Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Hello, I found the reason for the problem, it´s definately a program error: The reason for it is in sub-program rsa_gen.c if (BN_cmp(rsa->p, rsa->q) < 0) { printf("Doppelt!") ; tmp = rsa->p; rsa->p = rsa->q; rsa->q = tmp; } Here p and q should be switched if p > q. But this does not work, probably due to type-incompatible Variable "tmp". So rsa->p gets the value of rsa->q but not vice versa: root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus ..+++ ...+++ e is 65537 (0x10001) p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE KEY- MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2 1lSi -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus ...+++ ..+++ e is 65537 (0x10001) p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY- MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs iuyMFDkp -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus .+++ .+++ e is 65537 (0x10001) p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE KEY- MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg TT5Qxxw= -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus .+++ .+++ e is 65537 (0x10001) p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE KEY- MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY CoYAsOE= -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus ...+++ ..+++ e is 65537 (0x10001) p:DFE0EAAEF64A9ED3 q:DA49968E614FC9E9-BEGIN RSA PRIVATE KEY- MGECAQACEQC+5eKmNv53y2Hn+t22uzkLAgMBAAECEHmAtlbW7/ZsapBlxpZlu1EC CQDf4Oqu9kqe0wIJANpJlo5hT8npAggWUvAz6B1CvwIIYCU9fST7gdECCGudR6xt O4sU -END RSA PRIVATE KEY The code is still the same, even in Pre-Version 1.1.0 Regards, Felix Am 21.12.2015 21:38, schrieb Kurt Roeckx via RT: > On Mon, Dec 21, 2015 at 01:51:45PM +, Felix via RT wrote: >> That does not matter from a technical point of view. >> >> The Problem ist the same with 2048-Bit RSA. > If you're worried that p and q might be the same random number, I > think you should have other concerns. > > > Kurt > > > ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
On Mon, Dec 21, 2015 at 01:51:45PM +, Felix via RT wrote: > That does not matter from a technical point of view. > > The Problem ist the same with 2048-Bit RSA. If you're worried that p and q might be the same random number, I think you should have other concerns. Kurt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
On Mon, Dec 21, 2015 at 09:36:11PM +, Felix via RT wrote: > I found the reason for the problem, it´s definately a program error: Pilot error. > The reason for it is in sub-program rsa_gen.c > > if (BN_cmp(rsa->p, rsa->q) < 0) { > tmp = rsa->p; > rsa->p = rsa->q; > rsa->q = tmp; > } The code is just fine. > # ./openssl genrsa 128 > ..+++ > ...+++ > e is 65537 (0x10001) > p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273 No idea what's printing the output above, but the private key below: > -BEGIN RSA PRIVATE KEY- > MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC > CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2 > 1lSi > -END RSA PRIVATE KEY- in fact has distinct p/q: $ openssl rsa -noout -text <<-EOF -BEGIN RSA PRIVATE KEY- MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2 1lSi -END RSA PRIVATE KEY- EOF Private-Key: (128 bit) modulus: 00:b1:b7:f3:28:d1:ea:6a:a2:51:66:00:7e:c0:8a: 72:e7 publicExponent: 65537 (0x10001) privateExponent: 23:90:77:45:b4:f4:5f:50:34:98:e7:61:4c:d3:03: 69 prime1: 16814661991975378109 (0xe959adfe69f45cbd) prime2: 14048957841162998387 (0xc2f7ecb8d2f59273) exponent1: 2091537979440366241 (0x1d06a2b5fac802a1) exponent2: 639027470352730491 (0x8de48193c17497b) coefficient: 5085844977839658146 (0x46948d0fb6d654a2) and prime1 > prime2. This ticket should be closed. -- Viktor. ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Hello, I "pickup" rsa-p and rsa-q just one source-code-line after they were "filled" and output the variables using the BN_print_fp function. please reopen the ticket. Regards, Felix for (;;) { if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) goto err; printf(" p:"); BN_print_fp(stdout,rsa->p); printf(" "); if (!BN_sub(r2, rsa->p, BN_value_one())) goto err; if (!BN_gcd(r1, r2, rsa->e, ctx)) goto err; if (BN_is_one(r1)) break; if (!BN_GENCB_call(cb, 2, n++)) goto err; } if (!BN_GENCB_call(cb, 3, 0)) goto err; for (;;) { /* * When generating ridiculously small keys, we can get stuck * continually regenerating the same prime values. Check for this and * bail if it happens 3 times. */ unsigned int degenerate = 0; do { if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) goto err; } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10)); if (degenerate == 10) { ok = 0; /* we set our own err */ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL); goto err; } if (!BN_sub(r2, rsa->q, BN_value_one())) goto err; if (!BN_gcd(r1, r2, rsa->e, ctx)) goto err; if (BN_is_one(r1)) break; if (!BN_GENCB_call(cb, 2, n++)) goto err; } if (!BN_GENCB_call(cb, 3, 1)) goto err; if (BN_cmp(rsa->p, rsa->q) < 0) { printf("Doppelt!") ; tmp = rsa->p; rsa->p = rsa->q; rsa->q = tmp; } printf("q:"); BN_print_fp(stdout,rsa->q); Am 21.12.2015 23:42, schrieb Richard Levitte via RT: > You're not showing us how you output rsa->p and rsa->q. It doesn't make sense > at all that you get "Doppelt!" if they were equal, so there's something wrong > with your output. Also, it's been demonstrated (see mail by Viktor on > openssl-dev) that the resulting key does have different p and q, with p > q. > > For all intents and purposes, this seems not to be a bug. Closing this ticket. > > Cheers, > Richard > > Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenr...@gmx.de: >> Hello, >> >> I found the reason for the problem, it´s definately a program error: >> >> The reason for it is in sub-program rsa_gen.c >> >> if (BN_cmp(rsa->p, rsa->q) < 0) { >> printf("Doppelt!") ; >> tmp = rsa->p; >> rsa->p = rsa->q; >> rsa->q = tmp; >> } >> >> Here p and q should be switched if p > q. But this does not work, >> probably due to type-incompatible Variable "tmp". >> >> So rsa->p gets the value of rsa->q but not vice versa: >> >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl >> genrsa 128 >> Generating RSA private key, 128 bit long modulus >> ..+++ >> ...+++ >> e is 65537 (0x10001) >> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE >> KEY- >> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC >> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2 >> 1lSi >> -END RSA PRIVATE KEY- >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl >> genrsa 128 >> Generating RSA private key, 128 bit long modulus >> ...+++ >> ..+++ >> e is 65537 (0x10001) >> p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY- >> MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx >> AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs >> iuyMFDkp >> -END RSA PRIVATE KEY- >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl >> genrsa 128 >> Generating RSA private key, 128 bit long modulus >> .+++ >> .+++ >> e is 65537 (0x10001) >> p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE >> KEY- >> MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC >> CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg >> TT5Qxxw= >> -END RSA PRIVATE KEY- >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl >> genrsa 128 >> Generating RSA private key, 128 bit long modulus >> .+++ >> .+++ >> e is 65537 (0x10001) >> p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE >> KEY- >> MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC >> CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY >> CoYAsOE= >> -END RSA PRIVATE KEY- >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl >> genrsa 128 >> Generating RSA private key, 128 bit long modulus >> ...+++ >> ..+++ >> e is 65537 (0x10001) >>
[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
You're not showing us how you output rsa->p and rsa->q. It doesn't make sense at all that you get "Doppelt!" if they were equal, so there's something wrong with your output. Also, it's been demonstrated (see mail by Viktor on openssl-dev) that the resulting key does have different p and q, with p > q. For all intents and purposes, this seems not to be a bug. Closing this ticket. Cheers, Richard Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenr...@gmx.de: > Hello, > > I found the reason for the problem, it´s definately a program error: > > The reason for it is in sub-program rsa_gen.c > > if (BN_cmp(rsa->p, rsa->q) < 0) { > printf("Doppelt!") ; > tmp = rsa->p; > rsa->p = rsa->q; > rsa->q = tmp; > } > > Here p and q should be switched if p > q. But this does not work, > probably due to type-incompatible Variable "tmp". > > So rsa->p gets the value of rsa->q but not vice versa: > > root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl > genrsa 128 > Generating RSA private key, 128 bit long modulus > ..+++ > ...+++ > e is 65537 (0x10001) > p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE > KEY- > MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC > CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2 > 1lSi > -END RSA PRIVATE KEY- > root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl > genrsa 128 > Generating RSA private key, 128 bit long modulus > ...+++ > ..+++ > e is 65537 (0x10001) > p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY- > MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx > AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs > iuyMFDkp > -END RSA PRIVATE KEY- > root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl > genrsa 128 > Generating RSA private key, 128 bit long modulus > .+++ > .+++ > e is 65537 (0x10001) > p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE > KEY- > MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC > CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg > TT5Qxxw= > -END RSA PRIVATE KEY- > root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl > genrsa 128 > Generating RSA private key, 128 bit long modulus > .+++ > .+++ > e is 65537 (0x10001) > p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE > KEY- > MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC > CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY > CoYAsOE= > -END RSA PRIVATE KEY- > root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl > genrsa 128 > Generating RSA private key, 128 bit long modulus > ...+++ > ..+++ > e is 65537 (0x10001) > p:DFE0EAAEF64A9ED3 q:DA49968E614FC9E9-BEGIN RSA PRIVATE KEY- > MGECAQACEQC+5eKmNv53y2Hn+t22uzkLAgMBAAECEHmAtlbW7/ZsapBlxpZlu1EC > CQDf4Oqu9kqe0wIJANpJlo5hT8npAggWUvAz6B1CvwIIYCU9fST7gdECCGudR6xt > O4sU > -END RSA PRIVATE KEY > > The code is still the same, even in Pre-Version 1.1.0 > > Regards, > > Felix > > > Am 21.12.2015 21:38, schrieb Kurt Roeckx via RT: > > On Mon, Dec 21, 2015 at 01:51:45PM +, Felix via RT wrote: > >> That does not matter from a technical point of view. > >> > >> The Problem ist the same with 2048-Bit RSA. > > If you're worried that p and q might be the same random number, I > > think you should have other concerns. > > > > > > Kurt > > > > > > > -- Richard Levitte levi...@openssl.org ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
You're displaying pre-swap p and post-swap q. If they do get swapped, you must understand that pre-swap p and post-swap q will be the same value. If you really want to demonstrate something, please display *both* p and q before swap, and *both* p and q after swap. Vid Mon, 21 Dec 2015 kl. 23.00.38, skrev felix.wiedenr...@gmx.de: > Hello, > > I "pickup" rsa-p and rsa-q just one source-code-line after they were > "filled" and output the variables using the BN_print_fp function. > > please reopen the ticket. > > Regards, > > Felix > > > for (;;) { > if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) > goto err; > printf(" p:"); > BN_print_fp(stdout,rsa->p); > printf(" "); > > if (!BN_sub(r2, rsa->p, BN_value_one())) > goto err; > if (!BN_gcd(r1, r2, rsa->e, ctx)) > goto err; > if (BN_is_one(r1)) > break; > if (!BN_GENCB_call(cb, 2, n++)) > goto err; > } > if (!BN_GENCB_call(cb, 3, 0)) > goto err; > for (;;) { > /* > * When generating ridiculously small keys, we can get stuck > * continually regenerating the same prime values. Check for > this and > * bail if it happens 3 times. > */ > unsigned int degenerate = 0; > do { > if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) > goto err; > } > while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10)); > if (degenerate == 10) { > ok = 0; /* we set our own err */ > RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL); > goto err; > } > if (!BN_sub(r2, rsa->q, BN_value_one())) > goto err; > if (!BN_gcd(r1, r2, rsa->e, ctx)) > goto err; > if (BN_is_one(r1)) > break; > if (!BN_GENCB_call(cb, 2, n++)) > goto err; > } > if (!BN_GENCB_call(cb, 3, 1)) > goto err; > if (BN_cmp(rsa->p, rsa->q) < 0) { > printf("Doppelt!") ; > tmp = rsa->p; > rsa->p = rsa->q; > rsa->q = tmp; > } > printf("q:"); > BN_print_fp(stdout,rsa->q); > > > > > Am 21.12.2015 23:42, schrieb Richard Levitte via RT: > > You're not showing us how you output rsa->p and rsa->q. It doesn't > > make sense > > at all that you get "Doppelt!" if they were equal, so there's > > something wrong > > with your output. Also, it's been demonstrated (see mail by Viktor on > > openssl-dev) that the resulting key does have different p and q, with > > p > q. > > > > For all intents and purposes, this seems not to be a bug. Closing > > this ticket. > > > > Cheers, > > Richard > > > > Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenr...@gmx.de: > >> Hello, > >> > >> I found the reason for the problem, it´s definately a program error: > >> > >> The reason for it is in sub-program rsa_gen.c > >> > >> if (BN_cmp(rsa->p, rsa->q) < 0) { > >> printf("Doppelt!") ; > >> tmp = rsa->p; > >> rsa->p = rsa->q; > >> rsa->q = tmp; > >> } > >> > >> Here p and q should be switched if p > q. But this does not work, > >> probably due to type-incompatible Variable "tmp". > >> > >> So rsa->p gets the value of rsa->q but not vice versa: > >> > >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl > >> genrsa 128 > >> Generating RSA private key, 128 bit long modulus > >> ..+++ > >> ...+++ > >> e is 65537 (0x10001) > >> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE > >> KEY- > >> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC > >> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2 > >> 1lSi > >> -END RSA PRIVATE KEY- > >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl > >> genrsa 128 > >> Generating RSA private key, 128 bit long modulus > >> ...+++ > >> ..+++ > >> e is 65537 (0x10001) > >> p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY- > >> MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx > >> AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs > >> iuyMFDkp > >> -END RSA PRIVATE KEY- > >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl > >> genrsa 128 > >> Generating RSA private key, 128 bit long modulus > >> .+++ > >> .+++ > >> e is 65537 (0x10001) > >> p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE > >> KEY- > >> MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC > >> CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg > >> TT5Qxxw= > >> -END RSA PRIVATE KEY- > >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl > >> genrsa 128 > >> Generating RSA private key, 128 bit long modulus > >> .+++ > >> .+++ > >> e is 65537 (0x10001) > >> p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE > >> KEY- > >> MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC > >> CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY > >> CoYAsOE= > >> -END RSA PRIVATE KEY- > >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl >
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
O.K. you are right. please close the ticket... Regards, Felix Am 22.12.2015 00:09, schrieb Richard Levitte via RT: > You're displaying pre-swap p and post-swap q. If they do get swapped, you must > understand that pre-swap p and post-swap q will be the same value. > > If you really want to demonstrate something, please display *both* p and q > before swap, and *both* p and q after swap. > > Vid Mon, 21 Dec 2015 kl. 23.00.38, skrev felix.wiedenr...@gmx.de: >> Hello, >> >> I "pickup" rsa-p and rsa-q just one source-code-line after they were >> "filled" and output the variables using the BN_print_fp function. >> >> please reopen the ticket. >> >> Regards, >> >> Felix >> >> >> for (;;) { >> if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) >> goto err; >> printf(" p:"); >> BN_print_fp(stdout,rsa->p); >> printf(" "); >> >> if (!BN_sub(r2, rsa->p, BN_value_one())) >> goto err; >> if (!BN_gcd(r1, r2, rsa->e, ctx)) >> goto err; >> if (BN_is_one(r1)) >> break; >> if (!BN_GENCB_call(cb, 2, n++)) >> goto err; >> } >> if (!BN_GENCB_call(cb, 3, 0)) >> goto err; >> for (;;) { >> /* >> * When generating ridiculously small keys, we can get stuck >> * continually regenerating the same prime values. Check for >> this and >> * bail if it happens 3 times. >> */ >> unsigned int degenerate = 0; >> do { >> if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) >> goto err; >> } >> while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10)); >> if (degenerate == 10) { >> ok = 0; /* we set our own err */ >> RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL); >> goto err; >> } >> if (!BN_sub(r2, rsa->q, BN_value_one())) >> goto err; >> if (!BN_gcd(r1, r2, rsa->e, ctx)) >> goto err; >> if (BN_is_one(r1)) >> break; >> if (!BN_GENCB_call(cb, 2, n++)) >> goto err; >> } >> if (!BN_GENCB_call(cb, 3, 1)) >> goto err; >> if (BN_cmp(rsa->p, rsa->q) < 0) { >> printf("Doppelt!") ; >> tmp = rsa->p; >> rsa->p = rsa->q; >> rsa->q = tmp; >> } >> printf("q:"); >> BN_print_fp(stdout,rsa->q); >> >> >> >> >> Am 21.12.2015 23:42, schrieb Richard Levitte via RT: >>> You're not showing us how you output rsa->p and rsa->q. It doesn't >>> make sense >>> at all that you get "Doppelt!" if they were equal, so there's >>> something wrong >>> with your output. Also, it's been demonstrated (see mail by Viktor on >>> openssl-dev) that the resulting key does have different p and q, with >>> p > q. >>> >>> For all intents and purposes, this seems not to be a bug. Closing >>> this ticket. >>> >>> Cheers, >>> Richard >>> >>> Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenr...@gmx.de: Hello, I found the reason for the problem, it´s definately a program error: The reason for it is in sub-program rsa_gen.c if (BN_cmp(rsa->p, rsa->q) < 0) { printf("Doppelt!") ; tmp = rsa->p; rsa->p = rsa->q; rsa->q = tmp; } Here p and q should be switched if p > q. But this does not work, probably due to type-incompatible Variable "tmp". So rsa->p gets the value of rsa->q but not vice versa: root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus ..+++ ...+++ e is 65537 (0x10001) p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE KEY- MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2 1lSi -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus ...+++ ..+++ e is 65537 (0x10001) p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY- MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs iuyMFDkp -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus .+++ .+++ e is 65537 (0x10001) p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE KEY- MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg TT5Qxxw= -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus .+++ .+++ e is 65537 (0x10001) p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE KEY-
[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
As Ann points out, 128 bits is way too small, and this ticket does not justify a new release for 0.9.8 Please update 0.9.8 is end of life. -- Rich Salz, OpenSSL dev team; rs...@openssl.org ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
That does not matter from a technical point of view. The Problem ist the same with 2048-Bit RSA. It´s a general problem of the program-mechanism that could be changed very easily. Openssl 1.0.X ist still too buggy for me... BTW: The mechanisms in 1.10 ist still the same Still no duplicate-check in source-code Regards, Felix Am 21.12.2015 14:46, schrieb Rich Salz via RT: > As Ann points out, 128 bits is way too small, and this ticket does not justify > a new release for 0.9.8 > Please update 0.9.8 is end of life. > -- > Rich Salz, OpenSSL dev team; rs...@openssl.org > > ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Hello, I found out, that in openssl 0.9.8 a check is missing for duplicate primes of p and q, see below. This is relevant when generating RSA-Keys: root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus ...+++ .+++ e is 65537 (0x10001) p:DBF7DA8B44ADCDD1 Phase 1 q:DBF7DA8B44ADCDD1 -BEGIN RSA PRIVATE KEY- MGICAQACEQC+ePfpNx2CzoNDm/Aejm7HAgMBAAECEF/t7vYfUxaga1+R+6EPYiEC CQDdrD6E0hkhFwIJANv32otErc3RAgkAz2HVG21zFQECCEW9PRKugZQhAgg9HQ6/ Pr0Uvg== -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus .+++ .+++ e is 65537 (0x10001) p:DC32B965793AF86F Phase 1 q:C6F919F7AAA5EC71 -BEGIN RSA PRIVATE KEY- MGUCAQACEQCrJX8Qy0q3bw5VN6G1mPz/AgMBAAECEQCbPCOI5BwdTE4K+TuIwOaB AgkA3DK5ZXk6+G8CCQDG+Rn3qqXscQIJAKbu/YZkRcSZAgkAnE+DS+K+uLECCQCu HHeujcFd/Q== -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus .+++ ...+++ e is 65537 (0x10001) p:EFAB9BC12A217257 Phase 1 q:C4B0A783D183DA55 -BEGIN RSA PRIVATE KEY- MGMCAQACEQC4JMYPVKDUPrZfVf8B/gzjAgMBAAECEQCd8r0IbVi+c84EAM4bn4jR AgkA76ubwSohclcCCQDEsKeD0YPaVQIIaHDg8+E3KAsCCELVeAZdof0FAgkAyqHj yqUIUes= -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus ..+++ .+++ e is 65537 (0x10001) p:CA1A6069FBCE0E6B Phase 1 q:CA1A6069FBCE0E6B -BEGIN RSA PRIVATE KEY- MGUCAQACEQDIjp/x7uVVrCNdf9Y1SpStAgMBAAECEQCyNiIkPe7lN1KFh4ubrk8V AgkA/gq1dP5Y/0cCCQDKGmBp+84OawIJALlWjL4XFkzfAgkArBEa5wD4pXMCCQDW mLQFBXBWbw== -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus ...+++ .+++ e is 65537 (0x10001) p:F4D74AA8BE84C4A3 Phase 1 q:D83D57FC191345D1 -BEGIN RSA PRIVATE KEY- MGICAQACEQDO0FJxcT23cfxgf5/WfXgTAgMBAAECECNo7cS4o92FmsN9eYgtFiEC CQD010qovoTEowIJANg9V/wZE0XRAghhDEkqk8HakwIJAKFKKD12qqRxAggvO+Uz yUnU6g== -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# As, in my environment, p qnd q are identical in about 50% of the cases, this is in my opinion a big security hole, because p and q can be determined from N by calculating the square-root of N. I will try to test this with a newer release of openssl as well. Thank you. Regards, Felix ___ openssl-bugs-mod mailing list openssl-bugs-...@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Felix, the real security hole is your key length. For a key length greater 1024 p and q should never be identical. The chance of p being not a prime is probably greater. In case p=q the Euler function will be p(p-1), whereas OpenSSL uses (p-1)(q-1) , i.e. (p-1)^2. In this case RSA, i.e. c:=m^e, m:=c^d, will not work. /Ann. ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev