Charles Wilcox reported a signature validation bug with 2500-bit RSA

keys. This _appears_ to be due to me computing the byte count of the
key by dividing the bit count by 8 and rounding _down_ rather than
up. Therefore, I can't see how this code could ever have worked on
any SSH2 RSA key whose length was not a multiple of 8 bits; and
therefore I'm staggered that we haven't noticed it before! OpenSSH's
keygen appears to be scrupulous about ensuring the returned key
length is exactly what you asked for rather than one bit less, but
even so I'm astonished that _all_ keygen implementations for servers
we've ever interoperated with have avoided tripping this bug...

[originally from svn r3815]

diff --git a/sshrsa.c b/sshrsa.c
index b7732105c019126189dff60e0dcc2b6a9f2f1283..f78173610b55960a61cde4f3e8ac8ee3811a4871 100644 (file)
--- a/sshrsa.c
+++ b/sshrsa.c
@@ -727,7 +727,7 @@ static int rsa2_verifysig(void *key, char *sig, int siglen,
 
     ret = 1;
 
-    bytes = bignum_bitcount(rsa->modulus) / 8;
+    bytes = (bignum_bitcount(rsa->modulus)+7) / 8;
     /* Top (partial) byte should be zero. */
     if (bignum_byte(out, bytes - 1) != 0)
        ret = 0;