
nettle-3.0-3.2.mga5.src.rpm

From 5eb30d94f6f5f3f0cb9ba9ed24bc52b7376176b6 Mon Sep 17 00:00:00 2001
From: Niels Möller <nisse@lysator.liu.se>
Date: Sun, 31 Jul 2016 10:32:22 +0200
Subject: [PATCH] Reject invalid RSA keys with even modulo.

---
 rsa.c                | 11 ++++++++---
 testsuite/rsa-test.c |  7 +++++++
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/rsa.c b/rsa.c
index 19d93de..f594140 100644
--- a/rsa.c
+++ b/rsa.c
@@ -58,13 +58,18 @@ rsa_public_key_clear(struct rsa_public_key *key)
 }
 
 /* Computes the size, in octets, of a the modulo. Returns 0 if the
- * modulo is too small to be useful. */
-
+ * modulo is too small to be useful, or otherwise appears invalid. */
 size_t
 _rsa_check_size(mpz_t n)
 {
   /* Round upwards */
-  size_t size = (mpz_sizeinbase(n, 2) + 7) / 8;
+  size_t size;
+
+  /* Even moduli are invalid, and not supported by mpz_powm_sec. */
+  if (mpz_even_p (n))
+    return 0;
+
+  size = (mpz_sizeinbase(n, 2) + 7) / 8;
 
   if (size < RSA_MINIMUM_N_OCTETS)
     return 0;
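Review bot: The new guard in `_rsa_check_size` still accepts a negative odd modulus, because `mpz_even_p` tests parity only and `mpz_sizeinbase` measures the absolute value. Widening it to `if (mpz_sgn (n) <= 0 || mpz_even_p (n)) return 0;` would reject every non-positive n in the same place. Whether any key-import path can actually deliver a negative n is not visible in this hunk, so treat this as defence in depth. The `/* Round upwards */` comment is also left above the bare declaration `size_t size;` and should move down to the `size = (mpz_sizeinbase(n, 2) + 7) / 8;` line it describes. The function body continues past the end of the hunk.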
diff --git a/testsuite/rsa-test.c b/testsuite/rsa-test.c
index e9b1c03..a429664 100644
--- a/testsuite/rsa-test.c
+++ b/testsuite/rsa-test.c
@@ -57,6 +57,13 @@ test_main(void)
 
   test_rsa_sha512(&pub, &key, expected);
 
+  /* Test detection of invalid keys with even modulo */
+  mpz_clrbit (pub.n, 0);
+  ASSERT (!rsa_public_key_prepare (&pub));
+
+  mpz_clrbit (key.p, 0);
+  ASSERT (!rsa_private_key_prepare (&key));
+
   /* 777-bit key, generated by
    *
    *   lsh-keygen -a rsa -l 777 -f advanced-hex
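Review bot: The added private-key case clears bit 0 of `key.p` only, so a key whose even factor is `q` is never exercised. A second case such as `mpz_setbit (key.p, 0); mpz_clrbit (key.q, 0); ASSERT (!rsa_private_key_prepare (&key));` would cover it. Both `pub.n` and `key.p` are also left modified after the assertions, and whether the 777-bit key section that follows reloads every field is outside this hunk. If it does, a short comment like `/* pub and key are left invalid here; the next test reloads them */` would make that dependency explicit. `test_main` starts before and continues after the hunk.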
--
libgit2 0.24.0