New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixed unmatched BN_CTX_start/end if an invalid exponent is used. #8569
Conversation
Why do we even have this code? I've asked about this in the original pull request, but it was never answered. This code is only needed when generating keys smaller then 2048 bits, the previous code we had was good for generating 2048 and larger keys. |
Hi Kurt, The latest spec (SP800-56B r1 final) says this: |
There is also a method that does not require 4 primes, where we just generate 2 random numbers. This is what the code did in 1.1.1. This other method is only allowed for keys >= 2048 bits, which are the also the only keys we're allowed to generate in FIPS mode. So all this new code was not needed. It could be that any even number of bits >= 2048 is allowed if you're at the 112 bit level. I think if you create a key for a certain security level, that you should always use it at that level. Generating a 3072 bit key when you're actually in the 112 bit level might be confusing that they prefer you don't do that, and might prefer that you just generate a 2048 bit key instead. Maybe the wording is there for the case where at some future point in time, for the 112 bit level 2048 bits is not enough, but that's really just a guess. But I think the change is wrong. If you generate a 3000 bit RSA key with the new code, it would still only be at the 112 bit level, and not something closer to the 123 bit level. I guess it would make more sense if the API had the security level and not the size of the modulus. This code also prevents you from actually generating keys that are stronger than the 128 bit level, while 192 and 256 are also defined. |
I guess the difference with the new code is that it follows the standard exactly listing the steps as it goes without confusing code related to multi-primes. Please look at the code in rsa_sp800_56b_generate_key() and see which one is clearer :) Yes there is currently no concept of security strength being passed to the keygen (it probably should be). I will change the code back to only do 2048, >3072. There is not much I can do about the >3072 case (there are only 2 table values and it just says to use the last value in the table for higher values in the FIPS140-2 IG - As stated as the comment at the top of the file). |
ping |
It would be nice if you could add your GitHub description to the body of your commit message, too.
(In accordance with the spirit of a distributed VCS our git logs should remain readable and selfcontained offline, without having to make a roundtrip to a centralized GitHub server.) |
Renamed the commit description now that the bug is more specific. |
Merged, thanks all. |
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #8569)
Fixed unmatched BN_CTX_start/end if an invalid exponent is used.
Checklist