From: Niels Möller Date: Thu, 4 Aug 2016 08:18:23 +0000 (+0200) Subject: Reject invalid keys, with even moduli, in rsa_compute_root_tr. X-Git-Tag: nettle_3.3_release_20161001~48 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=52b9223126b3f997c00d399166c006ae28669068;p=thirdparty%2Fnettle.git Reject invalid keys, with even moduli, in rsa_compute_root_tr. --- diff --git a/ChangeLog b/ChangeLog index 83e56a0a..771632c9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2016-08-04 Niels Möller + + * rsa-sign-tr.c (rsa_compute_root_tr): Return failure if any of p, + q or n is even, to avoid crashing inside mpz_powm_sec. Invalid + keys with even modulo are rejected by rsa_public_key_prepare and + rsa_private_key_prepare, but some applications, notably gnutls, + don't use them. + 2016-07-31 Niels Möller * rsa.c (_rsa_check_size): Check that n is odd. Otherwise, using diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c index 68233a3c..8542cae2 100644 --- a/rsa-sign-tr.c +++ b/rsa-sign-tr.c @@ -88,6 +88,14 @@ rsa_compute_root_tr(const struct rsa_public_key *pub, int res; mpz_t t, mb, xb, ri; + /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the + key is invalid and rejected by rsa_private_key_prepare. However, + some applications, notably gnutls, don't use this function, and + we don't want an invalid key to lead to a crash down inside + mpz_powm_sec. So do an additional check here. */ + if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q)) + return 0; + mpz_init (mb); mpz_init (xb); mpz_init (ri);
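Review bot: In the ChangeLog hunk, "Invalid keys with even modulo" should read "even modulus" (or "even moduli", as the subject line has it). The entry also names both rsa_public_key_prepare and rsa_private_key_prepare as the functions that reject such keys, while the new comment in rsa-sign-tr.c names only rsa_private_key_prepare and then says "this function". Make the two texts agree on which prepare functions do the check.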
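Review bot: In the rsa-sign-tr.c hunk, the new early "return 0" after the mpz_even_p check is a silent failure path that the visible diff neither documents for callers nor covers with a test. The comment says the check exists for applications that skip rsa_private_key_prepare, so those same callers are the ones that must check the return value of rsa_compute_root_tr. Suggest stating in the function's description that 0 is returned when n, p or q is even, and adding a regression test that passes a key with each of the three made even in turn and expects 0. The placement before the mpz_init calls is right: nothing has been initialised yet, so the early return needs no cleanup.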