[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Rich Salz rsalz at openssl.org
Mon Aug 22 15:52:36 UTC 2016


The branch OpenSSL_1_0_2-stable has been updated
       via  561530da966ac63a73a35e3b856a56e4fc3fe849 (commit)
      from  51690fb8881955a4ff3f4648a06f1be3f0945d7b (commit)


- Log -----------------------------------------------------------------
commit 561530da966ac63a73a35e3b856a56e4fc3fe849
Author: Rich Salz <rsalz at openssl.org>
Date:   Mon Aug 22 11:25:12 2016 -0400

    RT2676: Reject RSA eponent if even or 1
    
    Also, re-organize RSA check to use goto err.
    Try all checks, not just stopping at first (via Richard Levitte)
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 464d59a5bb5811f7671e2bd37f41d610606b829d)

-----------------------------------------------------------------------

Summary of changes:
 crypto/rsa/rsa_chk.c   | 89 +++++++++++++++++++-------------------------------
 crypto/rsa/rsa_pmeth.c |  4 ++-
 2 files changed, 36 insertions(+), 57 deletions(-)

diff --git a/crypto/rsa/rsa_chk.c b/crypto/rsa/rsa_chk.c
index 607faa0..475dfc5 100644
--- a/crypto/rsa/rsa_chk.c
+++ b/crypto/rsa/rsa_chk.c
@@ -56,7 +56,6 @@ int RSA_check_key(const RSA *key)
 {
     BIGNUM *i, *j, *k, *l, *m;
     BN_CTX *ctx;
-    int r;
     int ret = 1;
 
     if (!key->p || !key->q || !key->n || !key->e || !key->d) {
@@ -70,75 +69,68 @@ int RSA_check_key(const RSA *key)
     l = BN_new();
     m = BN_new();
     ctx = BN_CTX_new();
-    if (i == NULL || j == NULL || k == NULL || l == NULL ||
-        m == NULL || ctx == NULL) {
+    if (i == NULL || j == NULL || k == NULL || l == NULL
+            || m == NULL || ctx == NULL) {
         ret = -1;
         RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
         goto err;
     }
 
+    if (BN_is_one(key->e)) {
+        ret = 0;
+        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_BAD_E_VALUE);
+    }
+    if (!BN_is_odd(key->e)) {
+        ret = 0;
+        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_BAD_E_VALUE);
+    }
+
     /* p prime? */
-    r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
-    if (r != 1) {
-        ret = r;
-        if (r != 0)
-            goto err;
+    if (BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL) != 1) {
+        ret = 0;
         RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
     }
 
     /* q prime? */
-    r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
-    if (r != 1) {
-        ret = r;
-        if (r != 0)
-            goto err;
+    if (BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL) != 1) {
+        ret = 0;
         RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
     }
 
     /* n = p*q? */
-    r = BN_mul(i, key->p, key->q, ctx);
-    if (!r) {
+    if (!BN_mul(i, key->p, key->q, ctx)) {
         ret = -1;
         goto err;
     }
-
     if (BN_cmp(i, key->n) != 0) {
         ret = 0;
         RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
     }
 
     /* d*e = 1  mod lcm(p-1,q-1)? */
-
-    r = BN_sub(i, key->p, BN_value_one());
-    if (!r) {
+    if (!BN_sub(i, key->p, BN_value_one())) {
         ret = -1;
         goto err;
     }
-    r = BN_sub(j, key->q, BN_value_one());
-    if (!r) {
+    if (!BN_sub(j, key->q, BN_value_one())) {
         ret = -1;
         goto err;
     }
 
     /* now compute k = lcm(i,j) */
-    r = BN_mul(l, i, j, ctx);
-    if (!r) {
+    if (!BN_mul(l, i, j, ctx)) {
         ret = -1;
         goto err;
     }
-    r = BN_gcd(m, i, j, ctx);
-    if (!r) {
+    if (!BN_gcd(m, i, j, ctx)) {
         ret = -1;
         goto err;
     }
-    r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
-    if (!r) {
+    if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */
         ret = -1;
         goto err;
     }
-
-    r = BN_mod_mul(i, key->d, key->e, k, ctx);
-    if (!r) {
+    if (!BN_mod_mul(i, key->d, key->e, k, ctx)) {
         ret = -1;
         goto err;
     }
@@ -150,36 +142,28 @@ int RSA_check_key(const RSA *key)
 
     if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
         /* dmp1 = d mod (p-1)? */
-        r = BN_sub(i, key->p, BN_value_one());
-        if (!r) {
+        if (!BN_sub(i, key->p, BN_value_one())) {
             ret = -1;
             goto err;
         }
-
-        r = BN_mod(j, key->d, i, ctx);
-        if (!r) {
+        if (!BN_mod(j, key->d, i, ctx)) {
             ret = -1;
             goto err;
         }
-
         if (BN_cmp(j, key->dmp1) != 0) {
             ret = 0;
             RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMP1_NOT_CONGRUENT_TO_D);
         }
 
         /* dmq1 = d mod (q-1)? */
-        r = BN_sub(i, key->q, BN_value_one());
-        if (!r) {
+        if (!BN_sub(i, key->q, BN_value_one())) {
             ret = -1;
             goto err;
         }
-
-        r = BN_mod(j, key->d, i, ctx);
-        if (!r) {
+        if (!BN_mod(j, key->d, i, ctx)) {
             ret = -1;
             goto err;
         }
-
         if (BN_cmp(j, key->dmq1) != 0) {
             ret = 0;
             RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
@@ -190,7 +174,6 @@ int RSA_check_key(const RSA *key)
             ret = -1;
             goto err;
         }
-
         if (BN_cmp(i, key->iqmp) != 0) {
             ret = 0;
             RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_IQMP_NOT_INVERSE_OF_Q);
@@ -198,17 +181,11 @@ int RSA_check_key(const RSA *key)
     }
 
  err:
-    if (i != NULL)
-        BN_free(i);
-    if (j != NULL)
-        BN_free(j);
-    if (k != NULL)
-        BN_free(k);
-    if (l != NULL)
-        BN_free(l);
-    if (m != NULL)
-        BN_free(m);
-    if (ctx != NULL)
-        BN_CTX_free(ctx);
-    return (ret);
+    BN_free(i);
+    BN_free(j);
+    BN_free(k);
+    BN_free(l);
+    BN_free(m);
+    BN_CTX_free(ctx);
+    return ret;
 }
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index 2036355..94db87a 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -545,8 +545,10 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
         return 1;
 
     case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
-        if (!p2)
+        if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || BN_is_one((BIGNUM *)p2)) {
+            RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_BAD_E_VALUE);
             return -2;
+        }
         BN_free(rctx->pub_exp);
         rctx->pub_exp = p2;
         return 1;


More information about the openssl-commits mailing list