Reject invalid RSA keys with even modulo.

5eb30d94 · Niels Möller · b721591c · 5eb30d94 · 5eb30d94 · 5eb30d94
Commit 5eb30d94 authored Jul 31, 2016 by Niels Möller
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 3 deletions

ChangeLog ChangeLog +6 -0

rsa.c rsa.c +8 -3

testsuite/rsa-test.c testsuite/rsa-test.c +7 -0

No files found.
--- a/ChangeLog
+++ b/ChangeLog
+2016-07-31  Niels Möller  <nisse@lysator.liu.se>
+
+	* rsa.c (_rsa_check_size): Check that n is odd. Otherwise, using
+	an invalid key may crash in mpz_powm_sec. Problem reported by
+	Hanno Böck.
+
 2016-07-13  Niels Möller  <nisse@lysator.liu.se>

 	* bignum.c (nettle_mpz_from_octets): Unconditionally use

--- a/rsa.c
+++ b/rsa.c
@@ -58,13 +58,18 @@ rsa_public_key_clear(struct rsa_public_key *key)
 }

 /* Computes the size, in octets, of a the modulo. Returns 0 if the
- * modulo is too small to be useful. */
-
+ * modulo is too small to be useful, or otherwise appears invalid. */
 size_t
 _rsa_check_size(mpz_t n)
 {
  /* Round upwards */
-  size_t size = (mpz_sizeinbase(n, 2) + 7) / 8;
+  size_t size;
+
+  /* Even moduli are invalid, and not supported by mpz_powm_sec. */
+  if (mpz_even_p (n))
+    return 0;
+
+  size = (mpz_sizeinbase(n, 2) + 7) / 8;

  if (size < RSA_MINIMUM_N_OCTETS)
    return 0;

--- a/testsuite/rsa-test.c
+++ b/testsuite/rsa-test.c
@@ -57,6 +57,13 @@ test_main(void)

  test_rsa_sha512(&pub, &key, expected);

+  /* Test detection of invalid keys with even modulo */
+  mpz_clrbit (pub.n, 0);
+  ASSERT (!rsa_public_key_prepare (&pub));
+
+  mpz_clrbit (key.p, 0);
+  ASSERT (!rsa_private_key_prepare (&key));
+
  /* 777-bit key, generated by
   *
   *   lsh-keygen -a rsa -l 777 -f advanced-hex