[PATCH 2/2] Fix intermittent failure in rsa_decrypt when p>q.
David Galos
davegalos at google.com
Fri Jul 10 01:11:18 CEST 2026
---
cipher/rsa.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/cipher/rsa.c b/cipher/rsa.c
index 58058d6a..ff679d95 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1141,9 +1141,12 @@ secret_core_crt (gcry_mpi_t M, gcry_mpi_t C,
mpi_free ( D_blind );
/* h = u * ( m2 - m1 ) mod q */
- mpi_sub ( h, m2, m1 );
- if ( mpi_has_sign ( h ) )
- mpi_add ( h, h, Q );
+ /* NB: prior code used non-modular subtraction and a sign check,
+ * adding Q to the result when negative, which does not work if
+ * P > Q + 1. That is not technically a bug because RFC 4880 requires
+ * that P < Q, but there are non-compliant keys out there, and is
+ * a more direct rendition of the equation anyway. */
+ mpi_subm ( h, m2, m1, Q );
mpi_mulm ( h, U, h, Q );
/* m = m1 + h * p */
--
2.55.0.795.g602f6c329a-goog
More information about the Gcrypt-devel
mailing list