X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/d8770b1245ff0acd81f581c5667563e0d127104a..defab6b847906338311fae6ff37e8b6985c5ac08:/sshrsa.c

diff --git a/sshrsa.c b/sshrsa.c
index 36069ad7..fa5bfa25 100644
--- a/sshrsa.c
+++ b/sshrsa.c
@@ -151,6 +151,57 @@ void rsa_fingerprint(char *str, int len, struct RSAKey *key) {
     }
 }
 
+/*
+ * Verify that the public data in an RSA key matches the private
+ * data. We also check the private data itself: we ensure that p >
+ * q and that iqmp really is the inverse of q mod p.
+ */
+int rsa_verify(struct RSAKey *key) {
+    Bignum n, ed, pm1, qm1;
+    int cmp;
+
+    /* n must equal pq. */
+    n = bigmul(key->p, key->q);
+    cmp = bignum_cmp(n, key->modulus);
+    freebn(n);
+    if (cmp != 0)
+	return 0;
+
+    /* e * d must be congruent to 1, modulo (p-1) and modulo (q-1). */
+    pm1 = copybn(key->p);
+    decbn(pm1);
+    ed = modmul(key->exponent, key->private_exponent, pm1);
+    cmp = bignum_cmp(ed, One);
+    sfree(ed);
+    if (cmp != 0)
+	return 0;
+
+    qm1 = copybn(key->q);
+    decbn(qm1);
+    ed = modmul(key->exponent, key->private_exponent, qm1);
+    cmp = bignum_cmp(ed, One);
+    sfree(ed);
+    if (cmp != 0)
+	return 0;
+
+    /*
+     * Ensure p > q.
+     */
+    if (bignum_cmp(key->p, key->q) <= 0)
+        return 0;
+
+    /*
+     * Ensure iqmp * q is congruent to 1, modulo p.
+     */
+    n = modmul(key->iqmp, key->q, key->p);
+    cmp = bignum_cmp(n, One);
+    sfree(n);
+    if (cmp != 0)
+        return 0;
+
+    return 1;
+}
+
 void freersakey(struct RSAKey *key) {
     if (key->modulus) freebn(key->modulus);
     if (key->exponent) freebn(key->exponent);
@@ -231,7 +282,7 @@ static char *rsa2_fmtkey(void *key) {
     
     len = rsastr_len(rsa);
     p = smalloc(len);
-    rsastr_fmt(p, rsa);
+     rsastr_fmt(p, rsa);
     return p;
 }
 
@@ -304,6 +355,11 @@ static void *rsa2_createkey(unsigned char *pub_blob, int pub_len,
     rsa->q = getmp(&pb, &priv_len);
     rsa->iqmp = getmp(&pb, &priv_len);
 
+    if (!rsa_verify(rsa)) {
+	rsa2_freekey(rsa);
+	return NULL;
+    }
+
     return rsa;
 }
 
@@ -373,17 +429,26 @@ static char *rsa2_fingerprint(void *key) {
 /*
  * This is the magic ASN.1/DER prefix that goes in the decoded
  * signature, between the string of FFs and the actual SHA hash
- * value. As closely as I can tell, the meaning of it is:
+ * value. The meaning of it is:
  * 
  * 00 -- this marks the end of the FFs; not part of the ASN.1 bit itself
  * 
  * 30 21 -- a constructed SEQUENCE of length 0x21
  *    30 09 -- a constructed sub-SEQUENCE of length 9
  *       06 05 -- an object identifier, length 5
- *          2B 0E 03 02 1A -- 
+ *          2B 0E 03 02 1A -- object id { 1 3 14 3 2 26 }
+ *                            (the 1,3 comes from 0x2B = 43 = 40*1+3)
  *       05 00 -- NULL
  *    04 14 -- a primitive OCTET STRING of length 0x14
  *       [0x14 bytes of hash data follows]
+ * 
+ * The object id in the middle there is listed as `id-sha1' in
+ * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2.asn (the
+ * ASN module for PKCS #1) and its expanded form is as follows:
+ * 
+ * id-sha1                OBJECT IDENTIFIER ::= {
+ *    iso(1) identified-organization(3) oiw(14) secsig(3)
+ *    algorithms(2) 26 }
  */
 static unsigned char asn1_weird_stuff[] = {
     0x00,0x30,0x21,0x30,0x09,0x06,0x05,0x2B,