crypto/rsa, crypto/ecdsa: fail earlier on zero parameters

Change-Id: Ia6ed49d5ef3a256a55e6d4eaa1b4d9f0fc447013
Reviewed-on: https://go-review.googlesource.com/21560
Reviewed-by: Robert Griesemer <gri@golang.org>
Reviewed-on: https://go-review.googlesource.com/21638
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Andrew Gerrand <adg@golang.org>

diff --git a/src/crypto/ecdsa/ecdsa.go b/src/crypto/ecdsa/ecdsa.go
index 8d66477fd10d2871e0b4bc571383a683058db4fe..a01e18c836fc054267f2ad86c391b5f4723f923b 100644 (file)
--- a/src/crypto/ecdsa/ecdsa.go
+++ b/src/crypto/ecdsa/ecdsa.go
@@ -23,6 +23,7 @@ import (
        "crypto/elliptic"
        "crypto/sha512"
        "encoding/asn1"
+       "errors"
        "io"
        "math/big"
 )
@@ -129,6 +130,8 @@ func fermatInverse(k, N *big.Int) *big.Int {
        return new(big.Int).Exp(k, nMinus2, N)
 }
 
+var errZeroParam = errors.New("zero parameter")
+
 // Sign signs an arbitrary length hash (which should be the result of hashing a
 // larger message) using the private key, priv. It returns the signature as a
 // pair of integers. The security of the private key depends on the entropy of
@@ -169,7 +172,9 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
        // See [NSA] 3.4.1
        c := priv.PublicKey.Curve
        N := c.Params().N
-
+       if N.Sign() == 0 {
+               return nil, nil, errZeroParam
+       }
        var k, kInv *big.Int
        for {
                for {
@@ -179,7 +184,7 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
                                return
                        }
 
-                       kInv = fermatInverse(k, N)
+                       kInv = fermatInverse(k, N) // N != 0
                        r, _ = priv.Curve.ScalarBaseMult(k.Bytes())
                        r.Mod(r, N)
                        if r.Sign() != 0 {
@@ -191,7 +196,7 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
                s = new(big.Int).Mul(priv.D, r)
                s.Add(s, e)
                s.Mul(s, kInv)
-               s.Mod(s, N)
+               s.Mod(s, N) // N != 0
                if s.Sign() != 0 {
                        break
                }

diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
index 1293b783679b143440aabb2d5a9e04a391273f46..031de0e79c2f2b0168f2bab3d756cf4b2040abc5 100644 (file)
--- a/src/crypto/rsa/rsa.go
+++ b/src/crypto/rsa/rsa.go
@@ -436,6 +436,9 @@ func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err er
                err = ErrDecryption
                return
        }
+       if priv.N.Sign() == 0 {
+               return nil, ErrDecryption
+       }
 
        var ir *big.Int
        if random != nil {
@@ -461,7 +464,7 @@ func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err er
                        }
                }
                bigE := big.NewInt(int64(priv.E))
-               rpowe := new(big.Int).Exp(r, bigE, priv.N)
+               rpowe := new(big.Int).Exp(r, bigE, priv.N) // N != 0
                cCopy := new(big.Int).Set(c)
                cCopy.Mul(cCopy, rpowe)
                cCopy.Mod(cCopy, priv.N)