From 7f2f1a730caa23a811ed710d67feb8f6b2ebb9a5 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 28 Oct 2016 22:01:55 +0200 Subject: Throw excepton on unknown tag --- crypto/src/asn1/ocsp/CertStatus.cs | 2 ++ 1 file changed, 2 insertions(+) (limited to 'crypto/src') diff --git a/crypto/src/asn1/ocsp/CertStatus.cs b/crypto/src/asn1/ocsp/CertStatus.cs index b524364c9..7dd99b844 100644 --- a/crypto/src/asn1/ocsp/CertStatus.cs +++ b/crypto/src/asn1/ocsp/CertStatus.cs @@ -48,6 +48,8 @@ namespace Org.BouncyCastle.Asn1.Ocsp case 2: value = DerNull.Instance; break; + default: + throw new ArgumentException("Unknown tag encountered: " + choice.TagNo); } } -- cgit 1.5.1 From 5f3830451fa08884b751b8de4f2ee8109ac3527f Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Thu, 10 Nov 2016 14:42:27 +0700 Subject: Fix possible NPE when cofactor != 1 (from bc-java) --- crypto/src/math/ec/multiplier/WNafUtilities.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'crypto/src') diff --git a/crypto/src/math/ec/multiplier/WNafUtilities.cs b/crypto/src/math/ec/multiplier/WNafUtilities.cs index 5491297d7..7d565dfbd 100644 --- a/crypto/src/math/ec/multiplier/WNafUtilities.cs +++ b/crypto/src/math/ec/multiplier/WNafUtilities.cs @@ -423,7 +423,7 @@ namespace Org.BouncyCastle.Math.EC.Multiplier * 1) additions do not use the curve's A, B coefficients. * 2) no special cases (i.e. Q +/- Q) when calculating 1P, 3P, 5P, ... */ - if (ECAlgorithms.IsFpCurve(c) && c.FieldSize >= 64) + if (!twiceP.IsInfinity && ECAlgorithms.IsFpCurve(c) && c.FieldSize >= 64) { switch (c.CoordinateSystem) { -- cgit 1.5.1 From 0eca6bebcc0d1b29d8b73d4790d314a9719081d0 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 11 Nov 2016 22:30:03 +0700 Subject: EncryptionAlgorithm.NULL is a 'stream' cipher --- crypto/src/crypto/tls/TlsUtilities.cs | 1 + 1 file changed, 1 insertion(+) (limited to 'crypto/src') diff --git a/crypto/src/crypto/tls/TlsUtilities.cs b/crypto/src/crypto/tls/TlsUtilities.cs index 25908d163..d51a8ff48 100644 --- a/crypto/src/crypto/tls/TlsUtilities.cs +++ b/crypto/src/crypto/tls/TlsUtilities.cs @@ -1246,6 +1246,7 @@ namespace Org.BouncyCastle.Crypto.Tls case EncryptionAlgorithm.SEED_CBC: return CipherType.block; + case EncryptionAlgorithm.NULL: case EncryptionAlgorithm.RC4_40: case EncryptionAlgorithm.RC4_128: return CipherType.stream; -- cgit 1.5.1 From bd844ab76865ffaad429d8f1795db1ccedac70b1 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Mon, 14 Nov 2016 14:18:28 +0700 Subject: After receiving fatal alert, don't echo that alert to peer (from bc-java) - https://github.com/bcgit/bc-java/issues/148 - also explicitly invalidate session after fatal alert --- crypto/src/crypto/tls/DtlsClientProtocol.cs | 16 +++++++++++--- crypto/src/crypto/tls/DtlsRecordLayer.cs | 12 +++++++++- crypto/src/crypto/tls/DtlsServerProtocol.cs | 34 ++++++++++++++++++++++++++--- 3 files changed, 55 insertions(+), 7 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/crypto/tls/DtlsClientProtocol.cs b/crypto/src/crypto/tls/DtlsClientProtocol.cs index abb402077..90430d772 100644 --- a/crypto/src/crypto/tls/DtlsClientProtocol.cs +++ b/crypto/src/crypto/tls/DtlsClientProtocol.cs @@ -53,19 +53,29 @@ namespace Org.BouncyCastle.Crypto.Tls } catch (TlsFatalAlert fatalAlert) { - recordLayer.Fail(fatalAlert.AlertDescription); + AbortClientHandshake(state, recordLayer, fatalAlert.AlertDescription); throw fatalAlert; } catch (IOException e) { - recordLayer.Fail(AlertDescription.internal_error); + AbortClientHandshake(state, recordLayer, AlertDescription.internal_error); throw e; } catch (Exception e) { - recordLayer.Fail(AlertDescription.internal_error); + AbortClientHandshake(state, recordLayer, AlertDescription.internal_error); throw new TlsFatalAlert(AlertDescription.internal_error, e); } + finally + { + securityParameters.Clear(); + } + } + + internal virtual void AbortClientHandshake(ClientHandshakeState state, DtlsRecordLayer recordLayer, byte alertDescription) + { + recordLayer.Fail(alertDescription); + InvalidateSession(state); } internal virtual DtlsTransport ClientHandshake(ClientHandshakeState state, DtlsRecordLayer recordLayer) diff --git a/crypto/src/crypto/tls/DtlsRecordLayer.cs b/crypto/src/crypto/tls/DtlsRecordLayer.cs index 6796f4cbb..4a781b5b5 100644 --- a/crypto/src/crypto/tls/DtlsRecordLayer.cs +++ b/crypto/src/crypto/tls/DtlsRecordLayer.cs @@ -237,7 +237,7 @@ namespace Org.BouncyCastle.Crypto.Tls if (alertLevel == AlertLevel.fatal) { - Fail(alertDescription); + Failed(); throw new TlsFatalAlert(alertDescription); } @@ -375,6 +375,16 @@ namespace Org.BouncyCastle.Crypto.Tls } } + internal virtual void Failed() + { + if (!mClosed) + { + mFailed = true; + + CloseTransport(); + } + } + internal virtual void Fail(byte alertDescription) { if (!mClosed) diff --git a/crypto/src/crypto/tls/DtlsServerProtocol.cs b/crypto/src/crypto/tls/DtlsServerProtocol.cs index d05af193c..fbf33045b 100644 --- a/crypto/src/crypto/tls/DtlsServerProtocol.cs +++ b/crypto/src/crypto/tls/DtlsServerProtocol.cs @@ -54,19 +54,29 @@ namespace Org.BouncyCastle.Crypto.Tls } catch (TlsFatalAlert fatalAlert) { - recordLayer.Fail(fatalAlert.AlertDescription); + AbortServerHandshake(state, recordLayer, fatalAlert.AlertDescription); throw fatalAlert; } catch (IOException e) { - recordLayer.Fail(AlertDescription.internal_error); + AbortServerHandshake(state, recordLayer, AlertDescription.internal_error); throw e; } catch (Exception e) { - recordLayer.Fail(AlertDescription.internal_error); + AbortServerHandshake(state, recordLayer, AlertDescription.internal_error); throw new TlsFatalAlert(AlertDescription.internal_error, e); } + finally + { + securityParameters.Clear(); + } + } + + internal virtual void AbortServerHandshake(ServerHandshakeState state, DtlsRecordLayer recordLayer, byte alertDescription) + { + recordLayer.Fail(alertDescription); + InvalidateSession(state); } internal virtual DtlsTransport ServerHandshake(ServerHandshakeState state, DtlsRecordLayer recordLayer) @@ -263,6 +273,21 @@ namespace Org.BouncyCastle.Crypto.Tls return new DtlsTransport(recordLayer); } + protected virtual void InvalidateSession(ServerHandshakeState state) + { + if (state.sessionParameters != null) + { + state.sessionParameters.Clear(); + state.sessionParameters = null; + } + + if (state.tlsSession != null) + { + state.tlsSession.Invalidate(); + state.tlsSession = null; + } + } + protected virtual byte[] GenerateCertificateRequest(ServerHandshakeState state, CertificateRequest certificateRequest) { MemoryStream buf = new MemoryStream(); @@ -650,6 +675,9 @@ namespace Org.BouncyCastle.Crypto.Tls { internal TlsServer server = null; internal TlsServerContextImpl serverContext = null; + internal TlsSession tlsSession = null; + internal SessionParameters sessionParameters = null; + internal SessionParameters.Builder sessionParametersBuilder = null; internal int[] offeredCipherSuites = null; internal byte[] offeredCompressionMethods = null; internal IDictionary clientExtensions = null; -- cgit 1.5.1 From 84b2be3efb82184703e350c26d7f13330395c15b Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Wed, 30 Nov 2016 05:36:43 +0700 Subject: Fix carry propagation bug in Nat???.Square methods --- crypto/Readme.html | 14 +- crypto/crypto.csproj | 10 ++ crypto/src/math/raw/Nat128.cs | 8 +- crypto/src/math/raw/Nat160.cs | 16 +- crypto/src/math/raw/Nat192.cs | 24 +-- crypto/src/math/raw/Nat224.cs | 32 ++-- crypto/src/math/raw/Nat256.cs | 40 ++--- crypto/test/UnitTests.csproj | 2 + .../math/ec/custom/sec/test/SecP256R1FieldTest.cs | 181 +++++++++++++++++++++ .../math/ec/custom/sec/test/SecP384R1FieldTest.cs | 146 +++++++++++++++++ 10 files changed, 412 insertions(+), 61 deletions(-) create mode 100644 crypto/test/src/math/ec/custom/sec/test/SecP256R1FieldTest.cs create mode 100644 crypto/test/src/math/ec/custom/sec/test/SecP384R1FieldTest.cs (limited to 'crypto/src') diff --git a/crypto/Readme.html b/crypto/Readme.html index 0cbd91daa..b26937714 100644 --- a/crypto/Readme.html +++ b/crypto/Readme.html @@ -294,6 +294,18 @@ We state, where EC MQV has not otherwise been disabled or removed:

Release 1.8.2, Release Date TBD

+
Security Advisory
+
    +
  • + Carry propagation bugs in the implementation of squaring for several raw math classes have been fixed (Org.BouncyCastle.Math.Raw.Nat???). + These classes are used by our custom elliptic curve implementations (Org.BouncyCastle.Math.Ec.Custom.**), so there was the possibility + of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with + high probability by the output validation for our scalar multipliers. We consider these bugs to be exploitable for static ECDH with + long-term keys, per "Practical realisation and elimination of an ECC-related software bug attack", + Brumley et.al. +
    • +
+
IMPORTANT
  • @@ -381,7 +393,7 @@ We state, where EC MQV has not otherwise been disabled or removed:
  • RFC 6637 ECDSA and ECDH support has been added to the OpenPGP API.
  • Implementations of Threefish and Skein have been added.
  • Implementation of the SM3 digest has been added.
    • -
  • Implementations of XSalsa20 and ChaCha have been added. Support for reduced round Salas20 has been added.
    • +
  • Implementations of XSalsa20 and ChaCha have been added. Support for reduced round Salsa20 has been added.
  • Support has been added for RFC 6979 Deterministic DSA/ECDSA.
  • Support for the Poly1305 MAC has been added.
  • GCM and GMAC now support tag lengths down to 32 bits.
    • diff --git a/crypto/crypto.csproj b/crypto/crypto.csproj index fcb52bb20..6f1fdcf61 100644 --- a/crypto/crypto.csproj +++ b/crypto/crypto.csproj @@ -12054,6 +12054,16 @@ SubType = "Code" BuildAction = "Compile" /> + + > 32); zz_4 &= M; + ulong zz_6 = zz[6] + (zz_5 >> 32); zz_5 &= M; { zz_3 += x_3 * x_0; w = (uint)zz_3; @@ -702,8 +702,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_3 = x[xOff + 3]; - ulong zz_5 = zz[zzOff + 5]; - ulong zz_6 = zz[zzOff + 6]; + ulong zz_5 = zz[zzOff + 5] + (zz_4 >> 32); zz_4 &= M; + ulong zz_6 = zz[zzOff + 6] + (zz_5 >> 32); zz_5 &= M; { zz_3 += x_3 * x_0; w = (uint)zz_3; diff --git a/crypto/src/math/raw/Nat160.cs b/crypto/src/math/raw/Nat160.cs index 153ac0a43..1fd00e576 100644 --- a/crypto/src/math/raw/Nat160.cs +++ b/crypto/src/math/raw/Nat160.cs @@ -604,8 +604,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_3 = x[3]; - ulong zz_5 = zz[5]; - ulong zz_6 = zz[6]; + ulong zz_5 = zz[5] + (zz_4 >> 32); zz_4 &= M; + ulong zz_6 = zz[6] + (zz_5 >> 32); zz_5 &= M; { zz_3 += x_3 * x_0; w = (uint)zz_3; @@ -619,8 +619,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_4 = x[4]; - ulong zz_7 = zz[7]; - ulong zz_8 = zz[8]; + ulong zz_7 = zz[7] + (zz_6 >> 32); zz_6 &= M; + ulong zz_8 = zz[8] + (zz_7 >> 32); zz_7 &= M; { zz_4 += x_4 * x_0; w = (uint)zz_4; @@ -699,8 +699,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_3 = x[xOff + 3]; - ulong zz_5 = zz[zzOff + 5]; - ulong zz_6 = zz[zzOff + 6]; + ulong zz_5 = zz[zzOff + 5] + (zz_4 >> 32); zz_4 &= M; + ulong zz_6 = zz[zzOff + 6] + (zz_5 >> 32); zz_5 &= M; { zz_3 += x_3 * x_0; w = (uint)zz_3; @@ -714,8 +714,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_4 = x[xOff + 4]; - ulong zz_7 = zz[zzOff + 7]; - ulong zz_8 = zz[zzOff + 8]; + ulong zz_7 = zz[zzOff + 7] + (zz_6 >> 32); zz_6 &= M; + ulong zz_8 = zz[zzOff + 8] + (zz_7 >> 32); zz_7 &= M; { zz_4 += x_4 * x_0; w = (uint)zz_4; diff --git a/crypto/src/math/raw/Nat192.cs b/crypto/src/math/raw/Nat192.cs index 4797609ee..3099bafab 100644 --- a/crypto/src/math/raw/Nat192.cs +++ b/crypto/src/math/raw/Nat192.cs @@ -706,8 +706,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_3 = x[3]; - ulong zz_5 = zz[5]; - ulong zz_6 = zz[6]; + ulong zz_5 = zz[5] + (zz_4 >> 32); zz_4 &= M; + ulong zz_6 = zz[6] + (zz_5 >> 32); zz_5 &= M; { zz_3 += x_3 * x_0; w = (uint)zz_3; @@ -721,8 +721,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_4 = x[4]; - ulong zz_7 = zz[7]; - ulong zz_8 = zz[8]; + ulong zz_7 = zz[7] + (zz_6 >> 32); zz_6 &= M; + ulong zz_8 = zz[8] + (zz_7 >> 32); zz_7 &= M; { zz_4 += x_4 * x_0; w = (uint)zz_4; @@ -738,8 +738,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_5 = x[5]; - ulong zz_9 = zz[9]; - ulong zz_10 = zz[10]; + ulong zz_9 = zz[9] + (zz_8 >> 32); zz_8 &= M; + ulong zz_10 = zz[10] + (zz_9 >> 32); zz_9 &= M; { zz_5 += x_5 * x_0; w = (uint)zz_5; @@ -822,8 +822,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_3 = x[xOff + 3]; - ulong zz_5 = zz[zzOff + 5]; - ulong zz_6 = zz[zzOff + 6]; + ulong zz_5 = zz[zzOff + 5] + (zz_4 >> 32); zz_4 &= M; + ulong zz_6 = zz[zzOff + 6] + (zz_5 >> 32); zz_5 &= M; { zz_3 += x_3 * x_0; w = (uint)zz_3; @@ -837,8 +837,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_4 = x[xOff + 4]; - ulong zz_7 = zz[zzOff + 7]; - ulong zz_8 = zz[zzOff + 8]; + ulong zz_7 = zz[zzOff + 7] + (zz_6 >> 32); zz_6 &= M; + ulong zz_8 = zz[zzOff + 8] + (zz_7 >> 32); zz_7 &= M; { zz_4 += x_4 * x_0; w = (uint)zz_4; @@ -854,8 +854,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_5 = x[xOff + 5]; - ulong zz_9 = zz[zzOff + 9]; - ulong zz_10 = zz[zzOff + 10]; + ulong zz_9 = zz[zzOff + 9] + (zz_8 >> 32); zz_8 &= M; + ulong zz_10 = zz[zzOff + 10] + (zz_9 >> 32); zz_9 &= M; { zz_5 += x_5 * x_0; w = (uint)zz_5; diff --git a/crypto/src/math/raw/Nat224.cs b/crypto/src/math/raw/Nat224.cs index 940e930ac..978caf265 100644 --- a/crypto/src/math/raw/Nat224.cs +++ b/crypto/src/math/raw/Nat224.cs @@ -786,8 +786,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_3 = x[3]; - ulong zz_5 = zz[5]; - ulong zz_6 = zz[6]; + ulong zz_5 = zz[5] + (zz_4 >> 32); zz_4 &= M; + ulong zz_6 = zz[6] + (zz_5 >> 32); zz_5 &= M; { zz_3 += x_3 * x_0; w = (uint)zz_3; @@ -801,8 +801,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_4 = x[4]; - ulong zz_7 = zz[7]; - ulong zz_8 = zz[8]; + ulong zz_7 = zz[7] + (zz_6 >> 32); zz_6 &= M; + ulong zz_8 = zz[8] + (zz_7 >> 32); zz_7 &= M; { zz_4 += x_4 * x_0; w = (uint)zz_4; @@ -818,8 +818,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_5 = x[5]; - ulong zz_9 = zz[9]; - ulong zz_10 = zz[10]; + ulong zz_9 = zz[9] + (zz_8 >> 32); zz_8 &= M; + ulong zz_10 = zz[10] + (zz_9 >> 32); zz_9 &= M; { zz_5 += x_5 * x_0; w = (uint)zz_5; @@ -837,8 +837,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_6 = x[6]; - ulong zz_11 = zz[11]; - ulong zz_12 = zz[12]; + ulong zz_11 = zz[11] + (zz_10 >> 32); zz_10 &= M; + ulong zz_12 = zz[12] + (zz_11 >> 32); zz_11 &= M; { zz_6 += x_6 * x_0; w = (uint)zz_6; @@ -925,8 +925,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_3 = x[xOff + 3]; - ulong zz_5 = zz[zzOff + 5]; - ulong zz_6 = zz[zzOff + 6]; + ulong zz_5 = zz[zzOff + 5] + (zz_4 >> 32); zz_4 &= M; + ulong zz_6 = zz[zzOff + 6] + (zz_5 >> 32); zz_5 &= M; { zz_3 += x_3 * x_0; w = (uint)zz_3; @@ -940,8 +940,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_4 = x[xOff + 4]; - ulong zz_7 = zz[zzOff + 7]; - ulong zz_8 = zz[zzOff + 8]; + ulong zz_7 = zz[zzOff + 7] + (zz_6 >> 32); zz_6 &= M; + ulong zz_8 = zz[zzOff + 8] + (zz_7 >> 32); zz_7 &= M; { zz_4 += x_4 * x_0; w = (uint)zz_4; @@ -957,8 +957,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_5 = x[xOff + 5]; - ulong zz_9 = zz[zzOff + 9]; - ulong zz_10 = zz[zzOff + 10]; + ulong zz_9 = zz[zzOff + 9] + (zz_8 >> 32); zz_8 &= M; + ulong zz_10 = zz[zzOff + 10] + (zz_9 >> 32); zz_9 &= M; { zz_5 += x_5 * x_0; w = (uint)zz_5; @@ -976,8 +976,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_6 = x[xOff + 6]; - ulong zz_11 = zz[zzOff + 11]; - ulong zz_12 = zz[zzOff + 12]; + ulong zz_11 = zz[zzOff + 11] + (zz_10 >> 32); zz_10 &= M; + ulong zz_12 = zz[zzOff + 12] + (zz_11 >> 32); zz_11 &= M; { zz_6 += x_6 * x_0; w = (uint)zz_6; diff --git a/crypto/src/math/raw/Nat256.cs b/crypto/src/math/raw/Nat256.cs index 19455031a..09c751a5a 100644 --- a/crypto/src/math/raw/Nat256.cs +++ b/crypto/src/math/raw/Nat256.cs @@ -917,8 +917,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_3 = x[3]; - ulong zz_5 = zz[5]; - ulong zz_6 = zz[6]; + ulong zz_5 = zz[5] + (zz_4 >> 32); zz_4 &= M; + ulong zz_6 = zz[6] + (zz_5 >> 32); zz_5 &= M; { zz_3 += x_3 * x_0; w = (uint)zz_3; @@ -932,8 +932,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_4 = x[4]; - ulong zz_7 = zz[7]; - ulong zz_8 = zz[8]; + ulong zz_7 = zz[7] + (zz_6 >> 32); zz_6 &= M; + ulong zz_8 = zz[8] + (zz_7 >> 32); zz_7 &= M; { zz_4 += x_4 * x_0; w = (uint)zz_4; @@ -949,8 +949,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_5 = x[5]; - ulong zz_9 = zz[9]; - ulong zz_10 = zz[10]; + ulong zz_9 = zz[9] + (zz_8 >> 32); zz_8 &= M; + ulong zz_10 = zz[10] + (zz_9 >> 32); zz_9 &= M; { zz_5 += x_5 * x_0; w = (uint)zz_5; @@ -968,8 +968,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_6 = x[6]; - ulong zz_11 = zz[11]; - ulong zz_12 = zz[12]; + ulong zz_11 = zz[11] + (zz_10 >> 32); zz_10 &= M; + ulong zz_12 = zz[12] + (zz_11 >> 32); zz_11 &= M; { zz_6 += x_6 * x_0; w = (uint)zz_6; @@ -989,8 +989,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_7 = x[7]; - ulong zz_13 = zz[13]; - ulong zz_14 = zz[14]; + ulong zz_13 = zz[13] + (zz_12 >> 32); zz_12 &= M; + ulong zz_14 = zz[14] + (zz_13 >> 32); zz_13 &= M; { zz_7 += x_7 * x_0; w = (uint)zz_7; @@ -1081,8 +1081,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_3 = x[xOff + 3]; - ulong zz_5 = zz[zzOff + 5]; - ulong zz_6 = zz[zzOff + 6]; + ulong zz_5 = zz[zzOff + 5] + (zz_4 >> 32); zz_4 &= M; + ulong zz_6 = zz[zzOff + 6] + (zz_5 >> 32); zz_5 &= M; { zz_3 += x_3 * x_0; w = (uint)zz_3; @@ -1096,8 +1096,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_4 = x[xOff + 4]; - ulong zz_7 = zz[zzOff + 7]; - ulong zz_8 = zz[zzOff + 8]; + ulong zz_7 = zz[zzOff + 7] + (zz_6 >> 32); zz_6 &= M; + ulong zz_8 = zz[zzOff + 8] + (zz_7 >> 32); zz_7 &= M; { zz_4 += x_4 * x_0; w = (uint)zz_4; @@ -1113,8 +1113,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_5 = x[xOff + 5]; - ulong zz_9 = zz[zzOff + 9]; - ulong zz_10 = zz[zzOff + 10]; + ulong zz_9 = zz[zzOff + 9] + (zz_8 >> 32); zz_8 &= M; + ulong zz_10 = zz[zzOff + 10] + (zz_9 >> 32); zz_9 &= M; { zz_5 += x_5 * x_0; w = (uint)zz_5; @@ -1132,8 +1132,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_6 = x[xOff + 6]; - ulong zz_11 = zz[zzOff + 11]; - ulong zz_12 = zz[zzOff + 12]; + ulong zz_11 = zz[zzOff + 11] + (zz_10 >> 32); zz_10 &= M; + ulong zz_12 = zz[zzOff + 12] + (zz_11 >> 32); zz_11 &= M; { zz_6 += x_6 * x_0; w = (uint)zz_6; @@ -1153,8 +1153,8 @@ namespace Org.BouncyCastle.Math.Raw } ulong x_7 = x[xOff + 7]; - ulong zz_13 = zz[zzOff + 13]; - ulong zz_14 = zz[zzOff + 14]; + ulong zz_13 = zz[zzOff + 13] + (zz_12 >> 32); zz_12 &= M; + ulong zz_14 = zz[zzOff + 14] + (zz_13 >> 32); zz_13 &= M; { zz_7 += x_7 * x_0; w = (uint)zz_7; diff --git a/crypto/test/UnitTests.csproj b/crypto/test/UnitTests.csproj index b4c53092b..fe4dd9583 100644 --- a/crypto/test/UnitTests.csproj +++ b/crypto/test/UnitTests.csproj @@ -312,6 +312,8 @@ + + diff --git a/crypto/test/src/math/ec/custom/sec/test/SecP256R1FieldTest.cs b/crypto/test/src/math/ec/custom/sec/test/SecP256R1FieldTest.cs new file mode 100644 index 000000000..374b1ecd1 --- /dev/null +++ b/crypto/test/src/math/ec/custom/sec/test/SecP256R1FieldTest.cs @@ -0,0 +1,181 @@ +using System; + +using NUnit.Framework; + +using Org.BouncyCastle.Asn1.Sec; +using Org.BouncyCastle.Asn1.X9; +using Org.BouncyCastle.Crypto.EC; +using Org.BouncyCastle.Math.Raw; +using Org.BouncyCastle.Security; + +namespace Org.BouncyCastle.Math.EC.Custom.Sec.Tests +{ + [TestFixture] + public class SecP256R1FieldTest + { + private static readonly SecureRandom Random = new SecureRandom(); + + private static readonly X9ECParameters DP = CustomNamedCurves + .GetByOid(SecObjectIdentifiers.SecP256r1); + private static readonly BigInteger Q = DP.Curve.Field.Characteristic; + + [Test] + public void TestMultiply1() + { + int COUNT = 1000; + + for (int i = 0; i < COUNT; ++i) + { + ECFieldElement x = GenerateMultiplyInput_Random(); + ECFieldElement y = GenerateMultiplyInput_Random(); + + BigInteger X = x.ToBigInteger(), Y = y.ToBigInteger(); + BigInteger R = X.Multiply(Y).Mod(Q); + + ECFieldElement z = x.Multiply(y); + BigInteger Z = z.ToBigInteger(); + + Assert.AreEqual(R, Z); + } + } + + [Test] + public void TestMultiply2() + { + int COUNT = 100; + ECFieldElement[] inputs = new ECFieldElement[COUNT]; + BigInteger[] INPUTS = new BigInteger[COUNT]; + + for (int i = 0; i < inputs.Length; ++i) + { + inputs[i] = GenerateMultiplyInput_Random(); + INPUTS[i] = inputs[i].ToBigInteger(); + } + + for (int j = 0; j < inputs.Length; ++j) + { + for (int k = 0; k < inputs.Length; ++k) + { + BigInteger R = INPUTS[j].Multiply(INPUTS[k]).Mod(Q); + + ECFieldElement z = inputs[j].Multiply(inputs[k]); + BigInteger Z = z.ToBigInteger(); + + Assert.AreEqual(R, Z); + } + } + } + + [Test] + public void TestSquare() + { + int COUNT = 1000; + + for (int i = 0; i < COUNT; ++i) + { + ECFieldElement x = GenerateMultiplyInput_Random(); + + BigInteger X = x.ToBigInteger(); + BigInteger R = X.Multiply(X).Mod(Q); + + ECFieldElement z = x.Square(); + BigInteger Z = z.ToBigInteger(); + + Assert.AreEqual(R, Z); + } + } + + /** + * Test multiplication with specifically selected values that triggered a bug in the modular + * reduction in OpenSSL (last affected version 0.9.8g). + * + * See "Practical realisation and elimination of an ECC-related software bug attack", B. B. + * Brumley, M. Barbarosa, D. Page, F. Vercauteren. + */ + [Test] + public void TestMultiply_OpenSSLBug() + { + int COUNT = 100; + + for (int i = 0; i < COUNT; ++i) + { + ECFieldElement x = GenerateMultiplyInputA_OpenSSLBug(); + ECFieldElement y = GenerateMultiplyInputB_OpenSSLBug(); + + BigInteger X = x.ToBigInteger(), Y = y.ToBigInteger(); + BigInteger R = X.Multiply(Y).Mod(Q); + + ECFieldElement z = x.Multiply(y); + BigInteger Z = z.ToBigInteger(); + + Assert.AreEqual(R, Z); + } + } + + /** + * Test squaring with specifically selected values that triggered a bug in the modular reduction + * in OpenSSL (last affected version 0.9.8g). + * + * See "Practical realisation and elimination of an ECC-related software bug attack", B. B. + * Brumley, M. Barbarosa, D. Page, F. Vercauteren. + */ + [Test] + public void TestSquare_OpenSSLBug() + { + int COUNT = 100; + + for (int i = 0; i < COUNT; ++i) + { + ECFieldElement x = GenerateSquareInput_OpenSSLBug(); + + BigInteger X = x.ToBigInteger(); + BigInteger R = X.Multiply(X).Mod(Q); + + ECFieldElement z = x.Square(); + BigInteger Z = z.ToBigInteger(); + + Assert.AreEqual(R, Z); + } + } + + private ECFieldElement FE(BigInteger x) + { + return DP.Curve.FromBigInteger(x); + } + + private ECFieldElement GenerateMultiplyInput_Random() + { + return FE(new BigInteger(DP.Curve.FieldSize + 32, Random).Mod(Q)); + } + + private ECFieldElement GenerateMultiplyInputA_OpenSSLBug() + { + uint[] x = Nat256.Create(); + x[0] = (uint)Random.NextInt() >> 1; + x[4] = 3; + x[7] = 0xFFFFFFFF; + + return FE(Nat256.ToBigInteger(x)); + } + + private ECFieldElement GenerateMultiplyInputB_OpenSSLBug() + { + uint[] x = Nat256.Create(); + x[0] = (uint)Random.NextInt() >> 1; + x[3] = 1; + x[7] = 0xFFFFFFFF; + + return FE(Nat256.ToBigInteger(x)); + } + + private ECFieldElement GenerateSquareInput_OpenSSLBug() + { + uint[] x = Nat256.Create(); + x[0] = (uint)Random.NextInt() >> 1; + x[4] = 2; + x[7] = 0xFFFFFFFF; + + return FE(Nat256.ToBigInteger(x)); + } + } +} diff --git a/crypto/test/src/math/ec/custom/sec/test/SecP384R1FieldTest.cs b/crypto/test/src/math/ec/custom/sec/test/SecP384R1FieldTest.cs new file mode 100644 index 000000000..86ec4894f --- /dev/null +++ b/crypto/test/src/math/ec/custom/sec/test/SecP384R1FieldTest.cs @@ -0,0 +1,146 @@ +using System; + +using NUnit.Framework; + +using Org.BouncyCastle.Asn1.Sec; +using Org.BouncyCastle.Asn1.X9; +using Org.BouncyCastle.Crypto.EC; +using Org.BouncyCastle.Math.Raw; +using Org.BouncyCastle.Security; + +namespace Org.BouncyCastle.Math.EC.Custom.Sec.Tests +{ + [TestFixture] + public class SecP384R1FieldTest + { + private static readonly SecureRandom Random = new SecureRandom(); + + private static readonly X9ECParameters DP = CustomNamedCurves + .GetByOid(SecObjectIdentifiers.SecP384r1); + private static readonly BigInteger Q = DP.Curve.Field.Characteristic; + + [Test] + public void TestMultiply1() + { + int COUNT = 1000; + + for (int i = 0; i < COUNT; ++i) + { + ECFieldElement x = GenerateMultiplyInput_Random(); + ECFieldElement y = GenerateMultiplyInput_Random(); + + BigInteger X = x.ToBigInteger(), Y = y.ToBigInteger(); + BigInteger R = X.Multiply(Y).Mod(Q); + + ECFieldElement z = x.Multiply(y); + BigInteger Z = z.ToBigInteger(); + + Assert.AreEqual(R, Z); + } + } + + [Test] + public void TestMultiply2() + { + int COUNT = 100; + ECFieldElement[] inputs = new ECFieldElement[COUNT]; + BigInteger[] INPUTS = new BigInteger[COUNT]; + + for (int i = 0; i < inputs.Length; ++i) + { + inputs[i] = GenerateMultiplyInput_Random(); + INPUTS[i] = inputs[i].ToBigInteger(); + } + + for (int j = 0; j < inputs.Length; ++j) + { + for (int k = 0; k < inputs.Length; ++k) + { + BigInteger R = INPUTS[j].Multiply(INPUTS[k]).Mod(Q); + + ECFieldElement z = inputs[j].Multiply(inputs[k]); + BigInteger Z = z.ToBigInteger(); + + Assert.AreEqual(R, Z); + } + } + } + + [Test] + public void TestSquare() + { + int COUNT = 1000; + + for (int i = 0; i < COUNT; ++i) + { + ECFieldElement x = GenerateMultiplyInput_Random(); + + BigInteger X = x.ToBigInteger(); + BigInteger R = X.Multiply(X).Mod(Q); + + ECFieldElement z = x.Square(); + BigInteger Z = z.ToBigInteger(); + + Assert.AreEqual(R, Z); + } + } + + [Test] + public void TestSquare_CarryBug() + { + int COUNT = 100; + + for (int i = 0; i < COUNT; ++i) + { + ECFieldElement x = GenerateSquareInput_CarryBug(); + + BigInteger X = x.ToBigInteger(); + BigInteger R = X.Multiply(X).Mod(Q); + + ECFieldElement z = x.Square(); + BigInteger Z = z.ToBigInteger(); + + Assert.AreEqual(R, Z); + } + } + + /* + * Based on another example input demonstrating the carry propagation bug in Nat192.square, as + * reported by Joseph Friel on dev-crypto. + */ + [Test] + public void TestSquare_CarryBug_Reported() + { + ECFieldElement x = FE(new BigInteger("2fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd", 16)); + + BigInteger X = x.ToBigInteger(); + BigInteger R = X.Multiply(X).Mod(Q); + + ECFieldElement z = x.Square(); + BigInteger Z = z.ToBigInteger(); + + Assert.AreEqual(R, Z); + } + + private ECFieldElement FE(BigInteger x) + { + return DP.Curve.FromBigInteger(x); + } + + private ECFieldElement GenerateMultiplyInput_Random() + { + return FE(new BigInteger(DP.Curve.FieldSize + 32, Random).Mod(Q)); + } + + private ECFieldElement GenerateSquareInput_CarryBug() + { + uint[] x = Nat.Create(12); + x[0] = (uint)Random.NextInt() >> 1; + x[6] = 2; + x[10] = 0xFFFF0000; + x[11] = 0xFFFFFFFF; + + return FE(Nat.ToBigInteger(12, x)); + } + } +} -- cgit 1.5.1 From 96e500fd17aac287d0682aaf58c7f1f4341e1fd6 Mon Sep 17 00:00:00 2001 From: David Hook Date: Wed, 28 Dec 2016 22:01:08 +1100 Subject: fixed head of loop to use primitive type. --- crypto/src/x509/extension/X509ExtensionUtil.cs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'crypto/src') diff --git a/crypto/src/x509/extension/X509ExtensionUtil.cs b/crypto/src/x509/extension/X509ExtensionUtil.cs index 845a87bad..5f65ebfda 100644 --- a/crypto/src/x509/extension/X509ExtensionUtil.cs +++ b/crypto/src/x509/extension/X509ExtensionUtil.cs @@ -44,9 +44,11 @@ namespace Org.BouncyCastle.X509.Extension { Asn1Sequence seq = DerSequence.GetInstance(FromExtensionValue(extVal)); - foreach (GeneralName genName in seq) + foreach (Asn1Encodable primName in seq) { IList list = Platform.CreateArrayList(); + GeneralName genName = GeneralName.GetInstance(primName); + list.Add(genName.TagNo); switch (genName.TagNo) -- cgit 1.5.1