From: simon Date: Tue, 7 Oct 2008 17:48:59 +0000 (+0000) Subject: sshrsa.c now obeys the RFC793 Robustness Principle when it comes to X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/commitdiff_plain/f5bcbcc2b1f5c6aac6379615bd9a6bc942cce98a sshrsa.c now obeys the RFC793 Robustness Principle when it comes to the ordering of the primes in a fully specified RSA private key: when the key format typically has p > q, it will always output p > q but be willing to tolerate p < q on input. (Inspired by seeing an OpenSSH-format key file in the wild which had p < q, which I've never seen before; I suspect a third-party application incautiously generating the format.) git-svn-id: svn://svn.tartarus.org/sgt/putty@8201 cda61777-01e9-0310-a592-d414129be87e --- diff --git a/sshrsa.c b/sshrsa.c index 12229e63..371b3e1f 100644 --- a/sshrsa.c +++ b/sshrsa.c @@ -352,9 +352,20 @@ int rsa_verify(struct RSAKey *key) /* * Ensure p > q. + * + * I have seen key blobs in the wild which were generated with + * p < q, so instead of rejecting the key in this case we + * should instead flip them round into the canonical order of + * p > q. This also involves regenerating iqmp. */ - if (bignum_cmp(key->p, key->q) <= 0) - return 0; + if (bignum_cmp(key->p, key->q) <= 0) { + Bignum tmp = key->p; + key->p = key->q; + key->q = tmp; + + freebn(key->iqmp); + key->iqmp = modinv(key->q, key->p); + } /* * Ensure iqmp * q is congruent to 1, modulo p. @@ -419,6 +430,12 @@ void freersakey(struct RSAKey *key) freebn(key->exponent); if (key->private_exponent) freebn(key->private_exponent); + if (key->p) + freebn(key->p); + if (key->q) + freebn(key->q); + if (key->iqmp) + freebn(key->iqmp); if (key->comment) sfree(key->comment); }
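Review bot: the first hunk in rsa_verify still uses `bignum_cmp(key->p, key->q) <= 0`, so the p == q case, which the removed `return 0` used to reject, now falls into the swap branch: the swap is a no-op and `key->iqmp = modinv(key->q, key->p)` is asked for the inverse of p modulo p, which does not exist. Suggest splitting the condition, e.g. `if (bignum_cmp(key->p, key->q) == 0) return 0;` before the swap and `< 0` for the swap itself, rather than relying on the later "iqmp * q is congruent to 1, modulo p" check to catch whatever modinv returns for a non-invertible input. Also, `freebn(key->iqmp)` here is unguarded while the second hunk guards `if (key->iqmp)` before freeing it, so if a key can reach rsa_verify without iqmp set this will free a null pointer; either document that rsa_verify requires a fully populated private key or add the same guard. A one-line comment that rsa_verify now canonicalises the key in place (callers that compare or re-serialise the blob may not expect p, q and iqmp to change) would also help.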
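Review bot: the second hunk in freersakey fixes a leak of p, q and iqmp, but like the existing `freebn(key->private_exponent)` it leaves the freed pointers dangling, so a second call on the same struct, or a call after a partially failed load that already freed some fields, would double-free. Setting `key->p = key->q = key->iqmp = NULL` after each freebn (and the same for the existing fields, for consistency) would make the function safe to call more than once; if callers are guaranteed to free the key exactly once, a comment saying so at the top of freersakey would document the assumption.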