Commit 5eb30d94 authored by Niels Möller's avatar Niels Möller

Reject invalid RSA keys with even modulo.

parent b721591c
2016-07-31 Niels Möller <nisse@lysator.liu.se>
* rsa.c (_rsa_check_size): Check that n is odd. Otherwise, using
an invalid key may crash in mpz_powm_sec. Problem reported by
Hanno Böck.
2016-07-13 Niels Möller <nisse@lysator.liu.se> 2016-07-13 Niels Möller <nisse@lysator.liu.se>
* bignum.c (nettle_mpz_from_octets): Unconditionally use * bignum.c (nettle_mpz_from_octets): Unconditionally use
......
...@@ -58,13 +58,18 @@ rsa_public_key_clear(struct rsa_public_key *key) ...@@ -58,13 +58,18 @@ rsa_public_key_clear(struct rsa_public_key *key)
} }
/* Computes the size, in octets, of a the modulo. Returns 0 if the /* Computes the size, in octets, of a the modulo. Returns 0 if the
* modulo is too small to be useful. */ * modulo is too small to be useful, or otherwise appears invalid. */
size_t size_t
_rsa_check_size(mpz_t n) _rsa_check_size(mpz_t n)
{ {
/* Round upwards */ /* Round upwards */
size_t size = (mpz_sizeinbase(n, 2) + 7) / 8; size_t size;
/* Even moduli are invalid, and not supported by mpz_powm_sec. */
if (mpz_even_p (n))
return 0;
size = (mpz_sizeinbase(n, 2) + 7) / 8;
if (size < RSA_MINIMUM_N_OCTETS) if (size < RSA_MINIMUM_N_OCTETS)
return 0; return 0;
......
...@@ -57,6 +57,13 @@ test_main(void) ...@@ -57,6 +57,13 @@ test_main(void)
test_rsa_sha512(&pub, &key, expected); test_rsa_sha512(&pub, &key, expected);
/* Test detection of invalid keys with even modulo */
mpz_clrbit (pub.n, 0);
ASSERT (!rsa_public_key_prepare (&pub));
mpz_clrbit (key.p, 0);
ASSERT (!rsa_private_key_prepare (&key));
/* 777-bit key, generated by /* 777-bit key, generated by
* *
* lsh-keygen -a rsa -l 777 -f advanced-hex * lsh-keygen -a rsa -l 777 -f advanced-hex
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment