN_init(&vrfy);
 
        if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
                {
@@ -530,10 +531,19 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
        if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
        if (!BN_add(r0,&r1,&m1)) goto err;
 
+       if (rsa->e && rsa->n)
+               {
+               if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
+               if (BN_cmp(I, &vrfy) != 0)
+                       {
+                       if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
+                       }
+               }
        ret=1;
 err:
        BN_clear_free(&m1);
        BN_clear_free(&r1);
+       BN_clear_free(&vrfy);
        BN_CTX_free(ctx);
        return(ret);
        }