[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

Mon Dec 21 23:27:47 UTC 2015

O.K. you are right. please close the ticket...

Regards,

Felix

Am 22.12.2015 00:09, schrieb Richard Levitte via RT:
> You're displaying pre-swap p and post-swap q. If they do get swapped, you must
> understand that pre-swap p and post-swap q will be the same value.
>
> If you really want to demonstrate something, please display *both* p and q
> before swap, and *both* p and q after swap.
>
> Vid Mon, 21 Dec 2015 kl. 23.00.38, skrev felix.wiedenroth at gmx.de:
>> Hello,
>>
>> I "pickup" rsa-p and rsa-q just one source-code-line after they were
>> "filled" and output the variables using the BN_print_fp function.
>>
>> please reopen the ticket.
>>
>> Regards,
>>
>> Felix
>>
>>
>> for (;;) {
>> if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
>> goto err;
>> printf(" p:");
>> BN_print_fp(stdout,rsa->p);
>> printf(" ");
>>
>> if (!BN_sub(r2, rsa->p, BN_value_one()))
>> goto err;
>> if (!BN_gcd(r1, r2, rsa->e, ctx))
>> goto err;
>> if (BN_is_one(r1))
>> break;
>> if (!BN_GENCB_call(cb, 2, n++))
>> goto err;
>> }
>> if (!BN_GENCB_call(cb, 3, 0))
>> goto err;
>> for (;;) {
>> /*
>> * When generating ridiculously small keys, we can get stuck
>> * continually regenerating the same prime values. Check for
>> this and
>> * bail if it happens 3 times.
>> */
>> unsigned int degenerate = 0;
>> do {
>> if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
>> goto err;
>> }
>> while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10));
>> if (degenerate == 10) {
>> ok = 0; /* we set our own err */
>> RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
>> goto err;
>> }
>> if (!BN_sub(r2, rsa->q, BN_value_one()))
>> goto err;
>> if (!BN_gcd(r1, r2, rsa->e, ctx))
>> goto err;
>> if (BN_is_one(r1))
>> break;
>> if (!BN_GENCB_call(cb, 2, n++))
>> goto err;
>> }
>> if (!BN_GENCB_call(cb, 3, 1))
>> goto err;
>> if (BN_cmp(rsa->p, rsa->q) < 0) {
>> printf("Doppelt!") ;
>> tmp = rsa->p;
>> rsa->p = rsa->q;
>> rsa->q = tmp;
>> }
>> printf("q:");
>> BN_print_fp(stdout,rsa->q);
>>
>>
>>
>>
>> Am 21.12.2015 23:42, schrieb Richard Levitte via RT:
>>> You're not showing us how you output rsa->p and rsa->q. It doesn't
>>> make sense
>>> at all that you get "Doppelt!" if they were equal, so there's
>>> something wrong
>>> with your output. Also, it's been demonstrated (see mail by Viktor on
>>> openssl-dev) that the resulting key does have different p and q, with
>>> p > q.
>>>
>>> For all intents and purposes, this seems not to be a bug. Closing
>>> this ticket.
>>>
>>> Cheers,
>>> Richard
>>>
>>> Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenroth at gmx.de:
>>>> Hello,
>>>>
>>>> I found the reason for the problem, it´s definately a program error:
>>>>
>>>> The reason for it is in sub-program rsa_gen.c
>>>>
>>>> if (BN_cmp(rsa->p, rsa->q) < 0) {
>>>> printf("Doppelt!") ;
>>>> tmp = rsa->p;
>>>> rsa->p = rsa->q;
>>>> rsa->q = tmp;
>>>> }
>>>>
>>>> Here p and q should be switched if p > q. But this does not work,
>>>> probably due to type-incompatible Variable "tmp".
>>>>
>>>> So rsa->p gets the value of rsa->q but not vice versa:
>>>>
>>>> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>>>> genrsa 128
>>>> Generating RSA private key, 128 bit long modulus
>>>> ..+++++++++++++++++++++++++++
>>>> ...+++++++++++++++++++++++++++
>>>> e is 65537 (0x10001)
>>>> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-----BEGIN RSA PRIVATE
>>>> KEY-----
>>>> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
>>>> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
>>>> 1lSi
>>>> -----END RSA PRIVATE KEY-----
>>>> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>>>> genrsa 128
>>>> Generating RSA private key, 128 bit long modulus
>>>> ...+++++++++++++++++++++++++++
>>>> ..+++++++++++++++++++++++++++
>>>> e is 65537 (0x10001)
>>>> p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-----BEGIN RSA PRIVATE KEY-----
>>>> MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
>>>> AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
>>>> iuyMFDkp
>>>> -----END RSA PRIVATE KEY-----
>>>> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>>>> genrsa 128
>>>> Generating RSA private key, 128 bit long modulus
>>>> .+++++++++++++++++++++++++++
>>>> .+++++++++++++++++++++++++++
>>>> e is 65537 (0x10001)
>>>> p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-----BEGIN RSA PRIVATE
>>>> KEY-----
>>>> MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
>>>> CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
>>>> TT5Qxxw=
>>>> -----END RSA PRIVATE KEY-----
>>>> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>>>> genrsa 128
>>>> Generating RSA private key, 128 bit long modulus
>>>> .+++++++++++++++++++++++++++
>>>> .+++++++++++++++++++++++++++
>>>> e is 65537 (0x10001)
>>>> p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-----BEGIN RSA PRIVATE
>>>> KEY-----
>>>> MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC
>>>> CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY
>>>> CoYAsOE=
>>>> -----END RSA PRIVATE KEY-----
>>>> root at debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>>>> genrsa 128
>>>> Generating RSA private key, 128 bit long modulus
>>>> ...+++++++++++++++++++++++++++
>>>> ..+++++++++++++++++++++++++++
>>>> e is 65537 (0x10001)
>>>> p:DFE0EAAEF64A9ED3 q:DA49968E614FC9E9-----BEGIN RSA PRIVATE KEY-----
>>>> MGECAQACEQC+5eKmNv53y2Hn+t22uzkLAgMBAAECEHmAtlbW7/ZsapBlxpZlu1EC
>>>> CQDf4Oqu9kqe0wIJANpJlo5hT8npAggWUvAz6B1CvwIIYCU9fST7gdECCGudR6xt
>>>> O4sU
>>>> -----END RSA PRIVATE KEY----
>>>>
>>>> The code is still the same, even in Pre-Version 1.1.0
>>>>
>>>> Regards,
>>>>
>>>> Felix
>>>>
>>>>
>>>> Am 21.12.2015 21:38, schrieb Kurt Roeckx via RT:
>>>>> On Mon, Dec 21, 2015 at 01:51:45PM +0000, Felix via RT wrote:
>>>>>> That does not matter from a technical point of view.
>>>>>>
>>>>>> The Problem ist the same with 2048-Bit RSA.
>>>>> If you're worried that p and q might be the same random number, I
>>>>> think you should have other concerns.
>>>>>
>>>>>
>>>>> Kurt
>>>>>
>>>>>
>>>>>
>>> --
>>> Richard Levitte
>>> levitte at openssl.org
>>>
>>>
>
> --
> Richard Levitte
> levitte at openssl.org
>
>