Blame SOURCES/nettle-2.7.1-powm-sec.patch

c91e6d
diff --git a/configure.ac b/configure.ac
c91e6d
index 78a3d4e..dfb151e 100644
c91e6d
--- a/configure.ac
c91e6d
+++ b/configure.ac
c91e6d
@@ -645,9 +645,9 @@ if test "x$nettle_cv_fcntl_locking" = "xyes" ; then
c91e6d
 fi
c91e6d
 
c91e6d
 # Checks for libraries
c91e6d
-AC_CHECK_LIB(gmp, __gmpz_getlimbn,,
c91e6d
+AC_CHECK_LIB(gmp, __gmpz_powm_sec,,
c91e6d
     [AC_MSG_WARN(
c91e6d
-[GNU MP not found, or not 3.1 or up, see http://gmplib.org/.
c91e6d
+[GNU MP not found, or not 5.0 or up, see http://gmplib.org/.
c91e6d
 Support for public key algorithms will be unavailable.])]
c91e6d
     enable_public_key=no)
c91e6d
 
c91e6d
diff --git a/dsa-sign.c b/dsa-sign.c
c91e6d
index 0b5ab1d..d0baa27 100644
c91e6d
--- a/dsa-sign.c
c91e6d
+++ b/dsa-sign.c
c91e6d
@@ -54,6 +54,11 @@ _dsa_sign(const struct dsa_public_key *pub,
c91e6d
   if (mpz_sizeinbase(pub->q, 2) != 8 * digest_size)
c91e6d
     return 0;
c91e6d
 
c91e6d
+  /* Check that p is odd, so that invalid keys don't result in a crash
c91e6d
+     inside mpz_powm_sec. */
c91e6d
+  if (mpz_even_p (pub->p))
c91e6d
+    return 0;
c91e6d
+
c91e6d
   /* Select k, 0
c91e6d
   mpz_init_set(tmp, pub->q);
c91e6d
   mpz_sub_ui(tmp, tmp, 1);
c91e6d
@@ -63,7 +68,7 @@ _dsa_sign(const struct dsa_public_key *pub,
c91e6d
   mpz_add_ui(k, k, 1);
c91e6d
 
c91e6d
   /* Compute r = (g^k (mod p)) (mod q) */
c91e6d
-  mpz_powm(tmp, pub->g, k, pub->p);
c91e6d
+  mpz_powm_sec(tmp, pub->g, k, pub->p);
c91e6d
   mpz_fdiv_r(signature->r, tmp, pub->q);
c91e6d
 
c91e6d
   /* Compute hash */
c91e6d
diff --git a/rsa-blind.c b/rsa-blind.c
c91e6d
index 97485be..468b68e 100644
c91e6d
--- a/rsa-blind.c
c91e6d
+++ b/rsa-blind.c
c91e6d
@@ -53,7 +53,7 @@ _rsa_blind (const struct rsa_public_key *pub,
c91e6d
   while (!mpz_invert (ri, r, pub->n));
c91e6d
 
c91e6d
   /* c = c*(r^e) mod n */
c91e6d
-  mpz_powm(r, r, pub->e, pub->n);
c91e6d
+  mpz_powm_sec(r, r, pub->e, pub->n);
c91e6d
   mpz_mul(c, c, r);
c91e6d
   mpz_fdiv_r(c, c, pub->n);
c91e6d
 
c91e6d
diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c
c91e6d
index 312b182..4066619 100644
c91e6d
--- a/rsa-decrypt-tr.c
c91e6d
+++ b/rsa-decrypt-tr.c
c91e6d
@@ -43,6 +43,9 @@ rsa_decrypt_tr(const struct rsa_public_key *pub,
c91e6d
   mpz_t m, ri;
c91e6d
   int res;
c91e6d
 
c91e6d
+  if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
c91e6d
+    return 0;
c91e6d
+
c91e6d
   mpz_init_set(m, gibberish);
c91e6d
   mpz_init (ri);
c91e6d
 
c91e6d
diff --git a/rsa-decrypt.c b/rsa-decrypt.c
c91e6d
index a3abf6e..64d12ae 100644
c91e6d
--- a/rsa-decrypt.c
c91e6d
+++ b/rsa-decrypt.c
c91e6d
@@ -39,6 +39,9 @@ rsa_decrypt(const struct rsa_private_key *key,
c91e6d
   mpz_t m;
c91e6d
   int res;
c91e6d
 
c91e6d
+  if (mpz_even_p (key->p) || mpz_even_p (key->q))
c91e6d
+    return 0;
c91e6d
+
c91e6d
   mpz_init(m);
c91e6d
   rsa_compute_root(key, m, gibberish);
c91e6d
 
c91e6d
diff --git a/rsa-pkcs1-sign-tr.c b/rsa-pkcs1-sign-tr.c
c91e6d
index 5efc155..0031706 100644
c91e6d
--- a/rsa-pkcs1-sign-tr.c
c91e6d
+++ b/rsa-pkcs1-sign-tr.c
c91e6d
@@ -40,6 +40,9 @@ rsa_pkcs1_sign_tr(const struct rsa_public_key *pub,
c91e6d
 {
c91e6d
   mpz_t ri;
c91e6d
 
c91e6d
+  if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
c91e6d
+    return 0;
c91e6d
+
c91e6d
   if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info))
c91e6d
     {
c91e6d
       mpz_init (ri);
c91e6d
diff --git a/rsa-pkcs1-sign.c b/rsa-pkcs1-sign.c
c91e6d
index 9162cfc..e39485b 100644
c91e6d
--- a/rsa-pkcs1-sign.c
c91e6d
+++ b/rsa-pkcs1-sign.c
c91e6d
@@ -36,6 +36,9 @@ rsa_pkcs1_sign(const struct rsa_private_key *key,
c91e6d
 	       unsigned length, const uint8_t *digest_info,
c91e6d
 	       mpz_t s)
c91e6d
 {  
c91e6d
+  if (mpz_even_p (key->p) || mpz_even_p (key->q))
c91e6d
+    return 0;
c91e6d
+
c91e6d
   if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info))
c91e6d
     {
c91e6d
       rsa_compute_root(key, s, s);
c91e6d
diff --git a/rsa-sign.c b/rsa-sign.c
c91e6d
index 56adda3..9f2a707 100644
c91e6d
--- a/rsa-sign.c
c91e6d
+++ b/rsa-sign.c
c91e6d
@@ -88,11 +88,11 @@ rsa_compute_root(const struct rsa_private_key *key,
c91e6d
 
c91e6d
   /* Compute xq = m^d % q = (m%q)^b % q */
c91e6d
   mpz_fdiv_r(xq, m, key->q);
c91e6d
-  mpz_powm(xq, xq, key->b, key->q);
c91e6d
+  mpz_powm_sec(xq, xq, key->b, key->q);
c91e6d
 
c91e6d
   /* Compute xp = m^d % p = (m%p)^a % p */
c91e6d
   mpz_fdiv_r(xp, m, key->p);
c91e6d
-  mpz_powm(xp, xp, key->a, key->p);
c91e6d
+  mpz_powm_sec(xp, xp, key->a, key->p);
c91e6d
 
c91e6d
   /* Set xp' = (xp - xq) c % p. */
c91e6d
   mpz_sub(xp, xp, xq);
c91e6d
diff --git a/rsa.c b/rsa.c
c91e6d
index e303a8c..91b3f85 100644
c91e6d
--- a/rsa.c
c91e6d
+++ b/rsa.c
c91e6d
@@ -58,6 +58,9 @@ _rsa_check_size(mpz_t n)
c91e6d
   /* Round upwards */
c91e6d
   unsigned size = (mpz_sizeinbase(n, 2) + 7) / 8;
c91e6d
 
c91e6d
+  if (mpz_even_p (n))
c91e6d
+    return 0;
c91e6d
+
c91e6d
   if (size < RSA_MINIMUM_N_OCTETS)
c91e6d
     return 0;
c91e6d
 
c91e6d
diff --git a/testsuite/rsa-test.c b/testsuite/rsa-test.c
c91e6d
index e9b1c03..a429664 100644
c91e6d
--- a/testsuite/rsa-test.c
c91e6d
+++ b/testsuite/rsa-test.c
c91e6d
@@ -57,6 +57,13 @@ test_main(void)
c91e6d
 
c91e6d
   test_rsa_sha512(&pub, &key, expected);
c91e6d
 
c91e6d
+  /* Test detection of invalid keys with even modulo */
c91e6d
+  mpz_clrbit (pub.n, 0);
c91e6d
+  ASSERT (!rsa_public_key_prepare (&pub));
c91e6d
+
c91e6d
+  mpz_clrbit (key.p, 0);
c91e6d
+  ASSERT (!rsa_private_key_prepare (&key));
c91e6d
+
c91e6d
   /* 777-bit key, generated by
c91e6d
    *
c91e6d
    *   lsh-keygen -a rsa -l 777 -f advanced-hex