base/SOURCES/nettle-2.7.1-powm-sec.patch

diff --git a/configure.ac b/configure.ac
index 78a3d4e..dfb151e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -645,9 +645,9 @@ if test "x$nettle_cv_fcntl_locking" = "xyes" ; then
 fi

 # Checks for libraries
-AC_CHECK_LIB(gmp, __gmpz_getlimbn,,
+AC_CHECK_LIB(gmp, __gmpz_powm_sec,,
     [AC_MSG_WARN(
-[GNU MP not found, or not 3.1 or up, see http://gmplib.org/.
+[GNU MP not found, or not 5.0 or up, see http://gmplib.org/.
 Support for public key algorithms will be unavailable.])]
     enable_public_key=no)

diff --git a/dsa-sign.c b/dsa-sign.c
index 0b5ab1d..d0baa27 100644
--- a/dsa-sign.c
+++ b/dsa-sign.c
@@ -54,6 +54,11 @@ _dsa_sign(const struct dsa_public_key *pub,
   if (mpz_sizeinbase(pub->q, 2) != 8 * digest_size)
     return 0;

+  /* Check that p is odd, so that invalid keys don't result in a crash
+     inside mpz_powm_sec. */
+  if (mpz_even_p (pub->p))
+    return 0;
+
   /* Select k, 0<k<q, randomly */
   mpz_init_set(tmp, pub->q);
   mpz_sub_ui(tmp, tmp, 1);
@@ -63,7 +68,7 @@ _dsa_sign(const struct dsa_public_key *pub,
   mpz_add_ui(k, k, 1);

   /* Compute r = (g^k (mod p)) (mod q) */
-  mpz_powm(tmp, pub->g, k, pub->p);
+  mpz_powm_sec(tmp, pub->g, k, pub->p);
   mpz_fdiv_r(signature->r, tmp, pub->q);

   /* Compute hash */
diff --git a/rsa-blind.c b/rsa-blind.c
index 97485be..468b68e 100644
--- a/rsa-blind.c
+++ b/rsa-blind.c
@@ -53,7 +53,7 @@ _rsa_blind (const struct rsa_public_key *pub,
   while (!mpz_invert (ri, r, pub->n));

   /* c = c*(r^e) mod n */
-  mpz_powm(r, r, pub->e, pub->n);
+  mpz_powm_sec(r, r, pub->e, pub->n);
   mpz_mul(c, c, r);
   mpz_fdiv_r(c, c, pub->n);

diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c
index 312b182..4066619 100644
--- a/rsa-decrypt-tr.c
+++ b/rsa-decrypt-tr.c
@@ -43,6 +43,9 @@ rsa_decrypt_tr(const struct rsa_public_key *pub,
   mpz_t m, ri;
   int res;

+  if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
+    return 0;
+
   mpz_init_set(m, gibberish);
   mpz_init (ri);

diff --git a/rsa-decrypt.c b/rsa-decrypt.c
index a3abf6e..64d12ae 100644
--- a/rsa-decrypt.c
+++ b/rsa-decrypt.c
@@ -39,6 +39,9 @@ rsa_decrypt(const struct rsa_private_key *key,
   mpz_t m;
   int res;

+  if (mpz_even_p (key->p) || mpz_even_p (key->q))
+    return 0;
+
   mpz_init(m);
   rsa_compute_root(key, m, gibberish);

diff --git a/rsa-pkcs1-sign-tr.c b/rsa-pkcs1-sign-tr.c
index 5efc155..0031706 100644
--- a/rsa-pkcs1-sign-tr.c
+++ b/rsa-pkcs1-sign-tr.c
@@ -40,6 +40,9 @@ rsa_pkcs1_sign_tr(const struct rsa_public_key *pub,
 {
   mpz_t ri;

+  if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
+    return 0;
+
   if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info))
     {
       mpz_init (ri);
diff --git a/rsa-pkcs1-sign.c b/rsa-pkcs1-sign.c
index 9162cfc..e39485b 100644
--- a/rsa-pkcs1-sign.c
+++ b/rsa-pkcs1-sign.c
@@ -36,6 +36,9 @@ rsa_pkcs1_sign(const struct rsa_private_key *key,
	       unsigned length, const uint8_t *digest_info,
	       mpz_t s)
 {
+  if (mpz_even_p (key->p) || mpz_even_p (key->q))
+    return 0;
+
   if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info))
     {
       rsa_compute_root(key, s, s);
diff --git a/rsa-sign.c b/rsa-sign.c
index 56adda3..9f2a707 100644
--- a/rsa-sign.c
+++ b/rsa-sign.c
@@ -88,11 +88,11 @@ rsa_compute_root(const struct rsa_private_key *key,

   /* Compute xq = m^d % q = (m%q)^b % q */
   mpz_fdiv_r(xq, m, key->q);
-  mpz_powm(xq, xq, key->b, key->q);
+  mpz_powm_sec(xq, xq, key->b, key->q);

   /* Compute xp = m^d % p = (m%p)^a % p */
   mpz_fdiv_r(xp, m, key->p);
-  mpz_powm(xp, xp, key->a, key->p);
+  mpz_powm_sec(xp, xp, key->a, key->p);

   /* Set xp' = (xp - xq) c % p. */
   mpz_sub(xp, xp, xq);
diff --git a/rsa.c b/rsa.c
index e303a8c..91b3f85 100644
--- a/rsa.c
+++ b/rsa.c
@@ -58,6 +58,9 @@ _rsa_check_size(mpz_t n)
   /* Round upwards */
   unsigned size = (mpz_sizeinbase(n, 2) + 7) / 8;

+  if (mpz_even_p (n))
+    return 0;
+
   if (size < RSA_MINIMUM_N_OCTETS)
     return 0;

diff --git a/testsuite/rsa-test.c b/testsuite/rsa-test.c
index e9b1c03..a429664 100644
--- a/testsuite/rsa-test.c
+++ b/testsuite/rsa-test.c
@@ -57,6 +57,13 @@ test_main(void)

   test_rsa_sha512(&pub, &key, expected);

+  /* Test detection of invalid keys with even modulo */
+  mpz_clrbit (pub.n, 0);
+  ASSERT (!rsa_public_key_prepare (&pub));
+
+  mpz_clrbit (key.p, 0);
+  ASSERT (!rsa_private_key_prepare (&key));
+
   /* 777-bit key, generated by
    *
    *   lsh-keygen -a rsa -l 777 -f advanced-hex