Floating point exception in Crypto.PublicKey.RSA

Bug #1193521 reported by Frank on 2013-06-22
This bug affects 2 people

Bug Description

I've just stumbled on a discrepancy in Crypto.PublicKey.RSA. The code below will trigger a floating point exception, from which the process is terminated by SIGFPE. (I can't guarantee that this modulus is valid, but it should probably not crash'n'burn in any case).

import random
from Crypto.PublicKey import RSA
from binascii import hexlify, unhexlify

# n, e and msg (hex strings) are not defined in the code as posted here.

def generateRandomBinary(bytes):
    """Will SIGFPE before this is called"""
    val = ''
    for i in range(bytes):
        val += '%02x'%random.randint(0,255)
    return unhexlify(val)

rsa=RSA.construct([long(n, 16), long(e, 16)])
rsa.encrypt(unhexlify(msg), generateRandomBinary)

gdb backtrace:
$ gdb python
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /usr/bin/python...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/bin/python
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Python 2.7.3 (default, Aug 1 2012, 05:16:07)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import bug

Program received signal SIGFPE, Arithmetic exception.
0xb77c9bfb in __gmp_exception () from /usr/lib/i386-linux-gnu/libgmp.so.10
(gdb) backtrace
#0 0xb77c9bfb in __gmp_exception () from /usr/lib/i386-linux-gnu/libgmp.so.10
#1 0xb77c9c4b in __gmp_divide_by_zero () from /usr/lib/i386-linux-gnu/libgmp.so.10
#2 0xb77deb33 in __gmpz_powm_sec () from /usr/lib/i386-linux-gnu/libgmp.so.10
#3 0xb78bbc3b in ?? () from /usr/lib/python2.7/dist-packages/Crypto/PublicKey/_fastmath.so
#4 0x081949c1 in PyEval_EvalFrameEx ()
#5 0x08194eec in PyEval_EvalFrameEx ()
#6 0x08194eec in PyEval_EvalFrameEx ()
#7 0x0819af70 in PyEval_EvalCodeEx ()
#8 0x0819bb03 in PyImport_ExecCodeModuleEx ()
#9 0x0814bd40 in ?? ()
#10 0x0814c6d4 in ?? ()
#11 0x08103146 in ?? ()
#12 0x0814cfe6 in ?? ()
#13 0x08096a0e in ?? ()
#14 0x081287ef in PyObject_Call ()
#15 0x08128c59 in PyEval_CallObjectWithKeywords ()
#16 0x08196e17 in PyEval_EvalFrameEx ()
#17 0x0819af70 in PyEval_EvalCodeEx ()
#18 0x0819c401 in PyRun_InteractiveOneFlags ()
#19 0x0819c735 in PyRun_InteractiveLoopFlags ()
#20 0x080a916e in PyRun_AnyFileExFlags ()
#21 0x080a9949 in Py_Main ()
#22 0x0805ea5b in main ()

Legrandin (gooksankoo) wrote :

It turns out your RSA modulus is even (so totally invalid) but mpz_powm_sec() really requires it to be odd:


If the modulus is even, the gmp routine crashes (??).

I have some patches out already for making RSA import/construct more robust.
I added a small check in the Python code to catch the even modulus condition as early as possible:


In that way, it is not necessary to modify the C mode.

The other patch already checks that the following components are prime and that automatically covers the even modulus condition:
 * p,q component in RSA (private key)
 * p modulus in DSA
 * p modulus in ElGamal

Frank (frank-aune) wrote :

Yes, you are correct. The RSA keypair was generated by a smartcard, and apparently due to optimization the card uses negative modulus values. Somehow this was fubar'ed on the client side, triggering the above behavior. I've left-padded the modulus with zero now, in order to always get a positive number, and it seems to have fixed the problem.

Good job on the latest pycrypto activities btw! :-)
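
The two points raised in this thread, an early check for an even modulus and left-padding the card's modulus bytes so that they decode as a positive number, shown as an added example (Python 3, standard library only; it is not PyCrypto's code nor either poster's). It assumes the card returns the modulus as raw big-endian bytes; the function names, the min_bits threshold and the sample modulus are constructed for illustration.

```python
# Added example: Python 3, standard library only. All names are hypothetical.

class InvalidRSAKey(ValueError):
    """Raised when public key components fail basic sanity checks."""

def decode_signed(raw):
    """Big-endian two's complement, the way an ASN.1 INTEGER is decoded."""
    return int.from_bytes(raw, "big", signed=True)

def left_pad_zero(raw):
    """Prefix 0x00 when the top bit is set so signed decoding stays positive."""
    return b"\x00" + raw if raw and raw[0] & 0x80 else raw

def check_rsa_public(n, e, min_bits=2048):
    """Return (n, e) or raise InvalidRSAKey before any modular exponentiation."""
    if n <= 0:
        raise InvalidRSAKey("modulus must be positive")
    if n % 2 == 0:
        raise InvalidRSAKey("modulus must be odd")
    if n.bit_length() < min_bits:  # assumed policy threshold, not from the page
        raise InvalidRSAKey("modulus shorter than %d bits" % min_bits)
    if e < 3 or e % 2 == 0 or e >= n:
        raise InvalidRSAKey("exponent must be odd with 3 <= e < n")
    return n, e

def rejection_reason(n, e, min_bits=2048):
    """Return None if the key passes, otherwise the reason string."""
    try:
        check_rsa_public(n, e, min_bits)
        return None
    except InvalidRSAKey as exc:
        return str(exc)

# Constructed sample: product of two Mersenne primes, 216 bits, top bit set.
SAMPLE_N = (2**127 - 1) * (2**89 - 1)
SAMPLE_RAW = SAMPLE_N.to_bytes(27, "big")

if __name__ == "__main__":
    e = 65537
    for label, n in [
        ("raw bytes decoded as signed", decode_signed(SAMPLE_RAW)),
        ("left-padded, then decoded", decode_signed(left_pad_zero(SAMPLE_RAW))),
        ("even modulus", SAMPLE_N + 1),
    ]:
        print(label, "->", rejection_reason(n, e, min_bits=200) or "accepted")
```

Running the checks on untrusted key material before it reaches the native big-number code turns a process-killing SIGFPE into an ordinary exception the caller can handle.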
