Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Hello,
I found the reason for the problem, it´s definately a program error:
The reason for it is in sub-program rsa_gen.c
if (BN_cmp(rsa->p, rsa->q) < 0) {
printf("Doppelt!") ;
tmp = rsa->p;
rsa->p = rsa->q;
rsa->q = tmp;
}
Here p and q should be switched if p > q. But this does not work,
probably due to type-incompatible Variable "tmp".
So rsa->p gets the value of rsa->q but not vice versa:
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
genrsa 128
Generating RSA private key, 128 bit long modulus
..+++
...+++
e is 65537 (0x10001)
p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE
KEY-
MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
1lSi
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
genrsa 128
Generating RSA private key, 128 bit long modulus
...+++
..+++
e is 65537 (0x10001)
p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY-
MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
iuyMFDkp
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
genrsa 128
Generating RSA private key, 128 bit long modulus
.+++
.+++
e is 65537 (0x10001)
p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE
KEY-
MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
TT5Qxxw=
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
genrsa 128
Generating RSA private key, 128 bit long modulus
.+++
.+++
e is 65537 (0x10001)
p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE
KEY-
MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC
CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY
CoYAsOE=
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
genrsa 128
Generating RSA private key, 128 bit long modulus
...+++
..+++
e is 65537 (0x10001)
p:DFE0EAAEF64A9ED3 q:DA49968E614FC9E9-BEGIN RSA PRIVATE KEY-
MGECAQACEQC+5eKmNv53y2Hn+t22uzkLAgMBAAECEHmAtlbW7/ZsapBlxpZlu1EC
CQDf4Oqu9kqe0wIJANpJlo5hT8npAggWUvAz6B1CvwIIYCU9fST7gdECCGudR6xt
O4sU
-END RSA PRIVATE KEY
The code is still the same, even in Pre-Version 1.1.0
Regards,
Felix
Am 21.12.2015 21:38, schrieb Kurt Roeckx via RT:
> On Mon, Dec 21, 2015 at 01:51:45PM +, Felix via RT wrote:
>> That does not matter from a technical point of view.
>>
>> The Problem ist the same with 2048-Bit RSA.
> If you're worried that p and q might be the same random number, I
> think you should have other concerns.
>
>
> Kurt
>
>
>
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
On Mon, Dec 21, 2015 at 01:51:45PM +, Felix via RT wrote: > That does not matter from a technical point of view. > > The Problem ist the same with 2048-Bit RSA. If you're worried that p and q might be the same random number, I think you should have other concerns. Kurt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
On Mon, Dec 21, 2015 at 09:36:11PM +, Felix via RT wrote:
> I found the reason for the problem, it´s definately a program error:
Pilot error.
> The reason for it is in sub-program rsa_gen.c
>
> if (BN_cmp(rsa->p, rsa->q) < 0) {
> tmp = rsa->p;
> rsa->p = rsa->q;
> rsa->q = tmp;
> }
The code is just fine.
> # ./openssl genrsa 128
> ..+++
> ...+++
> e is 65537 (0x10001)
> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273
No idea what's printing the output above, but the private key below:
> -BEGIN RSA PRIVATE KEY-
> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
> 1lSi
> -END RSA PRIVATE KEY-
in fact has distinct p/q:
$ openssl rsa -noout -text <<-EOF
-BEGIN RSA PRIVATE KEY-
MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
1lSi
-END RSA PRIVATE KEY-
EOF
Private-Key: (128 bit)
modulus:
00:b1:b7:f3:28:d1:ea:6a:a2:51:66:00:7e:c0:8a:
72:e7
publicExponent: 65537 (0x10001)
privateExponent:
23:90:77:45:b4:f4:5f:50:34:98:e7:61:4c:d3:03:
69
prime1: 16814661991975378109 (0xe959adfe69f45cbd)
prime2: 14048957841162998387 (0xc2f7ecb8d2f59273)
exponent1: 2091537979440366241 (0x1d06a2b5fac802a1)
exponent2: 639027470352730491 (0x8de48193c17497b)
coefficient: 5085844977839658146 (0x46948d0fb6d654a2)
and prime1 > prime2. This ticket should be closed.
--
Viktor.
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Hello,
I "pickup" rsa-p and rsa-q just one source-code-line after they were
"filled" and output the variables using the BN_print_fp function.
please reopen the ticket.
Regards,
Felix
for (;;) {
if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
goto err;
printf(" p:");
BN_print_fp(stdout,rsa->p);
printf(" ");
if (!BN_sub(r2, rsa->p, BN_value_one()))
goto err;
if (!BN_gcd(r1, r2, rsa->e, ctx))
goto err;
if (BN_is_one(r1))
break;
if (!BN_GENCB_call(cb, 2, n++))
goto err;
}
if (!BN_GENCB_call(cb, 3, 0))
goto err;
for (;;) {
/*
* When generating ridiculously small keys, we can get stuck
* continually regenerating the same prime values. Check for
this and
* bail if it happens 3 times.
*/
unsigned int degenerate = 0;
do {
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
goto err;
}
while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10));
if (degenerate == 10) {
ok = 0; /* we set our own err */
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
goto err;
}
if (!BN_sub(r2, rsa->q, BN_value_one()))
goto err;
if (!BN_gcd(r1, r2, rsa->e, ctx))
goto err;
if (BN_is_one(r1))
break;
if (!BN_GENCB_call(cb, 2, n++))
goto err;
}
if (!BN_GENCB_call(cb, 3, 1))
goto err;
if (BN_cmp(rsa->p, rsa->q) < 0) {
printf("Doppelt!") ;
tmp = rsa->p;
rsa->p = rsa->q;
rsa->q = tmp;
}
printf("q:");
BN_print_fp(stdout,rsa->q);
Am 21.12.2015 23:42, schrieb Richard Levitte via RT:
> You're not showing us how you output rsa->p and rsa->q. It doesn't make sense
> at all that you get "Doppelt!" if they were equal, so there's something wrong
> with your output. Also, it's been demonstrated (see mail by Viktor on
> openssl-dev) that the resulting key does have different p and q, with p > q.
>
> For all intents and purposes, this seems not to be a bug. Closing this ticket.
>
> Cheers,
> Richard
>
> Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenr...@gmx.de:
>> Hello,
>>
>> I found the reason for the problem, it´s definately a program error:
>>
>> The reason for it is in sub-program rsa_gen.c
>>
>> if (BN_cmp(rsa->p, rsa->q) < 0) {
>> printf("Doppelt!") ;
>> tmp = rsa->p;
>> rsa->p = rsa->q;
>> rsa->q = tmp;
>> }
>>
>> Here p and q should be switched if p > q. But this does not work,
>> probably due to type-incompatible Variable "tmp".
>>
>> So rsa->p gets the value of rsa->q but not vice versa:
>>
>> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> ..+++
>> ...+++
>> e is 65537 (0x10001)
>> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE
>> KEY-
>> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
>> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
>> 1lSi
>> -END RSA PRIVATE KEY-
>> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> ...+++
>> ..+++
>> e is 65537 (0x10001)
>> p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY-
>> MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
>> AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
>> iuyMFDkp
>> -END RSA PRIVATE KEY-
>> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> .+++
>> .+++
>> e is 65537 (0x10001)
>> p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE
>> KEY-
>> MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
>> CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
>> TT5Qxxw=
>> -END RSA PRIVATE KEY-
>> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> .+++
>> .+++
>> e is 65537 (0x10001)
>> p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE
>> KEY-
>> MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC
>> CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY
>> CoYAsOE=
>> -END RSA PRIVATE KEY-
>> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> ...+++
>> ..+++
>> e is 65537 (0x10001)
>>
[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
You're not showing us how you output rsa->p and rsa->q. It doesn't make sense
at all that you get "Doppelt!" if they were equal, so there's something wrong
with your output. Also, it's been demonstrated (see mail by Viktor on
openssl-dev) that the resulting key does have different p and q, with p > q.
For all intents and purposes, this seems not to be a bug. Closing this ticket.
Cheers,
Richard
Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenr...@gmx.de:
> Hello,
>
> I found the reason for the problem, it´s definately a program error:
>
> The reason for it is in sub-program rsa_gen.c
>
> if (BN_cmp(rsa->p, rsa->q) < 0) {
> printf("Doppelt!") ;
> tmp = rsa->p;
> rsa->p = rsa->q;
> rsa->q = tmp;
> }
>
> Here p and q should be switched if p > q. But this does not work,
> probably due to type-incompatible Variable "tmp".
>
> So rsa->p gets the value of rsa->q but not vice versa:
>
> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ..+++
> ...+++
> e is 65537 (0x10001)
> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE
> KEY-
> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
> 1lSi
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ...+++
> ..+++
> e is 65537 (0x10001)
> p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY-
> MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
> AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
> iuyMFDkp
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> .+++
> .+++
> e is 65537 (0x10001)
> p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE
> KEY-
> MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
> CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
> TT5Qxxw=
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> .+++
> .+++
> e is 65537 (0x10001)
> p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE
> KEY-
> MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC
> CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY
> CoYAsOE=
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ...+++
> ..+++
> e is 65537 (0x10001)
> p:DFE0EAAEF64A9ED3 q:DA49968E614FC9E9-BEGIN RSA PRIVATE KEY-
> MGECAQACEQC+5eKmNv53y2Hn+t22uzkLAgMBAAECEHmAtlbW7/ZsapBlxpZlu1EC
> CQDf4Oqu9kqe0wIJANpJlo5hT8npAggWUvAz6B1CvwIIYCU9fST7gdECCGudR6xt
> O4sU
> -END RSA PRIVATE KEY
>
> The code is still the same, even in Pre-Version 1.1.0
>
> Regards,
>
> Felix
>
>
> Am 21.12.2015 21:38, schrieb Kurt Roeckx via RT:
> > On Mon, Dec 21, 2015 at 01:51:45PM +, Felix via RT wrote:
> >> That does not matter from a technical point of view.
> >>
> >> The Problem ist the same with 2048-Bit RSA.
> > If you're worried that p and q might be the same random number, I
> > think you should have other concerns.
> >
> >
> > Kurt
> >
> >
> >
>
--
Richard Levitte
levi...@openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
You're displaying pre-swap p and post-swap q. If they do get swapped, you must
understand that pre-swap p and post-swap q will be the same value.
If you really want to demonstrate something, please display *both* p and q
before swap, and *both* p and q after swap.
Vid Mon, 21 Dec 2015 kl. 23.00.38, skrev felix.wiedenr...@gmx.de:
> Hello,
>
> I "pickup" rsa-p and rsa-q just one source-code-line after they were
> "filled" and output the variables using the BN_print_fp function.
>
> please reopen the ticket.
>
> Regards,
>
> Felix
>
>
> for (;;) {
> if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
> goto err;
> printf(" p:");
> BN_print_fp(stdout,rsa->p);
> printf(" ");
>
> if (!BN_sub(r2, rsa->p, BN_value_one()))
> goto err;
> if (!BN_gcd(r1, r2, rsa->e, ctx))
> goto err;
> if (BN_is_one(r1))
> break;
> if (!BN_GENCB_call(cb, 2, n++))
> goto err;
> }
> if (!BN_GENCB_call(cb, 3, 0))
> goto err;
> for (;;) {
> /*
> * When generating ridiculously small keys, we can get stuck
> * continually regenerating the same prime values. Check for
> this and
> * bail if it happens 3 times.
> */
> unsigned int degenerate = 0;
> do {
> if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
> goto err;
> }
> while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10));
> if (degenerate == 10) {
> ok = 0; /* we set our own err */
> RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
> goto err;
> }
> if (!BN_sub(r2, rsa->q, BN_value_one()))
> goto err;
> if (!BN_gcd(r1, r2, rsa->e, ctx))
> goto err;
> if (BN_is_one(r1))
> break;
> if (!BN_GENCB_call(cb, 2, n++))
> goto err;
> }
> if (!BN_GENCB_call(cb, 3, 1))
> goto err;
> if (BN_cmp(rsa->p, rsa->q) < 0) {
> printf("Doppelt!") ;
> tmp = rsa->p;
> rsa->p = rsa->q;
> rsa->q = tmp;
> }
> printf("q:");
> BN_print_fp(stdout,rsa->q);
>
>
>
>
> Am 21.12.2015 23:42, schrieb Richard Levitte via RT:
> > You're not showing us how you output rsa->p and rsa->q. It doesn't
> > make sense
> > at all that you get "Doppelt!" if they were equal, so there's
> > something wrong
> > with your output. Also, it's been demonstrated (see mail by Viktor on
> > openssl-dev) that the resulting key does have different p and q, with
> > p > q.
> >
> > For all intents and purposes, this seems not to be a bug. Closing
> > this ticket.
> >
> > Cheers,
> > Richard
> >
> > Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenr...@gmx.de:
> >> Hello,
> >>
> >> I found the reason for the problem, it´s definately a program error:
> >>
> >> The reason for it is in sub-program rsa_gen.c
> >>
> >> if (BN_cmp(rsa->p, rsa->q) < 0) {
> >> printf("Doppelt!") ;
> >> tmp = rsa->p;
> >> rsa->p = rsa->q;
> >> rsa->q = tmp;
> >> }
> >>
> >> Here p and q should be switched if p > q. But this does not work,
> >> probably due to type-incompatible Variable "tmp".
> >>
> >> So rsa->p gets the value of rsa->q but not vice versa:
> >>
> >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> ..+++
> >> ...+++
> >> e is 65537 (0x10001)
> >> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE
> >> KEY-
> >> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
> >> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
> >> 1lSi
> >> -END RSA PRIVATE KEY-
> >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> ...+++
> >> ..+++
> >> e is 65537 (0x10001)
> >> p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY-
> >> MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
> >> AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
> >> iuyMFDkp
> >> -END RSA PRIVATE KEY-
> >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> .+++
> >> .+++
> >> e is 65537 (0x10001)
> >> p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE
> >> KEY-
> >> MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
> >> CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
> >> TT5Qxxw=
> >> -END RSA PRIVATE KEY-
> >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> .+++
> >> .+++
> >> e is 65537 (0x10001)
> >> p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE
> >> KEY-
> >> MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC
> >> CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY
> >> CoYAsOE=
> >> -END RSA PRIVATE KEY-
> >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
O.K. you are right. please close the ticket...
Regards,
Felix
Am 22.12.2015 00:09, schrieb Richard Levitte via RT:
> You're displaying pre-swap p and post-swap q. If they do get swapped, you must
> understand that pre-swap p and post-swap q will be the same value.
>
> If you really want to demonstrate something, please display *both* p and q
> before swap, and *both* p and q after swap.
>
> Vid Mon, 21 Dec 2015 kl. 23.00.38, skrev felix.wiedenr...@gmx.de:
>> Hello,
>>
>> I "pickup" rsa-p and rsa-q just one source-code-line after they were
>> "filled" and output the variables using the BN_print_fp function.
>>
>> please reopen the ticket.
>>
>> Regards,
>>
>> Felix
>>
>>
>> for (;;) {
>> if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
>> goto err;
>> printf(" p:");
>> BN_print_fp(stdout,rsa->p);
>> printf(" ");
>>
>> if (!BN_sub(r2, rsa->p, BN_value_one()))
>> goto err;
>> if (!BN_gcd(r1, r2, rsa->e, ctx))
>> goto err;
>> if (BN_is_one(r1))
>> break;
>> if (!BN_GENCB_call(cb, 2, n++))
>> goto err;
>> }
>> if (!BN_GENCB_call(cb, 3, 0))
>> goto err;
>> for (;;) {
>> /*
>> * When generating ridiculously small keys, we can get stuck
>> * continually regenerating the same prime values. Check for
>> this and
>> * bail if it happens 3 times.
>> */
>> unsigned int degenerate = 0;
>> do {
>> if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
>> goto err;
>> }
>> while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10));
>> if (degenerate == 10) {
>> ok = 0; /* we set our own err */
>> RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
>> goto err;
>> }
>> if (!BN_sub(r2, rsa->q, BN_value_one()))
>> goto err;
>> if (!BN_gcd(r1, r2, rsa->e, ctx))
>> goto err;
>> if (BN_is_one(r1))
>> break;
>> if (!BN_GENCB_call(cb, 2, n++))
>> goto err;
>> }
>> if (!BN_GENCB_call(cb, 3, 1))
>> goto err;
>> if (BN_cmp(rsa->p, rsa->q) < 0) {
>> printf("Doppelt!") ;
>> tmp = rsa->p;
>> rsa->p = rsa->q;
>> rsa->q = tmp;
>> }
>> printf("q:");
>> BN_print_fp(stdout,rsa->q);
>>
>>
>>
>>
>> Am 21.12.2015 23:42, schrieb Richard Levitte via RT:
>>> You're not showing us how you output rsa->p and rsa->q. It doesn't
>>> make sense
>>> at all that you get "Doppelt!" if they were equal, so there's
>>> something wrong
>>> with your output. Also, it's been demonstrated (see mail by Viktor on
>>> openssl-dev) that the resulting key does have different p and q, with
>>> p > q.
>>>
>>> For all intents and purposes, this seems not to be a bug. Closing
>>> this ticket.
>>>
>>> Cheers,
>>> Richard
>>>
>>> Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenr...@gmx.de:
Hello,
I found the reason for the problem, it´s definately a program error:
The reason for it is in sub-program rsa_gen.c
if (BN_cmp(rsa->p, rsa->q) < 0) {
printf("Doppelt!") ;
tmp = rsa->p;
rsa->p = rsa->q;
rsa->q = tmp;
}
Here p and q should be switched if p > q. But this does not work,
probably due to type-incompatible Variable "tmp".
So rsa->p gets the value of rsa->q but not vice versa:
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
genrsa 128
Generating RSA private key, 128 bit long modulus
..+++
...+++
e is 65537 (0x10001)
p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE
KEY-
MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
1lSi
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
genrsa 128
Generating RSA private key, 128 bit long modulus
...+++
..+++
e is 65537 (0x10001)
p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY-
MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
iuyMFDkp
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
genrsa 128
Generating RSA private key, 128 bit long modulus
.+++
.+++
e is 65537 (0x10001)
p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE
KEY-
MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
TT5Qxxw=
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
genrsa 128
Generating RSA private key, 128 bit long modulus
.+++
.+++
e is 65537 (0x10001)
p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE
KEY-
[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
As Ann points out, 128 bits is way too small, and this ticket does not justify a new release for 0.9.8 Please update 0.9.8 is end of life. -- Rich Salz, OpenSSL dev team; rs...@openssl.org ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
That does not matter from a technical point of view. The Problem ist the same with 2048-Bit RSA. It´s a general problem of the program-mechanism that could be changed very easily. Openssl 1.0.X ist still too buggy for me... BTW: The mechanisms in 1.10 ist still the same Still no duplicate-check in source-code Regards, Felix Am 21.12.2015 14:46, schrieb Rich Salz via RT: > As Ann points out, 128 bits is way too small, and this ticket does not justify > a new release for 0.9.8 > Please update 0.9.8 is end of life. > -- > Rich Salz, OpenSSL dev team; rs...@openssl.org > > ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Hello, I found out, that in openssl 0.9.8 a check is missing for duplicate primes of p and q, see below. This is relevant when generating RSA-Keys: root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus ...+++ .+++ e is 65537 (0x10001) p:DBF7DA8B44ADCDD1 Phase 1 q:DBF7DA8B44ADCDD1 -BEGIN RSA PRIVATE KEY- MGICAQACEQC+ePfpNx2CzoNDm/Aejm7HAgMBAAECEF/t7vYfUxaga1+R+6EPYiEC CQDdrD6E0hkhFwIJANv32otErc3RAgkAz2HVG21zFQECCEW9PRKugZQhAgg9HQ6/ Pr0Uvg== -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus .+++ .+++ e is 65537 (0x10001) p:DC32B965793AF86F Phase 1 q:C6F919F7AAA5EC71 -BEGIN RSA PRIVATE KEY- MGUCAQACEQCrJX8Qy0q3bw5VN6G1mPz/AgMBAAECEQCbPCOI5BwdTE4K+TuIwOaB AgkA3DK5ZXk6+G8CCQDG+Rn3qqXscQIJAKbu/YZkRcSZAgkAnE+DS+K+uLECCQCu HHeujcFd/Q== -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus .+++ ...+++ e is 65537 (0x10001) p:EFAB9BC12A217257 Phase 1 q:C4B0A783D183DA55 -BEGIN RSA PRIVATE KEY- MGMCAQACEQC4JMYPVKDUPrZfVf8B/gzjAgMBAAECEQCd8r0IbVi+c84EAM4bn4jR AgkA76ubwSohclcCCQDEsKeD0YPaVQIIaHDg8+E3KAsCCELVeAZdof0FAgkAyqHj yqUIUes= -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus ..+++ .+++ e is 65537 (0x10001) p:CA1A6069FBCE0E6B Phase 1 q:CA1A6069FBCE0E6B -BEGIN RSA PRIVATE KEY- MGUCAQACEQDIjp/x7uVVrCNdf9Y1SpStAgMBAAECEQCyNiIkPe7lN1KFh4ubrk8V AgkA/gq1dP5Y/0cCCQDKGmBp+84OawIJALlWjL4XFkzfAgkArBEa5wD4pXMCCQDW mLQFBXBWbw== -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128 Generating RSA private key, 128 bit long modulus ...+++ .+++ e is 65537 (0x10001) p:F4D74AA8BE84C4A3 Phase 1 q:D83D57FC191345D1 -BEGIN RSA PRIVATE KEY- MGICAQACEQDO0FJxcT23cfxgf5/WfXgTAgMBAAECECNo7cS4o92FmsN9eYgtFiEC CQD010qovoTEowIJANg9V/wZE0XRAghhDEkqk8HakwIJAKFKKD12qqRxAggvO+Uz yUnU6g== -END RSA PRIVATE KEY- root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# As, in my environment, p qnd q are identical in about 50% of the cases, this is in my opinion a big security hole, because p and q can be determined from N by calculating the square-root of N. I will try to test this with a newer release of openssl as well. Thank you. Regards, Felix ___ openssl-bugs-mod mailing list openssl-bugs-...@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Felix, the real security hole is your key length. For a key length greater 1024 p and q should never be identical. The chance of p being not a prime is probably greater. In case p=q the Euler function will be p(p-1), whereas OpenSSL uses (p-1)(q-1) , i.e. (p-1)^2. In this case RSA, i.e. c:=m^e, m:=c^d, will not work. /Ann. ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
