Uprev NSS to 3.18 RTM

nss/lib/freebl/rsa.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * RSA key generation, public key op, private key op.
  */
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
@@ skipping 79 matching lines @@
 static struct RSABlindingParamsListStr blindingParamsList = { 0 };
 
 /* Number of times to reuse (f, g).  Suggested by Paul Kocher */
 #define RSA_BLINDING_PARAMS_MAX_REUSE 50
 
 /* Global, allows optional use of blinding.  On by default. */
 /* Cannot be changed at the moment, due to thread-safety issues. */
 static PRBool nssRSAUseBlinding = PR_TRUE;
 
 static SECStatus
-rsa_build_from_primes(mp_int *p, mp_int *q, 
-                mp_int *e, PRBool needPublicExponent, 
+rsa_build_from_primes(const mp_int *p, const mp_int *q,
+                mp_int *e, PRBool needPublicExponent,
                 mp_int *d, PRBool needPrivateExponent,
                 RSAPrivateKey *key, unsigned int keySizeInBits)
 {
     mp_int n, phi;
     mp_int psub1, qsub1, tmp;
     mp_err   err = MP_OKAY;
     SECStatus rv = SECSuccess;
     MP_DIGITS(&n)     = 0;
     MP_DIGITS(&phi)   = 0;
     MP_DIGITS(&psub1) = 0;
     MP_DIGITS(&qsub1) = 0;
     MP_DIGITS(&tmp)   = 0;
     CHECK_MPI_OK( mp_init(&n)     );
     CHECK_MPI_OK( mp_init(&phi)   );
     CHECK_MPI_OK( mp_init(&psub1) );
     CHECK_MPI_OK( mp_init(&qsub1) );
     CHECK_MPI_OK( mp_init(&tmp)   );
+    /* p and q must be distinct. */
+    if (mp_cmp(p, q) == 0) {
+        PORT_SetError(SEC_ERROR_NEED_RANDOM);
+        rv = SECFailure;
+        goto cleanup;
+    }
     /* 1.  Compute n = p*q */
     CHECK_MPI_OK( mp_mul(p, q, &n) );
     /*     verify that the modulus has the desired number of bits */
     if ((unsigned)mpl_significant_bits(&n) != keySizeInBits) {
         PORT_SetError(SEC_ERROR_NEED_RANDOM);
         rv = SECFailure;
         goto cleanup;
     }
 
     /* at least one exponent must be given */
@@ skipping 144 matching lines @@
     SECITEM_AllocItem(arena, &key->version, 1);
     key->version.data[0] = 0;
     /* 3.  Set the public exponent */
     SECITEM_TO_MPINT(*publicExponent, &e);
     kiter = 0;
     do {
         prerr = 0;
         PORT_SetError(0);
         CHECK_SEC_OK( generate_prime(&p, primeLen) );
         CHECK_SEC_OK( generate_prime(&q, primeLen) );
-        /* Assure q < p */
+        /* Assure p > q */
+        /* NOTE: PKCS #1 does not require p > q, and NSS doesn't use any
+         * implementation optimization that requires p > q. We can remove
+         * this code in the future.
+         */
         if (mp_cmp(&p, &q) < 0)
             mp_exch(&p, &q);
         /* Attempt to use these primes to generate a key */
         rv = rsa_build_from_primes(&p, &q, 
                         &e, PR_FALSE,  /* needPublicExponent=false */
                         &d, PR_TRUE,   /* needPrivateExponent=true */
                         key, keySizeInBits);
         if (rv == SECSuccess)
             break; /* generated two good primes */
         prerr = PORT_GetError();
@@ skipping 461 matching lines @@
                 ((prime_count > 0) || hasModulus)) {
             CHECK_MPI_OK(rsa_get_primes_from_exponents(&e,&d,&p,&q,
                         &n,hasModulus,keySizeInBits));
         } else {
             /* not enough given parameters to get both primes */
             err = MP_BADARG;
             goto cleanup;
         }
      }
 
-     /* force p to the the larger prime */
+     /* Assure p > q */
+     /* NOTE: PKCS #1 does not require p > q, and NSS doesn't use any
+      * implementation optimization that requires p > q. We can remove
+      * this code in the future.
+      */
      if (mp_cmp(&p, &q) < 0)
         mp_exch(&p, &q);
 
      /* we now have our 2 primes and at least one exponent, we can fill
       * in the key */
      rv = rsa_build_from_primes(&p, &q, 
                         &e, needPublicExponent,
                         &d, needPrivateExponent,
                         key, keySizeInBits);
 cleanup:
@@ skipping 310 matching lines @@
 
     return SECSuccess;
 }
 
 static SECStatus
 get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
                     mp_int *f, mp_int *g)
 {
     RSABlindingParams *rsabp           = NULL;
     blindingParams    *bpUnlinked      = NULL;
-    blindingParams    *bp, *prevbp     = NULL;
+    blindingParams    *bp;
     PRCList           *el;
     SECStatus          rv              = SECSuccess;
     mp_err             err             = MP_OKAY;
     int                cmp             = -1;
     PRBool             holdingLock     = PR_FALSE;
 
     do {
         if (blindingParamsList.lock == NULL) {
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
             return SECFailure;
@@ skipping 69 matching lines @@
              */
             if (blindingParamsList.waitCount > 0) {
                 PR_NotifyCondVar( blindingParamsList.cVar );
                 blindingParamsList.waitCount--;
             }
             PZ_Unlock(blindingParamsList.lock); 
             return SECSuccess;
         }
         /* We did not find a usable set of blinding params.  Can we make one? */
         /* Find a free bp struct. */
-        prevbp = NULL;
         if ((bp = rsabp->free) != NULL) {
             /* unlink this bp */
             rsabp->free  = bp->next;
             bp->next     = NULL;
             bpUnlinked   = bp;  /* In case we fail */
 
             PZ_Unlock(blindingParamsList.lock); 
             holdingLock = PR_FALSE;
             /* generate blinding parameter values for the current thread */
             CHECK_SEC_OK( generate_blinding_params(key, f, g, n, modLen ) );
@@ skipping 196 matching lines @@
     }
 
     SECITEM_TO_MPINT(key->modulus,         &n);
     SECITEM_TO_MPINT(key->prime1,          &p);
     SECITEM_TO_MPINT(key->prime2,          &q);
     SECITEM_TO_MPINT(key->publicExponent,  &e);
     SECITEM_TO_MPINT(key->privateExponent, &d);
     SECITEM_TO_MPINT(key->exponent1,       &d_p);
     SECITEM_TO_MPINT(key->exponent2,       &d_q);
     SECITEM_TO_MPINT(key->coefficient,     &qInv);
-    /* p > q */
-    if (mp_cmp(&p, &q) <= 0) {
+    /* p and q must be distinct. */
+    if (mp_cmp(&p, &q) == 0) {
         rv = SECFailure;
         goto cleanup;
     }
 #define VERIFY_MPI_EQUAL(m1, m2) \
     if (mp_cmp(m1, m2) != 0) {   \
         rv = SECFailure;         \
         goto cleanup;            \
     }
 #define VERIFY_MPI_EQUAL_1(m)    \
     if (mp_cmp_d(m, 1) != 0) {   \
@@ skipping 117 matching lines @@
 PRBool bl_parentForkedAfterC_Initialize;
 
 /*
  * Set fork flag so it can be tested in SKIP_AFTER_FORK on relevant platforms.
  */
 void BL_SetForkState(PRBool forked)
 {
     bl_parentForkedAfterC_Initialize = forked;
 }