Fix SSH-1 RSA key handling in Pageant.

The auxiliary values (the two primes and the inverse of one mod the
other) were being read into the key structure wrongly, causing
crt_modpow() in sshrsa.c to give the wrong answers where straight
modpow would not have.

This must have been broken ever since I implemented the RSA CRT
optimisation in 2011. And nobody has noticed, which is a good sign for
the phasing out of SSH-1 :-) I only spotted it myself because I was
testing all the Pageant message types in the course of implementing
the new logging.

diff --git a/pageant.c b/pageant.c
index 220d0ca164619ef677dbf6380365b14156bf2b75..33d0d30594bbc30c25453b4f60c9dffe9729f0b0 100644 (file)
--- a/pageant.c
+++ b/pageant.c
@@ -580,6 +580,10 @@ void *pageant_handle_msg(const void *msg, int msglen, int *outlen,
            }
            p += n;
 
+            /* SSH-1 names p and q the other way round, i.e. we have
+             * the inverse of p mod q and not of q mod p. We swap the
+             * names, because our internal RSA wants iqmp. */
+
            n = ssh1_read_bignum(p, msgend - p, &key->iqmp);  /* p^-1 mod q */
            if (n < 0) {
                freersakey(key);
@@ -589,7 +593,7 @@ void *pageant_handle_msg(const void *msg, int msglen, int *outlen,
            }
            p += n;
 
-           n = ssh1_read_bignum(p, msgend - p, &key->p);  /* p */
+           n = ssh1_read_bignum(p, msgend - p, &key->q);  /* p */
            if (n < 0) {
                freersakey(key);
                sfree(key);
@@ -598,7 +602,7 @@ void *pageant_handle_msg(const void *msg, int msglen, int *outlen,
            }
            p += n;
 
-           n = ssh1_read_bignum(p, msgend - p, &key->q);  /* q */
+           n = ssh1_read_bignum(p, msgend - p, &key->p);  /* q */
            if (n < 0) {
                freersakey(key);
                sfree(key);