diff --git a/src/rsa/bigint.rs b/src/rsa/bigint.rs index 5a64fbb60..cd83445f9 100644 --- a/src/rsa/bigint.rs +++ b/src/rsa/bigint.rs @@ -71,7 +71,7 @@ impl Positive { #[cfg(feature = "rsa_signing")] pub fn from_der(input: &mut untrusted::Reader) -> Result { - Self::from_be_bytes(try!(der::positive_integer(input))) + Self::from_be_bytes(der::positive_integer(input)?) } // Turns a sequence of big-endian bytes into a Positive Integer. @@ -87,7 +87,7 @@ impl Positive { pub fn from_be_bytes_padded(input: untrusted::Input) -> Result { - let r = try!(Nonnegative::from_be_bytes_padded(input)); + let r = Nonnegative::from_be_bytes_padded(input)?; if r.is_zero() { return Err(error::Unspecified); } @@ -120,7 +120,7 @@ impl OddPositive { #[cfg(feature = "rsa_signing")] pub fn try_clone(&self) -> Result { - let value = try!((self.0).0.try_clone()); + let value = (self.0).0.try_clone()?; Ok(OddPositive(Positive(value))) } @@ -297,7 +297,7 @@ impl Elem { // 0 * R**2 (mod m) == 0, so the modulus isn't even needed to construct a // zero-valued element. pub fn zero() -> Result { - let value = try!(Nonnegative::zero()); + let value = Nonnegative::zero()?; Ok(Elem { value: value, m: PhantomData, @@ -318,7 +318,7 @@ impl Elem { } pub fn try_clone(&self) -> Result { - let value = try!(self.value.try_clone()); + let value = self.value.try_clone()?; Ok(Elem { value: value, m: PhantomData, @@ -338,7 +338,7 @@ impl Elem { impl Elem { #[cfg(feature = "rsa_signing")] pub fn one() -> Result { - let value = try!(Nonnegative::one()); + let value = Nonnegative::one()?; Ok(Elem { value: value, m: PhantomData, @@ -361,7 +361,7 @@ impl Elem { #[cfg(feature = "rsa_signing")] pub fn into_modulus(self) -> Result, error::Unspecified> { - let value = try!(self.value.into_odd_positive()); + let value = self.value.into_odd_positive()?; value.into_modulus() } } @@ -371,10 +371,10 @@ pub fn elem_mul(a: &Elem, b: Elem, m: &Modulus) error::Unspecified> where (AF, BF): ProductEncoding { let mut r = b.value; - try!(bssl::map_result(unsafe { + bssl::map_result(unsafe { GFp_BN_mod_mul_mont(&mut r.0, a.value.as_ref(), &r.0, &m.value.as_ref(), &m.n0) - })); + })?; Ok(Elem { value: r, m: PhantomData, @@ -399,13 +399,13 @@ pub fn elem_set_to_product( pub fn elem_reduced_once>( a: &Elem, m: &Modulus) -> Result, error::Unspecified> { - let mut r = try!(a.value.try_clone()); + let mut r = a.value.try_clone()?; let m_limbs = (m.value.0).0.limbs(); assert!(r.limbs().len() <= m_limbs.len()); - try!(r.0.make_limbs(m_limbs.len(), |r_limbs| { + r.0.make_limbs(m_limbs.len(), |r_limbs| { limb::limbs_reduce_once_constant_time(r_limbs, m_limbs); Ok(()) - })); + })?; debug_assert!(greater_than(&(m.value.0).0, &r)); Ok(Elem { value: r, @@ -419,7 +419,7 @@ pub fn elem_reduced_once>( pub fn elem_reduced>( a: &Elem, m: &Modulus) -> Result, error::Unspecified> { - let tmp = try!(a.try_clone()); + let tmp = a.try_clone()?; elem_reduced_(tmp, m) } @@ -427,11 +427,11 @@ fn elem_reduced_( mut a: Elem, m: &Modulus) -> Result::Output>, error::Unspecified> { - let mut r = try!(Elem::zero()); - try!(bssl::map_result(unsafe { + let mut r = Elem::zero()?; + bssl::map_result(unsafe { GFp_BN_from_montgomery_word(r.value.as_mut_ref(), a.value.as_mut_ref(), &m.value.as_ref(), &m.n0) - })); + })?; Ok(r) } @@ -440,10 +440,10 @@ pub fn elem_squared(a: Elem, m: &Modulus) error::Unspecified> where (E, E): ProductEncoding { let mut value = a.value; - try!(bssl::map_result(unsafe { + bssl::map_result(unsafe { GFp_BN_mod_mul_mont(value.as_mut_ref(), value.as_ref(), value.as_ref(), &m.value.as_ref(), &m.n0) - })); + })?; Ok(Elem { value: value, m: PhantomData, @@ -467,7 +467,7 @@ pub fn elem_widen>( pub fn elem_add(mut a: Elem, mut b: Elem, m: &Modulus) -> Result, error::Unspecified> { let m = (m.value.0).0.limbs(); - try!(a.value.0.make_limbs(m.len(), |a_limbs| { + a.value.0.make_limbs(m.len(), |a_limbs| { b.value.0.make_limbs(m.len(), |b_limbs| { unsafe { LIMBS_add_mod(a_limbs.as_mut_ptr(), a_limbs.as_ptr(), @@ -475,7 +475,7 @@ pub fn elem_add(mut a: Elem, mut b: Elem, m: &Modulus) } Ok(()) }) - })); + })?; Ok(a) } @@ -484,7 +484,7 @@ pub fn elem_add(mut a: Elem, mut b: Elem, m: &Modulus) pub fn elem_sub(mut a: Elem, b: &Elem, m: &Modulus) -> Result, error::Unspecified> { let m_limbs = (m.value.0).0.limbs(); - try!(a.value.0.make_limbs(m_limbs.len(), |a_limbs| { + a.value.0.make_limbs(m_limbs.len(), |a_limbs| { let b_limbs = b.value.limbs(); unsafe { // XXX Not constant-time, even though it looks like it might be. @@ -492,7 +492,7 @@ pub fn elem_sub(mut a: Elem, b: &Elem, m: &Modulus) m_limbs.as_ptr(), m_limbs.len(), b_limbs.len()) } Ok(()) - })); + })?; Ok(a) } @@ -504,15 +504,15 @@ pub struct One(Elem); impl One { pub fn newR(oneRR: &One, m: &Modulus) -> Result, error::Unspecified> { - let value: Elem = try!(Elem::one()); - let value: Elem = try!(elem_mul(oneRR.as_ref(), value, &m)); + let value: Elem = Elem::one()?; + let value: Elem = elem_mul(oneRR.as_ref(), value, &m)?; Ok(One(value)) } } impl One { pub fn newRR(m: &Modulus) -> Result, error::Unspecified> { - let RR = try!(calculate_RR(&(m.value.0).0)); + let RR = calculate_RR(&(m.value.0).0)?; Ok(One(Elem { value: RR, m: PhantomData, @@ -535,11 +535,11 @@ fn calculate_RR(m: &Nonnegative) -> Result { let lg_RR = ((m_bits + (LIMB_BITS - 1)) / LIMB_BITS * LIMB_BITS) * 2; - let mut r = try!(Nonnegative::zero()); + let mut r = Nonnegative::zero()?; let num_limbs = m.limbs().len(); - try!(r.as_mut_ref().make_limbs(num_limbs, |limbs| { + r.as_mut_ref().make_limbs(num_limbs, |limbs| { // Zero all the limbs. for limb in limbs.iter_mut() { *limb = 0; @@ -559,7 +559,7 @@ fn calculate_RR(m: &Nonnegative) -> Result { } Ok(()) - })); + })?; Ok(r) } @@ -568,7 +568,7 @@ fn calculate_RR(m: &Nonnegative) -> Result { impl One { pub fn newRRR(oneRR: One, m: &Modulus) -> Result, error::Unspecified> { - let oneRRR = try!(elem_squared(oneRR.0, &m)); + let oneRRR = elem_squared(oneRR.0, &m)?; Ok(One(oneRRR)) } } @@ -580,7 +580,7 @@ impl AsRef> for One { #[cfg(feature = "rsa_signing")] impl One { pub fn try_clone(&self) -> Result { - let value = try!(self.0.try_clone()); + let value = self.0.try_clone()?; Ok(One(value)) } } @@ -631,14 +631,14 @@ pub fn elem_exp_vartime( // Algorithms (3rd Edition), Section 4.6.3. debug_assert_eq!(exponent & 1, 1); assert!(exponent < (1 << PUBLIC_EXPONENT_MAX_BITS.as_usize_bits())); - let mut acc = try!(base.try_clone()); + let mut acc = base.try_clone()?; let mut bit = 1 << (64 - 1 - exponent.leading_zeros()); debug_assert!((exponent & bit) != 0); while bit > 1 { bit >>= 1; - acc = try!(elem_squared(acc, m)); + acc = elem_squared(acc, m)?; if (exponent & bit) != 0 { - acc = try!(elem_mul(&base, acc, m)); + acc = elem_mul(&base, acc, m)?; } } Ok(acc) @@ -649,12 +649,12 @@ pub fn elem_exp_consttime( base: Elem, exponent: &OddPositive, oneR: &One, m: &Modulus) -> Result, error::Unspecified> { let mut r = base.value; - try!(bssl::map_result(unsafe { + bssl::map_result(unsafe { GFp_BN_mod_exp_mont_consttime(&mut r.0, &r.0, exponent.as_ref(), exponent.0.bit_length().as_usize_bits(), oneR.0.value.as_ref(), &m.value.as_ref(), &m.n0) - })); + })?; let r = Elem { value: r, m: PhantomData, @@ -671,7 +671,7 @@ pub fn elem_exp_consttime( // practical. #[cfg(not(target_arch = "x86_64"))] - let r = try!(r.into_unencoded(m)); + let r = r.into_unencoded(m)?; Ok(r) } @@ -692,12 +692,12 @@ pub fn elem_set_to_inverse_blinded( r: &mut Elem, a: &Elem, n: &Modulus, rng: &rand::SecureRandom) -> Result<(), InversionError> { - let mut blinding_factor = try!(Elem::::zero()); - try!(elem_randomize(&mut blinding_factor, n, rng)); - let to_blind = try!(a.try_clone()); - let blinded = try!(elem_mul(&blinding_factor, to_blind, n)); - let blinded_inverse = try!(elem_inverse(blinded, n)); - try!(elem_set_to_product(r, &blinding_factor, &blinded_inverse, n)); + let mut blinding_factor = Elem::::zero()?; + elem_randomize(&mut blinding_factor, n, rng)?; + let to_blind = a.try_clone()?; + let blinded = elem_mul(&blinding_factor, to_blind, n)?; + let blinded_inverse = elem_inverse(blinded, n)?; + elem_set_to_product(r, &blinding_factor, &blinded_inverse, n)?; Ok(()) } @@ -708,8 +708,8 @@ pub fn elem_set_to_inverse_blinded( #[cfg(feature = "rsa_signing")] fn elem_inverse(a: Elem, m: &Modulus) -> Result, InversionError> { - let a_clone = try!(a.try_clone()); - let inverse = try!(nonnegative_mod_inverse(a.value, &(m.value.0).0)); + let a_clone = a.try_clone()?; + let inverse = nonnegative_mod_inverse(a.value, &(m.value.0).0)?; let r: Elem = Elem { value: inverse, m: PhantomData, @@ -717,7 +717,7 @@ fn elem_inverse(a: Elem, m: &Modulus) }; // Fail safe: Verify a * r == 1 (mod m). - let check = try!(elem_mul(&r, a_clone, m)); + let check = elem_mul(&r, a_clone, m)?; assert!(check.is_one()); Ok(r) @@ -758,7 +758,7 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative) carry = original_value >> (LIMB_BITS - 1); } if carry != 0 { - try!(n.0.grow_by_one_bit()); + n.0.grow_by_one_bit()?; } Ok(()) } @@ -767,7 +767,7 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative) fn add_assign(r: &mut Nonnegative, a: &mut Nonnegative, m_limb_count: usize) -> Result<(), error::Unspecified> { let mut carry = 0; - try!(r.0.make_limbs(m_limb_count, |r_limbs| { + r.0.make_limbs(m_limb_count, |r_limbs| { a.0.make_limbs(m_limb_count, |a_limbs| { carry = unsafe { LIMBS_add_assign(r_limbs.as_mut_ptr(), a_limbs.as_ptr(), @@ -775,10 +775,10 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative) }; Ok(()) }) - })); + })?; // It is possible for the result to be one bit larger than `m`. if carry != 0 { - try!(r.0.grow_by_one_bit()) + r.0.grow_by_one_bit()? } Ok(()) } @@ -799,9 +799,9 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative) } let mut u = a; - let mut v = try!(m.try_clone()); - let mut x1 = try!(Nonnegative::one()); - let mut x2 = try!(Nonnegative::zero()); + let mut v = m.try_clone()?; + let mut x1 = Nonnegative::one()?; + let mut x2 = Nonnegative::zero()?; let mut k = 0; let m_limbs = m.limbs(); @@ -810,20 +810,20 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative) while !v.is_zero() { if v.is_even() { halve(&mut v); - try!(double(&mut x1)); + double(&mut x1)?; } else if u.is_even() { halve(&mut u); - try!(double(&mut x2)); + double(&mut x2)?; } else if !greater_than(&u, &v) { - try!(sub_assign(&mut v, &mut u, m_limb_count)); + sub_assign(&mut v, &mut u, m_limb_count)?; halve(&mut v); - try!(add_assign(&mut x2, &mut x1, m_limb_count)); - try!(double(&mut x1)); + add_assign(&mut x2, &mut x1, m_limb_count)?; + double(&mut x1)?; } else { - try!(sub_assign(&mut u, &mut v, m_limb_count)); + sub_assign(&mut u, &mut v, m_limb_count)?; halve(&mut u); - try!(add_assign(&mut x1, &mut x2, m_limb_count)); - try!(double(&mut x2)); + add_assign(&mut x1, &mut x2, m_limb_count)?; + double(&mut x2)?; } k += 1; } @@ -836,13 +836,13 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative) if !greater_than(m, &x1) { debug_assert!(x1.limbs().len() <= m_limb_count + 1); // If `x` is longer than `m` then chop off that top bit. - try!(x1.0.make_limbs(m_limb_count, |x1_limbs| { + x1.0.make_limbs(m_limb_count, |x1_limbs| { unsafe { LIMBS_sub_assign(x1_limbs.as_mut_ptr(), m_limbs.as_ptr(), m_limb_count); } Ok(()) - })); + })?; } assert!(greater_than(m, &x1)); @@ -854,13 +854,13 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative) let mut carry = 0; if x1.is_odd() { // x1 += m. - try!(x1.0.make_limbs(m_limb_count, |x1_limbs| { + x1.0.make_limbs(m_limb_count, |x1_limbs| { carry = unsafe { LIMBS_add_assign(x1_limbs.as_mut_ptr(), m_limbs.as_ptr(), m_limb_count) }; Ok(()) - })); + })?; } // x1 /= 2. @@ -868,10 +868,10 @@ fn nonnegative_mod_inverse(a: Nonnegative, m: &Nonnegative) // Shift in the carry bit at the top. if carry != 0 { - try!(x1.0.make_limbs(m_limb_count, |limbs| { + x1.0.make_limbs(m_limb_count, |limbs| { *limbs.last_mut().unwrap() |= 1 << (LIMB_BITS - 1); Ok(()) - })); + })?; } } @@ -912,23 +912,23 @@ impl Nonnegative { #[cfg(feature = "rsa_signing")] fn one() -> Result { - let mut r = try!(Self::zero()); - try!(r.0.make_limbs(1, |limbs| { + let mut r = Self::zero()?; + r.0.make_limbs(1, |limbs| { limbs[0] = 1; Ok(()) - })); + })?; Ok(r) } pub fn from_be_bytes_padded(input: untrusted::Input) -> Result { - let mut r = try!(Self::zero()); - try!(r.0.make_limbs( + let mut r = Self::zero()?; + r.0.make_limbs( ((input.len() * limb::LIMB_BYTES) + limb::LIMB_BYTES - 1) / limb::LIMB_BYTES, |limbs| { // Rejects empty inputs. limb::parse_big_endian_and_pad_consttime(input, limbs) - })); + })?; Ok(r) } @@ -987,7 +987,7 @@ impl Nonnegative { fn into_elem(self, m: &Modulus) -> Result, error::Unspecified> { - try!(self.verify_less_than(&(m.value.0).0)); + self.verify_less_than(&(m.value.0).0)?; Ok(Elem { value: self, m: PhantomData, @@ -1003,10 +1003,10 @@ impl Nonnegative { } pub fn try_clone(&self) -> Result { - let mut r = try!(Nonnegative::zero()); - try!(bssl::map_result(unsafe { + let mut r = Nonnegative::zero()?; + bssl::map_result(unsafe { GFp_BN_copy(r.as_mut_ref(), self.as_ref()) - })); + })?; Ok(r) } } @@ -1100,9 +1100,9 @@ mod repr_c { pub fn grow_by_one_bit(&mut self) -> Result<(), error::Unspecified> { let old_top = self.top; let new_top = old_top + 1; - try!(bssl::map_result(unsafe { + bssl::map_result(unsafe { GFp_bn_wexpand(self, new_top) - })); + })?; self.top = new_top; self.limbs_mut()[old_top as usize] = 1; Ok(()) @@ -1123,9 +1123,9 @@ mod repr_c { self.top = num_limbs as c::int; } else { let old_top = self.top as usize; - try!(bssl::map_result(unsafe { + bssl::map_result(unsafe { GFp_bn_wexpand(self, num_limbs as c::int) - })); + })?; self.top = num_limbs as c::int; // Zero the new upper limbs, leaving the old lower limbs untouched. @@ -1134,7 +1134,7 @@ mod repr_c { } } - try!(f(self.limbs_mut())); + f(self.limbs_mut())?; unsafe { GFp_bn_correct_top(self) @@ -1289,8 +1289,8 @@ mod tests { Err(InversionError::Unspecified) => unreachable!("Unspecified"), Err(InversionError::NoInverse) => unreachable!("No Inverse"), }; - let one: Elem = try!(Elem::one()); - let actual_result = try!(elem_mul(&one, actual_result, &m)); + let one: Elem = Elem::one()?; + let actual_result = elem_mul(&one, actual_result, &m)?; assert_elem_eq(&actual_result, &expected_result); Ok(()) }) @@ -1310,11 +1310,11 @@ mod tests { let n = consume_modulus::(test_case, "M"); let a = consume_elem(test_case, "A", &n); let expected_result = consume_elem(test_case, "R", &n); - let mut actual_result = try!(Elem::::zero()); + let mut actual_result = Elem::::zero()?; assert!(elem_set_to_inverse_blinded(&mut actual_result, &a, &n, &rng).is_ok()); - let one: Elem = try!(Elem::one()); - let actual_result = try!(elem_mul(&one, actual_result, &n)); + let one: Elem = Elem::one()?; + let actual_result = elem_mul(&one, actual_result, &n)?; assert_elem_eq(&actual_result, &expected_result); Ok(()) }) @@ -1351,7 +1351,7 @@ mod tests { let n = consume_modulus::(test_case, "M"); let a = consume_elem(test_case, "A", &n); - let mut actual_result = try!(Elem::::zero()); + let mut actual_result = Elem::::zero()?; match elem_set_to_inverse_blinded(&mut actual_result, &a, &n, &rng) { Err(InversionError::NoInverse) => (), Err(InversionError::Unspecified) => unreachable!("Unspecified"), diff --git a/src/rsa/blinding.rs b/src/rsa/blinding.rs index 391695943..a0b507451 100644 --- a/src/rsa/blinding.rs +++ b/src/rsa/blinding.rs @@ -37,7 +37,7 @@ impl Blinding { error::Unspecified> { let old_contents = core::mem::replace(&mut self.0, None); - let new_contents = try!(match old_contents { + let new_contents = match old_contents { Some(Contents { blinding_factor, blinding_factor_inv, @@ -45,9 +45,9 @@ impl Blinding { }) => { if remaining > 0 { let blinding_factor = - try!(bigint::elem_squared(blinding_factor, n)); + bigint::elem_squared(blinding_factor, n)?; let blinding_factor_inv = - try!(bigint::elem_squared(blinding_factor_inv, n)); + bigint::elem_squared(blinding_factor_inv, n)?; Ok(Contents { blinding_factor: blinding_factor, blinding_factor_inv: blinding_factor_inv, @@ -59,18 +59,17 @@ impl Blinding { }, None => { - let elem1 = try!(bigint::Elem::zero()); - let elem2 = try!(bigint::Elem::zero()); + let elem1 = bigint::Elem::zero()?; + let elem2 = bigint::Elem::zero()?; reset(elem1, elem2, e, oneRR, n, rng) }, - }); + }?; let blinded_input = - try!(bigint::elem_mul(&new_contents.blinding_factor, x, n)); - let blinded_result = try!(f(blinded_input)); - let result = - try!(bigint::elem_mul(&new_contents.blinding_factor_inv, - blinded_result, n)); + bigint::elem_mul(&new_contents.blinding_factor, x, n)?; + let blinded_result = f(blinded_input)?; + let result = bigint::elem_mul(&new_contents.blinding_factor_inv, + blinded_result, n)?; let _ = core::mem::replace(&mut self.0, Some(new_contents)); @@ -94,13 +93,12 @@ fn reset(elem1: bigint::Elem, elem2: bigint::Elem, let mut random_inv = bigint::Elem::take_storage(elem2); for _ in 0..32 { - try!(bigint::elem_randomize(&mut random, n, rng)); + bigint::elem_randomize(&mut random, n, rng)?; match bigint::elem_set_to_inverse_blinded(&mut random_inv, &random, n, rng) { Ok(()) => { - let random = - try!(bigint::elem_mul(oneRR.as_ref(), random, n)); - let random = try!(bigint::elem_exp_vartime(random, e, n)); + let random = bigint::elem_mul(oneRR.as_ref(), random, n)?; + let random = bigint::elem_exp_vartime(random, e, n)?; return Ok(Contents { blinding_factor: random, blinding_factor_inv: random_inv, diff --git a/src/rsa/padding.rs b/src/rsa/padding.rs index 524458a95..3d9fc0253 100644 --- a/src/rsa/padding.rs +++ b/src/rsa/padding.rs @@ -198,7 +198,7 @@ impl RSAEncoding for PSS { fn encode(&self, m_hash: &digest::Digest, m_out: &mut [u8], mod_bits: bits::BitLength, rng: &rand::SecureRandom) -> Result<(), error::Unspecified> { - let metrics = try!(PSSMetrics::new(self.digest_alg, mod_bits)); + let metrics = PSSMetrics::new(self.digest_alg, mod_bits)?; // The `m_out` this function fills is the big-endian-encoded value of `m` // from the specification, padded to `k` bytes, where `k` is the length @@ -221,7 +221,7 @@ impl RSAEncoding for PSS { // Step 4. let mut salt = [0u8; MAX_SALT_LEN]; let salt = &mut salt[..metrics.s_len]; - try!(rng.fill(salt)); + rng.fill(salt)?; // Step 5 and 6. let h_hash = pss_digest(self.digest_alg, m_hash, salt); @@ -232,7 +232,7 @@ impl RSAEncoding for PSS { // Step 9. First output the mask into the out buffer. let (mut masked_db, mut digest_terminator) = em.split_at_mut(metrics.db_len); - try!(mgf1(self.digest_alg, h_hash.as_ref(), &mut masked_db)); + mgf1(self.digest_alg, h_hash.as_ref(), &mut masked_db)?; { // Steps 7. @@ -242,7 +242,7 @@ impl RSAEncoding for PSS { let mut masked_db = masked_db.skip(metrics.ps_len); // Step 8. - *try!(masked_db.next().ok_or(error::Unspecified)) ^= 0x01; + *(masked_db.next().ok_or(error::Unspecified)?) ^= 0x01; // Step 10. for (masked_db_b, salt_b) in masked_db.zip(salt) { @@ -266,7 +266,7 @@ impl RSAVerification for PSS { // where steps 1, 2(a), and 2(b) have been done for us. fn verify(&self, m_hash: &digest::Digest, m: &mut untrusted::Reader, mod_bits: bits::BitLength) -> Result<(), error::Unspecified> { - let metrics = try!(PSSMetrics::new(self.digest_alg, mod_bits)); + let metrics = PSSMetrics::new(self.digest_alg, mod_bits)?; // RSASSA-PSS-VERIFY Step 2(c). The `m` this function is given is the // big-endian-encoded value of `m` from the specification, padded to @@ -278,7 +278,7 @@ impl RSAVerification for PSS { // strip before we start the PSS decoding steps which is an artifact of // the `Verification` interface. if metrics.top_byte_mask == 0xff { - if try!(m.read_byte()) != 0 { + if m.read_byte()? != 0 { return Err(error::Unspecified); } }; @@ -292,11 +292,11 @@ impl RSAVerification for PSS { // Step 3 is done by `PSSMetrics::new()` above. // Step 5, out of order. - let masked_db = try!(em.skip_and_get_input(metrics.db_len)); - let h_hash = try!(em.skip_and_get_input(metrics.h_len)); + let masked_db = em.skip_and_get_input(metrics.db_len)?; + let h_hash = em.skip_and_get_input(metrics.h_len)?; // Step 4. - if try!(em.read_byte()) != 0xbc { + if em.read_byte()? != 0xbc { return Err(error::Unspecified); } @@ -304,11 +304,11 @@ impl RSAVerification for PSS { let mut db = [0u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN]; let db = &mut db[..metrics.db_len]; - try!(mgf1(self.digest_alg, h_hash.as_slice_less_safe(), db)); + mgf1(self.digest_alg, h_hash.as_slice_less_safe(), db)?; - try!(masked_db.read_all(error::Unspecified, |masked_bytes| { + masked_db.read_all(error::Unspecified, |masked_bytes| { // Step 6. Check the top bits of first byte are zero. - let b = try!(masked_bytes.read_byte()); + let b = masked_bytes.read_byte()?; if b & !metrics.top_byte_mask != 0 { return Err(error::Unspecified); } @@ -316,10 +316,10 @@ impl RSAVerification for PSS { // Step 8. for i in 1..db.len() { - db[i] ^= try!(masked_bytes.read_byte()); + db[i] ^= masked_bytes.read_byte()?; } Ok(()) - })); + })?; // Step 9. db[0] &= metrics.top_byte_mask; @@ -362,7 +362,7 @@ struct PSSMetrics { impl PSSMetrics { fn new(digest_alg: &'static digest::Algorithm, mod_bits: bits::BitLength) -> Result { - let em_bits = try!(mod_bits.try_sub(bits::ONE)); + let em_bits = mod_bits.try_sub(bits::ONE)?; let em_len = em_bits.as_usize_bytes_rounded_up(); let leading_zero_bits = (8 * em_len) - em_bits.as_usize_bits(); debug_assert!(leading_zero_bits < 8); @@ -380,10 +380,8 @@ impl PSSMetrics { // two conditions are equivalent. 9 bits are required as the 0x01 // before the salt requires 1 bit and the 0xbc after the digest // requires 8 bits. - let db_len = try!(em_len.checked_sub(1 + s_len) - .ok_or(error::Unspecified)); - let ps_len = try!(db_len.checked_sub(h_len + 1) - .ok_or(error::Unspecified)); + let db_len = em_len.checked_sub(1 + s_len).ok_or(error::Unspecified)?; + let ps_len = db_len.checked_sub(h_len + 1).ok_or(error::Unspecified)?; debug_assert!(em_bits.as_usize_bits() >= (8 * h_len) + (8 * s_len) + 9); diff --git a/src/rsa/random.rs b/src/rsa/random.rs index be41c5a43..ba6286f2f 100644 --- a/src/rsa/random.rs +++ b/src/rsa/random.rs @@ -44,7 +44,7 @@ pub fn set_to_rand_mod(out: &mut [Limb], max_exclusive: &[Limb], max_exclusive: &tmp_max[..(max_exclusive.len() + extra_limb)], sampling_params: &sampling_params, }; - try!(range.sample_into_limbs(&mut tmp_out[..out.len() + extra_limb], rng)); + range.sample_into_limbs(&mut tmp_out[..out.len() + extra_limb], rng)?; let dest_len = out.len(); out.copy_from_slice(&tmp_out[..dest_len]); @@ -100,7 +100,7 @@ impl <'a> Range<'a> { for _ in 0..100 { { let mut dest_as_bytes = limbs_as_bytes_mut(out); - try!(rng.fill(&mut dest_as_bytes)); + rng.fill(&mut dest_as_bytes)?; } // Mask off unwanted bits. diff --git a/src/rsa/rsa.rs b/src/rsa/rsa.rs index 2e42a6494..d912962a9 100644 --- a/src/rsa/rsa.rs +++ b/src/rsa/rsa.rs @@ -80,8 +80,8 @@ fn parse_public_key(input: untrusted::Input) error::Unspecified> { input.read_all(error::Unspecified, |input| { der::nested(input, der::Tag::Sequence, error::Unspecified, |input| { - let n = try!(der::positive_integer(input)); - let e = try!(der::positive_integer(input)); + let n = der::positive_integer(input)?; + let e = der::positive_integer(input)?; Ok((n, e)) }) }) @@ -102,8 +102,8 @@ fn check_public_modulus_and_exponent( // keys. // Step 3 / Step c (out of order). - let n = try!(n.into_odd_positive()); - let e = try!(e.into_odd_positive()); + let n = n.into_odd_positive()?; + let e = e.into_odd_positive()?; // `pkcs1_encode` depends on this not being small. Otherwise, // `pkcs1_encode` would generate padding that is invalid (too few 0xFF @@ -116,8 +116,7 @@ fn check_public_modulus_and_exponent( assert!(n_min_bits >= N_MIN_BITS); let n_bits = n.bit_length(); let n_bits_rounded_up = - try!(bits::BitLength::from_usize_bytes( - n_bits.as_usize_bytes_rounded_up())); + bits::BitLength::from_usize_bytes(n_bits.as_usize_bytes_rounded_up())?; if n_bits_rounded_up < n_min_bits { return Err(error::Unspecified); } @@ -136,7 +135,7 @@ fn check_public_modulus_and_exponent( } // Only small public exponents are supported. - let e = try!(e.into_public_exponent()); + let e = e.into_public_exponent()?; // If `n` is less than `e` then somebody has probably accidentally swapped // them. The largest acceptable `e` is smaller than the smallest acceptable diff --git a/src/rsa/signing.rs b/src/rsa/signing.rs index e934d9cfc..81de0f3b7 100644 --- a/src/rsa/signing.rs +++ b/src/rsa/signing.rs @@ -142,8 +142,8 @@ impl RSAKeyPair { -> Result { const RSA_ENCRYPTION: &'static [u8] = include_bytes!("../data/alg-rsa-encryption.der"); - let (der, _) = try!(pkcs8::unwrap_key_(&RSA_ENCRYPTION, - pkcs8::Version::V1Only, input)); + let (der, _) = pkcs8::unwrap_key_(&RSA_ENCRYPTION, + pkcs8::Version::V1Only, input)?; Self::from_der(der) } @@ -166,18 +166,18 @@ impl RSAKeyPair { -> Result { input.read_all(error::Unspecified, |input| { der::nested(input, der::Tag::Sequence, error::Unspecified, |input| { - let version = try!(der::small_nonnegative_integer(input)); + let version = der::small_nonnegative_integer(input)?; if version != 0 { return Err(error::Unspecified); } - let n = try!(bigint::Positive::from_der(input)); - let e = try!(bigint::Positive::from_der(input)); - let d = try!(bigint::Positive::from_der(input)); - let p = try!(bigint::Positive::from_der(input)); - let q = try!(bigint::Positive::from_der(input)); - let dP = try!(bigint::Positive::from_der(input)); - let dQ = try!(bigint::Positive::from_der(input)); - let qInv = try!(bigint::Positive::from_der(input)); + let n = bigint::Positive::from_der(input)?; + let e = bigint::Positive::from_der(input)?; + let d = bigint::Positive::from_der(input)?; + let p = bigint::Positive::from_der(input)?; + let q = bigint::Positive::from_der(input)?; + let dP = bigint::Positive::from_der(input)?; + let dQ = bigint::Positive::from_der(input)?; + let qInv = bigint::Positive::from_der(input)?; let n_bits = n.bit_length(); @@ -202,10 +202,10 @@ impl RSAKeyPair { // Step 1.c. We validate e >= 2**16 = 65536, which, since e is odd, // implies e >= 65537. - let (n, e) = try!(super::check_public_modulus_and_exponent( + let (n, e) = super::check_public_modulus_and_exponent( n, e, bits::BitLength::from_usize_bits(2048), super::PRIVATE_KEY_PUBLIC_MODULUS_MAX_BITS, - bits::BitLength::from_usize_bits(17))); + bits::BitLength::from_usize_bits(17))?; // 6.4.1.4.3 says to skip 6.4.1.2.1 Step 2. @@ -230,7 +230,7 @@ impl RSAKeyPair { if p.bit_length() != half_n_bits { return Err(error::Unspecified); } - let p = try!(p.into_odd_positive()); + let p = p.into_odd_positive()?; // TODO: Step 5.d: Verify GCD(p - 1, e) == 1. @@ -244,17 +244,14 @@ impl RSAKeyPair { if p.bit_length() != q.bit_length() { return Err(error::Unspecified); } - let q = try!(q.into_odd_positive()); + let q = q.into_odd_positive()?; // TODO: Step 5.h: Verify GCD(p - 1, e) == 1. - let n = try!(n.into_modulus::()); - let oneRR_mod_n = try!(bigint::One::newRR(&n)); + let n = n.into_modulus::()?; + let oneRR_mod_n = bigint::One::newRR(&n)?; - let q_mod_n_decoded = { - let q = try!(q.try_clone()); - try!(q.into_elem(&n)) - }; + let q_mod_n_decoded = q.try_clone()?.into_elem(&n)?; // Step 5.i // @@ -269,11 +266,11 @@ impl RSAKeyPair { // this simplification. // // 3.b is unneeded since `n_bits` is derived here from `n`. - try!(q.verify_less_than(&p)); + q.verify_less_than(&p)?; { let p_mod_n = { - let p = try!(p.try_clone()); - try!(p.into_elem(&n)) + let p = p.try_clone()?; + p.into_elem(&n)? }; let p_minus_q_bits = { // Modular subtraction isn't necessary since we already @@ -282,12 +279,11 @@ impl RSAKeyPair { // Modular subtraction without having already verified // q < p would be wrong. let p_minus_q = - try!(bigint::elem_sub(p_mod_n, &q_mod_n_decoded, - &n)); + bigint::elem_sub(p_mod_n, &q_mod_n_decoded, &n)?; p_minus_q.bit_length() }; - let min_pq_bitlen_diff = try!(half_n_bits.try_sub( - bits::BitLength::from_usize_bits(100))); + let min_pq_bitlen_diff = half_n_bits.try_sub( + bits::BitLength::from_usize_bits(100))?; if p_minus_q_bits <= min_pq_bitlen_diff { return Err(error::Unspecified); } @@ -302,15 +298,11 @@ impl RSAKeyPair { // let us assume that checking p * q == 0 (mod n) is equivalent // to checking p * q == n. let q_mod_n = { - let clone = try!(q_mod_n_decoded.try_clone()); - try!(bigint::elem_mul(oneRR_mod_n.as_ref(), clone, &n)) + let clone = q_mod_n_decoded.try_clone()?; + bigint::elem_mul(oneRR_mod_n.as_ref(), clone, &n)? }; - let p_mod_n = { - let p = try!(p.try_clone()); - try!(p.into_elem(&n)) - }; - let pq_mod_n = - try!(bigint::elem_mul(&q_mod_n, p_mod_n, &n)); + let p_mod_n = p.try_clone()?.into_elem(&n)?; + let pq_mod_n = bigint::elem_mul(&q_mod_n, p_mod_n, &n)?; if !pq_mod_n.is_zero() { return Err(error::Unspecified); } @@ -329,8 +321,8 @@ impl RSAKeyPair { // XXX: This check should be `d < LCM(p - 1, q - 1)`, but we // don't have a good way of calculating LCM, so it is omitted, // as explained above. - let d = try!(d.into_odd_positive()); - try!(d.verify_less_than(&n.value())); + let d = d.into_odd_positive()?; + d.verify_less_than(&n.value())?; // Step 6.b is omitted as explained above. @@ -344,12 +336,12 @@ impl RSAKeyPair { // and an odd number modulo an even number is odd. // Therefore `dP` must be odd. But then it cannot be `p - 1` // and so we know `dP < p - 1`. - let p = try!(PrivatePrime::new(p, dP)); + let p = PrivatePrime::new(p, dP)?; // Step 7.b is done out-of-order below. // Step 7.c. - let qInv = try!(qInv.into_elem(&p.modulus)); + let qInv = qInv.into_elem(&p.modulus)?; // Steps 7.d and 7.e are omitted per the documentation above, // and because we don't (in the long term) have a good way to @@ -357,23 +349,19 @@ impl RSAKeyPair { // Step 7.f. let qInv = - try!(bigint::elem_mul(p.oneRR.as_ref(), qInv, &p.modulus)); - let q_mod_p = { - let q = try!(q.try_clone()); - try!(q.into_elem(&p.modulus)) - }; + bigint::elem_mul(p.oneRR.as_ref(), qInv, &p.modulus)?; + let q_mod_p = q.try_clone()?.into_elem(&p.modulus)?; let qInv_times_q_mod_p = - try!(bigint::elem_mul(&qInv, q_mod_p, &p.modulus)); + bigint::elem_mul(&qInv, q_mod_p, &p.modulus)?; if !qInv_times_q_mod_p.is_one() { return Err(error::Unspecified); } // Step 7.b (out of order). Same proof as for `dP < p - 1`. - let q = try!(PrivatePrime::new(q, dQ)); + let q = PrivatePrime::new(q, dQ)?; - let qq = - try!(bigint::elem_mul(&q_mod_n, q_mod_n_decoded, &n)); - let qq = try!(qq.into_modulus::()); + let qq = bigint::elem_mul(&q_mod_n, q_mod_n_decoded, &n)? + .into_modulus::()?; Ok(RSAKeyPair { n, @@ -421,8 +409,8 @@ impl PrivatePrime { // `p - 1` and so we know `dP < p - 1`. // // The proof that `dQ < q - 1` is the same. - let dP = try!(dP.into_odd_positive()); - try!(dP.verify_less_than(&p)); + let dP = dP.into_odd_positive()?; + dP.verify_less_than(&p)?; // XXX: Steps 7.d and 7.e are omitted. We don't check that // `dP == d % (p - 1)` because we don't (in the long term) have a good @@ -433,11 +421,11 @@ impl PrivatePrime { // and `e`. TODO: Either prove that what we do is sufficient, or make // it so. - let p = try!(p.into_modulus()); - let oneRR = try!(bigint::One::newRR(&p)); - let oneRR_clone = try!(oneRR.try_clone()); - let oneR = try!(bigint::One::newR(&oneRR, &p)); - let oneRRR = try!(bigint::One::newRRR(oneRR_clone, &p)); + let p = p.into_modulus()?; + let oneRR = bigint::One::newRR(&p)?; + let oneRR_clone = oneRR.try_clone()?; + let oneR = bigint::One::newR(&oneRR, &p)?; + let oneRRR = bigint::One::newRRR(oneRR_clone, &p)?; Ok(PrivatePrime { modulus: p, @@ -453,8 +441,8 @@ fn elem_exp_consttime(c: &bigint::Elem, p: &PrivatePrime) -> Result, error::Unspecified> where M: bigint::NotMuchSmallerModulus, M: Prime { - let c_mod_m = try!(bigint::elem_reduced(c, &p.modulus)); - let c_mod_m = try!(bigint::elem_mul(p.oneRRR.as_ref(), c_mod_m, &p.modulus)); + let c_mod_m = bigint::elem_reduced(c, &p.modulus)?; + let c_mod_m = bigint::elem_mul(p.oneRRR.as_ref(), c_mod_m, &p.modulus)?; bigint::elem_exp_consttime(c_mod_m, &p.exponent, &p.oneR, &p.modulus) } @@ -570,7 +558,7 @@ impl RSASigningState { } = self; let m_hash = digest::digest(padding_alg.digest_alg(), msg); - try!(padding_alg.encode(&m_hash, signature, mod_bits, rng)); + padding_alg.encode(&m_hash, signature, mod_bits, rng)?; // RFC 8017 Section 5.1.2: RSADP, using the Chinese Remainder Theorem // with Garner's algorithm. @@ -579,34 +567,34 @@ impl RSASigningState { // // TODO: Avoid having `encode()` pad its output, and then remove // `Positive::from_be_bytes_padded()`. - let base = try!(bigint::Positive::from_be_bytes_padded( - untrusted::Input::from(signature))); - let base = try!(base.into_elem(&key.n)); + let base = bigint::Positive::from_be_bytes_padded( + untrusted::Input::from(signature))?; + let base = base.into_elem(&key.n)?; // Step 2. - let result = try!(blinding.blind(base, key.e, &key.oneRR_mod_n, &key.n, - rng, |c| { + let result = blinding.blind(base, key.e, &key.oneRR_mod_n, &key.n, rng, + |c| { // Step 2.b.i. - let m_1 = try!(elem_exp_consttime(&c, &key.p)); - let c_mod_qq = try!(bigint::elem_reduced_once(&c, &key.qq)); - let m_2 = try!(elem_exp_consttime(&c_mod_qq, &key.q)); + let m_1 = elem_exp_consttime(&c, &key.p)?; + let c_mod_qq = bigint::elem_reduced_once(&c, &key.qq)?; + let m_2 = elem_exp_consttime(&c_mod_qq, &key.q)?; // Step 2.b.ii isn't needed since there are only two primes. // Step 2.b.iii. let p = &key.p.modulus; let m_2 = bigint::elem_widen(m_2); - let m_1_minus_m_2 = try!(bigint::elem_sub(m_1, &m_2, p)); - let h = try!(bigint::elem_mul(&key.qInv, m_1_minus_m_2, p)); + let m_1_minus_m_2 = bigint::elem_sub(m_1, &m_2, p)?; + let h = bigint::elem_mul(&key.qInv, m_1_minus_m_2, p)?; // Step 2.b.iv. The reduction in the modular multiplication isn't // necessary because `h < p` and `p * q == n` implies `h * q < n`. // Modular arithmetic is used simply to avoid implementing // non-modular arithmetic. let h = bigint::elem_widen(h); - let q_times_h = try!(bigint::elem_mul(&key.q_mod_n, h, &key.n)); + let q_times_h = bigint::elem_mul(&key.q_mod_n, h, &key.n)?; let m_2 = bigint::elem_widen(m_2); - let m = try!(bigint::elem_add(m_2, q_times_h, &key.n)); + let m = bigint::elem_add(m_2, q_times_h, &key.n)?; // Step 2.b.v isn't needed since there are only two primes. @@ -619,18 +607,16 @@ impl RSASigningState { // size, oddness, and minimum value, since the relationship of `e` // to `d`, `p`, and `q` is not verified during `RSAKeyPair` // construction. - let computed = try!(m.try_clone()); + let computed = m.try_clone()?; let computed = - try!(bigint::elem_mul(&key.oneRR_mod_n.as_ref(), computed, - &key.n)); - let verify = - try!(bigint::elem_exp_vartime(computed, key.e, &key.n)); - let verify = try!(verify.into_unencoded(&key.n)); - try!(bigint::elem_verify_equal_consttime(&verify, &c)); + bigint::elem_mul(&key.oneRR_mod_n.as_ref(), computed, &key.n)?; + let verify = bigint::elem_exp_vartime(computed, key.e, &key.n)?; + let verify = verify.into_unencoded(&key.n)?; + bigint::elem_verify_equal_consttime(&verify, &c)?; // Step 3. Ok(m) - })); + })?; result.fill_be_bytes(signature); diff --git a/src/rsa/verification.rs b/src/rsa/verification.rs index 703e546d7..13b206c0d 100644 --- a/src/rsa/verification.rs +++ b/src/rsa/verification.rs @@ -25,7 +25,7 @@ impl signature::VerificationAlgorithm for RSAParameters { fn verify(&self, public_key: untrusted::Input, msg: untrusted::Input, signature: untrusted::Input) -> Result<(), error::Unspecified> { - let public_key = try!(parse_public_key(public_key)); + let public_key = parse_public_key(public_key)?; verify_rsa(self, public_key, msg, signature) } } @@ -130,10 +130,10 @@ pub fn verify_rsa(params: &RSAParameters, -> Result<(), error::Unspecified> { // Partially validate the public key. See // `check_public_modulus_and_exponent()` for more details. - let n = try!(bigint::Positive::from_be_bytes(n)); - let e = try!(bigint::Positive::from_be_bytes(e)); - let max_bits = try!(bits::BitLength::from_usize_bytes( - PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN)); + let n = bigint::Positive::from_be_bytes(n)?; + let e = bigint::Positive::from_be_bytes(e)?; + let max_bits = bits::BitLength::from_usize_bytes( + PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN)?; // XXX: FIPS 186-4 seems to indicate that the minimum // exponent value is 2**16 + 1, but it isn't clear if this is just for @@ -142,10 +142,10 @@ pub fn verify_rsa(params: &RSAParameters, let e_min_bits = bits::BitLength::from_usize_bits(2); let (n, e) = - try!(super::check_public_modulus_and_exponent(n, e, params.min_bits, - max_bits, e_min_bits)); + super::check_public_modulus_and_exponent(n, e, params.min_bits, max_bits, + e_min_bits)?; let n_bits = n.bit_length(); - let n = try!(n.into_modulus::()); + let n = n.into_modulus::()?; // The signature must be the same length as the modulus, in bytes. if signature.len() != n_bits.as_usize_bytes_rounded_up() { @@ -155,17 +155,17 @@ pub fn verify_rsa(params: &RSAParameters, // RFC 8017 Section 5.2.2: RSAVP1. // Step 1. - let s = try!(bigint::Positive::from_be_bytes_padded(signature)); - let s = try!(s.into_elem::(&n)); + let s = bigint::Positive::from_be_bytes_padded(signature)?; + let s = s.into_elem::(&n)?; // Step 2. let s = { // Montgomery encode `s`. - let oneRR = try!(bigint::One::newRR(&n)); - try!(bigint::elem_mul(oneRR.as_ref(), s, &n)) + let oneRR = bigint::One::newRR(&n)?; + bigint::elem_mul(oneRR.as_ref(), s, &n)? }; - let m = try!(bigint::elem_exp_vartime(s, e, &n)); - let m = try!(m.into_unencoded(&n)); + let m = bigint::elem_exp_vartime(s, e, &n)?; + let m = m.into_unencoded(&n)?; // Step 3. let mut decoded = [0u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN]; diff --git a/tests/rsa_tests.rs b/tests/rsa_tests.rs index 564d13d00..842d9d768 100644 --- a/tests/rsa_tests.rs +++ b/tests/rsa_tests.rs @@ -93,7 +93,7 @@ fn test_signature_rsa_pss_sign() { fn fill(&self, dest: &mut [u8]) -> Result<(), error::Unspecified> { let dest_len = dest.len(); if dest_len != self.salt.len() { - try!(self.rng.fill(dest)); + self.rng.fill(dest)?; } else { dest.copy_from_slice(&self.salt); } @@ -132,7 +132,7 @@ fn test_signature_rsa_pss_sign() { signature::RSASigningState::new(key_pair).unwrap(); let mut actual: std::vec::Vec = vec![0; signing_state.key_pair().public_modulus_len()]; - try!(signing_state.sign(alg, &new_rng, &msg, actual.as_mut_slice())); + signing_state.sign(alg, &new_rng, &msg, actual.as_mut_slice())?; assert_eq!(actual.as_slice() == &expected[..], result == "Pass"); Ok(()) }); @@ -179,8 +179,8 @@ fn test_signature_rsa_pkcs1_verify() { // for improperly-encoded signatures, we'll have to revisit this. assert!(public_key.read_all(error::Unspecified, |input| { der::nested(input, der::Tag::Sequence, error::Unspecified, |input| { - let _ = try!(der::positive_integer(input)); - let _ = try!(der::positive_integer(input)); + let _ = der::positive_integer(input)?; + let _ = der::positive_integer(input)?; Ok(()) }) }).is_ok()); @@ -221,8 +221,8 @@ fn test_signature_rsa_pss_verify() { // for improperly-encoded signatures, we'll have to revisit this. assert!(public_key.read_all(error::Unspecified, |input| { der::nested(input, der::Tag::Sequence, error::Unspecified, |input| { - let _ = try!(der::positive_integer(input)); - let _ = try!(der::positive_integer(input)); + let _ = der::positive_integer(input)?; + let _ = der::positive_integer(input)?; Ok(()) }) }).is_ok());