From 1777e3fd5eac0e491bb16a0bb37f4b0f298e6486 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Ulf=20M=C3=B6ller?= Date: Wed, 28 Mar 2001 04:49:39 +0000 Subject: [PATCH] check the CRT result. --- CHANGES | 6 ++++++ crypto/rsa/rsa_eay.c | 12 +++++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 318e4aebcb..0c1f30e0b4 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,12 @@ Changes between 0.9.6 and 0.9.6a [xx XXX 2001] + *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton: + On the Importance of Eliminating Errors in Cryptographic + Computations, J. Cryptology 14 (2001) 2, 101-119, + http://theory.stanford.edu/~dabo/papers/faults.ps.gz). + [Ulf Moeller] + *) MIPS assembler BIGNUM division bug fix. [Andy Polyakov] diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 62618fe5a9..3e38320257 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -443,13 +443,14 @@ err: static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) { - BIGNUM r1,m1; + BIGNUM r1,m1,vrfy; int ret=0; BN_CTX *ctx; if ((ctx=BN_CTX_new()) == NULL) goto err; BN_init(&m1); BN_init(&r1); + BN_init(&vrfy); if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { @@ -530,10 +531,19 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; if (!BN_add(r0,&r1,&m1)) goto err; + if (rsa->e && rsa->n) + { + if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; + if (BN_cmp(I, &vrfy) != 0) + { + if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err; + } + } ret=1; err: BN_clear_free(&m1); BN_clear_free(&r1); + BN_clear_free(&vrfy); BN_CTX_free(ctx); return(ret); } -- 2.25.1