[PATCH 1/2] Validate CRT factors in rsa_decrypt
David Galos
davegalos at google.com
Fri Jul 10 01:11:17 CEST 2026
---
cipher/rsa.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/cipher/rsa.c b/cipher/rsa.c
index 44a44bdc..58058d6a 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -30,6 +30,7 @@
#include <errno.h>
#include "g10lib.h"
+#include "gcrypt.h"
#include "mpi.h"
#include "cipher.h"
#include "pubkey-internal.h"
@@ -1449,6 +1450,18 @@ rsa_encrypt (gcry_sexp_t *r_ciph, gcry_sexp_t
s_data, gcry_sexp_t keyparms)
}
+static gcry_err_code_t
+crt_validate_factors (RSA_secret_key *sk)
+{
+ int cmp;
+ gcry_mpi_t result = mpi_alloc_secure (0);
+
+ mpi_mulm (result, sk->u, sk->p, sk->q);
+ cmp = mpi_cmp (result, GCRYMPI_CONST_ONE);
+ mpi_free (result);
+ return cmp == 0 ? 0 : GPG_ERR_BAD_SECKEY;
+}
+
static gcry_err_code_t
rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t
keyparms)
@@ -1505,6 +1518,10 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t
s_data, gcry_sexp_t keyparms)
}
}
+ rc = crt_validate_factors (&sk);
+ if (rc)
+ goto leave;
+
/* Better make sure that there are no superfluous leading zeroes in
the input and it has not been "padded" using multiples of N.
This mitigates side-channel attacks (CVE-2013-4576). */
--
2.55.0.795.g602f6c329a-goog
More information about the Gcrypt-devel
mailing list