mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00

Fix assertion failure in rsa_verify.

If a malformed private key (received through any channel, whether
loaded from a disk file or over the wire by Pageant) specifies either
of the modulus's prime factors p or q as 1, then when rsa_verify tries
to check that e*d is congruent to 1 mod (p-1) and mod (q-1), that
check will involve a division by zero, which in this context means
failing an assertion in mp_divmod.

We were already doing a preliminary check that neither of p and q was
actually zero. Now that check is strengthened to check that p-1 and
q-1 are not zero either.
Simon Tatham 2019-04-28 09:59:28 +01:00
parent 5f204d1ef1
commit 4b8aad76f8

@ -296,8 +296,11 @@ bool rsa_verify(RSAKey *key)
mp_int *n, *ed, *pm1, *qm1; mp_int *n, *ed, *pm1, *qm1;
unsigned ok = 1; unsigned ok = 1;
/* Preliminary checks: p,q must actually be nonzero. */ /* Preliminary checks: p,q can't be 0 or 1. (Of course no other
if (mp_eq_integer(key->p, 0) | mp_eq_integer(key->q, 0)) * very small value is any good either, but these are the values
* we _must_ check for to avoid assertion failures further down
* this function.) */
if (!(mp_hs_integer(key->p, 2) & mp_hs_integer(key->q, 2)))
return false; return false;
/* n must equal pq. */ /* n must equal pq. */
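Review bot: the rewritten comment above the p,q check says the values 0 and 1 must be rejected "to avoid assertion failures further down this function" but does not say which operation fails. The commit message does: p-1 or q-1 becomes zero and the congruence check on e*d divides by it in mp_divmod. Naming the zero modulus and mp_divmod in the comment would make it harder for a later cleanup to loosen the guard back to a plain nonzero test. The condition also keeps a non-short-circuit `&` where the old line used `|`; if that is deliberate, a few words in the comment would save the next reader from "fixing" it to `&&`. Since the trigger is a malformed key that can arrive from a file or over the wire, a regression test that feeds rsa_verify a key with p or q equal to 1 and expects false would be a good companion to this change.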