[PATCH 2/2] Fix intermittent failure in rsa_decrypt when p>q.

David Galos davegalos at google.com
Fri Jul 10 01:11:18 CEST 2026


---
  cipher/rsa.c | 9 ++++++---
  1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/cipher/rsa.c b/cipher/rsa.c
index 58058d6a..ff679d95 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1141,9 +1141,12 @@ secret_core_crt (gcry_mpi_t M, gcry_mpi_t C,
    mpi_free ( D_blind );

    /* h = u * ( m2 - m1 ) mod q */
-  mpi_sub ( h, m2, m1 );
-  if ( mpi_has_sign ( h ) )
-    mpi_add ( h, h, Q );
+  /* NB: prior code used non-modular subtraction and a sign check,
+   * adding Q to the result when negative, which does not work if
+   * P > Q + 1. That is not technically a bug because RFC 4880 requires
+   * that P < Q, but there are non-compliant keys out there, and is
+   * a more direct rendition of the equation anyway. */
+  mpi_subm ( h, m2, m1, Q );
    mpi_mulm ( h, U, h, Q );

    /* m = m1 + h * p */
-- 
2.55.0.795.g602f6c329a-goog




More information about the Gcrypt-devel mailing list