Reviewers: agl1,

Message:
Hello agl1 (cc: golang-dev@googlegroups.com),

I'd like you to review this change to
https://go.googlecode.com/hg/


Description:
crypto/rsa: reject PublicKey.E if it won't fit in a 32-bit int

Right now we only have 32-bit ints so that's a no-op.
Took the opportunity to check for some other invalid values too.
Suggestions for additions or modifications welcome.

Please review this at http://codereview.appspot.com/6493112/

Affected files:
M src/pkg/crypto/rsa/pkcs1v15.go
M src/pkg/crypto/rsa/rsa.go


Index: src/pkg/crypto/rsa/pkcs1v15.go
===================================================================
--- a/src/pkg/crypto/rsa/pkcs1v15.go
+++ b/src/pkg/crypto/rsa/pkcs1v15.go
@@ -19,6 +19,9 @@
// WARNING: use of this function to encrypt plaintexts other than session
keys
// is dangerous. Use RSA OAEP in new protocols.
func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) (out
[]byte, err error) {
+ if err := checkPub(pub); err != nil {
+ return nil, err
+ }
k := (pub.N.BitLen() + 7) / 8
if len(msg) > k-11 {
err = ErrMessageTooLong
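Review bot: The doc comment of EncryptPKCS1v15 does not mention the new failure mode, and the error it returns is the unexported errPublicKey, so a caller can only learn of it from the comment text. I would add a line such as `// It returns an error if pub has a nil modulus or an exponent outside [2, 2^31-1].` to the comment here. The equivalent line belongs on DecryptPKCS1v15, DecryptPKCS1v15SessionKey, EncryptOAEP and DecryptOAEP, which gain the same check. The function body continues outside the hunk.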
@@ -47,6 +50,9 @@
// DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme
from PKCS#1 v1.5.
// If rand != nil, it uses RSA blinding to avoid timing side-channel
attacks.
func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte)
(out []byte, err error) {
+ if err := checkPub(&priv.PublicKey); err != nil {
+ return nil, err
+ }
valid, out, err := decryptPKCS1v15(rand, priv, ciphertext)
if err == nil && valid == 0 {
err = ErrDecryption
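Review bot: `if err := checkPub(&priv.PublicKey); err != nil` declares a second err that shadows the named result err of DecryptPKCS1v15. It is harmless here because the return is explicit, but assigning to the existing result, `if err = checkPub(&priv.PublicKey); err != nil {`, keeps a single err in the function and stays quiet under shadow checks. The same form is used in the other four functions this change touches. The function body continues outside the hunk.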
@@ -69,6 +75,9 @@
// Encryption Standard PKCS #1'', Daniel Bleichenbacher, Advances in
Cryptology
// (Crypto '98).
func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey,
ciphertext []byte, key []byte) (err error) {
+ if err := checkPub(&priv.PublicKey); err != nil {
+ return err
+ }
k := (priv.N.BitLen() + 7) / 8
if k-(len(key)+3+8) < 0 {
err = ErrDecryption
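Review bot: The early return added at the top of DecryptPKCS1v15SessionKey should carry a comment explaining why it is safe, because the doc comment above it cites Bleichenbacher's attack and readers will check every error path for a padding oracle. As written in rsa.go, checkPub reads only pub.N and pub.E, so the result depends on the key and never on the ciphertext. I would add `// checkPub looks only at the key, never at the ciphertext, so this error reveals nothing about padding validity.` above the call. The function body continues outside the hunk.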
Index: src/pkg/crypto/rsa/rsa.go
===================================================================
--- a/src/pkg/crypto/rsa/rsa.go
+++ b/src/pkg/crypto/rsa/rsa.go
@@ -25,6 +25,20 @@
E int // public exponent
}

+var errPublicKey = errors.New("crypto/rsa: invalid public key")
+
+// checkPub sanity checks the public key before we use it.
+// We require pub.E to fit into a 32-bit integer so that we
+// do not have different behavior depending on whether
+// int is 32 or 64 bits. See also
+// http://www.imperialviolet.org/2012/03/16/rsae.html.
+func checkPub(pub *PublicKey) error {
+ if pub.N == nil || pub.E < 2 || pub.E > 1<<31-1 {
+ return errPublicKey
+ }
+ return nil
+}
+
// A PrivateKey represents an RSA key
type PrivateKey struct {
PublicKey // public part.
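Review bot: checkPub accepts even exponents and a zero or negative modulus, because `pub.E < 2` rejects only values below 2 and `pub.N == nil` says nothing about the value of N. An even E cannot be inverted modulo φ(N), which is even for any modulus built from odd primes, so such a key can encrypt but has no matching private exponent. The condition could read `if pub.N == nil || pub.N.Sign() <= 0 || pub.E < 2 || pub.E&1 == 0 || pub.E > 1<<31-1 {`. The affected-files list shows no test change, so a table test over E = 0, 1, 2, 3 and 1<<31-1 plus a nil N would pin these boundaries.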
@@ -216,6 +230,9 @@
// The message must be no longer than the length of the public modulus less
// twice the hash length plus 2.
func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg
[]byte, label []byte) (out []byte, err error) {
+ if err := checkPub(pub); err != nil {
+ return nil, err
+ }
hash.Reset()
k := (pub.N.BitLen() + 7) / 8
if len(msg) > k-2*hash.Size()-2 {
@@ -402,6 +419,9 @@
// DecryptOAEP decrypts ciphertext using RSA-OAEP.
// If random != nil, DecryptOAEP uses RSA blinding to avoid timing
side-channel attacks.
func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey,
ciphertext []byte, label []byte) (msg []byte, err error) {
+ if err := checkPub(&priv.PublicKey); err != nil {
+ return nil, err
+ }
k := (priv.N.BitLen() + 7) / 8
if len(ciphertext) > k ||
k < hash.Size()*2+2 {

Discussion Overview
groupgolang-dev @
categoriesgo
postedSep 12, '12 at 4:49p
activeSep 13, '12 at 3:12p
posts4
users2
websitegolang.org

2 users in discussion

Rsc: 2 posts Agl: 2 posts
