}
}
+/*
+ * Verify that the public data in an RSA key matches the private
+ * data. We also check the private data itself: we ensure that p >
+ * q and that iqmp really is the inverse of q mod p.
+ */
+int rsa_verify(struct RSAKey *key) {
+ Bignum n, ed, pm1, qm1;
+ int cmp;
+
+ /* n must equal pq. */
+ n = bigmul(key->p, key->q);
+ cmp = bignum_cmp(n, key->modulus);
+ freebn(n);
+ if (cmp != 0)
+ return 0;
+
+ /* e * d must be congruent to 1, modulo (p-1) and modulo (q-1). */
+ pm1 = copybn(key->p);
+ decbn(pm1);
+ ed = modmul(key->exponent, key->private_exponent, pm1);
+ cmp = bignum_cmp(ed, One);
+ sfree(ed);
+ if (cmp != 0)
+ return 0;
+
+ qm1 = copybn(key->q);
+ decbn(qm1);
+ ed = modmul(key->exponent, key->private_exponent, qm1);
+ cmp = bignum_cmp(ed, One);
+ sfree(ed);
+ if (cmp != 0)
+ return 0;
+
+ /*
+ * Ensure p > q.
+ */
+ if (bignum_cmp(key->p, key->q) <= 0)
+ return 0;
+
+ /*
+ * Ensure iqmp * q is congruent to 1, modulo p.
+ */
+ n = modmul(key->iqmp, key->q, key->p);
+ cmp = bignum_cmp(n, One);
+ sfree(n);
+ if (cmp != 0)
+ return 0;
+
+ return 1;
+}
+
void freersakey(struct RSAKey *key) {
if (key->modulus) freebn(key->modulus);
if (key->exponent) freebn(key->exponent);
len = rsastr_len(rsa);
p = smalloc(len);
- rsastr_fmt(p, rsa);
+ rsastr_fmt(p, rsa);
return p;
}
rsa->q = getmp(&pb, &priv_len);
rsa->iqmp = getmp(&pb, &priv_len);
+ if (!rsa_verify(rsa)) {
+ rsa2_freekey(rsa);
+ return NULL;
+ }
+
return rsa;
}
projects / u / mdw / putty / blobdiff