[PATCH 1/2] Validate CRT factors in rsa_decrypt

David Galos davegalos at google.com
Fri Jul 10 01:11:17 CEST 2026


---
  cipher/rsa.c | 17 +++++++++++++++++
  1 file changed, 17 insertions(+)

diff --git a/cipher/rsa.c b/cipher/rsa.c
index 44a44bdc..58058d6a 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -30,6 +30,7 @@
  #include <errno.h>

  #include "g10lib.h"
+#include "gcrypt.h"
  #include "mpi.h"
  #include "cipher.h"
  #include "pubkey-internal.h"
@@ -1449,6 +1450,18 @@ rsa_encrypt (gcry_sexp_t *r_ciph, gcry_sexp_t  
s_data, gcry_sexp_t keyparms)
  }


+static gcry_err_code_t
+crt_validate_factors (RSA_secret_key *sk)
+{
+  int cmp;
+  gcry_mpi_t result = mpi_alloc_secure (0);
+
+  mpi_mulm (result, sk->u, sk->p, sk->q);
+  cmp = mpi_cmp (result, GCRYMPI_CONST_ONE);
+  mpi_free (result);
+  return cmp == 0 ? 0 : GPG_ERR_BAD_SECKEY;
+}
+
  static gcry_err_code_t
  rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t  
keyparms)

@@ -1505,6 +1518,10 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t  
s_data, gcry_sexp_t keyparms)
          }
      }

+  rc = crt_validate_factors (&sk);
+  if (rc)
+    goto leave;
+
    /* Better make sure that there are no superfluous leading zeroes in
       the input and it has not been "padded" using multiples of N.
       This mitigates side-channel attacks (CVE-2013-4576).  */
-- 
2.55.0.795.g602f6c329a-goog




More information about the Gcrypt-devel mailing list