[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Felix via RT
rt at openssl.org
Mon Dec 21 23:00:39 UTC 2015
Hello,
I "pickup" rsa-p and rsa-q just one source-code-line after they were
"filled" and output the variables using the BN_print_fp function.
please reopen the ticket.
Regards,
Felix
for (;;) {
if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
goto err;
printf(" p:");
BN_print_fp(stdout,rsa->p);
printf(" ");
if (!BN_sub(r2, rsa->p, BN_value_one()))
goto err;
if (!BN_gcd(r1, r2, rsa->e, ctx))
goto err;
if (BN_is_one(r1))
break;
if (!BN_GENCB_call(cb, 2, n++))
goto err;
}
if (!BN_GENCB_call(cb, 3, 0))
goto err;
for (;;) {
/*
* When generating ridiculously small keys, we can get stuck
* continually regenerating the same prime values. Check for
this and
* bail if it happens 3 times.
*/
unsigned int degenerate = 0;
do {
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
goto err;
}
while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10));
if (degenerate == 10) {
ok = 0; /* we set our own err */
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
goto err;
}
if (!BN_sub(r2, rsa->q, BN_value_one()))
goto err;
if (!BN_gcd(r1, r2, rsa->e, ctx))
goto err;
if (BN_is_one(r1))
break;
if (!BN_GENCB_call(cb, 2, n++))
goto err;
}
if (!BN_GENCB_call(cb, 3, 1))
goto err;
if (BN_cmp(rsa->p, rsa->q) < 0) {
printf("Doppelt!") ;
tmp = rsa->p;
rsa->p = rsa->q;
rsa->q = tmp;
}
printf("q:");
BN_print_fp(stdout,rsa->q);
Am 21.12.2015 23:42, schrieb Richard Levitte via RT:
> You're not showing us how you output rsa->p and rsa->q. It doesn't make sense
> at all that you get "Doppelt!" if they were equal, so there's something wrong
> with your output. Also, it's been demonstrated (see mail by Viktor on
> openssl-dev) that the resulting key does have different p and q, with p > q.
>
> For all intents and purposes, this seems not to be a bug. Closing this ticket.
>
> Cheers,
> Richard
>
> Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenroth at gmx.de:
>> Hello,
>>
>> I found the reason for the problem, it´s definately a program error:
>>
>> The reason for it is in sub-program rsa_gen.c
>>
>> if (BN_cmp(rsa->p, rsa->q) < 0) {
>> printf("Doppelt!") ;
>> tmp = rsa->p;
>> rsa->p = rsa->q;
>> rsa->q = tmp;
>> }
>>
>> Here p and q should be switched if p > q. But this does not work,
>> probably due to type-incompatible Variable "tmp".
>>
>> So rsa->p gets the value of rsa->q but not vice versa:
>>
>> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> ..+++++++++++++++++++++++++++
>> ...+++++++++++++++++++++++++++
>> e is 65537 (0x10001)
>> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-----BEGIN RSA PRIVATE
>> KEY-----
>> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
>> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
>> 1lSi
>> -----END RSA PRIVATE KEY-----
>> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> ...+++++++++++++++++++++++++++
>> ..+++++++++++++++++++++++++++
>> e is 65537 (0x10001)
>> p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-----BEGIN RSA PRIVATE KEY-----
>> MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
>> AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
>> iuyMFDkp
>> -----END RSA PRIVATE KEY-----
>> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> .+++++++++++++++++++++++++++
>> .+++++++++++++++++++++++++++
>> e is 65537 (0x10001)
>> p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-----BEGIN RSA PRIVATE
>> KEY-----
>> MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
>> CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
>> TT5Qxxw=
>> -----END RSA PRIVATE KEY-----
>> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> .+++++++++++++++++++++++++++
>> .+++++++++++++++++++++++++++
>> e is 65537 (0x10001)
>> p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-----BEGIN RSA PRIVATE
>> KEY-----
>> MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC
>> CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY
>> CoYAsOE=
>> -----END RSA PRIVATE KEY-----
>> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> ...+++++++++++++++++++++++++++
>> ..+++++++++++++++++++++++++++
>> e is 65537 (0x10001)
>> p:DFE0EAAEF64A9ED3 q:DA49968E614FC9E9-----BEGIN RSA PRIVATE KEY-----
>> MGECAQACEQC+5eKmNv53y2Hn+t22uzkLAgMBAAECEHmAtlbW7/ZsapBlxpZlu1EC
>> CQDf4Oqu9kqe0wIJANpJlo5hT8npAggWUvAz6B1CvwIIYCU9fST7gdECCGudR6xt
>> O4sU
>> -----END RSA PRIVATE KEY----
>>
>> The code is still the same, even in Pre-Version 1.1.0
>>
>> Regards,
>>
>> Felix
>>
>>
>> Am 21.12.2015 21:38, schrieb Kurt Roeckx via RT:
>>> On Mon, Dec 21, 2015 at 01:51:45PM +0000, Felix via RT wrote:
>>>> That does not matter from a technical point of view.
>>>>
>>>> The Problem ist the same with 2048-Bit RSA.
>>> If you're worried that p and q might be the same random number, I
>>> think you should have other concerns.
>>>
>>>
>>> Kurt
>>>
>>>
>>>
>
> --
> Richard Levitte
> levitte at openssl.org
>
>
More information about the openssl-dev
mailing list