-
Notifications
You must be signed in to change notification settings - Fork 457
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
re-work PK crypto im- & export #302
Conversation
On 29Sep, 2017, at 9:29 AM, Steffen Jaeckel ***@***.***> wrote:
After some thinking I'd even propose to remove MIN_RSA_SIZEand MAX_RSA_SIZE entirely! Somebody against it?
Not really, but note that it is currently set to 4096. Given recent interest in post-quantum resistance with longer key lengths, folks may want to play with 8192 and 15360. ...but given space and time, not for long. ;-)
That said, checking inputs for reasonableness is not a bad idea. The question then becomes what should be the limit? Everybody will have a different opinion but I consider 8192 another "reasonable" number. (A higher or lower number can always set it at compile time.)
…-----
Also on the subject of key lengths, a few lines further down in tomcrypt_custom.h, LTC_DER_MAX_PUBKEY_SIZE is set to 1024. FIPS.186-4 now defines longer DSA key lengths.
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
This might cause DSA key import problems in pk/dsa/dsa_import.c
|
I have doubts about `der_decode_raw_bit_string`:
1/ Ad `blen/8 > *outlen` - what if `blen` is not multiple of 8? And the
part `*outlen = blen;` perhaps also needs a fix.
2/ To me it seems like we are (falsely) assuming that `out[]` is
zero-initialized, we are setting just 1-bits.
|
yeah, I would basically just remove the limits, so someone could create arbitrary sized RSA keys
I also think that sanity checking is useful at one point but I'm not sure if this library is the correct point where someone should hit an error because he chose an insane (from the library's view) value. |
probably keeping |
Ad (MAX|MIN)_RSA_SIZE I am for removing them completely.
Looking at der_decode_raw_bit_string once again:
outlen [in/out] The number of *bits* stored
So perhaps the original comparison with just `blen` was correct.
|
wouldn't that prevent usage of 1024 bit keys ? i can imagine there are still some users of such keys, which may not have the option to change them. |
well it would prevent the creation of fresh 1024 bit keys but importing would still be feasible. |
yeah you're right... now the API is completely inconsistent.. |
>> wouldn't that prevent usage of 1024 bit keys ? i can imagine there are
>> still some users of such keys, which may not have the option to change them.
>
> well it would prevent the creation of fresh 1024 bit keys but importing
> would still be feasible.
We do not have an ambition to prevent ltc users from weak crypo at many
other places. The recommended minimum should be mentioned with a loud
warning in the doc, not compiled into the library.
Enforcing min/max limits make sense to me only if those are limits of our
RSA make key implementation.
|
56cbb84
to
130d657
Compare
For what it's worth, rsa_import() is now working in a (very) memory-constrained environment. Thanks for all your fixes! |
According to my testing this PR introduces the following valgrind warnings:
The remaining 4 are DSA related and are unfortunately already present in Steps to reproduce:
|
static int _rsa_issue_301(int prng_idx) | ||
{ | ||
rsa_key key, key_in; | ||
unsigned char buf[4096]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
approx buf[2500]
should be enough here
unsigned char buf[4096]; | ||
unsigned long len; | ||
|
||
DO(rsa_make_key(&yarrow_prng, prng_idx, sizeof(buf)/8, 65537, &key)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
4096/8
instead of sizeof(buf)/8
would be IMO better
tests/rsa_test.c
Outdated
@@ -308,6 +365,10 @@ int rsa_test(void) | |||
return 1; | |||
} | |||
|
|||
if (_rsa_issue_301(prng_idx) != 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what about DO(_rsa_issue_301(prng_idx))
?
src/pk/rsa/rsa_make_key.c
Outdated
@@ -32,10 +32,6 @@ int rsa_make_key(prng_state *prng, int wprng, int size, long e, rsa_key *key) | |||
LTC_ARGCHK(ltc_mp.name != NULL); | |||
LTC_ARGCHK(key != NULL); | |||
|
|||
if ((size < (MIN_RSA_SIZE/8)) || (size > (MAX_RSA_SIZE/8))) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
considering the fact that size
is int
we should at least check LTC_ARGCHK(size > 0)
tests/rsa_test.c
Outdated
rsa_free(&key_in); | ||
|
||
rsa_free(&key); | ||
return 0; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what about return CRYPT_OK
instead of return 0
Bug-fix: MAX_RSA_SIZE is the maximum RSA key size in *bits* (as commented in tomcrypt_custom.h), so the proper conversion to bytes (as the argument value to XCALLOC) would be to divide by 8 (bits per byte), not multiply by 8. This excessive allocation (32 Kbytes instead of 512 bytes) is readily apparent in memory-constrained environments.
The ASN1 encoded RSA key contains two MPI's therefore MAX_RSA_SIZE / 8 isn't enough.
[skip ci]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
well this turned out to become a bigger one with some real bugfixes as well...
This mostly removes
MAX_RSA_SIZE
from the code, onlyrsa_make_key()
still checks for it.After some thinking I'd even propose to remove
MIN_RSA_SIZE
andMAX_RSA_SIZE
entirely! Somebody against it?