The branch master has been updated via 422da9bbfb739a5d42292c990c0b81552060d5a2 (commit) via 5c99d57ea3903211f313e7760f045ac48273e79d (commit) via dfad3a00be4101479744cac1fe4314c567f1e35e (commit) via 3134fb284fe632424ee3bd380c4bf95342aa00fd (commit) via 476798f22f76040dc5218aa8e91ffb0177fea9e7 (commit) via 0c05fda40e3d55a322970f2bbbfea89e645e6902 (commit) from 9d0dd1d51335cd17d2594adfe4d30142f2ab8b19 (commit)
- Log ----------------------------------------------------------------- commit 422da9bbfb739a5d42292c990c0b81552060d5a2 Author: Pauli <pa...@openssl.org> Date: Wed May 26 10:24:40 2021 +1000 test: test MP genrsa in deprecated builds These multi-prime tests were omitted when genrsa was deprecated but not returned when it was restored. Reviewed-by: Shane Lontis <shane.lon...@oracle.com> Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15472) commit 5c99d57ea3903211f313e7760f045ac48273e79d Author: Pauli <pa...@openssl.org> Date: Wed May 26 10:11:29 2021 +1000 test: add test for key generation strength > RNG strength Reviewed-by: Shane Lontis <shane.lon...@oracle.com> Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15472) commit dfad3a00be4101479744cac1fe4314c567f1e35e Author: Pauli <pa...@openssl.org> Date: Wed May 26 10:10:51 2021 +1000 test: test genrsa in deprecated builds These tests were omitted when genrsa was deprecated but not returned when it was restored. Reviewed-by: Shane Lontis <shane.lon...@oracle.com> Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15472) commit 3134fb284fe632424ee3bd380c4bf95342aa00fd Author: Pauli <pa...@openssl.org> Date: Wed May 26 10:02:09 2021 +1000 errors: update error message (to be squashed) Reviewed-by: Shane Lontis <shane.lon...@oracle.com> Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15472) commit 476798f22f76040dc5218aa8e91ffb0177fea9e7 Author: Pauli <pa...@openssl.org> Date: Wed May 26 10:00:37 2021 +1000 rsa: check that the RNG is capable of producing a key of the specified size During key generation, any sized key can be asked for. Attempting to generate a key with a security strength larger than the RNG strength now fails. Fixes #15421 Reviewed-by: Shane Lontis <shane.lon...@oracle.com> Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15472) commit 0c05fda40e3d55a322970f2bbbfea89e645e6902 Author: Pauli <pa...@openssl.org> Date: Wed May 26 09:27:32 2021 +1000 rsa: remove the limit on the maximum key strength Reviewed-by: Shane Lontis <shane.lon...@oracle.com> Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15472) ----------------------------------------------------------------------- Summary of changes: crypto/err/openssl.txt | 2 ++ crypto/rsa/rsa_err.c | 4 ++- crypto/rsa/rsa_sp800_56b_gen.c | 26 ++++++++++++++++--- include/crypto/rsaerr.h | 2 +- include/openssl/rsaerr.h | 1 + test/recipes/15-test_genrsa.t | 58 ++++++++++++++++++------------------------ test/recipes/15-test_mp_rsa.t | 31 ++++++++++++++-------- 7 files changed, 76 insertions(+), 48 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 3e9bfc1acf..48d1175bce 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1190,6 +1190,8 @@ RSA_R_PSS_SALTLEN_TOO_SMALL:164:pss saltlen too small RSA_R_PUB_EXPONENT_OUT_OF_RANGE:178:pub exponent out of range RSA_R_P_NOT_PRIME:128:p not prime RSA_R_Q_NOT_PRIME:129:q not prime +RSA_R_RANDOMNESS_SOURCE_STRENGTH_INSUFFICIENT:180:\ + randomness source strength insufficient RSA_R_RSA_OPERATIONS_NOT_SUPPORTED:130:rsa operations not supported RSA_R_SLEN_CHECK_FAILED:136:salt length check failed RSA_R_SLEN_RECOVERY_FAILED:135:salt length recovery failed diff --git a/crypto/rsa/rsa_err.c b/crypto/rsa/rsa_err.c index 1e3c81ff5e..85bee965fc 100644 --- a/crypto/rsa/rsa_err.c +++ b/crypto/rsa/rsa_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -118,6 +118,8 @@ static const ERR_STRING_DATA RSA_str_reasons[] = { "pub exponent out of range"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_P_NOT_PRIME), "p not prime"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_Q_NOT_PRIME), "q not prime"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_RANDOMNESS_SOURCE_STRENGTH_INSUFFICIENT), + "randomness source strength insufficient"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED), "rsa operations not supported"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_SLEN_CHECK_FAILED), diff --git a/crypto/rsa/rsa_sp800_56b_gen.c b/crypto/rsa/rsa_sp800_56b_gen.c index 077c32f1e9..d2052c5796 100644 --- a/crypto/rsa/rsa_sp800_56b_gen.c +++ b/crypto/rsa/rsa_sp800_56b_gen.c @@ -11,13 +11,14 @@ #include <openssl/err.h> #include <openssl/bn.h> #include <openssl/core.h> +#include <openssl/evp.h> +#include <openssl/rand.h> #include "crypto/bn.h" #include "crypto/security_bits.h" #include "rsa_local.h" #define RSA_FIPS1864_MIN_KEYGEN_KEYSIZE 2048 #define RSA_FIPS1864_MIN_KEYGEN_STRENGTH 112 -#define RSA_FIPS1864_MAX_KEYGEN_STRENGTH 256 /* * Generate probable primes 'p' & 'q'. See FIPS 186-4 Section B.3.6 @@ -174,8 +175,7 @@ int ossl_rsa_sp800_56b_validate_strength(int nbits, int strength) int s = (int)ossl_ifc_ffc_compute_security_bits(nbits); #ifdef FIPS_MODULE - if (s < RSA_FIPS1864_MIN_KEYGEN_STRENGTH - || s > RSA_FIPS1864_MAX_KEYGEN_STRENGTH) { + if (s < RSA_FIPS1864_MIN_KEYGEN_STRENGTH) { ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MODULUS); return 0; } @@ -187,6 +187,22 @@ int ossl_rsa_sp800_56b_validate_strength(int nbits, int strength) return 1; } +/* + * Validate that the random bit generator is of sufficient strength to generate + * a key of the specified length. + */ +static int rsa_validate_rng_strength(EVP_RAND_CTX *rng, int nbits) +{ + if (rng == NULL) + return 0; + if (EVP_RAND_strength(rng) < ossl_ifc_ffc_compute_security_bits(nbits)) { + ERR_raise(ERR_LIB_RSA, + RSA_R_RANDOMNESS_SOURCE_STRENGTH_INSUFFICIENT); + return 0; + } + return 1; +} + /* * * Using p & q, calculate other required parameters such as n, d. @@ -348,6 +364,10 @@ int ossl_rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed, if (!ossl_rsa_sp800_56b_validate_strength(nbits, -1)) return 0; + /* Check that the RNG is capable of generating a key this large */ + if (!rsa_validate_rng_strength(RAND_get0_private(rsa->libctx), nbits)) + return 0; + ctx = BN_CTX_new_ex(rsa->libctx); if (ctx == NULL) return 0; diff --git a/include/crypto/rsaerr.h b/include/crypto/rsaerr.h index 43541b7faf..9b23500b37 100644 --- a/include/crypto/rsaerr.h +++ b/include/crypto/rsaerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/rsaerr.h b/include/openssl/rsaerr.h index bc31d2fe65..4335f1cb33 100644 --- a/include/openssl/rsaerr.h +++ b/include/openssl/rsaerr.h @@ -85,6 +85,7 @@ # define RSA_R_PUB_EXPONENT_OUT_OF_RANGE 178 # define RSA_R_P_NOT_PRIME 128 # define RSA_R_Q_NOT_PRIME 129 +# define RSA_R_RANDOMNESS_SOURCE_STRENGTH_INSUFFICIENT 180 # define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130 # define RSA_R_SLEN_CHECK_FAILED 136 # define RSA_R_SLEN_RECOVERY_FAILED 135 diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t index 501d3a100f..6c67f04af9 100644 --- a/test/recipes/15-test_genrsa.t +++ b/test/recipes/15-test_genrsa.t @@ -25,18 +25,21 @@ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); plan tests => ($no_fips ? 0 : 2) # Extra FIPS related test - + 13; + + 14; # We want to know that an absurdly small number of bits isn't support -if (disabled("deprecated-3.0")) { - is(run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem', - '-algorithm', 'RSA', '-pkeyopt', 'rsa_keygen_bits:8', - '-pkeyopt', 'rsa_keygen_pubexp:3'])), - 0, "genrsa -3 8"); -} else { - is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), - 0, "genrsa -3 8"); -} +is(run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem', + '-algorithm', 'RSA', '-pkeyopt', 'rsa_keygen_bits:8', + '-pkeyopt', 'rsa_keygen_pubexp:3'])), + 0, "genpkey 8"); +is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), + 0, "genrsa -3 8"); + +# We want to know that an absurdly large number of bits fails the RNG check +is(run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem', + '-algorithm', 'RSA', '-pkeyopt', 'rsa_keygen_bits:1000000000', + '-pkeyopt', 'rsa_keygen_pubexp:3'])), + 0, "genpkey 1000000000"); # Depending on the shared library, we might have different lower limits. # Let's find it! This is a simple binary search @@ -50,16 +53,10 @@ my $fin; while ($good > $bad + 1) { my $checked = int(($good + $bad + 1) / 2); my $bits = 2 ** $checked; - if (disabled("deprecated-3.0")) { - $fin = run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem', - '-algorithm', 'RSA', '-pkeyopt', 'rsa_keygen_pubexp:65537', - '-pkeyopt', "rsa_keygen_bits:$bits", - ], stderr => undef)); - } else { - $fin = run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', - $bits - ], stderr => undef)); - } + $fin = run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem', + '-algorithm', 'RSA', '-pkeyopt', 'rsa_keygen_pubexp:65537', + '-pkeyopt', "rsa_keygen_bits:$bits", + ], stderr => undef)); if ($fin) { note 2 ** $checked, " bits is good"; $good = $checked; @@ -76,14 +73,9 @@ ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'RSA', '-pkeyopt', 'rsa_keygen_pubexp:65537', '-pkeyopt', "rsa_keygen_bits:$good", '-out', 'genrsatest.pem' ])), - "genpkey -3 $good"); + "genpkey $good"); ok(run(app([ 'openssl', 'pkey', '-check', '-in', 'genrsatest.pem', '-noout' ])), "pkey -check"); -ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'RSA', - '-pkeyopt', 'rsa_keygen_pubexp:65537', - '-pkeyopt', "rsa_keygen_bits:$good", - '-out', 'genrsatest.pem' ])), - "genpkey -f4 $good"); ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'RSA', '-pkeyopt', 'rsa_keygen_bits:2048', @@ -104,19 +96,19 @@ ok(!run(app([ 'openssl', 'genpkey', '-propquery', 'unknown', '-algorithm', 'RSA' ])), "genpkey requesting unknown=yes property should fail"); - SKIP: { - skip "Skipping rsa command line test", 4 if disabled("deprecated-3.0"); + skip "Skipping rsa command line test", 2 if disabled("deprecated-3.0"); ok(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', $good ])), "genrsa -3 $good"); ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])), "rsa -check"); - ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])), - "genrsa -f4 $good"); - ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])), - "rsa -check"); -} + } + +ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])), + "genrsa -f4 $good"); +ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])), + "rsa -check"); unless ($no_fips) { my $provconf = srctop_file("test", "fips-and-base.cnf"); diff --git a/test/recipes/15-test_mp_rsa.t b/test/recipes/15-test_mp_rsa.t index ad7018789b..339a2a811d 100644 --- a/test/recipes/15-test_mp_rsa.t +++ b/test/recipes/15-test_mp_rsa.t @@ -35,14 +35,14 @@ my @test_param = ( }, ); -plan tests => 1 + scalar(@test_param) * 5 * (disabled('deprecated-3.0') ? 1 : 2); +plan tests => 1 + scalar(@test_param) * 5 * 2; ok(run(test(["rsa_mp_test"])), "running rsa multi prime test"); my $cleartext = data_file("plain_text"); # genrsa -run_mp_tests(0) if !disabled('deprecated-3.0'); +run_mp_tests(0); # evp run_mp_tests(1); @@ -77,14 +77,25 @@ sub run_mp_tests { ok(run(app([ 'openssl', 'rsa', '-check', '-in', "rsamptest-$name.pem", '-noout'])), "rsa -check $name"); - ok(run(app([ 'openssl', 'rsautl', '-inkey', "rsamptest-$name.pem", - '-encrypt', '-in', $cleartext, - '-out', "rsamptest-$name.enc" ])), - "rsa $name encrypt"); - ok(run(app([ 'openssl', 'rsautl', '-inkey', "rsamptest-$name.pem", - '-decrypt', '-in', "rsamptest-$name.enc", - '-out', "rsamptest-$name.dec" ])), - "rsa $name decrypt"); + if (!disabled('deprecated-3.0')) { + ok(run(app([ 'openssl', 'rsautl', '-inkey', "rsamptest-$name.pem", + '-encrypt', '-in', $cleartext, + '-out', "rsamptest-$name.enc" ])), + "rsa $name encrypt"); + ok(run(app([ 'openssl', 'rsautl', '-inkey', "rsamptest-$name.pem", + '-decrypt', '-in', "rsamptest-$name.enc", + '-out', "rsamptest-$name.dec" ])), + "rsa $name decrypt"); + } else { + ok(run(app([ 'openssl', 'pkeyutl', '-inkey', "rsamptest-$name.pem", + '-encrypt', '-in', $cleartext, + '-out', "rsamptest-$name.enc" ])), + "rsa $name encrypt"); + ok(run(app([ 'openssl', 'pkeyutl', '-inkey', "rsamptest-$name.pem", + '-decrypt', '-in', "rsamptest-$name.enc", + '-out', "rsamptest-$name.dec" ])), + "rsa $name decrypt"); + } } ok(check_msg("rsamptest-$name.dec"), "rsa $name check result"); }