mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 01:48:00 +00:00

Fix SSH-1 RSA key handling in Pageant.

The auxiliary values (the two primes and the inverse of one mod the
other) were being read into the key structure wrongly, causing
crt_modpow() in sshrsa.c to give the wrong answers where straight
modpow would not have.

This must have been broken ever since I implemented the RSA CRT
optimisation in 2011. And nobody has noticed, which is a good sign for
the phasing out of SSH-1 :-) I only spotted it myself because I was
testing all the Pageant message types in the course of implementing
the new logging.
Simon Tatham 2015-05-06 20:49:07 +01:00
parent bc4066e454
commit 5e2443ff1f


@ -580,6 +580,10 @@ void *pageant_handle_msg(const void *msg, int msglen, int *outlen,
}
p += n;
/* SSH-1 names p and q the other way round, i.e. we have
* the inverse of p mod q and not of q mod p. We swap the
* names, because our internal RSA wants iqmp. */
n = ssh1_read_bignum(p, msgend - p, &key->iqmp); /* p^-1 mod q */
if (n < 0) {
freersakey(key);
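Review bot: The new comment and the trailing `/* p^-1 mod q */` on the `&key->iqmp` read use two naming schemes without saying which is which. The block comment says the names are swapped, but the trailing comment is still in SSH-1 wire naming while the field name is in internal naming. Consider making that explicit, for example `/* SSH-1's p^-1 mod q, i.e. our q^-1 mod p */`. It would also help to state here that the following two reads store SSH-1's p into `key->q` and SSH-1's q into `key->p`, since the swap itself is not visible at this point in the function.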
@ -589,7 +593,7 @@ void *pageant_handle_msg(const void *msg, int msglen, int *outlen,
}
p += n;
n = ssh1_read_bignum(p, msgend - p, &key->p); /* p */
n = ssh1_read_bignum(p, msgend - p, &key->q); /* p */
if (n < 0) {
freersakey(key);
sfree(key);
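Review bot: The trailing comment on the replacement line still reads `/* p */` although the value is now stored in `key->q`, so the line looks like a typo to anyone who has not read the comment added above the iqmp read. Suggest changing it to say which naming it refers to, for example `/* SSH-1's p, stored as our q */`, so the field and the comment no longer appear to contradict each other.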
@ -598,7 +602,7 @@ void *pageant_handle_msg(const void *msg, int msglen, int *outlen,
}
p += n;
n = ssh1_read_bignum(p, msgend - p, &key->q); /* q */
n = ssh1_read_bignum(p, msgend - p, &key->p); /* q */
if (n < 0) {
freersakey(key);
sfree(key);
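Review bot: After this last read into `key->p` the only validation visible in these hunks is `n < 0`, which checks that each bignum parsed and not that the three auxiliary values agree with each other. The commit message says the mismatch went unnoticed since 2011, so a consistency check once all fields are populated would be worth adding here: reject the key unless p times q equals the modulus and iqmp times q is 1 mod p in the internal naming. That turns a future ordering mistake, or a malformed key from a client, into an immediate failure on add instead of wrong answers from `crt_modpow()` later. The trailing `/* q */` on this line has the same stale-comment problem as the previous hunk.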