diff options
| author | Filippo Valsorda <filippo@golang.org> | 2024-11-28 19:55:53 +0100 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2024-11-30 01:47:06 +0000 |
| commit | fa38b41be94f66d3d49e10f673643105f44fe540 (patch) | |
| tree | bcb714efdd368c728ea7b4a079f06353a0e7a8fc /src/crypto | |
| parent | f7475a0af3169d3d91f6071646defcf103393cc0 (diff) | |
| download | go-fa38b41be94f66d3d49e10f673643105f44fe540.tar.xz | |
crypto/internal/fips140/rsa: check that e and N are odd
N needs to be odd or we can't call Nat.Exp with it. This was previously
enforced at the Modulus level, but was relaxed in CL 630515.
While at it, also assert that e is odd. If it's even, there is no
possible corresponding private key, and we might as well error out.
Change-Id: I43a6c6e5789683854e4aece650fbf85166b6c318
Reviewed-on: https://go-review.googlesource.com/c/go/+/632475
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Diffstat (limited to 'src/crypto')
| -rw-r--r-- | src/crypto/internal/fips140/rsa/rsa.go | 10 | ||||
| -rw-r--r-- | src/crypto/rsa/rsa.go | 9 |
2 files changed, 15 insertions, 4 deletions
diff --git a/src/crypto/internal/fips140/rsa/rsa.go b/src/crypto/internal/fips140/rsa/rsa.go index 91655142dd..692cd3b1ad 100644 --- a/src/crypto/internal/fips140/rsa/rsa.go +++ b/src/crypto/internal/fips140/rsa/rsa.go @@ -115,15 +115,23 @@ func checkPublicKey(pub *PublicKey) error { if pub.N == nil { return errors.New("crypto/rsa: missing public modulus") } + if pub.N.Nat().IsOdd() == 0 { + return errors.New("crypto/rsa: public modulus is even") + } if pub.N.BitLen() < 2048 || pub.N.BitLen() > 16384 { fips140.RecordNonApproved() } if pub.E < 2 { return errors.New("crypto/rsa: public exponent too small or negative") } + // e needs to be coprime with p-1 and q-1, since it must be invertible + // modulo λ(pq). Since p and q are prime, this means e needs to be odd. + if pub.E&1 == 0 { + return errors.New("crypto/rsa: public exponent is even") + } // FIPS 186-5, Section 5.5(e): "The exponent e shall be an odd, positive // integer such that 2¹⁶ < e < 2²⁵⁶." - if pub.E <= 1<<16 || pub.E&1 == 0 { + if pub.E <= 1<<16 { fips140.RecordNonApproved() } // We require pub.E to fit into a 32-bit integer so that we diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go index 3c9b98eae9..9051f176f7 100644 --- a/src/crypto/rsa/rsa.go +++ b/src/crypto/rsa/rsa.go @@ -228,9 +228,15 @@ func (priv *PrivateKey) Validate() error { if pub.N == nil { return errors.New("crypto/rsa: missing public modulus") } + if pub.N.Bit(0) == 0 { + return errors.New("crypto/rsa: public modulus is even") + } if pub.E < 2 { return errors.New("crypto/rsa: public exponent is less than 2") } + if pub.E&1 == 0 { + return errors.New("crypto/rsa: public exponent is even") + } if pub.E > 1<<31-1 { return errors.New("crypto/rsa: public exponent too large") } @@ -544,9 +550,6 @@ func fipsPublicKey(pub *PublicKey) (*rsa.PublicKey, error) { if err != nil { return nil, err } - if pub.E < 0 { - return nil, errors.New("crypto/rsa: negative public exponent") - } return &rsa.PublicKey{N: N, E: pub.E}, nil } |