yggdrasil/ring
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Switch to ? syntax in ring::rsa.

Browse Source
This commit is contained in:
Brian Smith 2017-05-17 21:35:53 -10:00
parent cfb1018a86
commit f66121467d
8 changed files with 211 additions and 230 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

174
src/rsa/bigint.rs
View File

@ -71,7 +71,7 @@ impl Positive {
#[cfg(feature = "rsa_signing")]
pub fn from_der(input: &mut untrusted::Reader)
-> Result<Positive, error::Unspecified> {
Self::from_be_bytes(try!(der::positive_integer(input)))
Self::from_be_bytes(der::positive_integer(input)?)
}
// Turns a sequence of big-endian bytes into a Positive Integer.
@ -87,7 +87,7 @@ impl Positive {
pub fn from_be_bytes_padded(input: untrusted::Input)
-> Result<Self, error::Unspecified> {
let r = try!(Nonnegative::from_be_bytes_padded(input));
let r = Nonnegative::from_be_bytes_padded(input)?;
if r.is_zero() {
return Err(error::Unspecified);
}
@ -120,7 +120,7 @@ impl OddPositive {
#[cfg(feature = "rsa_signing")]
pub fn try_clone(&self) -> Result<OddPositive, error::Unspecified> {
let value = try!((self.0).0.try_clone());
let value = (self.0).0.try_clone()?;
Ok(OddPositive(Positive(value)))
}
@ -297,7 +297,7 @@ impl<M, E> Elem<M, E> {
// 0 * R**2 (mod m) == 0, so the modulus isn't even needed to construct a
// zero-valued element.
pub fn zero() -> Result<Self, error::Unspecified> {
let value = try!(Nonnegative::zero());
let value = Nonnegative::zero()?;
Ok(Elem {
value: value,
m: PhantomData,
@ -318,7 +318,7 @@ impl<M, E> Elem<M, E> {
}
pub fn try_clone(&self) -> Result<Self, error::Unspecified> {
let value = try!(self.value.try_clone());
let value = self.value.try_clone()?;
Ok(Elem {
value: value,
m: PhantomData,
@ -338,7 +338,7 @@ impl<M> Elem<M, R> {
impl<M> Elem<M, Unencoded> {
#[cfg(feature = "rsa_signing")]
pub fn one() -> Result<Self, error::Unspecified> {
let value = try!(Nonnegative::one());
let value = Nonnegative::one()?;
Ok(Elem {
value: value,
m: PhantomData,
@ -361,7 +361,7 @@ impl<M> Elem<M, Unencoded> {
#[cfg(feature = "rsa_signing")]
pub fn into_modulus<MM>(self) -> Result<Modulus<MM>, error::Unspecified> {
let value = try!(self.value.into_odd_positive());
let value = self.value.into_odd_positive()?;
value.into_modulus()
}
}
@ -371,10 +371,10 @@ pub fn elem_mul<M, AF, BF>(a: &Elem<M, AF>, b: Elem<M, BF>, m: &Modulus<M>)
error::Unspecified>
where (AF, BF): ProductEncoding {
let mut r = b.value;
try!(bssl::map_result(unsafe {
bssl::map_result(unsafe {
GFp_BN_mod_mul_mont(&mut r.0, a.value.as_ref(), &r.0, &m.value.as_ref(),
&m.n0)
}));
})?;
Ok(Elem {
value: r,
m: PhantomData,
@ -399,13 +399,13 @@ pub fn elem_set_to_product<M, AF, BF>(
pub fn elem_reduced_once<Larger, Smaller: SlightlySmallerModulus<Larger>>(
a: &Elem<Larger, Unencoded>, m: &Modulus<Smaller>)
-> Result<Elem<Smaller, Unencoded>, error::Unspecified> {
let mut r = try!(a.value.try_clone());
let mut r = a.value.try_clone()?;
let m_limbs = (m.value.0).0.limbs();
assert!(r.limbs().len() <= m_limbs.len());
try!(r.0.make_limbs(m_limbs.len(), |r_limbs| {
r.0.make_limbs(m_limbs.len(), |r_limbs| {
limb::limbs_reduce_once_constant_time(r_limbs, m_limbs);
Ok(())
}));
})?;
debug_assert!(greater_than(&(m.value.0).0, &r));
Ok(Elem {
value: r,
@ -419,7 +419,7 @@ pub fn elem_reduced_once<Larger, Smaller: SlightlySmallerModulus<Larger>>(
pub fn elem_reduced<Larger, Smaller: NotMuchSmallerModulus<Larger>>(
a: &Elem<Larger, Unencoded>, m: &Modulus<Smaller>)
-> Result<Elem<Smaller, RInverse>, error::Unspecified> {
let tmp = try!(a.try_clone());
let tmp = a.try_clone()?;
elem_reduced_(tmp, m)
}
@ -427,11 +427,11 @@ fn elem_reduced_<LargerM, E: ReductionEncoding, SmallerM>(
mut a: Elem<LargerM, E>, m: &Modulus<SmallerM>)
-> Result<Elem<SmallerM, <E as ReductionEncoding>::Output>,
error::Unspecified> {
let mut r = try!(Elem::zero());
try!(bssl::map_result(unsafe {
let mut r = Elem::zero()?;
bssl::map_result(unsafe {
GFp_BN_from_montgomery_word(r.value.as_mut_ref(), a.value.as_mut_ref(),
&m.value.as_ref(), &m.n0)
}));
})?;
Ok(r)
}
@ -440,10 +440,10 @@ pub fn elem_squared<M, E>(a: Elem<M, E>, m: &Modulus<M>)
error::Unspecified>
where (E, E): ProductEncoding {
let mut value = a.value;
try!(bssl::map_result(unsafe {
bssl::map_result(unsafe {
GFp_BN_mod_mul_mont(value.as_mut_ref(), value.as_ref(), value.as_ref(),
&m.value.as_ref(), &m.n0)
}));
})?;
Ok(Elem {
value: value,
m: PhantomData,
@ -467,7 +467,7 @@ pub fn elem_widen<Larger, Smaller: SmallerModulus<Larger>>(
pub fn elem_add<M, E>(mut a: Elem<M, E>, mut b: Elem<M, E>, m: &Modulus<M>)
-> Result<Elem<M, E>, error::Unspecified> {
let m = (m.value.0).0.limbs();
try!(a.value.0.make_limbs(m.len(), |a_limbs| {
a.value.0.make_limbs(m.len(), |a_limbs| {
b.value.0.make_limbs(m.len(), |b_limbs| {
unsafe {
LIMBS_add_mod(a_limbs.as_mut_ptr(), a_limbs.as_ptr(),
@ -475,7 +475,7 @@ pub fn elem_add<M, E>(mut a: Elem<M, E>, mut b: Elem<M, E>, m: &Modulus<M>)
}
Ok(())
})
}));
})?;
Ok(a)
}
@ -484,7 +484,7 @@ pub fn elem_add<M, E>(mut a: Elem<M, E>, mut b: Elem<M, E>, m: &Modulus<M>)
pub fn elem_sub<M, E>(mut a: Elem<M, E>, b: &Elem<M, E>, m: &Modulus<M>)
-> Result<Elem<M, E>, error::Unspecified> {
let m_limbs = (m.value.0).0.limbs();
try!(a.value.0.make_limbs(m_limbs.len(), |a_limbs| {
a.value.0.make_limbs(m_limbs.len(), |a_limbs| {
let b_limbs = b.value.limbs();
unsafe {
// XXX Not constant-time, even though it looks like it might be.
@ -492,7 +492,7 @@ pub fn elem_sub<M, E>(mut a: Elem<M, E>, b: &Elem<M, E>, m: &Modulus<M>)
m_limbs.as_ptr(), m_limbs.len(), b_limbs.len())
}
Ok(())
}));
})?;
Ok(a)
}
@ -504,15 +504,15 @@ pub struct One<M, E>(Elem<M, E>);
impl<M> One<M, R> {
pub fn newR(oneRR: &One<M, RR>, m: &Modulus<M>)
-> Result<One<M, R>, error::Unspecified> {
let value: Elem<M> = try!(Elem::one());
let value: Elem<M, R> = try!(elem_mul(oneRR.as_ref(), value, &m));
let value: Elem<M> = Elem::one()?;
let value: Elem<M, R> = elem_mul(oneRR.as_ref(), value, &m)?;
Ok(One(value))
}
}
impl<M> One<M, RR> {
pub fn newRR(m: &Modulus<M>) -> Result<One<M, RR>, error::Unspecified> {
let RR = try!(calculate_RR(&(m.value.0).0));
let RR = calculate_RR(&(m.value.0).0)?;
Ok(One(Elem {
value: RR,
m: PhantomData,
@ -535,11 +535,11 @@ fn calculate_RR(m: &Nonnegative) -> Result<Nonnegative, error::Unspecified> {
let lg_RR = ((m_bits + (LIMB_BITS - 1)) / LIMB_BITS * LIMB_BITS) * 2;
let mut r = try!(Nonnegative::zero());
let mut r = Nonnegative::zero()?;
let num_limbs = m.limbs().len();
try!(r.as_mut_ref().make_limbs(num_limbs, |limbs| {
r.as_mut_ref().make_limbs(num_limbs, |limbs| {
// Zero all the limbs.
for limb in limbs.iter_mut() {
*limb = 0;
@ -559,7 +559,7 @@ fn calculate_RR(m: &Nonnegative) -> Result<Nonnegative, error::Unspecified> {
}
Ok(())
}));
})?;
Ok(r)
}
@ -568,7 +568,7 @@ fn calculate_RR(m: &Nonnegative) -> Result<Nonnegative, error::Unspecified> {
impl<M> One<M, RRR> {
pub fn newRRR(oneRR: One<M, RR>, m: &Modulus<M>)
-> Result<One<M, RRR>, error::Unspecified> {
let oneRRR = try!(elem_squared(oneRR.0, &m));
let oneRRR = elem_squared(oneRR.0, &m)?;
Ok(One(oneRRR))
}
}
@ -580,7 +580,7 @@ impl<M, E> AsRef<Elem<M, E>> for One<M, E> {
#[cfg(feature = "rsa_signing")]
impl<M, E> One<M, E> {
pub fn try_clone(&self) -> Result<Self, error::Unspecified> {
let value = try!(self.0.try_clone());
let value = self.0.try_clone()?;
Ok(One(value))
}
}
@ -631,14 +631,14 @@ pub fn elem_exp_vartime<M>(
// Algorithms (3rd Edition), Section 4.6.3.
debug_assert_eq!(exponent & 1, 1);
assert!(exponent < (1 << PUBLIC_EXPONENT_MAX_BITS.as_usize_bits()));
let mut acc = try!(base.try_clone());
let mut acc = base.try_clone()?;
let mut bit = 1 << (64 - 1 - exponent.leading_zeros());
debug_assert!((exponent & bit) != 0);
while bit > 1 {
bit >>= 1;
acc = try!(elem_squared(acc, m));
acc = elem_squared(acc, m)?;
if (exponent & bit) != 0 {
acc = try!(elem_mul(&base, acc, m));
acc = elem_mul(&base, acc, m)?;
}
}
Ok(acc)
@ -649,12 +649,12 @@ pub fn elem_exp_consttime<M>(
base: Elem<M, R>, exponent: &OddPositive, oneR: &One<M, R>,
m: &Modulus<M>) -> Result<Elem<M, Unencoded>, error::Unspecified> {
let mut r = base.value;
try!(bssl::map_result(unsafe {
bssl::map_result(unsafe {
GFp_BN_mod_exp_mont_consttime(&mut r.0, &r.0, exponent.as_ref(),
exponent.0.bit_length().as_usize_bits(),
oneR.0.value.as_ref(), &m.value.as_ref(),
&m.n0)
}));
})?;
let r = Elem {
value: r,
m: PhantomData,
@ -671,7 +671,7 @@ pub fn elem_exp_consttime<M>(
// practical.
#[cfg(not(target_arch = "x86_64"))]
let r = try!(r.into_unencoded(m));
let r = r.into_unencoded(m)?;
Ok(r)
}
@ -692,12 +692,12 @@ pub fn elem_set_to_inverse_blinded(
r: &mut Elem<super::N, R>, a: &Elem<super::N, Unencoded>,
n: &Modulus<super::N>, rng: &rand::SecureRandom)
-> Result<(), InversionError> {
let mut blinding_factor = try!(Elem::<super::N, R>::zero());
try!(elem_randomize(&mut blinding_factor, n, rng));
let to_blind = try!(a.try_clone());
let blinded = try!(elem_mul(&blinding_factor, to_blind, n));
let blinded_inverse = try!(elem_inverse(blinded, n));
try!(elem_set_to_product(r, &blinding_factor, &blinded_inverse, n));
let mut blinding_factor = Elem::<super::N, R>::zero()?;
elem_randomize(&mut blinding_factor, n, rng)?;
let to_blind = a.try_clone()?;
let blinded = elem_mul(&blinding_factor, to_blind, n)?;
let blinded_inverse = elem_inverse(blinded, n)?;
elem_set_to_product(r, &blinding_factor, &blinded_inverse, n)?;
Ok(())
}
@ -708,8 +708,8 @@ pub fn elem_set_to_inverse_blinded(
#[cfg(feature = "rsa_signing")]
fn elem_inverse<M>(a: Elem<M, Unencoded>, m: &Modulus<M>)
-> Result<Elem<M, R>, InversionError> {
let a_clone = try!(a.try_clone());
let inverse = try!(nonnegative_mod_inverse(a.value, &(m.value.0).0));
let a_clone = a.try_clone()?;
let inverse = nonnegative_mod_inverse(a.value, &(m.value.0).0)?;
let r: Elem<M, R> = Elem {
value: inverse,
m: PhantomData,
@ -717,7 +717,7 @@ fn elem_inverse<M>(a: Elem<M, Unencoded>, m: &Modulus<M>)
};
// Fail safe: Verify a * r == 1 (mod m).
let check = try!(elem_mul(&r, a_clone, m));
let check = elem_mul(&r, a_clone, m)?;
assert!(check.is_one());
Ok(r)
@ -758,7 +758,7 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative)
carry = original_value >> (LIMB_BITS - 1);
}
if carry != 0 {
try!(n.0.grow_by_one_bit());
n.0.grow_by_one_bit()?;
}
Ok(())
}
@ -767,7 +767,7 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative)
fn add_assign(r: &mut Nonnegative, a: &mut Nonnegative, m_limb_count: usize)
-> Result<(), error::Unspecified> {
let mut carry = 0;
try!(r.0.make_limbs(m_limb_count, |r_limbs| {
r.0.make_limbs(m_limb_count, |r_limbs| {
a.0.make_limbs(m_limb_count, |a_limbs| {
carry = unsafe {
LIMBS_add_assign(r_limbs.as_mut_ptr(), a_limbs.as_ptr(),
@ -775,10 +775,10 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative)
};
Ok(())
})
}));
})?;
// It is possible for the result to be one bit larger than `m`.
if carry != 0 {
try!(r.0.grow_by_one_bit())
r.0.grow_by_one_bit()?
}
Ok(())
}
@ -799,9 +799,9 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative)
}
let mut u = a;
let mut v = try!(m.try_clone());
let mut x1 = try!(Nonnegative::one());
let mut x2 = try!(Nonnegative::zero());
let mut v = m.try_clone()?;
let mut x1 = Nonnegative::one()?;
let mut x2 = Nonnegative::zero()?;
let mut k = 0;
let m_limbs = m.limbs();
@ -810,20 +810,20 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative)
while !v.is_zero() {
if v.is_even() {
halve(&mut v);
try!(double(&mut x1));
double(&mut x1)?;
} else if u.is_even() {
halve(&mut u);
try!(double(&mut x2));
double(&mut x2)?;
} else if !greater_than(&u, &v) {
try!(sub_assign(&mut v, &mut u, m_limb_count));
sub_assign(&mut v, &mut u, m_limb_count)?;
halve(&mut v);
try!(add_assign(&mut x2, &mut x1, m_limb_count));
try!(double(&mut x1));
add_assign(&mut x2, &mut x1, m_limb_count)?;
double(&mut x1)?;
} else {
try!(sub_assign(&mut u, &mut v, m_limb_count));
sub_assign(&mut u, &mut v, m_limb_count)?;
halve(&mut u);
try!(add_assign(&mut x1, &mut x2, m_limb_count));
try!(double(&mut x2));
add_assign(&mut x1, &mut x2, m_limb_count)?;
double(&mut x2)?;
}
k += 1;
}
@ -836,13 +836,13 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative)
if !greater_than(m, &x1) {
debug_assert!(x1.limbs().len() <= m_limb_count + 1);
// If `x` is longer than `m` then chop off that top bit.
try!(x1.0.make_limbs(m_limb_count, |x1_limbs| {
x1.0.make_limbs(m_limb_count, |x1_limbs| {
unsafe {
LIMBS_sub_assign(x1_limbs.as_mut_ptr(), m_limbs.as_ptr(),
m_limb_count);
}
Ok(())
}));
})?;
}
assert!(greater_than(m, &x1));
@ -854,13 +854,13 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative)
let mut carry = 0;
if x1.is_odd() {
// x1 += m.
try!(x1.0.make_limbs(m_limb_count, |x1_limbs| {
x1.0.make_limbs(m_limb_count, |x1_limbs| {
carry = unsafe {
LIMBS_add_assign(x1_limbs.as_mut_ptr(), m_limbs.as_ptr(),
m_limb_count)
};
Ok(())
}));
})?;
}
// x1 /= 2.
@ -868,10 +868,10 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative)
// Shift in the carry bit at the top.
if carry != 0 {
try!(x1.0.make_limbs(m_limb_count, |limbs| {
x1.0.make_limbs(m_limb_count, |limbs| {
*limbs.last_mut().unwrap() |= 1 << (LIMB_BITS - 1);
Ok(())
}));
})?;
}
}
@ -912,23 +912,23 @@ impl Nonnegative {
#[cfg(feature = "rsa_signing")]
fn one() -> Result<Self, error::Unspecified> {
let mut r = try!(Self::zero());
try!(r.0.make_limbs(1, |limbs| {
let mut r = Self::zero()?;
r.0.make_limbs(1, |limbs| {
limbs[0] = 1;
Ok(())
}));
})?;
Ok(r)
}
pub fn from_be_bytes_padded(input: untrusted::Input)
-> Result<Self, error::Unspecified> {
let mut r = try!(Self::zero());
try!(r.0.make_limbs(
let mut r = Self::zero()?;
r.0.make_limbs(
((input.len() * limb::LIMB_BYTES) + limb::LIMB_BYTES - 1) /
limb::LIMB_BYTES, |limbs| {
// Rejects empty inputs.
limb::parse_big_endian_and_pad_consttime(input, limbs)
}));
})?;
Ok(r)
}
@ -987,7 +987,7 @@ impl Nonnegative {
fn into_elem<M>(self, m: &Modulus<M>)
-> Result<Elem<M, Unencoded>, error::Unspecified> {
try!(self.verify_less_than(&(m.value.0).0));
self.verify_less_than(&(m.value.0).0)?;
Ok(Elem {
value: self,
m: PhantomData,
@ -1003,10 +1003,10 @@ impl Nonnegative {
}
pub fn try_clone(&self) -> Result<Nonnegative, error::Unspecified> {
let mut r = try!(Nonnegative::zero());
try!(bssl::map_result(unsafe {
let mut r = Nonnegative::zero()?;
bssl::map_result(unsafe {
GFp_BN_copy(r.as_mut_ref(), self.as_ref())
}));
})?;
Ok(r)
}
}
@ -1100,9 +1100,9 @@ mod repr_c {
pub fn grow_by_one_bit(&mut self) -> Result<(), error::Unspecified> {
let old_top = self.top;
let new_top = old_top + 1;
try!(bssl::map_result(unsafe {
bssl::map_result(unsafe {
GFp_bn_wexpand(self, new_top)
}));
})?;
self.top = new_top;
self.limbs_mut()[old_top as usize] = 1;
Ok(())
@ -1123,9 +1123,9 @@ mod repr_c {
self.top = num_limbs as c::int;
} else {
let old_top = self.top as usize;
try!(bssl::map_result(unsafe {
bssl::map_result(unsafe {
GFp_bn_wexpand(self, num_limbs as c::int)
}));
})?;
self.top = num_limbs as c::int;
// Zero the new upper limbs, leaving the old lower limbs untouched.
@ -1134,7 +1134,7 @@ mod repr_c {
}
}
try!(f(self.limbs_mut()));
f(self.limbs_mut())?;
unsafe {
GFp_bn_correct_top(self)
@ -1289,8 +1289,8 @@ mod tests {
Err(InversionError::Unspecified) => unreachable!("Unspecified"),
Err(InversionError::NoInverse) => unreachable!("No Inverse"),
};
let one: Elem<M, Unencoded> = try!(Elem::one());
let actual_result = try!(elem_mul(&one, actual_result, &m));
let one: Elem<M, Unencoded> = Elem::one()?;
let actual_result = elem_mul(&one, actual_result, &m)?;
assert_elem_eq(&actual_result, &expected_result);
Ok(())
})
@ -1310,11 +1310,11 @@ mod tests {
let n = consume_modulus::<N>(test_case, "M");
let a = consume_elem(test_case, "A", &n);
let expected_result = consume_elem(test_case, "R", &n);
let mut actual_result = try!(Elem::<N, R>::zero());
let mut actual_result = Elem::<N, R>::zero()?;
assert!(elem_set_to_inverse_blinded(&mut actual_result, &a, &n,
&rng).is_ok());
let one: Elem<N, Unencoded> = try!(Elem::one());
let actual_result = try!(elem_mul(&one, actual_result, &n));
let one: Elem<N, Unencoded> = Elem::one()?;
let actual_result = elem_mul(&one, actual_result, &n)?;
assert_elem_eq(&actual_result, &expected_result);
Ok(())
})
@ -1351,7 +1351,7 @@ mod tests {
let n = consume_modulus::<N>(test_case, "M");
let a = consume_elem(test_case, "A", &n);
let mut actual_result = try!(Elem::<N, R>::zero());
let mut actual_result = Elem::<N, R>::zero()?;
match elem_set_to_inverse_blinded(&mut actual_result, &a, &n, &rng) {
Err(InversionError::NoInverse) => (),
Err(InversionError::Unspecified) => unreachable!("Unspecified"),

28
src/rsa/blinding.rs
View File

@ -37,7 +37,7 @@ impl Blinding {
error::Unspecified> {
let old_contents = core::mem::replace(&mut self.0, None);
let new_contents = try!(match old_contents {
let new_contents = match old_contents {
Some(Contents {
blinding_factor,
blinding_factor_inv,
@ -45,9 +45,9 @@ impl Blinding {
}) => {
if remaining > 0 {
let blinding_factor =
try!(bigint::elem_squared(blinding_factor, n));
bigint::elem_squared(blinding_factor, n)?;
let blinding_factor_inv =
try!(bigint::elem_squared(blinding_factor_inv, n));
bigint::elem_squared(blinding_factor_inv, n)?;
Ok(Contents {
blinding_factor: blinding_factor,
blinding_factor_inv: blinding_factor_inv,
@ -59,18 +59,17 @@ impl Blinding {
},
None => {
let elem1 = try!(bigint::Elem::zero());
let elem2 = try!(bigint::Elem::zero());
let elem1 = bigint::Elem::zero()?;
let elem2 = bigint::Elem::zero()?;
reset(elem1, elem2, e, oneRR, n, rng)
},
});
}?;
let blinded_input =
try!(bigint::elem_mul(&new_contents.blinding_factor, x, n));
let blinded_result = try!(f(blinded_input));
let result =
try!(bigint::elem_mul(&new_contents.blinding_factor_inv,
blinded_result, n));
bigint::elem_mul(&new_contents.blinding_factor, x, n)?;
let blinded_result = f(blinded_input)?;
let result = bigint::elem_mul(&new_contents.blinding_factor_inv,
blinded_result, n)?;
let _ = core::mem::replace(&mut self.0, Some(new_contents));
@ -94,13 +93,12 @@ fn reset(elem1: bigint::Elem<N, R>, elem2: bigint::Elem<N, R>,
let mut random_inv = bigint::Elem::take_storage(elem2);
for _ in 0..32 {
try!(bigint::elem_randomize(&mut random, n, rng));
bigint::elem_randomize(&mut random, n, rng)?;
match bigint::elem_set_to_inverse_blinded(&mut random_inv, &random, n,
rng) {
Ok(()) => {
let random =
try!(bigint::elem_mul(oneRR.as_ref(), random, n));
let random = try!(bigint::elem_exp_vartime(random, e, n));
let random = bigint::elem_mul(oneRR.as_ref(), random, n)?;
let random = bigint::elem_exp_vartime(random, e, n)?;
return Ok(Contents {
blinding_factor: random,
blinding_factor_inv: random_inv,

36
src/rsa/padding.rs
View File

@ -198,7 +198,7 @@ impl RSAEncoding for PSS {
fn encode(&self, m_hash: &digest::Digest, m_out: &mut [u8],
mod_bits: bits::BitLength, rng: &rand::SecureRandom)
-> Result<(), error::Unspecified> {
let metrics = try!(PSSMetrics::new(self.digest_alg, mod_bits));
let metrics = PSSMetrics::new(self.digest_alg, mod_bits)?;
// The `m_out` this function fills is the big-endian-encoded value of `m`
// from the specification, padded to `k` bytes, where `k` is the length
@ -221,7 +221,7 @@ impl RSAEncoding for PSS {
// Step 4.
let mut salt = [0u8; MAX_SALT_LEN];
let salt = &mut salt[..metrics.s_len];
try!(rng.fill(salt));
rng.fill(salt)?;
// Step 5 and 6.
let h_hash = pss_digest(self.digest_alg, m_hash, salt);
@ -232,7 +232,7 @@ impl RSAEncoding for PSS {
// Step 9. First output the mask into the out buffer.
let (mut masked_db, mut digest_terminator) =
em.split_at_mut(metrics.db_len);
try!(mgf1(self.digest_alg, h_hash.as_ref(), &mut masked_db));
mgf1(self.digest_alg, h_hash.as_ref(), &mut masked_db)?;
{
// Steps 7.
@ -242,7 +242,7 @@ impl RSAEncoding for PSS {
let mut masked_db = masked_db.skip(metrics.ps_len);
// Step 8.
*try!(masked_db.next().ok_or(error::Unspecified)) ^= 0x01;
*(masked_db.next().ok_or(error::Unspecified)?) ^= 0x01;
// Step 10.
for (masked_db_b, salt_b) in masked_db.zip(salt) {
@ -266,7 +266,7 @@ impl RSAVerification for PSS {
// where steps 1, 2(a), and 2(b) have been done for us.
fn verify(&self, m_hash: &digest::Digest, m: &mut untrusted::Reader,
mod_bits: bits::BitLength) -> Result<(), error::Unspecified> {
let metrics = try!(PSSMetrics::new(self.digest_alg, mod_bits));
let metrics = PSSMetrics::new(self.digest_alg, mod_bits)?;
// RSASSA-PSS-VERIFY Step 2(c). The `m` this function is given is the
// big-endian-encoded value of `m` from the specification, padded to
@ -278,7 +278,7 @@ impl RSAVerification for PSS {
// strip before we start the PSS decoding steps which is an artifact of
// the `Verification` interface.
if metrics.top_byte_mask == 0xff {
if try!(m.read_byte()) != 0 {
if m.read_byte()? != 0 {
return Err(error::Unspecified);
}
};
@ -292,11 +292,11 @@ impl RSAVerification for PSS {
// Step 3 is done by `PSSMetrics::new()` above.
// Step 5, out of order.
let masked_db = try!(em.skip_and_get_input(metrics.db_len));
let h_hash = try!(em.skip_and_get_input(metrics.h_len));
let masked_db = em.skip_and_get_input(metrics.db_len)?;
let h_hash = em.skip_and_get_input(metrics.h_len)?;
// Step 4.
if try!(em.read_byte()) != 0xbc {
if em.read_byte()? != 0xbc {
return Err(error::Unspecified);
}
@ -304,11 +304,11 @@ impl RSAVerification for PSS {
let mut db = [0u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN];
let db = &mut db[..metrics.db_len];
try!(mgf1(self.digest_alg, h_hash.as_slice_less_safe(), db));
mgf1(self.digest_alg, h_hash.as_slice_less_safe(), db)?;
try!(masked_db.read_all(error::Unspecified, |masked_bytes| {
masked_db.read_all(error::Unspecified, |masked_bytes| {
// Step 6. Check the top bits of first byte are zero.
let b = try!(masked_bytes.read_byte());
let b = masked_bytes.read_byte()?;
if b & !metrics.top_byte_mask != 0 {
return Err(error::Unspecified);
}
@ -316,10 +316,10 @@ impl RSAVerification for PSS {
// Step 8.
for i in 1..db.len() {
db[i] ^= try!(masked_bytes.read_byte());
db[i] ^= masked_bytes.read_byte()?;
}
Ok(())
}));
})?;
// Step 9.
db[0] &= metrics.top_byte_mask;
@ -362,7 +362,7 @@ struct PSSMetrics {
impl PSSMetrics {
fn new(digest_alg: &'static digest::Algorithm, mod_bits: bits::BitLength)
-> Result<PSSMetrics, error::Unspecified> {
let em_bits = try!(mod_bits.try_sub(bits::ONE));
let em_bits = mod_bits.try_sub(bits::ONE)?;
let em_len = em_bits.as_usize_bytes_rounded_up();
let leading_zero_bits = (8 * em_len) - em_bits.as_usize_bits();
debug_assert!(leading_zero_bits < 8);
@ -380,10 +380,8 @@ impl PSSMetrics {
// two conditions are equivalent. 9 bits are required as the 0x01
// before the salt requires 1 bit and the 0xbc after the digest
// requires 8 bits.
let db_len = try!(em_len.checked_sub(1 + s_len)
.ok_or(error::Unspecified));
let ps_len = try!(db_len.checked_sub(h_len + 1)
.ok_or(error::Unspecified));
let db_len = em_len.checked_sub(1 + s_len).ok_or(error::Unspecified)?;
let ps_len = db_len.checked_sub(h_len + 1).ok_or(error::Unspecified)?;
debug_assert!(em_bits.as_usize_bits() >= (8 * h_len) + (8 * s_len) + 9);

4
src/rsa/random.rs
View File

@ -44,7 +44,7 @@ pub fn set_to_rand_mod(out: &mut [Limb], max_exclusive: &[Limb],
max_exclusive: &tmp_max[..(max_exclusive.len() + extra_limb)],
sampling_params: &sampling_params,
};
try!(range.sample_into_limbs(&mut tmp_out[..out.len() + extra_limb], rng));
range.sample_into_limbs(&mut tmp_out[..out.len() + extra_limb], rng)?;
let dest_len = out.len();
out.copy_from_slice(&tmp_out[..dest_len]);
@ -100,7 +100,7 @@ impl <'a> Range<'a> {
for _ in 0..100 {
{
let mut dest_as_bytes = limbs_as_bytes_mut(out);
try!(rng.fill(&mut dest_as_bytes));
rng.fill(&mut dest_as_bytes)?;
}
// Mask off unwanted bits.

13
src/rsa/rsa.rs
View File

@ -80,8 +80,8 @@ fn parse_public_key(input: untrusted::Input)
error::Unspecified> {
input.read_all(error::Unspecified, |input| {
der::nested(input, der::Tag::Sequence, error::Unspecified, |input| {
let n = try!(der::positive_integer(input));
let e = try!(der::positive_integer(input));
let n = der::positive_integer(input)?;
let e = der::positive_integer(input)?;
Ok((n, e))
})
})
@ -102,8 +102,8 @@ fn check_public_modulus_and_exponent(
// keys.
// Step 3 / Step c (out of order).
let n = try!(n.into_odd_positive());
let e = try!(e.into_odd_positive());
let n = n.into_odd_positive()?;
let e = e.into_odd_positive()?;
// `pkcs1_encode` depends on this not being small. Otherwise,
// `pkcs1_encode` would generate padding that is invalid (too few 0xFF
@ -116,8 +116,7 @@ fn check_public_modulus_and_exponent(
assert!(n_min_bits >= N_MIN_BITS);
let n_bits = n.bit_length();
let n_bits_rounded_up =
try!(bits::BitLength::from_usize_bytes(
n_bits.as_usize_bytes_rounded_up()));
bits::BitLength::from_usize_bytes(n_bits.as_usize_bytes_rounded_up())?;
if n_bits_rounded_up < n_min_bits {
return Err(error::Unspecified);
}
@ -136,7 +135,7 @@ fn check_public_modulus_and_exponent(
}
// Only small public exponents are supported.
let e = try!(e.into_public_exponent());
let e = e.into_public_exponent()?;
// If `n` is less than `e` then somebody has probably accidentally swapped
// them. The largest acceptable `e` is smaller than the smallest acceptable

146
src/rsa/signing.rs
View File

@ -142,8 +142,8 @@ impl RSAKeyPair {
-> Result<RSAKeyPair, error::Unspecified> {
const RSA_ENCRYPTION: &'static [u8] =
include_bytes!("../data/alg-rsa-encryption.der");
let (der, _) = try!(pkcs8::unwrap_key_(&RSA_ENCRYPTION,
pkcs8::Version::V1Only, input));
let (der, _) = pkcs8::unwrap_key_(&RSA_ENCRYPTION,
pkcs8::Version::V1Only, input)?;
Self::from_der(der)
}
@ -166,18 +166,18 @@ impl RSAKeyPair {
-> Result<RSAKeyPair, error::Unspecified> {
input.read_all(error::Unspecified, |input| {
der::nested(input, der::Tag::Sequence, error::Unspecified, |input| {
let version = try!(der::small_nonnegative_integer(input));
let version = der::small_nonnegative_integer(input)?;
if version != 0 {
return Err(error::Unspecified);
}
let n = try!(bigint::Positive::from_der(input));
let e = try!(bigint::Positive::from_der(input));
let d = try!(bigint::Positive::from_der(input));
let p = try!(bigint::Positive::from_der(input));
let q = try!(bigint::Positive::from_der(input));
let dP = try!(bigint::Positive::from_der(input));
let dQ = try!(bigint::Positive::from_der(input));
let qInv = try!(bigint::Positive::from_der(input));
let n = bigint::Positive::from_der(input)?;
let e = bigint::Positive::from_der(input)?;
let d = bigint::Positive::from_der(input)?;
let p = bigint::Positive::from_der(input)?;
let q = bigint::Positive::from_der(input)?;
let dP = bigint::Positive::from_der(input)?;
let dQ = bigint::Positive::from_der(input)?;
let qInv = bigint::Positive::from_der(input)?;
let n_bits = n.bit_length();
@ -202,10 +202,10 @@ impl RSAKeyPair {
// Step 1.c. We validate e >= 2**16 = 65536, which, since e is odd,
// implies e >= 65537.
let (n, e) = try!(super::check_public_modulus_and_exponent(
let (n, e) = super::check_public_modulus_and_exponent(
n, e, bits::BitLength::from_usize_bits(2048),
super::PRIVATE_KEY_PUBLIC_MODULUS_MAX_BITS,
bits::BitLength::from_usize_bits(17)));
bits::BitLength::from_usize_bits(17))?;
// 6.4.1.4.3 says to skip 6.4.1.2.1 Step 2.
@ -230,7 +230,7 @@ impl RSAKeyPair {
if p.bit_length() != half_n_bits {
return Err(error::Unspecified);
}
let p = try!(p.into_odd_positive());
let p = p.into_odd_positive()?;
// TODO: Step 5.d: Verify GCD(p - 1, e) == 1.
@ -244,17 +244,14 @@ impl RSAKeyPair {
if p.bit_length() != q.bit_length() {
return Err(error::Unspecified);
}
let q = try!(q.into_odd_positive());
let q = q.into_odd_positive()?;
// TODO: Step 5.h: Verify GCD(p - 1, e) == 1.
let n = try!(n.into_modulus::<N>());
let oneRR_mod_n = try!(bigint::One::newRR(&n));
let n = n.into_modulus::<N>()?;
let oneRR_mod_n = bigint::One::newRR(&n)?;
let q_mod_n_decoded = {
let q = try!(q.try_clone());
try!(q.into_elem(&n))
};
let q_mod_n_decoded = q.try_clone()?.into_elem(&n)?;
// Step 5.i
//
@ -269,11 +266,11 @@ impl RSAKeyPair {
// this simplification.
//
// 3.b is unneeded since `n_bits` is derived here from `n`.
try!(q.verify_less_than(&p));
q.verify_less_than(&p)?;
{
let p_mod_n = {
let p = try!(p.try_clone());
try!(p.into_elem(&n))
let p = p.try_clone()?;
p.into_elem(&n)?
};
let p_minus_q_bits = {
// Modular subtraction isn't necessary since we already
@ -282,12 +279,11 @@ impl RSAKeyPair {
// Modular subtraction without having already verified
// q < p would be wrong.
let p_minus_q =
try!(bigint::elem_sub(p_mod_n, &q_mod_n_decoded,
&n));
bigint::elem_sub(p_mod_n, &q_mod_n_decoded, &n)?;
p_minus_q.bit_length()
};
let min_pq_bitlen_diff = try!(half_n_bits.try_sub(
bits::BitLength::from_usize_bits(100)));
let min_pq_bitlen_diff = half_n_bits.try_sub(
bits::BitLength::from_usize_bits(100))?;
if p_minus_q_bits <= min_pq_bitlen_diff {
return Err(error::Unspecified);
}
@ -302,15 +298,11 @@ impl RSAKeyPair {
// let us assume that checking p * q == 0 (mod n) is equivalent
// to checking p * q == n.
let q_mod_n = {
let clone = try!(q_mod_n_decoded.try_clone());
try!(bigint::elem_mul(oneRR_mod_n.as_ref(), clone, &n))
let clone = q_mod_n_decoded.try_clone()?;
bigint::elem_mul(oneRR_mod_n.as_ref(), clone, &n)?
};
let p_mod_n = {
let p = try!(p.try_clone());
try!(p.into_elem(&n))
};
let pq_mod_n =
try!(bigint::elem_mul(&q_mod_n, p_mod_n, &n));
let p_mod_n = p.try_clone()?.into_elem(&n)?;
let pq_mod_n = bigint::elem_mul(&q_mod_n, p_mod_n, &n)?;
if !pq_mod_n.is_zero() {
return Err(error::Unspecified);
}
@ -329,8 +321,8 @@ impl RSAKeyPair {
// XXX: This check should be `d < LCM(p - 1, q - 1)`, but we
// don't have a good way of calculating LCM, so it is omitted,
// as explained above.
let d = try!(d.into_odd_positive());
try!(d.verify_less_than(&n.value()));
let d = d.into_odd_positive()?;
d.verify_less_than(&n.value())?;
// Step 6.b is omitted as explained above.
@ -344,12 +336,12 @@ impl RSAKeyPair {
// and an odd number modulo an even number is odd.
// Therefore `dP` must be odd. But then it cannot be `p - 1`
// and so we know `dP < p - 1`.
let p = try!(PrivatePrime::new(p, dP));
let p = PrivatePrime::new(p, dP)?;
// Step 7.b is done out-of-order below.
// Step 7.c.
let qInv = try!(qInv.into_elem(&p.modulus));
let qInv = qInv.into_elem(&p.modulus)?;
// Steps 7.d and 7.e are omitted per the documentation above,
// and because we don't (in the long term) have a good way to
@ -357,23 +349,19 @@ impl RSAKeyPair {
// Step 7.f.
let qInv =
try!(bigint::elem_mul(p.oneRR.as_ref(), qInv, &p.modulus));
let q_mod_p = {
let q = try!(q.try_clone());
try!(q.into_elem(&p.modulus))
};
bigint::elem_mul(p.oneRR.as_ref(), qInv, &p.modulus)?;
let q_mod_p = q.try_clone()?.into_elem(&p.modulus)?;
let qInv_times_q_mod_p =
try!(bigint::elem_mul(&qInv, q_mod_p, &p.modulus));
bigint::elem_mul(&qInv, q_mod_p, &p.modulus)?;
if !qInv_times_q_mod_p.is_one() {
return Err(error::Unspecified);
}
// Step 7.b (out of order). Same proof as for `dP < p - 1`.
let q = try!(PrivatePrime::new(q, dQ));
let q = PrivatePrime::new(q, dQ)?;
let qq =
try!(bigint::elem_mul(&q_mod_n, q_mod_n_decoded, &n));
let qq = try!(qq.into_modulus::<QQ>());
let qq = bigint::elem_mul(&q_mod_n, q_mod_n_decoded, &n)?
.into_modulus::<QQ>()?;
Ok(RSAKeyPair {
n,
@ -421,8 +409,8 @@ impl<M: Prime> PrivatePrime<M> {
// `p - 1` and so we know `dP < p - 1`.
//
// The proof that `dQ < q - 1` is the same.
let dP = try!(dP.into_odd_positive());
try!(dP.verify_less_than(&p));
let dP = dP.into_odd_positive()?;
dP.verify_less_than(&p)?;
// XXX: Steps 7.d and 7.e are omitted. We don't check that
// `dP == d % (p - 1)` because we don't (in the long term) have a good
@ -433,11 +421,11 @@ impl<M: Prime> PrivatePrime<M> {
// and `e`. TODO: Either prove that what we do is sufficient, or make
// it so.
let p = try!(p.into_modulus());
let oneRR = try!(bigint::One::newRR(&p));
let oneRR_clone = try!(oneRR.try_clone());
let oneR = try!(bigint::One::newR(&oneRR, &p));
let oneRRR = try!(bigint::One::newRRR(oneRR_clone, &p));
let p = p.into_modulus()?;
let oneRR = bigint::One::newRR(&p)?;
let oneRR_clone = oneRR.try_clone()?;
let oneR = bigint::One::newR(&oneRR, &p)?;
let oneRRR = bigint::One::newRRR(oneRR_clone, &p)?;
Ok(PrivatePrime {
modulus: p,
@ -453,8 +441,8 @@ fn elem_exp_consttime<M, MM>(c: &bigint::Elem<MM>, p: &PrivatePrime<M>)
-> Result<bigint::Elem<M>, error::Unspecified>
where M: bigint::NotMuchSmallerModulus<MM>,
M: Prime {
let c_mod_m = try!(bigint::elem_reduced(c, &p.modulus));
let c_mod_m = try!(bigint::elem_mul(p.oneRRR.as_ref(), c_mod_m, &p.modulus));
let c_mod_m = bigint::elem_reduced(c, &p.modulus)?;
let c_mod_m = bigint::elem_mul(p.oneRRR.as_ref(), c_mod_m, &p.modulus)?;
bigint::elem_exp_consttime(c_mod_m, &p.exponent, &p.oneR, &p.modulus)
}
@ -570,7 +558,7 @@ impl RSASigningState {
} = self;
let m_hash = digest::digest(padding_alg.digest_alg(), msg);
try!(padding_alg.encode(&m_hash, signature, mod_bits, rng));
padding_alg.encode(&m_hash, signature, mod_bits, rng)?;
// RFC 8017 Section 5.1.2: RSADP, using the Chinese Remainder Theorem
// with Garner's algorithm.
@ -579,34 +567,34 @@ impl RSASigningState {
//
// TODO: Avoid having `encode()` pad its output, and then remove
// `Positive::from_be_bytes_padded()`.
let base = try!(bigint::Positive::from_be_bytes_padded(
untrusted::Input::from(signature)));
let base = try!(base.into_elem(&key.n));
let base = bigint::Positive::from_be_bytes_padded(
untrusted::Input::from(signature))?;
let base = base.into_elem(&key.n)?;
// Step 2.
let result = try!(blinding.blind(base, key.e, &key.oneRR_mod_n, &key.n,
rng, |c| {
let result = blinding.blind(base, key.e, &key.oneRR_mod_n, &key.n, rng,
|c| {
// Step 2.b.i.
let m_1 = try!(elem_exp_consttime(&c, &key.p));
let c_mod_qq = try!(bigint::elem_reduced_once(&c, &key.qq));
let m_2 = try!(elem_exp_consttime(&c_mod_qq, &key.q));
let m_1 = elem_exp_consttime(&c, &key.p)?;
let c_mod_qq = bigint::elem_reduced_once(&c, &key.qq)?;
let m_2 = elem_exp_consttime(&c_mod_qq, &key.q)?;
// Step 2.b.ii isn't needed since there are only two primes.
// Step 2.b.iii.
let p = &key.p.modulus;
let m_2 = bigint::elem_widen(m_2);
let m_1_minus_m_2 = try!(bigint::elem_sub(m_1, &m_2, p));
let h = try!(bigint::elem_mul(&key.qInv, m_1_minus_m_2, p));
let m_1_minus_m_2 = bigint::elem_sub(m_1, &m_2, p)?;
let h = bigint::elem_mul(&key.qInv, m_1_minus_m_2, p)?;
// Step 2.b.iv. The reduction in the modular multiplication isn't
// necessary because `h < p` and `p * q == n` implies `h * q < n`.
// Modular arithmetic is used simply to avoid implementing
// non-modular arithmetic.
let h = bigint::elem_widen(h);
let q_times_h = try!(bigint::elem_mul(&key.q_mod_n, h, &key.n));
let q_times_h = bigint::elem_mul(&key.q_mod_n, h, &key.n)?;
let m_2 = bigint::elem_widen(m_2);
let m = try!(bigint::elem_add(m_2, q_times_h, &key.n));
let m = bigint::elem_add(m_2, q_times_h, &key.n)?;
// Step 2.b.v isn't needed since there are only two primes.
@ -619,18 +607,16 @@ impl RSASigningState {
// size, oddness, and minimum value, since the relationship of `e`
// to `d`, `p`, and `q` is not verified during `RSAKeyPair`
// construction.
let computed = try!(m.try_clone());
let computed = m.try_clone()?;
let computed =
try!(bigint::elem_mul(&key.oneRR_mod_n.as_ref(), computed,
&key.n));
let verify =
try!(bigint::elem_exp_vartime(computed, key.e, &key.n));
let verify = try!(verify.into_unencoded(&key.n));
try!(bigint::elem_verify_equal_consttime(&verify, &c));
bigint::elem_mul(&key.oneRR_mod_n.as_ref(), computed, &key.n)?;
let verify = bigint::elem_exp_vartime(computed, key.e, &key.n)?;
let verify = verify.into_unencoded(&key.n)?;
bigint::elem_verify_equal_consttime(&verify, &c)?;
// Step 3.
Ok(m)
}));
})?;
result.fill_be_bytes(signature);

28
src/rsa/verification.rs
View File

@ -25,7 +25,7 @@ impl signature::VerificationAlgorithm for RSAParameters {
fn verify(&self, public_key: untrusted::Input, msg: untrusted::Input,
signature: untrusted::Input)
-> Result<(), error::Unspecified> {
let public_key = try!(parse_public_key(public_key));
let public_key = parse_public_key(public_key)?;
verify_rsa(self, public_key, msg, signature)
}
}
@ -130,10 +130,10 @@ pub fn verify_rsa(params: &RSAParameters,
-> Result<(), error::Unspecified> {
// Partially validate the public key. See
// `check_public_modulus_and_exponent()` for more details.
let n = try!(bigint::Positive::from_be_bytes(n));
let e = try!(bigint::Positive::from_be_bytes(e));
let max_bits = try!(bits::BitLength::from_usize_bytes(
PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN));
let n = bigint::Positive::from_be_bytes(n)?;
let e = bigint::Positive::from_be_bytes(e)?;
let max_bits = bits::BitLength::from_usize_bytes(
PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN)?;
// XXX: FIPS 186-4 seems to indicate that the minimum
// exponent value is 2**16 + 1, but it isn't clear if this is just for
@ -142,10 +142,10 @@ pub fn verify_rsa(params: &RSAParameters,
let e_min_bits = bits::BitLength::from_usize_bits(2);
let (n, e) =
try!(super::check_public_modulus_and_exponent(n, e, params.min_bits,
max_bits, e_min_bits));
super::check_public_modulus_and_exponent(n, e, params.min_bits, max_bits,
e_min_bits)?;
let n_bits = n.bit_length();
let n = try!(n.into_modulus::<N>());
let n = n.into_modulus::<N>()?;
// The signature must be the same length as the modulus, in bytes.
if signature.len() != n_bits.as_usize_bytes_rounded_up() {
@ -155,17 +155,17 @@ pub fn verify_rsa(params: &RSAParameters,
// RFC 8017 Section 5.2.2: RSAVP1.
// Step 1.
let s = try!(bigint::Positive::from_be_bytes_padded(signature));
let s = try!(s.into_elem::<N>(&n));
let s = bigint::Positive::from_be_bytes_padded(signature)?;
let s = s.into_elem::<N>(&n)?;
// Step 2.
let s = {
// Montgomery encode `s`.
let oneRR = try!(bigint::One::newRR(&n));
try!(bigint::elem_mul(oneRR.as_ref(), s, &n))
let oneRR = bigint::One::newRR(&n)?;
bigint::elem_mul(oneRR.as_ref(), s, &n)?
};
let m = try!(bigint::elem_exp_vartime(s, e, &n));
let m = try!(m.into_unencoded(&n));
let m = bigint::elem_exp_vartime(s, e, &n)?;
let m = m.into_unencoded(&n)?;
// Step 3.
let mut decoded = [0u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN];

12
tests/rsa_tests.rs
View File

@ -93,7 +93,7 @@ fn test_signature_rsa_pss_sign() {
fn fill(&self, dest: &mut [u8]) -> Result<(), error::Unspecified> {
let dest_len = dest.len();
if dest_len != self.salt.len() {
try!(self.rng.fill(dest));
self.rng.fill(dest)?;
} else {
dest.copy_from_slice(&self.salt);
}
@ -132,7 +132,7 @@ fn test_signature_rsa_pss_sign() {
signature::RSASigningState::new(key_pair).unwrap();
let mut actual: std::vec::Vec<u8> =
vec![0; signing_state.key_pair().public_modulus_len()];
try!(signing_state.sign(alg, &new_rng, &msg, actual.as_mut_slice()));
signing_state.sign(alg, &new_rng, &msg, actual.as_mut_slice())?;
assert_eq!(actual.as_slice() == &expected[..], result == "Pass");
Ok(())
});
@ -179,8 +179,8 @@ fn test_signature_rsa_pkcs1_verify() {
// for improperly-encoded signatures, we'll have to revisit this.
assert!(public_key.read_all(error::Unspecified, |input| {
der::nested(input, der::Tag::Sequence, error::Unspecified, |input| {
let _ = try!(der::positive_integer(input));
let _ = try!(der::positive_integer(input));
let _ = der::positive_integer(input)?;
let _ = der::positive_integer(input)?;
Ok(())
})
}).is_ok());
@ -221,8 +221,8 @@ fn test_signature_rsa_pss_verify() {
// for improperly-encoded signatures, we'll have to revisit this.
assert!(public_key.read_all(error::Unspecified, |input| {
der::nested(input, der::Tag::Sequence, error::Unspecified, |input| {
let _ = try!(der::positive_integer(input));
let _ = try!(der::positive_integer(input));
let _ = der::positive_integer(input)?;
let _ = der::positive_integer(input)?;
Ok(())
})
}).is_ok());