[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

Mon Dec 21 23:09:48 UTC 2015

You're displaying pre-swap p and post-swap q. If they do get swapped, you must
understand that pre-swap p and post-swap q will be the same value.

If you really want to demonstrate something, please display *both* p and q
before swap, and *both* p and q after swap.

Vid Mon, 21 Dec 2015 kl. 23.00.38, skrev felix.wiedenroth at gmx.de:
> Hello,
>
> I "pickup" rsa-p and rsa-q just one source-code-line after they were
> "filled" and output the variables using the BN_print_fp function.
>
> please reopen the ticket.
>
> Regards,
>
> Felix
>
>
> for (;;) {
> if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
> goto err;
> printf(" p:");
> BN_print_fp(stdout,rsa->p);
> printf(" ");
>
> if (!BN_sub(r2, rsa->p, BN_value_one()))
> goto err;
> if (!BN_gcd(r1, r2, rsa->e, ctx))
> goto err;
> if (BN_is_one(r1))
> break;
> if (!BN_GENCB_call(cb, 2, n++))
> goto err;
> }
> if (!BN_GENCB_call(cb, 3, 0))
> goto err;
> for (;;) {
> /*
> * When generating ridiculously small keys, we can get stuck
> * continually regenerating the same prime values. Check for
> this and
> * bail if it happens 3 times.
> */
> unsigned int degenerate = 0;
> do {
> if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
> goto err;
> }
> while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10));
> if (degenerate == 10) {
> ok = 0; /* we set our own err */
> RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
> goto err;
> }
> if (!BN_sub(r2, rsa->q, BN_value_one()))
> goto err;
> if (!BN_gcd(r1, r2, rsa->e, ctx))
> goto err;
> if (BN_is_one(r1))
> break;
> if (!BN_GENCB_call(cb, 2, n++))
> goto err;
> }
> if (!BN_GENCB_call(cb, 3, 1))
> goto err;
> if (BN_cmp(rsa->p, rsa->q) < 0) {
> printf("Doppelt!") ;
> tmp = rsa->p;
> rsa->p = rsa->q;
> rsa->q = tmp;
> }
> printf("q:");
> BN_print_fp(stdout,rsa->q);
>
>
>
>
> Am 21.12.2015 23:42, schrieb Richard Levitte via RT:
> > You're not showing us how you output rsa->p and rsa->q. It doesn't
> > make sense
> > at all that you get "Doppelt!" if they were equal, so there's
> > something wrong
> > with your output. Also, it's been demonstrated (see mail by Viktor on
> > openssl-dev) that the resulting key does have different p and q, with
> > p > q.
> >
> > For all intents and purposes, this seems not to be a bug. Closing
> > this ticket.
> >
> > Cheers,
> > Richard
> >
> > Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenroth at gmx.de:
> >> Hello,
> >>
> >> I found the reason for the problem, it´s definately a program error:
> >>
> >> The reason for it is in sub-program rsa_gen.c
> >>
> >> if (BN_cmp(rsa->p, rsa->q) < 0) {
> >> printf("Doppelt!") ;
> >> tmp = rsa->p;
> >> rsa->p = rsa->q;
> >> rsa->q = tmp;
> >> }
> >>
> >> Here p and q should be switched if p > q. But this does not work,
> >> probably due to type-incompatible Variable "tmp".
> >>
> >> So rsa->p gets the value of rsa->q but not vice versa:
> >>
> >> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> ..+++++++++++++++++++++++++++
> >> ...+++++++++++++++++++++++++++
> >> e is 65537 (0x10001)
> >> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-----BEGIN RSA PRIVATE
> >> KEY-----
> >> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
> >> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
> >> 1lSi
> >> -----END RSA PRIVATE KEY-----
> >> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> ...+++++++++++++++++++++++++++
> >> ..+++++++++++++++++++++++++++
> >> e is 65537 (0x10001)
> >> p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-----BEGIN RSA PRIVATE KEY-----
> >> MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
> >> AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
> >> iuyMFDkp
> >> -----END RSA PRIVATE KEY-----
> >> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> .+++++++++++++++++++++++++++
> >> .+++++++++++++++++++++++++++
> >> e is 65537 (0x10001)
> >> p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-----BEGIN RSA PRIVATE
> >> KEY-----
> >> MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
> >> CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
> >> TT5Qxxw=
> >> -----END RSA PRIVATE KEY-----
> >> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> .+++++++++++++++++++++++++++
> >> .+++++++++++++++++++++++++++
> >> e is 65537 (0x10001)
> >> p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-----BEGIN RSA PRIVATE
> >> KEY-----
> >> MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC
> >> CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY
> >> CoYAsOE=
> >> -----END RSA PRIVATE KEY-----
> >> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> ...+++++++++++++++++++++++++++
> >> ..+++++++++++++++++++++++++++
> >> e is 65537 (0x10001)
> >> p:DFE0EAAEF64A9ED3 q:DA49968E614FC9E9-----BEGIN RSA PRIVATE KEY-----
> >> MGECAQACEQC+5eKmNv53y2Hn+t22uzkLAgMBAAECEHmAtlbW7/ZsapBlxpZlu1EC
> >> CQDf4Oqu9kqe0wIJANpJlo5hT8npAggWUvAz6B1CvwIIYCU9fST7gdECCGudR6xt
> >> O4sU
> >> -----END RSA PRIVATE KEY----
> >>
> >> The code is still the same, even in Pre-Version 1.1.0
> >>
> >> Regards,
> >>
> >> Felix
> >>
> >>
> >> Am 21.12.2015 21:38, schrieb Kurt Roeckx via RT:
> >>> On Mon, Dec 21, 2015 at 01:51:45PM +0000, Felix via RT wrote:
> >>>> That does not matter from a technical point of view.
> >>>>
> >>>> The Problem ist the same with 2048-Bit RSA.
> >>> If you're worried that p and q might be the same random number, I
> >>> think you should have other concerns.
> >>>
> >>>
> >>> Kurt
> >>>
> >>>
> >>>
> >
> > --
> > Richard Levitte
> > levitte at openssl.org
> >
> >

--
Richard Levitte
levitte at openssl.org