fix: handle odd keys (#459)

dignifiedquire · web-flow · commit 9956b8f898fd · 2024-12-17T12:06:16.000+01:00
Ther are two issues with oddly formed keys that were not properly
handled

- avoid using `-` to avoid a subtraction with overflow for pkcs
- always validate the key in `from_components` to avoid errors in the
internal `precompute`
diff --git a/src/algorithms/pkcs1v15.rs b/src/algorithms/pkcs1v15.rs
@@ -41,7 +41,7 @@ pub(crate) fn pkcs1v15_encrypt_pad<R>(
 where
     R: CryptoRngCore + ?Sized,
 {
-    if msg.len() > k - 11 {
+    if msg.len() + 11 > k {
         return Err(Error::MessageTooLong);
     }
 
@@ -195,4 +195,13 @@ mod tests {
             }
         }
     }
+
+    #[test]
+    fn test_encrypt_tiny_no_crash() {
+        let mut rng = ChaCha8Rng::from_seed([42; 32]);
+        let k = 8;
+        let message = vec![1u8; 4];
+        let res = pkcs1v15_encrypt_pad(&mut rng, &message, k);
+        assert_eq!(res, Err(Error::MessageTooLong));
+    }
 }
diff --git a/src/key.rs b/src/key.rs
@@ -252,7 +252,6 @@ impl RsaPrivateKey {
         d: BigUint,
         mut primes: Vec<BigUint>,
     ) -> Result<RsaPrivateKey> {
-        let mut should_validate = false;
         if primes.len() < 2 {
             if !primes.is_empty() {
                 return Err(Error::NprimesTooSmall);
@@ -262,7 +261,6 @@ impl RsaPrivateKey {
             let (p, q) = recover_primes(&n, &e, &d)?;
             primes.push(p);
             primes.push(q);
-            should_validate = true;
         }
 
         let mut k = RsaPrivateKey {
@@ -272,10 +270,8 @@ impl RsaPrivateKey {
             precomputed: None,
         };
 
-        // Validate the key if we had to recover the primes.
-        if should_validate {
-            k.validate()?;
-        }
+        // Alaways validate the key, to ensure precompute can't fail
+        k.validate()?;
 
         // precompute when possible, ignore error otherwise.
         let _ = k.precompute();
@@ -787,13 +783,13 @@ mod tests {
             .unwrap(),
         ];
 
-        RsaPrivateKey::from_components(
+        let res = RsaPrivateKey::from_components(
             BigUint::from_bytes_be(&n),
             BigUint::from_bytes_be(&e),
             BigUint::from_bytes_be(&d),
             primes.iter().map(|p| BigUint::from_bytes_be(p)).collect(),
-        )
-        .unwrap();
+        );
+        assert_eq!(res, Err(Error::InvalidModulus));
     }
 
     #[test]

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ pub(crate) fn pkcs1v15_encrypt_pad<R>(`
`41`	`41`	`where`
`42`	`42`	`R: CryptoRngCore + ?Sized,`
`43`	`43`	`{`
`44`		`- if msg.len() > k - 11 {`
	`44`	`+ if msg.len() + 11 > k {`
`45`	`45`	`return Err(Error::MessageTooLong);`
`46`	`46`	`}`
`47`	`47`
`@@ -195,4 +195,13 @@ mod tests {`
`195`	`195`	`}`
`196`	`196`	`}`
`197`	`197`	`}`
	`198`	`+`
	`199`	`+ #[test]`
	`200`	`+ fn test_encrypt_tiny_no_crash() {`
	`201`	`+ let mut rng = ChaCha8Rng::from_seed([42; 32]);`
	`202`	`+ let k = 8;`
	`203`	`+ let message = vec![1u8; 4];`
	`204`	`+ let res = pkcs1v15_encrypt_pad(&mut rng, &message, k);`
	`205`	`+ assert_eq!(res, Err(Error::MessageTooLong));`
	`206`	`+ }`
`198`	`207`	`}`