Fix assertion failure in rsa_verify.

If a malformed private key (received through any channel, whether loaded from a disk file or over the wire by Pageant) specifies either of the modulus's prime factors p or q as 1, then when rsa_verify tries to check that e*d is congruent to 1 mod (p-1) and mod (q-1), that check will involve a division by zero, which in this context means failing an assertion in mp_divmod. We were already doing a preliminary check that neither of p and q was actually zero. Now that check is strengthened to check that p-1 and q-1 are not zero either.
2025-01-09 09:27:59 +00:00 · 2019-04-28 09:59:28 +01:00 · 2019-04-28 09:59:28 +01:00 · 4b8aad76f8
commit 4b8aad76f8
parent 5f204d1ef1
1 changed files with 5 additions and 2 deletions
--- a/sshrsa.c
+++ b/sshrsa.c
@ -296,8 +296,11 @@ bool rsa_verify(RSAKey *key)
    mp_int *n, *ed, *pm1, *qm1;
    unsigned ok = 1;

-    /* Preliminary checks: p,q must actually be nonzero. */
-    if (mp_eq_integer(key->p, 0) | mp_eq_integer(key->q, 0))
+    /* Preliminary checks: p,q can't be 0 or 1. (Of course no other
+     * very small value is any good either, but these are the values
+     * we _must_ check for to avoid assertion failures further down
+     * this function.) */
+    if (!(mp_hs_integer(key->p, 2) & mp_hs_integer(key->q, 2)))
        return false;

    /* n must equal pq. */