On Thu, 2016-08-04 at 10:05 +0200, Niels Möller wrote:
nisse@lysator.liu.se (Niels Möller) writes:
Do you think it is sufficient for gnutls to add an extra check that p and q are odd in nettle's rsa_compute_root? (Used also by rsa_compute_root_tr).
On second look, it can't be rsa_compute_root, since that function has no return value. Is it sufficient for gnutls to do this check in rsa_compute_root_tr instead?
Yes. Although if this is only for the versions prior to using the prepare function, this is not a significant threat (the private key computations are typically done on trusted values by the server).
What is more important for older versions of gnutls are the public key operations such as ecdsa_verify(), dsa_verify() and rsa_encrypt().
regards, Nikos
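To make the check under discussion concrete, here is an added illustration (my own Python, not nettle's or gnutls's code) of a CRT-based RSA private operation in the shape of rsa_compute_root_tr: it rejects a key whose p or q is even before doing any arithmetic, blinds the input, and verifies the result against the public key before returning it, so a corrupted key yields a failure instead of a wrong root. The key layout (p, q, a = d mod (p-1), b = d mod (q-1), c = q^-1 mod p) mirrors nettle's private-key struct only loosely, and the tiny textbook primes are a constructed sample for readability, not a usable key size.

```python
import math
import secrets


def make_keypair(p, q, e):
    """Derive a public tuple (n, e) and a CRT private tuple (p, q, a, b, c)
    from two primes and a public exponent. Constructed helper for the example."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    a = d % (p - 1)          # exponent used modulo p
    b = d % (q - 1)          # exponent used modulo q
    c = pow(q, -1, p)        # q^-1 mod p, for Garner's recombination
    return (n, e), (p, q, a, b, c)


def check_private_key(priv):
    """The extra parameter check discussed in the thread: p and q must be odd
    (and at least 3), otherwise the CRT arithmetic below is meaningless."""
    p, q, *_ = priv
    return p >= 3 and q >= 3 and p % 2 == 1 and q % 2 == 1


def rsa_compute_root(priv, m):
    """Unblinded CRT root m^d mod n (analogue of rsa_compute_root, which has no
    return value to signal failure). Caller is responsible for validated input."""
    p, q, a, b, c = priv
    xp = pow(m % p, a, p)
    xq = pow(m % q, b, q)
    h = (c * (xp - xq)) % p          # Garner: h = q^-1 (xp - xq) mod p
    return xq + h * q                # x = xq + h*q satisfies x = xp (mod p), x = xq (mod q)


def rsa_compute_root_tr(pub, priv, m):
    """Blinded, self-checking variant in the spirit of rsa_compute_root_tr.
    Returns the root, or None if the key fails validation or the result does
    not verify under the public exponent (e.g. a corrupted key)."""
    n, e = pub
    if not check_private_key(priv):
        return None
    p, q, *_ = priv
    if p * q != n:                   # cheap consistency check (assumption, not nettle's)
        return None
    # Blinding: r is random and invertible mod n, so the CRT step sees m * r^e.
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    r_inv = pow(r, -1, n)
    blinded = (m * pow(r, e, n)) % n
    x = (rsa_compute_root(priv, blinded) * r_inv) % n
    # Verify before returning: a faulty or corrupted private computation must
    # not leak a wrong root to the caller.
    if pow(x, e, n) != m % n:
        return None
    return x


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53, 17)      # constructed textbook key
    ct = pow(65, pub[1], pub[0])              # 65^17 mod 3233
    print(rsa_compute_root_tr(pub, priv, ct)) # 65
    print(rsa_compute_root_tr(pub, (62,) + priv[1:], ct))  # None: even p rejected
```

The point of separating check_private_key from the arithmetic is that the check is cheap and can be done once, at key load time, whereas the verification step at the end catches the broader class of corrupted or faulted computations that no parameter check can rule out.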