Copied from upstream nettle git repository. Removed changes to ChangeLog, to allow this patch to apply to nettle-3.5. From 0ad0b5df315665250dfdaa4a1e087f4799edaefe Mon Sep 17 00:00:00 2001 From: Niels Möller Date: Mon, 17 May 2021 22:02:47 +0200 Subject: [PATCH 2/2] Add input check to rsa_decrypt family of functions. --- ChangeLog | 8 ++++++++ rsa-decrypt-tr.c | 4 ++++ rsa-decrypt.c | 10 ++++++++++ rsa-sec-decrypt.c | 4 ++++ rsa.h | 5 +++-- testsuite/rsa-encrypt-test.c | 38 ++++++++++++++++++++++++++++++------ 6 files changed, 61 insertions(+), 8 deletions(-) diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c index 927a8915..4a9e9d74 100644 --- a/rsa-decrypt-tr.c +++ b/rsa-decrypt-tr.c @@ -52,6 +52,10 @@ rsa_decrypt_tr(const struct rsa_public_key *pub, mp_size_t key_limb_size; int res; + /* First check that input is in range. */ + if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) + return 0; + key_limb_size = mpz_size(pub->n); TMP_GMP_ALLOC (m, key_limb_size); diff --git a/rsa-decrypt.c b/rsa-decrypt.c index 7681439d..540d8baa 100644 --- a/rsa-decrypt.c +++ b/rsa-decrypt.c @@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key *key, int res; mpz_init(m); + + /* First check that input is in range. Since we don't have the + public key available here, we need to reconstruct n. */ + mpz_mul (m, key->p, key->q); + if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0) + { + mpz_clear (m); + return 0; + } + rsa_compute_root(key, m, gibberish); res = pkcs1_decrypt (key->size, m, length, message); diff --git a/rsa-sec-decrypt.c b/rsa-sec-decrypt.c index fc4757a0..4c98958d 100644 --- a/rsa-sec-decrypt.c +++ b/rsa-sec-decrypt.c @@ -55,6 +55,10 @@ rsa_sec_decrypt(const struct rsa_public_key *pub, TMP_GMP_DECL (em, uint8_t); int res; + /* First check that input is in range. */ + if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) + return 0; + TMP_GMP_ALLOC (m, mpz_size(pub->n)); TMP_GMP_ALLOC (em, key->size); diff --git a/rsa.h b/rsa.h index 3b10155f..2dd35a2d 100644 --- a/rsa.h +++ b/rsa.h @@ -428,13 +428,14 @@ rsa_sec_decrypt(const struct rsa_public_key *pub, size_t length, uint8_t *message, const mpz_t gibberish); -/* Compute x, the e:th root of m. Calling it with x == m is allowed. */ +/* Compute x, the e:th root of m. Calling it with x == m is allowed. + It is required that 0 <= m < n. */ void rsa_compute_root(const struct rsa_private_key *key, mpz_t x, const mpz_t m); /* Safer variant, using RSA blinding, and checking the result after - CRT. */ + CRT. It is required that 0 <= m < n. */ int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, diff --git a/testsuite/rsa-encrypt-test.c b/testsuite/rsa-encrypt-test.c index d3bc374b..d1a440f6 100644 --- a/testsuite/rsa-encrypt-test.c +++ b/testsuite/rsa-encrypt-test.c @@ -19,11 +19,12 @@ test_main(void) uint8_t after; mpz_t gibberish; - mpz_t zero; + mpz_t bad_input; rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_init(gibberish); + mpz_init(bad_input); knuth_lfib_init(&lfib, 17); @@ -103,15 +104,40 @@ test_main(void) ASSERT(decrypted[0] == 'A'); /* Test zero input. */ - mpz_init_set_ui (zero, 0); + mpz_set_ui (bad_input, 0); decrypted_length = msg_length; - ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero)); + ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, - &decrypted_length, decrypted, zero)); + &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, - decrypted_length, decrypted, zero)); + decrypted_length, decrypted, bad_input)); + ASSERT(decrypted_length == msg_length); + + /* Test input that is slightly larger than n */ + mpz_add(bad_input, gibberish, pub.n); + decrypted_length = msg_length; + ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); + ASSERT(!rsa_decrypt_tr(&pub, &key, + &lfib, (nettle_random_func *) knuth_lfib_random, + &decrypted_length, decrypted, bad_input)); + ASSERT(!rsa_sec_decrypt(&pub, &key, + &lfib, (nettle_random_func *) knuth_lfib_random, + decrypted_length, decrypted, bad_input)); + ASSERT(decrypted_length == msg_length); + + /* Test input that is considerably larger than n */ + mpz_mul_2exp (bad_input, pub.n, 100); + mpz_add (bad_input, bad_input, gibberish); + decrypted_length = msg_length; + ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); + ASSERT(!rsa_decrypt_tr(&pub, &key, + &lfib, (nettle_random_func *) knuth_lfib_random, + &decrypted_length, decrypted, bad_input)); + ASSERT(!rsa_sec_decrypt(&pub, &key, + &lfib, (nettle_random_func *) knuth_lfib_random, + decrypted_length, decrypted, bad_input)); ASSERT(decrypted_length == msg_length); /* Test invalid key. */ @@ -124,6 +150,6 @@ test_main(void) rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(gibberish); - mpz_clear(zero); + mpz_clear(bad_input); free(decrypted); } -- 2.31.1 scm?id=882112b581b2e6e7796f34ab0e3eb5cef18c8f18'>services: knot: Default zone-file-refresh to 12h....The Knot DNS service in Guix uses two days, or 48 hours, for the SOA refresh interval but that is outside the range of RFC 1912, which is entitled "Common DNS Operational and Configuration Errors." [1] Section 2.2 of RFC 1912 recommends a maximum of 12 hours for the SOA refresh rate: "You can keep it short (20 mins to 2 hours) if you aren't worried about a small increase in bandwidth used, or longer (2-12 hours) if your Internet connection is slow or is started on demand." This commit sets the default refresh interval at the nearest value recommended by the standard, which is 12 hours. Due to the widespread adoption of NOTIFY messages between primary and secondary DNS servers, the SOA refresh interval has arguably lost some importance, but the Guix default should still be in line with the standards. Values outside the recommended range can provoke warning messages from services commonly used to find bugs in DNS configurations, such as the MX Toolbox Super Tool. [2] [1] https://datatracker.ietf.org/doc/rfc1912/ [2] https://mxtoolbox.com/SuperTool.aspx * gnu/services/dns.scm (<zone-file>)[refresh]: Default to (* 12 3600). Signed-off-by: 宋文武 <iyzsong@member.fsf.org> Felix Lechner