From 4b8aad76f8d545032a7824398695e7fdcd226ba6 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Sun, 28 Apr 2019 09:59:28 +0100 Subject: [PATCH] Fix assertion failure in rsa_verify. If a malformed private key (received through any channel, whether loaded from a disk file or over the wire by Pageant) specifies either of the modulus's prime factors p or q as 1, then when rsa_verify tries to check that e*d is congruent to 1 mod (p-1) and mod (q-1), that check will involve a division by zero, which in this context means failing an assertion in mp_divmod. We were already doing a preliminary check that neither of p and q was actually zero. Now that check is strengthened to check that p-1 and q-1 are not zero either. --- sshrsa.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/sshrsa.c b/sshrsa.c index 1fd5fb25..4d26f9f6 100644 --- a/sshrsa.c +++ b/sshrsa.c @@ -296,8 +296,11 @@ bool rsa_verify(RSAKey *key) mp_int *n, *ed, *pm1, *qm1; unsigned ok = 1; - /* Preliminary checks: p,q must actually be nonzero. */ - if (mp_eq_integer(key->p, 0) | mp_eq_integer(key->q, 0)) + /* Preliminary checks: p,q can't be 0 or 1. (Of course no other + * very small value is any good either, but these are the values + * we _must_ check for to avoid assertion failures further down + * this function.) */ + if (!(mp_hs_integer(key->p, 2) & mp_hs_integer(key->q, 2))) return false; /* n must equal pq. */
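Review bot: the new guard in rsa_verify, `if (!(mp_hs_integer(key->p, 2) & mp_hs_integer(key->q, 2)))`, joins the two results with bitwise `&`, which is only correct if mp_hs_integer always returns exactly 0 or 1. The replaced line used `|` in the same way, so this looks deliberate (both operands evaluated, no short-circuit on key material), but the new comment explains only why 0 and 1 are rejected, not why the operator is not `&&`. A short remark to that effect would stop a later cleanup from "fixing" it. The diffstat also shows only sshrsa.c changing. Since the commit message says the malformed key can arrive from a disk file or over the wire via Pageant, a regression case that feeds rsa_verify a key with p = 1, and another with q = 1, and expects false would pin the behaviour down.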