authorRobert Ransom <rransom.8774@gmail.com>2011-04-28 14:35:03 -0700
committerNick Mathewson <nickm@torproject.org>2011-05-16 14:28:46 -0400
commit987190c2bc1dc7b64f0f4acf98f6a84609c9d50c (patch)
tree2db127b618d35c60ab52c3adc24d976cd3eee33d
parentd2629f78a000486f8f994ba0ab75ceeaee67fc55 (diff)
downloadtor-987190c2bc1dc7b64f0f4acf98f6a84609c9d50c.tar.gz
tor-987190c2bc1dc7b64f0f4acf98f6a84609c9d50c.zip
Require that certain public keys have public exponent 65537
-rw-r--r--changes/check-public-key-exponents5
-rw-r--r--src/or/routerparse.c17
2 files changed, 22 insertions, 0 deletions
diff --git a/changes/check-public-key-exponents b/changes/check-public-key-exponents
new file mode 100644
index 0000000000..a8d00673be
--- /dev/null
+++ b/changes/check-public-key-exponents
@@ -0,0 +1,5 @@
+ o Minor bugfixes:
+ - Require that introduction point keys and onion keys have public
+ exponent 65537. Bugfix on 0.2.0.10-alpha.
+
+
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 7ff0e2c3ce..ceef054af0 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -1326,6 +1326,11 @@ router_parse_entry_from_string(const char *s, const char *end,
goto err;
tok = find_by_keyword(tokens, K_ONION_KEY);
+ if (!crypto_pk_check_key_public_exponent(tok->key)) {
+ log_warn(LD_DIR,
+ "Relay's onion key had invalid exponent.");
+ goto err;
+ }
router->onion_pkey = tok->key;
tok->key = NULL; /* Prevent free */
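Review bot: The added check on `tok->key` does not say what counts as an invalid exponent, either in a comment or in the log line. The changes file gives the accepted value as 65537, so I would state it in both places, e.g. `/* Onion keys must use public exponent 65537. */` and `"Relay's onion key had invalid exponent (expected 65537)."`. The warning also names no relay, which makes a warn-level line hard to triage when the descriptor came from the network; if a nickname or digest has already been parsed at this point (not visible in the hunk), include it. router_parse_entry_from_string starts and ends outside the hunk.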
@@ -3971,10 +3976,22 @@ rend_parse_introduction_points(rend_service_descriptor_t *parsed,
}
/* Parse onion key. */
tok = find_by_keyword(tokens, R_IPO_ONION_KEY);
+ if (!crypto_pk_check_key_public_exponent(tok->key)) {
+ log_warn(LD_REND,
+ "Introduction point's onion key had invalid exponent.");
+ rend_intro_point_free(intro);
+ goto err;
+ }
info->onion_key = tok->key;
tok->key = NULL; /* Prevent free */
/* Parse service key. */
tok = find_by_keyword(tokens, R_IPO_SERVICE_KEY);
+ if (!crypto_pk_check_key_public_exponent(tok->key)) {
+ log_warn(LD_REND,
+ "Introduction point key had invalid exponent.");
+ rend_intro_point_free(intro);
+ goto err;
+ }
intro->intro_key = tok->key;
tok->key = NULL; /* Prevent free */
/* Add extend info to list of introduction points. */
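Review bot: Both added checks repeat the same reject path and free `intro` by hand before `goto err`, so any later check added in this loop has to remember the same cleanup. Keeping `rend_intro_point_free(intro); goto err;` in one place, such as a shared label or a small static helper, would make a leaked intro point on a new reject path harder to introduce; whether `err` could do the free itself depends on code outside the hunk. The first check runs before `info->onion_key` is assigned and relies on `info` already being owned by `intro`, which the hunk does not show and is worth confirming. The second message, `"Introduction point key had invalid exponent."`, is easy to confuse with the first in a log; `"Introduction point's service key had invalid exponent."` would match the `/* Parse service key. */` comment above it.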