diff --git a/configure.ac b/configure.ac
index 78a3d4e..dfb151e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -645,9 +645,9 @@ if test "x$nettle_cv_fcntl_locking" = "xyes" ; then
fi
# Checks for libraries
-AC_CHECK_LIB(gmp, __gmpz_getlimbn,,
+AC_CHECK_LIB(gmp, __gmpz_powm_sec,,
[AC_MSG_WARN(
-[GNU MP not found, or not 3.1 or up, see http://gmplib.org/.
+[GNU MP not found, or not 5.0 or up, see http://gmplib.org/.
Support for public key algorithms will be unavailable.])]
enable_public_key=no)
diff --git a/dsa-sign.c b/dsa-sign.c
index 0b5ab1d..d0baa27 100644
--- a/dsa-sign.c
+++ b/dsa-sign.c
@@ -54,6 +54,11 @@ _dsa_sign(const struct dsa_public_key *pub,
if (mpz_sizeinbase(pub->q, 2) != 8 * digest_size)
return 0;
+ /* Check that p is odd, so that invalid keys don't result in a crash
+ inside mpz_powm_sec. */
+ if (mpz_even_p (pub->p))
+ return 0;
+
/* Select k, 0<k<q, randomly */
mpz_init_set(tmp, pub->q);
mpz_sub_ui(tmp, tmp, 1);
@@ -63,7 +68,7 @@ _dsa_sign(const struct dsa_public_key *pub,
mpz_add_ui(k, k, 1);
/* Compute r = (g^k (mod p)) (mod q) */
- mpz_powm(tmp, pub->g, k, pub->p);
+ mpz_powm_sec(tmp, pub->g, k, pub->p);
mpz_fdiv_r(signature->r, tmp, pub->q);
/* Compute hash */
diff --git a/rsa-blind.c b/rsa-blind.c
index 97485be..468b68e 100644
--- a/rsa-blind.c
+++ b/rsa-blind.c
@@ -53,7 +53,7 @@ _rsa_blind (const struct rsa_public_key *pub,
while (!mpz_invert (ri, r, pub->n));
/* c = c*(r^e) mod n */
- mpz_powm(r, r, pub->e, pub->n);
+ mpz_powm_sec(r, r, pub->e, pub->n);
mpz_mul(c, c, r);
mpz_fdiv_r(c, c, pub->n);
diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c
index 312b182..4066619 100644
--- a/rsa-decrypt-tr.c
+++ b/rsa-decrypt-tr.c
@@ -43,6 +43,9 @@ rsa_decrypt_tr(const struct rsa_public_key *pub,
mpz_t m, ri;
int res;
+ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
+ return 0;
+
mpz_init_set(m, gibberish);
mpz_init (ri);
diff --git a/rsa-decrypt.c b/rsa-decrypt.c
index a3abf6e..64d12ae 100644
--- a/rsa-decrypt.c
+++ b/rsa-decrypt.c
@@ -39,6 +39,9 @@ rsa_decrypt(const struct rsa_private_key *key,
mpz_t m;
int res;
+ if (mpz_even_p (key->p) || mpz_even_p (key->q))
+ return 0;
+
mpz_init(m);
rsa_compute_root(key, m, gibberish);
diff --git a/rsa-pkcs1-sign-tr.c b/rsa-pkcs1-sign-tr.c
index 5efc155..0031706 100644
--- a/rsa-pkcs1-sign-tr.c
+++ b/rsa-pkcs1-sign-tr.c
@@ -40,6 +40,9 @@ rsa_pkcs1_sign_tr(const struct rsa_public_key *pub,
{
mpz_t ri;
+ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
+ return 0;
+
if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info))
{
mpz_init (ri);
diff --git a/rsa-pkcs1-sign.c b/rsa-pkcs1-sign.c
index 9162cfc..e39485b 100644
--- a/rsa-pkcs1-sign.c
+++ b/rsa-pkcs1-sign.c
@@ -36,6 +36,9 @@ rsa_pkcs1_sign(const struct rsa_private_key *key,
unsigned length, const uint8_t *digest_info,
mpz_t s)
{
+ if (mpz_even_p (key->p) || mpz_even_p (key->q))
+ return 0;
+
if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info))
{
rsa_compute_root(key, s, s);
diff --git a/rsa-sign.c b/rsa-sign.c
index 56adda3..9f2a707 100644
--- a/rsa-sign.c
+++ b/rsa-sign.c
@@ -88,11 +88,11 @@ rsa_compute_root(const struct rsa_private_key *key,
/* Compute xq = m^d % q = (m%q)^b % q */
mpz_fdiv_r(xq, m, key->q);
- mpz_powm(xq, xq, key->b, key->q);
+ mpz_powm_sec(xq, xq, key->b, key->q);
/* Compute xp = m^d % p = (m%p)^a % p */
mpz_fdiv_r(xp, m, key->p);
- mpz_powm(xp, xp, key->a, key->p);
+ mpz_powm_sec(xp, xp, key->a, key->p);
/* Set xp' = (xp - xq) c % p. */
mpz_sub(xp, xp, xq);
diff --git a/rsa.c b/rsa.c
index e303a8c..91b3f85 100644
--- a/rsa.c
+++ b/rsa.c
@@ -58,6 +58,9 @@ _rsa_check_size(mpz_t n)
/* Round upwards */
unsigned size = (mpz_sizeinbase(n, 2) + 7) / 8;
+ if (mpz_even_p (n))
+ return 0;
+
if (size < RSA_MINIMUM_N_OCTETS)
return 0;
diff --git a/testsuite/rsa-test.c b/testsuite/rsa-test.c
index e9b1c03..a429664 100644
--- a/testsuite/rsa-test.c
+++ b/testsuite/rsa-test.c
@@ -57,6 +57,13 @@ test_main(void)
test_rsa_sha512(&pub, &key, expected);
+ /* Test detection of invalid keys with even modulo */
+ mpz_clrbit (pub.n, 0);
+ ASSERT (!rsa_public_key_prepare (&pub));
+
+ mpz_clrbit (key.p, 0);
+ ASSERT (!rsa_private_key_prepare (&key));
+
/* 777-bit key, generated by
*
* lsh-keygen -a rsa -l 777 -f advanced-hex