From 9e6669d30ad33d7b3112c100fe11d588f310ae14 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Tue, 29 Jan 2019 20:03:10 +0000 Subject: [PATCH] rsa_verify: fix assertion if p,q are different lengths. The mp_cond_swap that sorts the key's factors into p>q order only works if the mp_int representations of p and q have the same nw. It's unusual but by no means illegal for an RSA key to be the product of wildly different-length primes, so we should cope. Now we sort p and q by using mp_min and mp_max. --- sshrsa.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sshrsa.c b/sshrsa.c index b845b46c..11687979 100644 --- a/sshrsa.c +++ b/sshrsa.c @@ -328,9 +328,12 @@ bool rsa_verify(RSAKey *key) * should instead flip them round into the canonical order of * p > q. This also involves regenerating iqmp. */ - unsigned swap_pq = mp_cmp_hs(key->q, key->p); - mp_cond_swap(key->p, key->q, swap_pq); - mp_free(key->iqmp); + mp_int *p_new = mp_max(key->p, key->q); + mp_int *q_new = mp_min(key->p, key->q); + mp_free(key->p); + mp_free(key->q); + key->p = p_new; + key->q = q_new; key->iqmp = mp_invert(key->q, key->p); return ok;
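Review bot: the previous iqmp is leaked at the end of this hunk. The removed lines include `mp_free(key->iqmp);`, but the unchanged context line `key->iqmp = mp_invert(key->q, key->p);` still overwrites the pointer, so the old allocation is never released. Because iqmp is derived from the private factors, it should be freed rather than left orphaned on the heap: keep `mp_free(key->iqmp);` immediately before the reassignment. A one-line comment would also help, saying that the code relies on mp_max and mp_min returning newly allocated values, which is why the old key->p and key->q are freed before being replaced.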