Add regression test for CVE-2026-21895 (per @tarcieri's note in #690) #692

Merged
tarcieri merged 1 commit into RustCrypto:master from vulgraph:regression-test-CVE-2026-21895
May 1, 2026


@vulgraph vulgraph commented May 1, 2026

Per @tarcieri's reply on #690:

The fix for the logic is there, however it looks like the regression test wasn't carried over and probably should be.
As it were, the entire implementation diverged as we moved from num-bigint to crypto-bigint.

The production fix lives on master already (validate_private_key_parts rejects any prime <= one with Error::InvalidPrime, src/key.rs:760-763). What was missing was the regression test added alongside it in upstream commit 2926c91bef (PR #624). This PR ports just that test.

Adaptations vs the original test

  • Type swap: original used num-bigint::BigUint constructors (BigUint::from_u64, BigUint::zero()); ported to crypto-bigint::BoxedUint::from(u64) since that's what current master's from_components API takes.
  • API path: the original numeric inputs (n=239, e=185, d=0, primes=[1, 239]) include an e below master's MIN_PUB_EXPONENT bound, so the test calls from_components_with_large_exponent (gated #[cfg(feature = "hazmat")], matching the existing test_from_components_with_small_exponent / test_from_components_with_large_exponent neighbors) rather than from_components. Ordering inside validate_skip_exponent_size -> validate_private_key_parts still hits the prime <= one check first, so we exercise exactly the path the original test did.
  • Assertion: Err(Error::InvalidPrime) (not a panic) — same intent as the original.

No production-code changes. Single-file diff in src/key.rs.

Refs: GHSA-9c48-w39g-hm26, #690, #624, upstream 2926c91bef.

Per @tarcieri's note in RustCrypto#690: the panic-on-prime-equal-1 fix landed on
master via the num-bigint -> crypto-bigint refactor, but the regression
test from upstream commit 2926c91 (PR RustCrypto#624) was not carried over.

This adds an adapted port of that test:

- Original used num-bigint BigUint; this version uses crypto-bigint
  BoxedUint to match current master.
- Original used a small public exponent (185) which the current
  from_components rejects via the standard exponent-size check; this
  version goes through from_components_with_large_exponent so the
  exact same numeric inputs from the original test can be used. The
  test is therefore gated on the hazmat feature, consistent with the
  other small/large-exponent tests in this module.
- Asserts Err(Error::InvalidPrime) rather than a panic, matching the
  upstream fix's intent.

No production-code changes; the underlying logic fix
(prime <= one => InvalidPrime in validate_private_key_parts) is
already present on master.

Refs: GHSA-9c48-w39g-hm26, RustCrypto#690, RustCrypto#624
@tarcieri tarcieri merged commit 4da5150 into RustCrypto:master May 1, 2026
12 checks passed
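
Added example (not part of the PR and not the rsa crate's code): a std-only u64 model of the check described above, showing that the quoted inputs pass a product-equals-n test and are stopped only by the prime <= 1 check. The function names and the InvalidModulus variant are hypothetical, and the divide-by-zero in the unchecked helper is this model's failure mode, not a statement about where the crate panicked.

```rust
// Added illustration: a std-only u64 model, NOT the rsa crate's code.
// Names are hypothetical; only the InvalidPrime variant name comes from the PR.
#[derive(Debug, PartialEq)]
pub enum Error {
    InvalidPrime,
    InvalidModulus, // hypothetical variant for this model
}

/// CRT exponents d mod (p - 1). With p = 1 the modulus is 0 and `%` by zero
/// panics in Rust, so this must only run on validated input.
fn crt_exponents_unchecked(d: u64, primes: &[u64]) -> Vec<u64> {
    primes.iter().map(|p| d % (p - 1)).collect()
}

/// Validate before any arithmetic: every prime must be > 1, and the product
/// of the primes must equal n.
pub fn validate_parts_model(n: u64, primes: &[u64]) -> Result<(), Error> {
    let mut product: u64 = 1;
    for &p in primes {
        if p <= 1 {
            return Err(Error::InvalidPrime);
        }
        product = product.checked_mul(p).ok_or(Error::InvalidModulus)?;
    }
    if product != n {
        return Err(Error::InvalidModulus);
    }
    Ok(())
}

/// Model constructor: untrusted components yield Err, never a panic.
pub fn from_components_model(n: u64, d: u64, primes: &[u64]) -> Result<Vec<u64>, Error> {
    validate_parts_model(n, primes)?;
    Ok(crt_exponents_unchecked(d, primes))
}

fn main() {
    // Inputs quoted in the PR description: n=239, d=0, primes=[1, 239].
    // 1 * 239 == 239, so a product check alone would accept them.
    println!("{:?}", from_components_model(239, 0, &[1, 239]));
    // Constructed well-formed toy key: n = 11 * 23 = 253, d = 47.
    println!("{:?}", from_components_model(253, 47, &[11, 23]));
}
```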